When I was playing on 360 Butian a while back I noticed a hole that had been dug in this vendor's product, but I forgot to submit it. I checked the latest version and it is still there.
Vulnerable file: /app/user/action/api.php
    $sitekey = trim($_POST['sitekey']);
    $sitename = trim($_POST['sitename']);
    $openid = trim($_POST['openid']);
    $username = trim($_POST['username']);
    $email = trim($_POST['email']);
    $phone = trim($_POST['phone']);
    $face = trim($_POST['face']);
    if($sitekey!='thinksaas'){ // change 'thinksaas' here to another string before production use
        getJson('sitekey密钥不正确');
    }
    if($sitename && $openid && $username && $email){
        $strOpen = $new['user']->find('user_open',array(
            'sitename'=>$sitename,
            'openid'=>$openid,
        ));
Almost everything here is attacker-controlled, and the key is neither random nor read from a configuration file but hard-coded as the literal 'thinksaas'. The whole preliminary check can therefore be passed trivially.
    if($strOpen){
        $userData = $new['user']->find('user_info',array(
            'userid'=>$strOpen['userid'],
        ),'userid,username,path,face,isadmin,signin,uptime');
        // update login time
        $new['user']->update('user_info',array(
            'userid'=>$strOpen['userid'],
        ),array(
            'ip'=>getIp(),     // update login ip
            'uptime'=>time(),  // update login time
        ));
        $_SESSION['tsuser'] = $userData;
        //header("Location: ".SITE_URL);exit;
        getJson('登录成功！',1,1);
    }else{
        $salt = md5(rand());
        $pwd = random(5,0);
        $userid = $new['user']->create('user',array(
            'pwd'=>md5($salt.$pwd),
            'salt'=>$salt,
            'email'=>$email,
        ));
This looks up user_open by the sitename and openid we supply. If a row comes back the condition is true, but the vulnerability is in the else branch, so to reach it we submit a sitename/openid pair that does not yet exist in the database.
        $new['user']->create('user_info',array(
            'userid' => $userid,
            'username' => $username,
            'email' => $email,
            'ip' => getIp(),
            'addtime' => time(),
            'uptime' => time(),
        ));
        // insert into ts_user_open
        $new['user']->create('user_open',array(
            'userid'=>$userid,
            'sitename'=>$sitename,
            'openid' => $openid,
            'uptime'=>time(),
        ));
        // update user avatar
        if($face){
            // 1000 images per directory
            $menu2=intval($userid/1000);
            $menu1=intval($menu2/1000);
            $menu = $menu1.'/'.$menu2;
            $photo = $userid.'.jpg';
            $photos = $menu.'/'.$photo;
            $dir = 'uploadfile/user/'.$menu;
            $dfile = $dir.'/'.$photo;
            createFolders($dir);
            if(!is_file($dfile)){
                $img = file_get_contents($face);
                file_put_contents($dfile,$img);
            };
            $new['user']->update('user_info',array(
                'userid'=>$userid,
            ),array(
                'path'=>$menu,
                'face'=>$photos,
            ));
        }
Anyone who reads a little code will see it at a glance: the exploitable point is file_get_contents. $face comes straight from the POST body, the server fetches whatever that URL (or PHP stream wrapper) points at, and the response is written unchecked to a web-accessible path under uploadfile/user/ with a .jpg name.
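The avatar branch above accepts any URL and stores whatever comes back. As an added example, not ThinkSAAS code, here is a hardened replacement for that branch; the function names is_safe_avatar_url() and fetch_remote_avatar() are assumed, and the on-disk path $dfile is the one the original code computes.

```php
<?php
// Added example, not ThinkSAAS code: hardened replacement for the avatar
// fetch in the else branch of api.php. Function names are assumed.

// Accept only http(s) URLs whose host resolves to a public address, so
// file://, php://, data:// wrappers and internal addresses are refused.
function is_safe_avatar_url(string $url): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])
        || isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $ip = gethostbyname($p['host']);  // IPv4 only; returns the name unchanged on failure
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Fetch with cURL limited to http/https, no redirects, size and time caps,
// and store the body only if it really is a JPEG (the file is saved as .jpg).
function fetch_remote_avatar(string $url, string $dfile): bool {
    if (!is_safe_avatar_url($url)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect could point back at an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 2 * 1024 * 1024,  // 2 MiB cap
    ]);
    $img = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($img === false || $status !== 200) {
        return false;
    }
    $info = @getimagesizefromstring($img);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return false;
    }
    return file_put_contents($dfile, $img) !== false;
}
```

Resolving the host before cURL connects still leaves a DNS rebinding window; pinning the connection to the validated address with CURLOPT_RESOLVE closes it but is omitted here for brevity.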
As for path disclosure and the like, this program has it in many places.