My first code audit: a movie CMS

Category: Security News

I recently came across a code audit written by Pi Shifu (皮师傅) on secquan and thought it looked decent, so I downloaded the source to take a look myself. After an afternoon of auditing I found a few trivial vulnerabilities, and I'm writing this post to record my first code audit.

File read (of limited use)

like.php

Location: data/like.php

Key code

$fang = $_GET['play'];                 // attacker-controlled, only base64 "encoded"
$jmfang = base64_decode($fang);        // decoded without any validation
$like = file_get_contents($jmfang);    // any local path or URL is fetched
$likezz = "/<ul class='s-guess-list g-clear js-list' data-block='tj-guess' monitor-desc=\"猜你喜欢\">(.*?)<\/ul>/is";
$kikez1 = "/ <img src=\"(.*?)\" data-src='(.*?)'>
            <\/a>
            <div class='s-guess-right'>
                <p class='title'><a href='(.*?)' data-index=(.*?)>(.*?)<\/a><\/p>
            <\/div>
/is";

// the fetched content is only ever shown after being run through these patterns
preg_match_all($likezz, $like, $likearr);
preg_match_all($kikez1, $likearr['1']['0'], $liketitle);
// ... remainder omitted in the original ...

Pass the play parameter directly and the target is read.

Reading a file

The file is read but not displayed, because like.php processes whatever it reads and prints it in a fixed format. The file read in fenlei.php that Pi Shifu found is a better one, so I won't cover it here.

play.php has the same problem:

<?php
error_reporting(0);
$player = base64_decode($_GET['play']);   // attacker-controlled, only base64 "encoded"
$tvinfo = file_get_contents($player);     // fetches any local path or URL
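A hardened way to handle the play parameter in both like.php and play.php, added here as an example and not the CMS's own code: decode strictly, then accept only an absolute http/https URL whose host is on an allowlist (the host name is a placeholder), so local paths and schemes such as file:// or php:// never reach file_get_contents.

```php
<?php
// Added example, not part of the CMS. ALLOWED_HOSTS is a placeholder value.
const ALLOWED_HOSTS = ['video.example.com'];

function resolvePlayUrl(string $encoded): ?string
{
    // Strict decoding: anything that is not valid base64 is rejected outright.
    $decoded = base64_decode($encoded, true);
    if ($decoded === false) {
        return null;
    }
    $parts = parse_url($decoded);
    // Relative paths and file:// have no host; php://filter has no http scheme.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $decoded;
}

$player = resolvePlayUrl($_GET['play'] ?? '');
if ($player === null) {
    http_response_code(400);
    exit('invalid play parameter');
}
// Fetch with a timeout and without following redirects, so an allowed host
// cannot bounce the request somewhere else.
$ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
$tvinfo = file_get_contents($player, false, $ctx);
```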

SQL injection

agent/index.php

<?php
require dirname(__FILE__) . "/dzsck.php";
// $_GET['id'] is concatenated straight into the UPDATE statement
if ($_GET['type'] == 'Sell' and $_GET['id'] != '') {
    $cm->query("UPDATE d_kami SET km_sell=1 WHERE km_id ='" . $_GET['id'] . "'");
    echo tiao("已复制好,可贴粘。", "index.php");
    exit();
}
if ($_GET['type'] == 'close' and $_GET['id'] != '') {
    $cm->query("UPDATE d_kami SET km_sell=0 WHERE km_id ='" . $_GET['id'] . "'");
    echo backs("卡密取消复制成功!");
    exit();
}
$cm->query("SELECT * FROM d_adminuser where admin_id='" . $_SESSION["adminid"] . "' order by admin_id asc");
$adminuser = $cm->fetch_array($rs);
$cm->query("SELECT * FROM d_kami where km_uid='" . $_SESSION["adminid"] . "' order by km_type asc");
$mypagesnum = $cm->db_num_rows();
// ... remainder omitted in the original ...
?>

As you can see, the id parameter goes into the SQL statement without any filtering, so let's go for it. This is the agent (reseller) feature, so you first need to register an agent account; plain registration is enough.

Payload:http://192.168.0.100/tuana/agent/index.php?type=Sell&id=123

Time-based blind injection.

A similar injection exists at:

http://192.168.0.100/tuana/agent/index.php?type=close&id=123
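The same Sell/close update rewritten with a prepared statement, added here as an example rather than the CMS's code. It assumes a mysqli connection $db (the $cm wrapper's internals are not shown on the page), validates that id is a positive integer, and scopes the update by km_uid the way the page's own listing query does.

```php
<?php
// Added example, not the CMS's code. Assumes $db is a mysqli connection and
// that the agent is already logged in ($_SESSION['adminid']) as in the original.
function setKamiSellState(mysqli $db, string $rawId, int $state, int $agentId): bool
{
    // km_id is used as a number by the CMS; accept only a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // Placeholders keep user input out of the SQL text entirely. Restricting by
    // km_uid also stops one agent toggling another agent's keys.
    $stmt = $db->prepare('UPDATE d_kami SET km_sell = ? WHERE km_id = ? AND km_uid = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iii', $state, $id, $agentId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$type = $_GET['type'] ?? '';
$id   = $_GET['id'] ?? '';
if ($type === 'Sell' || $type === 'close') {
    $state = ($type === 'Sell') ? 1 : 0;
    if (!setKamiSellState($db, $id, $state, (int) $_SESSION['adminid'])) {
        http_response_code(400);
        exit('invalid id');
    }
    // redirect / message as in the original
}
```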

XSS

payreturn.php

$orderid = $_GET["orderid"];
//$isql="update d_ddcenter set dd_type=1 where dd_order='".$orderid."'";
//$ddinfo=mysql_query($isql);
//$cm->query("SELECT * FROM d_ddcenter where dd_order='" . $orderid . "'");
//$row = $cm->fetch_array($rs);
//$dd_adminid=$row['dd_adminid'];
echo $orderid;   // reflected into the response without any escaping
// the same unfiltered value is also concatenated into this query
$cm->query("SELECT * FROM d_ddcenter where dd_order='" . $orderid . "' order by dd_id desc");
$km_number = $cm->fetch_array($rs);
$cm->query("SELECT * FROM d_adminuser where admin_id='" . $km_number["dd_adminid"] . "'    ");
$km_number3 = $cm->fetch_array($rs);
if ($km_number["dd_vip"] == 1) {
    if ($km_number3['admin_endtime'] < time()) {
        $ddvip = $cm->query("UPDATE d_adminuser SET admin_endtime=" . time() . "+2678400,admin_level=1,admin_opentime='" . $nowtime . "' WHERE admin_id='" . $km_number["dd_adminid"] . "'");
    } else {
        $ddvip = $cm->query("UPDATE d_adminuser SET admin_endtime=admin_endtime+2678400,admin_level=1,admin_opentime='" . $nowtime . "' WHERE admin_id='" . $km_number["dd_adminid"] . "'");
    }
}
// ... remainder omitted in the original ...

The incoming orderid parameter is echoed straight back, an obvious reflected XSS.

XSS2

admin/edituser.php

<?php
require dirname(__FILE__) . "/dzsck.php";
if (($_GET["type"] == "edit") && $_POST) {
    $date = array("admin_aglevel" => $_POST["admin_aglevel"]);
    $updates = $cm->cmupdate($date, "admin_id='" . $_POST["id"] . "'", "d_adminuser");
    // $_POST["id"] is echoed back inside the redirect script that tiao() builds
    if ($updates) {
        echo tiao("修改成功!", "edituser.php?id=" . $_POST["id"]);
        exit();
    } else {
        echo tiao("修改失败,请重新修改!", "edituser.php?id=" . $_POST["id"]);
        exit();
    }
}

Here the POSTed id is echoed without any processing, which looks like XSS, so let's try it.

Inserting the XSS payload directly doesn't work; the output ends up like this:

<script type='text/javascript'>alert('修改成功!');location.replace('edituser.php?id=<script>alert(/xss/)</script>');</script>

Looking closely, edituser.php?id= is concatenated with the contents of $_POST["id"] and then followed by the extra characters ');</script>, so we need a way around that. Try changing the POST body to admin_aglevel=1&id=123</script>');<script>alert(/xss/)</script>('

XSS succeeds.
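The tiao() helper is not shown on the page, but its output above is an inline script with the id spliced into a JavaScript string literal. A hardened version, added here as an example and not the CMS's tiao(), keeps the same alert-plus-redirect shape but escapes for the script context with json_encode and validates the id before it ever reaches the URL.

```php
<?php
// Added example, not the CMS's own tiao(). Reproduces the original output shape
// (alert + location.replace) but treats message and target as data, not code.
function tiaoSafe(string $msg, string $target): string
{
    // JSON_HEX_* encodes < > & ' " as \u00XX, so a value can never close the
    // string literal or contain a literal "</script>" inside the <script> block.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE;
    return "<script type='text/javascript'>alert(" . json_encode($msg, $flags)
        . ");location.replace(" . json_encode($target, $flags) . ");</script>";
}

// The id is a row key, so reject anything that is not an integer up front;
// the encoding in tiaoSafe() is then defence in depth, not the only barrier.
$id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}
echo tiaoSafe('修改成功!', 'edituser.php?id=' . urlencode((string) $id));
```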

File upload

Let's follow index.php:

<?php
// The message strings below were mojibake on the original page and have been
// reconstructed from context. $passwd, $max_file_size, $uptypes,
// $destination_folder and $overwrite are set in the CMS config.
if (is_array($_FILES["upfile"])) {
    $i = 0;
    if ($_POST['pwd'] != $passwd) {
        echo '<script>alert("您没有权限")</script>';
        exit;
    }
    while ($i < count($_FILES["upfile"])) {
        if ($_SERVER['REQUEST_METHOD'] == 'POST') {
            if (!is_uploaded_file($_FILES["upfile"]["tmp_name"][$i])) {
                // was a file actually uploaded?
                // echo $_FILES["upfile"]["tmp_name"][$i];
                echo "<font color='red'>文件预览出错</font>";
                exit;
            }
            // echo $_FILES["upfile"]["tmp_name"][$i];
            $file = $_FILES["upfile"];
            if ($max_file_size < $file["size"][$i]) {
                // check file size
                echo "<font color='red'>文件太大</font>";
                exit;
            }

            // check file type: this compares the client-supplied Content-Type
            // ($_FILES[...]["type"]) against $uptypes, so it is trivially spoofable
            if (!in_array($file["type"][$i], $uptypes)) {
                echo "<font color='red'>只能上传图片类文件！</font>";
                exit;
            }

            if (!file_exists($destination_folder)) {
                if (!mkdir($destination_folder, 0777, true)) {
                    echo "<font color='red'>创建目录失败,请手动创建</font>";
                }
            }

            $filename = $file["tmp_name"][$i];
            $image_size = getimagesize($filename);   // result is never checked
            $pinfo = pathinfo($file["name"][$i]);
            $ftype = $pinfo['extension'];            // extension taken from the client's filename
            $destination = $destination_folder . $i . time() . "." . $ftype;
            if (file_exists($destination) && $overwrite != true) {
                echo "<font color='red'>同名文件已经存在了！</font>";
                exit;
            }
            echo $destination;
            if (!move_uploaded_file($filename, $destination)) {
                echo "<font color='red'>移动文件出错</font>";
                exit;
            }

            $pinfo = pathinfo($destination);
            $fname = $pinfo['basename'];
            // ... remainder omitted in the original ...
        }
    }
}

One thing to note: uploading directly prompts for a password, but luckily the password sits in inc/aik.config.php:

tu_pass=123456

Try uploading a phpinfo file: the type is clearly rejected, so change the Content-Type.

Upload succeeded!

Now try a one-line webshell.

getshell succeeded.
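The handler above trusts $_FILES["type"], which is just the client's Content-Type header, and keeps whatever extension the client's filename carries, which is why changing the header was enough. The checks below, added here as an example and not the CMS's code, sniff the real content, take the extension from an allowlist rather than from the filename, and store under a random name; $destination_folder and $max_file_size are assumed to come from the config as in the original.

```php
<?php
// Added example, not the CMS's upload handler. The MIME/extension allowlist is
// an assumption; $destination_folder and $max_file_size come from the config.
const ALLOWED_IMAGES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function storeUploadedImage(array $file, int $i, string $destFolder, int $maxSize): ?string
{
    if ($file['error'][$i] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'][$i])) {
        return null;
    }
    if ($file['size'][$i] > $maxSize) {
        return null;
    }
    // Sniff the real content; $file['type'] is whatever the client chose to send.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name'][$i]);
    if ($mime === false || !isset(ALLOWED_IMAGES[$mime])) {
        return null;
    }
    // Extension comes from the allowlist, never from the client's filename, so a
    // ".php" name with an image Content-Type cannot be written as .php.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$mime];
    $dest = rtrim($destFolder, '/') . '/' . $name;
    if (!is_dir($destFolder) && !mkdir($destFolder, 0755, true)) {
        return null;
    }
    if (!move_uploaded_file($file['tmp_name'][$i], $dest)) {
        return null;
    }
    return $name;
}

// Usage mirroring the original multi-file loop.
if (isset($_FILES['upfile']) && is_array($_FILES['upfile']['tmp_name'])) {
    foreach (array_keys($_FILES['upfile']['tmp_name']) as $i) {
        $stored = storeUploadedImage($_FILES['upfile'], $i, $destination_folder, $max_file_size);
        echo $stored === null ? "upload $i rejected\n" : "stored $stored\n";
    }
}
```

The upload directory should additionally be served with script execution disabled, so that even a validation bypass does not yield code execution.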

This article is from the Xianzhi community; original at: https://xz.aliyun.com/t/5065
