MacCMS 7.x 某处设计不当可后台GETSHELL

### 简要描述： MacCMS 7.x 某处设计不当可后台GETSHELL 某处限制可绕过 ### 详细说明： 模板生成-页面模板-default-html-添加新页面 [<img src="https://images.seebug.org/upload/201401/17133909240441897836e9f2a27d444e7d6a01fd.png" alt="mac0001.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/17133909240441897836e9f2a27d444e7d6a01fd.png) 很明显添加页面时有硬性要求后缀必须为html，用来防止GETSHELL 这里我们先写上一句话木马（不管后缀）…… [<img src="https://images.seebug.org/upload/201401/17134026ab5b681fe4c161f0d25bbe29179c8356.png" alt="mac0002.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/17134026ab5b681fe4c161f0d25bbe29179c8356.png) 抓包，发现surffix为html，改成php看看 [<img src="https://images.seebug.org/upload/201401/17134148f07d081be6973fd03feffce91f8bf057.png" alt="mac0003.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/17134148f07d081be6973fd03feffce91f8bf057.png) [<img src="https://images.seebug.org/upload/201401/171342274658ee729800fa53f977d1885dfd174c.png" alt="mac0004.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/171342274658ee729800fa53f977d1885dfd174c.png) 木马已经就位 [<img src="https://images.seebug.org/upload/201401/17134239e82a73850e50a74ea0889cbb68d62938.png" alt="mac0005.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/17134239e82a73850e50a74ea0889cbb68d62938.png) 上菜刀，由于之前上传到default/html里面了，多以对应地址如图 [<img src="https://images.seebug.org/upload/201401/171343116855c184d5cd2fe7cc4e199c4a2ad3cd.png" alt="mac0006.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/171343116855c184d5cd2fe7cc4e199c4a2ad3cd.png) [<img src="https://images.seebug.org/upload/201401/171344001125939ef9b71c28f8bed42d87e0641e.png" alt="mac0007.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/171344001125939ef9b71c28f8bed42d87e0641e.png) ### 漏洞证明： 木马已经就位 [<img src="https://images.seebug.org/upload/201401/17134239e82a73850e50a74ea0889cbb68d62938.png" alt="mac0005.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/17134239e82a73850e50a74ea0889cbb68d62938.png) 上菜刀，由于之前上传到default/html里面了，多以对应地址如图 [<img src="https://images.seebug.org/upload/201401/171343116855c184d5cd2fe7cc4e199c4a2ad3cd.png" alt="mac0006.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/171343116855c184d5cd2fe7cc4e199c4a2ad3cd.png) [<img src="https://images.seebug.org/upload/201401/171344001125939ef9b71c28f8bed42d87e0641e.png" alt="mac0007.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/171344001125939ef9b71c28f8bed42d87e0641e.png)