Preface:

The CMS audited in this article is version 4.2. The vulnerabilities below have been included in CNVD.

Environment Description:

PHP version: 7.0.9.

SSRF:

Auditing by function point: the admin backend toolbar has a collection (caiji) feature that fetches remote content. From experience, this kind of feature very often carries an SSRF.


Start a simple HTTP server locally with python3 to act as the collection target.

Enter the local address as the collection URL and click Next: the request arrives at the local server, confirming the SSRF.

Now the code analysis. The handling code is easy to locate from the request captured in Burp Suite.

In upload/plugins/sys/admin/Collect.php, Collect->add passes the POST parameter cjurl, without any sanitization, to the $this->caiji->str() method.

To jump to that method in PHPStorm, press Shift twice in a row (Search Everywhere) and type its name.

Following str(), the url parameter is passed on unchanged to the htmlall() method, so follow that as well.

htmlall() hands the URL to curl and fetches it. Nothing along the path from cjurl to curl checks the scheme or the destination host, which is the SSRF.
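As an added example (not code from the CMS or from the original write-up), here is the sink pattern just described next to a hardened form. The function names, the validation helper and the URLs in the demo loop are assumptions made for illustration. The hardened version resolves the host itself, refuses non-http(s) schemes and internal addresses, disables redirects, and pins curl to the address it checked.

```php
<?php
// Added example, not CMS code. Reproduces the collect-and-fetch pattern from
// the write-up (a POST value handed straight to curl) and a hardened form.
// Function names and the demo URLs are assumptions constructed for illustration.

// Vulnerable shape: whatever arrives in the request is fetched as-is.
function fetch_unsafe(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;    // file://, gopher://, 127.0.0.1, 169.254.169.254 ... all reachable
}

// True when $ip is loopback, link-local, RFC 1918 or otherwise reserved.
function is_internal_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns null when $url may be fetched, otherwise a short reason for refusing it.
// $resolved receives the IP address the check was performed against.
function check_collect_url(string $url, &$resolved = null)
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return 'unparseable url or missing host';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme '$scheme' not allowed";           // no file://, gopher://, dict:// ...
    }
    $host = trim($parts['host'], '[]');                   // parse_url keeps IPv6 brackets
    // Resolve here so the check applies to the address curl would connect to.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return "cannot resolve '$host'";                  // gethostbyname() echoes the name on failure
    }
    if (is_internal_ip($ip)) {
        return "$host resolves to internal address $ip";
    }
    $resolved = $ip;
    return null;
}

// Hardened shape: validate, then fetch with redirects off and the address pinned.
function fetch_safe(string $url)
{
    if (check_collect_url($url, $ip) !== null) {
        return false;
    }
    $parts = parse_url($url);
    $host  = trim($parts['host'], '[]');
    $port  = $parts['port'] ?? (strtolower($parts['scheme']) === 'https' ? 443 : 80);

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);      // a 302 to 127.0.0.1 would skip the check
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        // Pin curl to the address that was checked, closing the DNS-rebinding window.
        curl_setopt($ch, CURLOPT_RESOLVE, ["$host:$port:$ip"]);
    }
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Stand-alone demo on constructed URLs (IP literals only, so no DNS lookup is needed).
foreach ([
    'http://127.0.0.1:8000/',                    // the local python3 listener from the write-up
    'http://169.254.169.254/latest/meta-data/',  // cloud metadata service
    'http://10.0.0.5/admin',                     // RFC 1918
    'http://[::1]/',                             // IPv6 loopback
    'file:///etc/passwd',
    'gopher://127.0.0.1:6379/_PING',
    'http://198.51.100.7/news.html',             // documentation range, stands in for a public host
] as $u) {
    $reason = check_collect_url($u);
    printf("%-45s %s\n", $u, $reason === null ? 'allowed' : 'blocked: ' . $reason);
}
```

Run it with the php CLI; of the demo inputs only the 198.51.100.7 URL is reported as allowed. Two caveats worth keeping in mind when porting this into a real collect feature: the check has to run at fetch time, not only when the task is saved, and gethostbyname() is IPv4-only, so an IPv6-capable deployment should use dns_get_record() and check every returned A and AAAA address.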

File overwrite causes GETSHELL:

This vulnerability was found the other way round, by backtracking parameters from a sensitive function. In upload/cscms/app/helpers/common_helper.php, write_file() is a sensitive file-write function; it lives in the same file as the htmlall() used by the SSRF.

Ctrl+Shift+F to find every caller of write_file(): in upload/plugins/sys/admin/plugins.php, plugins->_route_file calls write_file(), and the values of $note[$key]['name'] and $note[$key]['url'] are concatenated into the file contents. They land inside a comment, but a newline in either value terminates the comment, so whatever follows the newline is written as live PHP code.
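As an added example (not code from the CMS or from the original write-up), the comment break-out just described, reproduced in a small builder for the generated file beside a hardened builder. The file layout, the function names and the payload are assumptions that only mirror the pattern in the text: user-controlled name and url values are placed in a comment of a PHP file that is then written to disk. The token listing shows what PHP would actually execute in each version.

```php
<?php
// Added example, not CMS code. The generated file layout, the function names
// and the payload are assumptions that reproduce only the pattern described in
// the write-up: name/url values concatenated into a comment of a written PHP file.

// Vulnerable shape: values dropped into the file verbatim.
function build_route_file_unsafe(string $name, string $url): string
{
    return "<?php\n"
         . "// plugin name: {$name}\n"      // a "\n" inside $name ends this comment early
         . "// plugin url:  {$url}\n"
         . "\$route['plugins'] = 'plugins/index';\n";
}

// Hardened shape: refuse anything that can leave the comment.
function build_route_file_safe(string $name, string $url): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException('bad plugin name');
    }
    // CR/LF would end a '//' comment; '?>' inside a comment ends PHP mode entirely.
    if (preg_match('/[\x00-\x1f\x7f]/', $url) || strpos($url, '?>') !== false
        || filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('bad plugin url');
    }
    return "<?php\n"
         . "// plugin name: {$name}\n"
         . "// plugin url:  {$url}\n"
         . "\$route['plugins'] = 'plugins/index';\n";
}

// Lists the tokens PHP would execute in $src (open tag, comments and whitespace
// dropped), so a comment break-out shows up as extra tokens such as T_ECHO.
function executable_tokens(string $src): array
{
    $out = [];
    foreach (token_get_all($src) as $tok) {
        if (!is_array($tok)) {               // one-character tokens: '=', ';', '[' ...
            $out[] = $tok;
        } elseif (!in_array($tok[0], [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            $out[] = token_name($tok[0]);
        }
    }
    return $out;
}

// Stand-alone demo with a constructed, harmless payload that leaves the comment.
$payload = "demo\necho 'escaped the comment';";
$url     = 'http://198.51.100.7/plugin.zip';

$unsafe = build_route_file_unsafe($payload, $url);
echo "unsafe file executes: ", implode(' ', executable_tokens($unsafe)), "\n";

// Stand-in for the write_file() sink, pointed at a temp directory.
$target = sys_get_temp_dir() . '/route_demo.php';
file_put_contents($target, $unsafe);
echo "written to $target (", strlen($unsafe), " bytes)\n";

try {
    build_route_file_safe($payload, $url);
} catch (InvalidArgumentException $e) {
    echo "safe builder: rejected (", $e->getMessage(), ")\n";
}
echo "safe file executes:   ", implode(' ', executable_tokens(build_route_file_safe('demo', $url))), "\n";
```

Run it with the php CLI. The unsafe token list starts with T_ECHO T_CONSTANT_ENCAPSED_STRING ; before the route assignment, which is the injected statement, while the safe builder rejects the payload and, for a clean name, yields only the route assignment tokens. The '?>' check is there because a '?>' inside a // comment closes PHP mode, a second way out of the comment besides a newline; if the values must stay free-form, embed them with var_export() as string literals instead of placing them in a comment at all.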

Find where _route_file is called and trace the callers back.

Conclusion:

This audit used two general code-audit approaches: first, a targeted audit by function point; second, backtracking parameters from sensitive functions. What it did not use was reading the whole codebase front to back. PHPStorm makes code auditing much more efficient.