Tianmu MVC audit I
2022-07-06 09:51:00 【XRSec】
Preface
Today we audit a CMS from scratch: Tianmu CMS. This article was edited by Er Nong Xi Zhu.
Understanding the MVC architecture
- The MVC architecture generally has three parts: M, the business model; V, the user interface; C, the controller. You can look up the details on Baidu.
- Based on this understanding of MVC, I generally use two audit modes:
Auditing the controller directly
That is, only the C part, tracing a few more functions from there. Search the whole project for filt__, since filt is short for filter; by searching globally for functions of this kind you can check the filtering rules. This kind of audit is usually faster.
However, it generally assumes that you already understand the routing rules of this CMS clearly. It suits veterans, and it makes it convenient to backtrack and verify from the vulnerability points found in the audit.
Reading through from the index page
This audit method suits a beginner like me better: it is less easy to overlook a vulnerability. This article is audited in that way!
Start audit
Get ready
At the start of an audit, I am usually in the habit of looking at the directory listing first, so that we get a general understanding of the whole CMS:
- app ---------- Main program directory
- attachment --- Additional directories
- public ------- Public programs
- runtime ------ Usually log files
- temmoku ------ Some plug-ins, configuration files, etc.
- view --------- Views
- index.php ---- Program entrance
index.php
What we can see is that index.php defines some constants and includes the file 'temmoku'.DS.'run.php'.
For these constants, I saw a fellow's approach: add the following at the end of index.php, print the constants out, and save them to a .txt file to search through.
foreach(get_defined_constants(true)['user'] as $k=>$v){
    echo $k.'---'.$v."\r\n";
}
So we can find that DS is \, and what is actually included is the file temmoku\run.php.
run.php
Then we follow up ==>
Well, it's a pile of constants, and it includes these two php files:
C:\phpstudy_pro\WWW\temmoku\temmoku\functions.php
C:\phpstudy_pro\WWW\temmoku\temmoku\app.php
and then instantiates the app class and calls its run method.
functions.php
In functions.php, various functions are defined. Set it aside for now; when the controller audit hits specific calls, we will audit them more specifically.
app.php
In app.php, the first things I saw were namespace and use, which I didn't understand. Well, Baidu tells us: use imports classes, functions and constants from a namespace. Then, since run.php calls the run method of the app class, let's look for it.
spl_autoload_register simply registers an autoloader, i.e. a function that loads a class file automatically when the class is first used.
Load_Class replaces \\ in the incoming $class with /, checks that the file exists, and includes it.
Back in app.php, the next step calls the setReporting() method. A brief look: it doesn't matter much, it's probably something like the error reporting level.
The default_config() method checks whether the file caching.php exists and includes it. After a look, it just loads a cache. Note one thing here: later on, watch whether $setting['caching'] is controllable.
The adventure continues. Here configuration information and routing information are defined and handed to Load_conf for processing. We follow up:
Here conf and route are taken out separately, the directory is read and the files are read as well. That's probably what it means: loading the conf configuration and the routing information.
Then we go back to app.php and continue the audit. At line 124 we see a C method. Follow it up, charge!!!!!! It turns out the C method actually loads some program variables. For this, I still use the method mentioned in an article I read: add a formal parameter to the C method, then call it at the end of index.php, then save the obtained program variables in a txt file and search when necessary.
The next step loads the version information.
Hey~, found a getRealIP method. Blind guess: it gets the real IP, ahahaha.
Well! Good heavens, and so it was. We find that forging CLIENT-IP will not succeed, but the X-FORWARDED-FOR header can be forged. This..... I can't understand this operation. Let's record it first, and wait and see whether getRealIP will surprise us. Auditing is like this: you never know what will happen later.
At this point default_config is basically finished; what follows is the definition of some constants.
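To make the X-FORWARDED-FOR observation concrete, here is an added example (my own code, not Tianmu CMS's getRealIP) of a client-IP helper that only honours the header when the TCP peer is one of our own reverse proxies. The $trustedProxies list and the three sample $server arrays are constructed for the demonstration.

```php
<?php
// Added example, not Tianmu CMS code: deriving a client IP without trusting
// a header that any client can set. $trustedProxies and the sample $server
// arrays below are constructed.

function clientIpFrom(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // REMOTE_ADDR comes from the TCP connection, so the client cannot choose it.
    // Only if that address is one of our own reverse proxies do we consult X-Forwarded-For.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }

    // X-Forwarded-For is "client, proxy1, proxy2". Walk from the right, skipping our own
    // proxies; the first address that is not ours is the best candidate for the client.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        // Anything that is not a syntactically valid IP is discarded, and we fall back
        // to the connection address instead of passing header text further into the app.
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            return $remote;
        }
        return $hops[$i];
    }
    return $remote;
}

// Constructed sample requests.
$trusted = ['10.0.0.5'];

// 1. Direct connection: the client itself sent an X-Forwarded-For header.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'];
echo clientIpFrom($direct, $trusted), "\n";

// 2. Via our proxy: the proxy appended itself after the real client address.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.5'];
echo clientIpFrom($viaProxy, $trusted), "\n";

// 3. Via our proxy, but the leftmost hop is not an IP address at all.
$garbage = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip, 10.0.0.5'];
echo clientIpFrom($garbage, $trusted), "\n";
```

Run with the PHP CLI: the first request resolves to its REMOTE_ADDR because the header is ignored for an untrusted peer, the second resolves to the address the proxy appended, and the third falls back to REMOTE_ADDR because the header value fails validation. The same idea applies to CLIENT-IP: if a proxy does not set it, the application should not read it.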
Then we go back to app.php and continue. Line 20 instantiates a route. Thinking back to the earlier use temmoku\route, look in that folder. When we see a class being instantiated, we generally need to pay attention to magic methods. First it checks whether the file C:\phpstudy_pro\WWW\temmoku\app\module_route.php exists, then passes it to Load_file, which loads some static arrays, and two constants are defined.
Then the Route() method is called. Looking down into this method: first PATH_INFO is obtained with the get method, split, and traversed.
In the next if branch we find that the ROUTE array is empty by default, so set it aside and don't look at it.
This is where pseudo-static rules are defined.
If a value is passed in _SERVER['PATH_INFO'], it is split on / into an array containing two elements; for example xxx/xx becomes xxx and xx. $test_module is the content before the first /. Then xxx is converted to lowercase, and then it checks whether the CMS is installed, i.e. whether $lock exists; if it exists, it is installed.
Next it checks whether $test_module exists; if not, MODULE is defined as home.
'admin'!==MODULE. Let's try to access it in this way. It's OK to see, but the admin module cannot be accessed in this way. Line 139 is: if no module is defined, the default is the home module. Lines 141-142 are: the admin module has a special route, namely the Admin_Route() method; we'll look at this later.
Next, the plug-ins and private functions under each module are loaded.
At lines 159-174, $_SERVER['PATH_INFO'] is split on / and the route is defined; for example home/index/index refers to the index method of the index controller under the home module.
Then we look back at Admin_Route(), i.e. the routing rules under the admin module. It also splits $_SERVER['PATH_INFO'] on /, then traverses it and judges whether the controller belongs to the module or to a plugin.
Then I found a big treasure. This.... is this the filtering?
'id','aid','cid','uid','mid','cmid','iid','nid','cityid','proviceid','countyid','townid','upcid','state','reply_id','lid','iddb' are forcibly cast to int, and then passed to htmlspecialchars for entity encoding. EMMMMM....... It seems there is no XSS attack. For SQL injection, the required parameter cannot be one of the above, and these are numeric types. Or you can query two parameters at the same time and use \ to get around it. Don't worry about it. Let's keep looking at app.php.
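The filter above works by parameter name, so it is worth seeing what that does and does not cover. The following is an added example (my own code, not the CMS's filter): it reconstructs the described behaviour, integer cast for the listed names followed by htmlspecialchars, on a constructed request, and then shows the database layer binding a parameter that is not on the list. The parameter list is the one quoted above; the table, rows, and the assumption that the pdo_sqlite extension is available are mine.

```php
<?php
// Added example, not Tianmu CMS code. Reconstructs the filter described in the audit
// (int cast for a fixed list of names, then htmlspecialchars) and shows that a parameter
// outside that list still has to reach the database through a bound placeholder.
// The parameter list comes from the audit text; the request and table are constructed.

const INT_PARAMS = ['id', 'aid', 'cid', 'uid', 'mid', 'cmid', 'iid', 'nid', 'cityid', 'proviceid',
    'countyid', 'townid', 'upcid', 'state', 'reply_id', 'lid', 'iddb'];

function filterRequest(array $params): array
{
    $clean = [];
    foreach ($params as $name => $value) {
        if (in_array($name, INT_PARAMS, true)) {
            $value = (int) $value;      // numeric only: quotes and operators cannot survive this
        }
        // Entity-encode for HTML output. For an integer this changes nothing.
        $clean[$name] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $clean;
}

// Constructed request: one listed name, one name the filter knows nothing about.
$raw = ['id' => '7abc', 'keyword' => "O'Brien"];
$request = filterRequest($raw);
var_dump($request);
// 'id' is now "7". 'keyword' keeps its apostrophe as &#039;, which is correct for HTML
// output but is not a SQL defence: entity encoding is an output encoding, not a query filter.

// Whatever the filter did, the database layer must not interpolate user values into SQL.
// Assumption: pdo_sqlite is available; an in-memory database keeps the example self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO article (id, title) VALUES (7, 'Hello'), (8, 'O''Brien')");

// The int-cast value is safe as a number; the free-text value is bound, not concatenated,
// and it is the raw input that is bound (the entity-encoded copy is for the HTML template).
$stmt = $pdo->prepare('SELECT id, title FROM article WHERE id = :id OR title = :kw');
$stmt->execute([':id' => (int) $request['id'], ':kw' => $raw['keyword']]);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```

The point for the audit: a name-based whitelist only protects the names on the list, and the encoding step protects the HTML context only, so when tracing each controller the question to ask of every query is whether its values are bound like the :kw placeholder here or concatenated into the SQL string.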
self::log(); this function turns out to record logs. Set it aside for now.
Then follow self::Load_Controller(), at lines 63-75 of app.php: it checks whether this variable is equal to admin, user, install or home; if it is home, it is emptied; if not:
Then it determines whether it is a plug-in.
It judges whether the controller exists. If it does, the controller is instantiated.
Following up class controller, inside it verifies the member status.
Back at the top, following the function at line 71 of app.php, it turns out to judge whether the method exists.
==> Through the above audit, we found three routing rules.
Routing rules
- 127.0.0.1/module name/controller/method name. The corresponding file path is ./app/module name/controller/controller.php; the corresponding method is the method passed in.
- 127.0.0.1/?temmoku_dirs=module name/controller/method name. The corresponding file path is ./app/module name/controller/controller.php; the corresponding method is the method passed in.
- 127.0.0.1/?m=module name&c=controller&a=method name. The corresponding file path is ./app/module name/controller/controller.php; the corresponding method is the method passed in. This rule cannot be applied to the admin module.
Try it. Well, that's all right. These are the routing rules. Next we will formally audit the controller.
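As an added example of the three routing rules (my own resolver, not the CMS's Route() or Admin_Route() code), the function below maps a request to module, controller, method and the ./app/module/controller/controller.php path stated above, with the lowercase module, the home/index defaults and the admin restriction on the m/c/a form. The identifier check on each segment and the sample requests are my assumptions, added because every segment ends up in a file path or a PHP symbol name.

```php
<?php
// Added example, not Tianmu CMS code: a resolver for the three routing rules found in
// the audit, so a reader can see which request reaches which controller file.
// The file layout ./app/<module>/controller/<controller>.php is from the audit text;
// the segment validation, defaults and sample requests are assumptions.

function resolveRoute(array $server, array $get): array
{
    if (!empty($server['PATH_INFO'])) {
        // Rule 1: /module/controller/method via PATH_INFO.
        $parts = explode('/', trim($server['PATH_INFO'], '/'));
    } elseif (!empty($get['temmoku_dirs'])) {
        // Rule 2: ?temmoku_dirs=module/controller/method.
        $parts = explode('/', trim($get['temmoku_dirs'], '/'));
    } else {
        // Rule 3: ?m=module&c=controller&a=method, which the audit found does not
        // apply to the admin module.
        $parts = [$get['m'] ?? '', $get['c'] ?? '', $get['a'] ?? ''];
        if (strtolower($parts[0]) === 'admin') {
            throw new RuntimeException('admin module is not reachable through m/c/a');
        }
    }

    [$module, $controller, $method] = array_pad($parts, 3, '');
    $module     = strtolower($module) ?: 'home';   // module name is lowercased, default home
    $controller = $controller ?: 'index';
    $method     = $method ?: 'index';

    // Each segment becomes part of an include path or a method name, so restrict it to
    // identifier characters before it is used for either.
    foreach ([$module, $controller, $method] as $segment) {
        if (!preg_match('/^[a-z0-9_]+$/i', $segment)) {
            throw new RuntimeException("invalid route segment: $segment");
        }
    }

    return [
        'module'     => $module,
        'controller' => $controller,
        'method'     => $method,
        'file'       => "./app/$module/controller/$controller.php",
    ];
}

// Constructed sample requests, one per rule plus two that must be refused.
$samples = [
    [['PATH_INFO' => '/home/index/index'], []],
    [[], ['temmoku_dirs' => 'Home/article/show']],
    [[], ['m' => 'home', 'c' => 'index', 'a' => 'index']],
    [[], ['m' => 'admin', 'c' => 'index', 'a' => 'index']],
    [['PATH_INFO' => '/home/index.php/index'], []],
];
foreach ($samples as [$server, $get]) {
    try {
        print_r(resolveRoute($server, $get));
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The first three samples resolve to ./app/home/controller/index.php, ./app/home/controller/article.php and ./app/home/controller/index.php respectively (the second shows the module being lowercased); the fourth is refused by the admin rule and the fifth by the segment check. When auditing the real Route() and Admin_Route(), the thing to compare against this is where, if anywhere, the CMS constrains the segments before they are used to build the include path.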