201x年1x月2x日,我们团队在一次信息安全的决赛中,拿下了一台Windows+wamp的主机。但是该主机在php.ini中限制了所有跟执行有关的函数,如system, popen等,因此,无法使用webshell正常运行系统命令,更无法运行上传的后门。而题目中有一个得分点是得到服务器中安装的360杀毒中白名单文件名。该服务器的远程桌面是打开的但是端口是在1433监听的(默认应为3389)。我们的扫描器在扫描时没有打开协议枚举
# nmap -A
因此我们对1433端口判断错误。于是思路转为绕过PHP系统执行限制(本题目的官方思路应为使用webshell拿下SAM文件,然后gethash后字典破解,使用mstsc远程进入桌面)。
在exploit-db中发现一个php5.x通过shellshock漏洞绕过函数限制的利用
# searchsploit php bypass ... PHP 5.x Shellshock Exploit (bypass disable_f | /php/webapps/35146.txt
但是此漏洞仅能从Linux服务器上成功执行。我们在这里卡住了。
后来猛然想起Apache无论是在Wamp中还是在Linux发行版中,CGI程序执行默认都是打开的!于是上传后门和利用脚本到cgi-bin中:
start backdoor.exe echo Started...
然后在浏览器中访问http://xxx.xxx.xxx.xxx/cgi-bin/start.bat,等待片刻,目标机器成功上线。
附上WAMP2.4版默认apache配置文件片段
#LoadModule cache_module modules/mod_cache.so #LoadModule cache_disk_module modules/mod_cache_disk.so #LoadModule cern_meta_module modules/mod_cern_meta.so LoadModule cgi_module modules/mod_cgi.so #LoadModule charset_lite_module modules/mod_charset_lite.so #LoadModule data_module modules/mod_data.so #LoadModule dav_module modules/mod_dav.so #LoadModule dav_fs_module modules/mod_dav_fs.so ... <IfModule alias_module> # # Redirect: Allows you to tell clients about documents that used to # exist in your server's namespace, but do not anymore. The client # will make a new request for the document at its new location. # Example: # Redirect permanent /foo http://www.example.com/bar # # Alias: Maps web paths into filesystem paths and is used to # access content that does not live under the DocumentRoot. # Example: # Alias /webpath /full/filesystem/path # # If you include a trailing / on /webpath then the server will # require it to be present in the URL. You will also likely # need to provide a <Directory> section to allow access to # the filesystem path. # # ScriptAlias: This controls which directories contain server scripts. # ScriptAliases are essentially the same as Aliases, except that # documents in the target directory are treated as applications and # run by the server when requested rather than as documents sent to the # client. The same rules about trailing "/" apply to ScriptAlias # directives as to Alias. # ScriptAlias /cgi-bin/ "F:/WampServer/cgi-bin/" </IfModule> <IfModule cgid_module> # # ScriptSock: On threaded servers, designate the path to the UNIX # socket used to communicate with the CGI daemon of mod_cgid. # #Scriptsock cgisock </IfModule>
推荐设置:
如非必要请关闭cgi扩展
通过.htaccess限制可以执行的文件名
(linux)限制文件权限