XiongHai CMS (熊海CMS) is an all-in-one website management system developed by 熊海 that is meant for personal blogs, personal sites and company sites alike. It ships as a complete front end plus back end, and all it needs to run out of the box is an Apache+MySQL+PHP5 environment.
It appears to be no longer maintained.
Use PHP 5 for the installation; this walkthrough uses PHP 5.5.9. Drop the files into the web root and open the site in a browser to run the installer.
Auditing approaches can roughly be split into three: grasping the whole, functional analysis, and tracing back from sensitive functions.
Grasping the whole means reading through every code file of the entire CMS. It is a very thorough but very time-consuming method. For a small CMS with little code it is still manageable, but for a large CMS it is an enormous amount of work; even so, it gives a very good understanding of the program logic of the whole system.
Functional analysis means auditing only particular features of the CMS. CMS vulnerabilities are usually found at feature points: a login form may have SQL injection, a search box may have XSS, and so on, so the audit can focus on the points where vulnerabilities commonly appear.
PHP has a lot of dangerous sensitive functions. Common ones include file_get_contents and include, which can lead to file reads, and eval, assert, system and similar functions, which can lead to RCE. If these functions are used carelessly or their input is not strictly filtered, the result is a severe vulnerability.
If you do not know where to start with the functional analysis mentioned above, the following directories/files are good reference points:
/admin: the admin back end
/install: the installation directory
/uploads or upload.php: the upload directory or the upload handler
/sys: may hold some configuration files
config.inc.php or config.php: configuration files, which often leak MySQL connection details
index.php: the first stop of any audit; index.php usually pulls in many other features and cannot be skipped
login.php: the login entry point, probably for ordinary users; the admin one is usually /admin/login.php
OK, now that we have a rough idea of the process, we can start auditing!
Scan the entire CMS environment with the Seay source code audit system:
New project - select the CMS root directory - automatic audit - start
As the screenshot above shows, a number of suspicious files have already been flagged. Now the audit itself. Following the functional analysis and sensitive-function tracing described above, the first thing that catches the eye is index.php; the Seay audit system describes it as a possible file inclusion vulnerability. Whether it really is one, we find out by double-clicking the entry and auditing the source.
The source of index.php is very short and even thoughtfully commented. The key point is the include on line 6. For a sensitive function we check whether its parameter is user-controllable; if it is, the chance that a vulnerability exists goes up another notch.
First a parameter r is received via GET and assigned to $file, then a ternary operator checks whether the passed file name is present (non-empty). If it is, the file name is assigned to $action and include('files/'.$action.'.php') runs; if it is empty, $action defaults to index and the same include runs. Clearly we control which file gets loaded, but the include builds the path by concatenation: it is hard-wired to PHP files under the files/ directory and the extension is fixed as well. Although these restrictions look awkward, they can still be bypassed. First, ../ can be used for directory traversal, each ../ going up one directory: suppose I have a 1.php under /var/www/ that runs phpinfo, then I only need to request index.php with r set to a ../ path that reaches that file (the exact link is lost in extraction), without appending .php, since that is already fixed inside the include.
<?php
//single entry point mode
error_reporting(0); //turn off error display
$file=addslashes($_GET['r']); //receive the file name
$action=$file==''?'index':$file; //default to index when empty
include('files/'.$action.'.php'); //load the corresponding file
?>
But we cannot count on the site having a PHP file we want, so at that point we have to find a way to read other files. The extension is fixed, though: when reading /etc/passwd, .php is appended automatically and the path becomes /etc/passwd.php. Here one can use
. or ./ truncation (on Windows the maximum path length is 256 bytes, on Linux 4096 bytes; whatever exceeds that is discarded). Some of these tricks are limited by PHP version or configuration, though; %00 truncation, for example, is basically never seen any more. If this layer of restriction is broken through, a shell can be written by including log files or session files.
Fixing this vulnerability is also simple. Without touching the source, add a line ini_set('open_basedir','files/') to index.php, or set the equivalent open_basedir directive in php.ini.
Back to the Seay audit system: a dozen or so of the flagged files are under the admin/ directory, which normally requires an admin login to reach, so we set those aside for now and first audit the files anyone can access from the front end. Look at line 15, which is suspected of SQL injection.
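For comparison with the open_basedir fix above, here is a hardened replacement for the single-entry include, written for this article as an added example and not taken from the CMS. It assumes the page files live in a files/ directory next to index.php and are named only with letters, digits and underscores; the function name resolve_page is my own. The point it demonstrates is that addslashes() (the only filter the original applies) never touches "../", so the fix has to constrain the resulting path, and open_basedir then remains a useful second line of defence.

```php
<?php
// Added example, not the CMS's own code: hardened single-entry include.
// Original: $file = addslashes($_GET['r']); include('files/'.$file.'.php');
// addslashes() only escapes quotes and backslashes, so "../" passes through unchanged.
error_reporting(0);

// Assumed layout: page scripts live in files/ next to this script.
define('PAGES_DIR', realpath(__DIR__ . '/files'));

function resolve_page($r)
{
    // Default to the index page when nothing (or something non-scalar) was sent.
    $action = (is_string($r) && $r !== '') ? $r : 'index';

    // 1. Allow only a conservative character set: no "/", "\", "." or NUL,
    //    which rules out traversal and extension tricks before any path is built.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $action)) {
        return false;
    }

    // 2. Resolve the final path anyway and confirm it is still inside files/.
    //    realpath() returns false for a missing file, which is also rejected.
    $target = realpath(PAGES_DIR . '/' . $action . '.php');
    if ($target === false || strpos($target, PAGES_DIR . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $target;
}

// Defence in depth, as suggested in the text: an absolute base directory
// avoids ambiguity about what a relative 'files/' is resolved against.
ini_set('open_basedir', PAGES_DIR);

$target = resolve_page(isset($_GET['r']) ? $_GET['r'] : null);
if ($target === false) {
    header('HTTP/1.1 404 Not Found');
    exit('page not found');
}
include $target;
```

With this in place, r=../../../../var/www/1 fails the character-set check and never reaches include; an unexpected file name inside files/ that somehow passed the regex is still caught by the realpath prefix comparison.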
Double-click the line to read the source:
The yellow-highlighted statements are the suspected vulnerable ones. Auditing from line 8: first a parameter cid is received via GET and assigned to $id. If the query executes normally a normal page is returned; otherwise die prints 'SQL语句有误:'.mysql_error() (I do not quite understand why line 10 is not executed when the statement errors). The vulnerability is that the cid parameter is controllable and has no effective filtering (basically every parameter in this CMS is only passed through addslashes), and the MySQL error message is printed to the page as well. That is plainly SQL injection, and error-based injection can be used here.
$id=addslashes($_GET['cid']);
$query = "SELECT * FROM content WHERE id='$id'";
$resul = mysql_query($query) or die('SQL语句有误:'.mysql_error());
$content = mysql_fetch_array($resul);
$navid=$content['navclass'];
$query = "SELECT * FROM navclass WHERE id='$navid'";
$resul = mysql_query($query) or die('SQL语句有误:'.mysql_error());
$navs = mysql_fetch_array($resul);
//view counter
$query = "UPDATE content SET hit = hit+1 WHERE id=$id"; //the statement with the SQL injection
@mysql_query($query) or die('修改错误:'.mysql_error());
Normal query:
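The same three queries rewritten with parameter binding, as an added example for this article rather than code from the CMS; the same pattern fixes the other injectable files named further down (software.php, editlink.php, editsoft.php). It assumes $mysqli is an open mysqli connection with the mysqlnd driver (the original relies on the mysql_* extension, which no longer exists in PHP 7) and that the table and column names are those in the snippet above; load_content is my own function name. Two details matter here: the id column is numeric, so the original "WHERE id=$id" is unquoted and addslashes() cannot protect it, and mysql_error() must not be echoed to the client, because that is exactly what makes error-based injection convenient.

```php
<?php
// Added example, not the CMS's own code: content lookup with prepared statements.
// Assumes $mysqli is an open mysqli connection (mysqlnd, for get_result()).

function load_content(mysqli $mysqli, $cid)
{
    // id is an integer column: reject anything that is not a plain number
    // before it reaches SQL. addslashes() would not help with the unquoted
    // "WHERE id=$id" of the original UPDATE statement.
    if (!is_string($cid) || !ctype_digit($cid)) {
        return null;
    }
    $id = (int) $cid;

    $stmt = $mysqli->prepare('SELECT * FROM content WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $content = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($content === null) {
        return null;                       // unknown id: nothing to count or show
    }

    $navid = (int) $content['navclass'];
    $stmt = $mysqli->prepare('SELECT * FROM navclass WHERE id = ?');
    $stmt->bind_param('i', $navid);
    $stmt->execute();
    $navs = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // view counter: the value is bound, never concatenated into the query
    $stmt = $mysqli->prepare('UPDATE content SET hit = hit + 1 WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->close();

    return array('content' => $content, 'navs' => $navs);
}

// Make mysqli throw instead of returning false, so failures cannot be silenced
// with @ and are handled in one place. Details go to the server log only.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $page = load_content($mysqli, isset($_GET['cid']) ? $_GET['cid'] : '');
} catch (mysqli_sql_exception $e) {
    error_log('content.php: ' . $e->getMessage());
    header('HTTP/1.1 500 Internal Server Error');
    exit('internal error');
}
if ($page === null) {
    header('HTTP/1.1 404 Not Found');
    exit('not found');
}
```

The ctype_digit() check is a convenience for a numeric id; for string columns the binding alone is what prevents injection, and the type letter in bind_param ('s' instead of 'i') is the only change needed.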
Error-based injection:
Retrieving the columns of the manager table:
Retrieving the password MD5 hash:
Database monitoring:
Likewise, this is not the only file with SQL injection:
software.php
The error-based injection just now already pulled the administrator account and password out of the database. If the administrator is not very security-conscious and chose a common password, the MD5 hash obtained can be taken to an MD5-cracking site and brute-forced; if it cracks, read on to the next vulnerability, arbitrary user login.
editlink.php
There is no filtering at all, so a UNION-based injection works directly.
editsoft.php
Basically every file that can be edited online from the back end has an injection vulnerability; I will not list them all here, and readers are welcome to go and find the rest themselves.
The vulnerability is in /inc/checklogin.php: a user can set the user value themselves and bypass the username/password login.
The login page is /admin/login.php. It receives two main parameters via POST, user and password. Once they come in, line 9 checks that they are not empty; if so, the user is looked up in the database. If the user exists, execution continues to line 18, where the user's password is pulled out of the result array and compared as an MD5 hash. If it matches, a cookie user=$user is set and the browser is redirected to /admin/index.php.
Following the index.php that a successful login redirects to, we find that it includes a file called checklogin.php.
Following checklogin.php further: the source reads a cookie named user, and if it is empty it redirects to login.php. This is the vulnerable point: once the user name is known, a request header of Cookie: user=admin; is all it takes to be logged in.
Set a custom cookie and save it.
After saving, open index.php directly: the login has been bypassed.
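The root cause is that the cookie carries the user name itself, something the browser can set freely, and checklogin.php trusts it without anything the server controls. The usual repair is to keep the login state in a server-side session and to stop storing plain MD5 hashes. The code below is an added example written for this article, not the CMS's own; the user table is a constructed in-memory array standing in for the manager table, and the function names are my own. It targets PHP 5.5, which is why password_hash()/password_verify() are available but hash_equals() is not used.

```php
<?php
// Added example, not the CMS's own code: session-based login instead of a
// forgeable "Cookie: user=..." marker, plus proper password hashing.

// Session cookie: HttpOnly so script cannot read it; Secure when served over TLS.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $secure, true);
session_start();

// Constructed stand-in for the manager table. In the real fix the hash
// column is filled with password_hash($password, PASSWORD_DEFAULT).
$users = array(
    'admin' => array('hash' => password_hash('example-only-password', PASSWORD_DEFAULT)),
);

// login.php: verify the submitted credentials and establish the session.
function login(array $users, $user, $password)
{
    if (!is_string($user) || !is_string($password) || !isset($users[$user])) {
        return false;
    }
    // password_verify() compares in constant time and supports rehashing later.
    if (!password_verify($password, $users[$user]['hash'])) {
        return false;
    }
    session_regenerate_id(true);       // fresh session id after the privilege change
    $_SESSION['user'] = $user;
    $_SESSION['login_at'] = time();
    return true;
}

// inc/checklogin.php: the only thing consulted is server-side session state.
function require_login()
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
    return $_SESSION['user'];
}

// logout.php: discard the session entirely rather than just clearing a cookie.
function logout()
{
    $_SESSION = array();
    session_destroy();
}

// Request handling for login.php (POST user/password as in the original).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    if (login($users, $user, $password)) {
        header('Location: index.php');
        exit;
    }
    header('HTTP/1.1 401 Unauthorized');
    exit('login failed');
}
```

A forged Cookie: user=admin header now does nothing, because checklogin.php never looks at that cookie; the only cookie that matters is the session id, which is random and bound to state on the server. Replacing MD5 with password_hash() also means that a hash leaked through the SQL injection above cannot simply be looked up on a cracking site.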
This XSS is honestly of limited use; there is no point in using it to steal cookies when you are already in the back end.
Enter <script>alert(document.cookie)</script> in any ad slot.
There is also a reflected XSS in the front end, in /files/contact.php.
A page parameter is passed in and concatenated straight into the page without any handling, which allows XSS.
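Both XSS points above (the stored one in the ad slot and the reflected one in contact.php) have the same fix: encode for the HTML context at the moment of output. The snippet is an added example for this article, not code from the CMS; the ad text and page value are constructed samples, and h() is my own helper name.

```php
<?php
// Added example, not the CMS's own code: output encoding for stored and
// reflected data, plus a CSP header as a backstop.

function h($s)
{
    // Encode for HTML text and attribute contexts. ENT_QUOTES covers both
    // quote styles; the charset must match the one the page is served with.
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Headers must go out before any body output.
header('Content-Type: text/html; charset=UTF-8');
// A CSP without 'unsafe-inline' stops inline script even where an h() call
// was forgotten; it is a backstop, not a substitute for encoding.
header("Content-Security-Policy: default-src 'self'");

// Constructed samples standing in for a stored ad and the reflected "page" value.
$ad_text = '<script>alert(document.cookie)</script>';
$page = isset($_GET['page']) ? $_GET['page'] : '"><b>constructed</b>';

// Stored XSS (admin ad slot): encode on output regardless of what was stored.
echo '<div class="ad">' . h($ad_text) . '</div>' . "\n";

// Reflected XSS (files/contact.php): encode before concatenating into markup,
// including inside attribute values, where a stray quote would otherwise break out.
echo '<input type="hidden" name="page" value="' . h($page) . '">' . "\n";
```

Encoding on output rather than on input keeps the stored data intact (an ad may legitimately contain an ampersand) and means the rule is the same for every source, whether database, GET parameter or cookie.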
The vulnerable file is /admin/files/linklist.php.
When deleting a link there is no effective verification at all; one click deletes it. Because of this, a malicious link can be crafted to lure other users into clicking it.
Besides this, the following file also has CSRF:
/admin/files/commentlist.php
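For the CSRF in linklist.php and commentlist.php, the fix is to make the delete a POST request that carries a per-session token the attacker's page cannot know. The code is an added example for this article and not the CMS's own; it assumes the delete is triggered by a link carrying the link id today, and the function names are mine. It stays on PHP 5.5, so the constant-time comparison is written out instead of using hash_equals() (PHP 5.6+) and openssl_random_pseudo_bytes() stands in for random_bytes() (PHP 7+).

```php
<?php
// Added example, not the CMS's own code: CSRF token for the delete action.
session_start();

function csrf_token()
{
    // One token per session, generated from a CSPRNG on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function constant_time_equals($a, $b)
{
    // hash_equals() exists from PHP 5.6; this keeps 5.5 compatibility.
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

function csrf_check()
{
    $sent = isset($_POST['csrf_token']) && is_string($_POST['csrf_token']) ? $_POST['csrf_token'] : '';
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || empty($_SESSION['csrf_token'])
        || !constant_time_equals($_SESSION['csrf_token'], $sent)) {
        header('HTTP/1.1 403 Forbidden');
        exit('invalid request');
    }
}

// Rendering the delete control: a POST form carrying the token, not a GET link.
function delete_button($id)
{
    $id = (int) $id;
    return '<form method="post" action="linklist.php">'
         . '<input type="hidden" name="delete" value="' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">'
         . '<button type="submit">delete</button></form>';
}

// Handling the delete: the token is checked before anything is removed.
if (isset($_POST['delete'])) {
    csrf_check();
    $id = (int) $_POST['delete'];
    // ... perform the delete with a prepared statement bound to $id ...
}
```

A page on another origin can still make the victim's browser send a POST to linklist.php, but it cannot read the token out of the admin's session to include it, so csrf_check() rejects the request. Moving the action off GET also stops a plain <img> or link from triggering it at all.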
This CMS seems to have been written by a single person. How to put it: it is very old, the version is dated, nobody maintains it, and the initial release has quite a few vulnerabilities, which makes it a very good first target for anyone starting out with code auditing. I am no expert, but hopefully this article gives you a little insight into the thought process and workflow of an audit (experts, please go easy on me).