FastAdmin front-end file upload vulnerability reproduction


This Wind


Overview

Vulnerability date: April 1, 2021
Vulnerable code: application\api\controller\Common.php
URL that triggers the vulnerability: /index/ajax/upload
Requirement: chunking in application\extra\upload.php is set to true (chunked upload enabled)


Reproduction process

Vulnerability analysis
The following POST request parameters must all be present:
1. chunkid
2. action
3. chunkindex
4. chunkcount
5. filename


The code then enters an if check: when the action parameter is not merge, or the method is not clean, it calls the chunk function chunk($chunkid, $chunkindex, $chunkcount); and enters the chunked file upload.


Following the chunk function:
1. First, $destDir = RUNTIME_PATH/chunks, where RUNTIME_PATH = ROOT_PATH . 'runtime' . DS (DS is the system's directory separator)


2. $fileName = $chunkid-$chunkindex.part // both $chunkid and $chunkindex are controllable
3. $destDir = $destDir . DS . $fileName // concatenation yields the final file path
4. Check whether the RUNTIME_PATH/chunks path exists; create the directory if it does not
5. Move the temporary file into the RUNTIME_PATH/chunks path


After that the merge function is triggered, which writes the shell.
This requires the action parameter to be merge.


First, the chunkDir variable comes from the code in the screenshot:
$chunkDir = RUNTIME_PATH . 'chunks'


1. $filePath = RUNTIME_PATH . 'chunks' . DS . $chunkid // the $chunkid parameter is controllable
2. Loop according to the $chunkcount variable
3. Check whether the file $filePath-$i.part exists
4. If the file exists, create a file under /runtime/chunks named after $filepath: $destFile = @fopen($uploadPath, "wb")
5. Lock the file
6. Loop according to the $chunkcount parameter // the $chunkcount parameter is controllable
7. $partFile = $filePath-$i.part
8. Read the contents of $partFile in a loop and write them to $filepath
9. After the file has been read, delete the chunk file, release the file lock, and close the file handle
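The root cause walked through above is that $chunkid, $chunkindex, $chunkcount and the target filename are taken from the request and concatenated into paths. As an added example (not FastAdmin's code and not part of the original post), this is how the same parameters can be handled safely: chunkDir, safeChunkPath and safeMergeTarget are hypothetical names; RUNTIME_PATH and DS are the framework constants named in the post.

```php
<?php
// Added example, not FastAdmin's code: strict handling of the chunked-upload
// parameters walked through above. RUNTIME_PATH and DS are the framework
// constants named in the post; the fallbacks only keep this file self-contained.
if (!defined('DS')) { define('DS', DIRECTORY_SEPARATOR); }
if (!defined('RUNTIME_PATH')) { define('RUNTIME_PATH', __DIR__ . DS . 'runtime' . DS); }

const CHUNK_ID_RE = '/^[A-Za-z0-9_-]{1,64}$/';   // no '.', '/' or '\' => no traversal
const MAX_CHUNKS  = 10000;
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function chunkDir(): string {
    $dir = RUNTIME_PATH . 'chunks';
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create chunk directory');
    }
    return $dir;
}

// Build RUNTIME_PATH/chunks/<chunkid>-<chunkindex>.part from validated input only.
function safeChunkPath(string $chunkid, $chunkindex, $chunkcount): string {
    if (!preg_match(CHUNK_ID_RE, $chunkid)) {
        throw new InvalidArgumentException('chunkid must match ' . CHUNK_ID_RE);
    }
    $idx = filter_var($chunkindex, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => MAX_CHUNKS - 1]]);
    $cnt = filter_var($chunkcount, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_CHUNKS]]);
    if ($idx === false || $cnt === false || $idx >= $cnt) {
        throw new InvalidArgumentException('chunkindex/chunkcount out of range');
    }
    $dir  = chunkDir();
    $path = $dir . DS . $chunkid . '-' . $idx . '.part';
    // Defence in depth: the resolved parent must still be the chunk directory.
    if (realpath(dirname($path)) !== realpath($dir)) {
        throw new RuntimeException('chunk path escapes the chunk directory');
    }
    return $path;
}

// Merge target: drop any client-supplied path, allow-list the extension and use
// a server-generated name, so the client chooses neither location nor filename.
function safeMergeTarget(string $uploadDir, string $filename): string {
    $base = basename(str_replace('\\', '/', $filename));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    return rtrim($uploadDir, '/\\') . DS . bin2hex(random_bytes(16)) . '.' . $ext;
}
```

With these checks a chunkid containing "../" or a filename ending in .php is rejected before any path is built, and the number of merge iterations is bounded by MAX_CHUNKS instead of the client's chunkcount.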


Exploit analysis:


Exploit URL: https://github.com/exp1orer/FastAdmin_Upload


As for why the shell path here is the web root: that is simply how this exploit was written.


References

https://zhuanlan.zhihu.com/p/57166400
https://xz.aliyun.com/t/9395
https://mp.weixin.qq.com/s/otrH75ZjCHBQbRB7g5DdWg
