esc0rp 发表于 2024-10-10 03:36:01

实战 | 记一次Fastadmin后台getshell的渗透记录


    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_gif/3xxicXNlTXLicwgPqvK8QgwnCr09iaSllrsXJLMkThiaHibEntZKkJiaicEd4ibWQxyn3gtAWbyGqtHVb0qqsHFC9jW3oQ/640?wx_fmt=gif&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">文案</span>作者&nbsp;:</strong><span style="color: black;"><strong style="color: blue;">小九</strong></span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">文案</span><span style="color: black;">源自</span> :</strong><span style="color: black;"><strong style="color: blue;">war9.cn</strong></span></p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;"><span style="color: black;">1.信息搜集</span></strong></h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">先来<span style="color: black;">瞧瞧</span><span style="color: black;">目的</span>站点的<span style="color: black;">各样</span>信息</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERP7FDr4uydVdOP7kWEYN6Wbl7bzib8Y0k2ibr1o6quZ7q2hIqe3QMVaWyA/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">后端PHP,前端<span style="color: black;">运用</span>layui,路由URL规则看起来像ThinkPHP,那自然想到的是ThinkPHP<span style="color: black;">哪些</span>年爆发的命令执行了,准备一把梭!然而,尝试了一番,并<span style="color: black;">无</span>历史漏洞。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">那接着继续信息搜集,<span style="color: black;">这儿</span><span style="color: black;">首要</span><span style="color: black;">运用</span>的是Tide团队的潮汐在线指纹识别,看了下子域名和旁站信息,资产还不少。PS:项目关系,<span style="color: black;">这儿</span>截图只截图部分。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">这儿</span><span style="color: black;">剧烈</span>安利一下潮汐,虽然<span style="color: black;">日前</span>指纹识别方面指纹库不是很全,但其集<span style="color: black;">成为了</span>域名信息、子域名、旁站、C段等功能,加上是SaaS的模式不会被封IP,<span style="color: black;">因此呢</span>在信息搜集初步<span style="color: black;">周期</span>是神兵利器。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPp1alMBcec3k8t9pgBpTTWAUUqeNHneBKRrFOulaHoPI04xgKRAY1LA/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">扫描出的信息,含有<span style="color: black;">海量</span>登录窗口且界面UI都很类似,应该是同一家外包<span style="color: black;">机构</span>的<span style="color: black;">制品</span>,源码应该<span style="color: black;">亦</span>类似。在查看子域名以及旁站资产的时候,<span style="color: black;">发掘</span>了关键信息。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPwOG59DjkvTjicaXq578Q9hKZmoBzkmMEp8oN5icObeM7QyC6ATibDEKrg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">总结 :至此初步信息搜集结束,拿到的信息有ThinkPHP、FastAdmin、宝塔、外包<span style="color: black;">机构</span>、子域名、C段信息等</span></p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;"><span style="color: black;">2.<span style="color: black;">平常</span>漏洞利用</span></strong></h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">宝塔和FastAdmin,<span style="color: black;">首要</span>FastAdmin印证了是ThinkPHP的猜测,有宝塔<span style="color: black;">能够</span>尝试利用宝塔的phpmyAdmin未授权<span style="color: black;">拜访</span>漏洞进行利用。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">7.4.2(Linux)、7.5.13(Linux)版本的宝塔面板存在未授权<span style="color: black;">拜访</span>phpmyAdmin的漏洞,<span style="color: black;">经过</span><span style="color: black;">拜访</span>ip:888/pma则可无需任何登录操作直接进入phpmyAdmin</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">拜访</span>宝塔<span style="color: black;">无</span>响应,<span style="color: black;">因此呢</span>将重点放在了FastAdmin上面,FastAdmin在2020年有一个前台Getshell漏洞,漏洞分析可参见http://www.cnpanda.net/codeaudit/777.html,该漏洞利用时,需要<span style="color: black;">目的</span>站点开启注册和前台登录功能。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">拜访</span>FastAdmin站点,眼前一亮,祖师爷赏饭吃啊,基本是默认的FastAdmin Demo页面,开启了注册。于是上传<span style="color: black;">照片</span>马,<span style="color: black;">拜访</span>/fastadmin/public/index/user/_empty?name=../../public/uploads/20210116/4a91d432904c0042bcd038ea96ad4947.jpg,emm,当时僵硬了0.5秒,<span style="color: black;">拜访</span>后并不是自己的小马,而是DEBUG页面,这站居然是调试模式。。。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">虽然FastAdmin的漏洞没利用成功,<span style="color: black;">然则</span><span style="color: black;">按照</span>DEBUG页面拿到了数据库的连接信息。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPicnNXiagDQSEDG4gIT44PRwVrT0nKZ6zde9iauMmgWnTqdwaeyk6QXeow/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">总结:<span style="color: black;">咱们</span>依据信息搜集到的内容,对<span style="color: black;">平常</span>的漏洞进行了利用尝试,<span style="color: black;">最后</span>虽然<span style="color: black;">无</span>利用成功的历史漏洞,但依据DEBUG信息拿到了一台RDS数据库的权限。</span></p>
    <h2 style="color: black; text-align: left; margin-bottom: 10px;"><span style="color: black;"><strong style="color: blue;">3.权限放大</strong></span></h2>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">拿到的数据库为阿里云RDS,<span style="color: black;">运用</span>Navicat连接数据库,查看admin表,系统<span style="color: black;">持有</span>两个admin账户,表中含有<span style="color: black;">秘码</span>和盐字段。<span style="color: black;">这儿</span>百度了一下FastAdmin忘记<span style="color: black;">秘码</span>,<span style="color: black;">按照</span>帖子内容添加了一个账户。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://ask.fastadmin.net/article/43.html</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">数据库修改fa_admin表的两个字段</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">秘码</span>(password):c13f62012fd6a8fdf06b3452a94430e5</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">秘码</span>盐(salt):rpR6Bv</p>登录<span style="color: black;">秘码</span>是&nbsp;123456
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPc1NVWhHiamKHKYEwe7DvjJmlCtZQWNqDp3H2do7mpATAphd9nthBUUQ/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">运用</span>添加的账号登录后,<span style="color: black;">发掘</span><span style="color: black;">无</span>权限<span style="color: black;">拜访</span>后台</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPWmLBF3RGkWoC5HicXMShibbXpOfqDicRjWkCM7ueHtMUvITEmNTylQx4g/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">这儿</span><span style="color: black;">无</span>提示账号<span style="color: black;">秘码</span>错误,添加账户应该是成功了,于是翻看数据库,看有<span style="color: black;">无</span>权限表之类的。找到了三个关键的表信息,auth_group,auth_group_access,auth_rule</p>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPXuMCQibVHicgxdLTdEBUy38CB9A6qGBP34YwPdohyEN99S8Im27uxuLw/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">于是将添加的用户添加到admin分组内,成功登录,至此看到了后台界面全貌。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPrT7hlUkGFLbz29vniaWEgKMicOBsKicHHAkrgYDc1ickic37lMppe8QrbQA/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">FastAdmin后台<span style="color: black;">供给</span>了插件管理的功能,<span style="color: black;">能够</span><span style="color: black;">经过</span>安装文件管理插件进行Getshell。官方商店的文件管理需要收费,<span style="color: black;">另一</span>之前一个免费的插件<span style="color: black;">亦</span>被下架了,还好在Github找到了此插件的源码。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://github.com/WenchaoLin/Filex&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; FastAdmin文件管理插件</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">下载Zip后,在站点=&gt;插件管理=&gt;离线安装安装刚才下载的插件,上传马儿,成功GetShell。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPDBWZoKJYGVeSYW5ooKic00Dy7rcvjCcYP5MJduCZcWOd1icKkjbW0ZLw/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">拿到shell后先不急着高兴,先<span style="color: black;">瞧瞧</span>能<span style="color: black;">不可</span>旁站跨过去,还是经典的祖师爷赏饭,shell虽然是www用户,<span style="color: black;">然则</span>权限还挺高,<span style="color: black;">能够</span>跨目录。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERP0YA5K244U0bpCAO89aGc97GibibrDia33vMicvevgf2d7p6S11OHTkBsYQ/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">接着查看一波<span style="color: black;">咱们</span>本来的<span style="color: black;">目的</span>,<span style="color: black;">经过</span>站点源码,将数据库信息做一个整理,<span style="color: black;">而后</span>重复前面的操作。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">这儿</span>站点的数据库不对外开放,监听的本地端口,<span style="color: black;">因此呢</span>利用哥斯拉的数据库管理功能,连接<span style="color: black;">目的</span>数据库,添加管理员账户。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">这儿</span>有个小插曲,翻看<span style="color: black;">目的</span>站点源码<span style="color: black;">发掘</span><span style="color: black;">亦</span>是FastAdmin,<span style="color: black;">然则</span><span style="color: black;">经过</span>先前找的忘记<span style="color: black;">秘码</span><span style="color: black;">办法</span>添加上去,提示账号<span style="color: black;">秘码</span>错误。于是仔细看了下<span style="color: black;">目的</span>站点的源码,得知其认证方式为 md5(password+salt),和FastAdmin的认证加密方式并不<span style="color: black;">同样</span>,FastAdmin的认证方式为md5(md5(password)+salt);</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">FastAdmin的认证方式,<span style="color: black;">经过</span>GitHub文件找了一下。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://github.com/karsonzhang/fastadmin/blob/12a62eaa0512a48ad9e150261170fafa870c3084/application/admin/library/Auth.php#L39</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">目的</span>站点是Think PHP,<span style="color: black;">因此呢</span>在application//controller/Admin.php 就<span style="color: black;">能够</span>找到。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">接下来就简单了,php输出一个<span style="color: black;">秘码</span>为123456,salt为指定字符串的密文<span style="color: black;">就可</span>。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPiaEGDUMy161DlcvD6SqnDEuZY249Vdq1AWuzvb6ve7R4UONbOib16ncg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">之后<span style="color: black;">经过</span>哥斯拉,update一下之前创建的账号,将<span style="color: black;">秘码</span>更新为刚才输出的密文,成功登录。</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/Uq8Qfeuvou8U88mZx6taiaKfWwf45pERPSIvo88jD1GBalKib84GVwRDYuqBp8iaorjoHQlBThQ3DXEqYaHluTUlA/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">总结:<span style="color: black;">经过</span>旁站的数据库权限,成功拿到了<span style="color: black;">目的</span>服务器的后台系统权限。</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">整体渗透思路:</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">寻找后台认证加密方式=&gt;添加系统账户=&gt;GetShell=&gt;横向<span style="color: black;">目的</span>=&gt;寻找认证加密方式=&gt;添加系统账户。&nbsp;</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">另一</span><span style="color: black;">因为</span>各个站点之间<span style="color: black;">无</span>隔离,旁站的shell和<span style="color: black;">目的</span>站点的shell<span style="color: black;">无</span>差别,无需继续,至此渗透结束。</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">侵权请私聊公众号删文</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_jpg/3xxicXNlTXLicjiasf4mjVyxw4RbQt9odm9nxs9434icI9TG8AXHjS3Btc6nTWgSPGkvvXMb7jzFUTbWP7TKu6EJ6g/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/3xxicXNlTXLib0FWIDRa9Kwh52ibXkf9AAkntMYBpLvaibEiaVibzNO1jiaVV7eSibPuMU3mZfCK8fWz6LicAAzHOM8bZUw/640?wx_fmt=jpeg&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="data:image/svg+xml,%3C%3Fxml version=1.0 encoding=UTF-8%3F%3E%3Csvg width=1px height=1px viewBox=0 0 1 1 version=1.1 xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink%3E%3Ctitle%3E%3C/title%3E%3Cg stroke=none stroke-width=1 fill=none fill-rule=evenodd fill-opacity=0%3E%3Cg transform=translate(-249.000000, -126.000000) fill=%23FFFFFF%3E%3Crect x=249 y=126 width=1 height=1%3E%3C/rect%3E%3C/g%3E%3C/g%3E%3C/svg%3E" style="width: 50%; margin-bottom: 20px;"></p>




m5k1umn 发表于 4 天前

你的见解独到,让我受益匪浅,非常感谢。
页: [1]
查看完整版本: 实战 | 记一次Fastadmin后台getshell的渗透记录