admin posted on 2018-10-20 20:17:57

Breaking into a foreign website via a Linux local file inclusion vulnerability

<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Recently, while working on foreign websites, I found a site with a local file inclusion vulnerability. The target is: <a href="http://caricaturesbylori.com/index.php?page=index.php">http://caricaturesbylori.com/index.php?page=index.php</a>
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="357" src="https://www.2k8.org/content/uploadfile/201809/23/6f0aa78cce4244bda6f9259aa2d72d57.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Whoa! The page parameter includes a web page directly, so shouldn't we try to see whether an inclusion vulnerability exists?
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="553" height="301" src="https://www.2k8.org/content/uploadfile/201809/23/618b513d1e054c2088d28d9ea091de8f.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        The direct inclusion didn't succeed, so let's try triggering an error.
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="281" src="https://www.2k8.org/content/uploadfile/201809/23/573941da1630412b8b40f476c1ab4de4.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Haha, the physical path was leaked. Then I appended ../../../../etc/passwd and the inclusion succeeded right away.
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="288" src="https://www.2k8.org/content/uploadfile/201809/23/59d0019bd1d345f4840ca3b150d8bf39.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Haha, it seems the inclusion vulnerability really exists, so let's try including the environment variables file: http://caricaturesbylori.com/index.php?page=../../../../proc/self/environ
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="553" height="184" src="https://www.2k8.org/content/uploadfile/201809/23/5bd00d5b85de4711b88148f6b819c9d7.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        No permission. It looks like the method of writing a webshell by including the environment variables has failed, so what do we do now? The answer: mess around.
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        My idea was to look up the neighbouring sites on the same server and see whether any of them had an upload function, but after querying with a same-server lookup tool there was only one neighbouring site, it had no upload, and I couldn't leak its physical path either. At that point I thought of using Burp Suite to brute-force an LFI wordlist and see which files can actually be included. Let's start Burp Suite.
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="553" height="289" src="https://www.2k8.org/content/uploadfile/201809/23/7864e1b807664ea2aa12f255f867d528.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Then send it to Intruder,
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="294" src="https://www.2k8.org/content/uploadfile/201809/23/2444647e2ab94ccd846143dd0f1d6f9e.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Clear (clear the variables) and set the variables again
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="305" src="https://www.2k8.org/content/uploadfile/201809/23/7632329ae1c24987a4c499724d204320.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="286" src="https://www.2k8.org/content/uploadfile/201809/23/56bb4de45eb64867b034242cff56cc84.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        The brute-force got stuck here, haha, which means it has included the real log file. We stop it. From my earlier testing, Burp can display the correct result on a high-bandwidth connection of at least 50 MB, otherwise the website lags. Next we introduce another method: downloading the log file with Xunlei (Thunder) and viewing it. First we make the URL links for Xunlei to download, which needs some batch processing,
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
<img width="553" height="282" src="https://www.2k8.org/content/uploadfile/201809/23/8dcaba17619c4759999064157f7406a6.jpg" />
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Use a regex batch replace, replacing %00 with
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="553" height="281" src="https://www.2k8.org/content/uploadfile/201809/23/bf03ed6552904feaae7cf7e740fa2d56.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Now start the downloads with Xunlei
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="289" src="https://www.2k8.org/content/uploadfile/201809/23/f6a50892f07447baa4a0a17b05beb8b0.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Delete all the downloads that are the same size in KB; what's left is one of a few tens of MB. We drop it into an editor and take a look, as shown:
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="253" src="https://www.2k8.org/content/uploadfile/201809/23/72bda0231c254aa69dc3eaa372d79d64.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        I read an error log file; by the look of it this is a website on the same server. Scan it and find an upload location, as shown:
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="553" height="293" src="https://www.2k8.org/content/uploadfile/201809/23/fe51507625144d0d9091f14471b868ee.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="332" src="https://www.2k8.org/content/uploadfile/201809/23/3632fe452c97471587dbc962fbf54770.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Then upload an image containing a one-line trojan, as shown
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="294" src="https://www.2k8.org/content/uploadfile/201809/23/d83bf1a345a54bf6a3ba028b6d9f8d7e.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Next let's construct the inclusion URL
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <a href="http://caricaturesbylori.com/index.php?page=../../../../home/creative/public_html/xml/upfiles/zxh/new_name.jpeg">http://caricaturesbylori.com/index.php?page=../../../../home/creative/public_html/xml/upfiles/zxh/new_name.jpeg</a> (the home/creative/public_html/ directory is the physical path from the log file)
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        Now let's connect with China Chopper (caidao),
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        <img width="554" height="320" src="https://www.2k8.org/content/uploadfile/201809/23/53757f4a5157423496c614d027f8ac63.jpg" />&nbsp;
</p>
<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        OK, that's the end of the article. Thanks for reading. Original author: 酷帥王子
</p>
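<p style="margin:0pt 0pt 0.0001pt;text-align:justify;">
        As an added defender-side example (not part of the original post), the Python below scans an Apache-style access log for the request shapes this walkthrough relies on: directory traversal in the page parameter, a %00 null byte, /proc/self/environ, and inclusion of /etc/passwd or a web-server log, which also shows up as an abnormally large response. The log lines, log format and IP addresses are constructed assumptions.
</p>

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined style, assumption).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Oct/2018:20:17:57 +0000] "GET /index.php?page=index.php HTTP/1.1" 200 4213
203.0.113.5 - - [20/Oct/2018:20:18:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1847
203.0.113.5 - - [20/Oct/2018:20:18:10 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 403 312
203.0.113.5 - - [20/Oct/2018:20:19:30 +0000] "GET /index.php?page=..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Ferror.log%00 HTTP/1.1" 200 38144000
198.51.100.7 - - [20/Oct/2018:20:20:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 3980
"""

REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')

# Each indicator is checked against the URL-decoded parameter value.
INDICATORS = {
    "traversal": re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)"),
    "null_byte": re.compile(r"\x00"),           # %00 truncation of an appended suffix
    "proc_self": re.compile(r"/proc/self/"),    # environ, fd/N, cmdline ...
    "sensitive_file": re.compile(r"/etc/(?:passwd|shadow)|/var/log/"),
}
LARGE_RESPONSE = 1_000_000  # a served log file is far bigger than a normal page

def normalise(value):
    # Decode twice so double-encoded ../ and %2500 null bytes are still caught.
    return unquote(unquote(value))

def classify_line(line):
    """Return a dict with the request fields and the indicator hits, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, ts, target, status, size = m.groups()
    hits = []
    if "?" in target:
        for param in target.split("?", 1)[1].split("&"):
            name, _, value = param.partition("=")
            decoded = normalise(value)
            hits += [(name, tag) for tag, rx in INDICATORS.items() if rx.search(decoded)]
    if hits and int(size) > LARGE_RESPONSE:
        hits.append(("response", "large_body"))
    return {"src": src, "ts": ts, "status": int(status), "size": int(size), "hits": hits}

def scan_log(text):
    """Return only the parsed lines that carry at least one LFI indicator."""
    rows = (classify_line(l) for l in text.splitlines())
    return [r for r in rows if r and r["hits"]]

def suspicious_sources(findings):
    return sorted({f["src"] for f in findings})

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["src"], f["ts"], f["status"], f["hits"])
```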