奇安信攻防社区-实战|全程分析js到getshell

实战|全程分析js到getshell

看到望海师傅的山理证书真滴好看，真想搞一本，刚刚入edusrc的时候收集了一波山理的子域资产，全部看了一遍都被大佬挖的干干净净了。没有内网VPN基本上挖不到，然后我就去公众号看了一下，找到...

看到望海师傅的山理证书真滴好看，真想搞一本，刚刚入edusrc的时候收集了一波山理的子域资产，全部看了一遍都被大佬挖的干干净净了。没有内网VPN基本上挖不到，然后我就去公众号看了一下，找到了一个系统  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-792062d56afe4b85eb71e3ebfadb73a99a118510.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-792062d56afe4b85eb71e3ebfadb73a99a118510.jpg)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b00b5a8975743ca1956398f8753355a699cbe06f.jpg)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b00b5a8975743ca1956398f8753355a699cbe06f.jpg)  
首先来点团队特色F12大法，查看html源码  
发现一处js  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-e3f993e7e8cdacfd05d55b46d0dc27ab515b3a03.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-e3f993e7e8cdacfd05d55b46d0dc27ab515b3a03.png)  
发现登录后直接跳转这个地址  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-3d6965a63b3545790661ef5e9a7e5ad30881d609.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-3d6965a63b3545790661ef5e9a7e5ad30881d609.png)  
直接访问看看有没有未授权漏洞  
<http://xx.xx.xx.xx/index.jsp>  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-56e5228053d3f5a74a1f9c052dfa1b243d291932.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-56e5228053d3f5a74a1f9c052dfa1b243d291932.png)  
访问了好吧，是首页。。打扰了  
但是我不甘心，我再用F12大法，发现了index.js  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-261bd9a00c5ff908f0aded60f743cf9b733a15db.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-261bd9a00c5ff908f0aded60f743cf9b733a15db.png)  
访问http://xx.xx.xx.xx/index.js  
翻了一下好像收获  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-e556dd87ef4acd4f17f52aa9de04bf215a76517a.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-e556dd87ef4acd4f17f52aa9de04bf215a76517a.png)  
访问看看http://xx.xx.xx.xx/dateConf/cfg\_workUser.jsp  
还是显示未登录  
再次使用F12大法—又找到一个js  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-077a121439cf4e82f718252382d0d26896873cde.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-077a121439cf4e82f718252382d0d26896873cde.png)  
发现了两处接口  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5e0cd3fad078474b14f13e9c6a9dfdf0f790ea22.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5e0cd3fad078474b14f13e9c6a9dfdf0f790ea22.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a0e285a6edaa3a58164af940dbec35b84f121644.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a0e285a6edaa3a58164af940dbec35b84f121644.png)  
第一处构造访问一下  
<http://xx.xx.xx.xx> /commonServlet  
fromflag=queryWorkUserBySectionId&amp;sectionId\_search=1  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ef55da5817ca12c85997160d3a4e729e622fb159.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ef55da5817ca12c85997160d3a4e729e622fb159.png)  
好像没什么信息  
第二处接口:  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-1585c5bb32de9ac10cceeb8b9a8a76a652f56ed5.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-1585c5bb32de9ac10cceeb8b9a8a76a652f56ed5.png)  
嘿嘿，工号出来了  
我们尝试用burp爆破一下sfz后六位  
爆破了半小时无果，放弃了~~~然后去群里吹了一下牛逼~

心不甘然后又找其他js看看  
返回index.js找找其他入口  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-0d4d996af867075e1369148bf9183a5735ee6df8.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-0d4d996af867075e1369148bf9183a5735ee6df8.png)  
依旧上f12大法查看这个页面的js文件  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a1bb3f87eb07810e6bbb32b28775bd5ebbc80bca.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-a1bb3f87eb07810e6bbb32b28775bd5ebbc80bca.png)  
<http://xx.xx.xx.xx/js/appointment/appointment.js>  
惊喜来了，找到一处上传接口  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b54e521061e06c2a1859645724b2a26070fdd1ef.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b54e521061e06c2a1859645724b2a26070fdd1ef.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-7998f6490cc57a48e7f6e2dbc6143b18afe71188.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-7998f6490cc57a48e7f6e2dbc6143b18afe71188.png)  
那我们开始测试一下  
新建个html测试上传文件  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-61abe09cb896560bf6a0492ad025b3c2e90416e2.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-61abe09cb896560bf6a0492ad025b3c2e90416e2.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ae63ef808e1d30cbdb0f20502eee6485101af58e.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ae63ef808e1d30cbdb0f20502eee6485101af58e.png)  
百度找了个免杀马，上传成功  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-6119e21b21bf079999349655a5aeae5e067c1c1d.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-6119e21b21bf079999349655a5aeae5e067c1c1d.png)  
访问一下试试404,干得漂亮  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-6707c9c838a386b0e837de49ac22cbb38c1b37a6.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-6707c9c838a386b0e837de49ac22cbb38c1b37a6.png)  
接着分析js  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ff84338e22f13c551152072f5397e266165c8af0.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ff84338e22f13c551152072f5397e266165c8af0.png)  
分析了一下js应该是上传到upload目录  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-935551cd4173349cdbc820ad2c1ecdcbb6181cad.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-935551cd4173349cdbc820ad2c1ecdcbb6181cad.png)  
然后直接上菜刀  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5956165df22c270d33b979a24315202cc3b70c7f.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5956165df22c270d33b979a24315202cc3b70c7f.png)  
Getshell成功  
[![](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-15a634c2682fe483be71870b97a53471737ac944.png)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-15a634c2682fe483be71870b97a53471737ac944.png)  
此漏洞已提交edusrc，并且已修复

发表于 2021-07-15 11:51:55
阅读 ( 5367 )

2 条评论

十块修得同船渡 2022-03-04 18:46

这个f12大法，是否可以用jsfinder或burp插件代替？

Oldto 2022-04-22 15:06

任意文件上传，大师傅。