靶标介绍
Pluck-CMS-Pluck-4.7.16 后台RCE
靶场截图
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3651.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图")
靶场过关
1、点击url进入首页,点击admin进入后台登录页面
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图1](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3652.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图1")
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图2](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3653.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图2")
2、弱口令admin登录,进入 后台管理页面
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图3](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3656.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图3")
3、去github上搜索Pluck CMS,下载压缩包解压
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图4](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3658.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图4")
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图5](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3659.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图5")
将构造的一句话木马写入info.php中
file_put_contents() 函数:把一个字符串写入文件中。
base64_decode()对encoded_data进行解码,返回原始数据。
PD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTtwaHBpbmZvKCk7Pz4是<?php system('cat /flag');phpinfo();?>的base64编码
<?php file_put_contents('haha.php',base64_decode('PD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKTtwaHBpbmZvKCk7Pz4='));?>![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图6](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3662.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图6")
4、将改好的文件压缩为zip,去安装主题处上传
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图7](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3663.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图7")
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图8](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3664.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图8")
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图9](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3666.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图9")
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图10](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3667.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图10")
5、访问haha.php获取flag
![[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图11](https://www.moluyao.wang/wp-content/uploads/2024/06/unnamed-file-3671.png "[春秋云镜]CVE-2022-26965 XStream Pluck-CMS-Pluck-4.7.16 后台RCE插图11")
原文链接:https://blog.csdn.net/weixin_52848454/article/details/132462253?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522171852222916800197081238%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=171852222916800197081238&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~times_rank-16-132462253-null-null.nonecase&utm_term=cms%E4%B8%BB%E9%A2%98
