问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
实战|全程分析js到getshell
渗透测试
看到望海师傅的山理证书真滴好看,真想搞一本,刚刚入edusrc的时候收集了一波山理的子域资产,全部看了一遍都被大佬挖的干干净净了。没有内网VPN基本上挖不到,然后我就去公众号看了一下,找到...
看到望海师傅的山理证书真滴好看,真想搞一本,刚刚入edusrc的时候收集了一波山理的子域资产,全部看了一遍都被大佬挖的干干净净了。没有内网VPN基本上挖不到,然后我就去公众号看了一下,找到了一个系统 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-792062d56afe4b85eb71e3ebfadb73a99a118510.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-792062d56afe4b85eb71e3ebfadb73a99a118510.jpg) [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b00b5a8975743ca1956398f8753355a699cbe06f.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b00b5a8975743ca1956398f8753355a699cbe06f.jpg) 首先来点团队特色F12大法,查看html源码 发现一处js [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-e3f993e7e8cdacfd05d55b46d0dc27ab515b3a03.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-e3f993e7e8cdacfd05d55b46d0dc27ab515b3a03.png) 发现登录后直接跳转这个地址 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-3d6965a63b3545790661ef5e9a7e5ad30881d609.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-3d6965a63b3545790661ef5e9a7e5ad30881d609.png) 直接访问看看有没有未授权漏洞 <http://xx.xx.xx.xx/index.jsp> [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-56e5228053d3f5a74a1f9c052dfa1b243d291932.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-56e5228053d3f5a74a1f9c052dfa1b243d291932.png) 访问了好吧,是首页。。打扰了 但是我不甘心,我再用F12大法,发现了index.js [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-261bd9a00c5ff908f0aded60f743cf9b733a15db.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-261bd9a00c5ff908f0aded60f743cf9b733a15db.png) 访问http://xx.xx.xx.xx/index.js 翻了一下好像收获 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-e556dd87ef4acd4f17f52aa9de04bf215a76517a.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-e556dd87ef4acd4f17f52aa9de04bf215a76517a.png) 访问看看http://xx.xx.xx.xx/dateConf/cfg\_workUser.jsp 还是显示未登录 再次使用F12大法—又找到一个js [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-077a121439cf4e82f718252382d0d26896873cde.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-077a121439cf4e82f718252382d0d26896873cde.png) 发现了两处接口 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5e0cd3fad078474b14f13e9c6a9dfdf0f790ea22.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5e0cd3fad078474b14f13e9c6a9dfdf0f790ea22.png) [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a0e285a6edaa3a58164af940dbec35b84f121644.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a0e285a6edaa3a58164af940dbec35b84f121644.png) 第一处构造访问一下 <http://xx.xx.xx.xx> /commonServlet fromflag=queryWorkUserBySectionId&sectionId\_search=1 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ef55da5817ca12c85997160d3a4e729e622fb159.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ef55da5817ca12c85997160d3a4e729e622fb159.png) 好像没什么信息 第二处接口: [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-1585c5bb32de9ac10cceeb8b9a8a76a652f56ed5.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-1585c5bb32de9ac10cceeb8b9a8a76a652f56ed5.png) 嘿嘿,工号出来了 我们尝试用burp爆破一下sfz后六位 爆破了半小时无果,放弃了~~~然后去群里吹了一下牛逼~ 心不甘然后又找其他js看看 返回index.js找找其他入口 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-0d4d996af867075e1369148bf9183a5735ee6df8.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-0d4d996af867075e1369148bf9183a5735ee6df8.png) 依旧上f12大法查看这个页面的js文件 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a1bb3f87eb07810e6bbb32b28775bd5ebbc80bca.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a1bb3f87eb07810e6bbb32b28775bd5ebbc80bca.png) <http://xx.xx.xx.xx/js/appointment/appointment.js> 惊喜来了,找到一处上传接口 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b54e521061e06c2a1859645724b2a26070fdd1ef.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b54e521061e06c2a1859645724b2a26070fdd1ef.png) [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-7998f6490cc57a48e7f6e2dbc6143b18afe71188.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-7998f6490cc57a48e7f6e2dbc6143b18afe71188.png) 那我们开始测试一下 新建个html测试上传文件 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-61abe09cb896560bf6a0492ad025b3c2e90416e2.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-61abe09cb896560bf6a0492ad025b3c2e90416e2.png) [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ae63ef808e1d30cbdb0f20502eee6485101af58e.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ae63ef808e1d30cbdb0f20502eee6485101af58e.png) 百度找了个免杀马,上传成功 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-6119e21b21bf079999349655a5aeae5e067c1c1d.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-6119e21b21bf079999349655a5aeae5e067c1c1d.png) 访问一下试试404,干得漂亮 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-6707c9c838a386b0e837de49ac22cbb38c1b37a6.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-6707c9c838a386b0e837de49ac22cbb38c1b37a6.png) 接着分析js [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ff84338e22f13c551152072f5397e266165c8af0.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ff84338e22f13c551152072f5397e266165c8af0.png) 分析了一下js应该是上传到upload目录 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-935551cd4173349cdbc820ad2c1ecdcbb6181cad.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-935551cd4173349cdbc820ad2c1ecdcbb6181cad.png) 然后直接上菜刀 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5956165df22c270d33b979a24315202cc3b70c7f.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5956165df22c270d33b979a24315202cc3b70c7f.png) Getshell成功 [![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-15a634c2682fe483be71870b97a53471737ac944.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-15a634c2682fe483be71870b97a53471737ac944.png) 此漏洞已提交edusrc,并且已修复
发表于 2021-07-15 11:51:55
阅读 ( 6632 )
8 推荐
收藏
2 条评论
十块修得同船渡
2022-03-04 18:46
这个f12大法,是否可以用jsfinder或burp插件代替?
请先
登录
后评论
Oldto
2022-04-22 15:06
任意文件上传,大师傅。
请先
登录
后评论
请先
登录
后评论
十二小可爱
2 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!