Shocker靶机带来的启示:目录爆破进阶技巧
这台靶机的投票中Easy和Medium票数不相上下,总体难度还算简单,主要考查到了两个地方:
- 目录及目录下的文件爆破
- shellshock漏洞
目录爆破
目录爆破,我想各位应该都很熟练了,我们可以使用ffuf工具来进行目录爆破:
ffuf -u http://10.10.10.56/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.10.56/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 295, Words: 22, Lines: 12, Duration: 3ms]
.htpasswd [Status: 403, Size: 295, Words: 22, Lines: 12, Duration: 4ms]
cgi-bin/ [Status: 403, Size: 294, Words: 22, Lines: 12, Duration: 7ms]
server-status [Status: 403, Size: 299, Words: 22, Lines: 12, Duration: 4ms]
:: Progress: [20476/20476] :: Job [1/1] :: 7857 req/sec :: Duration: [0:00:02] :: Errors: 0 ::
也可以使用gobuster工具来进行爆破:
gobuster dir -u http://10.10.10.56 -w /usr/share/seclists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.56
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/14 08:59:52 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 295]
/.htpasswd (Status: 403) [Size: 295]
/cgi-bin/ (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 299]
===============================================================
2022/09/14 08:59:57 Finished
===============================================================
从上述结果中可以看到,当前靶机所提供的web服务中,存在/cgi-bin/子目录。
如果目录爆破的工作就到此为止的话,恐怕你和我一样,会卡在这里,然后去Google搜其它人写的write up了。
因此,这台靶机带给我的启示之一是:当你爆破出某个子目录时,应该做进一步爆破,尝试爆破该子目录下的更多内容(子目录/文件)
所以,我们接下来需要对/cgi-bin/子目录来进行进一步爆破:
文件名爆破
我翻了翻网上的其它人写的write up后,总结如下:
可以通过feroxbuster工具来爆破文件名:
feroxbuster -u http://10.10.10.56/cgi-bin/ -x sh,cgi,pl
也可以通过gobuster工具配合directory-list-2.3-medium.txt字典爆破文件名:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56/cgi-bin/ -x sh,cgi
看到上面的命令,我去看了一下字典里的文件名,总觉得有些运气成分在里面,因为字典里的文件名太少了!!!
万一我下一次遇到的靶机某个文件不在这个字典里,那不就又歇菜了!!?
所以进一步又引发了我的思考:有没有一个特别牛逼的大而全的文件名字典和后缀名字典?以后见到子目录无脑扫就完事了!
经过我的一番查找,在SecLists里找到了一个文件名大全的字典(big.txt)和文件后缀名大全的字典(extensions-skipfish.fuzz.txt)。
以Moderators靶机为例,后续遇到某个特殊的子目录,就可以这样继续扫它的子目录:
ffuf -u http://10.10.11.173/logs/e21cece511f43a5cb18d4932429915ed/FUZZ/ -w big.txt
也可以通过以下方式扫子目录里的文件:
ffuf -u http://10.10.11.173/logs/e21cece511f43a5cb18d4932429915ed/FUZZ1.FUZZ2 -w big.txt:FUZZ1 -w ../../Fuzzing/extensions-skipfish.fuzz.txt:FUZZ2
shellshock
至于shellshock漏洞原理及利用,可以参考以下内容: https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
在此我就不赘述了。
参考文章
https://0xdf.gitlab.io/2021/05/25/htb-shocker.html
https://ranakhalil101.medium.com/hack-the-box-shocker-writeup-w-o-metasploit-feb9e5fa5aa2
https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-shocker/
