A practical case of a code audit [idea process]

Foreword:

I audited this CMS to see whether any vulnerabilities could be dug out, and luckily I found two: an SSRF and a file overwrite leading to GETSHELL. The following explains the thought process of the audit. The CMS version is 4.2. The vulnerabilities below have been recorded by CNVD.

Environment Description:

PHP 7.0.9 works fine.

SSRF:

Following a targeted audit of function points: there is a collection (crawl) function in the toolbar of the admin backend. From experience, this kind of function is often where an SSRF lives.

Use python3 to start a simple HTTP server locally.

Click Next, and sure enough there is an SSRF.

Proceed to the vulnerability analysis.


From the request captured with Burp Suite, it is easy to locate the relevant code.

In the file upload/plugins/sys/admin/Collect.php#Collect->add, the POST parameter cjurl is passed to the $this->caiji->str method without any sanitisation.

Then we follow $this->caiji->str, but PhpStorm cannot find where that method is defined.

As a workaround, we can search everywhere by pressing the Shift key twice in a row.

After following into the str method, I found that the url parameter is passed into the htmlall method, so I followed that method as well.

You can see that the htmlall method requests the url with curl.

Basically, there is an SSRF wherever the $this->caiji->str method is called.

File overwrite leading to GETSHELL:

This vulnerability was found by backtracking the parameter flow of a sensitive function.
The file-writing sensitive function is write_file in upload/cscms/app/helpers/common_helper.php, the same file that contains the htmlall method from the SSRF.

Use Ctrl+Shift+F to find where write_file is called: the write_file function is called in upload/plugins/sys/admin/Plugins.php#Plugins->_route_file. Note that the values of $note[$key]['name'] and $note[$key]['url'] are concatenated into the file content as a string inside a comment, and the comment can be bypassed by using a newline.
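As an added illustration (not CSCMS code; the function and array names are assumed), a hypothetical generator for a rewrite rules file of the kind written by _route_file, first in the unsafe shape where $note values are spliced straight into a PHP comment, then a hardened version that keeps comment text on one line, rejects a url carrying control characters and emits values with var_export() so neither a newline nor a quote can leave the comment or the string literal:

```php
<?php
// Added example, not CSCMS code: hypothetical generator for a rewrite rules file.

// Unsafe shape: name/url from $note are spliced straight into a PHP comment,
// so a line break inside either value ends the comment and the rest is code.
function build_rewrite_unsafe(array $note)
{
    $out = "<?php\n";
    foreach ($note as $key => $item) {
        $out .= "// " . $item['name'] . " " . $item['url'] . "\n";
        $out .= "\$routes['" . $key . "'] = '" . $item['url'] . "';\n";
    }
    return $out;
}

// Replace CR, LF and other control characters so a comment cannot end early.
function comment_safe($s)
{
    return preg_replace('/[\x00-\x1F\x7F]+/', ' ', (string) $s);
}

// Hardened: url and key are validated, name is sanitised for the comment,
// and the assignment is built from PHP literals instead of raw concatenation.
function build_rewrite_safe(array $note)
{
    $out = "<?php\n";
    foreach ($note as $key => $item) {
        $url = (string) $item['url'];
        if (preg_match('/[\x00-\x1F\x7F]/', $url . $key)) {
            throw new InvalidArgumentException("control character in route $key");
        }
        $out .= "// " . comment_safe($item['name']) . " " . $url . "\n";
        // var_export() yields a correctly quoted literal for any string value.
        $out .= "\$routes[" . var_export((string) $key, true) . "] = "
              . var_export($url, true) . ";\n";
    }
    return $out;
}

// True when every generated line is the opener, a comment, or an assignment.
function only_expected_lines($generated)
{
    foreach (explode("\n", rtrim($generated, "\n")) as $line) {
        if ($line !== '<?php' && strpos($line, '// ') !== 0 && strpos($line, '$routes[') !== 0) {
            return false;
        }
    }
    return true;
}

// Constructed input: a name carrying a line break, as in the %0a case above.
$note = ['music' => ['name' => "music\ninjected line", 'url' => 'music.html']];
var_dump(only_expected_lines(build_rewrite_unsafe($note)));
var_dump(only_expected_lines(build_rewrite_safe($note)));
```

The unsafe generator lets the second half of the name land outside the comment, while the hardened one keeps the whole file to comment and assignment lines only.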

Find where _route_file is called and track whether the value of $note is controllable. This function has many call sites; eventually a usable one was found: _route_file is called in upload/plugins/sys/admin/Plugins.php#Plugins->setting_save. Since this function is long, I split it into two screenshots and collapsed some unimportant content. The position marked with the red line must be set when _route_file is called. You can see that the value of $note is obtained at the position marked with blue 3, and reproduction can start from here.

Use Burp Suite to capture the request.

Modify the request body to write the constructed code; you can see that I used %0a (a newline) to bypass the comment.

You can see the successful write in upload/cscms/config/dance/rewrite.php.

Looking for where rewrite.php is included, I was too lazy to read the code and instead clicked through each page; after persistent effort I finally found it on the music page of the personal center, so you need to register as a member user.

Replay the request captured with Burp Suite, and the content is output successfully.

That was not the end of the matter: when I tried to write malicious content, I found that it was escaped.

I tried eval, shell_exec and so on, and they were escaped, but assert was not. Considering the changes to assert since PHP 7, I still needed to find a better way. Too lazy to read the escaping code, I used the following method, relying on PHP's dynamic features, to achieve RCE.

Summary:

This code audit used two general code auditing approaches: the first, targeted auditing based on function points, and the second, backtracking the parameters of sensitive functions. The approach not used was reading the full source code. Using PhpStorm can greatly improve the efficiency of code auditing.


Origin blog.csdn.net/HBohan/article/details/123262408