Original title: Notes from a CMS code audit
Author: ddwGeGe
This article is adapted from the Prophet Community: //xz.aliyun.com/t/11774
Preface
While browsing the official site of a niche OA product I came across its source code and downloaded it. A casual audit turned up a way to get a shell. No flaming, please.
Directory structure
Environment setup
Windows 11, PhpStudy (MySQL), Redis, IDEA (Tomcat 8.0)
Import the SQL file into PhpStudy (MySQL), start the Redis service, and configure the database connection.
The audit combined white-box and black-box testing. Looking at the functional points, the personal profile page allows image uploads.
Capturing the upload request showed that neither the file suffix nor the file content is verified, and the response returns the upload path and file name. It looked like a direct route to a shell, but the file could not be parsed: it had not actually been written to disk.
Code audit
Searching the routes for the path seen in the request (/func/upload/uploadImages) quickly locates the upload function.
First the value of db is checked; it decides how the uploaded file is saved.
In the initial upload db=1, while the if branch compares against GlobalConstant.FILE_UPLOADER_SAVE_FILE, which is 0, so execution goes straight into the else if branch.
New file name = upload time + 10 random characters + the extension of the original uploaded file
String extend = FileUtils.getExtend(fileName); // get the file extension from the original name (unchecked)
String noextfilename = DateUtils.getDataString(DateUtils.SDF_YYYYMMDDHHMMSS) + StringUtil.random(10); // server-generated base name
String myfilename = noextfilename + "." + extend; // final file name: base name + original extension
The file is stored in the database, the file name is put into the map, and the map is returned in the response.
db is client-controlled. Changing db=1 to db=0 in the upload request enters the if branch.
A new upload directory is created: web root + /upload/ + upload date (YYYYMMDD). If it does not exist, it is created.
String realPath = request.getSession().getServletContext().getRealPath("/") + "/upload/" + strYYYYMMDD + "/"; // real path of the file on disk, under the web root
String path = "upload/" + strYYYYMMDD + "/"; // relative path returned to the client
File file = new File(realPath);
if (!file.exists()) {
    file.mkdirs(); // create the date directory (and parents) if missing
}
The new file name is built the same way as in the else if branch. The extension of the uploaded file is neither checked nor filtered, just concatenated onto the name, which results in an arbitrary file upload vulnerability.
Finally, the content of the uploaded file is copied straight into the newly created file.
FileCopyUtils.copy(mf.getBytes(), savefile); // write the multipart content to the new file on disk
The result is stored in the map: the upload path and file name go into filePath and saveName respectively.
Map
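As an added example (not code from the CMS or the original post), here is how the naming logic in the if branch can be hardened: the extension is taken from a short allow-list instead of being spliced in unchecked, the rest of the name stays server-generated, and the final path is checked to remain under the upload root. The class, method and constant names are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Locale;
import java.util.Set;

// Hardened counterpart of the upload naming logic discussed above (added example, not the CMS's code).
// ALLOWED_EXTENSIONS, safeExtension, newFileName and buildSavePath are hypothetical names.
public final class SafeImageUpload {
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("jpg", "jpeg", "png", "gif");
    private static final String RANDOM_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom RNG = new SecureRandom();
    /** Lower-cased extension if it is on the allow-list, otherwise null. */
    static String safeExtension(String originalName) {
        if (originalName == null) return null;
        // Drop any client-supplied directory part before looking at the suffix.
        String base = originalName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return null;
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext) ? ext : null;
    }
    /** Timestamp + 10 random characters + allow-listed extension, mirroring the CMS scheme. */
    static String newFileName(String ext) {
        StringBuilder sb = new StringBuilder(
            LocalDateTime.now().format(DateTimeFormatter.ofPattern("yyyyMMddHHmmss")));
        for (int i = 0; i < 10; i++) sb.append(RANDOM_CHARS.charAt(RNG.nextInt(RANDOM_CHARS.length())));
        return sb.append('.').append(ext).toString();
    }
    /** Resolves the save path and refuses any result that leaves the upload root. */
    static Path buildSavePath(Path uploadRoot, String dateDir, String originalName) {
        String ext = safeExtension(originalName);
        if (ext == null) throw new IllegalArgumentException("file type not allowed");
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(dateDir).resolve(newFileName(ext)).normalize();
        if (!target.startsWith(root)) throw new IllegalArgumentException("path escapes upload root");
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("upload"); // stand-in for getRealPath("/") + "/upload/"
        System.out.println(buildSavePath(root, "20220101", "avatar.png"));
        try { buildSavePath(root, "20220101", "notes.jsp"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Whether a file is written to disk at all should follow server configuration rather than the request parameter db, and an upload directory that sits under the web root should have script execution disabled.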