1. Introduction to XAMPP
XAMPP (Apache + MySQL + PHP + PERL) is a powerful integrated web-server package.
The package was originally called LAMPP, but to avoid confusion the most recent versions were renamed XAMPP. It can be installed on Windows, Linux, Solaris, Mac OS X and other operating systems and supports multiple languages; XAMPP really is very easy to install and use: just download, unpack and start. It is similar to phpstudy.
2. Cause of the vulnerability
On Windows, XAMPP lets non-administrator accounts read and modify the editor and browser settings of its control panel. The editor defaults to notepad.exe, and once the setting is changed it takes effect for every user who can open the XAMPP control panel. If an attacker sets the editor to a malicious .exe or .bat file, and an administrator account then views the Apache log files through the XAMPP control panel, the malicious .exe or .bat file is executed, which yields arbitrary command execution.
3. Affected versions
Apache Friends XAMPP < 7.2.29
Apache Friends XAMPP 7.3.*, < 7.3.16
Apache Friends XAMPP 7.4.*, < 7.4.4
4. Environment setup
Download XAMPP
Check the root account's details and add an account named lower
Log in as the lower user
Create the script conn.bat
As the lower user, create the conn.bat script; its purpose is to add the lower user to the administrators group
@echo off
rem Add the user "lower" to the local Administrators group
net localgroup administrators lower /add
Run XAMPP
Save the setting; then switch to the root user, right-click and run XAMPP as administrator;
Escalated to administrator privileges
Run the following command:
Reflections
Looking back over the whole process, it is really just the normal procedure with an XAMPP step added in the middle; the core is nothing more than adding a user to the administrators group while running with administrator privileges.
net localgroup administrators lower /add ; under normal circumstances we can also do this directly;
As it stands, the XAMPP administrator is effectively driven by the configuration: the command above was placed into that config, and the Logs button is the key trigger that runs it; if the Logs button is never pressed, the command that adds the user to the administrators group is never executed;
Below is the install file from the apache/logs folder
In the error log file, the execution of the command can be seen
Whether that command is executed is determined by where the configuration points
The control panel is necessarily governed by its configuration file, which decides what it controls and how;
A practical later fix: deny ordinary users/administrators the permission to operate on that file; only the super-administrator can;
For example:
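As a defender-side check added here (this is not code from the original post or from XAMPP), the script below audits the two conditions the write-up relies on: an Editor value that points at a script or at a non-system location, and a control-panel configuration file that low-privilege users can modify. It assumes the control panel keeps its settings in xampp-control.ini under a [Config] section with an Editor key, and reads the ACL from the output of `icacls <file>`; the sample INI and ACL text are constructed.

```python
import configparser
import re
from pathlib import PureWindowsPath

# Principals every interactive user belongs to: write rights for any of them
# mean a non-admin can change the Editor value.
LOW_PRIV = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone"}
WRITE_TOKENS = {"F", "M", "W", "WD", "AD"}   # icacls rights that alter content
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# One icacls ACE, "<principal>:(I)(M)", at line end; the first line also carries the file name.
ACE_RE = re.compile(
    r"(?:^|\s)((?:[A-Za-z0-9_.-]+|NT AUTHORITY|NT SERVICE)\\[^:\\]+|Everyone)"
    r":((?:\([^)]*\))+)\s*$")


def editor_findings(ini_text: str) -> list[str]:
    """Flag an Editor value the control panel would launch to open a log."""
    cp = configparser.ConfigParser(interpolation=None)   # assumed INI layout
    cp.read_string(ini_text)
    editor = cp.get("Config", "Editor", fallback="").strip().strip('"')
    if not editor:
        return ["Editor key missing or empty"]
    path, findings = PureWindowsPath(editor), []
    if path.suffix.lower() in SCRIPT_EXTS:
        findings.append(f"Editor is a script, not an editor: {editor}")
    if path.is_absolute() and not str(path).lower().startswith(TRUSTED_DIRS):
        findings.append(f"Editor is outside trusted directories: {editor}")
    return findings


def low_priv_writers(icacls_output: str) -> list[str]:
    """Low-privilege principals that icacls shows with write or modify rights."""
    writers = []
    for line in icacls_output.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        tokens = {t for grp in re.findall(r"\(([^)]*)\)", m.group(2))
                  for t in grp.split(",")}
        if m.group(1) in LOW_PRIV and tokens & WRITE_TOKENS:
            writers.append(m.group(1))
    return writers


# Constructed samples: the tampered setting from the write-up and an ACL that gives Users Modify.
SAMPLE_INI = "[Config]\nEditor=C:\\Users\\lower\\conn.bat\nBrowser=\n"
SAMPLE_ICACLS = (
    "C:\\xampp\\xampp-control.ini BUILTIN\\Users:(I)(M)\n"
    "                             NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                             BUILTIN\\Administrators:(I)(F)\n"
    "Successfully processed 1 files; Failed processing 0 files\n")
```

Run the two functions against the live xampp-control.ini and the real `icacls` output on the host; an empty result from both is the state the fix described above aims for.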
Done!!!