qclover / code-audit
Audits of several CMSs and some writeup pages.
The vulnerability is in the data backup function: the table name is not strictly filtered, so arbitrary code can be written to a file and executed.
Code location: the vulnerability is in the backup_action function of database.class.php. Tracing back through the whole execution flow:
First, the table name from the POST request is placed directly into tablename in the array variable $DBParameter. Execution then continues into BackupDatabaseInit($DBParameter); stepping into that function:
Around line 103 of this function, the retrieved $tablename is assigned directly to the $d_table variable. Along this path no filtering function is applied; $d_table is then concatenated with the other information into $string, which is written to the file $mypath/config.php, as shown in the figure below:
The following is how the $mypath backup path parameter is passed. From the analysis, the backup path is under bdata: the directory written is bdata/phpyun_2018 + current time, and the file the data is written to is config.php.
Reproduction:
Log in to the admin panel, perform a data backup, capture the request and replay it with the payload xxxx];phpinfo();// . The file is written successfully and code execution occurs.
The vulnerability is in the delete-zip step of the admin backup/restore function, in Metinfo/app/system/databack/admin/index.class.php lines 821~836. The code shows that $file is controllable and unfiltered, allowing arbitrary directory traversal.
Vulnerability reproduction
Deletion succeeded
The file upload vulnerability also occurs during database backup/restore. Tracing the corresponding upload function point, it is in upfilety.php starting at line 269: the upload runs when type is sql, and the default type is sql. The allowed upload extensions are sql and zip; if a zip archive is uploaded, the program extracts it and checks whether the files inside are sql files. The vulnerability is exactly here, at lines 312~328: when a file inside the zip is not a sql file the upload is not aborted; the check continues, the program prints that the archive contains a non-sql file, the upload completes, the message is output and only then does it exit. The whole upload logic check is flawed, so arbitrary files can be uploaded via a zip. (While auditing this, at line 320 the developer actually spelled the suffix variable (houzhui) as houzui; Mandarin, haha.)
Archive check
This vulnerability is similar in principle to 1, the arbitrary file deletion, and is not described further.
$file is controllable and ../ is not filtered
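As an added defensive example (not the PHPYun or Metinfo source), the three checks the audits above show missing: a whitelist of table names before they reach config.php, serialising the backup metadata with var_export() instead of string concatenation, and containing backup file names under the bdata directory so ../ cannot escape it. Function names and the SHOW TABLES input are assumptions made for illustration.

```php
<?php
// Added defensive example, not the PHPYun or Metinfo source. Function names
// and the SHOW TABLES input are assumptions made for illustration.

// Accept only table names that match a strict charset AND exist in the
// database, so nothing user-controlled is ever interpolated into config.php.
function validateTableNames(array $requested, array $existing): array
{
    $valid = [];
    foreach ($requested as $name) {
        if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
            throw new InvalidArgumentException('Invalid table name');
        }
        if (!in_array($name, $existing, true)) {
            throw new InvalidArgumentException("Unknown table: $name");
        }
        $valid[] = $name;
    }
    return $valid;
}

// Emit the backup metadata with var_export(), which produces quoted PHP
// literals, instead of concatenating raw strings into PHP source.
function renderBackupConfig(array $tables, string $created): string
{
    $data = ['tables' => $tables, 'created' => $created];
    return "<?php\nreturn " . var_export($data, true) . ";\n";
}

// Resolve a backup file name under $baseDir and reject anything that would
// escape it (the unfiltered ../ in the delete-zip and restore paths above).
function resolveBackupFile(string $baseDir, string $file): string
{
    $base = realpath($baseDir);
    if ($base === false || $file === '' || basename($file) !== $file) {
        throw new InvalidArgumentException('Invalid backup file name');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $file);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('Path escapes backup directory');
    }
    return $path;
}

// Usage sketch: $existing = $db->query('SHOW TABLES')->fetchAll(PDO::FETCH_COLUMN);
// $tables = validateTableNames($_POST['tablename'] ?? [], $existing);
// file_put_contents($mypath . '/config.php', renderBackupConfig($tables, date('YmdHis')));
```

resolveBackupFile() requires the target to already exist (realpath returns false otherwise), which is the right behaviour for a delete or restore of an existing archive.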