FeifeiCMS 4.0 任意文件删除漏洞分析<\/h1>

漏洞概述<\/h2>
FeifeiCMS 4.0 存在多处任意文件删除漏洞，攻击者可以利用这些漏洞删除服务器上的任意文件。这些漏洞主要存在于后台管理模块中，由于对用户输入参数缺乏充分过滤，直接将参数拼接到文件路径中，导致可以删除非预期的文件。<\/p>

漏洞位置与详情<\/h2>

1. DataAction.class.php 中的任意文件删除<\/h3>

漏洞位置<\/h4>
`Lib\/Lib\/Action\/Admin\/DataAction.class.php<\/code><\/p>`

漏洞代码<\/h4>
public<\/span> function<\/span> del<\/span>(){
<\/span><\/span>    $filename =<\/span> trim<\/span>($_GET['id'<\/span>]);
<\/span><\/span>    @<\/span>unlink<\/span>(DATA_PATH<\/span>.<\/span>'_bak\/'<\/span>.<\/span>$filename);
<\/span><\/span>    $this-><\/span>success<\/span>($filename.<\/span>'已经删除!'<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/删除所有分卷文件
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> delall<\/span>(){
<\/span><\/span>    foreach<\/span>($_POST['ids'<\/span>] as<\/span> $value){
<\/span><\/span>        @<\/span>unlink<\/span>(DATA_PATH<\/span>.<\/span>'_bak\/'<\/span>.<\/span>$value);
<\/span><\/span>    }
<\/span><\/span>    $this-><\/span>success<\/span>('批量删除分卷文件成功!'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h4>

直接使用未经处理的$_GET['id']<\/code>和$_POST['ids']<\/code>参数拼接文件路径<\/li>
攻击者可以构造特殊的文件名路径，实现目录穿越，删除任意文件<\/li>
默认情况下_bak<\/code>文件夹不存在，需要先触发备份功能创建该目录<\/li>
<\/ul>
利用条件<\/h4>

需要先触发备份功能创建_bak<\/code>目录<\/li>
需要后台管理员权限<\/li>
<\/ol>
利用步骤<\/h4>


触发备份功能创建_bak<\/code>目录：<\/p>

访问数据库备份功能<\/li>
满足strlen($sql) >= $filesize*1000<\/code>条件创建备份文件<\/li>
<\/ul>
<\/li>

构造删除payload：<\/p>
http:\/\/localhost:8888\/4.0.181010\/index.php?s=\/admin-data-del&id=..\/..\/..\/path\/to\/target\/file
<\/code><\/pre>
<\/li>
<\/ol>
2. TplAction.class.php 中的任意文件删除<\/h3>
漏洞位置<\/h4>
Lib\/Lib\/Action\/Admin\/TplAction.class.php<\/code><\/p>
漏洞代码<\/h4>
public<\/span> function<\/span> del<\/span>(){
<\/span><\/span>    $id =<\/span> admin_ff_url_repalce<\/span>(str_replace<\/span>(trim<\/span>($_GET['id'<\/span>])));
<\/span><\/span>    if<\/span> (!<\/span>substr<\/span>(sprintf<\/span>("%o"<\/span>,fileperms<\/span>($id)),-<\/span>3<\/span>)){
<\/span><\/span>        $this-><\/span>error<\/span>('无删除权限!'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    @<\/span>unlink<\/span>($id);
<\/span><\/span>    if<\/span> (!<\/span>empty<\/span>($_SESSION['tpl_jumpurl'<\/span>])) {
<\/span><\/span>        $this-><\/span>assign<\/span>("jumpUrl"<\/span>,$_SESSION['tpl_jumpurl'<\/span>]);
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        $this-><\/span>assign<\/span>("jumpUrl"<\/span>,'?s=Admin\/Tpl\/Show'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    $this-><\/span>success<\/span>('删除文件成功!'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h4>

$_GET['id']<\/code>参数仅经过trim()<\/code>和str_replace()<\/code>处理，没有过滤路径穿越字符<\/li>
直接使用用户输入作为文件路径进行删除操作<\/li>
虽然检查了文件权限，但无法防止路径穿越<\/li>
<\/ul>
利用条件<\/h4>

需要后台管理员权限<\/li>
<\/ul>
利用步骤<\/h4>
构造删除payload：<\/p>
http:\/\/localhost:8888\/4.0.181010\/index.php?s=\/admin-tpl-del&id=\/path\/to\/target\/file
<\/code><\/pre>
漏洞修复建议<\/h2>


对用户输入进行严格过滤：<\/p>

过滤..\/<\/code>等路径穿越字符<\/li>
限制文件名只能包含特定字符集<\/li>
<\/ul>
<\/li>

使用白名单机制：<\/p>

只允许删除特定目录下的特定类型文件<\/li>
验证文件路径是否在允许范围内<\/li>
<\/ul>
<\/li>

修复代码示例：<\/p>
<\/li>
<\/ol>
\/\/ 对于DataAction.class.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> del<\/span>(){
<\/span><\/span>    $filename =<\/span> basename<\/span>(trim<\/span>($_GET['id'<\/span>])); \/\/ 只获取文件名部分
<\/span><\/span><\/span><\/span>    $filepath =<\/span> DATA_PATH<\/span>.<\/span>'_bak\/'<\/span>.<\/span>$filename;
<\/span><\/span>    if<\/span>(!<\/span>is_file<\/span>($filepath)) {
<\/span><\/span>        $this-><\/span>error<\/span>('文件不存在!'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    @<\/span>unlink<\/span>($filepath);
<\/span><\/span>    $this-><\/span>success<\/span>($filename.<\/span>'已经删除!'<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 对于TplAction.class.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> del<\/span>(){
<\/span><\/span>    $id =<\/span> trim<\/span>($_GET['id'<\/span>]);
<\/span><\/span>    \/\/ 验证文件路径是否在模板目录内
<\/span><\/span><\/span><\/span>    $allowed_dir =<\/span> realpath<\/span>(TEMPLATE_PATH<\/span>);
<\/span><\/span>    $target_file =<\/span> realpath<\/span>($id);
<\/span><\/span>    if<\/span>(strpos<\/span>($target_file, $allowed_dir) !==<\/span> 0<\/span>) {
<\/span><\/span>        $this-><\/span>error<\/span>('非法文件路径!'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    if<\/span> (!<\/span>substr<\/span>(sprintf<\/span>("%o"<\/span>,fileperms<\/span>($id)),-<\/span>3<\/span>)){
<\/span><\/span>        $this-><\/span>error<\/span>('无删除权限!'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    @<\/span>unlink<\/span>($id);
<\/span><\/span>    $this-><\/span>success<\/span>('删除文件成功!'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>总结<\/h2>
FeifeiCMS 4.0 中存在的任意文件删除漏洞主要源于对用户输入缺乏充分验证，直接将用户可控参数拼接到文件路径中。攻击者利用这些漏洞可以删除服务器上的重要文件，可能导致服务中断或更严重的安全问题。开发者应当对所有用户输入进行严格验证，特别是涉及文件系统操作时，应采用白名单机制限制可操作的文件范围。<\/p>

FeifeiCMS 4.0 任意文件删除漏洞分析<\/h1>

漏洞位置与详情<\/h2>

1. DataAction.class.php 中的任意文件删除<\/h3>

漏洞位置<\/h4> Lib\/Lib\/Action\/Admin\/DataAction.class.php<\/code><\/p>

2. TplAction.class.php 中的任意文件删除<\/h3>

漏洞位置<\/h4> Lib\/Lib\/Action\/Admin\/TplAction.class.php<\/code><\/p>

漏洞位置<\/h4>
`Lib\/Lib\/Action\/Admin\/DataAction.class.php<\/code><\/p>`

漏洞位置<\/h4>
`Lib\/Lib\/Action\/Admin\/TplAction.class.php<\/code><\/p>`