【漏洞实战】基于mezzanine的攻防比赛环境搭建及XXE漏洞构造

一步一步教你搭建基于mezzanine的攻防比赛环境,以及XXE漏洞的构造方法。

虚拟部署

virtualenv是python环境配置和切换工具,进入该虚拟环境后,pip安装的软件不影响当前主环境,这样就能很好的安装几个python版本了,解决了库之间的依赖关系。
安装virtualenv和pip

sudo apt-get install python-virtualenv python-pip

创建虚拟部署环境

gongfangbisai@ubuntu:~$virtualenv -p /usr//bin/python2.7 app
gongfangbisai@ubuntu:~$ cd app/
gongfangbisai@ubuntu:~/app$ ls
bin  include  lib  local
gongfangbisai@ubuntu:~/app$ source bin/activate
(app)gongfangbisai@ubuntu:~/app$ pip install mezzanine
Downloading/unpacking mezzanine
  Downloading Mezzanine-3.1.10-py2.py3-none-any.whl (5.7MB): 5.7MB downloaded
Downloading/unpacking bleach>=1.4 (from mezzanine)
  Downloading bleach-1.4.1.tar.gz
``` 
首先使用virtualenv创建一个虚拟节点app,然后使用source激活,再在激活的节点下pip安装mezzanine,安装完mezzanine之后使用mezzanine-project来创建一个工程。 
```bash
(app)gongfangbisai@ubuntu:~/app$ mezzanine-project myproject
(app)gongfangbisai@ubuntu:~/app$ cd myproject/
(app)gongfangbisai@ubuntu:~/app/myproject$ ls
deploy  fabfile.py  __init__.py  local_settings.py  manage.py  requirements.txt  settings.py  urls.py  wsgi.py
(app)gongfangbisai@ubuntu:~/app/myproject$ python manage.py createdb
Creating tables ...
Creating table auth_permission
Creating table auth_group_permissions
Creating table auth_group
..........
You just installed Django's auth system, which means you don't have any superusers defined.
Would you like to create one now? (yes/no): yes
Username (leave blank to use 'gongfangbisai'): gongfangbisai
Email address: shengqi158@gmail.com
Password:
Password (again):
Superuser created successfully.
A site record is required.
Please enter the domain and optional port in the format 'domain:port'.
For example 'localhost:8000' or 'www.example.com'.
Hit enter to use the default (127.0.0.1:8000):
Creating default site record: 127.0.0.1:8000 ...
Installed 2 object(s) from 1 fixture(s)
Would you like to install some initial demo pages?
Eg: About us, Contact form, Gallery. (yes/no): yes
Creating demo pages: About us, Contact form, Gallery ...
Installed 16 object(s) from 3 fixture(s)
Installing custom SQL ...
Installing indexes ...
Installed 0 object(s) from 0 fixture(s)
(app)gongfangbisai@ubuntu:~/app/myproject$ ls
deploy  fabfile.py   __init__.pyc       local_settings.pyc  requirements.txt  settings.pyc  urls.py
dev.db  __init__.py  local_settings.py  manage.py           settings.py       static        wsgi.py
``` 
使用mezzanine-project myproject创建完工程之后就是创建数据库,使用命令python manage.py createdb 即可,由于mezzanine是基于django框架的,可以看到一些基于django的数据库的创建。再接着会提示输入超级管理用户的用户名,email,密码,请记住,这是mezzanine系统的超级管理员。接下来我们试运行一下: 
```bash
(app)gongfangbisai@ubuntu:~/app/myproject$ python manage.py runserver 0.0.0.0:8000

再接着在浏览器访问127.0.0.1:8000,如果正常说明mezzanine的搭建第一步ok。

采用uwsgi + nginx 方案部署

前期准备

首先是安装nginx,uwsgi,再接着集中模板和静态文件,这样好配置静态路径

python manager.py collectstatic
python manager.py collecttemplates
sudo apt-get install nginx
sudo apt-get install uwsgi

请求的发送过程大概如下,如果在最后的测试中报错的话就得按照数据的走向来排查问题:

--> nginx --> uwsgi --> mezzanine(django)```

### nginx 配置
安装好nginx之后,/etc/init.d/nginx start 即可以启动nginx,在页面访问80端口就能查看到nginx的欢迎页面。重要是配置:
nginx的默认配置文件路径:/etc/nginx/
在/etc/nginx/sites-enabled 新建自己的配置文件,从sites-available拷贝一个default重命名为mysite_nginx.conf,编辑如下:

server {
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

 root /home/gongfangbisai/app/myproject/; #网站的root目录
 index index.html index.htm;

 # Make site accessible from http://localhost/
 server_name localhost;

location /static {    #静态配置文件
    autoindex on;
    alias /home/gongfangbisai/app/myproject/static;
    access_log off;
    log_not_found off;
}

 location / {        #非静态请求,通过本地的8630端口来通信,这就是uwsgi后续要启动的端口
      # First attempt to serve request as file, then
      # as directory, then fall back to displaying a 404.
      try_files $uri $uri/ =404;
      # Uncomment to enable naxsi on this location
      # include /etc/nginx/naxsi.rules
      uwsgi_pass 127.0.0.1:8630;         
    include /home/gongfangbisai/app/myproject/uwsgi_params;
 }
修改完之后,可通过nginx -t 来测试配置文件是否有语法错误,确认ok之后即可启动。
### uwsg 配置
wsgi.py的内容具体如下:
```python
from __future__ import unicode_literals
import os
PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
settings_module = "%s.settings" % PROJECT_ROOT.split(os.sep)[-1]
os.environ.setdefault("DJANGO_SETTINGS_MODULE", settings_module)
from django.core.wsgi import get_wsgi_application
application = get_wsgi_application()

下面是配置wsgi:
在网站根目录新建wsgi.xml,具体如下:
(app)gongfangbisai@ubuntu:~/app/myproject$ cat wsgi.xml

<uwsgi>
    <socket>127.0.0.1:8630</socket>
    <master>true</master>
    <chdir>/home/gongfangbisai/app/myproject/</chdir>
    <pythonpath>..</pythonpath>
    <module>wsgi</module>
    <wsgi-file>wsgi.py</wsgi-file>
    <enable-threads>true</enable-threads>>
    <processes>4</processes>>
    <plugin>python</plugin>
</uwsgi>

socket 是和nginx通信接口,pythonpath 为..,这样才能包含djaong的setting,chdir为网站根目录

(app)gongfangbisai@ubuntu:~/app/myproject$ uwsgi -x wsgi.xml

启动起来之后访问首页ok,但是到一些具体的功能页的时候就报404,查看输出日志,uwsgi出现404的时候没动,nginx有日志,也就是说请求到了nginx就没发到uwsgi了,按道理应该是nginx的配置有问题,就查nginx的日志实在找不出问题,而且关键是想不到搜索的关键字,总报404于是就将nginx的配置文件的try_files $uri $uri/ =404;注释掉,这回uwsgi有输出了,显示如下:
– unavailable modifier requested: 0 –
搜索该关键字,很多人遇到这个问题,好吧,再把相应的库给装上吧

apt-get install uwsgi-plugin-python```

装上库之后再sudo uwsgi -x wsgi.xml总报:
```bash
ImportError: No module named mezzanine
unable to load app 0 (mountpoint='') (callable not found or import error)

找了一下,说是python的路径问题,直接在该环境下python,再找sys.path没问题,后来再一看是自己手贱多加了个sudo,导致python环境不对,去掉sudo 运行uwsgi OK。

XXE漏洞的构造

前期调研未做好,装了ubuntu13.04,装它的原因就是因为他最近没有报本地提权漏洞,有点因小失大。好吧,总不能从头安装mezzine吧,于是拿libxml下手,选用的python的lxml作为问题程序,其etree.so依赖libxml2和libxslt.
于是安装存在xxe漏洞的libxml和libxlst,低于2.9.0,到http://xmlsoft.org/sources/ 下载相应的软件包,这里libxml选择2.8,libxlst选择1.2.27

gongfangbisai@ubuntu:~$ tar -zxvf libxslt-1.1.27.tar.gz
gongfangbisai@ubuntu:~$ cd libxslt-1.1.27/
gongfangbisai@ubuntu:~/libxslt-1.1.27$ ./configure&make 最后make install 它会装在/usr/local/lib目录下
gongfangbisai@ubuntu:~/libxslt-1.1.27$ python
Python 2.7.6 (default, Jun 22 2015, 17:58:13)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from lxml import etree
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: /usr/lib/x86_64-linux-gnu/libxml2.so.2: version `LIBXML2_2.9.0' not found (required by /usr/lib/python2.7/dist-packages/lxml/etree.so)
>>>
gongfangbisai@ubuntu:~/libxslt-1.1.27$ ldd /usr/lib/python2.7/dist-packages/lxml/etree.so
/usr/lib/python2.7/dist-packages/lxml/etree.so: /usr/lib/x86_64-linux-gnu/libxml2.so.2: version `LIBXML2_2.9.0' not found (required by /usr/lib/python2.7/dist-packages/lxml/etree.so)
/usr/lib/python2.7/dist-packages/lxml/etree.so: /usr/lib/x86_64-linux-gnu/libxml2.so.2: version `LIBXML2_2.9.0' not found (required by /usr/lib/x86_64-linux-gnu/libxslt.so.1)
        linux-vdso.so.1 =>  (0x00007fffb9cc6000)
        libxslt.so.1 => /usr/lib/x86_64-linux-gnu/libxslt.so.1 (0x00007fca6d652000)
        libexslt.so.0 => /usr/lib/x86_64-linux-gnu/libexslt.so.0 (0x00007fca6d43d000)
        libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fca6d0df000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fca6cec1000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fca6cafc000)
        libgcrypt.so.11 => /lib/x86_64-linux-gnu/libgcrypt.so.11 (0x00007fca6c87d000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fca6c679000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fca6c460000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fca6c159000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fca6dc02000)
        libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fca6bf55000)

安装完这两个软件后,通过strace python test.py > test.log 2>&1发现其还是依赖原先libxml,第一步想到的是update-alternatives,

gongfangbisai@ubuntu:~/app/myproject/static/media/uploads$ update-alternatives --list libxml
update-alternatives: error: no alternatives for libxml

怎么都不提示有两个版本的的libxml,那怎么办呢,强制修改软链接:

gongfangbisai@ubuntu:/usr/lib/x86_64-linux-gnu$ sudo ln -s /usr/local/lib/libxslt.so.1.1.27 libxslt.so
gongfangbisai@ubuntu:/usr/lib/x86_64-linux-gnu$ sudo rm libxslt.so.1
gongfangbisai@ubuntu:/usr/lib/x86_64-linux-gnu$ sudo ln -s /usr/local/lib/libxslt.so.1.1.27 libxslt.so.1
gongfangbisai@ubuntu:/usr/lib/x86_64-linux-gnu$ ldconfig

这样libxslt.so的依赖关系搞定了,通过同样的方式搞定libxml2,搞定这两个库之后,还是会提示etree.so依赖2.9的接口,怎么办呢,直接pip install -v lxml==3.0 这个xml版本就不存在依赖2.9接口的问题。在这里也引入了后面会遇到的一个问题,xx测试在python命令行中没有问题,但是在django环境中就有问题,总报库的依赖有问题,猛一回头发现是python虚拟环境搞得鬼,这个虚拟环境会引入libxml和libxslt这种系统lib下的库,但是像python的环境就不会引入,比如/usr/local/lib/python2.7/site-packages/下的,没办法只能在虚拟环境下重新安装了一遍lxml,这样就不会有库依赖的问题了。

gongfangbisai@ubuntu:~/app/myproject/static/media/uploads$ xmllint –noent a.xml //命令行测试比python更容易跟踪

解决了依赖问题,下面就是编码问题了:
django的登录认证:
./django/contrib/auth/views.py 在这里去掉修改密码的功能,注释掉password_change函数

去掉重置密码链接:直接注释用注释url链接
编辑grappelli_safe/templates/registration/ 相关页面

修改上传页面的逻辑处理,对于xml加上对entity的解释功能,这样就能导入一个xxe漏洞,修改filebrowser_safe/views.py

def decode_string(target):
    try:
        result = target.decode('utf8').encode('utf8')
        return (1,result)
    except:
        pass
    try:
        result = target.decode('gbk').encode('utf8')
        return (2,result)
    except:
        pass
    try:
        result = target.decode('gb2312').encode('utf8')
        return (3,result)
    except:
        pass
    try:
        result = target.decode('utf16').encode('utf8')
        return (4,result)
    except:
        pass
    try:
        result = target.decode('latin1').encode('utf8')
        return (5,result)
    except:
        pass
    return ''
def _upload_file(request):
            for line in filedata.chunks():
                code_type, line = decode_string(line)
                if code_type != 4 and 'ENTITY' in line:
                    msg = _('illegal xml, ENTITY found!!!!')
                    return HttpResponse(msg)
            uploadedfile = default_storage.save(file_path, filedata)
            if default_storage.exists(file_path) and file_path != uploadedfile:
                default_storage.move(smart_text(uploadedfile), smart_text(file_path), allow_overwrite=True)
            if file_path.lower().endswith(".xml"):
                from lxml import etree
                try:
                    msg = _('path:%s:%s:%s:%s' %(uploadedfile, file_path,directory,type(filedata.chunks())))
                    if default_storage.exists(file_path):
                        abs_path = smart_text(django_settings.MEDIA_ROOT + "/" + file_path)
                        tree = etree.parse(abs_path)
                        tree.write(abs_path)
#                    return HttpResponse(msg)
                except Exception,e:
                    msg = _('IOERROR:%s' %(e))
                    return HttpResponse(msg)

转载自:

http[:]//xxlegend.com/2016/04/01/%E5%9F%BA%E4%BA%8Emezzanine%E7%9A%84%E6%94%BB%E9%98%B2%E6%AF%94%E8%B5%9B%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA%E5%8F%8AXXE%E6%BC%8F%E6%B4%9E%E6%9E%84%E9%80%A0/

 

Spread the word. Share this post!

Meet The Author

Leave Comment