Tianmu MVC audit I
2022-07-06 09:51:00 【XRSec】
Preface
Today we audit a CMS from scratch: Tianmu CMS. This article is edited by Er Nong Xi Zhu.
Understanding the MVC architecture
- The MVC architecture generally has three parts: M, the business model; V, the user interface (view); and C, the controller. You can look up the details on Baidu.
- Based on that understanding of MVC, I generally use two audit modes:
Auditing the controller directly
That is, only the content of C, plus tracing a few functions. Search the whole project for filt__, because filt is short for filter; searching globally for this kind of function lets you check the filtering rules. This kind of audit is usually faster.
However, it generally assumes you already clearly understand the routing rules of this CMS, so it suits old hands, and it makes it convenient to backtrack and verify the vulnerability points found during the audit.
Reading through the audit from the index page
This audit method is more suitable for a newbie like me, since it is harder to overlook some vulnerabilities. This article audits in this way!
Starting the audit
Preparation
At the start of an audit I usually look at the directory listing first, to get a general understanding of the whole CMS:
app        ---- Main program directory
attachment ---- Additional directories
public     ---- Public procedures
runtime    ---- Usually log files
temmoku    ---- Some plug-ins, configuration files, etc.
view       ---- View
index.php  ---- Program entrance
index.php
What we can see is that index.php defines some constants and then includes the file 'temmoku'.DS.'run.php'.
For these constants, I saw a trick from a fellow auditor: add the following at the end of index.php to print out the constants, save the output to a .txt file, and search it later:
```php
// Dump every user-defined constant (name---value), one per line
foreach (get_defined_constants(true)['user'] as $k => $v) {
    echo $k . '---' . $v . "\r\n";
}
```
So we find that DS is \, and what is actually included is the file temmoku\run.php.
run.php
Then we follow into it ==>
Well, it's a pile of constants, and it includes these two PHP files:
C:\phpstudy_pro\WWW\temmoku\temmoku\functions.php
C:\phpstudy_pro\WWW\temmoku\temmoku\app.php
It then instantiates the app class and calls its run method.
functions.php
In functions.php, various methods are defined. Set it aside for now; when the audit of the controller hits some specific call, come back and audit it in detail.
app.php
In app.php, at the beginning I saw namespace and use. I didn't understand these two things; well, from Baidu we learn that use imports classes, functions and constants from the same namespace. Then I found that run.php calls the run method of the app class, so let's look for it.
spl_autoload_register: this function is simply automatic loading of classes when they are instantiated.
Load_Class: the incoming $class has its \\ replaced with /, then it checks that the file exists and includes it.
Back in app.php, the next step is the call to the setReporting() method. A brief look: it doesn't matter, it's probably something like the error reporting level.
The default_config() method: it checks whether the file caching.php exists and includes it. After a look, it just wants to load a cache. Pay attention here: later, watch whether $setting['caching'] turns out to be controllable.
The adventure continues. Here a configuration info and a routing info are defined and handed to Load_conf to process; we follow up.
Here conf and route are finally taken out separately, the directory is read and the files are read too. That is probably what it means: load the conf configuration and the routing information.
Then we go back to app.php and continue auditing. At line 124 we see a C method; follow it, charge!!!!!! We find the C method actually loads some program variables. For this I still use the method from an article I read: give the C method a formal parameter, call it at the end of index.php, save the obtained program variables into a txt file, and search it when needed.
Next it loads the version information.
Hey~, found a getRealIP method. Blind guess: it gets the real IP, ahahaha.
Well! Good heavens, and so it was. We find that forging CLIENT-IP will not succeed, but the X-FORWARDED-FOR parameter can be forged. This..... I can't understand this operation. Note it down for now and wait to see whether getRealIP surprises us later. Auditing is like this; you never know what will happen later.
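The behaviour just observed, as an added example that is not the CMS's own getRealIP: a naive reconstruction that trusts X-Forwarded-For as sent, beside a version that only honours the header when the request arrives from a known reverse proxy. The function names and the trusted proxy list 10.0.0.5 are assumptions of this example.

```php
<?php
// Added example, not Tianmu CMS code: naive vs. hardened "real IP" lookup.

// Naive: whatever the client put in X-Forwarded-For becomes the "real" IP.
function getRealIpNaive(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $ips = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        return trim($ips[0]);
    }
    return $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Hardened: trust X-Forwarded-For only when the TCP peer is one of our own
// reverse proxies (list is an assumption), take the last hop, which is the
// one our proxy appended, and insist that it parses as an IP address.
function getRealIpTrusted(array $server, array $trustedProxies = ['10.0.0.5']): string
{
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $ips = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($ips);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $peer;
}

// Constructed request: a direct client sets the header to an internal address.
$spoofed = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
echo 'naive:   ', getRealIpNaive($spoofed), PHP_EOL;   // header taken at face value
echo 'trusted: ', getRealIpTrusted($spoofed), PHP_EOL; // peer is not a proxy, header ignored

// Constructed request: the same header, but arriving through the trusted proxy.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9'];
echo 'trusted via proxy: ', getRealIpTrusted($viaProxy), PHP_EOL;
```

Any IP-based allow list, rate limit or audit log built on the naive version inherits the spoofing the author found.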
At this point the default_config method is basically finished; what follows is the definition of some constants.
Then we go back to app.php and continue. Line 20 instantiates a route; recall the earlier use temmoku\route, and look in that folder. When we see a class being instantiated we generally need to pay attention to magic methods. First it checks whether C:\phpstudy_pro\WWW\temmoku\app\module_route.php exists, then passes it into Load_file for handling, which loads some static arrays and defines two constants.
Then there is the call to Route(). Looking down at this method: at the front it gets PATH_INFO via get, splits it and traverses.
In the next if branch, we find that the ROUTE array is empty by default, so set it aside and don't look at it.
This is how pseudo-static routes are defined.
If a value is passed in _SERVER['PATH_INFO'], it is split on / into an array of two elements; for example xxx/xx becomes xxx and xx. $test_module is the content before the first /. Then xxx is converted to lowercase, and it checks whether the CMS is installed, that is whether $lock exists; if it exists, it is installed.
Next it checks whether $test_module exists; if not, MODULE is defined as home.
Line 139 is: if no module is defined, the default is the home module. Lines 141-142: the admin module has a special route, namely the Admin_Route() method; we'll look at it later.
Next, load the plug-ins and private functions under each module.
At lines 159-174, $_SERVER['PATH_INFO'] is split on / to define the route. For example home/index/index refers to the index method of the index controller under the home module.
Then we look back at Admin_Route(), that is the routing rule under the admin module. It also splits $_SERVER['PATH_INFO'] on /, then traverses it and judges whether the controller is a module or a plugin.
Then I found a big baby. This.... This is the filtering?
EMMMMM....... It seems XSS attacks are not possible. For SQL injection, the required parameters cannot be the ones above, and it is a numeric type. Or you can query two parameters at the same time and use \ to get around it. Don't worry about it. Keep reading app.php.
self::log(); this function records logs; set it aside for now.
Then follow self::Load_Controller(), at app.php lines 63-75: it checks whether the home variable equals admin, user, install or home. If it is home, it is empty; if not, it checks whether it is a plug-in.
Then it checks whether the controller exists, and if so instantiates the controller.
Following class controller, inside it verifies the member status.
Back at the top, follow the function at app.php line 71; it checks whether the method exists.
==> Through the above audit, we found three routing rules.
Routing rules
- 127.0.0.1/module/controller/method
  The corresponding file path is ./app/module/controller/controller.php, and the corresponding method is the passed method.
- 127.0.0.1/?temmoku_dirs=module/controller/method
  The corresponding file path is ./app/module/controller/controller.php, and the corresponding method is the passed method.
- 127.0.0.1/?m=module&c=controller&a=method
  The corresponding file path is ./app/module/controller/controller.php, and the corresponding method is the passed method. This rule cannot be applied to the admin module.
Try it, well, that's all right. These are the routing rules. Next we will formally audit the controller.
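The three routing rules above as a small resolver, added here as an example and not the CMS's own route code: it shows which request parts end up choosing the controller file, applies the lowercase module and home default from the audit, and refuses the m/c/a form for admin. The function name, the index defaults for controller and method, and the identifier-only check are assumptions of this example.

```php
<?php
// Added example, not Tianmu CMS code: model of the three routing rules found.

/**
 * Resolve a request to [module, controller, action, file], or null when refused.
 * $server and $get stand in for $_SERVER and $_GET.
 */
function resolve_route(array $server, array $get): ?array
{
    $path = '';
    if (!empty($server['PATH_INFO'])) {                   // rule 1: /module/controller/method
        $path = $server['PATH_INFO'];
    } elseif (!empty($get['temmoku_dirs'])) {             // rule 2: ?temmoku_dirs=module/controller/method
        $path = $get['temmoku_dirs'];
    } elseif (isset($get['m'], $get['c'], $get['a'])) {   // rule 3: ?m=&c=&a=
        if (strtolower($get['m']) === 'admin') {          // rule 3 must not reach the admin module
            return null;
        }
        $path = $get['m'] . '/' . $get['c'] . '/' . $get['a'];
    }
    $parts      = array_values(array_filter(explode('/', trim($path, '/')), 'strlen'));
    $module     = strtolower($parts[0] ?? 'home');        // module is lowercased, defaults to home
    $controller = $parts[1] ?? 'index';                   // default is an assumption of this example
    $action     = $parts[2] ?? 'index';

    // Defensive check (assumption, not the CMS's filter): identifier characters only,
    // so a controller name can never leave ./app/<module>/controller/.
    foreach ([$module, $controller, $action] as $seg) {
        if (!preg_match('/^[a-z0-9_]+$/i', $seg)) {
            return null;
        }
    }
    $file = "./app/{$module}/controller/{$controller}.php";
    return [$module, $controller, $action, $file];
}

// Constructed requests, one per rule, plus two that the resolver refuses.
var_dump(resolve_route(['PATH_INFO' => '/Home/index/index'], []));
var_dump(resolve_route([], ['temmoku_dirs' => 'admin/login/index']));
var_dump(resolve_route([], ['m' => 'home', 'c' => 'index', 'a' => 'index']));
var_dump(resolve_route([], ['m' => 'admin', 'c' => 'login', 'a' => 'index']));  // admin via m/c/a
var_dump(resolve_route([], ['temmoku_dirs' => 'home/../other/index']));         // non-identifier segment
```

When auditing the controllers next, each of the three request forms is a separate entry point to test, since all three land in the same controller file.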