Preface
This article covers some newly found vulnerabilities in Ultimate CMS v1.7, starting from the MVC routing and then using that routing to exploit the vulnerabilities.
First, open index.php
```php
<?php
// Application directory: the current directory
define('APP_PATH', __DIR__.'/');
//define('APP_DEBUG', true);
// Define the project directory
define('APP_HOME', 'Home');
// Define the project template file directory
define('HOME_VIEW', 'template');
// Define the project template public file directory
define('Tpl_common', '');
// Define the project controller file directory
define('HOME_CONTROLLER', 'c');
// Define the project model file directory
define('HOME_MODEL', 'm');
// Define the project default method
define('DefaultAction', 'jizhi');
// Cancel logging
define('StopLog', false);
// Define the static file path
define('Tpl_style', '/static/');
// Load the framework
require(APP_PATH.'FrPHP/fr.php');
// It's as simple as that
```
First the constants are defined, then the framework is loaded, so go straight to the loaded framework, FrPHP/fr.php, open it, scroll to the end and find the entry point.
The configuration file is loaded first; because the configuration file is wrapped in single quotes there is nothing to see there. Then the EUN method of FrPHP is triggered, so follow it up.
I am a network security worker, good at penetration attack and defense. I have studied and worked in this field for a few years and have also organized a lot of penetration, attack and defense, audit and other documents; readers who need these documents, **click my profile to get them**.
The first three steps are simple: configure the database and do some simple processing of the incoming data. Note the route() processing and follow it up. The parameters passed in by the URL are received on line 141, and the controller and method names are defined on line 206. The incoming URL is then processed at line 212, removing the index.php that precedes it. Then, starting at line 231, the URL is split into an array, so if I type index.php/home/ce it is split into Home and ce, which are assigned to the controller name and the method name at line 243. The method of the specified class is then called.
Vulnerabilities
SQL injection
In jizhi() in \Home\c\homecontroller.php, note that there is a link on line 101.
The URL comes from here: $url accepts only the input from the URL bar, so let's look at how it is received: it only takes what comes after index.php. So we think about how to exploit it, but we can't replace /home/, otherwise jizhi won't be executed. However, going back to the MVC chapter, at line 264 we can see that ControllerName defaults to Home if the one we entered does not exist. This means we can write whatever we want in that position, all of which is eventually converted to Home by default, so we can inject SQL directly. (jizhi_details: SQL injection)
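The fallback described above is easiest to see side by side with the strict alternative. The following dispatcher is an added example, not code from the CMS or from this article: it mirrors the URL splitting described in the MVC section and contrasts a lenient resolver (unknown controller silently replaced by the default) with a strict one that returns a 404 instead. Only the default names come from index.php; the controller map, the helper names and the sample URLs are assumptions for illustration.

```php
<?php
// Added example (not the CMS's own code): lenient vs. strict route resolution.
// DEFAULT_* follow index.php (APP_HOME / DefaultAction); everything else is assumed.

const DEFAULT_CONTROLLER = 'Home';    // APP_HOME in index.php
const DEFAULT_ACTION     = 'jizhi';   // DefaultAction in index.php

// Strip the script name from the request path and split the rest, so that
// "/index.php/home/ce" becomes ["home", "ce"].
function routeSegments(string $requestUri, string $scriptName = '/index.php'): array
{
    $path = (string) parse_url($requestUri, PHP_URL_PATH);
    if (strpos($path, $scriptName) === 0) {
        $path = substr($path, strlen($scriptName));
    }
    return array_values(array_filter(explode('/', $path), 'strlen'));
}

function normalize(string $name): string
{
    return ucfirst(strtolower($name));
}

// Lenient resolution, the behaviour the article describes at line 264: an
// unknown controller name is silently replaced by the default one, so any
// garbage in the first segment still reaches Home::jizhi while the raw path
// survives in $url.
function resolveLenient(array $segments, array $controllers): array
{
    $ctrl = normalize($segments[0] ?? DEFAULT_CONTROLLER);
    $act  = $segments[1] ?? DEFAULT_ACTION;
    if (!isset($controllers[$ctrl])) {
        $ctrl = DEFAULT_CONTROLLER;
    }
    return [$ctrl, $act];
}

// Strict resolution: both segments must be plain identifiers and the pair
// must exist in the controller map; otherwise null, which the caller turns
// into a 404 instead of a default page fed with attacker-controlled input.
function resolveStrict(array $segments, array $controllers): ?array
{
    $ctrl = normalize($segments[0] ?? DEFAULT_CONTROLLER);
    $act  = $segments[1] ?? DEFAULT_ACTION;
    foreach ([$ctrl, $act] as $name) {
        if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $name)) {
            return null;
        }
    }
    if (!isset($controllers[$ctrl]) || !in_array($act, $controllers[$ctrl], true)) {
        return null;
    }
    return [$ctrl, $act];
}

// Assumed controller map; a real application would build it from
// class_exists()/method_exists() on the loaded controller classes.
$controllers = ['Home' => ['jizhi', 'jizhi_details'], 'Error' => ['index']];

foreach (['/index.php/home/jizhi', '/index.php/home/ce', '/index.php/no-such-thing/jizhi'] as $uri) {
    $segs = routeSegments($uri);
    $strict = resolveStrict($segs, $controllers);
    printf("%-34s lenient=%-20s strict=%s\n", $uri,
        implode('::', resolveLenient($segs, $controllers)),
        $strict === null ? '404' : implode('::', $strict));
}
```

With the lenient resolver the third URL lands on Home::jizhi exactly as the article describes; the strict resolver rejects it because the first segment is not a known controller. Whatever resolver is used, the request path should never be concatenated into a query: the link built on line 101 needs a bound parameter or an escaped, allow-listed value.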
```php
if($_POST){
    $data = $this->frparam();
    $w = get_fields_data($data,$w['molds']);
    switch($w['molds']){
        case 'article':
            if(!$data['body']){
                if($this->frparam('ajax')){
                    JsonReturn(['code'=>1,'msg'=>'Content cannot be empty!']);
                }else{
                    Error('Content cannot be empty!');
                }
            }
            if(!$data['title']){
                if($this->frparam('ajax')){
                    JsonReturn(['code'=>1,'msg'=>'Title cannot be empty!']);
                }else{
                    Error('Title cannot be empty!');
                }
            }
            $data['body'] = $this->frparam('body',4);
            $w['title'] = $this->frparam('title',1);
            $w['seo_title'] = $w['title'];
            $w['keywords'] = $this->frparam('keywords',1);
            $w['litpic'] = $this->frparam('litpic',1);
            $w['body'] = $data['body'];
            $w['description'] = newstr(strip_tags($data['body']),200);
            break;
        // ... (other molds omitted in the original)
    }
    // ...
    if($this->frparam('id')){
        $a = M($w['molds'])->update(['id'=>$this->frparam('id')],$w);
        if(!$a){
            if($this->frparam('ajax')){
                JsonReturn(['code'=>1,'msg'=>'Unmodified content, cannot submit!']);
            }else{
                Error('Unmodified content, cannot submit!');
            }
        }
        if($this->frparam('ajax')){
            JsonReturn(['code'=>0,'msg'=>'Modified successfully!','url'=>U('user/posts',['molds'=>$w['molds']])]);
        }else{
            Success('Modified successfully!',U('user/posts',['molds'=>$w['molds']]));
        }
    }else{
        $a = M($w['molds'])->add($w);
        if(!$a){
            if($this->frparam('ajax')){
                JsonReturn(['code'=>1,'msg'=>'Publish failed, please try again!']);
            }else{
                Error('Publish failed, please try again!');
            }
        }
        if($this->frparam('ajax')){
            JsonReturn(['code'=>0,'msg'=>'Published successfully!','url'=>U('user/posts',['molds'=>$w['molds']])]);
        }else{
            Success('Published successfully!',U('user/posts',['molds'=>$w['molds']]));
        }
    }
}
```
$data is assigned from frparam() first and then passed through the get_fields_data function, which looks like this:
```php
function get_fields_data($data,$molds,$isadmin=1){
    if($isadmin){
        $fields = M('fields')->findAll(['molds'=>$molds,'isadmin'=>1],'orders desc,id asc');
    }else{
        // The front end needs to check whether the field is displayed
        $fields = M('fields')->findAll(['molds'=>$molds,'isshow'=>1],'orders desc,id asc');
    }
    foreach($fields as $v){
        if(array_key_exists($v['field'],$data)){
            switch($v['fieldtype']){
                case 1: case 2: case 5: case 7: case 9: case 12:
                    $data[$v['field']] = format_param($data[$v['field']],1);
                    break;
                case 11:
                    $data[$v['field']] = strtotime(format_param($data[$v['field']],1));
                    break;
                case 3:
                    $data[$v['field']] = format_param($data[$v['field']],4);
                    break;
                case 4: case 13:
                    $data[$v['field']] = format_param($data[$v['field']]);
                    break;
                case 14:
                    $data[$v['field']] = format_param($data[$v['field']],3);
                    break;
                case 8:
                    $r = implode(',',format_param($data[$v['field']],2));
                    if($r!=''){
                        $r = ','.$r.',';
                    }
                    $data[$v['field']] = $r;
                    break;
            }
        }else if(array_key_exists($v['field'].'_urls',$data)){
            switch($v['fieldtype']){
                case 6: case 10:
                    $data[$v['field']] = implode('||',format_param($data[$v['field'].'_urls'],2));
                    break;
            }
        }else{
            $data[$v['field']] = '';
        }
    }
    return $data;
}
```
The result is assigned to $w. Then you see this line in the source code:
```php
$data['body'] = $this->frparam('body',4);
```
The filter mode here is 4, and the body stored this way gives an XSS. Payload:
tid=2&article=asd&body=<script>alert(1)</script>&id=4&molds=article&title=qwe&sad=qwe
XSS 2
The bug is in \Home\c\errorController.php. It's easy; just type in:
?msg=<script>alert(1)</script>
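Both XSS cases above come down to untrusted text reaching the page unencoded. The following is an added example, not code from the CMS or the article, showing the two treatments that close them: HTML-encoding a plain-text parameter such as msg on output, and reducing a rich-text field such as the article body to an allow-list of tags and attributes before it is stored, with event-handler attributes and javascript: URLs removed. The allow-lists and the sample inputs are assumptions chosen for illustration; for production, a maintained sanitizer library (HTML Purifier, for example) is the better choice.

```php
<?php
// Added example (not the CMS's own code): output encoding for plain text and
// an allow-list HTML sanitizer for rich text. The lists below are assumptions.

const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a', 'img',
                       'ul', 'ol', 'li', 'h2', 'h3', 'blockquote', 'pre', 'code'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
// Elements whose content must go too, not just the tag itself.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'svg'];

// Reflected text (the error page's msg parameter): encode on output.
function escapeText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Accept only relative URLs and a few safe schemes. Control characters and
// whitespace are stripped first because browsers ignore them inside a scheme.
function isSafeUrl(string $url): bool
{
    $clean = preg_replace('/[\x00-\x20]+/', '', $url);
    $parts = parse_url($clean);
    if ($parts === false) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    return $scheme === '' || in_array($scheme, ['http', 'https', 'mailto'], true);
}

function sanitizeHtml(string $html): string
{
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    // Wrap the fragment so it parses predictably and force UTF-8.
    $dom->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $root  = $dom->documentElement;               // the wrapper div
    $xpath = new DOMXPath($dom);
    // Visit elements deepest-first so that removing or unwrapping a node
    // never disturbs nodes still to be visited.
    foreach (array_reverse(iterator_to_array($xpath->query('//*'), false)) as $el) {
        if ($el->isSameNode($root)) {
            continue;
        }
        $tag = strtolower($el->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            if (!in_array($tag, DROP_WITH_CONTENT, true)) {
                // Unknown but harmless tag: keep its children, drop the tag.
                while ($el->firstChild !== null) {
                    $el->parentNode->insertBefore($el->firstChild, $el);
                }
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name    = strtolower($attr->name);
            $allowed = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($allowed && in_array($name, ['href', 'src'], true)) {
                $allowed = isSafeUrl($attr->value);
            }
            if (!$allowed) {                       // this also drops every on* handler
                $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

// Constructed inputs mirroring the article's payloads.
echo escapeText('<script>alert(1)</script>'), PHP_EOL;
echo sanitizeHtml('<p onclick="alert(1)">hi</p><script>alert(1)</script>'
                . '<a href="javascript:alert(1)">x</a><img src="/static/a.png" onerror="alert(1)">'), PHP_EOL;
```

The first call prints the script tag as harmless entities; the second prints `<p>hi</p><a>x</a><img src="/static/a.png">`, with the script element, the onclick and onerror handlers and the javascript: link all gone. In the CMS this would sit where frparam('body',4) currently returns the raw value, while the error page's msg would pass through escapeText() at the point it is echoed.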
Arbitrary file deletion
The bug is in A\c\syscontroller.php, in deletePicAll:
First, the frparam function takes values passed from the browser and filters them to a certain extent, mainly by replacing single quotes with double quotes. The data value is then put into the query, and the litpic field of each row in the returned array is used as the file name of the file to delete.
First, let's test with this code:
```php
function ce(){
    $data = $this->frparam('data',1);
    if($data!=''){
        $pictures = M('pictures')->findAll('id in(' . $data . ')');
        var_dump($pictures);
        $isall = true;
        foreach($pictures as $v){
            if(strpos($v['litpic'],'http')===false){
                var_dump('.'.$v['litpic']);
            }else{
                $isall = false;
            }
        }
    }
}
```
Then type the input and see that the statement is executed: the data value goes straight into the id in(...) clause, so the query is under our control, which allows arbitrary file deletion.
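The deletion path has two defects at once: the id list is concatenated into SQL, and the litpic value is used as a file system path without any confinement. The following is an added example, not code from the CMS or the article, of how the same operation looks when both are fixed: the ids are reduced to positive integers and bound to a parameterised IN (...), and a stored path is deleted only if its real path resolves inside the upload directory. The table and column names (pictures, id, litpic) and the convention that litpic is a path relative to the web root follow the article; the PDO connection, the web root, the upload directory and the demo data at the bottom are assumptions (the demo needs the pdo_sqlite extension and writes to a temporary directory).

```php
<?php
// Added example (not the CMS's own code): hardened version of the deletePicAll
// pattern. Table/column names follow the article; everything else is assumed.

// Accept only a comma-separated list of positive integers; anything else is
// dropped, so the id list can never carry SQL.
function parseIdList(string $data): array
{
    $ids = [];
    foreach (explode(',', $data) as $piece) {
        $piece = trim($piece);
        if (preg_match('/^[1-9][0-9]*$/', $piece)) {
            $ids[] = (int) $piece;
        }
    }
    return array_values(array_unique($ids));
}

// Resolve a stored path against the web root and accept it only if the real
// path lies inside the upload directory (defeats ../ and symlink tricks).
function resolveInsideUploads(string $webRoot, string $uploadDir, string $litpic): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $litpic)) {
        return null;                       // http://... and other URLs are not local files
    }
    $base   = realpath($uploadDir);
    $target = realpath($webRoot . '/' . ltrim($litpic, '/\\'));
    if ($base === false || $target === false) {
        return null;
    }
    return strpos($target, $base . DIRECTORY_SEPARATOR) === 0 ? $target : null;
}

// Look the ids up with a parameterised IN (...) and delete only confined files.
// Returns the paths that were (or, in dry-run mode, would be) deleted.
function deletePictures(PDO $pdo, string $data, string $webRoot, string $uploadDir, bool $dryRun = false): array
{
    $ids = parseIdList($data);
    if ($ids === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $pdo->prepare("SELECT id, litpic FROM pictures WHERE id IN ($marks)");
    $stmt->execute($ids);
    $deleted = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $path = resolveInsideUploads($webRoot, $uploadDir, (string) $row['litpic']);
        if ($path === null || !is_file($path)) {
            continue;                      // external URL, traversal attempt, or missing file
        }
        if (!$dryRun) {
            unlink($path);
        }
        $deleted[] = $path;
    }
    return $deleted;
}

// --- constructed demo: temporary web root plus an in-memory database -------
$webRoot   = sys_get_temp_dir() . '/cmsdemo_' . getmypid();
$uploadDir = $webRoot . '/static/upload';
mkdir($uploadDir, 0700, true);
file_put_contents($uploadDir . '/a.jpg', 'img');
file_put_contents($webRoot . '/config.php', 'secret');

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE pictures (id INTEGER PRIMARY KEY, litpic TEXT)');
$pdo->exec("INSERT INTO pictures VALUES
    (1, '/static/upload/a.jpg'),
    (2, '/config.php'),
    (3, '/static/upload/../../config.php'),
    (4, 'http://cdn.example/b.png')");

print_r(parseIdList('1, 2, x'));                                      // [1, 2]: non-numeric piece dropped
print_r(deletePictures($pdo, '1,2,3,4', $webRoot, $uploadDir, true)); // only .../static/upload/a.jpg

// Tidy up the temporary files.
unlink($uploadDir . '/a.jpg');
unlink($webRoot . '/config.php');
rmdir($uploadDir);
rmdir($webRoot . '/static');
rmdir($webRoot);
```

Of the four rows, only row 1 survives the path check: row 2 points outside the upload directory, row 3 resolves to the same file once realpath() collapses the ../ segments, and row 4 is a URL rather than a local file. The dry-run flag makes the function usable as a pre-flight check that logs what would be removed before any unlink() happens.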