Command execution on a Yunda Express site leads straight into the intranet
程序员文章站
2022-07-08 18:34:55
Haven't posted in a while.
Vulnerable site:
http://soa.dongputech.com:7010/
It has a WebLogic deserialization vulnerability.
cat /usr/local/nginx/conf/nginx.conf
worker_processes 4;
google_perftools_profiles /tmp/tcmalloc;

events {
    worker_connections 8192;
}

http {
    # 1 ip
    geo $limited {
        default 1;
        127.0.0.1/32 0;
        10.0.0.0/16 0;
        10.3.0.0/16 0;
        10.4.0.0/16 0;
        10.10.0.0/16 0;
        192.168.1.0/24 0;
        192.168.105.0/24 0;
        58.40.18.71/32 0;
        218.83.242.38/32 0;
        116.228.72.131 0;
        222.72.45.34 0;
        211.103.142.2/32 0;
    }
    map $limited $limit {
        1 $binary_remote_addr;
        0 "";
    }
    limit_req_zone $limit zone=one:10m rate=300r/m;
    limit_req zone=one burst=20;

    # 2 config
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server_tokens off;

    # 3 zip
    gzip on;
    gzip_min_length 4096;
    gzip_buffers 4 8k;
    gzip_types text/* text/css application/javascript application/x-javascript;
    gzip_comp_level 1;
    gzip_vary on;
    gzip_http_version 1.1;

    # 4 server
    server {
        listen 11113;
        server_name localhost;
        root /yd;
        access_log /dev/null;
        error_log /dev/null;
        index index.php;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # 5 filter
        if ($request_uri ~* "(cost\()|(concat\()") { return 404; }
        if ($request_uri ~* "[+|(%20)]union[+|(%20)]") { return 404; }
        if ($request_uri ~* "[+|(%20)]and[+|(%20)]") { return 404; }
        if ($request_uri ~* "[+|(%20)]select[+|(%20)]") { return 404; }
        if ( $query_string ~* ".*[\;'\<\>].*" ){ return 404; }

        # 6 match
        location ~ \.jsp$ {
            proxy_set_header Host $host:11113;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:7001;
        }
        location ~ \.(js|htm|html|xml|txt|jpg|gif|png|css|ico|xsl|swf|zip|exe|doc|docx|xls|xlsx)$ {
            expires 1h;
        }

        # 7 status
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 10.0.2.0/24;
            deny all;
        }
    }
}
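To make the coverage of the five `if` rules in the "# 5 filter" section concrete, here is an added example (my own code, not from the original report or from the site's operators) that transcribes those rules verbatim into Python and runs them over constructed requests against a hypothetical /demo.jsp path. It shows two things a practitioner should note: `[+|(%20)]` is a character class matching any single one of `+ | ( % 2 0 )`, not the alternation "plus sign or %20" its author evidently intended, so a tab or `/**/` separator walks past it; and the rules read only $request_uri and $query_string, so anything carried in a POST body, including the serialized payload used against the WebLogic deserialization flaw reported above, is never inspected by them at all.

```python
import re

# The five `if` rules from the nginx.conf above, copied verbatim as regexes.
# nginx `~*` is a case-insensitive, unanchored PCRE match, so re.search with
# re.IGNORECASE reproduces the same verdicts.
REQUEST_URI_RULES = [
    r"(cost\()|(concat\()",
    r"[+|(%20)]union[+|(%20)]",   # [+|(%20)] is a character CLASS, not "+ or %20"
    r"[+|(%20)]and[+|(%20)]",
    r"[+|(%20)]select[+|(%20)]",
]
QUERY_STRING_RULE = r".*[\;'\<\>].*"

_URI_RES = [re.compile(p, re.IGNORECASE) for p in REQUEST_URI_RULES]
_QS_RE = re.compile(QUERY_STRING_RULE, re.IGNORECASE)


def nginx_filter_blocks(request_uri: str, body: str = "") -> bool:
    """Return True if the server-level `if` rules would answer 404.

    `request_uri` plays the role of nginx's $request_uri: the raw, still
    percent-encoded path plus query string from the request line. `body` is
    accepted only to make the point explicit: none of the rules reference it,
    because $request_uri and $query_string never contain the request body.
    """
    del body  # deliberately unused: the nginx rules cannot see it
    if any(r.search(request_uri) for r in _URI_RES):
        return True
    # $query_string is everything after the first '?', or empty.
    query_string = request_uri.split("?", 1)[1] if "?" in request_uri else ""
    return bool(_QS_RE.search(query_string))


def evaluate(samples):
    """Map each constructed (request_uri, body) pair to the rule verdict."""
    return {uri: nginx_filter_blocks(uri, body) for uri, body in samples}


# Constructed requests (not captured traffic) against a hypothetical /demo.jsp
# that would be proxied to the WebLogic instance on 127.0.0.1:7001.
SAMPLES = [
    ("/demo.jsp?id=1+union+select+1", ""),            # '+' is in the class -> 404
    ("/demo.jsp?id=1%20union%20select%201", ""),      # '0' and '%' happen to be in the class -> 404
    ("/demo.jsp?id=(union)", ""),                     # '(' and ')' are in the class -> 404
    ("/demo.jsp?id=concat(1,2)", ""),                 # explicit concat( rule -> 404
    ("/demo.jsp?id=1'", ""),                          # quote in $query_string -> 404
    ("/demo.jsp?id=1%09union%09select%091", ""),      # tab separator: '9' is not in the class -> passes
    ("/demo.jsp?id=1/**/union/**/select/**/1", ""),   # comment separators -> passes
    ("/demo.jsp", "id=1'+union+select+1"),            # same payload in a POST body -> passes
]

if __name__ == "__main__":
    for uri, blocked in evaluate(SAMPLES).items():
        print(f"{'404' if blocked else 'pass':4} {uri}")
```

The last three samples are the ones that matter: the rules are a request-line keyword blacklist, so they neither protect the upstream on port 7001 from a request body nor have any bearing on the deserialization path that gave command execution here.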
The system has nmap installed, so scanning can be done directly from the box. Setting up a SOCKS proxy would allow further penetration into the intranet; I won't go any deeper.
Fix:
Developers know what to do.