
fastadmin (V1.0.0.20200506_beta) front-end getshell (file upload parsing) vulnerability analysis

2020-9-21 / 0 comments / Penetration testing / Mrxn


0x1. Introduction

FastAdmin is a rapid back-end development framework based on ThinkPHP and Bootstrap.

Butian platform description: recently, the Butian vulnerability response platform detected a FastAdmin file upload vulnerability circulating on the internet, with the exploit made public. The vulnerability stems from improper design or implementation during the code development of the system or product, and can lead to a file being uploaded and then parsed as an executable file. The vendor has released a new version that fixes this vulnerability; the Butian vulnerability response platform advises affected customers to update the framework to a safe version.

Affected versions: v1.0.0.20180911_beta ~ v1.0.0.20200506_beta

Fix recommendation:

Upgrade FastAdmin to v1.0.0.20200920_beta; see the official site:

http://www.fastadmin.net/download.html

0x2. Vulnerability details

Exploitation constraints: the member center feature must be enabled, and the attacker must be logged in to the member center.

In /application/config.php:

    // Whether to enable the front-end member center
    'usercenter'            => true,

Vulnerability analysis

File /application/index/user.php

Lines 58-67:

public function _empty($name)
{
    // Developer hook; whatever it returns is only assigned to the view
    $data = Hook::listen("user_request_empty", $name);
    foreach ($data as $index => $datum) {
        $this->view->assign($datum);
    }
    // $name comes straight from the request and is used as the template name
    return $this->view->fetch($name);
}

user_request_empty is a hook reserved for developers and can be ignored; the line that matters is return $this->view->fetch($name);

The $name parameter of this method is attacker-controlled, and its value is passed straight into fetch().

fetch() is ThinkPHP's template parsing function; it returns the rendered content of the template file.

The key part of fetch() is as follows:

public function fetch($template, $data = [], $config = [])
{
    if ('' == pathinfo($template, PATHINFO_EXTENSION)) {
        // Get the template file name
        $template = $this->parseTemplate($template);
    }
    // Template does not exist: throw an exception
    if (!is_file($template)) {
        throw new TemplateNotFoundException('template not exists:' . $template, $template);
    }
    // Log the view information
    App::$debug && Log::record('[ VIEW ] ' . $template . ' [ ' . var_export(array_keys($data), true) . ' ]', 'info');
    $this->template->fetch($template, $data, $config);
}

Following the call stack further, this fetch() actually calls the fetch method of the built-in template engine, which essentially assigns the page content to be output to a variable. For convenience, ThinkPHP added PHP tag support to template rendering, so a template can contain and execute PHP code.

In one sentence: this vulnerability is a template engine injection caused by insufficient filtering of an input variable. Once the file handed to the template engine is controlled, the template's own rendering turns it into a file inclusion that yields a shell (getshell).
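As an added hardening example (my own code, not FastAdmin's actual fix; it assumes templates are .html files under a single view root directory), the following validates $name before it could ever reach fetch(), and additionally checks that the resolved template stays under the view root:

```php
<?php
// Added hardening example, not FastAdmin's own fix: validate the $name that
// _empty() receives before it reaches View::fetch(), so that only a plain
// action-style identifier can ever become a template path.

function safeTemplateName(string $name): ?string
{
    // Letters, digits and underscore only: no "/", "\", "." or "..", so neither
    // path traversal nor an explicit extension (which makes fetch() skip
    // parseTemplate() and treat $name as a file path) can get through.
    return preg_match('/\A[a-z][a-z0-9_]{0,63}\z/i', $name) ? strtolower($name) : null;
}

function resolveTemplate(string $viewRoot, string $name): ?string
{
    $safe = safeTemplateName($name);
    if ($safe === null) {
        return null;
    }
    $root      = realpath($viewRoot);
    $candidate = realpath($viewRoot . DIRECTORY_SEPARATOR . $safe . '.html');
    // realpath() returns false for a missing file and resolves symlinks, so the
    // final check is that the real file still lives under the real view root.
    if ($root === false || $candidate === false
        || strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Stand-alone demo with a constructed view directory (assumed layout:
// <viewRoot>/profile.html is the only legitimate template).
$viewRoot = sys_get_temp_dir() . '/fa_view_' . getmypid();
mkdir($viewRoot, 0700);
file_put_contents($viewRoot . '/profile.html', '<p>profile</p>');

$inputs = [
    'profile',                  // legitimate action name: accepted
    'profile.html',             // explicit extension: rejected
    '../../uploads/avatar.png', // traversal towards an upload: rejected
    '..\\..\\uploads\\a.png',   // Windows-style separators: rejected
    'missing',                  // valid name but no template file: rejected
];
foreach ($inputs as $in) {
    $resolved = resolveTemplate($viewRoot, $in);
    printf("%-28s => %s\n", $in, $resolved === null ? 'REJECTED' : $resolved);
}
unlink($viewRoot . '/profile.html');
rmdir($viewRoot);
```

Only the first input resolves to a path; the identifier check alone already rejects every traversal form regardless of the is_file() platform differences discussed below.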

Another point to note: the check of whether the passed-in template is a file uses is_file(), and this function behaves differently on Linux and Windows, specifically:

1. On Linux, when is_file() is used on a path like /****/../../../../etc/passwd and **** is a directory that does not exist, it returns false; on Windows it returns true whether or not that directory exists, as shown below:

[Figure: is_file.png]

[Figure: is_file_linux.png]


2. On Linux, is_file() also works on symbolic links (it resolves them before checking).

3. On Linux, is_file() is affected by permissions: when the current user lacks sufficient permission, or a parent directory does not have the +x (execute) bit set, is_file() returns false.

4. On Windows both / and \ work as path separators, but on Linux only / separates path components, so is_file() returns different results on the two systems for the same string.

[Figure: is_file_d.png]

[Figure: is_file_d2.png]


5. When is_file() is applied to a file larger than 2^32 bytes, the check fails.

0x3. Vulnerability verification

From the above, the exploitation point of this vulnerability is the _empty() function. Note that in the official documentation _empty() is normally the fallback entered when a requested method does not exist; here it is a developer-defined method, so the _empty method can be called directly with the name parameter supplied.

The exploitation process is as follows:

In the front-end member center, under the profile page, upload a new avatar:

[Figure: headpic.png]

After capturing the request, modify the image data (it only needs to satisfy the image header format):

[Figure: bp_head.png]

After noting the upload path, getshell succeeds:

[Figure: getshell.png]

On Linux this method fails, because no user directory exists under the /public path. From the earlier point we know that when that directory does not exist, no matter how the path traverses, is_file() always returns false, so the vulnerability cannot be exploited, as shown below:

[Figure: linux.png]

Once we create a /user folder under the /public directory and try again, it succeeds:

[Figure: linux2.png]

Finally, thanks to @ 师傅 for providing the vulnerability point; learned something new again.

Article source: http://forum.90sec.com/t/topic/1294

Author: http://forum.90sec.com/u/panda

Everyone can register and submit articles to 90sec! I'll vote for you! Hahaha

Tags: code, penetration testing, vulnerability, getshell
