From this web page screenshot, the following key information about the vulnerability can be extracted:

1. CVE-ID:
- CVE-2024-48454

2. Description:
- An issue in SourceCodester Purchase Order Management System v1.0 allows a remote (authenticated) attacker to execute arbitrary code via the /admin?page=user component.

3. Additional Information:
- Testing was done using "https://yunjing.ichunqiu.com/cve/detail/1160?pay=2".
- Further details are available at "https://github.com/N0zoM1z0/Vuln-Search/blob/main/SourceCodester%20Purchase%20Order%20Management%20System%20v1.0.md".

4. Vulnerability Type:
- Code execution (via unrestricted file upload of a PHP webshell in the avatar field)

5. Vendor of Product:
- SourceCodester (Purchase Order Management System v1.0)

6. Affected Product Code Base:
- SourceCodester Purchase Order Management System
- SourceCodester Purchase Order Management System v1.0

7. Affected Component:
- /admin?page=user

8. Attack Type:
- Remote

9. Impact (code execution):
- True

10. Attack Vectors:
- First log in to the backend, then open /admin?page=user and edit the user's avatar. The avatar upload accepts a PHP webshell. After saving, right-click the avatar image (the webshell) to obtain its URL, then send a POST request with the body 1=phpinfo(); to that URL to confirm code execution and obtain a shell. Note that the attacker must already hold valid backend credentials, so this is a post-authentication file-upload-to-RCE issue; the missing control is server-side validation of the uploaded avatar (type and content) and a non-executable upload directory.

11. Discoverer:
- https://github.com/N0zoM1z0/

12. Reference:
- https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html
- https://github.com/N0zoM1z0/Vuln-Search/blob/main/SourceCodester%20Purchase%20Order%20Management%20System%20v1.0.md
- https://www.sourcecodester.com/
- https://yunjing.ichunqiu.com/cve/detail/1160?pay=2
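The avatar upload described above executes code because the server trusts the client-supplied file name and content. The following Python block is an added example (not code from the project or from the advisory author) showing the validation an avatar handler should perform before storing the file: an extension allowlist, a magic-byte check that the bytes really are an image, a scan for embedded PHP markers (to catch image/PHP polyglots), and a server-generated storage name so the original file name never reaches disk. The webshell body `<?php eval($_POST[1]); ?>` used in the sample inputs is an assumption consistent with the page's `POST 1=phpinfo();` step, not a payload quoted from the page; the PNG bytes are constructed for the test. The function and constant names are illustrative.

```python
"""Avatar-upload validation that would block the PHP-webshell-as-avatar
technique described for CVE-2024-48454. Illustrative example only; not the
application's own code."""
import hashlib
import os
import re

# Only raster image extensions are acceptable for an avatar.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes (magic numbers) of the accepted image formats, mapped to the
# extension the server will use when it stores the file.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# PHP open tags that would be executed if the file were served through the
# PHP handler. This is a heuristic defence in depth; the primary control is
# an upload directory that the web server never executes.
PHP_MARKERS = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the extension implied by the file's magic bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_avatar(filename: str, data: bytes):
    """Return (accepted, reason) for a candidate avatar upload.

    Checks are ordered cheapest first; every rejection explains why so the
    event can be logged for detection.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    # A file such as shell.png whose bytes start with a PNG header but carry
    # PHP code after it is a polyglot; the declared extension passes and the
    # magic check passes, so the content scan is what stops it.
    if PHP_MARKERS.search(data):
        return False, "embedded PHP code"
    return True, "ok"


def safe_stored_name(data: bytes) -> str:
    """Derive the on-disk name from the content hash and the sniffed type.

    The client's file name (and any double extension in it, e.g. x.php.png)
    is discarded entirely, so a permissive web-server handler mapping cannot
    be abused through the name.
    """
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError("not an accepted image")
    return hashlib.sha256(data).hexdigest() + ext


# Constructed sample inputs (not captured from a real system).
WEBSHELL = b"<?php eval($_POST[1]); ?>"           # assumed typical one-liner
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
CLEAN_PNG = PNG_HEADER + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
POLYGLOT = PNG_HEADER + b"\x00\x00\x00\rIHDR" + WEBSHELL


def demo():
    """Run the validator over the sample inputs; returns the decisions."""
    return {
        "shell.php": validate_avatar("shell.php", WEBSHELL),
        "shell.png": validate_avatar("shell.png", WEBSHELL),
        "polyglot.png": validate_avatar("polyglot.png", POLYGLOT),
        "clean.png": validate_avatar("clean.png", CLEAN_PNG),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
    print("stored as:", safe_stored_name(CLEAN_PNG))
```

Even with this validation in place, the upload directory should be served with PHP execution disabled (for example, a handler configuration that serves everything under the avatar directory as static content), because content sniffing and marker scanning are heuristics, not a guarantee.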