Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86386335

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking

0x00 前言本文記錄從零開始搭建GoAnywhere Managed File Transfer漏洞調試環境的細節。

0x01 簡介本文將要介紹以下內容:

GoAnywhere Managed File Transfer安裝

GoAnywhere Managed File Transfer漏洞調試環境配置

數據庫操作

0x02 GoAnywhere Managed File Transfer安裝參考資料:https://static.fortra.com/goanywhere/pdfs/guides/ga6_8_6_installation_guide.pdf

下載地址:https://www.goanywhere.com/products/goanywhere-free/download

需要註冊賬號獲得license

GoAnywhere Managed File Transfer可以分別安裝在Windows和Linux操作系統

Windows系統下默認的Web路徑:C:\Program Files\HelpSystems\GoAnywhere\tomcat\webapps\ROOT

Linux系統下默認的Web路徑:/usr/local/HelpSystems/GoAnywhere/tomcat/webapps/ROOT

1.開啟遠程調試功能通過開啟Tomcat調試功能來實現,開啟Tomcat調試功能的方法如下:

切換至bin目錄

執行命令:catalina jpda start

Tomcat調試功能開啟後默認監聽本地8000端口

對於GoAnywhere Managed File Transfer,開啟調試功能的方法如下:

(1)Windows下調試

修改文件C:\Program Files\HelpSystems\GoAnywhere\tomcat\bin\GoAnywhere.exe的文件屬性

雙擊文件C:\Program Files\HelpSystems\GoAnywhere\tomcat\bin\GoAnywhere.exe,切換到Java標籤頁,在Java Optinos添加:-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8090,如下圖

重啟服務GoAnywhere

(2)Linux調試

修改文件:/opt/HelpSystems/GoAnywhere/tomcat/bin/start_tomcat.sh,將exec '$PRGDIR'/'$EXECUTABLE' start '$@'修改為exec '$PRGDIR'/'$EXECUTABLE' jpda start '$@'

修改文件:/opt/HelpSystems/GoAnywhere/tomcat/bin/goanywhere_catalina.sh,將JPDA_ADDRESS='localhost:8000'修改為JPDA_ADDRESS='*:8090'

注:

Tomcat默認的調試端口8000同GoAnywhere Managed File Transfer的Web端口衝突,所以這裡選擇修改Tomcat默認的調試端口為8090

打開防火牆允許外部訪問8090端口:iptables -I INPUT -p tcp --dport 8090 -j ACCEPT

啟動GoAnywhere進程:/opt/HelpSystems/GoAnywhere/goanywhere.sh start

0x03 數據庫操作GoAnywhere Managed File Transfer使用Apache Derby數據庫

Windows下默認數據庫存儲位置為:C:\Program Files\HelpSystems\GoAnywhere\userdata\database\goanywhere

Linux下默認數據庫存儲位置為:/opt/HelpSystems/GoAnywhere/userdata/database/goanywhere/

數據庫操作的實現細節可從lib文件夾下的ga_classes.jar獲得

從中我們可以得到Web用戶口令加密的實現細節,對應位置:C:\Program Files\HelpSystems\GoAnywhere\lib\ga_classes.jar!\com\linoma\ga\ui\admin\action\user\ChangeUserPasswordAction.class

提取出的Java實現代碼如下:

1.png

1.讀取Derby數據庫(1)命令行實現

使用Apache Derby,下載地址:https://archive.apache.org/dist/db/derby/db-derby-10.14.2.0/db-derby-10.14.2.0-bin.zip

運行bin目錄下的ij.bat

連接數據庫:connect 'jdbc:derby:C:\Program Files\HelpSystems\GoAnywhere\userdata\database\goanywhere;';

查詢用戶配置:SELECT * FROM DPA_USER;

(2)界面化實現

使用DBSchema,下載地址:https://dbschema.com/download.html

啟動DBSchema後,選擇連接Derby數據庫,JDBC Driver選擇derbytools.jar org.apache.derby.jdbc.EmbeddedDriver,Folder選擇C:\Program Files\HelpSystems\GoAnywhere\userdata\database\goanywhere

查詢用戶數據表,如下圖

下载.png

可以看到默認用戶有以下三個:

Administrator,未啟用

root,未啟用

admin,默認用戶

2.修改數據庫GoAnywhere Managed File Transfer的Derby數據庫使用了內嵌模式,其他應用程序不可訪問,所以有以下兩種修改數據的方法:

(1)GoAnywhere Managed File Transfer處於運行狀態

可以通過寫入jsp文件實現數據庫的修改

(2)GoAnywhere Managed File Transfer處於關閉狀態

可以選擇Apache Derby或DBSchema打開數據庫文件夾,直接進行修改

修改數據庫的命令示例:

啟用root用戶:UPDATE APP.DPA_USER SET ENABLED='1' WHERE USER_NAME='root';

設置root用戶口令:UPDATE APP.DPA_USER SET USER_PASS='$5$mpoe6zI4B6+LHRMdbFKr8g==$RnAILbYe9KDauKE3wXTFVvlXQNZeM4Z2c7x1aEtME/U=' WHERE USER_NAME='root';

0x04 小結在我們搭建好GoAnywhere Managed File Transfer漏洞調試環境後,接下來就可以著手對漏洞進行學習。