    TheHackerWorld Official

Reproducing the FastAdmin front-end file upload vulnerability


Date of the vulnerability: April 1, 2021
Vulnerable file: application\api\controller\Common.php
URL that triggers the vulnerability: /index/ajax/upload
Requirement: chunking in application\extra\upload.php is set to true (chunked upload enabled)

[screenshot: cuYe9x.png]

Reproduction process

Analysis of the vulnerable code
The request must include the following POST parameters:
1. chunkid
2. action
3. chunkindex
4. chunkcount
5. filename

[screenshot: cuYG4I.md.png]

It then enters the if check: when the action parameter is not merge, or method is not clean, it calls chunk($chunkid, $chunkindex, $chunkcount) and enters the chunked file upload path.

[screenshot: cuYDEj.md.png]

Following the chunk function:
1. First, $destDir = RUNTIME_PATH/chunks, where RUNTIME_PATH = ROOT_PATH . 'runtime' . DS (DS is the system's directory separator)

[screenshot: cuYrUs.md.png]

2. $fileName = $chunkid-$chunkindex.part // both $chunkid and $chunkindex are attacker-controllable
3. $destDir = $destDir . DS . $fileName // concatenated to obtain the final file path
4. Check whether the RUNTIME_PATH/chunks directory exists; create it if it does not
5. Move the temporary file into the RUNTIME_PATH/chunks directory

[screenshot: cuYhb4.md.png]

The merge function is then triggered to write the shell.
This requires the action parameter to be merge.

[screenshot: cutQzV.md.png]

First, the chunkDir variable comes from the figure below:
$chunkDir = RUNTIME_PATH . 'chunks'

[screenshot: cut3sU.md.png]

1. $filePath = RUNTIME_PATH . 'chunks' . DS . $chunkid // the $chunkid parameter is attacker-controllable
2. Loop according to the $chunkcount variable
3. Check whether the file $filePath-$i.part exists
4. If it exists, create under /runtime/chunks a file named after $filepath: $destFile = @fopen($uploadPath, "wb")
5. Lock the file
6. Loop according to the $chunkcount parameter // the $chunkcount parameter is attacker-controllable
7. $partFile = $filePath-$i.part
8. Read $partFile in a loop and write its contents to $filepath
9. Once all parts have been read, delete the part files, release the file lock and close the file handle

[screenshot: cutDsO.md.png]
[screenshot: cutrLD.md.png]
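Both the chunk() and merge() steps above build file paths directly from the request parameters chunkid, chunkindex and chunkcount. The following is an added example of how a defender would validate those parameters and keep both the part files and the merged file under server-chosen paths; it is not FastAdmin's code, and the function names, the extension allow-list and the directory arguments are assumptions made for illustration.

```php
<?php
// Added example, not FastAdmin's code. Function names, the allow-list and
// the $chunkDir / $uploadDir arguments are assumptions for illustration.
declare(strict_types=1);

/**
 * Validate the request-controlled parameters before any path is built.
 * chunkid is limited to a short token with no separators, dots or NUL bytes;
 * chunkindex and chunkcount must be bounded non-negative integers.
 */
function validateChunkParams(string $chunkid, string $chunkindex, string $chunkcount): array
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $chunkid)) {
        throw new InvalidArgumentException('invalid chunkid');
    }
    if (!ctype_digit($chunkindex) || !ctype_digit($chunkcount)) {
        throw new InvalidArgumentException('chunkindex/chunkcount must be integers');
    }
    $index = (int) $chunkindex;
    $count = (int) $chunkcount;
    if ($count < 1 || $count > 1000 || $index >= $count) {
        throw new InvalidArgumentException('chunkindex/chunkcount out of range');
    }
    return [$chunkid, $index, $count];
}

/**
 * Build the path of one part file and prove it stays inside $chunkDir.
 * The regex above already forbids separators; the realpath() containment
 * check is kept as a second, independent barrier.
 */
function safeChunkPath(string $chunkDir, string $chunkid, int $index): string
{
    $base = realpath($chunkDir);
    if ($base === false) {
        throw new RuntimeException('chunk directory does not exist');
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $chunkid . '-' . $index . '.part';
    // Resolve the parent, not the file: the part may not exist yet on upload.
    if (realpath(dirname($candidate)) !== $base) {
        throw new RuntimeException('part file escapes chunk directory');
    }
    return $candidate;
}

/**
 * Merge the parts into a destination the server chooses: random name,
 * allow-listed extension, never derived from the filename parameter.
 */
function safeMerge(string $chunkDir, string $chunkid, int $count, string $uploadDir, string $ext): string
{
    $allowed = ['jpg', 'png', 'pdf']; // example allow-list; adjust per deployment
    $ext = strtolower($ext);
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException('extension not allowed');
    }
    $target = rtrim($uploadDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR
        . bin2hex(random_bytes(16)) . '.' . $ext;
    $out = fopen($target, 'xb'); // 'x' mode refuses to overwrite an existing file
    if ($out === false) {
        throw new RuntimeException('cannot create destination');
    }
    flock($out, LOCK_EX);
    for ($i = 0; $i < $count; $i++) {
        $part = safeChunkPath($chunkDir, $chunkid, $i);
        if (!is_file($part)) {
            fclose($out);
            unlink($target);
            throw new RuntimeException("missing part $i");
        }
        $in = fopen($part, 'rb');
        stream_copy_to_stream($in, $out);
        fclose($in);
        unlink($part);
    }
    flock($out, LOCK_UN);
    fclose($out);
    return $target;
}

// Usage sketch (assumed request handling, not FastAdmin's controller):
// [$id, $idx, $cnt] = validateChunkParams($_POST['chunkid'], $_POST['chunkindex'], $_POST['chunkcount']);
// move_uploaded_file($_FILES['file']['tmp_name'], safeChunkPath('/var/app/runtime/chunks', $id, $idx));
// ... and once action=merge: safeMerge('/var/app/runtime/chunks', $id, $cnt, '/var/app/public/uploads', 'png');
```

The two properties that matter here are that chunkid can no longer carry path components, so the part file and the merged file are always created where the server expects them, and that the merged file's name and extension are assigned by the server rather than taken from the request.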

Exploit analysis:

[screenshot: cut2FA.png]
[screenshot: cut4Qf.png]

Exploit address: https://github.com/exp1orer/FastAdmin_Upload

[screenshot: cut5y8.png]

As for why the shell path here is the root directory: that is simply how this exploit is written.

[screenshot: cutjS0.md.png]

References

https://zhuanlan.zhihu.com/p/57166400
https://xz.aliyun.com/t/9395
https://mp.weixin.qq.com/s/otrH75ZjCHBQbRB7g5DdWg
