奇安信攻防社区-SeedDMS密码爆破加远程命令执行

SeedDMS密码爆破加远程命令执行

日常测试

无意间在网上找到了一个SeedDms系统  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-02968f5484fb5f2642c1fd967ee6823f2148708f.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-02968f5484fb5f2642c1fd967ee6823f2148708f.png)  
试了下admin,admin登录失败，所以就先收集信息吧，然后制作一个字典,burp爆破  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-adb02a9963d02cc91e94b91c35c91b3e8df2a2bc.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-adb02a9963d02cc91e94b91c35c91b3e8df2a2bc.jpg)  
爆了2分钟就出来了  
用户名admin  
密码2359631867  
我们成功就入了seeddms  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-076a9dd9968dd2244f4454383ea9b903994fe6d2.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-076a9dd9968dd2244f4454383ea9b903994fe6d2.png)  
权限是只读的，转了半大天终于发现了个上传位置  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-e3c6e9285e9706e72862b25b90ac0173b1025849.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-e3c6e9285e9706e72862b25b90ac0173b1025849.png)  
上一个远程代码脚本  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-65d5873159f4c235342c3dac4d44ad0ba6c39c3f.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-65d5873159f4c235342c3dac4d44ad0ba6c39c3f.png)  
这里并没有限制什么，可以直接上传php文件  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-604362fd355793222eef1336b643faa97be16139.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-604362fd355793222eef1336b643faa97be16139.png)  
上传成功，但别以为这就结束了，打不开。。。。  
确切说是没有位置  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-0ad97fbb20e8ccbc728676b00e240cd7b693a618.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-0ad97fbb20e8ccbc728676b00e240cd7b693a618.png)  
文件有了，但没有位置，太坑了啊，不能放弃  
首先我们来分析一下，这个网站是存在多语种选项的，那就说明存在languages目录，接下来我们对languages目录专门扫描一下  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-434ff020ba4b24aa3f44fe00bad021f0c41fbf4e.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-434ff020ba4b24aa3f44fe00bad021f0c41fbf4e.png)  
扫出来乱七八糟一片，其中有一个关键文件languages/sk\_SK/lang.inc  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-494b931600dec134e25a97f941e4fe6fcb3f0544.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-494b931600dec134e25a97f941e4fe6fcb3f0544.png)  
仔细看一下，你会发现这个  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-2c6cfdc82e3ab02c0f901aacdd90b8957231d84c.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-2c6cfdc82e3ab02c0f901aacdd90b8957231d84c.png)  
settings\_contentOffsetDir\_desc文件系统配置设置，生成一个1048576文件夹,直接在域名后面加1048576显示404[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d8f49468867d710be99599e81b81f31c514b1453.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d8f49468867d710be99599e81b81f31c514b1453.png)  
但之前我们已经做了大量的信息收集，用dirbuster爆到了/data/1048576/  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-42627dfd01630ebecf1a3d78cee0448644e5d6fc.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-42627dfd01630ebecf1a3d78cee0448644e5d6fc.png)  
再后面直接加上1.php是打不开的404，再次陷入深渊中。。。  
回到主页面继续分析  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-8c1b132da982e890e42e6e4fdb45c88d9b693640.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-8c1b132da982e890e42e6e4fdb45c88d9b693640.png)  
out.ViewDocument.php?documentid=3&amp;showtree=1  
似乎我们一直忽略了documentid=3，/data/1048576/3/试一下  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-3738343ada4a5eb1f0b919563fadce1ce1741e12.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-3738343ada4a5eb1f0b919563fadce1ce1741e12.png)  
哈哈，成功了，后面加上我们的脚本，成功运行1.php  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ef762f1967800bff6c7f8d3342bf2095646ba0c0.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ef762f1967800bff6c7f8d3342bf2095646ba0c0.png)  
真累啊，希望大家看了对文件目录有更多了解吧。

发表于 2021-06-26 17:35:48
阅读 ( 5567 )
分类：漏洞分析

SeedDMS密码爆破加远程命令执行

0 条评论