Target machine pentest diary: Billu_b0x
Ports
Visiting port 80
Directory scan
/add.php
The page contains a file upload form, but uploading through it did not succeed.
/test.php
Reports that the file parameter is missing. Constructed the URL http://ip/test.php?file=/etc/passwd; that did not work as a GET request, so switched to POST.
Read the files found by the directory scan one by one through it:
//add.php
<?php
echo '<form method="post" enctype="multipart/form-data">
Select image to upload: <input type="file" name=image>
<input type=text name=name value="name">
<input type=text name=address value="address">
<input type=text name=id value=1337 >
<input type="submit" value="upload" name="upload">
</form>';
?>
//index.php
<?php
session_start();
include('c.php');
include('head.php');
if(@$_SESSION['logged']!=true)
{
    $_SESSION['logged']='';
}
if($_SESSION['logged']==true && $_SESSION['admin']!='')
{
    echo "you are logged in :)";
    header('Location: panel.php', true, 302);
}
else
{
    echo '<div align=center style="margin:30px 0px 0px 0px;"> <font size=8 face="comic sans ms">--==[[ billu b0x ]]==--</font> <br><br> Show me your SQLI skills <br> <form method=post> Username :- <Input type=text name=un>   Password:- <input type=password name=ps> <br><br> <input type=submit name=login value="let\'s login">';
}
if(isset($_POST['login']))
{
    // Only the single quote is stripped; the query is still built by string concatenation
    $uname=str_replace('\'','',urldecode($_POST['un']));
    $pass=str_replace('\'','',urldecode($_POST['ps']));
    $run='select * from auth where pass=\''.$pass.'\' and uname=\''.$uname.'\'';
    $result = mysqli_query($conn, $run);
    if (mysqli_num_rows($result) > 0)
    {
        $row = mysqli_fetch_assoc($result);
        echo "You are allowed<br>";
        $_SESSION['logged']=true;
        $_SESSION['admin']=$row['username'];
        header('Location: panel.php', true, 302);
    }
    else
    {
        echo "<script>alert('Try again');</script>";
    }
}
echo "<font size=5 face=\"comic sans ms\" style=\"left: 0;bottom: 0; position: absolute;margin: 0px 0px 5px;\">B0X Powered By <font color=#ff9933>Pirates</font> ";
?>
//c.php
<?php
#header( 'Z-Powered-By:its chutiyapa xD' );
header('X-Frame-Options: SAMEORIGIN');
header( 'Server:testing only' );
header( 'X-Powered-By:testing only' );
ini_set( 'session.cookie_httponly', 1 );
$conn = mysqli_connect("127.0.0.1","billu","b0x_billu","ica_lab");
// Check connection
if (mysqli_connect_errno())
{
    echo "connection failed -> " . mysqli_connect_error();
}
?>
Obtained the database username and password.
Logged into phpMyAdmin with these credentials and viewed phpinfo to get the site's web root path.
Tried to write a one-line webshell through phpMyAdmin, but it reports that the privileges are too low.
Found a username/password pair in the auth table.
Logged into index.php successfully with this account.
Found that Add User has an upload function.
Uploading a .php file directly gives the message "only png,jpg and gif file are allowed".
Bypassing the check failed, so upload an image with embedded PHP and chain it with the file inclusion to get a shell. The upload does not return the stored path, so continue the code review and look at panel.php:
//panel.php
<?php
session_start();
include('c.php');
include('head2.php');
if(@$_SESSION['logged']!=true )
{
    header('Location: index.php', true, 302);
    exit();
}
echo "Welcome to billu b0x ";
echo '<form method=post style="margin: 10px 0px 10px 95%;"><input type=submit name=lg value=Logout></form>';
if(isset($_POST['lg']))
{
    unset($_SESSION['logged']);
    unset($_SESSION['admin']);
    header('Location: index.php', true, 302);
}
echo '<hr><br>';
echo '<form method=post> <select name=load> <option value="show">Show Users</option> <option value="add">Add User</option> </select>  <input type=submit name=continue value="continue"></form><br><br>';
if(isset($_POST['continue']))
{
    $dir=getcwd();
    // Only the literal './' is removed from the requested page name
    $choice=str_replace('./','',$_POST['load']);
    if($choice==='add')
    {
        include($dir.'/'.$choice.'.php');
        die();
    }
    if($choice==='show')
    {
        include($dir.'/'.$choice.'.php');
        die();
    }
    else
    {
        // Any other value is included as a path relative to the web root
        include($dir.'/'.$_POST['load']);
    }
}
if(isset($_POST['upload']))
{
    $name=mysqli_real_escape_string($conn,$_POST['name']);
    $address=mysqli_real_escape_string($conn,$_POST['address']);
    $id=mysqli_real_escape_string($conn,$_POST['id']);
    if(!empty($_FILES['image']['name']))
    {
        $iname=mysqli_real_escape_string($conn,$_FILES['image']['name']);
        $r=pathinfo($_FILES['image']['name'],PATHINFO_EXTENSION);
        $image=array('jpeg','jpg','gif','png');
        if(in_array($r,$image))
        {
            // Extension check passed; now the MIME type detected from file content is matched
            $finfo = @new finfo(FILEINFO_MIME);
            $filetype = @$finfo->file($_FILES['image']['tmp_name']);
            if(preg_match('/image\/jpeg/',$filetype ) || preg_match('/image\/png/',$filetype ) || preg_match('/image\/gif/',$filetype ))
            {
                // The file keeps its client-supplied name and is stored under the web root
                if (move_uploaded_file($_FILES['image']['tmp_name'], 'uploaded_images/'.$_FILES['image']['name']))
                {
                    echo "Uploaded successfully ";
                    $update='insert into users(name,address,image,id) values(\''.$name.'\',\''.$address.'\',\''.$iname.'\', \''.$id.'\')';
                    mysqli_query($conn, $update);
                }
            }
            else
            {
                echo "<br>i told you dear, only png,jpg and gif file are allowed";
            }
        }
        else
        {
            echo "<br>only png,jpg and gif file are allowed";
        }
    }
}
?>
This shows uploads land in uploaded_images/; connected with AntSword successfully and got a shell.
Brought the session into MSF and checked the current system version:
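From the defending side, the two weaknesses visible in panel.php above are the include built from $_POST['load'] with only './' stripped, and uploads written under the web root with the client-supplied name. The following is an added example of how that handler would be hardened; it is not the VM's code, assumes PHP 7+ with $conn already provided by c.php, and the upload directory path is an assumption.

```php
<?php
// Hardened replacement for the `load` and `upload` handling shown in panel.php.
// Assumes c.php has been included and $conn is a live mysqli connection.

// 1. Resolve the page to include through a fixed map instead of building a
//    path from user input; anything not in the map is rejected, so neither
//    '../' sequences nor absolute paths ever reach include().
$pages = array(
    'show' => __DIR__ . '/show.php',
    'add'  => __DIR__ . '/add.php',
);
if (isset($_POST['continue'])) {
    $choice = isset($_POST['load']) ? (string) $_POST['load'] : '';
    if (!array_key_exists($choice, $pages)) {
        http_response_code(400);
        exit('unknown page');
    }
    include $pages[$choice];
    exit();
}

// 2. Validate the upload by content, then store it under a server-chosen
//    random name whose extension comes from the detected type, in a directory
//    the web server does not serve (assumed path: /var/lib/billu/uploads).
if (isset($_POST['upload']) && isset($_FILES['image']) && $_FILES['image']['error'] === UPLOAD_ERR_OK) {
    $allowed = array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');
    $finfo = new finfo(FILEINFO_MIME_TYPE);   // exact type string, compared by key, not by regex
    $type  = $finfo->file($_FILES['image']['tmp_name']);
    if (!isset($allowed[$type]) || getimagesize($_FILES['image']['tmp_name']) === false) {
        exit('only png, jpg and gif images are accepted');
    }
    $uploadDir = '/var/lib/billu/uploads';     // assumption: outside the document root
    $stored    = bin2hex(random_bytes(16)) . '.' . $allowed[$type];
    if (!move_uploaded_file($_FILES['image']['tmp_name'], $uploadDir . '/' . $stored)) {
        exit('upload failed');
    }
    // Record the server-chosen name with a prepared statement instead of string concatenation.
    $name    = isset($_POST['name']) ? (string) $_POST['name'] : '';
    $address = isset($_POST['address']) ? (string) $_POST['address'] : '';
    $id      = isset($_POST['id']) ? (string) $_POST['id'] : '';
    $stmt = mysqli_prepare($conn, 'insert into users(name,address,image,id) values(?,?,?,?)');
    mysqli_stmt_bind_param($stmt, 'ssss', $name, $address, $stored, $id);
    mysqli_stmt_execute($stmt);
    echo 'Uploaded successfully';
}
```

The same prepared-statement pattern closes the concatenated login query in index.php, where stripping single quotes alone does not prevent injection.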
cat /etc/issue
Ubuntu 12.04.5 LTS; searched for a matching exploit.
After compiling and running it, obtained root privileges.