简介:
https://www.vulnhub.com/entry/drunk-admin-web-hacking-challenge-1,14/
环境:
VMware网络选择的桥接模式,根据自己的环境进行配置,
攻击机:kali linux
靶机:Drunk Admin VM
0x001 信息收集
开机你将会看到靶机的IP地址,我的VM靶机地址为192.168.1.104
0x002 端口扫描
TCP端口扫描
nmap -n -A -p- 192.168.1.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-08 16:17 CST
Nmap scan report for 192.168.1.104
Host is up (0.0058s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze1 (protocol 2.0)
| ssh-hostkey:
| 1024 57:a2:04:3d:6e:e5:01:7b:b4:c6:e5:f9:76:25:8a:8a (DSA)
|_ 2048 66:9a:ee:a2:2a:1a:59:47:b9:c5:50:da:a6:96:76:16 (RSA)
8880/tcp open http Apache httpd 2.2.16 ((Debian))
|_http-server-header: Apache/2.2.16 (Debian)
|_http-title: Tripios
MAC Address: E0:94:67:A1:C9:FD (Intel Corporate)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.26 - 2.6.35, Linux 2.6.32
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 5.80 ms 192.168.1.104
UDP端口扫描 没有找到开放的UDP端口
nmap -n -A -sU 192.168.1.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-08 16:26 CST
Nmap scan report for 192.168.1.104
Host is up (0.0087s latency).
All 1000 scanned ports on 192.168.1.104 are closed (956) or open|filtered (44)
MAC Address: E0:94:67:A1:C9:FD (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 8.66 ms 192.168.1.104
0x003 侦查Web应用
http://192.168.1.104:8880/index.php
http://192.168.1.104:8880/info.php
使用burp suite 中的Spider爬取源码引用的链接
http://192.168.1.104:8880/myphp.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
http://192.168.1.104:8880/myphp.php?id=102
使用Intruder模块尝试对id数字进行增量,设置payloads set 设置为1 payload type 设置为Numbers ,payload options Numbers
from: 0 to: 1000 step : 1
GET /myphp.php?id=§102§ HTTP/1.1
Host: 192.168.1.104:8880
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: trypios=nop
Connection: close
Upgrade-Insecure-Requests: 1
对响应200长度为345 将显示这样一句话
Try harder, you might find something here. Or not? Who knows.
排序下可看到99,101,102,104,108,116,132,164响应长度不一样,打开URL链接将看到一些敏感信息。
#PHP版本Apache和PHP配置等信息
http://192.168.1.104:8880/myphp.php?id=101
#禁用的PHP函数列表
http://192.168.1.104:8880/myphp.php?id=104
dirb爬取的信息
dirb http://192.168.1.104:8880 -o dirb.log
GENERATED WORDS: 4612
---- Scanning URL: htt