记一次cms代码审计 – 作者:星云博创科技有限公司-安全小百科

0×00：前言

记录一次小型cms代码审计

0×01：任意文件删除

由于代码繁杂，不再一一展示

/app/controller/kindeditor.class.php

关键漏洞代码

public function delete() {$path = ROOT_PATH.$_GET['pic'];unlink($path);$flash = M("flash");$row = $flash->query("delete from tc_flash wherephoto='".$_GET['pic']."'");echo '删除成功';}}

可以看到直接调用delete方法get传入pic参数就可以删除任意文件

0×02：Getshell

/install/index.php

case '4':if (intval($_GET['install'])) {$n = intval($_GET['n']);$arr = array();$dbHost = trim($_POST['dbhost']);$dbPort = trim($_POST['dbport']);$dbName = trim($_POST['dbname']);$dbHost = empty($dbPort) || $dbPort == 3306 ? $dbHost : $dbHost .':' . $dbPort;$dbUser = trim($_POST['dbuser']);$dbPwd = trim($_POST['dbpw']);$dbPrefix = empty($_POST['dbprefix']) ? 'tc_' :trim($_POST['dbprefix']);$uname = trim($_POST['manager_email']);$password = trim($_POST['manager_pwd']);$webpath = trim($_POST['webpath']);............if ($i == 999999) exit;$message = '成功添加站点信息<br />成功写入配置文件<br>安装完成．';//$newmodelstr = "<?php \n";$newmodelstr .= " define('DBHOST', '" . $dbHost . "');\n ";$newmodelstr .= "define('DBUSER', '" . $dbUser . "');\n ";$newmodelstr .= "define('DBPWD', '" . $dbPwd . "');\n ";$newmodelstr .= "define('DBNAME', '" . $dbName . "');\n ";$newmodelstr .= "define('DBCODE', 'utf8');\n ";$newmodelstr .= "define('DBCONN', " . $db_pconnect . ");\n ";$newmodelstr .= "define('MORESITE', false);\n ";$newmodelstr .= "define('USEMC', false);\n ";$newmodelstr .= "define('MCHOST', '127.0.0.1');\n ";$newmodelstr .= "define('MCPORT','11211');\n ";$newmodelstr .= "define('MCHOST2', '127.0.0.1');\n ";$newmodelstr .= "define('MCPORT2','11211');\n ";$newmodelstr .= "\n?>\n";$targetFile = '../app/data/mysql.php';@file_put_contents($targetFile, $newmodelstr);$arr = array('n' => 999999, 'msg' => $message);die(json_encode($arr));}include_once ("./templates/s4.php");exit;

在安装cms的时候在$dbName可以写入一句话木马进行getshell

当然当你访问网站的时候已经是安装好了的

这时候需要上一个任意文件删除的漏洞删除/app/data/install.lock文件进行系统重装

0×03：如何调用

/***cms/core/controller.class.php

控制器代码

public function Run() {$this->Analysis ();$this->control = $_GET ['c'];$this->action = $_GET ['a'];if ($_GET ['a'] === "list") {$this->action = "listAll";}$groupDir = GROUP_DIR;$controlFile = ROOT_PATH . '/' . APP_PATH . "/" . GROUP_DIR . "/" .$this->control . '.class.php';if (! file_exists ( $controlFile )) {$this->setValue ( "error", $this->control . Config::lang ("CONTROLLERNOTEXISTS" ) );$this->forward ( "error.html" );exit ();}include ($controlFile);if (! class_exists ( $this->control )) {$this->setValue ( "error", $this->control . Config::lang ("CONTROLLERNOTDEFINED" ) );$this->forward ( "error.html" );exit ();}if (! empty ( $_REQUEST ['token'] ) && ! in_array ( $_REQUEST ['ac'],array ('user_login', 'user_reg', 'user_regOrLoginProtocol', 'user_findPwd','user_getCode' ) )) {$this->pubCheck ();}$instance = new $this->control ();$methodName = $this->action;$instance->$methodName ();$this->forceAttack();

跟进$this->Analysis ();方法

protected function Analysis() {$ac = array ();$acStr = $_GET ['ac'];if (empty ( $acStr )) { // 无ac参数$ac [0] = $this->control;$ac [1] = $this->action;} else if (! strpos ( $acStr, '_' ) && $acStr) { // ac=list$ac [0] = $acStr; // empty($this->control) ?self::getDefaultAction() : $this->control;//NULL$ac [1] = self::getDefaultAction ();$modelClass = $ac [1];$controlClass = $ac [0];} else { // ac=news_list 支持下划线的控制器$acAry = explode ( "_", $acStr );if (count ( $acAry ) == 2) {$modelClass = $acAry [1];$controlClass = $acAry [0];}if (count ( $acAry ) == 3) {$modelClass = $acAry [2];$controlClass = $acAry [0] . '_' . $acAry [1];}}if ($this->c ['URL_MODE'] == 1) {$this->control = ! empty ( $controlClass ) ? trim ( $controlClass ): $this->control;$this->action = ! empty ( $modelClass ) ? trim ( $modelClass ) :$this->action;} else if ($this->c ['URL_MODE'] == 2) {if (isset ( $_SERVER ['PATH_INFO'] )) {$path = trim ( $_SERVER ['PATH_INFO'], '/' );$paths = explode ( '/', $path );// index.php/news/show/id/275$this->control = array_shift ( $paths ); // news$this->action = array_shift ( $paths ); // showParseUrl (); // news/show/id/275 index.php后面的}} else if ($this->c ['URL_MODE'] == 3) {// $_SERVER["QUERY_STRING"]=>// string(19) "ac=news_show&id=275"// $_SERVER["REQUEST_URI"]=>// string(30) "/index.php?ac=news_show&id=275"// bencandy.php?fid-{$fid}-id-{$id}-page-{$page}.html$path = str_replace ( ".asp", "", $_SERVER ["QUERY_STRING"] ); //news-show-1$paths = explode ( '-', $path );$this->control = array_shift ( $paths ); // news$this->action = array_shift ( $paths ); // show$key = $this->action == 'show' ? 'id' : 'page';$_GET [$key] = array_shift ( $paths ); // id page classidss}$_GET ['c'] = ! empty ( $this->control ) ? $this->control : 'index';$_GET ['a'] = ! empty ( $this->action ) ? $this->action :self::getDefaultAction ();$ac [0] = $_GET ['c'];$ac [1] = $_GET ['a'];