0] Declaration Information:
The access and use of these links should be limited to the administrator's permission, but the link can be retrieved in the management interface and can still be accessed and used by replacing it with the registered member's address!!!
Affected version: poscms v3.2.8 & finecms - 5.0.9
Official website address:
1】 Examples of vulnerability links:
Pocms
Vulnerability link 1:
https://www.test.com//index.php?s=member&c=api&m=upload&name=value_3&siteid=1&count=1&code=62e0HOlD4CautS+HhuBtP8mGSxZOX23GArLUok2XtEBXXvO5Pw&df=1
Vulnerability link 2:
https://www.test.com//index.php?s=member&c=api&m=upload&name=value_4&siteid=1&code=a4ec1F+hBBkO82dlOkXf72PdyxDQh0RgnTQujcelqdIxvlzJPg&count=99997
Finecms
Vulnerability link 3:
https://www.test.com/index.php?s=member&c=api&m=upload&name=value_3&siteid=1&count=1&code=62e0HOlD4CautS+HhuBtP8mGSxZOX23GArLUok2XtEBXXvO5Pw&df=1
Vulnerability link 4:
https://www.test.com/index.php?s=member&c=api&m=upload&name=value_4&siteid=1&code=a4ec1F+hBBkO82dlOkXf72PdyxDQh0RgnTQujcelqdIxvlzJPg&count=99997
2】 Detailed process of vulnerability exploitation:
Please take advantage of Chrome browser, Firefox will have problems. The vulnerability link will be uploaded at the first place:
First, take the demo environment test of the official website: (this vulnerability page is invisible in the foreground)
Manage background content custom content add single file.
At the same time of uploading, grab a packet and send it to the repeater (for standby) to release the current packet. Unexpectedly, never thought of it. Demo environment, no upload.
Extract the referer as follows:
http://demo.poscms.net:88/index.php?s=member&c=api&m=upload&name=file&siteid=1&count=1&code=75195FBKQX41dCbbi+0FTbCqnXZH3JF0xxkqmrwiOyh68g&df=1
No user accesses the link directly in another browser, and then tries to upload it. An error is found (the picture is lost, instead of the intranet picture, the effect is the same as the principle).
Local construction environment:
First, directly access the vulnerability link. When uploading, it is still a prompt error:
Sign up for an ordinary account, log in and test again, and find that it can be uploaded, wow, no surprise, no joy, no excitement, come to see a woman's photo for five minutes;
Then exit the current registered account, delete the cookie in burpsuite, test the upload, and make an error. Judging from this, upload at least requires the permission of registered member:
Let's make use of our strengths as follows. Don't be surprised. Let's calm down and hold our tight hearts
Visit the link:
http://127.0.0.1:8081/index.php?s=member&c=api&m=upload&name=value_3&siteid=1&count=1&code=62e0HOlD4CautS+HhuBtP8mGSxZOX23GArLUok2XtEBXXvO5Pw&df=1
Upload the packet capture (you can also upload the PHP file by directly visiting the link, but the foreground does not return the address):
Take a walk, grab an uploaded packet, and try the TXT text:
Try PHP again:
Success: it's so exciting.
Visit the upload link:
In the same way, the other links are the same, and they will not be demonstrated one by one:
http://demo.poscms.net:88/index.php?s=member&c=api&m=upload&name=value_4&siteid=1&code=a4ec1F+hBBkO82dlOkXf72PdyxDQh0RgnTQujcelqdIxvlzJPg&count=99997
3】 Attachment address:
In addition, the backstage getshell (chicken ribs) of the star of station building is also given to you:
4):
Please use it to test the safety of your own and friends, not for serious nature problems and illegal tests.
5] Thank you:
Thanks for the patient guidance of the villain, the sincere help of the General Manager BA, and the guidance of my safety Instructor (keep his name secret) all the time. Give you three loving kisses, Momo dada ~ ~.
6] ask for doubt:
If you don't understand something, you can ask each other for advice. Please preach to each other to solve your doubts. I wish you a bright future.