Arbitrary file write
This CMS is built on ThinkPHP 5.1. If you are looking for an RCE, you can search the application folder directly for file_put_contents and other dangerous functions, as shown below. A global search for file_put_contents lands directly in the fileEdit method.
We see that its first argument, $rootPath, is built by concatenating the following:

```php
$rootpath = Env::get('root_path') . 'theme' . DIRECTORY_SEPARATOR . $template . DIRECTORY_SEPARATOR . $path;
```
Since $path is under our control, the obvious question is whether there is a path traversal problem.
The second argument, htmlspecialchars_decode(Request::param('html')), is also under our control.
So the picture is now fairly clear. htmlspecialchars_decode does not interfere with writing PHP code either, so we simply POST path=../../index.php&html= with the PHP code as the html value, and that is all.
You can see that the RCE succeeds.
Arbitrary file reading
Further down the fileEdit method there is a file_get_contents call that also reads from $rootPath, so we control that as well. The difference is that the else branch is reached with a GET request.
We pass ../../index.php directly.
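Both the write and the read above go wrong at the same place, the $rootPath concatenation. As an added example that is not the CMS's own code, here is how that path construction could be hardened so fileEdit can only touch files inside the theme directory; the function name, the html/css/js whitelist and the temp-directory demo layout are assumptions:

```php
<?php
// Added example, not the CMS's own code. Hardened replacement for the
// $rootpath concatenation used by fileEdit for both writing and reading.
// Returns the absolute path, or null when the request must be rejected.
function resolveThemePath(string $rootPath, string $template, string $path)
{
    // 1. Reject stream wrappers (phar://, php://, data://, ...) in user input.
    foreach ([$template, $path] as $part) {
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $part)) {
            return null;
        }
    }
    // 2. Reject NUL bytes and any empty, "." or ".." segment before touching the FS.
    $segments = preg_split('#[\\\\/]+#', $template . '/' . $path);
    foreach ($segments as $seg) {
        if ($seg === '' || $seg === '.' || $seg === '..' || strpos($seg, "\0") !== false) {
            return null;
        }
    }
    // 3. Only allow the file types a theme editor needs (assumed whitelist),
    //    so a .php target is refused even if traversal were somehow possible.
    if (!preg_match('/\.(html|css|js)$/i', $path)) {
        return null;
    }
    // 4. Canonicalise and confirm containment; realpath() also resolves symlinks.
    $themeDir = realpath($rootPath . 'theme');
    if ($themeDir === false) {
        return null;
    }
    $candidate = $themeDir . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);
    $parent = realpath(dirname($candidate)); // target may not exist yet when writing
    $prefix = $themeDir . DIRECTORY_SEPARATOR;
    if ($parent === false || strncmp($parent . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $parent . DIRECTORY_SEPARATOR . basename($candidate);
}

// Constructed demo layout in the temp dir, mirroring root_path . 'theme/<template>/'.
$root = sys_get_temp_dir() . '/cms_demo/';
@mkdir($root . 'theme/default', 0700, true);
var_dump(resolveThemePath($root, 'default', 'index.html'));           // absolute path inside theme/
var_dump(resolveThemePath($root, 'default', '../../index.php'));      // NULL: traversal refused
var_dump(resolveThemePath($root, 'default', 'phar://up.gif/x.html')); // NULL: wrapper refused
```

The segment check alone already stops the ../../index.php payload used above; the realpath containment check is defence in depth against symlinks inside the theme directory.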
Deserialization vulnerability
The two vulnerabilities above rely on file_get_contents and file_put_contents. Both are filesystem I/O functions, which in principle means phar deserialization could be triggered through them, but their paths are not fully controllable: only the trailing part is, so a phar:// prefix cannot be supplied there. That route does not work, so the next idea is to search for other functions that can operate on a phar.
A global search for is_dir, checking each hit in turn for one that is usable.
In scanFilesForTree the argument is directly controllable. As noted at the beginning of the article, this CMS is built on ThinkPHP 5.1, so the ThinkPHP 5.1 deserialization vulnerability can be used directly to generate a phar file for RCE.
Let's first check whether the phar file can be uploaded. The admin backend does provide a file upload.
Intercepting the request and testing it first, we get the error "illegal picture file", so some kind of filter must be in place.
Looking at the upload function, we find validation of the image's extension and size:
```php
public function upload($file, $fileType = 'image')
{
    switch ($fileType) {
        case 'image':
            // Only the extension and the size of the upload are checked
            $result = $file->check([
                'ext'  => $this->config['upload_image_ext'],
                'size' => $this->config['upload_image_size'] * 1024,
            ]);
            if (empty($result)) {
                $this->error = $file->getError();
                return false;
            }
            break;
    }
    $result = $this->uploadHandler->upload($file);
    $data = array_merge($result, ['site_id' => $this->site_id]);
    SiteFile::create($data);
    return $data;
}
```
Next we try prepending a GIF89a header to the upload; this CTF staple still works here, so we upload our phar file directly.
Remember to add the GIF89a header when generating the phar file, like this:

```php
$phar->setStub('GIF89a' . '<?php __HALT_COMPILER(); ?>'); // set the stub
```
It uploads successfully; note the returned path for later.
Finally, we trigger the phar file through scanFilesForTree.
Conclusion
All vulnerabilities in this article have been reported to CNVD. This CMS is well suited for practice. The main approach is to locate dangerous functions through white-box review and then try to gain control over their parameters and variables.