最近,对Linux下的webshell进行了实战及研究,这里做个记录
环境
靶机:
- Ubuntu 20.04
- Xampp
攻击机:
- Windows 10
- 冰蝎3.0
环境搭建
换源
打开虚拟机,首先进行换源,输入命令备份文件:
sudo cp /etc/apt/sources.list /etc/apt/sources.bak1
使用命令打开源文件:
sudo gedit /etc/apt/sources.list
然后删掉所有内容,复制粘贴阿里云的镜像源
完事之后运行命令更新源:
sudo apt-get update
xampp安装
下载官方推荐的xampp
执行命令:
sudo chmod 777 xampp-linux-x64-7.4.3-0-installer.run
sudo ./xampp-linux-x64-7.4.3-0-installer.run
在弹出来的界面处,点击Welcome界面,点击Open Application Folder:
找到hotdocs文件夹,将解压后的dvwa网站源码放进去,并运行以下命令:
sudo chmod 777 -R DVWA-master
点击Manage Servers,然后点击Start All按钮:
全绿即可。
如果绿不了,尝试以下命令即可解决:
sudo service mysql stop
sudo service mysqld stop
sudo service nginx stop
sudo service apache stop
sudo service apache2 stop
然后修改网站源码下的config文件夹内的config.inc.php.dist为config.inc.php,然后更改文件内容(主要是数据库账号密码)
然后就可以打开网站了
然后可以在页面更改安全级别:
webshell上传
进入页面,点击左侧导航栏File Upload,将冰蝎解压后的server文件夹内的可爱的小木马全部上传上去:
这里上传不成功的话参照上文更改安全级别即可
webshell利用
安装配置Java环境后,直接双击冰蝎的jar包即可运行:
直接在空白处右键,点击新增:
然后在弹出的对话框中填上上传的webshell地址,密码默认就是
rebeyond,然后点击保存即可。直接双击打开刚刚创建的连接,可以看到显示了PHPinfo的信息:
然后在命令执行处可以执行任意命令:
攻击检测
Linux安装Sysmon之后,首先使用脚本清除系统日志:
python sysmon_xml2json.py -cls 1
然后使用冰蝎建立连接,执行命令。攻击完成之后,使用脚本导出日志:
python sysmon_xml2json.py
通过对日志进行分析,搜索whoami命令关键词,查看发现其父进程是/usr/bin/dash,具体日志如下:
{
"@timestamp": "2021-11-12T03:43:27.203729000Z",
"Hostname": "ubuntu",
"TerminalSessionId": "3",
"ProcessGuid": "{fd8c6fc0-5ac9-618c-91c7-32e5b5550000}",
"ParentUser": "daemon",
"Channel": "Linux-Sysmon/Operational",
"ProcessId": "100900",
"Product": "-",
"Description": "-",
"SourceName": "Linux-Sysmon",
"Company": "-",
"ParentProcessId": "100899",
"ParentProcessGuid": "{fd8c6fc0-5ac9-618c-f597-be492a560000}",
"User": "daemon",
"Hashes": "-",
"OriginalFileName": "-",
"EventID": "1",
"Task": "1",
"ParentImage": "/usr/bin/dash",
"FileVersion": "-",
"Level": "4",
"CurrentDirectory": "/opt/lampp/htdocs/DVWA-master/hackable/uploads",
"CommandLine": "whoami",
"ProviderGuid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
"LogonGuid": "{fd8c6fc0-0000-0000-0100-000000000000}",
"LogonId": "1",
"TimeCreated": "2021-11-12T03:43:27.203729000Z",
"Image": "/usr/bin/whoami",
"IntegrityLevel": "no level",
"ParentCommandLine": "sh",
"UtcTime": "2021-11-10 23:50:33.409",
"RuleName": "-",
"Keywords": "0x8000000000000000"
}
再对其父进程日志进行分析:
{
"@timestamp": "2021-11-12T03:43:27.201778000Z",
"Hostname": "ubuntu",
"TerminalSessionId": "3",
"ProcessGuid": "{fd8c6fc0-5ac9-618c-f597-be492a560000}",
"ParentUser": "-",
"Channel": "Linux-Sysmon/Operational",
"ProcessId": "100899",
"Product": "-",
"Description": "-",
"SourceName": "Linux-Sysmon",
"Company": "-",
"ParentProcessId": "100772",
"ParentProcessGuid": "{00000000-0000-0000-0000-000000000000}",
"User": "daemon",
"Hashes": "-",
"OriginalFileName": "-",
"EventID": "1",
"Task": "1",
"ParentImage": "-",
"FileVersion": "-",
"Level": "4",
"CurrentDirectory": "/opt/lampp/htdocs/DVWA-master/hackable/uploads",
"CommandLine": "sh -c cd /opt/lampp/htdocs/DVWA-master/hackable/uploads/;whoami",
"ProviderGuid": "{ff032593-a8d3-4f13-b0d6-01fc615a0f97}",
"LogonGuid": "{fd8c6fc0-0000-0000-0100-000000000000}",
"LogonId": "1",
"TimeCreated": "2021-11-12T03:43:27.201778000Z",
"Image": "/usr/bin/dash",
"IntegrityLevel": "no level",
"ParentCommandLine": "-",
"UtcTime": "2021-11-10 23:50:33.408",
"RuleName": "-",
"Keywords": "0x8000000000000000"
}
发现其父进程为空,但通过ParentProcessId字段可以看出其父进程的ID号,于是去系统通过命令查看:
cd /proc/100772
sudo ls -ail
发现其进程名为httpd,于是就与Apache服务建立了关联:
但搜索日志,并没有发现进程名为httpd的日志,也没有ProcessID为100772的日志记录。哪怕是重启了Apache服务,也抓取不到Apache的日志记录。尝试通过更改Sysmon的配置文件为:
<Sysmon schemaversion="4.81">
<EventFiltering></EventFiltering>
</Sysmon>
也搜集不到想要的那条日志。因此,个人猜测是Linux下的Sysmon日志搜集能力还待加强,或者需要通过其他方式更改Sysmon的配置文件吧。
