Vulnerability recurrence:

1. Construct a PHP one-sentence Trojan (webshell) and compress it into a zip archive.
2. Upload the zip to a VPS and use Python on the VPS to start an HTTP service.
3. Log in to the website backend, go to Extension Management -> Plug-in List, search for a plug-in that is not yet installed, and click download in the operations on the right side of the page (capturing the request in Burp at the same time).
4. Copy the URL of the zip file on the VPS, replace the download_url parameter with that link, and forward the packet (but do not turn off interception, because several more requests carry URLs that need to be replaced).

   Such as:

5. Repeat this operation to replace all the URLs that originally point to down.jizhicms.cn.

   You can see that this request arrived at the VPS:

6. Then visit the vulnerable website at /app/admin/exts/ followed by the file name of the PHP one-sentence Trojan constructed in the first step.
Vulnerability analysis:

In the update method of app/admin/c/PluginsController.php, $remote_url is not checked for a safe URL, so any zip file can be downloaded remotely and decompressed, as the code below shows.

From the code on line 719 we can see that the downloaded and decompressed file is stored under app/admin/exts.
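To make the missing check concrete, here is an added example (not JiZhiCMS's own code) of a simplified download routine in the shape the report describes, beside a hardened version that pins the download host, refuses redirects, and rejects archive entries that would escape the plugin directory. The function names, ALLOWED_HOSTS and the stream-context usage are assumptions; down.jizhicms.cn and app/admin/exts are the values the report names.

```php
<?php
// Added example, not JiZhiCMS's own code: a hypothetical, simplified plugin
// download routine in the shape the report describes, followed by a hardened
// version. Assumed names: updatePluginVulnerable, updatePluginHardened,
// ALLOWED_HOSTS; EXT_DIR mirrors the app/admin/exts path named in the report.
declare(strict_types=1);

const ALLOWED_HOSTS = ['down.jizhicms.cn'];          // the host the stock requests use
const EXT_DIR = __DIR__ . '/app/admin/exts';

// Reported pattern: the URL from the request is fetched as-is and the archive
// is extracted into the plugin directory without any inspection.
function updatePluginVulnerable(string $remote_url): void
{
    $tmp = tempnam(sys_get_temp_dir(), 'ext');
    file_put_contents($tmp, file_get_contents($remote_url));
    $zip = new ZipArchive();
    $zip->open($tmp);
    $zip->extractTo(EXT_DIR);
    $zip->close();
}

// Hardened: accept only https URLs on the official plugin host, do not follow
// redirects off that host, and refuse entries that would leave EXT_DIR.
function updatePluginHardened(string $remote_url): void
{
    $p = parse_url($remote_url);
    if ($p === false || ($p['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($p['host'] ?? ''), ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException('download_url must point to the official plugin server');
    }
    // A host allow-list is useless if the fetch silently follows a redirect elsewhere.
    $ctx = stream_context_create(['http' => ['follow_location' => 0]]);
    $tmp = tempnam(sys_get_temp_dir(), 'ext');
    file_put_contents($tmp, file_get_contents($remote_url, false, $ctx));
    $zip = new ZipArchive();
    if ($zip->open($tmp) !== true) {
        throw new RuntimeException('downloaded file is not a valid zip archive');
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Reject absolute paths and ".." segments so every entry stays inside EXT_DIR.
        if (str_starts_with($name, '/') || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            throw new RuntimeException("refusing unsafe archive entry: $name");
        }
    }
    $zip->extractTo(EXT_DIR);
    $zip->close();
}
```

Pinning the host still means the server trusts whatever that host serves; verifying a signature or hash on the archive would close that gap, but the report does not cover it.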