卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

卡卡罗特先生 2019年6月27日16:49:53 评论 300

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

一、事件背景:

网站还没有建设完成,就被土耳其黑客组织盯上了。看了一下,是57.alay组织,大概查了一下:

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴
卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

大概属于土耳其的一波人干的事。简单看了一下,使笔者有了分析的欲望。简单分析了整个被黑的流程,发现暂未公布的wordpress 的一个新姿势,在此分享给各位看客。为了理清土耳其黑客的姿势,在介绍前,笔者先介绍一下(CVE-2018-6389)这个去年的没有被wordpress官方承认的鸡肋漏洞。

漏洞发现者首次公布地址:baraktawily.blogspot.com

二、(CVE-2018-638)漏洞背景介绍:

拒绝服务攻击(英语:denial-of-service attack,缩写DoS attackDoS)亦称洪水攻击,是一种网络攻击手法,其目的在于使目标电脑的网络系统资源耗尽,使服务暂时中断或停止,导致其正常用户无法访问。

黑客使用网络上两个或以上被攻陷的电脑作为“僵尸”向特定的目标发动“拒绝服务”式攻击时,称为分布式拒绝服务攻击(distributed denial-of-service attack,缩写DDoS attackDDoS)。据2014年统计,被确认为大规模DDoS的攻击已达平均每小时28次。[1]DDoS发起者一般针对重要服务和知名网站进行攻击,如银行、信用卡支付网关、甚至根域名服务器等。

WordPress当中存在一个load-scripts.php,这个文件中存在着以下语句:

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

其中,$wp_scripts是调用WordPress内建JS模块的方式。这些模块被统一存放在/wp-includes/script-loader.php里面。打开这个文件给你们看一下是有多么壮观:

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

总共有180个(显示181的其中一个是注释中的,写明了调用方式)模块。这个模块名单是如此之长以至于我都不想再放上来增加文章长度。

那么,如果构造一个请求,让服务器加载所有模块的话。

理论上是可行的,对吧!(突然兴奋.jpg)

所以这个攻击异常的暴力+没有技术含量,就能用2.6KB的请求炸出服务器4MB的回复。

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

使用PoC进行攻击演示:

依靠已安装的插件和模块,load-scripts.php文件可以通过传递name到load参数来选择性的调用必须的JS文件,这些name是以“,”隔开的,就像下面的链接:

1. https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery

当网站加载时,load-scripts.php会根据URL中的每个name去寻找对应的JS文件,并把其中的内容添加到一个单独的文件,然后发送回用户的web浏览器。

研究人员说,攻击者可以通过把所有的参数传递给上面的URL来让load-scripts.php来调用所有可能的JS文件,通过消耗更多的CPU和服务器内存来让目标网站运行变慢。

用户可以用预先定义好的列表($wp_scripts)来发送请求,而这是load[]参数的一部分。如果请求的值存在,服务器会用从用户那里获取的补充值相关的预定义的路径来执行I/O读操作。

虽然访客不能用一个简单的请求来拿下整个网站,但是研究人员用一个Python POC脚本(doser.py)来向相同的URL发起大量的并发请求,这会大量消耗目标服务器的CPU资源并让服务器宕机。

doser.py文件下载地址 :https://github.com/quitten/doser.py

Hacker News验证了DOS漏洞利用的真实性,成功地拿下了中等VPS服务器上运行的demo WordPress站点。这再次证明了load-scripts.php不需要任何的认证,匿名用户也可以进行上述操作。当服务器的请求达到500左右的时候,服务器就不再响应了,返回502/503/504错误。但是来自一个机器的40Mbps的连接是不足以让运行在处理能力和内存比较高配的服务器上的demo WordPress站点宕机的。

三、(CVE-2018-638)漏洞修复:

截止目前,还没有补丁发布。该漏洞大概影响29%的web站点,将上百万的网站至于黑客的面前,同时会让合法的用户得不到正常的服务。对于那些不能提供预防应用层攻击的DDOS保护的网站,研究人员做了一个WordPress站点的副本,可以预防此类漏洞。

研究人员建议用户不要安装此类修改过的CMS,即使这种CMS的来源是可信的。研究人员也发布了bash脚本来修复该漏洞。

修复脚本地址:  https://github.com/Quitten/WordPress/blob/master/wp-dos-patch.sh

有更大带宽和僵尸主机的攻击者可以利用该漏洞来攻击更大、更主流的WordPress站点。

好了,以上的(CVE-2018-638) 解释就到这里,怎么根据这个漏洞产生新的姿势呢,继续、、

四、事件背景介绍:

WordPress CMS平台上发现一个简单但很严重的应用级DoS漏洞(CVE-2018-638),攻击者利用该漏洞可以用很小的带宽来达到网络级DDoS攻击的效果,达到拿下WordPress站点的目的。

影响过去9年发布的所有WordPress版本,包括最新的WordPress稳定版Version 4.9.2。但厂商拒绝修复该漏洞。

网站是5月20号之前正常的,22号下午,当打开网站首页后,看到如下一幕(我X.jpg):

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

(网站整体文件被删除,根目录下被放了这个组织的介绍页面)

实在是欺人太甚!但是这时如果直接删除土耳其黑客介绍文件,恢复网站文件备份,终究还是不了解这个组织是怎么进入网站,而后又能上传木马,最后取得管理员权限。这样的话,还不是一样会再次被搞?必须将整个攻击过程整体蒴源,网站后台,宝塔后台,服务器后台,一一排查问题,才能继续安心开发站点,不担心再次被搞!

五、日志分析基础:

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

(案例1)

  • 192.168.1.66:表示客户端 IP 地址
  • [06/Sep/2012:20:55:05 +0800]:访问时间及服务器所在时区
  • GET:数据包提交方式为 GET 方式。常见的有 GET 和 POST 两种类型
  • /index.html:客户端访问的 URL
  • HTTP/1.1:协议版本信息
  • 404:WEB 服务器响应的状态码。404 表示服务器上无此文件;200 表示响应正常;500 表示服务器错误
  • 287:此次访问传输的字节数
  • Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0:客户端浏览器和系统环境等信息

六、分析找到新姿势

此时因为网站程序整体被删除,只有20号的网站在线网站文件还有留存。只能从系统日志开始分析,首先,查看一下服务器端是否有可疑用户登录:

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

(网站日志)

从这里可以看到ip是; 85.107.108.187,土耳其是一开始检查了我的网站的后台地址(当然,我的站才建立,他应该是用批量软件检测后台没有更改的网站扫描到了我)。通过ip全球精准定位显示,这小子是在土耳其的Kocaeli市区的一家快餐店。(出于道德,暂时不暴露他的详细位置)

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

查看服务器系统管理员动作,可以看到,所有ip的地址属于公司成员所在地,排除土耳其黑客进入服务器的可能。随此时只有进入宝塔后台和网站后台的。进行下一步排查:

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

(服务器用户查看)

从宝塔后台进入后,打开根文件下的日志,下载后继续分析:

1. 85.107.108.187 - - [21 / May / 2019:09:11:41 +0800] “GET /wp-admin/load-scripts.php?c=0&amp;load%5B%5D=wpdialogs,hoverIntent,common,admin-bar ,wp-a11y,customize-base,theme,updates,svg-painter,shortcode,media-editor,media-audiovideo,&load%5B%5D = mce-view&ver = 5.1.1 HTTP / 2.0“ 200 42026 ”https:/ /<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHAlM0EvL3d3dy54eHh4eC5jbi93cC1hZG1pbi90aGVtZXMucGhw" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">http://www.</span><span class="visible">xxxxx.cn/wp-admin/theme</span><span class="invisible">s.php</span></a>“”Mozilla / 5.0(Windows NT 6.1; Win64; x64)AppleWebKit / 537.36(KHTML,与Gecko一样)Chrome / 74.0.3729.157 Safari / 537.36“

从上面这段代码,可以看到土耳其小哥是先用软件批量测试网站后,发现我的网站对于(cve-2018-6389)漏洞进行检测,发现能够正常回显(此时小哥把批量检测的网站整理后,进行手动检测注入):

卡卡罗特先生: 土耳其黑客欺人太甚,蒴源攻击惊喜发现(CVE-2018-6389)漏洞新姿势!| 镜鉴

继续分析:

1. 85.107.108.187 - - [21/May/2019:09:11:30 +0800] "GET /wp-admin/ HTTP/2.0" 200 38790 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vL3dwLWxvZ2luLnBocA==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn//wp-login.php</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
2. 85.107.108.187 - - [21/May/2019:09:11:31 +0800] "GET /wp-admin/load-styles.php?c=0&amp;dir=ltr&amp;load%5B%5D=dashicons,wp-jquery-ui-dialog,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menu&amp;load%5B%5D=s,wp-pointer,widgets,site-icon,l10n,buttons,wp-auth-check,wp-color-picker,editor-buttons,media-views&amp;ver=5.1.1 HTTP/2.0" 200 116363 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4v" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
3. 85.107.108.187 - - [21/May/2019:09:11:35 +0800] "GET /wp-admin/load-scripts.php?c=0&amp;load%5B%5D=jquery-core,jquery-migrate,thickbox,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-resizable,jquery-ui-draggable,jque&amp;load%5B%5D=ry-ui-button,jquery-ui-position,jquery-ui-dialog,utils,jquery-ui-sortable,underscore,wp-util,jquery-ui-slider,jquery-touch-punch&amp;load%5B%5D=,iris,wp-color-picker,backbone,wp-backbone,media-models,moxiejs,plupload,wp-plupload,mediaelement-core,mediaelement-migrate,wp-m&amp;load%5B%5D=ediaelement,wp-api-request,media-views&amp;ver=5.1.1 HTTP/2.0" 200 223136 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4v" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
4. 85.107.108.187 - - [21/May/2019:09:11:35 +0800] "GET /wp-admin/load-scripts.php?c=0&amp;load%5B%5D=wpdialogs,hoverIntent,common,admin-bar,wp-ajax-response,jquery-color,wp-lists,quicktags,jquery-query,admin-comments,postbox,wp-a&amp;load%5B%5D=11y,dashboard,plugin-install,updates,shortcode,media-upload,svg-painter,media-editor,media-audiovideo,mce-view&amp;ver=5.1.1 HTTP/2.0" 200 54478 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4v" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
5. 85.107.108.187 - - [21/May/2019:09:11:35 +0800] "GET /wp-content/plugins/js_composer/assets/vc/logo/wpb-logo-white_32.svg HTTP/2.0" 200 1607 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4v" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
6. 85.107.108.187 - - [21/May/2019:09:11:36 +0800] "GET /wp-content/themes/dt-the7/inc/admin/assets/fonts/dt-icons/dt-icons.ttf?o0mqts HTTP/2.0" 200 7700 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtY29udGVudC90aGVtZXMvZHQtdGhlNy9pbmMvYWRtaW4vYXNzZXRzL2Nzcy9hZG1pbi1iYXIubWluLmNzcw==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-content/the</span><span class="invisible">mes/dt-the7/inc/admin/assets/css/admin-bar.min.css</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
7. 85.107.108.187 - - [21/May/2019:09:11:36 +0800] "GET /wp-content/plugins/Ultimate_VC_Addons/admin/fonts/ultimate.woff HTTP/2.0" 200 1300 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4v" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
8. 85.107.108.187 - - [21/May/2019:09:11:36 +0800] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 500 1 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4v" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"

从1-7条日志分析,小哥用GET方式不断测试,网站回显数据中的敏感信息。然后第8条信息进行POST操作,向我的网站打入数据,但是这次没有成功。因为网站回显还是500的错误(红色标注500)。继续分析:

1. 85.107.108.187 - - [21/May/2019:09:11:43 +0800] "GET /wp-admin/load-scripts.php?c=0&amp;load%5B%5D=jquery-core,jquery-migrate,thickbox,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-resizable,jquery-ui-draggable,jque&amp;load%5B%5D=ry-ui-button,jquery-ui-position,jquery-ui-dialog,utils,underscore,backbone,wp-util,wp-backbone,jquery-ui-sortable,jquery-ui-slid&amp;load%5B%5D=er,jquery-touch-punch,iris,wp-color-picker,media-models,moxiejs,plupload,wp-plupload,mediaelement-core,mediaelement-migrate,wp-m&amp;load%5B%5D=ediaelement,wp-api-request,media-views&amp;ver=5.1.1 HTTP/2.0" 200 223043 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdGhlbWVzLnBocA==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/theme</span><span class="invisible">s.php</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
2. 85.107.108.187 - - [21/May/2019:09:11:44 +0800] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 500 1 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdGhlbWVzLnBocA==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/theme</span><span class="invisible">s.php</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
3. 85.107.108.187 - - [21/May/2019:09:11:45 +0800] "GET /wp-admin/theme-install.php HTTP/2.0" 200 37148 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdGhlbWVzLnBocA==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/theme</span><span class="invisible">s.php</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
4. 85.107.108.187 - - [21/May/2019:09:11:47 +0800] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 500 1 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdGhlbWUtaW5zdGFsbC5waHA=" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/theme</span><span class="invisible">-install.php</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
5. 85.107.108.187 - - [21/May/2019:09:11:48 +0800] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 200 18 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdGhlbWUtaW5zdGFsbC5waHAlM0Zicm93c2UlM0RmZWF0dXJlZA==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/theme</span><span class="invisible">-install.php?browse=featured</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"

小哥通过之前的回显数据,重新构造GET请求格式。在第1、3个请求中测试回显json数据中敏感信息后,小哥通过第3条数据,构造重新POST的数据,第4条没有成功,第5条终于成功了(哈哈,我看小哥的测试,都看累了,小哥也不容易。)此时通过第5条POST数据提交,服务器回显200提示。继续分析;

1. 85.107.108.187 - - [21/May/2019:09:12:28 +0800] "POST /wp-admin/update.php?action=upload-theme HTTP/2.0" 200 31659 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdGhlbWUtaW5zdGFsbC5waHAlM0Zicm93c2UlM0RmZWF0dXJlZA==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/theme</span><span class="invisible">-install.php?browse=featured</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
2. 85.107.108.187 - - [21/May/2019:09:12:30 +0800] "GET /wp-admin/load-styles.php?c=0&amp;dir=ltr&amp;load%5B%5D=dashicons,wp-jquery-ui-dialog,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menu&amp;load%5B%5D=s,wp-pointer,widgets,site-icon,l10n,buttons,wp-color-picker,editor-buttons,media-views&amp;ver=5.1.1 HTTP/2.0" 200 115837 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdXBkYXRlLnBocCUzRmFjdGlvbiUzRHVwbG9hZC10aGVtZQ==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/updat</span><span class="invisible">e.php?action=upload-theme</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
3. 85.107.108.187 - - [21/May/2019:09:12:30 +0800] "GET /wp-admin/load-scripts.php?c=0&amp;load%5B%5D=jquery-core,jquery-migrate,thickbox,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-resizable,jquery-ui-draggable,jque&amp;load%5B%5D=ry-ui-button,jquery-ui-position,jquery-ui-dialog,utils,jquery-ui-sortable,jquery-ui-slider,jquery-touch-punch,iris,wp-color-pick&amp;load%5B%5D=er,underscore,backbone,wp-util,wp-backbone,media-models,moxiejs,plupload,wp-plupload,mediaelement-core,mediaelement-migrate,wp-m&amp;load%5B%5D=ediaelement,wp-api-request,media-views&amp;ver=5.1.1 HTTP/2.0" 200 222542 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdXBkYXRlLnBocCUzRmFjdGlvbiUzRHVwbG9hZC10aGVtZQ==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/updat</span><span class="invisible">e.php?action=upload-theme</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
4. 85.107.108.187 - - [21/May/2019:09:12:31 +0800] "GET /wp-admin/load-scripts.php?c=0&amp;load%5B%5D=wpdialogs,hoverIntent,common,admin-bar,svg-painter,shortcode,media-editor,media-audiovideo,mce-view&amp;ver=5.1.1 HTTP/2.0" 200 22548 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdXBkYXRlLnBocCUzRmFjdGlvbiUzRHVwbG9hZC10aGVtZQ==" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/updat</span><span class="invisible">e.php?action=upload-theme</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
5. 85.107.108.187 - - [21/May/2019:09:12:32 +0800] "POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/2.0" 500 1 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtYWRtaW4vdXBodHRwcyUzQS8vd3d3LnR5cGluZy5jb20vc3R1ZGVudC9sZXNzb25zZGF0ZS5waHAlM0ZhY3Rpb24lM0R1cGxvYWQtdGhlbWU=" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-admin/uphtt</span><span class="invisible">ps://www.typing.com/student/lessonsdate.php?action=upload-theme</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"

小哥在测试成功后,第1条又进行了POST数据投送。回显200,终于确定可以用了(我替他高兴。)小哥在第二条GET加了参数dir=ltr、判断出文件的路径后继续开干。可以确定的是小哥向我网站的这个页面进行请求数据:"xxxxx.cn/wp-admin/updat" 。终于,小哥在第4条确定了关键信息后,第5条通过POST方式上传了他的木马。

1. 85.107.108.187 - - [21/May/2019:09:14:29 +0800] "GET /wp-content/themes/dapza/alay.php?path=/www/wwwroot HTTP/2.0" 200 1442 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtY29udGVudC90aGVtZXMvZGFwemEvYWxheS5waHA=" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-content/the</span><span class="invisible">mes/dapza/alay.php</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
2. 85.107.108.187 - - [21/May/2019:09:14:57 +0800] "POST /wp-content/themes/dapza/cracker.php?grab HTTP/2.0" 200 2416 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtY29udGVudC90aGVtZXMvZGFwemEvY3JhY2tlci5waHAlM0ZncmFi" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-content/the</span><span class="invisible">mes/dapza/cracker.php?grab</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
3. 139.99.103.80 - - [21/May/2019:09:15:01 +0800] "POST /wp-login.php HTTP/1.1" 200 1868 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
4. 139.99.103.80 - - [21/May/2019:09:15:01 +0800] "POST /xmlrpc.php HTTP/1.1" 200 413 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

此时,小哥非常开心。从第1条顺利访问了alay.php木马后,陆续通过第2/3/4条上传了cracker.php和xmlrpc.php 。同时可以看到,小哥在第3、4条终于挂代理vpn,并且换了系统ubuntu(我估计是换kali linux正式准备提权拿我根服务器了)。

1. 85.107.108.187 - - [21/May/2019:09:23:32 +0800] "POST /wp-content/themes/dapza/webadmin.php HTTP/2.0" 200 2459 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtY29udGVudC90aGVtZXMvZGFwemEvd2ViYWRtaW4ucGhw" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-content/the</span><span class="invisible">mes/dapza/webadmin.php</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
2. 85.107.108.187 - - [21/May/2019:09:23:32 +0800] "GET /wp-content/themes/dapza/webadmin.php?image=smiley HTTP/2.0" 404 548 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtY29udGVudC90aGVtZXMvZGFwemEvd2ViYWRtaW4ucGhw" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-content/the</span><span class="invisible">mes/dapza/webadmin.php</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"
3. 85.107.108.187 - - [21/May/2019:09:23:32 +0800] "GET /wp-content/themes/dapza/webadmin.php?image=folder HTTP/2.0" 404 548 "<a class=" external" rel="external nofollow" target="_blank" href="https://www.kkltxs.com/wp-content/themes/begin/go.php?url=aHR0cHM6Ly9saW5rLnpoaWh1LmNvbS8/dGFyZ2V0PWh0dHBzJTNBLy93d3cueHh4eHguY24vd3AtY29udGVudC90aGVtZXMvZGFwemEvd2ViYWRtaW4ucGhw" target="_blank" rel="nofollow noopener noreferrer" data-za-detail-view-id="1043"><span class="invisible">https://www.</span><span class="visible">xxxxx.cn/wp-content/the</span><span class="invisible">mes/dapza/webadmin.php</span></a>" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36"

最后,可以看到。第1条中继续提交提权大马webadmin.php , 但是提取没有成功,从第2、3条看到,一直显示404。后面还有几十行404日志,这里也就不放了。

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: