At the start, no usable entry point was found on the main target site.

I ran a C-segment (same /24 range) query on FOFA for the target, randomly opened one of the hosts, and found it was a TP (ThinkPHP) site.

I found its admin backend and logged in with a weak password, but the backend has no usable functionality:

Directory traversal

This site has several files vulnerable to directory traversal.

I then went through the files one by one looking for useful configuration information and, unsurprisingly, found nothing. With no other lead, I happened to see an article published by an official account (the link is posted below):

It mentions that KindEditor CMS has a directory traversal vulnerability.

The vulnerability lies in file_manager_json.php, the script used to browse previously uploaded files:

```php
$php_path = dirname(__FILE__) . '/';
// root directory of uploaded files ($root_url, used below, is defined in the same file)
$root_path = $php_path . '../attached/';

if (empty($_GET['path'])) {
    $current_path = realpath($root_path) . '/';
    $current_url = $root_url;
    $current_dir_path = '';
    $moveup_dir_path = '';
}
```

If the attached directory does not exist, realpath($root_path) returns false (empty), so $current_path becomes '/', the system root directory, and you can browse /etc, /tmp, /var and so on. The '../' check later in the file does block moving up, but it is useless when browsing already starts at the root directory.
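The failure mode above, written out as an added PHP example (not KindEditor's own code): the unsafe root resolution next to a version that fails closed when the root directory is missing, plus a confinement check for the user-supplied path that goes slightly beyond the page by comparing canonical paths instead of searching for '../'. The function names, the temporary directories and the sample paths are all constructed for the demonstration.

```php
<?php
// Added example, not KindEditor's code. Reproduces the root-path collapse from
// file_manager_json.php and shows a version that fails closed and confines
// the user-supplied path. Paths and function names are constructed here.

// Mirrors the original: realpath() returns false for a missing directory,
// and false . '/' is just '/', the filesystem root.
function resolve_root_unsafe(string $root_path): string
{
    return realpath($root_path) . '/';
}

// Fail closed: refuse to serve anything unless the root really exists.
function resolve_root_safe(string $root_path): ?string
{
    $real = realpath($root_path);
    if ($real === false || !is_dir($real)) {
        return null;
    }
    return rtrim($real, '/') . '/';
}

// Resolve the ?path= value against the root and accept it only if the
// canonical result still starts with the canonical root. Comparing resolved
// paths (rather than grepping for '..') also covers symlinks and encoded
// traversal sequences, because realpath() normalises them first.
function resolve_inside_root(string $root, string $user_path): ?string
{
    $candidate = realpath($root . $user_path);
    if ($candidate === false) {
        return null;
    }
    $candidate = rtrim($candidate, '/') . '/';
    if (strncmp($candidate, $root, strlen($root)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed scenario 1: the 'attached' directory was never created.
$missing = sys_get_temp_dir() . '/no-such-site-' . uniqid() . '/attached/';
var_dump(resolve_root_unsafe($missing));
var_dump(resolve_root_safe($missing));

// Constructed scenario 2: the root exists; a subdirectory is accepted and a
// parent-directory hop is rejected.
$tmp = sys_get_temp_dir() . '/attached-' . uniqid();
mkdir($tmp . '/sub', 0700, true);
$root = resolve_root_safe($tmp . '/');
var_dump(resolve_inside_root($root, 'sub/'));
var_dump(resolve_inside_root($root, '../'));
```

Run it with the php command-line binary. For the missing directory the unsafe resolver yields a bare '/' while the safe one yields null, which is the difference between listing the whole filesystem and returning an error; the trailing slash kept on both canonical paths is what stops a sibling directory with the same name prefix from passing the strncmp check.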

KindEditor:

I constructed a traversal payload, found the site's backup source code, and downloaded it for code audit:

Code audit

```php
class BaseController extends Controller {
    public function __construct(){
        parent::__construct();
        // rebuild the query string from every request parameter
        $canshu = '';
        foreach ($_REQUEST as $key => $value) {
            $canshu .= $key.'='.$value.'&';
        }
        $canshu = trim($canshu,'&');
        // ACTION_NAME is the ThinkPHP constant holding the current action name
        addlog(array('url'=>'http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?'.$canshu), 'API-'.ACTION_NAME, 'interface address');
        addlog($_REQUEST, 'API-'.ACTION_NAME, 'receive parameter');
        addlog($_FILES, 'API-'.ACTION_NAME, 'receive file');
    }
}

function addlog($arr,$name,$description){
    // type 3 appends the message to the given file; note the .php extension
    error_log($description.':'.date('Y-m-d H:i:s').'----'.var_export($arr,true)."\n", 3, "./log/".date('Y-m-d')."-".$name.".php");
}
```

So addlog() records every request hitting a route, and error_log() with type 3 appends the message to a file path the developer chose; that log file name ends in .php. So when we request a controller method, even one whose path does not exist, whatever we supply in the parameters is written into the log file, and requesting the log file afterwards gets it parsed as PHP.

Payload:

```
/index.php/Api/Base/a?search=<?php phpinfo(); ?>
```
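As an added example (not the audited site's code), the logger from the code audit rewritten so that request data can never become an executable file, together with a small audit routine a defender can run over an existing log directory to spot the two conditions that make the payload above work: log files with an extension PHP executes, and logged lines containing PHP open tags. The function names, the temporary log directory and the sample request are constructed here; the vulnerable logger is reproduced only so the audit routine has something to flag.

```php
<?php
// Added example, not the audited site's code. The log directory is passed in
// explicitly and is meant to live outside the web root.

function addlog_safe(array $arr, string $name, string $description, string $log_dir): bool
{
    // The name only contributes a whitelisted slug, so request data cannot
    // influence the file name or its extension.
    $slug = preg_replace('/[^A-Za-z0-9_-]/', '_', $name);
    // Fixed, non-executable extension: even a directory that is served by the
    // web server would return a .log file as text rather than run it.
    $file = rtrim($log_dir, '/') . '/' . date('Y-m-d') . '-' . $slug . '.log';
    // JSON_HEX_TAG turns < and > into \u003C and \u003E, so the byte
    // sequence "<?php" never reaches the file verbatim.
    $line = json_encode(
        ['ts' => date('c'), 'desc' => $description, 'data' => $arr],
        JSON_HEX_TAG | JSON_INVALID_UTF8_SUBSTITUTE
    );
    if ($line === false) {
        return false;
    }
    return file_put_contents($file, $line . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Mirrors the vulnerable addlog() from the writeup, kept only to produce a
// file the audit routine can flag.
function addlog_unsafe(array $arr, string $name, string $description, string $log_dir): void
{
    error_log(
        $description . ':' . date('Y-m-d H:i:s') . '----' . var_export($arr, true) . "\n",
        3,
        rtrim($log_dir, '/') . '/' . date('Y-m-d') . '-' . $name . '.php'
    );
}

// Audit routine for an existing deployment: flags log files whose extension
// PHP would execute, and any logged line carrying a PHP open tag.
function audit_log_dir(string $log_dir): array
{
    $findings = [];
    foreach (glob(rtrim($log_dir, '/') . '/*') ?: [] as $path) {
        if (preg_match('/\.(php|phtml|php[0-9])$/i', $path)) {
            $findings[] = "executable extension: $path";
        }
        $fh = fopen($path, 'r');
        if ($fh === false) {
            continue;
        }
        $n = 0;
        while (($l = fgets($fh)) !== false) {
            $n++;
            if (stripos($l, '<?php') !== false || strpos($l, '<?=') !== false) {
                $findings[] = "php open tag in $path line $n";
            }
        }
        fclose($fh);
    }
    return $findings;
}

// Constructed demo: the search parameter from the payload above, logged both ways.
$dir = sys_get_temp_dir() . '/log-demo-' . uniqid();
mkdir($dir, 0700);
$request = ['search' => '<?php phpinfo(); ?>'];
addlog_unsafe($request, 'API-Base', 'receive parameter', $dir);
addlog_safe($request, 'API-Base', 'receive parameter', $dir);
print_r(audit_log_dir($dir));
```

The audit reports only the file written by the unsafe logger: its .php extension and the logged line carrying the open tag. The .log file written by addlog_safe() triggers neither check, because the tag characters were escaped on the way in and the extension is never one the interpreter handles. In a real deployment the same three controls apply regardless of the logging library: keep logs outside the document root, give them a non-executable extension, and encode untrusted data before it is written.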

Testing locally:

The log file has been generated locally. Now access the log file:

Getshell succeeded.