实战渗透教学：从备份文件扫描到Getshell<\/h1>

1. 信息收集与备份文件扫描<\/h2>

1.1 扫描策略<\/h3>

目标命名规则：子域名.主域名.com<\/code><\/li>

扫描文件规则：

子域名.zip<\/code> 或 子域名.rar<\/code><\/li>
abc.子域名.主域名.com<\/code> 对应 abc.zip<\/code> 或 abc.rar<\/code><\/li>
<\/ul>
<\/li>
使用工具：

自定义异步扫描工具（基于aiohttp, aiomysql）<\/li>
Kemoon师傅的snail2.0工具（针对.svn,.git,.rar,.zip泄露）<\/li>
<\/ul>
<\/li>
<\/ul>
1.2 识别备份文件<\/h3>
通过响应头中的Content-Type判断：<\/p>

RAR文件: application\/octet-stream<\/code><\/li>
ZIP文件: application\/x-zip-compressed<\/code><\/li>
<\/ul>
2. 源代码审计<\/h2>
2.1 系统架构分析<\/h3>

中间件: Tomcat<\/li>
开发框架: Spring MVC<\/li>
数据库: Oracle<\/li>
默认凭证: System\/****2020<\/li>
<\/ul>
2.2 安全控制分析<\/h3>

web.xml<\/code>配置了登录过滤器<\/li>
除\/images\/<\/code>, \/scripts\/<\/code>, \/css\/<\/code>目录外，其他访问都会重定向到\/login.jsp<\/code><\/li>
未发现敏感操作的Servlet地址<\/li>
<\/ul>
3. 认证绕过<\/h2>
3.1 默认凭证利用<\/h3>

使用FOFA搜索同系统站点<\/li>
测试默认凭证System\/****2020<\/code><\/li>
成功登录后获得系统管理员权限<\/li>
<\/ul>
3.2 SSO控制器漏洞<\/h3>
发现SSOcontroller<\/code>中\/CSS<\/code>开头的路由地址存在认证问题：<\/p>
@RequestMapping<\/span>(<\/span>method =<\/span> {<\/span>RequestMethod.<\/span>GET<\/span>},<\/span> value =<\/span> {<\/span>"\/CSS\/sso"<\/span>})<\/span>
<\/span><\/span>public<\/span> ModelAndView sso<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> String xxx)<\/span> {<\/span>
<\/span><\/span>    \/\/ 认证逻辑
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>认证流程分析：<\/p>

检查Referer头：
String referer =<\/span> request.<\/span>getHeader<\/span>(<\/span>"REFERER"<\/span>);<\/span>
<\/span><\/span>if<\/span> (<\/span>referer ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>    \/\/ 跳转错误页面
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
检查非admin账户：
if<\/span> (<\/span>"admin"<\/span>.<\/span>equals<\/span>(<\/span>xxx))<\/span> {<\/span>
<\/span><\/span>    \/\/ 跳转错误页面
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
用户存在性检查：
User dbUser =<\/span> this<\/span>.<\/span>userService<\/span>.<\/span>getUserByUserID<\/span>(<\/span>xxx);<\/span>
<\/span><\/span>if<\/span> (<\/span>dbUser ==<\/span> null<\/span> ||<\/span> dbUser.<\/span>getLocked<\/span>().<\/span>intValue<\/span>()<\/span> ==<\/span> 1<\/span>)<\/span> {<\/span>
<\/span><\/span>    \/\/ 错误处理
<\/span><\/span><\/span><\/span>}<\/span> else<\/span> {<\/span>
<\/span><\/span>    \/\/ 直接登录
<\/span><\/span><\/span><\/span>    mav =<\/span> this<\/span>.<\/span>userLoginController<\/span>.<\/span>login<\/span>(<\/span>request,<\/span> dbUser,<\/span> "1"<\/span>);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
利用方法：<\/p>

构造请求头Referer: 任意值<\/code><\/li>
爆破有效用户名（非admin账户）<\/li>
直接登录无需密码<\/li>
<\/ul>
4. 文件上传漏洞<\/h2>
4.1 漏洞代码分析<\/h3>
String type =<\/span> matUrl.<\/span>getOriginalFilename<\/span>().<\/span>substring<\/span>(<\/span>matUrl.<\/span>getOriginalFilename<\/span>().<\/span>lastIndexOf<\/span>(<\/span>"."<\/span>));<\/span>
<\/span><\/span>String OriginalFilename =<\/span> matUrl.<\/span>getOriginalFilename<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span> matUrl.<\/span>getOriginalFilename<\/span>().<\/span>lastIndexOf<\/span>(<\/span>"."<\/span>));<\/span>
<\/span><\/span>String saveName =<\/span> System.<\/span>currentTimeMillis<\/span>()<\/span> +<\/span> type;<\/span>
<\/span><\/span>String saveName2 =<\/span> OriginalFilename +<\/span> type;<\/span>
<\/span><\/span>String contextPath =<\/span> request.<\/span>getSession<\/span>().<\/span>getServletContext<\/span>().<\/span>getRealPath<\/span>(<\/span>"\/upload"<\/span>);<\/span>
<\/span><\/span>File savefile =<\/span> new<\/span> File(<\/span>contextPath +<\/span> "\/"<\/span> +<\/span> saveName);<\/span>
<\/span><\/span>\/\/ 文件保存逻辑...
<\/span><\/span><\/span><\/code><\/pre>漏洞点：<\/p>

未对文件扩展名进行校验<\/li>
直接拼接用户控制的文件名和扩展名<\/li>
最终保存为时间戳+原始扩展名的形式<\/li>
<\/ul>
4.2 利用方法<\/h3>

构造上传表单：
<form<\/span> action<\/span>=<\/span>"漏洞URL"<\/span> method<\/span>=<\/span>"post"<\/span> enctype<\/span>=<\/span>"multipart\/form-data"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"file"<\/span> name<\/span>=<\/span>"Filedata"<\/span>\/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"submit"<\/span> value<\/span>=<\/span>"提交"<\/span>\/>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/code><\/pre><\/li>
上传JSP webshell：
<%String name = "yuanhai";%>
<h1>hello<%=name%><\/h1>
<\/code><\/pre>
<\/li>
访问上传的文件（需携带有效会话Cookie）<\/li>
<\/ol>
5. 批量利用与评分<\/h2>
5.1 批量利用策略<\/h3>

使用FOFA搜索同系统站点（案例中发现79个站点）<\/li>
自动化测试SSO认证漏洞<\/li>
自动化上传webshell<\/li>
<\/ul>
5.2 评分计算<\/h3>

每个站点提交可获得3-6分<\/li>
79个站点总计可获得246分（教育SRC平台）<\/li>
<\/ul>
6. 防御建议<\/h2>
6.1 针对备份文件泄露<\/h3>

禁止在web目录存放源代码压缩包<\/li>
使用.gitignore等机制排除敏感文件<\/li>
定期检查web目录文件权限<\/li>
<\/ul>
6.2 针对认证漏洞<\/h3>

禁用或修改所有默认凭证<\/li>
实现强密码策略<\/li>
对SSO接口增加二次验证<\/li>
<\/ul>
6.3 针对文件上传漏洞<\/h3>

实施严格的白名单校验<\/li>
对上传文件重命名（不使用用户输入）<\/li>
限制上传目录的执行权限<\/li>
对上传内容进行安全检查<\/li>
<\/ul>
7. 工具与资源<\/h2>

自定义备份文件扫描工具（即将开源）<\/li>
snail2.0信息泄露扫描工具：https:\/\/github.com\/lakemoon602\/snail2.0<\/li>
FOFA搜索引擎：https:\/\/fofa.info\/<\/li>
教育SRC平台：https:\/\/src.sjtu.edu.cn\/<\/li>
<\/ul>

实战渗透教学：从备份文件扫描到Getshell<\/h1>

1. 信息收集与备份文件扫描<\/h2>

2. 源代码审计<\/h2>

3. 认证绕过<\/h2>

4. 文件上传漏洞<\/h2>

5. 批量利用与评分<\/h2>

6. 防御建议<\/h2>

7. 工具与资源<\/h2> 自定义备份文件扫描工具（即将开源）<\/li> snail2.0信息泄露扫描工具：https:\/\/github.com\/lakemoon602\/snail2.0<\/li> FOFA搜索引擎：https:\/\/fofa.info\/<\/li> 教育SRC平台：https:\/\/src.sjtu.edu.cn\/<\/li> <\/ul>

7. 工具与资源<\/h2>

自定义备份文件扫描工具（即将开源）<\/li>
snail2.0信息泄露扫描工具：https:\/\/github.com\/lakemoon602\/snail2.0<\/li>
FOFA搜索引擎：https:\/\/fofa.info\/<\/li>
教育SRC平台：https:\/\/src.sjtu.edu.cn\/<\/li> <\/ul>