
WebLogic deserialization vulnerability causes getshell

2025-02-27 Update. From: SLTechnology News&Howtos (shulou), Network Security

Shulou (Shulou.com) 06/01 Report

This article walks through a workflow we commonly use when testing a host (liveness check, port scan, selecting a web port, targeted web attack), focusing on the experience and techniques involved in finding a vulnerability, exploiting it, and obtaining an upload location. Put simply, it records the whole process against one host. If anything is unreasonable or wrong, please point it out. Thank you!

1.1 Host liveness check

When we are given a host IP, we first check whether it is alive. The easiest way is the ping command, but if the host blocks ping, we could draw the wrong conclusion, so we confirm liveness again with nmap (command format: nmap -sn [ip]).

Using the ping command, as shown in figure 1, we can determine that the host is alive.

Fig. 1 host liveness check

1.2 Port scan

Having confirmed that the host is alive, the next step is to scan its ports to see which ones are open. Tools such as nmap and Yujian (御剑) can be used for port scanning. I find nmap very slow for scanning all ports (perhaps my bandwidth is poor), so I almost always use Yujian; however, Yujian's service identification is not as good as nmap's, so it depends on the situation. In host testing we mainly scan control ports and web ports. For control ports we mainly use brute-force tools to look for weak passwords; with luck you may directly obtain control of the server. I have never been that lucky, so this article focuses on attacking web ports. In addition, we can use nmap to check the host for known vulnerabilities (command format: nmap --script=vuln [ip]); with luck it directly reports a remote command execution vulnerability, which can then be exploited with, but not limited to, Metasploit.

As shown in figure 2, port scanning found that the host has the following ports open. I generally pick the ports marked with the -> symbol; most of these are web ports (personal experience, for reference only). That leaves us two ports. We arbitrarily choose 8008 to attack (only later did we find that both ports have the same vulnerability).

Figure 2 Port scan

1.3 Get basic server information

There are many ways to get basic server information; this time we use nc. The method: run nc [ip] [port], then enter an HTTP request such as HEAD / HTTP/1.0 and press Enter, and the server echoes its basic information; if there is no echo, change 1.0 to 1.1 and try again. As shown in figure 3, the site uses JSP scripts and there is also a servlet, so the site is mainly developed in Java. (If you encounter this situation later, verify with a deserialization tool first.)

Figure 3 get the basic information of the server

1.4 WVS web vulnerability scanning

Although the HTTP response code is 404, it is still worth scanning to see whether directories and other related information can be found.

Fig. 4 HTTP response code 404

WVS is an automated web application security testing tool that scans websites and applications that can be accessed through a web browser over HTTP or HTTPS. With WVS you can scan for SQL injection, XSS, directory enumeration, version detection, source code disclosure, and many other vulnerabilities.

From the WVS scan, as shown in figure 5, we can see that the site is Oracle WebLogic Server and that it has a WebLogic SSRF vulnerability. Because I really am a rookie, I can only use it to probe internal network ports and cannot get a reverse shell; if any passing expert knows how to use the WebLogic SSRF to get a reverse shell, please advise. So, since the site is built on WebLogic and Java (as judged above), use the Java deserialization tool to check whether that vulnerability exists.

Figure 5 WVS scan results

1.5 Discovery of the WebLogic deserialization vulnerability

Verified with the Java deserialization vulnerability exploitation tool, as shown in figure 6: the vulnerability exists, and we learn the current user, the user's current directory, and other information.

Figure 6 verifying that the vulnerability exists

1.6 Upload a webshell

The vulnerability exists and can be exploited. Through it we can execute commands, manage files, and upload a webshell. Let's choose webshell upload (to make more work for ourselves), but for the upload we need a path that is reachable over the web, as shown in figure 7. Where do we find that path?

Figure 7 a physical path is required for upload

1.7 Find the web path

Through WVS we can get the relevant paths, as shown in figure 8, but we need an absolute path. We picked one of them and used locate to look it up, but there were too many results to tell which one was right, as shown in figure 9.

Figure 8 directories found by the scan

Figure 9 the specific directory cannot be determined

Is that the end? Of course not. As I said in the previous article, we can look at the properties of the images on the page and use them to find the web path. By reviewing the source with F12 (the browser developer tools), we obtain the paths of the relevant images, as shown in figures 10 and 11; here we choose the image path of figure 11 (because the only directory my earlier directory scan found was console, as shown in figure 12).

Figure 10 web path 1

Figure 11 web path 2

Figure 12 Directory scan

1.8 Find the absolute path

With the image name and its directory, we run locate [image name], as shown in figure 13. By comparing the results, the absolute path is obtained (the second one in the figure).

Figure 13 get the absolute path

1.9 Upload the webshell

With the absolute path and the web path, we can upload a webshell. We first try a small webshell (小马; I forgot the screenshot, see the upload of the large webshell below), but we cannot connect to it, and an AV-evading small webshell does not work either. As shown in figure 14, the server returns a 500 error. Isn't there a ready-made k200pxd shell on K8, as shown in figure 15? We try uploading it and it succeeds, as in figure 16: the k200pxd shell connects! But it is very inconvenient to operate. Perhaps my brain was temporarily switched off: if the small webshell cannot be used, why not upload the large webshell (大马) instead of insisting on China Chopper (中国菜刀, too patriotic)? Truly a case of dropping the watermelon to pick up a sesame seed.

Fig. 14 small webshell connection failure

Figure 15 obtaining the k200pxd shell code

Figure 16 k200pxd shell connected successfully

1.10 Webshell obtained successfully

Try uploading the large webshell again via the physical path and web path obtained above. As shown in figure 17, the upload succeeds, and accessing the large webshell also succeeds, as shown in figure 18.

Figure 17 large webshell uploaded successfully

Figure 18 large webshell connected successfully

1.11 Summary

In this engagement we mainly used the WebLogic deserialization vulnerability to obtain a webshell, but the uploaded webshell has to be reachable, so we need both the web path and the physical path that corresponds to it. To obtain the web path we can scan directories to see whether it can be found and check the page source for relevant information; other means, such as paths disclosed in error messages, also exist. The main point of this article is finding the correspondence using the attributes of the images on the page combined with the locate command.

In addition, during the small-webshell upload I kept failing: although the small webshell uploaded successfully (you can confirm the file in the corresponding directory with ls), I could not access it, it always returned 500 errors and China Chopper could not connect, so I thought of uploading the k200pxd shell (if I had run into this before, I could have uploaded the k200pxd shell straight away). That succeeded. Perhaps it was fixed thinking: on finding that the small webshell could not be used, I never at first thought of uploading the large webshell. After connecting to the k200pxd shell I did not like operating it, so I thought of trying the large webshell, and finally uploaded it successfully!
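From the defender's side, the upload step described above leaves a recognisable trace in the web server access log: a .jsp file appearing under a static-content directory such as /console/images/ and being requested, first with 500 errors and then with POSTs. The following Python script is an added example, not part of the original article or any tool it mentions; it parses constructed combined-format access-log lines and flags such requests. The static directory list and the sample log lines are assumptions.

```python
import re

# Constructed sample access-log lines (combined-style format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2020:10:01:02 +0800] "GET /console/images/logo.png HTTP/1.1" 200 4512
10.0.0.5 - - [01/Jun/2020:10:01:03 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 8812
10.0.0.9 - - [01/Jun/2020:10:05:40 +0800] "GET /console/images/pony.jsp HTTP/1.1" 500 0
10.0.0.9 - - [01/Jun/2020:10:06:10 +0800] "POST /console/images/k8.jsp HTTP/1.1" 200 120
10.0.0.9 - - [01/Jun/2020:10:06:11 +0800] "POST /console/images/k8.jsp?action=ls HTTP/1.1" 200 9833
"""

# Directories that should only ever serve static content (assumption; tune per deployment).
STATIC_DIRS = ("/images/", "/img/", "/css/", "/js/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Flag requests for server-side scripts living under static-content directories.

    Each finding is a dict with ip, ts, method, path, status, size and reason.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop the query string so "?action=ls" cannot hide the extension.
        script = rec["path"].split("?", 1)[0].lower()
        if not script.endswith((".jsp", ".jspx")):
            continue
        if any(d in script for d in STATIC_DIRS):
            reason = "JSP under static directory"
            if rec["method"] == "POST":
                reason += " (POST: possible webshell command)"
            findings.append({**rec, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']}: {f['reason']}")
```

Pairing this with a file-integrity check of the web root (a new .jsp under an image directory) turns the same observation into a host-side alert.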
