Quiet
  • HOME
  • ARCHIVE
  • CATEGORIES
  • TAGS
  • LINKS
  • ABOUT

Nokali

  • HOME
  • ARCHIVE
  • CATEGORIES
  • TAGS
  • LINKS
  • ABOUT
Quiet主题
  • Vuln

tpAdmin-RCE

Nokali

2023-04-09 15:55:14

RCE Vulnerability in tpAdmin

Project: https://github.com/yuan1994/tpAdmin

tpadmin is a management background based on the official version of ThinkPHP5.0 and Hui.admin v2.5.

So far, the project has 437 stars and 186 forks on github.

An arbitrary file upload vulnerability exists in tpadmin, allowing an attacker to take over server privileges.


Note:
If you want to deploy the system:
After downloading the project, use composer to download the required dependencies (it is recommended to modify composer.json first)
Just modify the following part:

    "require": {
        "php": ">=5.4.0",
        "topthink/framework": "5.0.7",
        "topthink/think-captcha": "1.0.7",
        "qiniu/php-sdk": "7.1.3",
        "phpoffice/phpexcel": "1.8.2",
        "yuan1994/tp-mailer": "0.2.4"

Then execute composer update or composer install
If you still cannot access the page, refer to thinkphp’s official deployment manual:
https://www.kancloud.cn/manual/thinkphp5/129745
https://www.kancloud.cn/manual/thinkphp5/177576


Visit and log in to the background, for example: http://192.168.159.134/admin/pub/login.html

Username:admin

Password:123456

Vulnerable file: application\admin\controller\Upload.php

RCEcode

The file upload function in this controller does not set the file format filter, so that the webshell can be uploaded.

RCE

Click to upload webshell, and get the url path in the http return package

Vul

getshell

GETSHELL.

下一篇

tpAdmin-SSRF

©2023 By Nokali. 主题:Quiet
Quiet主题