[Code Audit] - PHP project RCE, file inclusion, file download and file deletion
2022-08-09 19:32:00 【haoaaao】
Source: [Xiaodi Security] Day52 Code Audit - PHP project RCE, file inclusion, file download and file deletion - Bilibili
https://www.bilibili.com/read/cv15169189?spm_id_from=333.999.0.0
0x00 Knowledge points
1. Vulnerability keywords
#SQL injection:
---select insert update mysql_query mysqli etc.
#File upload:
---$_FILES, type="file", upload, move_uploaded_file(), etc.
#XSS (cross-site scripting):
---print print_r echo sprintf die var_dump var_export etc.
#File inclusion:
---include include_once require require_once etc.
#Code execution:
---eval assert preg_replace call_user_func call_user_func_array etc.
#Command execution:
---system exec shell_exec `` passthru pcntl_exec popen proc_open
#Variable overwrite:
---extract() parse_str() import_request_variables() $$ etc.
#Deserialization:
---serialize() unserialize() __construct __destruct etc.
#Other vulnerabilities:
---unlink() file_get_contents() show_source() file() fopen() etc.
2. General keywords
---$_GET, $_POST, $_REQUEST, $_FILES, $_SERVER, etc.
---Vulnerabilities can be found either by analysing the application's function points or by searching for these keywords
---Capture the request, or search for keywords, to locate the source code and the file that handles it
---Trace the function that filters or accepts the data, find the place where that function or code is triggered, and test there
http://192.168.0.102:91/?r=../../index.txt%00
http://192.168.0.102:94/admin/save.php?act=delfile
path=/upload/../install/install.lock
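The keyword search above, turned into a first-pass scanner. This is an added example, not code from the post or from any of the projects it audits; the sink patterns are taken from the keyword lists, the "tainted" marking is a crude heuristic added here, and the PHP source it scans is a constructed sample.

```php
<?php
// Added example, not code from the original post: a first-pass scan that
// applies the keyword lists above to PHP source. A hit is marked TAINTED when
// a superglobal, or a variable assigned from one earlier in the file, appears
// on the sink line. It is a triage aid; every hit still needs manual tracing.
$sinks = [
    'sql'          => '/\b(mysql_query|mysqli_query)\s*\(|->query\s*\(/i',
    'upload'       => '/\bmove_uploaded_file\s*\(/i',
    'xss'          => '/\b(echo|print|print_r|var_dump|var_export|die)\b/i',
    'include'      => '/\b(include|require)(_once)?\b/i',
    'code-exec'    => '/\b(eval|assert|preg_replace|call_user_func(_array)?)\s*\(/i',
    'cmd-exec'     => '/\b(system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\s*\(|`/i',
    'var-override' => '/\b(extract|parse_str|import_request_variables)\s*\(|\$\$\w/i',
    'deserialize'  => '/\bunserialize\s*\(/i',
    'file-ops'     => '/\b(unlink|file_get_contents|show_source|file|fopen)\s*\(/i',
];
$superglobal = '/\$_(GET|POST|REQUEST|FILES|SERVER|COOKIE)\b/';
function scan(string $src, array $sinks, string $superglobal): array {
    $tainted = []; $hits = [];                        // $tainted: variables assigned from a superglobal
    foreach (explode("\n", $src) as $i => $line) {
        $direct = (bool) preg_match($superglobal, $line);
        $viaVar = false;
        foreach (array_keys($tainted) as $v) {
            if (preg_match('/\$' . preg_quote($v, '/') . '\b/', $line)) { $viaVar = true; break; }
        }
        foreach ($sinks as $cat => $re) {
            if (preg_match($re, $line)) {
                $hits[] = ['line' => $i + 1, 'sink' => $cat, 'tainted' => $direct || $viaVar, 'code' => trim($line)];
            }
        }
        // crude propagation: "$x = ... $_GET[...] ..." makes $x tainted for later lines
        if ($direct && preg_match('/^\s*\$(\w+)\s*=[^=]/', $line, $m)) $tainted[$m[1]] = true;
    }
    return $hits;
}
// Constructed sample source containing several of the patterns from the keyword list.
$sample = <<<'PHP'
<?php
$r = $_GET['r'];
include($r . ".php");
$q = "SELECT * FROM users WHERE id=" . $_GET['id'];
mysql_query($q);
unlink($_POST['path']);
echo htmlspecialchars($name);
PHP;
foreach (scan($sample, $sinks, $superglobal) as $h) {
    printf("%-3d %-12s %-7s %s\n", $h['line'], $h['sink'], $h['tainted'] ? 'TAINTED' : '-', $h['code']);
}
```

Run it against a real code base by replacing $sample with file_get_contents() of each .php file; the include on line 3 and the query on line 5 are only flagged as tainted because the assignments on lines 2 and 4 were seen first, which is the same "trace back to the source" step the post describes.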
0x01 Case Ideas
1. xhcms - no framework - file inclusion and XSS - found by search or application analysis - include
Overall ideas
///Analysing the application as a whole and its URL addresses suggests it may contain XSS and file inclusion vulnerabilities
Capture the request to find the unfiltered code block behind the XSS, and the code block for the file inclusion where the appended suffix can be bypassed
(For the detailed analysis process see the link: [Xiaodi Security] Day52 code audit - PHP project RCE, file inclusion, file download and file deletion - Bilibili)
2. earmusic - no framework - file download - found by search or application functions - down, etc.
Overall ideas
---Judging from application analysis or a keyword search that there may be a file download operation
---Capture and analyse the download address to find the corresponding code block; the file download path is controlled by $file
---$file comes from a database query statement, so trace where that data can be updated or changed
---Try to modify it and discover the filter; trace the filter mechanism, analyse it and bypass it, here by using a full path address
Analysis steps:
Enter the practice environment and look at the functions
---Possible vulnerabilities inferred from the member centre functions:
The music download may have a file download vulnerability;
The avatar and music upload may have a file upload vulnerability;
The personal information modification may have a SQL injection vulnerability;
Logs and footers may have XSS vulnerabilities;
The API may have other vulnerabilities, check how it is called;
Look at the format of the transmitted packets, etc.
---Based on the site's functions, guess at the likely vulnerabilities: a social networking site leans toward injection and XSS; music download leans toward file download and upload vulnerabilities;
---Ideas for finding the file download vulnerability here:
(1) Functional testing based on the file download feature
(2) Search for the related functions and keywords of file download, then capture and analyse the request
(3) Trace the function that filters or accepts the data, find the place where that function or code is triggered, and test there
3. zzzcms - no framework - file deletion and RCE - found by search or application functions - unlink, eval
Overall ideas
---File deletion: search for the keyword unlink, which corresponds to the function del_file, then see where it is called
---It is called by the backend delfile action; work out how the delfile function is triggered and which parameters control it, then test
---Code execution: search for the keyword eval, which corresponds to the configuration template parsing file, then see where it is called
---It is judged that the template file can be modified in the backend and is triggered in the frontend, so construct a payload and test
Analysis steps:
---File deletion is generally used in white-box auditing; for example, you can delete the install.lock file
(For the specific steps see the link: [Xiaodi Security] Day52 code audit - PHP project RCE, file inclusion, file download and file deletion - Bilibili)
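The three case patterns above (the xhcms suffix bypass, the earmusic $file filter bypassed with a full path, and the zzzcms delfile path) as weak checks next to a hardened form. This is an added example, not code from xhcms, earmusic or zzzcms; the directory layout, parameter names and temporary files are assumptions made for the demo.

```php
<?php
// Added example, not code from xhcms, earmusic or zzzcms: the three case
// patterns above, each weak check beside a hardened one. The directory layout
// and the parameter names are assumptions made for this demo.

// Case 1, file include: appending ".php" to $_GET['r'] is not a control.
// "../../index.txt%00" decodes to a null byte; PHP < 5.3.4 truncated the path
// there and dropped the suffix, newer PHP refuses the null byte outright.
// A fixed map from request key to file is the robust form either way.
function resolve_include(string $r): ?string {
    $pages = ['index' => 'files/index.php', 'news' => 'files/news.php'];
    return $pages[$r] ?? null;                 // anything not in the map: no include
}

// Cases 2 and 3, download and delete: the two weak filters the post describes.
function weak_prefix_check(string $path): bool {      // delfile-style check
    return strpos($path, '/upload/') === 0;           // "/upload/../install/x" is accepted
}
function weak_strip_dots(string $path): string {      // $file-style filter
    return str_replace('../', '', $path);             // an absolute path is left untouched
}

// Hardened: canonicalise the candidate under the web root and require the
// result to stay inside the directory the feature is allowed to touch.
function confine(string $webroot, string $allowedDir, string $path): ?string {
    $allowed = realpath($allowedDir);
    $target  = realpath($webroot . '/' . ltrim($path, '/'));   // absolute input is re-rooted
    if ($allowed === false || $target === false) return null;  // missing file: deny
    $prefix  = $allowed . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed layout: <tmp>/upload/song.mp3 and <tmp>/install/install.lock
$root = sys_get_temp_dir() . '/audit_demo_' . getmypid();
mkdir("$root/upload", 0700, true); mkdir("$root/install", 0700, true);
touch("$root/upload/song.mp3"); touch("$root/install/install.lock");

var_dump(resolve_include(urldecode('../../index.txt%00')));        // not in the map: denied
var_dump(weak_prefix_check('/upload/../install/install.lock'));    // weak check lets the lock file through
var_dump(weak_strip_dots('/etc/passwd'));                          // weak filter leaves the full path intact
var_dump(confine($root, "$root/upload", '/upload/../install/install.lock')); // canonical path leaves upload/: denied
var_dump(confine($root, "$root/upload", '/etc/passwd'));           // re-rooted under webroot, does not exist: denied
var_dump(confine($root, "$root/upload", '/upload/song.mp3'));      // inside upload/: allowed

foreach (["$root/upload/song.mp3", "$root/install/install.lock"] as $f) unlink($f);
rmdir("$root/upload"); rmdir("$root/install"); rmdir($root);
```

confine() relies on realpath(), so it only accepts files that already exist, which is exactly the situation for download and delete; for a path that is created rather than read, canonicalise the parent directory instead.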