版权声明:人类的最大弱点之一是自命不凡的幻想。 https://blog.csdn.net/claysystem/article/details/78849305
(1)信息收集
从校园网登录认证的web服务器入手
认证登录URL:
可以看到URL中的参数都被加密成一大串密文
登录成功后跳转的页面:
http://10.0.0.2:9090/zportal/goToAuthResult
服务器OS:CentOS CentOS release 6.5 (Final)
服务器IP:10.0.0.2
WEB端口:9090
丢NMAP里
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 128
135/tcp filtered msrpc no-response
139/tcp filtered netbios-ssn no-response
445/tcp filtered microsoft-ds no-response
514/tcp filtered shell no-response
1099/tcp open rmiregistry syn-ack ttl 128
3306/tcp open mysql syn-ack ttl 128
8009/tcp open ajp13 syn-ack ttl 128
8080/tcp open http-proxy syn-ack ttl 128
9009/tcp open pichat syn-ack ttl 128
9050/tcp open tor-socks syn-ack ttl 128
9090/tcp open zeus-admin syn-ack ttl 128
开放的端口很多,我们有戏了
祭出神器
没错,我们可以直接遍历服务器文件 这里没有保存密码 我们去看看能不能遍历shadow文件
bingo 获取root密码
用john跑了5个小时都没跑出来root密码
要换个思路了
查看下系统历史命令 看看管理员曾经都用过什么命令
发现管路员写过一个数据库备份的sh 我们看下这个sh
mysql 配置文件
# The following options will be passed to all MySQL clients
[client]
port = 3306
socket = /tmp/mysql.sock
[mysqld]
port = 3306
socket = /tmp/mysql.sock
skip-external-locking
server-id =1
basedir=/opt/mysql/mysql
[mysql]
default-character-set = utf8
sql_mode=NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
mysql db_bak.sh
\#!/usr/bin/env bash
############################################################################################
DB_HOST=`ifconfig|grep "inet addr:"|grep -v "127.0.0.1"|cut -d: -f2|awk '{print $1}'`
DB_USER="root"
DB_PASS=
DB_PORT=3306
DB_DATA_DIR=/opt/mysql/mysql/data
#INDEX_FILE_NAME=mysqlmaster-bin.index
# Weekly backup day
DOW='7'
# Monthly backup day
DOM='01'
BACK_UP_FOLDER=/opt/backup/data
BACK_UP_LOG_FOLDER=/opt/backup/log
# 'daily'
D_DELETE_BACKUP_OLDER_THAN_DAYS=7
# 'weekly'
W_DELETE_BACKUP_OLDER_THAN_DAYS=30
# Dates format for naming backups
DATE_FORMAT="%Y-%m-%d_%H-%M" # current
D_DATE_FORMAT="%Y-%m-%d" # daily
W_DATE_FORMAT="%Y-%m-%d" # weekly
M_DATE_FORMAT="%Y-%m-%d" # monthly
# Backup folders names
CURRENT_FOLDER='01_current'
DAILY_FOLDER='02_daily'
WEEKLY_FOLDER='03_weekly'
MONTHLY_FOLDER='04_monthly'
log_backup(){
#delete binlog before 7 day
TIME=$(date "-d 7 day ago" +%Y%m%d%H%M%S)
#back up binlog from yesterday
StartTime=$(date "-d 1 day ago" +"%Y-%m-%d %H:%M:%S")
mysql -u$DB_USER -p$DB_PASS -e "purge master logs before ${TIME}" && echo "delete binlog before 7 day"
filename=`cat $DB_DATA_DIR/$INDEX_FILE_NAME |awk -F "/" '{print $2}'`
for db in $DB_LIST
do
dbfolder=""
if [ ! -e $BACK_UP_LOG_FOLDER/$db ]; then
mkdir $BACK_UP_LOG_FOLDER/$db
fi
for i in $filename
do
if [ ! -e $BACK_UP_LOG_FOLDER/$db/logBak$(date "-d " +%Y%m%d).sql.gz ]; then
/usr/local/mysql/bin/mysqlbinlog -u$DB_USER -p$DB_PASS -d $db --start-datetime="$StartTime" $DB_DATA_DIR/$i |gzip >> $BACK_UP_LOG_FOLDER/$db/logBak$(date "-d " +%Y%m%d).sql.gz
fi
done
done
}
db_backup(){
local dir=${BACK_UP_FOLDER}
if [ ! -d $dir ]; then
${MKDIR} $dir
fi
local currentdirfiles="${BACK_UP_FOLDER}/${CURRENT_FOLDER}/*"
local currentdir="${BACK_UP_FOLDER}/${CURRENT_FOLDER}/data"
local currentdirbase="${BACK_UP_FOLDER}/${CURRENT_FOLDER}"
local dailydir="${BACK_UP_FOLDER}/${DAILY_FOLDER}"
local weeklydir="${BACK_UP_FOLDER}/${WEEKLY_FOLDER}"
local monthlydir="${BACK_UP_FOLDER}/${MONTHLY_FOLDER}"
for i in $currentdir $dailydir $weeklydir $monthlydir; do
if [ ! -d $i ]; then
mkdir -p $i
fi
done
local filename="${currentdirbase}/bak_`date +"$DATE_FORMAT"`_full.tar.gz"
local dailyfile="${dailydir}/bak_`date +"$DATE_FORMAT"`_full.tar.gz"
local weeklyfile="${weeklydir}/bak_`date +"$DATE_FORMAT"`_full.tar.gz"
local monthlyfile="${monthlydir}/bak_`date +"$DATE_FORMAT"`_full.tar.gz"
local posfile="${BACK_UP_FOLDER}/${CURRENT_FOLDER}/data/xtrabackup_checkpoints"
local tmpdir=""
#full backup
if [ "`date +"%u"`" = "$DOW" ]; then
rm -rf $currentdirfiles
echo `innobackupex --backup --user=$DB_USER --password=$DB_PASS --no-lock --no-timestamp ${currentdir}`
filename="${currentdirbase}/bak_`date +"$DATE_FORMAT"`_full.tar.gz"
echo `tar -zcvf ${filename} ${currentdir}`
elif [ "`date +"%d"`" = "$DOM" ]; then
rm -rf $currentdirfiles
echo `innobackupex --backup --user=$DB_USER --password=$DB_PASS --no-lock --no-timestamp ${currentdir}`
filename="${currentdirbase}/bak_`date +"$DATE_FORMAT"`_full.tar.gz"
echo `tar -zcvf ${filename} ${currentdir}`
#incremental backup
else
if [ ! -e $posfile ]; then
echo `innobackupex --backup --user=$DB_USER --password=$DB_PASS --no-lock --no-timestamp ${currentdir}`
filename="${currentdirbase}/bak_`date +"$DATE_FORMAT"`_full.tar.gz"
echo `tar -zcvf ${filename} ${currentdir}`
else
tmpdir="${BACK_UP_FOLDER}/${CURRENT_FOLDER}/tmp"
mkdir -p $tmpdir
mv $currentdir $tmpdir
filename="${currentdirbase}/bak_`date +"$DATE_FORMAT"`_incremental.tar.gz"
mkdir -p $currentdir
local tmpdirtrue="${BACK_UP_FOLDER}/${CURRENT_FOLDER}/tmp/data"
echo "${tmpdirtrue}"
echo `xtrabackup --backup --user=$DB_USER --password=$DB_PASS --no-lock --no-timestamp --target-dir=${currentdir} --incremental-basedir=${tmpdirtrue}`
echo `tar -zcvf ${filename} ${currentdir}`
fi
fi
chmod +x ${filename}
# Daily backup
echo "doing daily backup file copy"
cp $filename $dailydir
# Weekly backup
if [ "`date +"%u"`" = "$DOW" ]; then
if [ ! -e $weeklyfile ]; then
echo "doing weekly backup file copy"
cp $filename $weeklydir
fi
fi
# Monthly backup
if [ "`date +"%d"`" = "$DOM" ]; then
if [ ! -e $monthlyfile ]; then
echo "doing monthly backup file copy"
cp $filename $monthlydir
fi
fi
echo `rm -f ${filename}`
echo `rm -rf ${tmpdir}`
}
delete_old_backups()
{
local dailydir="${BACK_UP_FOLDER}/${DAILY_FOLDER}"
local weeklydir="${BACK_UP_FOLDER}/${WEEKLY_FOLDER}"
log_b "Deleting old backups on database ${database}"
find ${dailydir} -name "*.tar.gz" -mtime +${D_DELETE_BACKUP_OLDER_THAN_DAYS} -type f -print -exec rm -f {} \;
find ${weeklydir} -name "*.tar.gz" -mtime +${W_DELETE_BACKUP_OLDER_THAN_DAYS} -type f -print -exec rm -f {} \;
}
db_backup
#log_backup
#delete_old_backups
bingo 得到数据库的密码
连接一下 连接失败 mysql不允许远程连接
试一下用mysql的密码登录ssh
bingo
修改mysql权限 我们远程访问它
大概逃了一天课就把它数据库搞出来了 不得不说学校联通服务器的安全实在堪忧