PHP代码审计之TaoCMS(SQL注入+SSRF 0day)
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">首发于先知社区</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">原文链接:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://xz.aliyun.com/t/12499</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">原文作者:A2Cai</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">前言</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">大众</span>好,我是A2Cai</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">今天给<span style="color: black;">大众</span>带来的是 TaoCMS 的代码审计</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这是我审的<span style="color: black;">第1</span>个 CMS,<span style="color: black;">倘若</span>有错误请<span style="color: black;">大众</span>多多包涵</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">PS: 版本是 TaoCMS 3.0.2,本文</span>审计<span style="color: black;">到的都是我网络上没找到的,均已提交 CNVD。</span></p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">前台 DOM 型 XSS</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">有点难受的是,我一<span style="color: black;">起始</span>以为这是个存储型 XSS(<span style="color: black;">因此</span><span style="color: black;">文案</span>是这么来的呜呜呜</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">结果后面看了下<span style="color: black;">实质</span>是 DOM 型的 XSS...<span style="color: black;">害处</span>一下子降到底了</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">由于</span>这个漏洞产生的<span style="color: black;">原由</span>是 后端过滤不严谨 + 前端直接操作节点属性 <span style="color: black;">引起</span>的</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">不死心的我又跑去后台看了一下 ,<span style="color: black;">瞧瞧</span>有<span style="color: black;">无</span>解析...答案<span style="color: black;">是不是</span>定的</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">因此</span>说防御 XSS 漏洞需要对输入和输出进行防御....</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">即便传进去 XSS Poc 了<span style="color: black;">亦</span>执行不了呜呜呜呜</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">漏洞复现</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">首要</span>,点击首页任意一篇<span style="color: black;">文案</span>,<span style="color: black;">这儿</span>就选一<span style="color: black;">起始</span>默认的<span style="color: black;">文案</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrCPE055ibdfJ7dZyUTJlK0KMIcKlUajqk8ens0iapr3kGhDjuAh4LF6IQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">往下拉<span style="color: black;">发掘</span>有个评论功能</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVr1xwrr8Wbpqp45ibZAEYZZDiaafA5q5RKI4qaYahL0OIJwy4tib3z0ylUg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">依次填入以下poc:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">姓名:aaa)+alert(1)+(</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">邮箱:www.gdit.edu.cn@qq.com</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">网址:www.baidu.com</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">验证码:按<span style="color: black;">需求</span>输入</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">评论:随意</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">而后</span>点击提交评论</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">看到上面被<span style="color: black;">插进</span>了用户的留言,<span style="color: black;">而后</span>点击 回复</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrJnCOuCXCAlgibjNqCtZk0A50oxzRpaQ5pk11ExKrRia8GkkSFOLcwgug/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">发掘</span> XSS poc 被触发</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVruyNicsmdgAOb2pfGSfibxUg4I4TJBhJASJpWoRN1Po3IQibk2y3QKqUHw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">代码审计</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这儿的功能在 Model/Comment.php 下被实现</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrIvNAHXCia6jpeDg5wPoZsSN5eoDSNqxsrmMWM5HhibjIIR11as3hrNog/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">经过</span>抓包,<span style="color: black;">咱们</span><span style="color: black;">能够</span>看到 姓名 这个的参数名是 name</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrIvNAHXCia6jpeDg5wPoZsSN5eoDSNqxsrmMWM5HhibjIIR11as3hrNog/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">在代码中不难<span style="color: black;">发掘</span>,name 参数是<span style="color: black;">运用</span> safeword <span style="color: black;">办法</span>进行了两次过滤处理</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrPFickpFSoU18AFJA9uOjENnqib3yep6Dpm4rIe1RPDMEZDk5Z1IcaGoA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">跟踪到 safeword <span style="color: black;">办法</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVr48mqz0MdP7Nhh8zzL6ianqgNicV4M4O6ps7zd0DSnKOCL3LGCEmiaYQvQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> level 3 和 level 5 两个等级的 safeword <span style="color: black;">办法</span>对传入的字符串进行了以下处理:</p>strip_tags 去除所有 HTML、XML、PHP 的标签。htmlspecialchars 把预定义的字符转换成 HTML 实体。nl2br 把字符串中的 \n 转换成 <br>。<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">但这种过滤防护忽略了一种<span style="color: black;">状况</span>:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">便是</span>当用户的输入会被<span style="color: black;">插进</span>在 HTML 标签的属性时,该过滤<span style="color: black;">办法</span>将完全失效。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">回到前端代码,F12 定位到回复的这个超链接中</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrajtaiaIFq6a3aYiasmqssqh7sXCpNo7FWv4SWcibzInVzlP2t2Wxb5Oyw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">定位到 backcomment 函数</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrajtaiaIFq6a3aYiasmqssqh7sXCpNo7FWv4SWcibzInVzlP2t2Wxb5Oyw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">发掘</span>它是简单拼接后就直接给节点赋值</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">正常情况下,用户自定义的名字,会被<span style="color: black;">插进</span>到 backcomment 函数中被两个单引号<span style="color: black;">包含</span>起来</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">咱们</span><span style="color: black;">能够</span><span style="color: black;">经过</span> ) 来逃逸 backcomment 函数的范围</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">因为</span>是 return,<span style="color: black;">因此</span>即便有分号<span style="color: black;">亦</span>不会再往后执行</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">咱们</span><span style="color: black;">能够</span><span style="color: black;">经过</span> + 对 return 的内容进行拼接,就变成下面这个样子</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrajtaiaIFq6a3aYiasmqssqh7sXCpNo7FWv4SWcibzInVzlP2t2Wxb5Oyw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">最后点击回复<span style="color: black;">就可</span>触发 DOM XSS</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">SQL 注入</h2>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">漏洞复现</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">因为</span>这个漏洞点是直接审的代码</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">因此</span><span style="color: black;">亦</span>就没这么多过程了</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">直接上 Poc</p><span style="color: black;">GET /admin/admin.php?action=datastore&ctrl=create&bulist=admin+where+id=1+union+select+(user()),2,3,4,5,6,7,8 HTTP/1.1</span><span style="color: black;">Host: phpcode.com</span><span style="color: black;">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0</span><span style="color: black;">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span><span style="color: black;">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><span style="color: black;">Accept-Encoding: gzip, deflate</span><span style="color: black;">Connection: close</span><span style="color: black;">Referer: http://phpcode.com/admin/admin.php?action=datastore&ctrl=display</span><span style="color: black;">Cookie: PHPSESSID=ecfspc92npb6f3napn1j1c11l1; tao_dig27=1682952434</span><span style="color: black;">Upgrade-Insecure-Requests: 1</span>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">响应包:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrdNTb2XZs9p93D03lldic9jUicCzjLqWC41qkzLHROzEofxcJ6HmAeGCw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">不外</span>后面还是稍微翻了一下</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">功能点在这儿</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrhGHWEFTZ2Skric9XJCuDiaHJtibUCOic1Z1W1qmhXldS5sXjw5friaXib1Sg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">又稍稍上 CNVD 看了一眼,<span style="color: black;">好似</span><span style="color: black;">无</span>人和我提交<span style="color: black;">同样</span>的(<span style="color: black;">亦</span>可能是没公开</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PS:我怎么<span style="color: black;">晓得</span>的呢?<span style="color: black;">由于</span>我是直接上 github 翻这套 CMS 的 issue 的,里面有漏洞<span style="color: black;">仔细</span>的信息。</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">代码审计</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">功能实现<span style="color: black;">掌控</span>器在 Model/Datastore.php</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">漏洞产生点在 create <span style="color: black;">办法</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrh22ia7ge2tSc73gDdORoTRic9TVmYrkYj0kbTvJ7FMSZkl31rXoB0ibYA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这段代码的<span style="color: black;">规律</span>,大体上是<span style="color: black;">经过</span> GET 获取 bulist 参数的值</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">对 bulist 参数的值进行分割,<span style="color: black;">而后</span>分批读取数据库内的所有表的所有数据</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">并写入到 backup-xxxxx.sql 中供用户下载</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">简而言之,<span style="color: black;">便是</span>一个数据库的备份功能</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">但<span style="color: black;">这儿</span>并<span style="color: black;">无</span>对 bulist 的值进行任何过滤,就<span style="color: black;">插进</span> "select * from " 后面<span style="color: black;">而后</span>执行</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">最后</span>会<span style="color: black;">引起</span> SQL 注入的<span style="color: black;">出现</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Poc:</p><span style="color: black;">http://xxx.com/admin/admin.php?action=datastore&ctrl=create&bulist=admin+where+id=1+union+select+(user()),2,3,4,5,6,7,8</span>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">重视</span>:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Referer 的值要为</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">http://xxx.com/admin/admin.php?action=datastore&ctrl=display </p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">,<span style="color: black;">否则</span>会<span style="color: black;">没法</span>执行。</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">SSRF</h2>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">漏洞复现</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">实战从没利用成功的 SSRF <span style="color: black;">最终</span>让我代审给你捕到了</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">人麻了,人与人之间要是多点信任,少点防火墙那该有多好啊</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">下面是漏洞复现</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">登录后台,进到这个页面</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrcwzNbjduEmLnGXexribcz5vcUSmnYYuuDrrkvO7nQ9zdI3aHxqxU76Q/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">而后</span>更改为以下配置</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrMdzUVbYUBQ0sibsjHkYtMDlniaDUBNQ5U6q8fQcVvkGCic0OJba10cZlg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">点击<span style="color: black;">起始</span>采集</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/yzsHc8qARCxPzGdzoiak5SetPJ0xDdaVrNbrrpiaCqjJC3Q2DM141UibpjhL8cmbgdN99afQtpib6LO5qYqMVZkNmA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这个时候<span style="color: black;">倘若</span>抓包的话,会<span style="color: black;">发掘</span>是服务端返回的信息</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">而不是客户端发起的请求,<span style="color: black;">因此</span>是个 SSRF</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">而后</span>尝试 file 伪协议读文件</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Poc:file:///D:/1.txt?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">重视</span>:? 号<span style="color: black;">必定</span>得带,至于为啥看后面有讲</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">尝试探测端口</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Poc:http://127.0.0.1:3306/?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">代码审计</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这次漏洞点在 Module/Spider.php 的 execute <span style="color: black;">办法</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">定位到 execute <span style="color: black;">办法</span>(代码有点长我只截图关键的...</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">发掘</span>有个可能有问题的<span style="color: black;">办法</span> fetchurl</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">定位到 fetchurl <span style="color: black;">办法</span>,如下图所示</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">发掘</span><span style="color: black;">便是</span>传入一个链接,<span style="color: black;">而后</span>直接拖取数据的<span style="color: black;">办法</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这种<span style="color: black;">倘若</span><span style="color: black;">无</span>对传入的链接做出限定的话,很可能会<span style="color: black;">引起</span> SSRF 漏洞</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">此时</span>候<span style="color: black;">能够</span>往回<span style="color: black;">瞧瞧</span>,<span style="color: black;">瞧瞧</span> fetchurl 传入的三个参数可不可控,有没被过滤</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">发掘</span><span style="color: black;">无</span>任何的过滤,那就可以说尝试<span style="color: black;">瞧瞧</span> SSRF 了</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">不外</span>接下来还要<span style="color: black;">思虑</span>下<span style="color: black;">是不是</span>能输出...继续看下去</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">这一段的<span style="color: black;">规律</span>是:</p>看下指定的编码是不是 UTF-8,<span style="color: black;">倘若</span>不是就转换。<span style="color: black;">运用</span> preg_match 去获取符合正则的内容,放到 titlearray 数组中,并将其赋值给 data["name"]。最后 打印 data["name"] 的值。<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">因此</span>到了<span style="color: black;">这儿</span>,问题就变<span style="color: black;">成为了</span> “<span style="color: black;">怎样</span>让获取的内容符合正则表达式呢?”</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">这儿</span>会<span style="color: black;">发掘</span>说,诶这个 titlepreg 的正则是哪来的?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">往上翻会<span style="color: black;">发掘</span>有个 createpreg 的<span style="color: black;">办法</span>,定位到这个<span style="color: black;">办法</span>看下</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">下面是定位到的 createpreg <span style="color: black;">办法</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">发掘</span>这个<span style="color: black;">办法</span>其实很简单,<span style="color: black;">便是</span>字符串替换<span style="color: black;">而后</span>返回个正则表达式<span style="color: black;">吗</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">按照</span>前面的代码<span style="color: black;">能够</span><span style="color: black;">晓得</span>,name 参数的值是被写死的,<span style="color: black;">咱们</span>可控的是 preg 参数的值</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">咱们</span>最后的目的是为了让它返回所有的内容<span style="color: black;">吗</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">因此</span>结合 return 后面的值来看,<span style="color: black;">咱们</span>只需要传入 .* <span style="color: black;">就可</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">但这儿还要<span style="color: black;">重视</span>一个点,<span style="color: black;">便是</span> preg_match 这个函数</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">当你传入第三个值的时候,就会将搜索结果填充到第三个参数中</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">因此</span>前面的正则表达式还需要加上 () <span style="color: black;">才可</span>有搜索结果</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">最后得到的正则表达式<span style="color: black;">便是</span> (.*)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">而后</span>找到调用这个<span style="color: black;">办法</span>的业务点(懒得拼接参数</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">开代理抓包:</p><span style="color: black;">GET /admin/admin.php?front=http%3A%2F%2Fwww.baidu.com%2F%3F&start=1&rend=2&back=.htm&each=2&basecode=utf-8&titlepreg=%28.*%29&contentpreg=%28.*%29&cat=0&repword=%E7%AC%91%E5%98%BB%E5%98%BB%7CtaoCMS%0D%0A%E5%BF%AB%E4%B9%90%7C%E9%AB%98%E5%85%B4&llink=1&action=spider&ctrl=execute&Submit=%E5%BC%80%E5%A7%8B%E9%87%87%E9%9B%86&test=1 HTTP/1.1</span><span style="color: black;">Host: phpcode.com</span><span style="color: black;">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0</span><span style="color: black;">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span><span style="color: black;">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><span style="color: black;">Accept-Encoding: gzip, deflate</span><span style="color: black;">Connection: close</span><span style="color: black;">Referer: http://phpcode.com/admin/admin.php?action=spider&ctrl=display</span><span style="color: black;">Cookie: PHPSESSID=ecfspc92npb6f3napn1j1c11l1; tao_dig27=1682952434; caf_ipaddr=3.0.92.142; country=SG; city="Singapore"; expiry_partner=; __gsas=ID=a4732952401d9990:T=1682933879:S=ALNI_MZCN7IrRihmqjkL4o8N7JGsDAxHwQ; pvisitor=c0664828-e038-4d7c-b430-bff02e4113dd</span><span style="color: black;">Upgrade-Insecure-Requests: 1</span>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">后面就大差不差了,<span style="color: black;">详细</span>的都在上面漏洞复现里展示了</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">就还有要<span style="color: black;">重视</span>的一个点...</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">是<span style="color: black;">运用</span> file:// 伪协议去读文件的时候,需要在末尾加个 ? 号<span style="color: black;">或</span> # 号</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">由于</span>它这个采集数据的时候,会拼接数字<span style="color: black;">做为</span>采集的范围</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">urlback 参数<span style="color: black;">能够</span>为空,但 i 参数<span style="color: black;">必定</span>是个整数</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">因此</span>要用 ? <span style="color: black;">或</span> # 去注释掉后面拼接的数字</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Poc:file%3A%2F%2F%2FD%3A%2F1.txt%23</p>
楼主发的这篇帖子,我觉得非常有道理。
页:
[1]