
Wuzhicms code audit

2022-07-04 17:31:00 zkzq


Author: grapefruit (Control Security)

Environment setup

Download the source from the official site: https://www.wuzhicms.com/

Place it in the phpstudy web root and visit the install path to run the installer.


Access the backend and the frontend to confirm the installation works.

Sensitive information disclosure

Visit the link directly from the backend:


Code analysis


Frontend SQL injection

Vulnerability analysis

Searching for select, I found a select function in the mysql.class file, and the string concatenation that follows it has no filtering.


Searching for where this function is called, the first hit is the sms_check file in the api directory: it calls get_one, and the parameter it passes is built by concatenating the $code value from earlier in the file.


$code first obtains the value of the param parameter through $GLOBALS. As the earlier description shows, $GLOBALS gives access to POST and GET values, and nothing earlier in this file defines a param variable, so param must come from POST or GET, which means it is under our control. This is the point that leads to the injection.

$code is then passed through strip_tags, which only strips HTML tags to filter XSS; it does nothing against SQL metacharacters such as the single quote.

After that, the value is passed straight into the next function, since this file also includes the db class.


Inside get_one, an array2sql function is also called to process $where.

Let's look at that function first.


This function does the filtering. If the value is an array, the if branch is taken and parentheses and single quotes are stripped.

Otherwise the else branch runs, which removes %20 and %27 and then returns the parameter. This is where the filter falls short: the parameter we pass is not an array, so the if branch is skipped, and all the else branch removes is the literal sequences %20 and %27.

Although we URL-encode the value, the web server decodes it once automatically, so by the time it reaches the back-end code it is no longer URL-encoded and the filter never sees a %27; the decoded single quote passes through untouched.

Double encoding behaves differently: because the server decodes only once, a double-encoded value still contains %27 when it reaches the else branch, and there the filter does take effect. The get_one that the value is returned into is the one we saw first in mysql.class.

Now the payload can be constructed directly. From the code analysis we can see that the value sits inside single quotes, so the payload needs to close that quote.
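To make the decode-once behaviour concrete, here is an added Python model (my own illustration, not the project's PHP) of the array2sql-style filter and the get_one concatenation, beside a parameterized version; the table name, column and sample codes are constructed for the example.

```python
import sqlite3
from urllib.parse import unquote_plus

# Simplified model of the array2sql-style filter described above (my own
# re-implementation for illustration, not the project's code): a non-array
# value only has the literal sequences "%20" and "%27" removed.
def percent_filter(value):
    if isinstance(value, list):
        # array branch: parentheses and single quotes are stripped
        return [str(v).replace("'", "").replace("(", "").replace(")", "") for v in value]
    return value.replace("%20", "").replace("%27", "")

def server_decode(raw_query_value):
    # The web server / PHP runtime percent-decodes the query string exactly
    # once before application code ever sees the parameter.
    return unquote_plus(raw_query_value)

def setup_db():
    # Constructed in-memory table standing in for the real SMS-code table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sms_code (code TEXT)")
    conn.executemany("INSERT INTO sms_code VALUES (?)", [("123456",), ("654321",)])
    return conn

def lookup_concatenated(conn, raw_query_value):
    # Vulnerable path: filter, then splice the value into the SQL string,
    # mirroring the get_one() call chain above.
    code = percent_filter(server_decode(raw_query_value))
    sql = "SELECT code FROM sms_code WHERE code='%s'" % code
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, raw_query_value):
    # Hardened path: the value is bound as a parameter, so a quote is data
    # and the %27 filter is no longer load-bearing.
    code = server_decode(raw_query_value)
    sql = "SELECT code FROM sms_code WHERE code=?"
    return [row[0] for row in conn.execute(sql, (code,))]

if __name__ == "__main__":
    conn = setup_db()
    # single-encoded quote: the server decodes it, the filter sees "'" not "%27"
    print(lookup_concatenated(conn, "1%27+OR+%271%27%3D%271"))   # every row
    # double-encoded quote: one decode leaves "%27", which the filter strips
    print(lookup_concatenated(conn, "1%2527"))                    # []
    print(lookup_parameterized(conn, "1%27+OR+%271%27%3D%271"))  # []
```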


Vulnerability reproduction

Payload:

sms_check.php?param=1%27+or%20extractvalue(1,concat(0x7e,(select%20database)))%23


Backend SQL injection 1

Vulnerability analysis

In www\api\sms_check.php:


The param parameter is read into $code and concatenated straight into the SQL statement, leading to SQL injection.

Vulnerability reproduction

Backend SQL injection 2

In eframe\app\promote\admin\index.php:


$keywords is read and concatenated straight into the SQL statement, leading to SQL injection.


Backend arbitrary file read and delete

The dir method in coreframe\app\attachment\admin\index.php:


Analyzing the logic: it replaces ../, ./, .\ and ..\ with empty strings in a single pass and appends a trailing /. Because the replacement runs only once, writing nested sequences here leaves a traversal sequence behind, which bypasses it:


At the same time, the files that are listed can also be deleted; each entry has a delete link after it. Find the del method:


After taking the path from the URL, it only checks for the ATTACHMENT_URL prefix and replaces it with an empty string:

define('ATTACHMENT_URL','http://www.wuzhicmstest.com/uploadfile/');// attachment path

With no other filtering, the result is passed to my_unlink:


which achieves the deletion.

Logic flaw

In \api\uc.php:

By passing parameters you can call the uc_note class:

This allows the user name, password and other fields to be changed.

Backend RCE

Vulnerability analysis

The set_cache method in coreframe\app\core\libs\function\common.func.php:


The content written to the cache file is not filtered. Next, search for where set_cache is called:

There are calls in the member module.


It writes setting directly into the cache.

Exploitation: write phpinfo into the cache:


Vulnerability reproduction

Access the backend:

Extension

A global search finds many other places with the same usage:


Copyright notice
This article was created by [zkzq]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/185/202207041538286152.html
